Abuse: Random users with invalid emails and Russian URLs

Bjørn Lindeijer
Registered User
Posts: 10
Joined: Sat Sep 25, 2004 9:09 pm

Post by Bjørn Lindeijer »

Lately I've had an increasing number of users signing up with invalid email addresses. They also had numbers in their name and their URL set to some commercial Russian website. It's been 15 users now, that I have subsequently removed.

I'm worried that there might be some kind of crawler detecting forums (or at least phpBB) and automatically signing up, adding "@hotmail.com" to the random username to create an email address. I think this because my site is rather low traffic, and wouldn't be interesting enough to go and add these accounts manually.

I think the problem is caused by phpBB showing the new user even if it hasn't properly activated its account. Hence I would suggest only showing members that have clicked their activation link in the next release, to make this kind of abuse pointless.
Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

Alternatively, you can use the amazingly simple Visual Confirmation MOD that's in the /contrib dir of your phpBB download. :)
Bjørn Lindeijer
Registered User
Posts: 10
Joined: Sat Sep 25, 2004 9:09 pm

Post by Bjørn Lindeijer »

I don't like adding visual confirmation, and the activation turning out quite useless, I've turned that off too now. It's all the more hassle for people trying to sign up. Good to know there's a resolution close at hand when things get worse though!

I still think unactivated users showing up in the member list and "newest user" area is faulty behaviour. I could fix that locally, but that doesn't stop this kind of abuse. Fixing it in the next release will make this kind of abuse less interesting worldwide.
Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

Uh, I didn't say anything about activation. The VC MOD doesn't require any effort on your part, bar to upload a few files from the zip file, and it will prevent these bots from registering at all.
Bjørn Lindeijer
Registered User
Posts: 10
Joined: Sat Sep 25, 2004 9:09 pm

Post by Bjørn Lindeijer »

I know, it's the effort from the users I was worrying about. I don't like to have to copy a number if it isn't necessary. Until now, we have been fine for 2 years without this. I'm only adding this when the above kind of abuse increases too much.
Heimidal
Former Team Member
Posts: 958
Joined: Fri Jul 06, 2001 11:56 am
Location: Greeley, CO, US

Post by Heimidal »

Bjørn Lindeijer wrote: I know, it's the effort from the users I was worrying about. I don't like to have to copy a number if it isn't necessary. Until now, we have been fine for 2 years without this. I'm only adding this when the above kind of abuse increases too much.

And according to your first post, the level of abuse has increased to a sufficient amount to warrant this action, or you wouldn't be complaining in the first place.

Huge sites use this technique and it takes an extra 15 seconds (max) to sign up. What's the problem, exactly?
Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Post by Arty »

I had the same problem on my forum. I also don't like visual confirmation, so I solved the problem differently: don't show the website URL for users who have 0 posts, and don't show the memberlist to search engines (makes the whole registration spamming thing pointless). I also added a hidden variable to the registration form, and if the form is submitted without that variable then registration fails (keeps registration bots away from the forum).
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework
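
A sketch of the hidden-variable check described in the post above, as an added example that is not part of the original thread and not phpBB code. It goes one step beyond a fixed hidden value by binding the field to the visitor's session and to the time the form was rendered; the function names, the `form_token` field name and the constants are all hypothetical.

```php
<?php
// Added example, not phpBB code: every name below is hypothetical.
const FORM_SECRET = 'constructed-secret-change-me'; // assumption: random, server-side only
const MIN_FILL_SECONDS = 3;    // assumption: a person needs at least this long
const MAX_FORM_AGE = 3600;     // assumption: a rendered form is valid for one hour

// Value for the hidden <input name="form_token"> rendered with the form.
function make_form_token(string $sessionId, int $now): string
{
    return $now . ':' . hash_hmac('sha256', $sessionId . '|' . $now, FORM_SECRET);
}

// Returns null when the submission may proceed, else the reason it is rejected.
function reject_reason(array $post, string $sessionId, int $now): ?string
{
    $token = $post['form_token'] ?? null;
    if (!is_string($token) || substr_count($token, ':') !== 1) {
        return 'hidden field missing';          // form was never fetched
    }
    [$issued, $mac] = explode(':', $token);
    if (!ctype_digit($issued)) {
        return 'hidden field malformed';
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $issued, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'hidden field not issued to this session'; // replayed or forged
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    if ($age > MAX_FORM_AGE) {
        return 'form expired';
    }
    return null;
}

// Constructed demo values.
[$sid, $t0] = ['constructed-session-id', 1096000000];
$token = make_form_token($sid, $t0);
$cases = [
    'no hidden field' => [[], $sid, $t0 + 20],
    'other session'   => [['form_token' => $token], 'another-session', $t0 + 20],
    'instant submit'  => [['form_token' => $token], $sid, $t0 + 1],
    'normal submit'   => [['form_token' => $token], $sid, $t0 + 20],
];
foreach ($cases as $label => [$post, $s, $now]) {
    echo $label, ': ', reject_reason($post, $s, $now) ?? 'accepted', "\n";
}
```

A script that loads the form first and echoes the field back still passes the token check, so this filters out only submissions posted blindly to the handler or sent faster than a person could type.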
Bjørn Lindeijer
Registered User
Posts: 10
Joined: Sat Sep 25, 2004 9:09 pm

Post by Bjørn Lindeijer »

Heimidal wrote: Huge sites use this technique and it takes an extra 15 seconds (max) to sign up. What's the problem, exactly?

The problem exactly is that phpBB encourages this kind of bot because it will show username and URL even if the accounts are not activated. The problem with copying a random code is that I think it's an ugly and unnecessary countermeasure. 15 of these fake users is enough to get me posting here, but not enough to get me to add that kind of thing to the forum.

Thanks CyberAlian for your suggestions, I'll at least think about doing the hidden variable thing and will be looking into adding the memberlist to the robots.txt file.
Heimidal
Former Team Member
Posts: 958
Joined: Fri Jul 06, 2001 11:56 am
Location: Greeley, CO, US

Post by Heimidal »

Bjørn Lindeijer wrote: The problem exactly is that phpBB encourages this kind of bot because it will show username and URL even if the accounts are not activated. The problem with copying a random code is that I think it's an ugly and unnecessary countermeasure. 15 of these fake users is enough to get me posting here, but not enough to get me to add that kind of thing to the forum.

Thanks CyberAlian for your suggestions, I'll at least think about doing the hidden variable thing and will be looking into adding the memberlist to the robots.txt file.

We do not encourage bots - we simply operate in a way that makes sense. Some people might get confused if they never get the email they were supposed to get from registration, don't see their username in the memberlist, and can't register again.

And I get it... it's good enough for Ticketmaster, who gets thousands of hits and orders a day, but not good enough for your forum..

Good luck finding a reliable safeguard that isn't user-facing and failproof. The functionality of the forum will not be changed anytime soon.
Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Post by Arty »

Bjørn Lindeijer wrote: The problem exactly is that phpBB encourages these kind of bots because

All other forum software has similar features. But phpBB is the most popular forum software, and because of that spammers are attracted to phpBB. In phpBB 2.2 the list of users is shown only to registered users, so it also makes registration spamming useless. You can wait for phpBB 2.2, which will be released later this year, or you can apply one of the solutions posted above (visual confirmation or hidden items in form + hide users list).
Bjørn Lindeijer
Registered User
Posts: 10
Joined: Sat Sep 25, 2004 9:09 pm

Post by Bjørn Lindeijer »

I don't understand the level of hostility here. I'm just voicing some concern, asking for a change that might reduce the problem, and interested in ways to prevent it without bothering new users.

I'm glad at least part of the problem is taken into account in 2.2. As far as I'm concerned now, I'll just wait and see how many fake users sign up next week and go on from there.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Bjørn Lindeijer wrote: I don't understand the level of hostility here. I'm just voicing some concern, asking for a change that might reduce the problem, and interested in ways to prevent it without bothering new users.

I'm glad at least part of the problem is taken into account in 2.2. As far as I'm concerned now, I'll just wait and see how many fake users sign up next week and go on from there.

Hostility begets hostility. You weren't exactly very nice to us when we answered your question. ;)

You have a couple of choices here.

1. Use the visual confirmation, which 2.2 makes use of by the way.
2. Edit the registration template so that registering users will not have the opportunity to input their homepage, ICQ, MSN, etc. until they are approved by the admin, and log in again. Rather simple to do actually. And in fact, 2.2 makes use of this as well.
Proven Offensive Security Expertise. OSCP - GXPN
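
The second choice in the post above, together with the earlier suggestion to hide website URLs for users with 0 posts, shown as an added example that is not part of the original thread and not phpBB code. Removing the inputs from the template only changes what a browser shows, so the handler also has to ignore those fields; the field names, the `logged_in` flag and the column names used here are assumptions.

```php
<?php
// Added example, not phpBB code. Field and column names are assumptions.
// Fields a new registrant may submit. Anything else in the POST is dropped
// server-side, so a bot that ignores the edited template gains nothing.
const REGISTRATION_FIELDS = ['username', 'email', 'new_password', 'password_confirm'];
// Link and contact fields, accepted only from an approved, logged-in account.
const CONTACT_FIELDS = ['website', 'icq', 'msn', 'aim', 'yim'];

function accepted_profile_input(array $post, ?array $user): array
{
    $allowed = REGISTRATION_FIELDS;
    if ($user !== null && !empty($user['user_active']) && !empty($user['logged_in'])) {
        $allowed = array_merge($allowed, CONTACT_FIELDS);
    }
    return array_intersect_key($post, array_flip($allowed));
}

// Display side: no link for unactivated accounts or accounts with 0 posts.
function profile_website(array $user): string
{
    if (empty($user['user_active']) || (int) ($user['user_posts'] ?? 0) < 1) {
        return '';
    }
    $url = (string) ($user['user_website'] ?? '');
    if (!preg_match('#^https?://#i', $url)) {
        return '';                       // refuse javascript: and other schemes
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the kind of POST a registration bot sends.
$botPost = ['username' => 'user48213', 'email' => 'user48213@hotmail.com',
            'website' => 'http://spam.example/', 'icq' => '12345'];
print_r(accepted_profile_input($botPost, null));

// Constructed accounts: one never activated, one active with posts.
$pending = ['user_active' => 0, 'user_posts' => 0, 'user_website' => 'http://spam.example/'];
$regular = ['user_active' => 1, 'user_posts' => 12, 'user_website' => 'http://example.org/'];
var_dump(profile_website($pending), profile_website($regular));
```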
Mike Panic
Registered User
Posts: 61
Joined: Fri Feb 28, 2003 10:15 pm

Post by Mike Panic »

I'm in the same boat... tons of new bogus registers all with numbers and all pointing to the same URL... choppy.com/something-something, they are all different.

I'm at the point where I'm about to call the person who owns the domain name and ream him out... then call their host and put in a formal spam complaint

I've disallowed *.hotmail email addys from registering, but it's still allowing them for some odd reason... so frikkin annoying

btw Techie-Micheal - took a look at your site... you're more than welcome to come join http://www.iphotoforum.com :)
globetrotting
Registered User
Posts: 217
Joined: Thu Jan 15, 2004 8:14 pm
Location: globetrotting

Edit reg template

Post by globetrotting »

Techie-Micheal wrote: ... Edit the registration template so that registering users will not have the opportunity to input their homepage, ICQ, MSN, etc. until they are approved by the admin, and log in again. Rather simple to do actually.


Would it also be "rather simple" to explain how to do it?
I'd appreciate an explanation very much, as my board is infected as well :(
Being changes consciousness
Harriers9
Registered User
Posts: 79
Joined: Wed May 12, 2004 8:43 pm
Location: Kidderminster

Post by Harriers9 »

The same here.

I am also getting spam registrations from this Chopoy w**ker and would like it stopped.

Not being a php expert I would like to know how to modify the registration template.

I tried to update my board from 2.0.8 to 2.0.10 last week but failed due to the lack of simple advice from the experts on here. We are not all tech heads that can understand complicated instructions or just told to change some obscure code without being told how to achieve that.

Good example at the end of this:

http://www.phpbb.com/phpBB/viewtopic.ph ... highlight=