Trying to prevent registration abuse...

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
tk-123
Registered User
Posts: 12
Joined: Sat Apr 19, 2003 8:33 pm

Trying to prevent registration abuse...

Post by tk-123 »

Hi - I'm noticing some strange activity on one of my forums, where someone is registering dozens of user-accounts each day, along with a web-site URL and other account information that links to porn or spam, but the user is not confirming or completing the registration process, nor making any posts.

I believe the user is actually trying to exploit the "Memberlist" as a way to generate traffic to their own sites, because the Memberlist will display even unconfirmed registrants along with their web site URL and other information that can be indexed by search engines (the more cross-links you have to your site, the better your ranking)...

So here's my issues and questions (I'm running phpBB 2.0.3, by the way)

(1.) The user IP Address doesn't appear to be recorded until AFTER the member posts something. Am I wrong? Is any IP address recorded during the registration process, so I could add these spammers to a banlist? If not, this might be a good feature (if not already part of an update I haven't installed yet)... It'd be nice to capture all that info at registration, and also be able to see it from the User Management area of the Admin panel. Right now, I have to wait until they post something, look up their post, and then use the "ip" button... yuk..

(2.) AND/OR maybe I could just update the memberlist SQL to only display "CONFIRMED registrants AND members with > 1 posts". Does anyone have an easy update to the SQL SELECT statement (and where I'd find it for the Memberlist) that I could use to limit the display on that page? Updating the SELECT statement would prevent the Memberlist page from displaying anything that might benefit these guys who appear to just be exploiting the free link that comes with simply registering.

That's all for now. Thanks in advance for the advice...

TK
TinEastwood
Registered User
Posts: 112
Joined: Sun Feb 01, 2004 10:05 pm
Location: Denmark

Post by TinEastwood »

Same here :twisted:

I use Registration IP - Logs the users IP address upon registration.

Then it's easy to ban that ip in ACP :D

[spam]
Last edited by Techie-Micheal on Sat Jun 23, 2007 3:08 am, edited 1 time in total.
Reason: Removed spam
tk-123
Registered User
Posts: 12
Joined: Sat Apr 19, 2003 8:33 pm

Post by tk-123 »

Thanks for the quick reply, but is "Registration IP" a MOD or data field? (apologies for my ig'nance) :)
TinEastwood
Registered User
Posts: 112
Joined: Sun Feb 01, 2004 10:05 pm
Location: Denmark

Post by TinEastwood »

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

tk-123
Registered User
Posts: 12
Joined: Sat Apr 19, 2003 8:33 pm

Post by tk-123 »

I did search, but this was one of those issues where I didn't quite know what keywords I should be using... Spambot? I had no idea these registrations may have been coming from some automated system... But thanks for the links and quick replies though... I'm scrambling now to tighten up the forums using the mods/changes mentioned in these posts...
Crazy spammers. They just keep finding new ways to drain the hours from my day... I think they should be doing hard-time in the state penn!

Best regards,

TK
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

tk-123 wrote: I did search, but this was one of those issues where I didn't quite know what keywords I should be using...

Good point. It's always easy to find the answer when you already know the answer. ;-)

Good luck. I've managed to cut down on the registrations with the latest round of changes, so there is hope. 8-)
bog_tom
Translator
Posts: 308
Joined: Thu Sep 26, 2002 6:58 am
Location: New Jersey, USA
Contact:

Post by bog_tom »

TanPimp
Registered User
Posts: 30
Joined: Wed Feb 11, 2004 8:15 pm
Location: Iowa City, IA
Contact:

Post by TanPimp »

Where can I find this mod at? I have the same problem. I'm pretty sure a bot isn't doing it, since I've only had about 10 registrations in about a month. It's no big deal but it's becoming annoying. If someone could help me out that would be great.
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

If referring to the visual confirmation MOD, it is in the contrib directory of the download package.
sander marechal
Registered User
Posts: 66
Joined: Sun Feb 15, 2004 8:45 pm
Location: The Netherlands
Contact:

Post by sander marechal »

I have found that most spammers do not bother to auto-post or even auto-activate their account. Simply leaving them off the memberlist or something won't stop them from registering in the first place. They are registering with robots after all so simply not displaying their profile won't work. They have no clue where they register and if they hacked it to not-show their profile. You have to disallow registering altogether for them. In order to fight them, I made the following changes (which should be simple for anyone familiar with the phpBB code).

1) Disable the website field on the registration/profile page (for people that register only. Active users are able to give a webpage)

2) If someone registers and $website is set, give him the finger and message_die() with something nasty.

This works because spammers always try to register with a website in their profile. If real users cannot do this then anyone who tries to must do so from a remote register script (and those are all spammers) :)
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

sander marechal wrote: 1) Disable the website field on the registration/profile page (for people that register only. Active users are able to give a webpage)

2) If someone registers and $website is set, give him the finger and message_die() with something nasty.


Which is another good idea. However there are some flaws in your logic.

If you never show their website they will not bother registering. The reason is that they look for boards with good pagerank that will show their link, then tell their script to go register accounts.

Also the visual confirmation MOD is not perfect but it does do a very good job.
sander marechal
Registered User
Posts: 66
Joined: Sun Feb 15, 2004 8:45 pm
Location: The Netherlands
Contact:

Post by sander marechal »

That was what I thought at first as well so I made those changes, but the spammers just kept coming. Then I started tracking their IPs and visits and I saw that they just registered (remotely) and never came back. Most likely they just have a webspider that searches for phpBB forums and pour the list into an auto-register-bot and simply press 'start'. They never even visit your site, only their bot does.

Then I made the changes I mentioned above and hooked a log to it. It's been running a little over a month now and so far it has stopped over 30 spammer registrations and has had 0 false positives. Real users hardly notice it since most of them will upload an avatar once they are activated, at which point they will see the website field as expected.
globetrotting
Registered User
Posts: 198
Joined: Thu Jan 15, 2004 8:14 pm
Location: globetrotting
Contact:

Spam Block

Post by globetrotting »

My board is "infected" too :(
I can follow the reasoning leading to your advice
sander marechal wrote: 1) Disable the website field on the registration/profile page (for people that register only. Active users are able to give a webpage)

2) If someone registers and $website is set, give him the finger and message_die() with something nasty.


Could you please explain how to do 1) and 2) ?
Being changes consciousness
sander marechal
Registered User
Posts: 66
Joined: Sun Feb 15, 2004 8:45 pm
Location: The Netherlands
Contact:

Post by sander marechal »

Hehe, I just found an even easier way in another thread on this forum. Open up your profile_add_body.tpl and add the following on line 3 (just below the <form> command):

Code:

<input type="hidden" name="mysecretvar" value="1">

Next, open up includes/usercp_register.php and find this bit around line 255:

Code:

	$passwd_sql = '';
	if ( $mode == 'editprofile' )
	{
		if ( $user_id != $userdata['user_id'] )
		{
			$error = TRUE;
			$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Wrong_Profile'];
		}
	}
	else if ( $mode == 'register' )
	{

Just below that, add these lines:

Code:

	// First, weed out any remote register scripts. Easily identifiable since they have no mysecretvar set
	if( !isset($_POST['mysecretvar']) )
	{
		message_die(GENERAL_ERROR, 'Die, you spammer >:( ');
	}

You can replace 'mysecretvar' for another variable name if you want to.

Edit: I made an error in the above code (fixed now). I wrote it on-the-fly because I could not simply copy-paste it out of my own sourcecode (I wrote far too many custom mods). I tested this on a clean board install and it should work now.
Last edited by sander marechal on Mon Sep 27, 2004 7:22 pm, edited 2 times in total.
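
The two checks described in this thread (no website field at registration, and a hidden form field that remote register scripts do not send), combined into one screening function that also logs the registering IP. This is an added example, not part of any post and not phpBB code; it goes a step beyond the posted check by signing and time-limiting the hidden value, and `FORM_SECRET`, the age limits and the function names are assumptions.

```php
<?php
// Added example, not phpBB code. FORM_SECRET, the age limits and all function names are assumptions.
const FORM_SECRET = 'replace-with-a-random-per-board-secret'; // assumption: kept in board config
const MIN_AGE = 3;    // seconds; the form cannot be filled in by hand faster than this
const MAX_AGE = 3600; // seconds; older tokens are refused

// Value to place in the hidden 'mysecretvar' field when the registration form is rendered.
function issue_form_token(int $now): string
{
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the request may proceed, or a short reason when it is refused.
function screen_registration(array $post, int $now): ?string
{
    // The real form offers no website field at registration, so a request carrying one is remote.
    if (!empty($post['website'])) {
        return 'website field set at registration';
    }
    // Hidden-field check from the thread, tightened: the value must be one this board issued.
    $raw = $post['mysecretvar'] ?? '';
    $parts = is_string($raw) ? explode(':', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'hidden field missing or malformed';
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'hidden field not issued by this board';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_AGE || $age > MAX_AGE) {
        return 'form submitted too fast or token expired';
    }
    return null;
}

// Constructed sample requests (not real traffic); IPs are documentation ranges.
$now = 1096300000;
$samples = [
    ['203.0.113.7',  ['username' => 'alice', 'mysecretvar' => issue_form_token($now - 40)]],
    ['198.51.100.9', ['username' => 'x1', 'website' => 'http://spam.example/']],
    ['198.51.100.9', ['username' => 'x2', 'mysecretvar' => '1']],
    ['192.0.2.44',   ['username' => 'x3', 'mysecretvar' => issue_form_token($now)]],
];
foreach ($samples as [$ip, $post]) {
    $reason = screen_registration($post, $now);
    // The log line keeps the registering IP so refused sources can be reviewed for the ban list.
    printf("ip=%s user=%s %s\n", $ip, $post['username'], $reason === null ? 'ALLOW' : "REJECT: $reason");
}
```

Only the first constructed request is allowed; the static value `1` used in the post above is refused by this stricter variant because it was not issued by the board.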