I'm continuing to get a rash of spam member signups - I'm having to block and delete 10 or more members a day. Question: when I select the ban option (when editing a member profile) is it banning the IP address or something else? I went into my recipe for banning IP addresses and it doesn't appear to auto-update when I ban a new IP address, which is why I ask. Thanks.
Sorry you are having to deal with so many spammers.
Banning a user has no correlation with the recipe for "rejecting new registrants based on IP Address".
When you ban a specific member, that just means that they are still registered on your site but they lose all permissions on your site and will not be able to access it while they are signed in as that member. It does not take their IP address and ban it in any way.
In general, you want to be very careful when banning specific IP addresses, because many times IP addresses are shared. This article may be useful on that point:
And that is why we never auto-add an IP address to any kind of ban list. If you know you want to permanently prevent someone with a specific IP Address from registering on your site, then the recipe for "rejecting new registrations based on IP address" is the way to go, and you'll just need to update it with each new IP address you want to ban.
In terms of other suggestions for dealing with spam registrations... have you enabled the CAPTCHA test for new registrations (this option is found in your Registration Settings)?
Are you requiring email verification?
Well, I've been banning spammer IPs for four years, as that was previous advice given. But . . . I can't see it's done any collateral damage.
I believe I have the captcha set up? Where do I do that so I can check?
What is email verification (how does it work) and where do I set that up (I may have done that already too; just don't remember)? This spamming activity has been very heavy in the last few months.
Both of those settings (enabling CATCHA and requiring email verification) are enabled in your control panels' Registration Settings (in the BASICS section of the control panel). It looks like this:
Email verification may not solve your problem completely, but it requires them to take one more step (which is click on a verification link in their registration welcome email) in order to gain member status. It would not PREVENT them from joining, but it would prevent them from participating as a full member until they verified. I highly recommend it for all sites, regardless, because that we you know that the email addresses your members are using are real and belong to those users.
Yes, I've always had Captcha and email verification on, since the get-go. Any other suggestions, as the clean-up is painful. What should I be banning then - email address, text in their bio, something else? I cant moderate to this extent every day. Thanks.
Another option to consider is to start moderating all new registrations. That would mean approving every new registration, via the Registration Moderation approval queue. But at least that is one queue to go through and maybe it gives you more peace of mind. The downside of course is that new members have to wait for you to approve them.
Aside from that, is there something about these spammers that they all have in common? Is it is a particular email domain? (If so, you could set a rule to reject registrations from those email domains, for instance.)
Yeah, but then I have to check every new member - more work. They are different email domains, but I'll just start blocking those email domains then, if you think that is better than blocking an IP address.
So, can you tell me how to write a recipe to ban all sign-ups from particular domains. I thought I did this yesterday by using a *.domainname recipe on the email field in the member profile, but I had more people signed up from this domain this morning. I don't want to restrict an exact email address, as they just keep changing names around on the email address (i.e, Kate@xxx.com, Su@xxx.com). It would be most expedient to ban the whole domain. Thanks. Could use help as soon as possible. All I can find otherwise are recipes to restrict exact addresses.
Use the template for "Reject Registration Based on Specific Email Address" and then for the Email Address condition you should be able to the domains, as described there (see screenshot below).
For example, if you want to reject all users with an email address domain of hotmail.ru, you would enter @hotmail.ru (that will reject anyone with an @hotmail.ru email address) . Note that you should separate each email address with a comma.
If you have any issues with this, please let us know!
I wanted to report that this issue has become increasingly problematic for my site. I must spend at least an hour a day screening new members and deleting and banning accounts, which is unsustainable for probably any community. I delete more members than I leave in place each day. It feels like something has changed (around November) that's making it easier for spam members to find and hack the site or your platform, as this is a recent yet LARGE issue. Some go as far as to send spam emails to other members once they've accessed their email addresses by joining the site. This is the biggest concern, because some have been able to hassle members even off the site. Just yesterday, some members tracked some spam they got via email back to a member on the site. Another joined and sent harassing (sexually explicit) PMs to many members, which is not the norm, but happens too.
I don't want to have to moderate all member sign-ups, as that's as burdensome as what I am now doing. I would like to find a way to exclude more of this garbage before the signups register.
If there's nothing you can do on your end to prevent this (which I sincerely hope you will investigate), then perhaps you can tell me how to write a recipe to screen for the pattern I seem to be seeing most often. Most emails seem to be coming from the EU (Poland, in particular). When the person signs up they list a US place of residence, but in my "bite size bio" field, they are entering Polish (or some other language) and a link that leads to a website completely unrelated to anything having to do with my site. See example screen shot below.
The trouble is: every signup registers under a new name and email extension. I have been banning all suspect extensions (I.e., everything after the @ sign), but more new ones crop up daily. See last screen shot for sampling of today's bans. If you get into that recipe of mine, you'll see how vast that list is.
Any help would be appreciated as I can't sustain this much longer, and I can't afford to hire someone to do this sort of thing.
What the link in bio leads to:
Hi, any help you can provide on my post from four days ago (above) would be appreciated.
One thought I have is that in an upcoming release, you'll be able to set up recipes to flag users based on their IP address geolocation (i.e. their physical location). With this, you could set up recipes to automatically ban anyone from a country that you don't want to allow to register. That will probably help with your scenario.
I'll try to remember to post a note here when that release is out (within the next week or so), but you can also keep an eye on our blog for the release announcement.
Okay, I don't think I want to ban any single country (we have a global audience, and that smacks too much of policies of our current admin, which I abhor!), but if I could screen/monitor/moderate based on location, then I would have less to moderate. So that could help!
Forum/blog spam is becoming a more widespread problem in recent years, and has reached a point that even smaller sites with more obscure audiences get caught in it.
Also, it’s commonly thought that it’s just spambots, but it’s more often a combination of bots controlled by paid labor from actual people. Hence why spammers may pass any CAPTCHA or obscure questions your site requires at registration.
On international sites there’s not an awful lot you can do without banning emails/IP’s at lower levels, such as banning all free email services and IP ranges from countries that produce most spam.
Maybe Hoop.la devs can look into implementing http://stopforumspam.com at some point. Forums and blogs I moderate or help with seemed to have great success with that API, and I don’t think it violates privacy regulations if used during registration. It basically checks your site’s registrations against a global database of known spammers to prevent them from spreading.
Hi, again! Is it possible people are able to bypass the CAPTCHA. Just got this message from a member saying that she did (read below to see how). If so, this could explain some of the rash of spam sign-ups I've been seeing since November.
More on what this person said she did to bypass the CAPTCHA; this should not be possible, am I right? I hope so!
I'm not aware of any way to bypass the CAPTCHA. Hoop.la uses reCAPTCHA from Google. It's a pretty universally used CAPTCHA tool, and I'd be very surprised if there is a way to game the system.
Have you tested this on my site?
Not with a full registration, no. But it seems to be working. When CAPTCHA is enabled, Hoop.la will only allow people to register who have successfully passed CAPTCHA. Hoop.la checks with Google to make sure the CATPCHA approval is legitimate, so if there is an issue (which I don't think there is), it would have to be with Google.