
Fake users registration attack

Hello everybody,

Since yesterday I have been under a spam attack. I disabled the "Allow new users to register" option in the Settings > Advanced Settings admin panel and I am still being attacked, because new fake users have been registered.

Additionally, I have these plugins installed and enabled: uservalidationbyemail, recaptcha, iptracker, spam_login_filter, spam_throttle, honeypot and akismet.

What can I do? Thank you very much.

Replies

  • Matt Beckett 117 days ago

    You're getting registrations even though the setting is turned off?
    Are you using any social login integration - Facebook/Twitter etc? They may be registering through a plugin like that.

  • Paweł Sroka 117 days ago

    Make sure your installation is up to date. What version are you using now?

  • rjcalifornia 116 days ago

    That's strange. Are spammers still registering after turning off registration?

    Are the current registered fake spammers attacking your site?

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • Ron Wallace 116 days ago

    We get exactly the same thing. No matter how we try to stop them (including disabled "Allow new users to register"), they still register. We have Spam Login Filter installed too. We get emails saying that we've blocked hundreds of registrations, but when we look at the sites for the same period, we see 30-40 actual fake registrations that made it through. We've tried every spam plugin, but nothing works. They still are registering. We have had to turn off our sites to stop them. We are using HybrideAuth Client for Elgg for Elgg 1.8 for Facebook login - so maybe that's it. I'm going to turn it off and see if that helps. Otherwise, I don't have a hint how to stop them. - FYI we're using 1.8.16 - same problem on 3 different sites.

     

  • David Romaní 116 days ago

    I'm using Elgg 1.8.16, since yesterday, it seems that no more fake users registered. It's true, if I disable the users registration setting, then I don't have the problem. Sorry for my mistake.

    But if I turn on the setting, then I have the same problem again.

  • Michele 116 days ago

    Same as Ron here.

    No social login/registration. Elgg 1.8.16

    Many are blocked by spam login filter but around 70-80 since almost a week ago succeed in registering daily anyways. I didn't turn off the allow new user registration option but I did turn on (which I recommend) User Validation by Admin by Webgalli which is annoying to use because you have to check those who register but at least your users do not suffer any spamming.

    I also noticed that lately stopforumspam is sometimes down so that could explain at least part of the problem

    Cheers

  • Aaron W 116 days ago

    I have also had lots of fake users signing up - I have uservalidation by email and captcha 1.8.1 installed. This only started happening about a week ago for me - I googled the problem and came to this page - Looks to me like there is some kind of "attack" that is causing this to happen to elgg sites. I don't really want to turn off new user creation. The users that had validated their email seemed to be selling baby clothes, but there is probably a darker story to it. I think that a human must be doing something to get past the captcha systems - I doubt that someone has created a system to do this.

    I am using 1.8.16 - Aaron

  • Ron Wallace 116 days ago

    David said, <if I disable the users registration setting, then I don't have the problem>. You are lucky David, cause when we disable registration, it makes no difference, they still register the fake users. But, I'm going to try again, - although - we won't like to have to have that as our only option to stop this.

    Michele said, <No social login/registration.> Darn, I was hoping that was our problem.

    And <but around 70-80 since almost a week ago succeed in registering daily anyways> That's about the same number for us. But, as soon as we delete them, another batch arrives.

    And, <also noticed that lately stopforumspam is sometimes down> I noticed the same, but it only lasts for a few seconds, and another thing I noticed is that sometimes the IP addresses that are submitted are weird.

    Aaron said, <I think that a human must be doing something to get past the captcha systems - I doubt that someone has created a system to do this.> I think differently. I've tried all kinds of captchas, and just about everything else. The fakes keep coming. And the numbers started small but are increasing. I doubt very much that any human is doing this - to me, you, and Michele, and David and everyone else that's going to get bombed eventually.

    So far we've found no solution, we've had to turn all of our sites off. It's too time-consuming having to clean all these fake users all day long.

    Next, just to be sure, we are turning off the Facebook login and we're going to try the Profile Manager plugin and require an image and a new field and acceptance of our terms upon registration. And see if they get by that.

  • Michele 116 days ago

    @Ron, if you have, like me, only max 100 spammers and few new real users per day, isn't it better to check and approve/delete them manually (uservalidation by admin) than switch off sites?

  • Michele 116 days ago

    PS do any of you guys know if Fassim service is now more reliable? I did get the api key but many months ago had to turn it off on spam login filter because of so many complaints on false positives.

  • Matt Beckett 116 days ago

    We still get more false positives with Fassim, but Fassim does have a lower number of false negatives.  It's a bit of a tradeoff, but the community here doesn't get as much spam as you're reporting...

  • Michele 116 days ago

    That's because they target interesting communities :D

  • Michele 116 days ago

    By the way guys, sorry for the off topic but since we have no wire here.... HAVE YOU ALL ELGGERS A GREAT 2014!

  • Ron Wallace 116 days ago

    My tests... 

    1) I turned my test site back on at 11:53AM. I removed the Facebook login.

    2) So far I've gotten spam blocks at these times...

    11:53, 11:53, 11:53, 11:54, 12:02, 12:03, 12:04, 12:04, 12:06, 12:06, 12:11, 12:11, 12:16, 12:18, 12:18, 12:20, 12:20, 12:20, 12:21, 12:23, 12:24, 12:24, 12:24, 12:24, 12:26, 12:27

    ONE NEW FAKE USER IP Austria

    ANOTHER FAKE USER IP Hyderabad (PK)

    here we go again, 12:34, 12:35, 12:35, 12:39, 12:36, 12:36, 12:36, 12:36, 12:39, 12:39, 12:40, 12:41, 12:41, 12:41

    ANOTHER FAKE USER IP Jalandhar (IN)

    ANOTHER FAKE USER IP Unfortunately we could not find a matching location.

    3) NOW I DISABLE - Allow new users to register

    here we go again, 12:59, 1:02, 1:02, 1:03, 1:03, 1:03, 1:07, 1:11, 1:11, 1:11, 1:18, 1:18, 1:24, 1:25

    In Summary

    Within 10 seconds of turning my site back on again, we started getting bombed again. This must be automated. No way manual spammers were waiting for me to turn it back on.

    For the most part, each is a separate and different ISP, although once in a while, in a small number of cases they are duplicate ISPs, which appear to be at the same time. Also, each is a different email address or the email address is blank.

    It almost looks like this is hunting for IP addresses that are not blocked, and then causing an automated registration when it finds one.

    Disabling New User Registration does not appear to have stopped the attack. Although, for some reason the time between blocks has increased, and since then, I have not gotten a new fake registration.

    I'm going to wait it out a little while and see what happens and report back. Disabling the registration is not a solution, we don't want to do that, but at least we may be able to keep the sites open while we are trying to find an answer.

    There is definitely something very unfriendly going on here.

    @Michele, we have not tried the uservalidation by admin. We'll give it a whirl and see if that's helpful.

    And I've read that Fassim causes clean users to be incorrectly flagged as spammers. I believe I read that at the plugin page.
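Added example, not part of the post above and not code from Elgg or any of the plugins mentioned: the signals described in that test (attempts starting seconds after the site reopens, bursts within one minute, almost every attempt from a different source, blank emails) computed over a constructed attempt log. The log layout, sample values and thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample, not data from the thread. IPs are RFC 5737
# documentation addresses; the field layout is an assumption.
SITE_REOPENED = "2014-01-01 11:53:00"
ATTEMPTS = [  # (time, source IP, email, outcome)
    ("2014-01-01 11:53:08", "192.0.2.10", "a@example.com", "blocked"),
    ("2014-01-01 11:53:21", "192.0.2.11", "", "blocked"),
    ("2014-01-01 11:53:40", "198.51.100.7", "b@example.net", "blocked"),
    ("2014-01-01 11:54:15", "198.51.100.8", "c@example.org", "blocked"),
    ("2014-01-01 12:02:03", "203.0.113.5", "d@example.com", "registered"),
    ("2014-01-01 12:03:30", "203.0.113.6", "", "blocked"),
    ("2014-01-01 12:04:02", "192.0.2.10", "e@example.net", "blocked"),
    ("2014-01-01 12:04:44", "203.0.113.9", "f@example.org", "registered"),
    ("2014-01-01 12:06:10", "198.51.100.20", "g@example.com", "blocked"),
    ("2014-01-01 12:06:51", "198.51.100.21", "h@example.net", "blocked"),
]

def summarize(attempts, reopened):
    """Signals that separate a bot run from manual sign-ups."""
    t0 = datetime.strptime(reopened, FMT)
    times = sorted(datetime.strptime(a[0], FMT) for a in attempts)
    per_minute = Counter(t.replace(second=0) for t in times)
    per_ip = Counter(a[1] for a in attempts)
    return {
        "first_attempt_delay_s": (times[0] - t0).total_seconds(),
        "peak_per_minute": max(per_minute.values()),
        "distinct_ip_ratio": len(per_ip) / len(attempts),
        "blank_emails": sum(1 for a in attempts if not a[2]),
        # Share of attempts that ended as a created account.
        "leak_rate": sum(a[3] == "registered" for a in attempts) / len(attempts),
        # Attempts a cap of one sign-up per IP would have refused.
        "stopped_by_per_ip_cap": sum(c - 1 for c in per_ip.values()),
    }

def looks_automated(s, max_delay_s=60, min_ip_ratio=0.8, min_peak=3):
    """Thresholds are illustrative assumptions, tune them per site."""
    return (s["first_attempt_delay_s"] <= max_delay_s
            and s["distinct_ip_ratio"] >= min_ip_ratio
            and s["peak_per_minute"] >= min_peak)

if __name__ == "__main__":
    stats = summarize(ATTEMPTS, SITE_REOPENED)
    print(stats, looks_automated(stats))
```

With nine distinct sources in ten attempts, a per-IP cap refuses only one of them, so a source-based limit on its own does little against this pattern; the leak rate is the number to watch when comparing filters.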

  • Ron Wallace 115 days ago

    Here's the followup ... In the last few hours we got several hundred blocked registrations and NO new fake users - because we have New User Registration disabled. -- New User Registration being disabled is not a solution, so, although it appears that it stops the fake registration, we do not want it. I have not tried the uservalidation by admin suggested by Michele cause it appears that would still allow the fake user to be registered and that would be a mess. Our next plan is to try the Profile Manager and see if that will help keep the fakes away by requiring various registration fields. If anyone else has any ideas, I'd appreciate hearing them.

  • Michele 115 days ago

    Hi Ron, the suggested plugin puts all newly registered users in the unvalidated section therefore only visible to admins who can validate them or not.

    The situation here is worsening, 55 fake users registered in 9 hours and now many with gmail accounts other than outlook and hotmail plus a bunch of muscle growth+diet "review" sites.

    This is another attack...it was a few months we were ok but now again...thank you spammers...

     

  • Ron Wallace 115 days ago

    Overnight, we got hundreds upon hundreds of blocked registrations, but since we have New User Registration disabled, we got NO new fake users, but of course, this is not an acceptable alternative. Michele, thank you for the info, I understand. My concern is that we have 3 sites, and if one site is being attacked at a rate of one per minute that 3 times that will cause our host to blow his cool. Further, we had plans of opening more sites, with this kind of attack rate, it's not likely. We're thinking seriously about moving the sites on a regular basis trying to stay in front of the spammers or looking for an alternative, which is sad since we've been working with elgg since version .9. It just appears that elgg is prone to attacks which is a serious problem for a professional business. We're thinking.

    By the way, I feel very, very sorry for any person on this universe that has nothing to do with their time than to hurt and harm other people. Life is so short, and there are so many people that need help and are suffering for a million different reasons, that if these spammers would put their energy toward helping people rather than harming them, the world would be a better place and I'm sure the spammers would have a better life. To hell with them.

  • Michele 115 days ago

    Before looking for other platforms let's consider this as the best and try to help in what we can.

    Idea (bad?): Since stopforumspam+fassim seem not to be enough against attacks to elgg what about creating a group of verified elgg-based sites owners in which to add and share our domain and email blacklists?

    I'm maintaining mine through spam login filter and maybe joining forces and importing (best) or copy/paste from such a list into spam login filter could help.

    What do you think?

    Cheers

  • Michele 115 days ago

    Last (bad?) idea in 2013 :)

    Add uservalidation by admin features to spam login filter would also help a lot because when I now delete users from uvba they're not reported to stopforumspam so can register again and again and again...

    Cheers

  • Ron Wallace 115 days ago

    Michele, I'm willing to participate in any way and all ways. Right now I've got 2 of 3 sites shut down and the one that is open is getting 1 to 4 spam attacks per minute. We've gone years without this being a problem, but once they found us, about a month or so ago, all 3 of our sites were attacked. Presently we're working on moving the test site.

    We too are using spam login filter, that's how we know how many hits we are getting. I'm just not confident though that uservalidation by admin is the best choice. I admit I have not tried it, but since we were getting 50-150 fake registrations per day for one site, 3 sites would cause 150-450 per day and that's a lot of messing around to delete them or however. And, the fact that we're now getting such a large attack, we worry that our host will shut us down.

  • Ron Wallace 115 days ago

    @Michele, You said, "when I now delete users from uvba they're not reported to stopforumspam so can register again and again and again"

    When we delete fake users, they ARE REPORTED. Our last report was Dec 28, which was the last fake users we got. And they have been being reported since last Sept, when I believe that problem had been fixed. So, it appears to me that they ARE getting reported properly. But, to me, the problem is that there are so many of the fake users being created, it's impossible to keep up with them.

  • Ron Wallace 115 days ago

    Experimented with moving the site, bad idea. So, we're back to at the very least trying to keep the fake registrations away - "maybe" if we can do that, they may decide to stop the attack. We've added the Profile Manager and required an icon be added. Let you know what happens.

  • Michele 115 days ago

    @Ron as for the not reported ones I was referring to the usage of uservalidation by admin not spam login filter which almost always works except obviously when stopforumspam is down

  • Ron Wallace 114 days ago

    So far so good, although we got a boat load of spam attacks that were all discovered by stopforumspam, since we installed ProfileManager and required a profile icon during registration we have NOT gotten any fake registrations.

  • Team Webgalli 114 days ago

    You can also try another option.

    1. Remove the registration form from the elgg's default registration page.
    2. Create a new page for user registrations and link your "Register" button to that page.

    This way all those bot software that are targeting your elgg's registration page will fail.
