31
barryc
Re: Has reCaptcha been hacked?
  • 2011/2/9 15:05

  • barryc

  • Just can't stay away

  • Posts: 480

  • Since: 2004/3/20


Here's what I did. In the admin pages for the Profile module, make a couple of additional fields, such as first name and last name, and make them required. There is an entry for "Show in registration form" where you enter "Step 2" so that they need to be completed in the second step of registration. In Profile admin/registration steps for "Save after step" enter No for step 1 and Yes for step 2.

On my site I modified the Disclaimer to include a statement that registration is a two step process and "please complete both steps". That is so a human registering will know what to do.

So far that has completely stopped those annoying spam registrations. I still have my site set to require admin approval of a registration but so far all have been genuine.

barryC



32
barryc
Re: Has reCaptcha been hacked?
  • 2011/1/22 21:52



Just an update for information purposes. After making the first step on our registration pages "not saved" and including a couple of required fields in the second step I have had no more spam registrations. By now, based on the last couple of weeks, I would have seen half a dozen. The change seems to have at least temporarily stopped these guys.

barryC



33
barryc
Re: Rewriting Profile Module... Want to have some input.
  • 2011/1/22 1:06



On our site the profile module forms the basis for our membership roster, that is for a national aquarium association. This is a critical part and function of our web site.

I am interested in your project and would be happy to help test it when the time comes. I'm not a programmer but I do pretty well at finding problems. I have a mirror site that I use for such testing.

I assume that your module would be able to import data from an existing list of users in the current profile module?

barryC



34
barryc
Re: Has reCaptcha been hacked?
  • 2011/1/22 0:36



I took one step that ghia mentioned and that may be helping. I have a two step registration process, the first being just the basics (user name, email, etc.) and the second containing additional information, including first and last name, which are required. I originally had Xoops set to save both steps, but now only save after the second step. I haven't received any spam registrations since doing that but I'll know more tomorrow. I'm sure "they" will soon figure a way around that too. I did do a test registration after making that change and it came through. Filling only the first form (step) did not.

Peekay, I have installed your hack for blocking direct access to register.php. Hopefully you can modify that.

Regarding the idea of not entering a registration unless a valid email address is entered, I don't think that will work. Some of these spammers do use valid email addresses. Once they register they may start filling your site with spam advertising or, worse, porn. So far none of the spam registrations on my site have followed up with confirmations. That may be because the email addresses are spoofed or that they are simply not monitoring the registration confirmation messages. Presumably there would be thousands of them. I do know that I don't get many bounce messages although I've had a few, suggesting that many of the email addresses are real.

barryC



35
barryc
Re: Has reCaptcha been hacked?
  • 2011/1/21 15:44



Thanks ghia. I'll see if I can install it this weekend. In the meantime I have set my site to require webmaster approval of new registrations so no spam gets through.

barryC



36
barryc
Re: Has reCaptcha been hacked?
  • 2011/1/19 16:38



ghia,

A question. In the profile module there is an option to "save after step". I have two steps but they are set to be saved. I THINK that setting save after step makes the additional steps unnecessary. Is that right? Would it be better to have the first step NOT saved so that the user has to complete both before the registration is accepted?

Is sexy captcha this one posted by frankblack? I just want to make sure I'm identifying the right one, but going back to the beginning of that thread, I assume it is.

I visited frankblack's web site and downloaded the files. So you recommend the version modified by culex rather than the original?

I want to try this for the registration page. However, it's not clear to me how to do this. Where does one insert the codes indicated on frankblack's web site?

Sorry if I seem dumb. I'm no programmer.

barryc



37
barryc
Re: Has reCaptcha been hacked?
  • 2011/1/18 21:58



I am still getting hammered by these spam registrations, several a day. The IP address is different for each one so it is apparently being spoofed. I can't block the offending IP. Below is the log entry for one of these registrations. I have X'ed out my real site name.

This registration took 6 seconds. Another one a few minutes later took 9 seconds. The next one reported "Mozilla/4.76 [en] (Windows NT 5.0; U)" not Opera.

[Edit] I found a real registration for comparison, which appears to have taken the person about 2 minutes.

I'd be interested in opinions as to whether this looks like a bot or a person doing the registration. All so far are using spoofed email addresses so they never get confirmed. They are a damn nuisance, though.

barryC

199.15.234.20 - - [18/Jan/2011:14:21:46 -0700] "GET /xxx/modules/newbb/index.php HTTP/1.0" 200 67607 "http://www.xxxxx.org/xxx/modules/newbb/index.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
199.15.234.20 - - [18/Jan/2011:14:21:47 -0700] "GET /xxx/register.php HTTP/1.0" 302 378 "http://www.xxxx.org/xxx/register.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
199.15.234.20 - - [18/Jan/2011:14:21:48 -0700] "GET /xxx/modules/profile/register.php HTTP/1.0" 200 54826 "http://www.xxxx.org/xxx/modules/profile/register.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
199.15.234.20 - - [18/Jan/2011:14:21:49 -0700] "POST /xxx/modules/profile/register.php HTTP/1.0" 200 64148 "http://www.xxxx.org/xxx/modules/profile/register.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
199.15.234.20 - - [18/Jan/2011:14:21:51 -0700] "POST /xxx/user.php?op=login HTTP/1.0" 200 2872 "http://www.xxxx.org/aka/modules/profile/register.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
199.15.234.20 - - [18/Jan/2011:14:21:51 -0700] "GET /xxx/index.php HTTP/1.0" 200 67602 "http://www.xxxx.org/aka/index.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
199.15.234.20 - - [18/Jan/2011:14:21:52 -0700] "GET /xxx/modules/newbb/index.php HTTP/1.0" 200 67549 "http://www.xxxx.org/xxx/modules/newbb/index.php" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
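
The timing comparison made in the post above (seconds for the spam sign-ups, about two minutes for a real one) can be automated over the access log. This is an added example, not part of the original post or of XOOPS; the 10-second threshold, the `fast_registrations` name and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Apache "combined" format, as in the entries quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
FORM_SUFFIX = "/modules/profile/register.php"  # form path seen in the post
MIN_HUMAN_SECONDS = 10  # assumed threshold; tune against genuine sign-ups

# Constructed sample lines (documentation IP ranges, made-up site path).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2011:14:21:48 -0700] "GET /site/modules/profile/register.php HTTP/1.0" 200 54826 "-" "Opera 8.01"
203.0.113.7 - - [18/Jan/2011:14:21:49 -0700] "POST /site/modules/profile/register.php HTTP/1.0" 200 64148 "-" "Opera 8.01"
198.51.100.9 - - [18/Jan/2011:15:02:10 -0700] "GET /site/modules/profile/register.php HTTP/1.1" 200 54826 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2011:15:04:05 -0700] "POST /site/modules/profile/register.php HTTP/1.1" 200 64148 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Jan/2011:16:00:00 -0700] "POST /site/modules/profile/register.php HTTP/1.0" 200 64148 "-" "Opera 8.01"
"""


def fast_registrations(lines, min_seconds=MIN_HUMAN_SECONDS):
    """Return (ip, seconds) for form POSTs that follow the form GET too quickly.

    seconds is None when the client POSTed without ever loading the form.
    """
    form_seen = {}  # ip -> time the registration form was last fetched
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if not m["path"].split("?", 1)[0].endswith(FORM_SUFFIX):
            continue  # only the registration form is of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if m["method"] == "GET":
            form_seen[ip] = ts
        elif m["method"] == "POST":
            if ip not in form_seen:
                flagged.append((ip, None))
            else:
                elapsed = (ts - form_seen[ip]).total_seconds()
                if elapsed < min_seconds:
                    flagged.append((ip, elapsed))
    return flagged


if __name__ == "__main__":
    for ip, secs in fast_registrations(SAMPLE_LOG.splitlines()):
        print(ip, "no form load" if secs is None else f"{secs:.0f}s after form load")
```

Grouping by IP works within one session because, as in the quoted log, a single registration attempt uses one address throughout even when each attempt comes from a different one.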



38
barryc
Re: Has reCaptcha been hacked?
  • 2011/1/7 20:42



I have done so and there are some corresponding entries that seem to be too fast for humans to do. I am getting hammered by these spam registrations at the moment, at least 6 or more a day. All of them are using spoofed email addresses, sometimes from Russia (ending in .ru), sometimes gmail addresses. They are therefore not getting the confirmation emails and so far none have activated the account. I just got a bounce message from Google that one of those addresses did not exist.

I will search the logs again. Maybe you'd be willing to look at a log segment again for me Ghia to see if you agree that it looks as if someone has found a way around reCaptcha and the hack to prevent direct access to register.php.

At the moment they are just a bloody nuisance. They are pretty easy to spot as they usually use the same unlikely first name and last name, which are required on my site. As they haven't confirmed registration they can't do anything on the site. I hope they soon tire of the game. I know I have.

Ghia, if you are willing to look at a log segment, remind me of your email by PM. If I can be sure of the IPs that correspond to the spam registrations, from the logs, I can look into where they are coming from, as long as the IPs aren't spoofed. Thanks.

barryC



39
barryc
Has reCaptcha been hacked?
  • 2011/1/5 16:53



I have reCaptcha installed on my site and I also have the hack to prevent direct access to register.php, but I'm still getting a lot of spam registrations. Most of these are never activated so they can't do anything on the site. That suggests they are bot registrations.

Has anyone had a similar experience? Is there any way I can find the IP address of the machine registering when the "user" does not complete the confirmation step?

barryC



40
barryc
Re: Registration notices without user being registered
  • 2010/12/3 22:42



Well, color my face red. The explanation is something I simply hadn't thought of but which became obvious when I expanded the headers on the notification message.

I have a duplicate site on a different domain that I use to evaluate modules, etc. Benny had actually registered there. I didn't recognize that the notification email came from there as it is not a public site and the notifications look identical unless the headers are expanded.

Registering on that site does make it clear that it is a spurious registration. Clearly some robot is trolling for places to register.

So, Xoops is in fact behaving normally. It's just me that is not. I apologize for the confusion and for wasting your time. No need to examine the logs.

barryC



