Spam registration amount and handling is unbearable

Nefarius

Greetings, long time NodeBB user here.

Currently running: NodeBB v1.14.3-beta.14

Over the years and growing popularity the amount of spam/scam registrations despite enforcing hCaptcha and E-Mail registration on my installation is becoming unbearable. I have the following countermeasures in place which seem to not do much:

• Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
  • Judging by the traffic on the Repository this plugin appears to be fairly abandoned? Any good alternatives or built in solutions?
• E-Mail verification is required
• Admin approval on registration from same IP is enforced
  • The user page is still visible without approval, this is exploitable
• I started to manually work on an IP blacklist but that's a loosing battle

Some questions:

• Why are users pages immediately live to the public without e-mail approval or even when admin approval is still pending? This is a major attack surface for spam becoming available without any counter measures and very attractive for spammers
• Can the "About me" for users be disabled? It's flooded with scam text and link or advertising and the like.
• Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.

Pardon if I come across a bit heated but it seems like there's either not enough built-in anti-spam functionality or I'm missing something, I'd really appreciate some insights and how to handle this other than banning entire IP-ranges.

Thanks for reading, cheers

baris

User pages shouldn't be visible if the user is still in the approval queue since the user account isn't created yet.

You can increase the reputation required to enter a "About me" text which usually takes care of spam users. Set it to 1-2 reputation.

If you remove the View Users privilege from guests, users who are not logged in won't be able to see the profiles of other users.

Nefarius

@baris ah, perfect, I somehow missed that, I applied the two suggestions, thanks! Will monitor the situation.

Cheers

julian

@nefarius For what its worth, spam-be-gone is still very much actively maintained, but we don't get to many bugs for it because it just works

I'm not saying it's the perfect solution, by any means, but we will definitely fix up issues if reported.

gotwf

@nefarius One thing I am uncertain about: What is your default setting for user email addresses, i.e. ACP :

admin/settings/user

Account Settings> Hide email from uses (ON)

This knob sets a nice default.

Nefarius

@gotwf pardon the late response, I've adopted your suggestion, thanks!

@julian good to know! And apparently my spammers were all "human-powered"; ever since I made the changes suggested by @baris the blacklist hits and spam accounts have dropped to zero!

Hopefully it stays that way so I can focus on content

Cheers