Spam registration amount and handling is unbearable

General Discussion
  • Greetings, long time NodeBB user here.

    Currently running: NodeBB v1.14.3-beta.14

    Over the years and growing popularity the amount of spam/scam registrations despite enforcing hCaptcha and E-Mail registration on my installation is becoming unbearable. I have the following countermeasures in place which seem to not do much:

    • Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
      • Judging by the traffic on the Repository this plugin appears to be fairly abandoned? Any good alternatives or built in solutions?
    • E-Mail verification is required
    • Admin approval on registration from same IP is enforced
      • The user page is still visible without approval, this is exploitable
    • I started to manually work on an IP blacklist but that's a loosing battle

    Some questions:

    • Why are users pages immediately live to the public without e-mail approval or even when admin approval is still pending? This is a major attack surface for spam becoming available without any counter measures and very attractive for spammers
    • Can the "About me" for users be disabled? It's flooded with scam text and link or advertising and the like.
    • Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.

    Pardon if I come across a bit heated but it seems like there's either not enough built-in anti-spam functionality or I'm missing something, I'd really appreciate some insights and how to handle this other than banning entire IP-ranges.

    Thanks for reading, cheers

  • User pages shouldn't be visible if the user is still in the approval queue since the user account isn't created yet.

    You can increase the reputation required to enter a "About me" text which usually takes care of spam users. Set it to 1-2 reputation.


    If you remove the View Users privilege from guests, users who are not logged in won't be able to see the profiles of other users.


  • @baris ah, perfect, I somehow missed that, I applied the two suggestions, thanks! Will monitor the situation.


  • @nefarius For what its worth, spam-be-gone is still very much actively maintained, but we don't get to many bugs for it because it just works 😄

    I'm not saying it's the perfect solution, by any means, but we will definitely fix up issues if reported.

  • @nefarius One thing I am uncertain about: What is your default setting for user email addresses, i.e. ACP :


    Account Settings> Hide email from uses (ON)


    This knob sets a nice default. 🙂 🌻

  • @gotwf pardon the late response, I've adopted your suggestion, thanks! 👍

    @julian good to know! And apparently my spammers were all "human-powered"; ever since I made the changes suggested by @baris the blacklist hits and spam accounts have dropped to zero!

    Hopefully it stays that way so I can focus on content 😇


Suggested Topics

  • 0 Votes
    2 Posts

    @daftcyborg Use the setting "Forum Terms of Use" in the admin/settings/user page for a simple agreement at registration.

  • 1 Votes
    3 Posts

    Well, there are language files in /public/language. The GDPR text is, as far as I remember, sourced from a few of these entries (the language files are JSON files with a prase identifier, and translation). So if you want to change the wording, you would have to modify these files in your clone of the repo.

    Not sure if this is the "best way" since they might be overwritten when you pull the next version (could someone with more knowlede than me confirm this?) but that's a git issue that you should be able to handle once you get to updating.

    For example, I see three entries in the file "/public/language/en-US/register.json" that start with "gdpr_". There are probably others but this is a good place to start. Just search those language files for the exact wording.

    Also note that to chnag eit you would have to change all of the languages, but if english only is enough for you, that is easier.

  • 0 Votes
    1 Posts


    When I'm trying to manage the users who are in registration queue, I happen to see a green tick and red cross button.

    If I click green tick, then the error - email taken is being displayed.

    How to fix this? How to approve the users in the registration queue?

  • 0 Votes
    2 Posts

    Can you add a ?lang=de to the registration page and see? The language should be set to German upon registration 😄

  • 0 Votes
    1 Posts

    I just installed it but i dont see captcha for version 6.0?