Greetings, long time NodeBB user here.
Currently running: NodeBB v1.14.3-beta.14
Over the years and growing popularity the amount of spam/scam registrations despite enforcing hCaptcha and E-Mail registration on my installation is becoming unbearable. I have the following countermeasures in place which seem to not do much:
- Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
- Judging by the traffic on the Repository this plugin appears to be fairly abandoned? Any good alternatives or built in solutions?
- E-Mail verification is required
- Admin approval on registration from same IP is enforced
- The user page is still visible without approval, this is exploitable
- I started to manually work on an IP blacklist but that's a loosing battle
- Why are users pages immediately live to the public without e-mail approval or even when admin approval is still pending? This is a major attack surface for spam becoming available without any counter measures and very attractive for spammers
- Can the "About me" for users be disabled? It's flooded with scam text and link or advertising and the like.
- Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.
Pardon if I come across a bit heated but it seems like there's either not enough built-in anti-spam functionality or I'm missing something, I'd really appreciate some insights and how to handle this other than banning entire IP-ranges.
Thanks for reading, cheers