Spam registration amount and handling is unbearable

General Discussion
6 Posts 4 Posters 563 Views
  • Nefarius wrote (#1):

    Greetings, long time NodeBB user here.

    Currently running: NodeBB v1.14.3-beta.14

    Over the years and with growing popularity, the amount of spam/scam registrations, despite enforcing hCaptcha and e-mail registration on my installation, is becoming unbearable. I have the following countermeasures in place, which seem to not do much:

    • Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
      • Judging by the traffic on the Repository this plugin appears to be fairly abandoned? Any good alternatives or built in solutions?
    • E-Mail verification is required
    • Admin approval on registration from same IP is enforced
      • The user page is still visible without approval, this is exploitable
    • I started to manually work on an IP blacklist but that's a losing battle

    Some questions:

    • Why are user pages immediately live to the public without e-mail approval or even when admin approval is still pending? This is a major attack surface for spam becoming available without any countermeasures and very attractive for spammers
    • Can the "About me" for users be disabled? It's flooded with scam text and links or advertising and the like.
    • Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.

    Pardon if I come across a bit heated but it seems like there's either not enough built-in anti-spam functionality or I'm missing something, I'd really appreciate some insights and how to handle this other than banning entire IP-ranges.

    Thanks for reading, cheers

  • baris (NodeBB) wrote (#2):

    User pages shouldn't be visible if the user is still in the approval queue since the user account isn't created yet.

    You can increase the reputation required to enter an "About me" text, which usually takes care of spam users. Set it to 1-2 reputation.

    If you remove the View Users privilege from guests, users who are not logged in won't be able to see the profiles of other users.

  • Nefarius replied to baris (#3):

    @baris ah, perfect, I somehow missed that, I applied the two suggestions, thanks! Will monitor the situation.

    Cheers

  • julian (GNU/Linux) replied to Nefarius (#4):

    @nefarius For what it's worth, spam-be-gone is still very much actively maintained, but we don't get too many bugs for it because it just works 😄

    I'm not saying it's the perfect solution, by any means, but we will definitely fix up issues if reported.

  • gotwf (Community Rep) replied to Nefarius (#5):

    @nefarius One thing I am uncertain about: What is your default setting for user email addresses, i.e. ACP:

    admin/settings/user

    Account Settings > Hide email from users (ON)

    This knob sets a nice default. 🙂 🌻

  • Nefarius replied to gotwf (#6):

    @gotwf pardon the late response, I've adopted your suggestion, thanks! 👍

    @julian good to know! And apparently my spammers were all "human-powered"; ever since I made the changes suggested by @baris the blacklist hits and spam accounts have dropped to zero!

    Hopefully it stays that way so I can focus on content 😇

    Cheers
