Spam registration amount and handling is unbearable

  • Greetings, long time NodeBB user here.

    Currently running: NodeBB v1.14.3-beta.14

    Over the years and growing popularity the amount of spam/scam registrations despite enforcing hCaptcha and E-Mail registration on my installation is becoming unbearable. I have the following countermeasures in place which seem to not do much:

    • Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
      • Judging by the traffic on the Repository this plugin appears to be fairly abandoned? Any good alternatives or built in solutions?
    • E-Mail verification is required
    • Admin approval on registration from same IP is enforced
      • The user page is still visible without approval, this is exploitable
    • I started to manually work on an IP blacklist but that's a losing battle

    Some questions:

    • Why are users' pages immediately live to the public without e-mail approval, or even when admin approval is still pending? This is a major attack surface for spam becoming available without any countermeasures, and very attractive for spammers
    • Can the "About me" for users be disabled? It's flooded with scam text and link or advertising and the like.
    • Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.

    Pardon if I come across a bit heated, but it seems like there's either not enough built-in anti-spam functionality or I'm missing something. I'd really appreciate some insights on how to handle this other than banning entire IP ranges.

    Thanks for reading, cheers

  • NodeBB

    User pages shouldn't be visible if the user is still in the approval queue since the user account isn't created yet.

    You can increase the reputation required to enter an "About me" text, which usually takes care of spam users. Set it to 1-2 reputation.


    If you remove the View Users privilege from guests, users who are not logged in won't be able to see the profiles of other users.


  • @baris ah, perfect, I somehow missed that, I applied the two suggestions, thanks! Will monitor the situation.


  • GNU/Linux Admin

    @nefarius For what it's worth, spam-be-gone is still very much actively maintained, but we don't get too many bugs for it because it just works 😄

    I'm not saying it's the perfect solution, by any means, but we will definitely fix up issues if reported.

  • Community Rep

    @nefarius One thing I am uncertain about: What is your default setting for user email addresses, i.e. ACP:

    Account Settings > Hide email from users (ON)


    This knob sets a nice default. :) 🌻

  • @gotwf pardon the late response, I've adopted your suggestion, thanks! 👍

    @julian good to know! And apparently my spammers were all "human-powered"; ever since I made the changes suggested by @baris the blacklist hits and spam accounts have dropped to zero!

    Hopefully it stays that way so I can focus on content 😇

