Spam registration amount and handling is unbearable


  • Greetings, long time NodeBB user here.

    Currently running: NodeBB v1.14.3-beta.14

    Over the years and growing popularity the amount of spam/scam registrations despite enforcing hCaptcha and E-Mail registration on my installation is becoming unbearable. I have the following countermeasures in place which seem to not do much:

    • Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
      • Judging by the traffic on the Repository this plugin appears to be fairly abandoned? Any good alternatives or built in solutions?
    • E-Mail verification is required
    • Admin approval on registration from same IP is enforced
      • The user page is still visible without approval, this is exploitable
    • I started to manually work on an IP blacklist but that's a losing battle

    Some questions:

    • Why are user pages immediately live to the public without e-mail approval or even when admin approval is still pending? This is a major attack surface for spam becoming available without any countermeasures and very attractive for spammers
    • Can the "About me" for users be disabled? It's flooded with scam text and links or advertising and the like.
    • Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.

    Pardon if I come across a bit heated, but it seems like there's either not enough built-in anti-spam functionality or I'm missing something. I'd really appreciate some insights on how to handle this other than banning entire IP ranges.

    Thanks for reading, cheers

  • NodeBB

    User pages shouldn't be visible if the user is still in the approval queue since the user account isn't created yet.

    You can increase the reputation required to enter an "About me" text, which usually takes care of spam users. Set it to 1-2 reputation.


    If you remove the View Users privilege from guests, users who are not logged in won't be able to see the profiles of other users.



  • @baris ah, perfect, I somehow missed that, I applied the two suggestions, thanks! Will monitor the situation.

    Cheers

  • GNU/Linux Admin

    @nefarius For what it's worth, spam-be-gone is still very much actively maintained, but we don't get too many bugs for it because it just works 😄

    I'm not saying it's the perfect solution, by any means, but we will definitely fix up issues if reported.

  • Community Rep

    @nefarius One thing I am uncertain about: what is your default setting for user email addresses, i.e. in the ACP:

    admin/settings/user

    Account Settings > Hide email from users (ON)


    This knob sets a nice default. 🙂 🌻

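The three controls recommended in this thread (no "View Users" privilege for guests, a reputation threshold before "About me" is accepted, and email hidden by default) can be modelled as a small access-policy check. The block below is an added example, not NodeBB's own code or configuration: the setting names, the user objects and the sample accounts are all constructed for illustration, and it only shows how the three knobs combine to deny a freshly registered or still-queued account any public surface.

```javascript
// Added example, not NodeBB's code. Setting names and user fields are assumptions
// chosen to mirror the thread's advice, not NodeBB's real config keys.
const settings = {
  guestsCanViewUsers: false, // "View Users" privilege removed from guests
  minRepForAboutMe: 2,       // reputation required before "About me" is accepted
  hideEmailByDefault: true,  // ACP > Account Settings > Hide email from users (ON)
};

// A viewer of null is an unauthenticated guest; otherwise { isAdmin: boolean }.
function canViewProfile(profile, viewer, cfg = settings) {
  // An account still in the approval queue is not a user yet, so there is nothing to show.
  if (profile.pendingApproval) return false;
  if (viewer === null) return cfg.guestsCanViewUsers;
  return true;
}

// The reputation gate: a zero-reputation spam account cannot fill "About me".
function canSetAboutMe(user, cfg = settings) {
  return user.reputation >= cfg.minRepForAboutMe;
}

// Fields a viewer actually receives. Email is included only when the account opted to
// show it (or, if it never chose, when the site default is not "hidden"), or for admins.
function visibleFields(profile, viewer, cfg = settings) {
  if (!canViewProfile(profile, viewer, cfg)) return null;
  const fields = { username: profile.username, aboutme: profile.aboutme };
  const emailHidden =
    profile.showEmail === undefined ? cfg.hideEmailByDefault : !profile.showEmail;
  if (!emailHidden || (viewer && viewer.isAdmin)) fields.email = profile.email;
  return fields;
}

// Constructed sample accounts (not real users).
const accounts = {
  queued: { username: 'queued', pendingApproval: true, reputation: 0, email: 'q@example.invalid' },
  fresh: { username: 'newacct', pendingApproval: false, reputation: 0,
           aboutme: 'promotional text', email: 'new@example.invalid' },
  veteran: { username: 'veteran', pendingApproval: false, reputation: 15,
             aboutme: 'Long-time member', email: 'vet@example.invalid', showEmail: true },
};

// Report what one viewer sees across all sample accounts.
function profileReport(viewer, cfg = settings) {
  const out = {};
  for (const [key, profile] of Object.entries(accounts)) {
    out[key] = visibleFields(profile, viewer, cfg);
  }
  return out;
}

console.log('guest sees:', profileReport(null));
console.log('registered user sees:', profileReport({ isAdmin: false }));
console.log('fresh account may set About me:', canSetAboutMe(accounts.fresh));
```

With guest viewing disabled, the guest report is `null` for every account, so a spam "About me" never reaches search engines or drive-by visitors; a registered member still cannot see the new account's email, and the new account cannot write an "About me" at all until it has earned two reputation points.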

  • @gotwf pardon the late response, I've adopted your suggestion, thanks! 👍

    @julian good to know! And apparently my spammers were all "human-powered"; ever since I made the changes suggested by @baris the blacklist hits and spam accounts have dropped to zero!

    Hopefully it stays that way so I can focus on content 😇

    Cheers
