Greetings, long time NodeBB user here.
Currently running: NodeBB v1.14.3-beta.14
Over the years, and with growing popularity, the amount of spam/scam registrations, despite enforcing hCaptcha and e-mail registration on my installation, is becoming unbearable. I have the following countermeasures in place, which seem to not do much:
- Spam Be Gone Plugin is used with Project Honeypot, StopForumSpam and hCaptcha
  - Judging by the traffic on the repository, this plugin appears to be fairly abandoned? Any good alternatives or built-in solutions?
- E-Mail verification is required
- Admin approval on registration from same IP is enforced
  - The user page is still visible without approval; this is exploitable
- I started to manually work on an IP blacklist, but that's a losing battle
Some questions:
- Why are user pages immediately live to the public without e-mail approval, or even when admin approval is still pending? This is a major attack surface for spam, becoming available without any countermeasures and very attractive for spammers.
- Can the "About me" for users be disabled? It's flooded with scam text and links or advertising and the like.
- Can showing user details be completely disabled? So far adjusting the permissions to registered users only has done nothing.
Pardon if I come across a bit heated, but it seems like there's either not enough built-in anti-spam functionality or I'm missing something. I'd really appreciate some insights and how to handle this other than banning entire IP ranges.
Thanks for reading, cheers