Check out the reCAPTCHA module; it's in use here too (I just registered). It displays an image and the user has to type in the words on the image. The words are slightly distorted to make it more difficult for OCR to recognize. That should keep out most of your bots.
I would say this is spam. I would bet if you look in your userlist, you'll see that none of these users have logged in. What happens is: They can create an account, but can't log in with it until they activate it using their email link.
So, probably what's happening is that they're creating accounts, and never logging in.
Putting a captcha on your registration page is the way to go... that will keep them from even going that first step and junking up your user list.
-Rob Feature
Geeks and God Co-Host
www.mustardseedmedia.com
Thanks - I loaded the simple text captcha module, and it was painless. I figure I'll start here first, with the math problem, and then when the bots can fool that I'll move on to reCaptcha. One question though - there is also an image captcha module that can be enabled - this needs a TrueType font file - is this worth using (and if so, any recommendation on getting the file), or would it be better to use reCaptcha if I need a stronger blocking system?
Lots of ways to go with this one -
CAPTCHA is not an accessible solution. Vision-impaired users will have a difficult time with this approach. There are other approaches being successfully implemented to address this issue (hidden form fields that will be filled by bots and not by real users is one, random field names is another) that are more accessible solutions.
CAPTCHA is also easy to defeat - using an iframe, the would-be registrant-bot displays your captcha image on their site as their own captcha. The real users there supply the response to the bot which passes it along to your site.
Wonder how they register and respond? This video - http://blogs.pandasoftware.com/blogs/images/PandaL... makes it very clear.
There is no complete solution, only compromise, in my mind. Balance the admin's headaches of dealing with bot registrations with the users' frustration of posting on your site.
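The hidden-field and random-field-name approaches mentioned in the post above, combined in one server-side check. This is an added sketch, not part of the thread and not Drupal module code; `SECRET`, the token format, the expiry and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-key"   # assumption: per-site secret kept server-side
MAX_AGE_SECONDS = 3600             # assumption: a rendered form expires after an hour


def _mac(*parts: str) -> str:
    msg = "|".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def field_name(nonce: str, label: str) -> str:
    """Per-rendering field name; cannot be predicted without SECRET."""
    return "f_" + _mac(nonce, label)[:12]


def issue_form(now: int) -> dict:
    """Values the registration template needs for one rendering of the form."""
    nonce = secrets.token_hex(8)
    return {
        "token": f"{nonce}:{now}:{_mac(nonce, str(now))}",  # hidden input, signed
        "mail": field_name(nonce, "mail"),   # visible input
        "trap": field_name(nonce, "trap"),   # rendered, but hidden from people with CSS
    }


def check_submission(post: dict, now: int) -> str:
    """Return 'ok', or the reason the registration is rejected."""
    try:
        nonce, issued, mac = post.get("token", "").split(":")
        issued_at = int(issued)
    except ValueError:
        return "bad token"
    expected = _mac(nonce, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad token"
    if now - issued_at > MAX_AGE_SECONDS:
        return "expired"
    # A person never sees the trap field, so any value in it marks a bot.
    if post.get(field_name(nonce, "trap"), "") != "":
        return "honeypot filled"
    # Scripts that post a fixed field name such as "mail" miss this rendering's name.
    if not post.get(field_name(nonce, "mail"), "").strip():
        return "missing mail"
    return "ok"
```

The trap field should carry a label telling screen-reader users to leave it empty, so the check stays usable for the visitors a CAPTCHA would turn away.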
You are right that captchas are not accessible. Re-Captcha solves that for us. It provides an audio captcha for the vision impaired.
Captchas are easy to defeat. The trick you posted has been used before and they talked about it on Security Now.
But, captchas stop most bots. Yet, bots are not the issue here. Many of the registrants from China are real people doing the work. They are paid cheaply to go to sites, register, and then post ads on sites. This means you just have to pay attention to your site. It's a matter of looking for people misusing your site and not bots.
Good luck with this. It's an issue a lot of people are dealing with right now.
Matt Farina
Geeks and God Co-Host
www.innovatingtomorrow.net
www.mattfarina.com
I've been running our church website on Drupal for 3 months now and it is working great! [p.s. thanks to your podcast and forum for the great help in getting things going!]
I've been monitoring the Admin logs, and notice that every day or so there is a new user registering for the site with a crazy username
- i.e. New user: TkIsfsWwyhRHGRm (yacasi@witzwil.cn)
I have "Require e-mail verification when a visitor creates an account" checked, so can I assume that this is a valid email address, and that they replied to the invitation email? All of them seem to have .cn domain names. When I check the User status, the last access for them is never, so I just go and delete them.
I suppose I could change the User Setting to "Visitors can create accounts but administrator approval is required", but I would rather not do this if I don't have to.
So I have some questions:
1) Have these users passed "Require e-mail verification" ?
2) If not, is there an automatic way to delete users that haven't verified email after say a few days?
3) If they have passed, could this be a Spambot? Any ideas (short of administrator approval) how to eliminate them?
Thanks for your help!