Author Topic: Disabling forum registrations  (Read 3595 times)

Steven

  • Administrator
  • Sr. Member
  • *****
  • Posts: 34344
Most of you probably are not aware that this forum is bombarded with new registrations by spammers, and for some time I have been manually approving them in order to filter out the obvious ones.
However its recently taken a turn for the worse where there is now a new account is attempted to be registered every few minutes and it very quickly resumes when I change the challenge questions, so the number of accounts to approve is overwhelming.
There is a google captcha plugin which could help but unfortunately it doesnt work when cloudfare is being used and i'm not proficient at managing a website/ forum or at web development to be able to do anything about it.
If anyone has any suggestions or can help in some way then let me know but for now I think i will disable registrations over night

phred

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 9340
Calling AvikB. Calling AvikB. Please report to the Administrator's Office.

I hate to say this, but perhaps all new registrations should be temporarily halted. With a notice on the registration page apologizing for the temporary suspension of new registrations due to the massive increase in spam. And to check back in a month. (Or some such time period.)
Download the latest MusicBee v3.5 or 3.6 patch from here.
Unzip into your MusicBee directory and overwrite existing files.

----------
The FAQ
The Wiki
Posting screenshots is here
Searching the forum with Google is  here

Zak

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 2458
Oh, that sucks.

I see the forum is running version 2.0.17 of the SMF package, whereas the latest patch just made available is 2.1.2.
Not suggesting it will specifically include any new anti-spam features, but it does mention security updates which sounds like a good thing.

Do you have to use Google captcha? From the SMF Security and Moderation page here:
https://wiki.simplemachines.org/smf/SMF2.0:Security_and_Moderation

Quote
Configure Verification Methods
Below you can set which anti-spam features you wish to have enabled whenever a user needs to verify they are a human. Note that the user will have to pass all verification so if you enable both a verification image and a question/answer test they need to complete both to proceed.

Verification Questions
If you want users to answer verification questions in order to stop spam bots you should setup a number of questions in the table below. You should pick relatively simple questions; answers are not case sensitive, though you should not use a 0 (zero) or a space as an answer to a question. You may use BBC in the questions for formatting, to remove a question simply delete the contents of that line.

Visual verification image to display - This allows you to choose whether to add a verification image and to change its difficulty.
Number of verification questions a user must answer - Select any number above zero to set the number of verification questions which need to be answered.

It sounds like there are other user verification options available, including custom questions. Or are they already being used and simply don't work?
(It's a long time since I registered, so I can't remember what I had to do)

SMF also supports Mods, including this one:
Spam protection, AntiSpam, FireWall by CleanTalk (no Captcha/reCaptcha)
https://custom.simplemachines.org/index.php?mod=3851

(Disclaimer: I've never heard of CleanTalk before now - I just found it while sniffing around for anything that might help)

It does require a CleanTalk account and paid license, but I see the price of a license for one year is only $8.
If it works like they say it does, that would seem like a good investment. Hell, I'd even pay for a year myself and I'm sure there are other forum members that could find eight bucks down the back of their couch.
Bee excellent to each other...

phred

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 9340
Hell, I'd even pay for a year myself and I'm sure there are other forum members that could find eight bucks down the back of their couch.
Damn right! I'd even pony up for a couple of years.
Download the latest MusicBee v3.5 or 3.6 patch from here.
Unzip into your MusicBee directory and overwrite existing files.

----------
The FAQ
The Wiki
Posting screenshots is here
Searching the forum with Google is  here

Steven

  • Administrator
  • Sr. Member
  • *****
  • Posts: 34344
Thanks Zak, the 2 methods: Verification Questions and Visual verification image to display are already being used and changing the questions only stops things for a short time. I don't think the clear talk plugin will help as the website requests are via cloudfare IP addresses so the real IP address of the sender is not known.

In the 30 minutes i re-enabled registration this morning, 20 accounts were registered for approval, so its clearly not sustainable for me to manually approve and with that volume many mistakes will be made. So for now I think I will keep registrations disabled which of course means the forum will be on a slow death spiral


phred

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 9340
I don't particularly like Reddit, but there's a MusicBee forum over there. I drop in occasionally, and have offered up some advice. I rarely see spam there.
I seem to recall the moderator over there posted something in the MB forum quite a while ago, but can't find it now. I think the mod was/is a forum member.

@Severn- It might be worth monitoring it for a bit to see if it's something that can replace this forum.
https://old.reddit.com/r/musicbee/
NOTE: If you leave the "old" off this URL you'll get the "new" Reddit which is truly awful.
Download the latest MusicBee v3.5 or 3.6 patch from here.
Unzip into your MusicBee directory and overwrite existing files.

----------
The FAQ
The Wiki
Posting screenshots is here
Searching the forum with Google is  here

Zak

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 2458
I don't think the clear talk plugin will help as the website requests are via cloudfare IP addresses so the real IP address of the sender is not known.
I figure it must be doing more than just blacklisting IP addresses, otherwise it wouldn't work for any forum anywhere.

They say that they don't block Cloudflare IP addresses:

Quote
Is CleanTalk Compatible with Cloudflare?
 CleanTalk is fully compatible with Cloudflare service.
The CleanTalk Service doesn't filter Cloudflare's IP's (AS13335) with blacklist database. That means the CleanTalk module will filter spambots using other anti-spam tests and checks.
I can't see it explicitly stated anywhere what "other anti-spam tests and checks" means, but the SMF mod page gives more clues:

Quote
SMF Anti-Spam Features
SMF Anti-Spam MOD protects from spam: new user registrations registrations, posts and protection for the form of "quick reply". When a visitor fills and submits a form MOD catches the visitor's IP, e-mail, message itself, some other parameters and sends them to the CleanTalk Cloud. After analysis of sent parameters the CleanTalk Servers decide whether a request should be blocked or allowed. All requests are being saved in your log.
My interpretation is that besides IP addresses, it's also checking the content of posts algorithmically to detect spam.

So for now I think I will keep registrations disabled which of course means the forum will be on a slow death spiral
Forum death would be a shame, but I can't begrudge you the well-earned break after so many years!


I don't particularly like Reddit, but there's a MusicBee forum over there.
It might be worth monitoring it for a bit to see if it's something that can replace this forum.
I don't use Reddit, but I don't see how that would work if you can't group posts into separate sub-areas. Wouldn't it just be one big streaming amorphous mess of messages?
Bee excellent to each other...

phred

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 9340
I don't particularly like Reddit, but there's a MusicBee forum over there.
It might be worth monitoring it for a bit to see if it's something that can replace this forum.
Wouldn't it just be one big streaming amorphous mess of messages?
It certainly is. The organization here with SMF can't be reproduced in Reddit. I think the only plus Reddit has going for it is its search capability.
Download the latest MusicBee v3.5 or 3.6 patch from here.
Unzip into your MusicBee directory and overwrite existing files.

----------
The FAQ
The Wiki
Posting screenshots is here
Searching the forum with Google is  here

Steven

  • Administrator
  • Sr. Member
  • *****
  • Posts: 34344
i'm going to try bumping up the difficulty with the visual challenge to see if that helps

So for now I think I will keep registrations disabled which of course means the forum will be on a slow death spiral
Forum death would be a shame, but I can't begrudge you the well-earned break after so many years!
its not what i want

cartman005

  • Member
  • Sr. Member
  • *****
  • Posts: 589
I don't use Reddit, but I don't see how that would work if you can't group posts into separate sub-areas. Wouldn't it just be one big streaming amorphous mess of messages?

Most subreddits address that by using "flair" which is a type of tag. For example, the Plex subreddit lets you tag your posts as Discussion, Tips, News, Help, or Solved.

Steven

  • Administrator
  • Sr. Member
  • *****
  • Posts: 34344
i'm going to try bumping up the difficulty with the visual challenge to see if that helps
the answer - it doesnt help enough. 12 registrations in 30 minutes so still too high

frankz

  • Sr. Member
  • ****
  • Posts: 3876
It's not the best solution or even a particularly good one, but there are dedicated forum hosts like https://www.proboards.com/ where it seems like you can offload the registration headaches to a third party and let them deal with mitigating the spam registrations.

AvikB

  • Sr. Member
  • ****
  • Posts: 945
I thought cloudflare provided their own captcha and bot protection. It would be really hard to defend against targeted attack tbh.

hiccup

  • Sr. Member
  • ****
  • Posts: 7856
A thought to (at least for the time being) have a way for people to register:

We create a MusicBee email account on e.g. gmail or outlook.
A couple of forum volunteers get logins for that.

We create a forum post that explains that to join, an email needs to be send there.
(the email address should be written or described in a slightly cryptic manner so non-carbon lifeforms can't easily read it)

Aspiring forum members can send an email there to request a forum account, briefly stating why he/she wants to join, and also provide a valid email address. (so to check validity and a human response)
The forum volunteers read and evaluate these mails, and the ones that seem legit get passed to administrator(s) who then can create the account.

Mail services such as gmail and outlook have pretty good spam filtering for emails, so I think that MB account wouldn't get flooded or polluted much.
I am guessing if at least some three or four forum members volunteer for this task, it would take them very little time or effort to maintain this system.
Perhaps a couple of minutes per week?

Steven

  • Administrator
  • Sr. Member
  • *****
  • Posts: 34344
We create a MusicBee email account on e.g. gmail or outlook.
A couple of forum volunteers get logins for that.
Thats a great idea to keep things going for now.
I created an email account:
<name of this application>[dot]forum [at] gmail [dot] com
send me an email to that address if you can help out with reviewing the accounts.
The process would be to review the request and if valid send me a PM with the details

However I wonder if google mail will throw a wobbly if the volunteers who log on from different ip addresses around the world will throw security alerts or block the account - lets see.
I'll create a topic giving users instructions
Last Edit: May 11, 2022, 08:20:19 AM by Steven