Spam registrations - links in user Name fields
Moderator: General Support Moderators
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
Spam registrations - links in user Name fields
Hi there,
I have a lot of bot registrations targeting the Joomla native registration module on my project of business directories [ redacted ] and [ redacted ].
A spam message is inserted in the User > "Name" field. Bots use the following as a Name field:
"Поздравляем! Получите Ваш подарочный билет ГОСЛОТО: [ redacted ]"
As a result, the targeted email will get a "system message" from our Joomla about "account creation", and this will look like the following (see image https://freeimage.host/i/s9UZcF )
I have Google reCAPTCHA configured for user registration; this helped to reduce the rate of registrations from 300+ a day to nearly 3-5 a day.
I have reduced the field max length in the DB to 30 characters... but the issue still persists because the message is sent with the value inserted by the bot and not the DB value of the Name field in "Users".
How is it possible that the user profile allows a full link with special characters like "://" to be used in the User > Name field??? How may it be fixed?
I have Joomla 3.10, however the security hole is the same in the Joomla 4.x version...
Last edited by toivo on Thu Sep 22, 2022 8:49 am, edited 2 times in total.
Reason: mod note: inaccessible URLs removed, kudos removed - please observe the forum rules!
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam registrations - links in user Name fields
just to clarify,
this does not seem to be a "security hole" ie are they able to hack your site by doing this
the fact that the user name field allows urls is your real concern is it not?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Hero
- Posts: 2867
- Joined: Fri Jul 05, 2013 10:35 am
- Location: Parts Unknown
Re: Spam registrations - links in user Name fields
Have you looked for plugins on JED? There's this https://extensions.joomla.org/extension ... usernames/. It hasn't been updated in a while but it does work on J4 and PHP 8.
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
Re: Spam registrations - links in user Name fields
Hi, yes exactly - it's a plain "spam hole".
As I said, even after Google reCAPTCHA activation (Google reCAPTCHA's "Security Preference" is already set to most secure - it helps a lot, but does not exclude all spam) I continue to get registrations which use my server as a spam resource and put my email domain at risk of blacklisting....

SharkyKZ wrote: ↑Fri Sep 23, 2022 6:01 am
Have you looked for plugins on JED? There's this https://extensions.joomla.org/extension ... usernames/. It hasn't been updated in a while but it does work on J4 and PHP 8.

I saw this one, but it covers the "username" field; the issue I referred to is the "Name" field in the user profile.
Just try it yourself to see how it works....
It's very strange that no one has put this "spam hole" on Joomla's roadmap, since I saw that this issue was discussed several times on the web without any valid stable solution, and the Joomla community has ignored the issue...
p.s. A possible Joomla core update could be: an "exclude any NON WORD characters" REGEX rule, which will suit all languages, since no country permits a DOT, COMMA or any SPECIAL CHARACTER in a NAME FIELD...
Last edited by bobby11 on Sun Sep 25, 2022 7:39 am, edited 1 time in total.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Spam registrations - links in user Name fields
Ahhhh ... spam registrations and why all those CAPTCHA methods don't work ...
No website is protected by CAPTCHA: this discussion forum site is a good example of that ...
There have probably been more discussions about spam registrations (and even more "suggestions" to use third-party extensions) than on any other subject in this forum or anywhere else on the internet. Therefore, I won't offer my suggestions (even though they are 99.99% effective in combating spam/bogus registrations) and I'll let you guys fight this one out amongst yourselves.
It's not a J! problem. It's a website management problem.
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
Re: Spam registrations - links in user Name fields
sozzled wrote: ↑Sun Sep 25, 2022 7:40 am
Ahhhh ... spam registrations and why all those CAPTCHA methods don't work ...
There have probably been more discussions about spam registrations (and even more "suggestions" to use third-party extensions) than on any other subject in this forum or anywhere else on the internet. Therefore, I won't offer my suggestions (even though they are 99.99% effective in combating spam/bogus registrations) and I'll let you guys fight this one out amongst yourselves.
It's not a J! problem. It's a website management problem.

I think it's a J! problem, since I'm not referring to spam registrations as new fields in my database... but to spam registrations as a means to use J! core to spam within the internet - and a J! admin may only hardcode to avoid the issue.
J! core works like this:
1. It permits inserting a spam LINK in a user's NAME field;
2. admin can't disable the J! notification to the "new user" about its "new profile" (only a hard-code change may solve email sending);
If J! gives any core-build control over point 1 or 2, then spam registrations are no longer a J! project issue, or do you disagree?
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Spam registrations - links in user Name fields
It's not a "J! problem" otherwise there would be thousands of people flooding this forum with this question and those same people would be abandoning J! in their thousands. It's a website management problem.
I reject the suggestion that the onus for fixing this matter falls entirely on the J! development team. If that were the case then the team has evidently been delinquent in this area for the past seventeen years. Come on, don't you think you're exaggerating the problem? Just how do "spam registrations" (whatever that means) "use the J! core to spam within the internet?" Again, that's a website management problem. If you allow people to create bogus accounts on your website then you allow them to do whatever you allow them to do.
I think you've taken one plus one and come up with three.
See viewtopic.php?t=940016 for further thoughts on this.
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
Re: Spam registrations - links in user Name fields
- if you haven't understood the issue I refer to - please check my first post to understand the problem.
p.s. check your PM, I sent you an example to your email using the joomla.org website.

"See viewtopic.php?t=940016 for further thoughts on this."

this topic refers to "username" - the issue I focus on is regarding the "name" field.

"If you allow people to create bogus accounts on your website then you allow them to do whatever you allow them to do."

The J! core user creation on the frontend is the issue. Any Joomla with standard core is subject to sending spam emails using the NAME field in the user's profile - J! will send the spam email on the first request of user registration - neither email verification nor other standard settings will help, please refer to my initial post.
I have just tested the websites of top Joomla extension developers from JED which use J! for their home site; any of their websites is subject to sending spam links through the "Name" field during user creation.
I have tested magazine.joomla.org, Akeeba.com, regularlabs.com, crosstec.org, jevents.net etc.
So all admins and Joomla.org admins are incompetent?
It's not a Joomla Management Issue - it's a J! Core issue, since only hardcoding may solve the problem.
I don't think this must be fixed with any third-party plugin, which is always subject to compatibility or update issues, but by a core update.
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam registrations - links in user Name fields
moving topic to administration - not a security issue.

bobby11 wrote: ↑Sun Sep 25, 2022 7:47 am
I think it's a J! problem, since I'm not referring to spam registrations as new fields in my database... but to spam registrations as a means to use J! core to spam within the internet - and a J! admin may only hardcode to avoid the issue.
J! core works like this:
1. It permits inserting a spam LINK in a user's NAME field;
2. admin can't disable the J! notification to the "new user" about its "new profile" (only a hard-code change may solve email sen

then report it as an issue - https://github.com/joomla/joomla-cms/issues https://issues.joomla.org/
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Spam registrations - links in user Name fields
Interesting (perhaps) but this demonstrates that (a) you're very resourceful and (b) this forum and other *.joomla.org websites have management problems.
Perhaps this topic should be moved to another forum, e.g. Sites & Infrastructure - Feedback/Information
I concede that my first observations about CAPTCHA have nothing to do with what we're discussing now.
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
Re: Spam registrations - links in user Name fields
mandville wrote: ↑Sun Sep 25, 2022 12:43 pm
then report it as an issue - https://github.com/joomla/joomla-cms/issues https://issues.joomla.org/

Hi mandville, do I need to report the issue to git or have you already made any kind of copy-paste to the section?
unfortunately I'm just a victim, since my 60+ installations which require registration face the issue, and since they share the same email address because they refer to the same project, my concerns are about avoiding the blacklisting of my main project domain and mail address, if it's possible...

"*.joomla.org websites have management problems."

I appreciate that you follow the topic a lot, but I disagree that this is something about "bad management". Because it would be so if there was any workaround to implement, something to set up or configure - something related to "management". I have found no solution in J! core, nor in JED....
Currently there are only 2 ways to avoid the issue:
1. Set up to DISALLOW J! core registration to users - such a solution is not always possible and does not fix the core issue.
2. Hardcode J! and add a REGEX with excluded characters for the mail "subject" and the "name" field in the email body (but considering I manage 60+ J! installations under one project, it's another headache on each core update...)

"I concede that my first observations about CAPTCHA have nothing to do with what we're discussing now."

Great, and thanks) I like J! since I have used it for many years and take part in events which are organized in Europe. So my concern first of all was to understand if I maybe have missed something, and if not, to understand how to fix the issue in a practical way...
thank you all and have a nice day
Last edited by toivo on Sun Sep 25, 2022 10:06 pm, edited 1 time in total.
Reason: mod note: missing quote tag
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Spam registrations - links in user Name fields
I didn't use the term "bad management"; I merely stated that this matter is a website management issue.
This may be of interest to the managers of the several *.joomla.org websites. I don't think it's an issue for ordinary members of the community who create and maintain their own websites with J!.
-
- Joomla! Hero
- Posts: 2867
- Joined: Fri Jul 05, 2013 10:35 am
- Location: Parts Unknown
Re: Spam registrations - links in user Name fields
bobby11 wrote: ↑Sun Sep 25, 2022 10:00 pm
Currently there are only 2 ways to avoid the issue:
1. Set up to DISALLOW J! core registration to users - such a solution is not always possible and does not fix the core issue.
2. Hardcode J! and add a REGEX with excluded characters for the mail "subject" and the "name" field in the email body (but considering I manage 60+ J! installations under one project, it's another headache on each core update...)

You seem to know some PHP. Why don't you write a proper plugin instead of hacking core over and over again?
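
The name check such a plugin would need, as an added example that is not part of the thread and not Joomla core or extension code: it rejects links, control characters and over-long values in the submitted Name while still accepting names in any script. The function name `rejectReasonForName`, the allowed character set, the 50-character cap and the sample inputs are assumptions made for illustration; wiring it into a user plugin (for instance Joomla's `onUserBeforeSave` event, refusing the save on a non-null result) is assumed and not shown.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla core code. rejectReasonForName() is a
// hypothetical helper; the character set and 50-character cap are assumptions.
// Run it on the SUBMITTED value, before the account email is composed:
// the first post notes that shrinking the DB column did not change the mail.
// Needs PHP 7.1+ and the mbstring extension (for mb_strlen()).

/** Returns null if the display name is acceptable, else a reason string. */
function rejectReasonForName(string $name, int $maxLen = 50): ?string
{
    // Invalid UTF-8 makes every /u pattern below fail, so test it first.
    if (preg_match('//u', $name) !== 1) {
        return 'invalid UTF-8';
    }
    // CR, LF and other control characters never belong in a name, and
    // the name ends up in the subject and body of the account email.
    if (preg_match('/\p{Cc}/u', $name) === 1) {
        return 'control character';
    }
    $name = trim($name);
    if ($name === '') {
        return 'empty';
    }
    if (mb_strlen($name, 'UTF-8') > $maxLen) {
        return 'too long';
    }
    // Link markers: "://", any slash, "www.", or a host-like "word.tld".
    // "J. R. Tolkien" passes; "Dr.Smith" (no space) is rejected, which is
    // the price of catching "example.com".
    $link = '~://|[/\\\\]|(?<![\p{L}\p{N}])www\.|[\p{L}\p{N}-]+\.\p{L}{2,}~iu';
    if (preg_match($link, $name) === 1) {
        return 'looks like a link';
    }
    // Allowlist: letters and combining marks of any script, plus space,
    // period, hyphen, ASCII apostrophe and U+2019, so "O'Brien",
    // "Jean-Luc" and Cyrillic names pass while digits and other
    // punctuation do not.
    if (preg_match('/^[\p{L}\p{M} .\'\x{2019}-]+$/u', $name) !== 1) {
        return 'disallowed character';
    }
    return null;
}

// Constructed sample inputs (not taken from any real registration).
$samples = [
    "Mary O'Brien",
    'Jean-Luc Picard',
    'Мария Иванова',
    'J. R. Tolkien',
    'Claim your prize: https://spam.example/win',
    'visit www.spam.example',
    'spam.example',
    "Bob\r\nSmith",
    str_repeat('a', 51),
];
foreach ($samples as $s) {
    $reason = rejectReasonForName($s);
    printf("%-22s %s\n", $reason ?? 'accept', json_encode($s, JSON_UNESCAPED_UNICODE));
}
```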
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam registrations - links in user Name fields
you are the one experiencing the issue therefore you need to report it
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Webdongle
- Joomla! Master
- Posts: 44024
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Spam registrations - links in user Name fields
Set New User Registration to 'Administrator'. They need to confirm their email address first then Admin needs to allow them.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
- Webdongle
- Joomla! Master
- Posts: 44024
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Spam registrations - links in user Name fields
It will not prevent them using spurious user names but it will prevent them from being activated. You can then batch delete them at various intervals.
You can also ban domain names if there are any bogus registrations frequently from a given email address.
You can block specific IP addresses in the .htaccess
Although having a character limit for the Name and username fields would be a good feature.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Jan 26, 2011 2:23 pm
Re: Spam registrations - links in user Name fields
[ redacted ]
Please read the first post in the topic, and try to replicate the issue. After that reply here - sorry but all of these measures make no sense for the issue.
Last edited by toivo on Tue Sep 27, 2022 9:30 pm, edited 1 time in total.
Reason: mod note: unnecessary quote removed
- Webdongle
- Joomla! Master
- Posts: 44024
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Spam registrations - links in user Name fields
I have read the first post and have replicated the issue. As I said "...having a character limit for the Name and username fields would be a good feature." However there is nothing to stop registrations like that. All that can be done is mitigate the circumstances by the methods I have suggested. Perhaps you could raise an issue in https://issues.joomla.org/ ?
Not being able to restrict the length of Name and Username might be considered a bug? It might be considered a bug to allow spaces in the Username?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Enthusiast
- Posts: 132
- Joined: Thu May 13, 2010 4:43 am
- Location: Athens Greece
Re: Spam registrations - links in user Name fields
@Bobby11
There is a paid Pro extension from Kubik-Rubik that does what you need and is available for Joomla 3 & 4.
Added "Block links in name field" option. This option detects (spam) links in the name input field and stops the account creation process.
https://kubik-rubik.de/downloads/erc-ea ... omla-3-pro
https://kubik-rubik.de/downloads/erc-ea ... omla-4-pro
I absolutely love using his extensions and currently use anywhere between 12 and 15 of them on most of my sites. He also has great support and response time!
In the meantime I'd recommend reporting the issue so it can be fixed in the Joomla core.
kind regards,
Michael