Spam registrations - links in user Name fields

bobby11
Joomla! Apprentice
Posts: 27
Joined: Wed Jan 26, 2011 2:23 pm

Spam registrations - links in user Name fields

Post by bobby11 » Thu Sep 22, 2022 8:40 am

Hi there,

I have a lot of bot registrations targeting the Joomla native registration module on my business directories project, [ redacted ] and [ redacted ].

A spam message is inserted in the User > "Name" field. Bots use the following as the Name field:
"Congratulations! Get your GOSLOTO gift ticket: [ redacted ]"

As a result, the targeted email address will get a "system message" from our Joomla about "account creation", and it will look like the following (see image https://freeimage.host/i/s9UZcF ) :pop

I have Google reCAPTCHA configured for user registration; this helped to reduce the rate of registrations from 300+ a day to nearly 3-5 a day.
I have reduced the field max length in the DB to 30 characters... but the issue still persists, because the message is sent with the value inserted by the bot and not the DB value of the Name field in "Users". :eek:

How is it possible that the user profile allows a full link with special characters like "://" to be used in the User > Name field? How can it be fixed?

I have Joomla 3.10; however, the security hole is the same in the Joomla 4.x version...
Last edited by toivo on Thu Sep 22, 2022 8:49 am, edited 2 times in total.
Reason: mod note: inaccessible URLs removed, kudos removed - please observe the forum rules!

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam registrations - links in user Name fields

Post by mandville » Thu Sep 22, 2022 6:14 pm

just to clarify,
this does not seem to be a "security hole", i.e. are they able to hack your site by doing this?
the fact that the user name field allows URLs is your real concern, is it not?
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

SharkyKZ
Joomla! Hero
Posts: 2867
Joined: Fri Jul 05, 2013 10:35 am
Location: Parts Unknown

Re: Spam registrations - links in user Name fields

Post by SharkyKZ » Fri Sep 23, 2022 6:01 am

Have you looked for plugins on JED? There's this https://extensions.joomla.org/extension ... usernames/. It hasn't been updated in a while but it does work on J4 and PHP 8.

Re: Spam registrations - links in user Name fields

Post by bobby11 » Sun Sep 25, 2022 7:21 am

mandville wrote:
Thu Sep 22, 2022 6:14 pm
just to clarify,
this does not seem to be a "security hole", i.e. are they able to hack your site by doing this?
the fact that the user name field allows URLs is your real concern, is it not?
Hi, yes exactly - it's a plain "spam hole".
As I said, even after Google reCAPTCHA activation (Google reCAPTCHA's "Security Preference" is already set to most secure - it helps a lot, but does not exclude all spam) I continue to get registrations which use my server as a spam resource and put my email domain at risk of blacklisting...
SharkyKZ wrote:
Fri Sep 23, 2022 6:01 am
Have you looked for plugins on JED? There's this https://extensions.joomla.org/extension ... usernames/. It hasn't been updated in a while but it does work on J4 and PHP 8.
I saw this one, but it covers the "username" field; the issue I referred to is the "Name" field in the user profile.
Just try for yourself how it works...

It's very strange that no one has put this "spam hole" on Joomla's roadmap, since I saw that this issue was discussed several times on the web without any valid stable solution, and the Joomla community has ignored the issue...

P.S. A possible Joomla core update could be: a REGEX rule excluding any NON-WORD characters will suit all languages, since no country permits a DOT, COMMA or any SPECIAL CHARACTER in a NAME FIELD...
Last edited by bobby11 on Sun Sep 25, 2022 7:39 am, edited 1 time in total.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Spam registrations - links in user Name fields

Post by sozzled » Sun Sep 25, 2022 7:40 am

Ahhhh ... spam registrations and why all those CAPTCHA methods don't work ... :laugh:

No website is protected by CAPTCHA: this discussion forum site is a good example of that ... :p

There have probably been more discussions about spam registrations (and even more "suggestions" to use third-party extensions) than on any other subject in this forum or anywhere else on the internet. Therefore, I won't offer my suggestions (even though they are 99.99% effective in combating spam/bogus registrations) and I'll let you guys fight this one out amongst yourselves. :pop

It's not a J! problem. It's a website management problem. :)

Re: Spam registrations - links in user Name fields

Post by bobby11 » Sun Sep 25, 2022 7:47 am

sozzled wrote:
Sun Sep 25, 2022 7:40 am
Ahhhh ... spam registrations and why all those CAPTCHA methods don't work ... :laugh:

There have probably been more discussions about spam registrations (and even more "suggestions" to use third-party extensions) than on any other subject in this forum or anywhere else on the internet. Therefore, I won't offer my suggestions (even though they are 99.99% effective in combating spam/bogus registrations) and I'll let you guys fight this one out amongst yourselves. :pop

It's not a J! problem. It's a website management problem. :)

I think it's a J! problem, since I'm not referring to spam registrations as new fields in my database... but to spam registrations as a means to use J! core to spam across the internet - and a J! admin can only hardcode to avoid the issue.

J! core works like this:
1. It permits inserting a spam LINK in a user's NAME field;
2. The admin can't disable the J! notification to the "new user" about their "new profile" (only a hard-coded change can solve the email sending);

If J! gave any core-built control over point 1 or 2, then spam registrations would no longer be a J! project issue, or do you disagree?

Re: Spam registrations - links in user Name fields

Post by sozzled » Sun Sep 25, 2022 8:07 am

It's not a "J! problem" otherwise there would be thousands of people flooding this forum with this question and those same people would be abandoning J! in their thousands. It's a website management problem.

I reject the suggestion that the onus for fixing this matter falls entirely on the J! development team. If that were the case then the team has evidently been delinquent in this area for the past seventeen years. Come on, don't you think you're exaggerating the problem? Just how do "spam registrations" (whatever that means) "use the J! core to spam within the internet?" Again, that's a website management problem. If you allow people to create bogus accounts on your website then you allow them to do whatever you allow them to do. :)

I think you've taken one plus one and come up with three. ;)

bobby11 wrote:
Sun Sep 25, 2022 7:47 am
J! core works like this:
1. It permits inserting a spam LINK in a user's NAME field
See viewtopic.php?t=940016 for further thoughts on this.

Re: Spam registrations - links in user Name fields

Post by bobby11 » Sun Sep 25, 2022 10:45 am

sozzled wrote:
Sun Sep 25, 2022 8:07 am
"spam registrations" (whatever that means)
- if you haven't understood the issue I refer to - please check my first post to understand the problem.
P.S. Check your PM; I sent an example to your email using the joomla.org website. :pop
See viewtopic.php?t=940016 for further thoughts on this.
This topic refers to "username" - the issue I focus on is regarding the "name" field.
If you allow people to create bogus accounts on your website then you allow them to do whatever you allow them to do.

The J! core user creation on the frontend is the issue. Any Joomla with a standard core is liable to send spam emails using the NAME field in the user's profile - J! will send the spam email on the first request of user registration - neither email verification nor other standard settings will help; please refer to my initial post.

I have just tested the websites of top Joomla extension developers from JED which use J! for their home site; any of their websites is liable to send spam links through the "Name" field during user creation.
I have tested magazine.joomla.org, Akeeba.com, regularlabs.com, crosstec.org, jevents.net etc.
So all admins and Joomla.org admins are incompetent?

It's not a Joomla management issue - it's a J! core issue, since only hardcoding can solve the problem.
I don't think this should be fixed with any third-party plugin, which is always subject to compatibility or update issues, but by a core update.

Re: Spam registrations - links in user Name fields

Post by mandville » Sun Sep 25, 2022 12:43 pm

sozzled wrote:
Sun Sep 25, 2022 7:40 am
Ahhhh ... spam registrations and why all those CAPTCHA methods don't work ... :laugh:
It's not a J! problem. It's a website management problem. :)
moving topic to administration - not a security issue.
bobby11 wrote:
Sun Sep 25, 2022 7:47 am
I think it's a J! problem, since I'm not referring to spam registrations as new fields in my database... but to spam registrations as a means to use J! core to spam across the internet - and a J! admin can only hardcode to avoid the issue.

J! core works like this:
1. It permits inserting a spam LINK in a user's NAME field;
2. The admin can't disable the J! notification to the "new user" about their "new profile" (only a hard-coded change can solve the email sen
then report it as an issue - https://github.com/joomla/joomla-cms/issues https://issues.joomla.org/

Re: Spam registrations - links in user Name fields

Post by sozzled » Sun Sep 25, 2022 6:58 pm

bobby11 wrote:
Sun Sep 25, 2022 10:45 am
... check your PM, I sent you an example on your email using joomla.org website.
Interesting (perhaps) but this demonstrates that (a) you're very resourceful and (b) this forum and other *.joomla.org websites have management problems. :-\

Perhaps this topic should be moved to another forum, e.g. Sites & Infrastructure - Feedback/Information ???

I concede that my first observations about CAPTCHA have nothing to do with what we're discussing now. 8)

Re: Spam registrations - links in user Name fields

Post by bobby11 » Sun Sep 25, 2022 10:00 pm

mandville wrote:
Sun Sep 25, 2022 12:43 pm
then report it as an issue - https://github.com/joomla/joomla-cms/issues https://issues.joomla.org/
Hi mandville, do I need to report the issue to git, or have you already made any kind of copy-paste to the section?
sozzled wrote:
Sun Sep 25, 2022 6:58 pm
... (a) you're very resourceful
Unfortunately I'm just a victim, since my 60+ installations which require registration face the issue, and since they share the same email address because they refer to the same project, my concern is avoiding the blacklisting of my main project domain and mail address, if that's possible...
...*.joomla.org websites have management problems. :-\
I appreciate that you follow the topic a lot, but I disagree that this is something about "bad management". It would be so if there were any workaround to implement, something to set up or configure - something related to "management"; I have found no solution in J! core, nor in JED.
Currently there are only 2 ways to avoid the issue:
1. Set up J! to DISALLOW core registration for users - such a solution is not always possible and does not fix the core issue.
2. Hardcode J! and add a REGEX with excluded characters for the mail "subject" and the "name" field in the email body (but considering I manage 60+ J! installations under one project, it's another headache on each core update...) :eek:

I concede that my first observations about CAPTCHA have nothing to do with what we're discussing now. 8)
Great, and thanks) I like J!, since I have used it for many years and take part in events which are organized in Europe. So my concern first of all was to understand whether I had maybe missed something, and if not, to understand how to fix the issue in a practical way...

thank you all and have a nice day
Last edited by toivo on Sun Sep 25, 2022 10:06 pm, edited 1 time in total.
Reason: mod note: missing quote tag

Re: Spam registrations - links in user Name fields

Post by sozzled » Sun Sep 25, 2022 11:30 pm

I didn't use the term "bad management"; I merely stated that this matter is a website management issue.

This may be of interest to the managers of the several *.joomla.org websites. I don't think it's an issue for ordinary members of the community who create and maintain their own websites with J!.

Re: Spam registrations - links in user Name fields

Post by SharkyKZ » Mon Sep 26, 2022 5:40 am

bobby11 wrote:
Sun Sep 25, 2022 10:00 pm
Currently there are only 2 ways to avoid the issue:
1. Set up J! to DISALLOW core registration for users - such a solution is not always possible and does not fix the core issue.
2. Hardcode J! and add a REGEX with excluded characters for the mail "subject" and the "name" field in the email body (but considering I manage 60+ J! installations under one project, it's another headache on each core update...) :eek:
You seem to know some PHP. Why don't you write a proper plugin instead of hacking core over and over again?
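
A sketch of the plugin route suggested in the post above, as an added example (not code from any poster in this thread, and not Joomla core): a Joomla 3 user plugin that refuses to save a new account whose Name carries a link, while still accepting apostrophes, hyphens and non-Latin letters. The class name `PlgUserNamefilter`, the helper `isRejectedName()` and the 60-character limit are assumptions; a real plugin also needs its XML manifest and the usual `defined('_JEXEC') or die;` guard, left out here so the file also runs from the command line.

```php
<?php
// Added example: not Joomla core code and not written by anyone in this thread.
// Assumptions: Joomla 3 "user" plugin; PlgUserNamefilter, isRejectedName() and
// the 60-character limit are hypothetical choices. Needs the mbstring extension.

/**
 * True when a Name value should be refused: empty, too long, carrying a link,
 * or using characters outside letters, combining marks, space, apostrophe,
 * hyphen and dot. Letters of any script pass, so "Мария" is accepted.
 */
function isRejectedName($name, $maxLength = 60)
{
    $name = trim((string) $name);

    if ($name === '' || mb_strlen($name, 'UTF-8') > $maxLength) {
        return true;
    }
    // URL scheme ("https://") or a "www." prefix anywhere in the value.
    if (preg_match('~[a-z][a-z0-9+.-]*://|www\.~iu', $name)) {
        return true;
    }
    // Bare host such as "spam.example": label, dot, then two or more letters.
    // Trade-off: "St.John" typed without a space is refused as well.
    if (preg_match('~[\p{L}\p{N}-]+\.\p{L}{2,}~u', $name)) {
        return true;
    }
    return (bool) preg_match("~[^\p{L}\p{M} '’.-]~u", $name);
}

if (class_exists('JPlugin')) {
    class PlgUserNamefilter extends JPlugin
    {
        // Joomla 3 triggers onUserBeforeSave before storing a user record;
        // a plugin returning false makes the save fail.
        public function onUserBeforeSave($oldUser, $isNew, $newUser)
        {
            $name = isset($newUser['name']) ? $newUser['name'] : '';

            if ($isNew && isRejectedName($name)) {
                JFactory::getApplication()->enqueueMessage('Please enter a valid name.', 'warning');
                return false;
            }
            return true;
        }
    }
}

// Stand-alone check from the command line with constructed sample names.
if (PHP_SAPI === 'cli' && !defined('_JEXEC')) {
    $samples = array("Mary O'Brien", 'Jean-Luc Picard', 'Мария Иванова',
        'Prize: https://spam.example/x', 'visit spam.example now');
    foreach ($samples as $sample) {
        echo $sample, ' => ', isRejectedName($sample) ? 'rejected' : 'accepted', "\n";
    }
}
```

This relies on the registration flow stopping when the save fails, so that no account notification is composed for the refused value; confirm that on a test site before rolling it out.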

Re: Spam registrations - links in user Name fields

Post by mandville » Mon Sep 26, 2022 5:53 pm

bobby11 wrote:
Sun Sep 25, 2022 10:00 pm
Hi mandville, do I need to report the issue to git or you have already made any kind of copy past to the section?
You are the one experiencing the issue; therefore you need to report it.

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Spam registrations - links in user Name fields

Post by Webdongle » Mon Sep 26, 2022 6:15 pm

Set New User Registration to 'Administrator'. They need to confirm their email address first then Admin needs to allow them.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Re: Spam registrations - links in user Name fields

Post by bobby11 » Tue Sep 27, 2022 9:18 am

Webdongle wrote:
Mon Sep 26, 2022 6:15 pm
Set New User Registration to 'Administrator'. They need to confirm their email address first then Admin needs to allow them.
This will not solve the issue.

Re: Spam registrations - links in user Name fields

Post by Webdongle » Tue Sep 27, 2022 12:13 pm

It will not prevent them using spurious user names but it will prevent them from being activated. You can then batch delete them at various intervals.
You can also ban domain names if there are any bogus registrations frequently from a given email address.

You can block specific IP addresses in the .htaccess

Although having a character limit for the Name and username fields would be a good feature.

Re: Spam registrations - links in user Name fields

Post by bobby11 » Tue Sep 27, 2022 2:48 pm

[ redacted ]

Please read the first post in the topic, and try to replicate the issue. After that reply here - sorry, but all of these measures make no sense for the issue.
Last edited by toivo on Tue Sep 27, 2022 9:30 pm, edited 1 time in total.
Reason: mod note: unnecessary quote removed

Re: Spam registrations - links in user Name fields

Post by Webdongle » Tue Sep 27, 2022 3:44 pm

I have read the first post and have replicated the issue. As I said "...having a character limit for the Name and username fields would be a good feature." However there is nothing to stop registrations like that. All that can be done is mitigate the circumstances by the methods I have suggested. Perhaps you could raise an issue in https://issues.joomla.org/ ?
Not being able to restrict the length of Name and Username might be considered a bug? It might be considered a bug to allow spaces in the Username?

mkoontz
Joomla! Enthusiast
Posts: 132
Joined: Thu May 13, 2010 4:43 am
Location: Athens Greece

Re: Spam registrations - links in user Name fields

Post by mkoontz » Tue Sep 27, 2022 8:05 pm

@Bobby11

There is a paid Pro extension from Kubik-Rubik that does what you need and is available for Joomla 3 & 4.
Added "Block links in name field" option. This option detects (spam) links in the name input field and stops the account creation process.
https://kubik-rubik.de/downloads/erc-ea ... omla-3-pro

https://kubik-rubik.de/downloads/erc-ea ... omla-4-pro

I absolutely love using his extensions and currently use anywhere between 12 and 15 of them on most of my sites. He also has great support and response time!

In the meantime I'd recommend reporting the issue so it can be fixed in the Joomla core.



kind regards,

Michael

