Spam User Registration ??
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- eskwire
- Joomla! Enthusiast
- Posts: 118
- Joined: Sun Sep 25, 2005 3:57 pm
- Location: Atlanta, GA
- Contact:
Re: Spam User Registration ??
Thanks for this thread, for whatever reason my spam signups have jumped to 10 to 20 per day times 10 websites and that turns out to be quite a few emails.
I have been working with some of the different reCaptcha plugins and have them working but I am not sure it is slowing down the bots. Have some more testing to do.
1. If you have recaptcha on the user sign up form, is it possible for a bot to get past this without entering the text correctly? Perhaps a way the bot could go straight to the database?
2. I use sh404SEF, if I turn on project honeypot will site performance suffer?
After a little more testing I hope to write up my results to hopefully help others.
Thanks!
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Spam User Registration ??
I use sh404sef with project honeypot, I have not found a big difference in performance. And it is effective in stopping a lot of spam, I have found it stops most, where a small amount slips through the net it is usually possible to ban the rest by IP address.
I would certainly recommend trying it, if it does not work for you then you can always stop using it again. Project Honeypot is a great service in my opinion.
It is my understanding that some bots can now read some captchas, that might be how they are getting through.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Guru
- Posts: 730
- Joined: Tue Oct 28, 2008 11:06 pm
- Location: NE Florida
- Contact:
Re: Spam User Registration ??
I have same problem except that they are registering from India to try to post classified ads. In my case I turned OFF registrations in the global configuration yet they are still able to register.
My login forms and registration forms ( when active ) use captcha as well.
I removed the links to register from the site as well. It still has not prevented them from creating a user account.
( They cannot post ads without my approving them however. Using AdsManager )
I am not certain that the extension Adsmanager is not creating a back door but since they have locked their forums and have removed their contact us form I assume no one is minding that extension any longer.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Spam User Registration ??
I think you are right this might be something to do with ads manager.
Certainly it should be the case that disallowing user registration in your site configuration should effectively block any registration, the Joomla user component definitely checks for this before allowing any registration, and I have found that to be effective in the past in blocking spammy registrations.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Guru
- Posts: 730
- Joined: Tue Oct 28, 2008 11:06 pm
- Location: NE Florida
- Contact:
Re: Spam User Registration ??
fcoulter wrote:I think you are right this might be something to do with ads manager.
Certainly it should be the case that disallowing user registration in your site configuration should effectively block any registration, the Joomla user component definitely checks for this before allowing any registration, and I have found that to be effective in the past in blocking spammy registrations.
I tend to agree but am confounded by how AdManager is able to circumvent the Joomla setting to not allow registrations since those are registering as Joomla members. Also there are no links to any registration forms any longer. In fact I even deleted the /component/com_user/register files.
There must be some hack they are using. Problem is there is no longer any help available from AdsManager site as the forum is locked closed. I like this program better than others I have tried.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Spam User Registration ??
I just took a look at ads manager, it contains the following function (in adsmanager.php at line 2184)
Code: Select all
function saveRegistration($comprofiler) {
    global $database, $acl,$mosConfig_absolute_path;
    // simple spoof check security
    //josSpoofCheck();
    $row = new mosUser( $database );
    if (!$row->bind( $_POST, 'usertype' )) {
        mosErrorAlert( addslashes(end($row -> getErrors())) );
    }
    mosMakeHtmlSafe($row);
    $row->id = 0;
    $row->usertype = '';
    $row->gid = $acl->get_group_id( 'Registered', 'ARO' );
    if (!$row->check()) {
        echo "<script> alert('".addslashes(end($row -> getErrors()))."'); window.history.go(-1); </script>\n";
        exit();
    }
    $row->password = md5( $row->password );
    $row->registerDate = date( 'Y-m-d H:i:s' );
    if (!$row->store()) {
        echo "<script> alert('".addslashes(end($row -> getErrors()))."'); window.history.go(-1); </script>\n";
        exit();
    }
    $row->checkin();
    $database->setQuery( "SELECT u.id "
    . "\nFROM #__users u "
    . "\nWHERE u.username='".$row->username."'"
    );
    $userid = $database->loadResult();
    if ($comprofiler > 0)
    {
        $lastname = mosGetParam( $_POST, 'name', "" );
        $firstname = mosGetParam( $_POST, 'firstname', "" );
        $middlename = mosGetParam( $_POST, 'middlename', "" );
        $query = "INSERT INTO #__comprofiler (id,user_id,firstname,middlename,lastname) VALUES ('$userid' ,'$userid' ,'$firstname','$middlename','$lastname')";
        $database->setQuery($query);
        $database->query();
    }
    return $userid;
}
This is clearly a user registration function which bypasses com_user, and ignores the site configuration - it is surely the source of your problem. If you really want to use this extension I suggest deleting the function code so that it is just a stub, eg
Code: Select all
function saveRegistration($comprofiler) {
    return 0;
}
Another reason for doing that is that the query
Code: Select all
$database->setQuery( "SELECT u.id "
. "\nFROM #__users u "
. "\nWHERE u.username='".$row->username."'"
);
seems to be vulnerable to SQL injection, since $row->username does not appear to be escaped, unless I am missing something. I am not particularly familiar with Joomla 1.0, so can't say for sure.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
can i have the developers site for adsmanager to check it out, thanks
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Spam User Registration ??
It seems to be http://www.joomprod.com/ - that's all I know. According to the comments in the JED it is no longer supported.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Guru
- Posts: 730
- Joined: Tue Oct 28, 2008 11:06 pm
- Location: NE Florida
- Contact:
Re: Spam User Registration ??
Yes...I went there first for help but the lights are out! I am not a programmer but will take a stab at modding that file keeping a copy of the original to see what happens when legally registered users try to log in to post an ad.
Thanks...I will post results
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Spam User Registration ??
Good luck with that. Personally I would recommend not using this extension. Even if I am wrong about the previous query, the following one
Code: Select all
$query = "INSERT INTO #__comprofiler (id,user_id,firstname,middlename,lastname) VALUES ('$userid' ,'$userid' ,'$firstname','$middlename','$lastname')";
surely is vulnerable to SQL injection, since the '$firstname','$middlename','$lastname' parameters come directly from POST values.
The fact that there seem to be so many problems in one function is not exactly encouraging about the rest of the extension. It looks insecure to me and you are risking the security of your site by using it.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Apprentice
- Posts: 9
- Joined: Thu Aug 31, 2006 12:48 pm
Re: Spam User Registration ??
Hello,
I am the author of this quite old component.
The code that you mentioned here is only activated when a specific option is activated in adsmanager (option: allow adsmanager for automatic registration).
I didn't have the time right now to check if there is a real issue, but if you think, this could be a real issue just don't use this option and that is all
Thomas
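The two concerns raised about saveRegistration earlier in this thread (account creation that ignores the site's registration switch, and request values placed directly into SQL text), shown as an added stand-alone example that is not AdsManager's, Joomla's or any poster's code. It assumes PHP with PDO and an in-memory SQLite database as a stand-in for the site database; the table layout, function names and sample input are constructed for illustration.

```php
<?php
// Added example: stand-alone sketch, not AdsManager or Joomla code.
// An in-memory SQLite database (PDO) stands in for the site database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec('CREATE TABLE jos_comprofiler (id INTEGER, user_id INTEGER, '
        . 'firstname TEXT, middlename TEXT, lastname TEXT)');

// Pattern quoted in the thread: request values interpolated into the SQL text.
function saveProfileConcatenated(PDO $db, int $userid, array $post): bool
{
    $lastname   = $post['name'] ?? '';
    $firstname  = $post['firstname'] ?? '';
    $middlename = $post['middlename'] ?? '';
    $query = "INSERT INTO jos_comprofiler (id,user_id,firstname,middlename,lastname) "
           . "VALUES ('$userid','$userid','$firstname','$middlename','$lastname')";
    try {
        $db->exec($query);
        return true;
    } catch (PDOException $e) {
        // A quote character inside a value changed the structure of the statement.
        return false;
    }
}

// Hardened form: honour the site-wide registration switch, then bind every value.
function saveRegistrationHardened(PDO $db, bool $allowRegistration, array $post): int
{
    if (!$allowRegistration) {
        return 0; // registration disabled in the site configuration: create nothing
    }
    $username = trim((string) ($post['username'] ?? ''));
    if ($username === '') {
        return 0;
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('INSERT INTO jos_users (username) VALUES (?)');
        $stmt->execute([$username]);
        $userid = (int) $db->lastInsertId();

        $stmt = $db->prepare('INSERT INTO jos_comprofiler '
            . '(id, user_id, firstname, middlename, lastname) VALUES (?, ?, ?, ?, ?)');
        $stmt->execute([
            $userid,
            $userid,
            (string) ($post['firstname'] ?? ''),
            (string) ($post['middlename'] ?? ''),
            (string) ($post['name'] ?? ''),
        ]);
        $db->commit();
        return $userid;
    } catch (PDOException $e) {
        $db->rollBack();
        return 0; // for example, a duplicate username
    }
}

// Constructed sample input: an ordinary surname containing an apostrophe.
$post = ['username' => 'pobrien', 'firstname' => 'Pat', 'middlename' => '', 'name' => "O'Brien"];

var_dump(saveProfileConcatenated($db, 1, $post));      // concatenated query, apostrophe in a value
var_dump(saveRegistrationHardened($db, false, $post)); // registration switched off
var_dump(saveRegistrationHardened($db, true, $post));  // registration on, bound parameters
var_dump($db->query('SELECT lastname FROM jos_comprofiler')->fetchColumn());
```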
-
- Joomla! Guru
- Posts: 730
- Joined: Tue Oct 28, 2008 11:06 pm
- Location: NE Florida
- Contact:
Re: Spam User Registration ??
Thanks. I have that feature turned off but it is still allowing people to create Joomla users ( which is also turned off ) and create ads. Of course they are not appearing inline because I don't approve them. Bottom line there is a problem. I have tried some of the other classifieds extensions and liked this the best until this problem became apparent. Hope you fix it sometime.
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog
-
- Joomla! Guru
- Posts: 643
- Joined: Mon Nov 07, 2005 3:45 am
- Contact:
Re: Spam User Registration ??
i have my setting set to "membership needed to post an ad" and the page indeed takes people to the registration page. this should be removed from the extension list. it was a good extension while it lasted - thanks.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
all 1.0.x were removed from the JED so wherever you're getting it from - don't bother -
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Guru
- Posts: 643
- Joined: Mon Nov 07, 2005 3:45 am
- Contact:
Re: Spam User Registration ??
so, the 1.5.x version is safe?
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
http://docs.joomla.org/Vulnerable_Extensions_List
Please check with the extension publisher in case of any questions over the security of their product.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Apprentice
- Posts: 38
- Joined: Thu Oct 19, 2006 11:19 am
Re: Spam User Registration ??
Is there a plug in that can require the real name and username be different? Seems that all of the spam regs I get have the same real name and username.
I tried a recaptcha for a while and was having some folks on Safari filling it out correctly, but they couldn't get registered. Don't want to throw out the baby with the bathwater...
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
plugins for j1.0.x are no longer listed on the JED, have a look in the joomla 1.0.x extension forum for some ideas
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Apprentice
- Posts: 38
- Joined: Thu Oct 19, 2006 11:19 am
Re: Spam User Registration ??
ugh - didn't notice this was a 1.0 extension forum...
-
- Joomla! Apprentice
- Posts: 25
- Joined: Wed Apr 22, 2009 6:28 pm
Bringing up an old topic.
EDIT: Likewise, I didn't realize this was a 1.0 forum. My problem is based on 1.5. Hope this can be moved to the appropriate forum.
I have disabled registration forms in CB, Joomla, and Kunena on my Joomla website. Still bots are forcing registration by using their own forms (or seem to be) using the URL to my website.
I have never made a Joomla plugin before so maybe one of the good Samaritans on this forum could build one based on the suggestions for auto-blocking spam using the information provided below.
http://www.rubyrobot.org/article/protec ... m-spambots
If YOU do generate the plugin (or component as this is very capable of becoming) I'm sure we'd all be more than grateful and would return the favor by a generous link back to the website of the creator or maybe sporting a nice "Website Protected By" flag. ...I would anyway.
Hope this is possible and taken advantage of.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
as it would be hard to split the appropriate posts, perhaps a new post in the 1.5 forums, probably administration as spam isn't really a security issue
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- FidelGonzales
- Joomla! Guru
- Posts: 584
- Joined: Thu Nov 03, 2005 12:10 am
- Location: Hesperia, California, USA
- Contact:
Re: Spam User Registration ??
This may be worth giving a try.
http://extensions.joomla.org/extensions ... ation/7319
So far, it seems to have made a formidable improvement without causing issues.
http://www.MediaArmory.com - WEB | PHOTO | WRITE | MARKETING | DESIGN
http://www.DirtArmory.com - Off Road Sports Lifestyle
-
- Joomla! Fledgling
- Posts: 1
- Joined: Wed Nov 03, 2010 8:53 am
Re: Spam User Registration ??
I use version 1.5.21 and regularly updated at last version and I have the same problem with too much spam user registration. I use captcha image, new user activation -> NO.
I believe the problem is in the joomla core and this spam user registration is caused by a "sql injection". Therefore installing add-on components is not the best solution. Instead, in order to stop this "spam registrations", I believe it would be better to work on the joomla core.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Sat Dec 25, 2010 6:04 pm
Re: Spam User Registration ??
is there any free version of 404sef.
ps. does honeypot work on its own, or do you have to block the ip addresses?
Last edited by mandville on Tue Dec 28, 2010 6:31 pm, edited 1 time in total.
Reason: Bump posts deleted. Please see forum rules
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jul 29, 2011 5:56 pm
Re: Spam User Registration ??
We also have same problem of SPAM user on our website...users are from russia. We have facility of registration from front end and the form doesn't contain captcha.
However, I feel that user is not using our registration form to create these SPAM users since SPAM users have not been registered in the "Other Component" published on our website.
Is it possible that SPAM users are directly hitting com_user to create these SPAM users or that is not possible at all.
If they are using our registration form only then why those are not appearing in other Component.
I am fed up....please help...........
-
- Joomla! Apprentice
- Posts: 7
- Joined: Sun Sep 26, 2010 9:06 am
- Location: Hanoi
- Contact:
Re: Spam User Registration ??
Please Install this plugin: http://extensions.joomla.org/extensions ... tcha/13876
http://www.dieutridau.com
Điều trị đau .com - Dispel the pain!
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
dieutridau wrote:Please Install this plugin: http://extensions.joomla.org/extensions ... tcha/13876
this is a J1.0 topic not a j1.5 topic.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Apr 25, 2013 3:55 pm
Re: Spam User Registration ??
I was having this same problem after our web developer transferred our website to a new server. (We're using Joomla 2.5) We were getting dozens of spam registrants a day. After reading here and getting advice from other folks, I learned how to fix the problem. (so far)
1. I changed all the passwords for each administrator. (Just a cautionary step)
2. ReCaptcha was turned off for some reason. I re-enabled it. (Spammers still coming through)
3. Under "Users Manager" changed setting to the following - Allow User Registration = No.
4. Under "Global Configuration" select the "Permissions" tab. Go to the Public selection, under Site Login, select Denied.
(Make sure to Save.)
Note: As soon as I changed the settings under step 4, the spam registrants stopped immediately. So in changing that, I'm guessing it stops the public from logging into the front/back end of the site.
I tried installing extensions, which didn't apply to my problem, and was about to insert a hidden text field but found some negatives in doing that. So I spent hours trying to find another solution and this seems to work the best. *Relief*
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spam User Registration ??
poruca wrote:I was having this same problem after our web developer transferred our website to a new server. (We're using Joomla 2.5)
these options do not apply to joomla 1.0.x
as there seems to be a trend in necroposting irrelevant information to this topic, it will be locked
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/