blocking certain countries from registering

[gofer123]

Hi folks,
I've got a Joomla 3.9.22 site with a online shopping (Virtuemart) and we are receiving a lot of bogus registrations from a certain country. We only sell into Australia and New Zealand so I would like to block other countries if possible?
Thanks in advance
Cheers

[AMurray]

Some general suggestions below:

(1) Block IP's or range of IP's - see https://htaccessbook.com/block-ip-address/.

(2) Use a security extension (firewall) capable of blocking IP's) - https://extensions.joomla.org/tags/site-security/

(3) Deny use of certain email domains (gmail, hotmail,yahoo etc). There might be disadvantages here especially if your users use those sorts of emails, but it could help to reduce the spam registrations.

Users would need to use an email associated with their ISP e.g.

Code: Select all

someone@bigpond.com, someone@iinet.net.au

and so on.

You could try any or all of these methods but maybe sparingly as you don't want to block yourself from your own site.

[sozzled]

@AMurray has some worthwhile suggestions but I'll cut to the chase and say that none of the so-called bock-by-country mechanisms that I've researched (and used) is effective. Blocking site access by IP address/range overcomes some of the more simple efforts that people use but they can be easily worked around with techniques like fast flux networks (where the IP address of the attack source changes every few seconds) and it's like playing whack-a-mole to defeat them.

Some people put their faith in CAPTCHA or other prove-you-are-a-human methods but these are no better than IP blocking in my view. One method that works well for me is the prove-you-have-a-valid-email-account-before-you-register and this is more effective than many others I've tried. None of these methods is bullet-proof.

Look at this forum: 95% of all new account registrations are either 'bot-generated, bogus or never used by the people (or objects) that created them.

If you want a bullet-proof solution to prevent bogus account registrations, charge a nominal fee as part of the registration procedure. Although that may reduce the "attraction" to register at your website you can be assured that people who pay a few cents are serious in wanting to use your website and the services you provide. The final choice, of course, is up to you. Good luck.

[gofer123]

Thank you very much guys, I will look at all those suggestions.
Cheers

[waarnemer]

in the captcha field, hashcash by Michael Richey does block automated account registrations..
stupid thing though... e commerce extensions (and others) do not always respect the core captcha settings and plugins.. if you are using Joomla registration method, hashcash may help.

for some odd reason devs on a lot of extensions think they can do better than core plugins..

there is an option you may check if you are in control of your server.
have fail2ban installed.
if I am correct, access and or error log do keep the traces on the registration page in Joomla and also Virtuemart.. find a pattern in the logs that fail2ban can use as a trigger.
fail2ban will then block the IP for your website (and all else on that server since it interacts with the firewall)

A bot will fail to register as there is no field or input in the hashcash captcha method on the registration page.
Registration fails on a retry and retry and retry... fail2ban sees x retries and you do set a x retry treshold then block...

[gofer123]

Thank you for that, I will check that out also
Cheers

[sozzled]

... hashcash by Michael Richey does block automated account registrations ...

Do you think something like that would prevent the hundreds of bogus registrations each week at this forum?

[waarnemer]

@sozzled.. well simply said: ..it does.

this plugin doesn't rely on a third party "find a tree, car, bike, bridge, cross-roads" puzzle that is out there for anyone to hack or trick.

and yes it blocks all automated account registrations .. and all automated contact form requests and all..
unfortunately there are extension developers that do not include the core captcha feature in their forms.
They don't know or worse sell it as a paid feature to use a lowsy constructed Google Captcha.. the ones that are hacked first...

Anyway hashcash is blocking any automated form submit on your site.
If you are still having doubts but also you are having full server control and use a tool like fail2ban, you can use your current access log patterns or even modify the plugin to file an error_log on a failed attempt.. x amount of errors from an IP.. kaboom.. blocked for the entire server... immediately protecting any other service you are running on that machine.


However, it does not block the low-cost-labour-country-spam-farms that use real people to manually fill out a form.


But blocking on this forum.. probably not as there is only a joomla plugin, no phpbb.. at least not that I know of...

[huyhoa]

Hi folks,
I've got a Joomla 3.9.22 site with a online shopping (Virtuemart) and we are receiving a lot of bogus registrations from a certain country. We only sell into Australia and New Zealand so I would like to block other countries if possible?
Thanks in advance

Do you mean block access to your site or block register member?

[gws]

Admin tools pro has the function to block countries via their IP address,how effective that actually is I don't know.

[pe7er]

IMHO blocking (or allowing) certain IP ranges might not be very successful. It's easy to circumvent using a VPN.

Are you using a Captcha check against automated spam bots on your registration form?

[xman-logan]

You should use Captcha, browse to plugins and search for captcha. Register and obtain your keys and then enable the site to use captcha in global configuration.

For country blocking, region and IP...I personally prefer rs_firewall.

Best Wishes.