ghostgeek
Regular


Joined: Jan 14, 2005
Posts: 93
Posted: Sat Dec 29, 2007 9:12 am
HELP!
I've recently moved my web server and did a fresh install of RavenNuke 2.10.01. I hoped this issue would have been resolved, but it has not.
Essentially, I'm getting a large number of automated subscriptions by spammers to my site. The last version of Nuke I was running on my old server, I could never seem to get the captcha function to work correctly. I was excited when I installed RavenNuke and captcha started working again! I figured this was the hole that these idiots were exploiting, and that finally implementing the captcha on my site would put an end to this nonsense.
Well, it hasn't. I continue to see a very large number of bogus subscriptions when I browse the nuke_users table. Without exception, they have added links to their user_website fields advertising porn, viagra, etc... I'd block their IP subnets, but I've also noticed that without exception, there is never an IP listed under the last_ip field - it's always a value of "0". The last_seen_blocker field also has a value of "0" for every one of these guys.
Again - these are validated subscribers in the nuke_users table - not people waiting to activate in nuke_users_temp.
Does anyone have any idea how to stop this? What hole(s) are these dolts exploiting to allow this? And why am I not able to see their IP addresses listed?
Any help is as always greatly appreciated!
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Dec 29, 2007 9:32 am
ghostgeek, I am running 2.10.01 on all my sites and I have ZERO of these. I did, however, once have someone manually create a user and then use that user to spam some comments, but he had to also manually do the spamming because I had the spam captchas turned on for all modules. He stopped after five articles because it just wasn't worth his time.
Are you sure this is only core RavenNuke files or have you added anything to it? If you are not seeing them being created with NukeSentinel's Tracked IPs queries, then it sounds like they are somehow getting added through some other hole/script.
BTW, PM me a link to your site if you don't mind. I'd like to take a look at the captcha.
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Sat Dec 29, 2007 4:17 pm
Would be nice to review the server logs as well.
If you have access to those, I'd be happy to go over them for you if you want to email them to webmaster<nospam>ATcode-authors.DOTcom
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
Posted: Sun Dec 30, 2007 1:55 am
My guess is that they are going through the Forums Registration; you'll want to set that at least to User Confirmation, if not Admin Confirmation. The other idea is just to disable it... I posted some simple code on this site to do just that.
montego

Posted: Sun Dec 30, 2007 9:38 am
Yes, I believe Evaders is correct as I see that you have forum registration enabled. (Sorry, didn't get to looking at it until this morning).
However, you also have another problem in that I never received the registration email (from a "proper" new user registration), so I suspect that your host may not have mail() enabled? Are you getting any of the emails?