Users registering in elgg without an email confirmation. Spamming in blogs

Elgg version: Release 1.7.2, Version 2010071002
The new users write spam blogs with repeated links to other sites.
http://eclug.co.uk/elgg/


An attempt to block some of the rogue spammers attempting to hack into this site in the last few days from the following IP addresses:
124.160.102.132
91.212.135.69
124.160.102.131
122.234.243.12
118.250.188.187

To block these IP addresses: in cPanel under SITE MANAGEMENT select IP DENY MANAGER, add the IP address and click "Add".
This has helped, but each day I have to delete even more unwanted blogs and anonymous logins.
As a temporary measure, in cPanel I password-protected the blogs directory.

The following plugins are used (as listed in the Tool Administration panel):

- header_menu: Adds a button bar menu below the header
- tinymce: TinyMCE plugin, embed multimedia, TinyBrowser, Elgg Language Support and TinyBrowser Userdirs by Karsten Schulze 2009
- tracker [Settings]
- categories: Site wide categories
- logrotate [Settings]: Rotate the system log at specific intervals
- file: File browser plugin
- twitter: Elgg simple twitter widget
- garbagecollector [Settings]: Perform some database cleanup tasks
- thewire: Provides a microblogging service for your Elgg site.
- search: Allow search across entities of the site
- uservalidationbyemail: Simple user account validation via email.
- members: A simple plugin to let users browse other members.
- notifications: Elgg notifications plugin
- defaultwidgets: This plugin enables an administrator to define a default set of widgets for new users
- externalpages: This is a very simple plugin that lets the site admin populate an about page, terms, privacy and contact. You can also edit the frontpage text.
- messageboard: This plugin allows users to put a message board on their profile for other users to post comments.
- groups [Settings]: Provides group support for elgg
- reportedcontent: Adds the option for users to report content and for admins to check it out.
- diagnostics: Elgg diagnostics tool
- logbrowser: Browse the system event log
- invitefriends: Friend invite page
- zaudio: This simple plugin lets users play mp3's in the page.
- pages: Elgg Pages
- crontrigger: Provides a poor man's cron trigger to trigger cron scripts based on site visits.
- blog: Elgg blog plugin
- riverdashboard [Settings]: Alternative replacement for the standard Elgg dashboard.
- bookmarks: Elgg bookmarks plugin.
- twitterservice: Provides a simple Elgg wrapper around the twitter class written by David Grudl
- htmlawed: Provides security filtering. Disabling this plugin is extremely insecure. DO NOT DISABLE.
- embed: Allows users to easily upload and embed media into text areas.
- messages: Elgg internal messages plugin. This plugin lets users send each other messages.
- custom_index: A simple plugin to replace the site's index page with boxes containing the latest content from the site.
- friends: Provides friend widgets for your profile
- profile: Elgg profile plugin.
- captcha: Provides captcha support (requires the php_gd library).
- event_calendar [Settings]: Elgg event calendar plugin
- tidypics [Settings]: Tidypics Photo Gallery
- izap_videos [Settings]: This plugin lets users put videos from youtube, vimeo, veoh or directly from the desktop.
- videolist: Elgg Videolist

Do you know any way to stop the anonymous logins that seem to bypass the email verification?
Do I need to change some of the file permissions?
In cPanel I can password-protect any directory; would this be a solution? The password on blogs is not very satisfactory.

Tony
East Cheshire Linux User Group.

  • There is no way that I know of to bypass the validation step.

    I don't know what you mean by anonymous logins.

    Also, there are some better captchas out there. You could try the recaptcha plugin available in the plugin repository.

  • Hi Cash

    Many thanks for your advice. I will try an enhanced recaptcha plugin; sounds like good advice.
    My very simple temporary approach to stop the continual spam blogs:
    Yesterday in cPanel I password-protected the /mod/blog directory.
    This morning a user logged in and posted 4 spam blogs; I wasn't expecting any.
    Spammers seem to be spoiling so many elgg sites. I had a look at about 6 or 7 elgg sites; all had multiple random off-subject texts but with repeated links to watches, clothing, finance.
    Trying to trap rogue URLs and IP addresses does help, but only to find yet another pop up.
    All the posts so far originate not from the UK & Europe but from China, Asia/Africa and Russia.

    I love the elgg cms but wish we could overcome spam.

    I wonder if any coders have any solutions like a plugin to only allow home countries.

    Or perhaps a spam filter plugin similar to some of the very good email filters used in Thunderbird.

    Thank you all for putting so much time into the elgg project.

    Tony

  • Update on the login and spam blogs.
    Cash's recommendations on updated captcha.
    Also updated elgg to the latest version.
    Thank you Cash for the simple answer, which fixed the login problems.
    I tried siteaccess and trapped one of the spammers.
    They attempt to create Elgg accounts by devious means; all had an email ending in @126.com.
    Tracking the IP address, it appeared to be a local IP address, but the email address with 126.com is located in Guangdong.
    Guangdong is one of China's most prosperous provinces.
    Although 126 appears to be a very large legitimate company.
    New accounts with these will need constant monitoring to trap the user and prevent nuisance spam blogs.

  • Hi There,

    We have been experiencing a similar issue. Take a look at mod/uservalidationbyemail/start.php

        // Validation code for the confirmation email: the site secret from
        // get_site_secret() keys the hash, so the code cannot be recomputed
        // from the public guid, email and site URL alone.
        function uservalidationbyemail_generate_code($user_guid, $email_address)
        {
            global $CONFIG;
            return md5($user_guid . $email_address . $CONFIG->site->url . get_site_secret());
        }

    If the line reads...

        return md5($user_guid . $email_address . $CONFIG->site->url);

    Then you have an insecure build, as there is a vulnerability in registration confirmation (it is possible to predict the confirmation code sent in the email).

    The site secret needs to be added to the code as per the listing above.
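The difference between the two lines quoted above, as an added example rather than Elgg's own code: the unkeyed form is computable from values the registrant already knows, the keyed form needs the site secret, and the handler compares in constant time. The site URL and secret are placeholders, and HMAC-SHA256 stands in for Elgg's md5-with-appended-secret.

```python
import hashlib
import hmac

# Constructed values for the example; SITE_SECRET stands in for get_site_secret().
SITE_URL = "http://example.invalid/elgg/"
SITE_SECRET = "placeholder-site-secret"


def predictable_code(user_guid: int, email: str) -> str:
    """The insecure form quoted in the thread: md5(guid . email . site url).
    Every input is public or chosen by the registrant, so anyone can recompute it."""
    return hashlib.md5(f"{user_guid}{email}{SITE_URL}".encode()).hexdigest()


def keyed_code(user_guid: int, email: str, secret: str = SITE_SECRET) -> str:
    """Hardened form: the site secret keys the digest. Elgg's fix appends the
    secret inside md5(); this example uses HMAC-SHA256 for the same purpose."""
    message = f"{user_guid}{email}{SITE_URL}".encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def validate(user_guid: int, email: str, presented: str) -> bool:
    """What the confirmation-link handler should do: recompute the keyed code
    and compare in constant time so the check leaks nothing about the expected value."""
    return hmac.compare_digest(keyed_code(user_guid, email), presented)
```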

  • Google "ip blacklist database" to see what sort of spam-blocking aid is already available. There are also country-IP databases available where REMOTE_ADDR can be looked up to fetch the country, and then one can allow or deny.

  • I fixed the vulnerability in the email validation plugin 10 months ago: http://trac.elgg.org/changeset/3731/trunk/mod/uservalidationbyemail/start.php


  • Yup, my apologies for that Cash, the only reason this came to my attention is that I was looking at an old 1.5 build. I found that some folks could punch their way through using this technique.

    These guys do a great free IP database for determining country of origin:

        wget http://software77.net/geo-ip/?DL=1 -O /path/IpToCountry.csv.gz

    1) Wget that file (read the terms as they have some 'non abuse' conditions)
    2) Use a MySQL infile statement to import it into a table of choice
    3) Use code similar to that shown below. This will return a row of data: the country of origin

        // Unsigned 32-bit form of the visitor's IPv4 address, matching the CSV's start/end columns
        $address_long = sprintf('%u', ip2long($_SERVER['REMOTE_ADDR']));
        // $address_long contains only digits (from sprintf('%u')), so interpolating it here is safe
        $sql = "SELECT * FROM country_ips WHERE start <= " . $address_long . " AND end >= " . $address_long;
        $rows = get_data($sql);

    Get this data and then decide whether or not the user will receive the validation mail. If the user does not receive the mail, an admin will. Customise actions/register.php to achieve this.

    I hope this helps.


    Paul
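A lookup of the kind Paul describes, as an added example and not the thread's code: it parses a few constructed rows in the IpToCountry.csv layout (start and end as unsigned 32-bit integers, ISO country code in the fifth column), does the range lookup in memory with a binary search instead of the MySQL query, and returns the allow/deny decision for sending the validation mail. The ranges and the allowed-country list are made up for the example.

```python
import bisect
import csv
import ipaddress

# Constructed rows in the IpToCountry.csv layout: "start","end","registry",
# "assigned","ctry","cntry","country". These ranges are made up, not real allocations.
SAMPLE_CSV = """\
# comment lines in the real file begin with '#'
"16777216","16777471","apnic","1313020800","AU","AUS","Australia"
"3232235520","3232301055","arin","1313020800","US","USA","United States"
"167772160","184549375","ripencc","1313020800","GB","GBR","United Kingdom"
"""


def load_ranges(text: str):
    """Parse the CSV into start/end/code lists sorted by start. The lookup
    relies on ranges not overlapping, as in the real file."""
    rows = []
    for row in csv.reader(l for l in text.splitlines() if l and not l.startswith("#")):
        rows.append((int(row[0]), int(row[1]), row[4]))
    rows.sort()
    return [r[0] for r in rows], [r[1] for r in rows], [r[2] for r in rows]


def country_for(ip: str, table):
    """ISO code for an IPv4 address, or None if no range covers it.
    int(IPv4Address) is the same unsigned value PHP's sprintf('%u', ip2long()) gives."""
    starts, ends, codes = table
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1  # last range that starts at or before n
    return codes[i] if i >= 0 and n <= ends[i] else None


def should_send_validation(ip: str, table, allowed=("GB",)) -> bool:
    """Policy from the thread: mail the validation link only for allowed countries;
    unlisted addresses and other countries are routed to an admin instead."""
    return country_for(ip, table) in allowed
```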