Fake users registration attack

Hello everybody,

Since yesterday I have been under a spam attack. I disabled "Allow new users to register" option from Settings > Advanced Settings admin panel and I still have got attacks because new fake users have been registered.

Additionaly I have this plugins installed and enabled: uservalidationbyemail, recaptcha, iptracker, spam_login_filter, spam_throttle, honeypot and akismet.  

What can I do? Thank you very much.

  • you're getting registration even though the setting is turned off?
    Are you using any social login integration - Facebook/Twitter etc?  They may be registering through a plugin like that.

  • Make sure your installation is up to date. What version are you using now?

  • That's strange. Are spammers still registering after turning off registration?

    Are the current registered fake spammers attacking your site?

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • We get exactly the same thing. No matter how we try to stop them (including disabled "Allow new users to register"), they still register. We have Spam Login Filter installed too. We get emails saying that we've blocked hundreds of registrations, but when we look at the sites for the same period, we see 30-40 actual fake registrations that made it through. We've tried every spam plugin, but nothing works. They still are registering. We have had to turn off our sites to stop them. We are using HybrideAuth Client for Elgg for Elgg 1.8 for Facebook login - so maybe that's it. I'm going to turn it off and see if that helps. Othewise, I don't have a hint how to stop them. - FYI we're using 1.8.16 - same probelm on 3 different sites.

     

  • I'm using Elgg 1.8.16, since yesterday, it seems that no more fake users registered. It's true, if I disable the users registration setting, then I don't have the problem. Sorry for my mistake.

    But, If I turn on the setting then I have the same problem again.

  • I have also had lots of fake users signing up - l have uservalidation by email and captcha 1.8.1 installed. This only started happening about a week for me - I googled the problem and came to this page - Looks to me like they is some kind of "attack" that is causing this to happen to elgg sites. I dont really want to turn off new user creation. The users that had validated their email seamed to be selling baby clothes, but they is probably a darker story to it. I think that a human must be doing something to get past the captcha systems - I doubt that someone has created a system to do this.

    I am using 1.8.16 - Aaron

  • David said, <if I disable the users registration setting, then I don't have the problem>. You are lucky David, cause when we disable registration, it makes no difference, they still register the fake users. But, I'm going to try again, - although - we won't like to have to have that as our only option to stop this.

    Michele said, <No social login/registration.> Darn, I was hoping that was our problem.

    And <but around 70-80 since almost a week ago succeed in registering daily anyways> That's about the same number for us. But, as soon as we delete them, another batch arrives.

    And, <also noticed that lately stopforumspam is sometimes down> I noticed the same, but it only lasts for a few seconds, and another thing I  noticed is that sometimes the IP addresses that are submitted are weird.

    Aaron said, <I think that a human must be doing something to get past the captcha systems - I doubt that someone has created a system to do this.>  I think differently. I've tried all kinds of captcha's, and just about everything else. The fakes keep coming. And the numbers started small but are increasing. I doubt very much that any human is doing this - to me, you, and Michele, and David and everyone else that's going to get bombed eventually.

    So far we've found no solution, we've had to turn all of our sites off. It's too timecoming having to clean all these fake users all day long.

    Next, just to be sure, we are turnining off the Facebook login and we're going to try the Profile Manager plugin and require an image and a new field and accetance of our terms upon registration. And see if they get by that.

  • We still get more false positives with Fassim, but Fassim does have a lower number of false negatives.  It's a bit of a tradeoff, but the community here doesn't get as much spam as you're reporting...

  • My tests... 

    1) I turned my test site back on at 11:53AM. I removed the Facebook login.

    2) So far I've gotten spam blocks at these times...

    11:53, 11:53, 11:53, 11:54, 12:02, 12:03, 12:04, 12:04, 12:06, 12:06, 12:11, 12:11, 12:16, 12:18, 12:18 12;20, 12:20, 12:20, 12:21, 12:23, 12:24, 12:24, 12:24, 12:24, 12:26, 12:27

    ONE NEW FAKE USER IP Austria

    ANOTHER FAKE USER IP Hyderabad (PK)

    here we go again, 12:34, 12:35, 12, 35, 12:39, 12:36, 12:36, 12:36, 12:36 12:39, 12:39, 12:40, 12:41, 12:41, 12:41

    ANOTHER FAKE USER IP Jalandhar (IN)

    ANOTHER FAKE USER IP Unfortunately we could not find a matching location.

    3) NOW I DISABLE - Allow new users to register

    here we go again, 12:59, 1:02, 1:02, 1:03, 1:03, 1:03. 1:07, 1:11, 1:11, 1:11, 1:18, 1:18, 1:24, 1:25

    In Summary

    Within 10 seconds of turning my site back on again, we started getting bombed again. This must be automated. No way manual spammers were waiting for me to turn it back on.

    For the most part, each is a separate and different ISP, although once in a while, in a small number of cases they are duplicate ISPs, which appear to be at the same time. Also, each is a different email address or the email address is blank.

    It almost looks like this is hunting for IP addresses that are not blocked, and then causing an automated registration when it finds one.

    Disabling New User Registration does not appear to have stopped the attack. Although, for some reason the time between blocks has increased, and since then, I have not gotten a new fake registration.

    I'm going to wait it out a little while and see what happens and report back. Disabling the registration is not a solution, we don't want to do that, but at least we may be able to keep the sites open while we are trying to find an answer.

    There is definately something very unfriendly going on here.

    @Michelle, we have not tried the uservalidation by admin. We'll give it a whirl and see if that's helpful. 

    And I've read that Fassim causes clean users to be incorrectly be flagged as spammers. I believe I read that at the plugin page.

  • Here's the followup ... In the last few hours we got several hundred blocked registrations and NO new fake users - because we have New User Registration diasabled. -- New User Registration being disabled is not a solution, so, although it appears that it stops the fake registraion, we do not want it. I have not tired the uservalidation by admin suggested by Michelle cause it appears that would still allow the fake user to be registered and that would be a mess. Our next plan is to try the Profile Manager and see if that will help keep the fakes away by requiring various registration fields. If anyone else has any ideas, I'd appreciate hearing them.