Fake users registration attack

Hello everybody,

Since yesterday I have been under a spam attack. I disabled "Allow new users to register" option from Settings > Advanced Settings admin panel and I still have got attacks because new fake users have been registered.

Additionaly I have this plugins installed and enabled: uservalidationbyemail, recaptcha, iptracker, spam_login_filter, spam_throttle, honeypot and akismet.  

What can I do? Thank you very much.

  • We still get more false positives with Fassim, but Fassim does have a lower number of false negatives.  It's a bit of a tradeoff, but the community here doesn't get as much spam as you're reporting...

  • That's because they target interesting communities :D

  • By the way guys, sorry for the off topic but since we have no wire here.... HAVE YOU ALL ELGGERS A GREAT 2014!

  • My tests... 

    1) I turned my test site back on at 11:53AM. I removed the Facebook login.

    2) So far I've gotten spam blocks at these times...

    11:53, 11:53, 11:53, 11:54, 12:02, 12:03, 12:04, 12:04, 12:06, 12:06, 12:11, 12:11, 12:16, 12:18, 12:18 12;20, 12:20, 12:20, 12:21, 12:23, 12:24, 12:24, 12:24, 12:24, 12:26, 12:27



    here we go again, 12:34, 12:35, 12, 35, 12:39, 12:36, 12:36, 12:36, 12:36 12:39, 12:39, 12:40, 12:41, 12:41, 12:41


    ANOTHER FAKE USER IP Unfortunately we could not find a matching location.

    3) NOW I DISABLE - Allow new users to register

    here we go again, 12:59, 1:02, 1:02, 1:03, 1:03, 1:03. 1:07, 1:11, 1:11, 1:11, 1:18, 1:18, 1:24, 1:25

    In Summary

    Within 10 seconds of turning my site back on again, we started getting bombed again. This must be automated. No way manual spammers were waiting for me to turn it back on.

    For the most part, each is a separate and different ISP, although once in a while, in a small number of cases they are duplicate ISPs, which appear to be at the same time. Also, each is a different email address or the email address is blank.

    It almost looks like this is hunting for IP addresses that are not blocked, and then causing an automated registration when it finds one.

    Disabling New User Registration does not appear to have stopped the attack. Although, for some reason the time between blocks has increased, and since then, I have not gotten a new fake registration.

    I'm going to wait it out a little while and see what happens and report back. Disabling the registration is not a solution, we don't want to do that, but at least we may be able to keep the sites open while we are trying to find an answer.

    There is definately something very unfriendly going on here.

    @Michelle, we have not tried the uservalidation by admin. We'll give it a whirl and see if that's helpful. 

    And I've read that Fassim causes clean users to be incorrectly be flagged as spammers. I believe I read that at the plugin page.

  • Here's the followup ... In the last few hours we got several hundred blocked registrations and NO new fake users - because we have New User Registration diasabled. -- New User Registration being disabled is not a solution, so, although it appears that it stops the fake registraion, we do not want it. I have not tired the uservalidation by admin suggested by Michelle cause it appears that would still allow the fake user to be registered and that would be a mess. Our next plan is to try the Profile Manager and see if that will help keep the fakes away by requiring various registration fields. If anyone else has any ideas, I'd appreciate hearing them.

  • Hi Ron, the suggested plugin puts all newly registered users in the unvalidated section therefore only visible to admins who can validate them or not.

    The situation here is worsening, 55 fake users registered in 9 hours and now many with gmail accounts other than outlook and hotmail plus a bunch of muscle growth+diet "review" sites.

    This is another attack...iw was few months we were ok but now again...thank you spammers...


  • Over night, we got hundreds upon hundreds of blocked registrations, but since we have New User Registration disabled, we got NO new fake users, but of course, this is not an acceptable alternative. Michele, thank you for the info, I understand. My concern is that we have 3 sites, and if one site is being attacked at a a rate of one per minute that 3 times that will cause our host to blow his cool. Further, we had plans of opening more sites, with this kind of attack rate, it's not likely. We're thinking seriously about moving the sites on a regular basis trying to stay in front of the spammers or looking for an alternative, which is sad since we've been working with elgg since version .9. It just appears that elgg is prone to attacks whick is a serious problem for a professional business. We're thinking.

    By the way, I feel very, very sorry for any person on this universe that has nothing to do with their time than to hurt and harm other people. Life is so short, and there are so many people that need help and are suffering for a million different reasons, that if these spammers would put their energy toward helping people rather than harming them, the world would be a better place and I'm sure the spammers would have a better life. To hell with them.

  • Before looking for other platforms let's consider this as the best and try to help in what we can.

    Idea (bad?): Since stopforumspam+fassim seem not to be enough against attacks to elgg what about creating a group of verified elgg-based sites owners in which to add and share our domain and email blacklists?

    I'm mantaining mine through spam login filter and maybe joining forces and importing (best) or copy/paste from such a list into spam login filter could help.

    What do you think?


  • Last (bad?) idea in 2013 :)

    Add uservalidation by admin features to spam login filter would also help a lot because when I now delete users from uvba they're not reported to stopforumspam so can register again and again and again...


  • Michele, I'm willing to participate in any way and all ways. Right now I've got 2 of 3 sites shut down and the one that is open is getting 1 to 4 spam attacks per minute. We've gone years without this being a problem, but once they found us, about a month or so ago, all 3 of our sites were attacked. Presently we're working on moving the test site.

    We too are using spam login filter, that's how we know how many hits we are getting. I'm just not confident though that uservalidation by admin is the best choice. I admit I have not tried it, but since we were getting 50-150 fake registrations per day for one site, 3 sites would cause 150-450 per day and that's a lot of messing around to delete them or however. And, the fact that we're now getting such a large attack, we worry that our host will shut us down.