Our Elgg 1.5 site, UnionBook, is being hit by a massive wave of spammers who are successfully registering and validating their accounts despite the fact that we've enabled the site access plugin, which has a kind of numeric captcha built in.

I've just added a site-wide password in the hope that spambots won't read it, but we need a long-term solution -- what works best in Elgg to prevent these scumbags from signing up to our sites?


Eric Lee

  • Elgg 1.6 will have a captcha plugin installed and enabled by default.  I'm not familiar with the Site Access plugin, but perhaps Elgg's official captcha will work better for you?  It's being used on this site and automated spam registration is about nil.

  • When will Elgg 1.6 be available?

  • It's pretty much common knowledge that the spambots have completely figured out their way around captcha. A simple Google search will return hundreds of results of people talking about how captcha no longer works. Even reCAPTCHA is now vulnerable.

    If you don't believe me, install 1.6 with captcha, give me your url, within hours I can have thousands of new accts on your system.

    I did a ton of 'homework' on these bot problems after my WordPress sites got attacked, as well as many of my vBulletin sites. So I found and installed a few of the bot programs and, needless to say, I was more than amazed at how efficient they were.

    Now it's not all bad news:

    There are a few tricks that I have found work really well.

    1. Bots basically search the web for known strings, so that they know if you are running Elgg, WordPress, vB, etc... then they simply find your registration form and fill it in..... So, one trick I have done is to add extra 'hidden' fields to the registration forms. These are fields that are not visible to the user, but are visible to the bots. If they fill in those lines, then it's obvious that the registration is from a bot, and the registration is declined. That works really well with almost all of the bots.

    2. Have questions the user has to answer specifically. Such as 'what color is the sky' answer blue..

    I have yet to find a bot that can find their way around registration processes that require multiple questions to be answered by the user.

    3. You would have to adapt this to work with Elgg, but basically it should be very easy to implement.

    insert the following, after you modify it, into your .htaccess file

    RewriteEngine On
    # Only look at POST requests to the registration script
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-signup\.php
    # ...whose Referer is not from this site (example.com is a placeholder for your own domain),
    # OR whose User-Agent header is empty
    RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Send matching requests away (the redirect target is a placeholder too)
    RewriteRule (.*) http://example.com/die-spammers [R=301,L]

    change wp-signup to whatever Elgg uses for its registration page PHP file
    change to your website
    change die-spammers to where you want to send them.

    Basically it looks for the referring page that a user/bot is coming from, in this case
    wp-signup. As all bot programs actually never visit your site, there is no referring

    Anyhow, those are 3 of my favorite tricks to stop the bots. Forget captcha; it's dead
    technology when it comes to stopping the bots.

    Maybe Brett can look into my ideas and a few others and help people further with this.

    hope it helps
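The three tricks above (honeypot fields that only a bot fills in, a challenge question, and a Referer/User-Agent sanity check on POST) combined into one server-side pre-check, as an added example that is not from the thread, from Elgg or from the Uncaptcha plugin. The field names, the challenge question and its answer, and the sample requests are placeholders of my own; wiring it into a real Elgg registration action is left to the reader.

```php
<?php
// Added example, not Elgg's own code: decide whether a registration POST looks
// automated. Field names and the question/answer pair are hypothetical placeholders.

// Hidden-by-CSS fields that a real browser user never sees and so never fills in.
const HONEYPOT_FIELDS = ['website_url', 'fax_number'];
// Challenge question field => expected (lower-cased) answer.
const CHALLENGE_ANSWERS = ['q_sky_color' => 'blue'];

/**
 * Return a list of reasons the submission looks like a bot. Empty list = looks human.
 *
 * @param array  $post     submitted form fields (e.g. $_POST)
 * @param array  $server   request environment (e.g. $_SERVER)
 * @param string $siteHost the host name registrations must be referred from
 */
function registrationSpamReasons(array $post, array $server, string $siteHost): array
{
    $reasons = [];

    // 1. Honeypot: any non-empty value in a hidden field means a script filled the form.
    foreach (HONEYPOT_FIELDS as $field) {
        if (isset($post[$field]) && trim((string) $post[$field]) !== '') {
            $reasons[] = "honeypot field '$field' was filled in";
        }
    }

    // 2. Challenge question: compare trimmed, case-insensitive answers.
    foreach (CHALLENGE_ANSWERS as $field => $expected) {
        $given = isset($post[$field]) ? strtolower(trim((string) $post[$field])) : '';
        if ($given !== $expected) {
            $reasons[] = "challenge question '$field' answered incorrectly";
        }
    }

    // 3. Header sanity, only for POST: empty User-Agent, or a Referer that is
    //    missing or points at some other host.
    if (($server['REQUEST_METHOD'] ?? '') === 'POST') {
        if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
            $reasons[] = 'empty User-Agent header';
        }
        $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
        if (!is_string($refHost) || strcasecmp($refHost, $siteHost) !== 0) {
            $reasons[] = "Referer missing or not from $siteHost";
        }
    }

    return $reasons;
}

/** HTML for one honeypot field: hidden with CSS, not type="hidden", so bots still "see" it. */
function honeypotFieldHtml(string $name): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<div style=\"position:absolute;left:-9999px\" aria-hidden=\"true\">"
         . "<input type=\"text\" name=\"$n\" value=\"\" tabindex=\"-1\" autocomplete=\"off\"></div>";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests (not real traffic) to exercise the check.
    $human = [
        'post'   => ['username' => 'alice', 'q_sky_color' => ' Blue '],
        'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_USER_AGENT' => 'Mozilla/5.0',
                     'HTTP_REFERER' => 'http://example.com/register'],
    ];
    $bot = [
        'post'   => ['username' => 'buy-pills', 'website_url' => 'http://spam.invalid',
                     'q_sky_color' => 'http://spam.invalid'],
        'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_USER_AGENT' => ''],
    ];
    foreach (['human' => $human, 'bot' => $bot] as $label => $req) {
        $reasons = registrationSpamReasons($req['post'], $req['server'], 'example.com');
        echo $label, ': ', $reasons ? implode('; ', $reasons) : 'accepted', PHP_EOL;
    }
    // human: accepted
    // bot: honeypot field 'website_url' was filled in; challenge question ... ; empty User-Agent header; Referer missing ...
}
```

The Referer test is the weakest of the three signals: privacy extensions and some corporate proxies strip the header from legitimate browsers, so a site that wants to avoid losing real users can count it as one point in a score rather than an outright reject, while a filled honeypot field is a much safer hard reject. Rotating the honeypot field names occasionally, and keeping the challenge answers out of the HTML, keeps the checks useful once a bot author has looked at the form.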
  • The method you described is called a reverse captcha. One of the first plugins I wrote and released does exactly this. Search for Uncaptcha if you want to check it out....

  • That only works if the spammers are filling in all fields - but we're finding they don't.  Sometimes they fill in some fields, sometimes others.  At the moment we've moved toward manual validation by administrators while we wait for Elgg 1.6.  And by the way - can we use the CAPTCHA in Elgg 1.6 together with the uncaptcha plug-in?  Thanks.

  • @Eric -- We've released Elgg 1.6RC1 last week and will be releasing 1.6 final in about another week assuming there are no show-stopper bugs found in RC1.

    I've never tried using Captcha and Uncaptcha at the same time.  It should work, but you'd want to test internally first!

    @Shawn -- I'm not sure the situation is that dire yet.  As I said, community uses a simple captcha and since it was implemented the amount of spam has dropped considerably.  We're still having a few people spam from users from Twitter and Facebook, however... These accounts don't have to register with our site...

    As a point of interest, I was against adding captchas to Elgg by default.  I find them invasive and a secondary barrier to having users register.  That was part of the reason I really leapt on the reverse-captcha train and wrote that plugin.  It's a transparent means of security that seems to work decently well.  Unfortunately this plugin hasn't been tested on a huge, high-traffic site...

  • @Brett The only reason it's not that dire yet is because Elgg is not yet mainstream. It's not really worth the time to modify the bot scripts to search out Elgg installations as there are not really that many large networks to go after. At least there is no talk about Elgg on the h4cky0u or similar forums yet.

    It is very easy to modify the bot scripts to go after Elgg; seriously, just a few inputs and set it loose. The thing is, though, that with millions of vB/phpBB/WordPress/Blogger/etc... scripts out there, it's more effective to go after those for spamming. Once Elgg becomes more mainstream, or someone 'introduces' Elgg to the other 'communities', you would see an exponential growth in attacks as Elgg is basically wide open right now.

    So it's really smart to plan ahead, as when Elgg takes off it will become a decent-sized target. Might as well get all the 'ducks in a row' first....

  • @Brett I used to use uncaptcha on our site and never had any problem with it or spamming. I stopped using it when we migrated and I started using site access. I tend to agree with you about captchas being a site block in the registration process, but if what Shawn is saying is right, that captchas are easy to bypass, then maybe we should be looking at your idea with a bit more interest. We have a fairly high-traffic site, 50 to 70 users online most of the time. I would not want it to be destroyed with spamming.

    I'd like to hear more thoughts on this

    Shawn, you are probably right that once Elgg becomes more mainstream we will start to get more attacks.

  • @Shawn

    With "It's not that dire yet" I was referring to captchas not being effective, not Elgg's use of them.  I think they're still effective for the most part...annoying or not.

    I'm going to take you up on your offer.  Has a bog-standard 1.6RC1 installation with captcha enabled.  Show me your thousands ;)

    I'm doing full logging on the site so if they do break through we can figure out better ways to stop them, which of course will be shared here!

  • (Live example) 2000 spam users within 48 hours on a (client's) Moodle site!!! No register button, no register page. All users are registered by Admin... Smart hackers got in..!

    I am very interested to see Shawn's testing with Brett's. Hopefully he will crack his way in (somehow) and one can then analyze... If he cannot, we might be lulled into false security.