HELP with SPAM Auto Sign Up Accounts...

I am having a very bad time with Spam Accounts being Auto Generated there are 1,000's so far and am looking for a way to make the SITE either an INVITE ONLY site or only have OPENID and Google Friend Connect as the ONLY Options to Sign Up / Sign IN and Join the site. Can someone please help me there is no other way to fix this major problem besides just Leaving Elgg and going back to Statusnet Open Source Microblogger. I do not LIKE STATUSNET!!!! So Please someone help me with this SPAM Auto Account Problem. thanks

  • The flexreg plugin (part of my form and related plugin suite) allows you to moderate registrations or (instead) to invite specific people by sending them a unique registration code.

    You don't need to be a PHP coder to set it up but there is a lot to read through in the README.txt files in the different plugin directories so you have to be patient and read the documentation carefully.

  • sorry do post the here - but seeing that it has revelance to the topic, when registering for this site they had a captcha using pictures. How is this done? Is there a plugin for something like this as i only get a few auto spam signup and im sure this will fix my sitiation. Also looks cooler that jumbled letters and nubers. Do i just have to play with that plugin or somthing? Thanx

  • Ok I just finally figured out a VERY CRUDE Method meaning that I am very Unskilled at doing any Customization to the Elgg Site Code and it shows in this Fix... What I did and I really should consider making it LOOK BETTER is Delete Everything inside of the register.php file the MAIN one for the entire site. What I did was copy and paste three plugin codes which are: Facebook Connect ; Google Friend Connect and the Newest OpenID. So when someone clicks on the Register Link where the Main Front Page Login Box is it will take them to a blank page where it asks for the users who wish to signed up to Click any of the Three Choices to Sign Up to use the site.

    I am not good at any of this and I know that many people are going to think this method is very dumb but I really had no other option that I could figure out. So what happens now anyone that wants to join the site Has to Join by either Sync their Facebook profile, Google Friends Connect (Which is So GREAT it even has Twitter and Yahoo and More into this) or even Open ID which Google Friend Connect also has Open ID. So I have almost every Possible SAFE Way that anyone could have to Sign Up and into the site.

    All of the Spam Screening is now down already by Yahoo, Google, Twitter, Facebook, OpenID and a lot more other Login / Sign Up options that these have.

    I feel a piece of mind finally that my site is now more secure. If they really want to keep on creating Spam Accounts not they will now have to do it Thru all the above sites I listed. There is no other way. So I am using the protection of the BIG GUYS.

    I think this alone could be a VERY cool Plugin or Modification for people like me who have been Brutially Attacked with over 4,000 Spam Bot Accounts that signed up. Now I am not even going to spend the rest of my life trying to Delete 4,200 Accounts from the MYSQL. I am going to let them sit there.. One big issue now is who ever set them up can still ACCESS them and Login.

    Is there a Solution to NOW FIX all the Signed Up Bot accounts over 4,000 of them?? I do not have any means of trying to Ban all of them by hand.

  • Thank you both guys above for your help and taking your time out to help me on here. I just think for right now this is the only solution to put a stop to the mass accounts. One thing is very Unusual is the traffic. This could be from what ever API Bot this person or persons are using to make accounts. They are Random States and Areas around the World that are coming into the site but they are not coming for any Referred Search Engine. They are Direct Linked as if someone is clicking my link directly without any search engine searching. Traffic like this I feel does not help period with Rankings if I am correct. Anyone else ever seen this before?? How I know this is because of a Live Traffic feed Widget known as I have on the main page.

    Check it out and see all the hits coming in LIVE. It is crazy.

    Somehow someone is using API calls or could have used the OAUTH plugin to get API Keys to my site. Maybe might need to turn off the API stuff??


  • @jacque - It's called Visual Captcha and is in the plugins repo, but not officially supported or released yet and might only work on 1.8.


  • bots that hit elgg-based (or others) are usually written by people who know a heck of a lot of php and about pkgs such as Elgg. so they write their code to try to exploit weaknesses. using some form of image or stronger captcha (ie v1.8's visual) should block such bots. just browse thru your apache access and error logs (we regularly do this) and you'll see patterns of 'strange' accesses which could never be a real person. anyone who's had their elgg site hit by bots -- you've obviously not installed any captcha and so those spammers can get to you. on our flagship elgg-based site (112,000 users registered) we have almost zero spam users, occasional (human) spammers - who get "killed" within hours. we're simply using SiteAccess - courtesy of mi a amigo ShellCode from the SanFranciso area. The rarer smarty spammers - we hunt them down and block their IPs or the whole country (we did this once b/c the person was using dial-up) as needed. if each  plugin had their own htaccess to implement "leach-protection" - might make life a lot easier b/c then bots will be blotted out.

  • I have captcha setup also for my elggsite but a bot was still able to create multiple user accounts. 

    They have gotten smarter now too, before I was able to manually delete the user profile, but now if i click on the user profile to delete from the admin page, the page redirects to a spam site.  It apparently is somebody who knows the intricacies and internals of elgg.

    When i manually deleted some users from SQL Admin, my site is not functioning properly now.

    Im trying to upgrade to elgg the latest version, im hoping that will help..any tips?


  • ouch ;-) 

    do not delete users.. just goto phpmyadmin users entity and set the "banned" field to on.

    yes those smarty spammers do hook up their profile to flip over to their junk website

  • This sucks..there still is no solution to stopping the bot...

    Is there a tool to approve new users?

  • @Rocker: Have you tried the Site Access Plugin? It forms a walled garden on Elgg.