Spam/ Hackers problem

Hi Everyone!

I'm running Release - 1.6.1, Version - 2009072201 on a site at

I've been experiencing a lot of problems with spurious members (usually based in Chine) that register and then flood the blog area with spam. I keep on deleting the accounts but the problem is getting heavy. I also notice that one of these had hijacked the "Blogs" link and a Viagra ad. came up when it was pressed.

I think I need to be able to validate accounts manually as the auto e-mail verification set-up is not secure enough OR is there a way of filtering this crap? I notice most of the e-mail addresses given are jibberish - surely there's a mod somewhere that could distinguish between rubbish and genuine account registrations.

Any suggestions anyone?

Many Thanks,


  • BigG,

    You have to upgrade to the current version. That's fact of life too, not just for this particular anti-spam plugin. So, back up a step ... :) .. take a deep breath ... and upgrade to 1.7.5. And count on the necessity of upgrading to 1.8 in the near future, and then 1.8.1, etc..

    I can't be too helpful on the details. My host uses a service called Softaculous that handles tools like Elgg - the original installation and (so far) two upgrades.

    In concept, upgrades are not terribly difficult. Download the new zip file to you local machine. Upload it to the proper folder in your server, and then unzip it. The idea is that it will replace all the folders & files that it matches, but will leave alone the unmatched ones (i.e. your plugin folders).

    Digression: I confess that I get tangled up with the top-level folder name. All the folders and files have to go into public_html, but when I unzip the file, they are in a folder named "elgg-1.7.5." So, after wrestling with that a little bit, I just let Softaculous do the whole upgrade for me. But with a litte work, thought, and perhaps better, more specific advice from those smarter than me, you'll be able to see a clear path to regular, routine upgrades.

  • I've cut alot of spam but adding a site password and adding a small bit of info disclosing the site password on the registration form, I had one spam member this week which has been the only one in the last three weeks since adding the site password before that I was getting like 10 a day! I would expect though of elgg to at least have a captcha system from the start as a default like the guys at phpbb do!

  • You have to remember that, while the majority of spammers are 'bots', some of them, such as the one who bypassed your site password, are not. They are real people who have enough time to go through numerous random sites, such as yours, register, and spam.


    Therefore, you need to work out a system that will stop most spammers in their tracks.

    -Not allowing them to post URLs for the first week

    -Not allowing them to post messages less then 10 words

    -Requiring email verification and making sure their personal data is correct

    Etc etc etc...


    There are lots of ways you can handle this. Without a spam-block algorithim, such as the ones used by google in GMail to send spam email to the spam folder, spammers still won't have a huge amount of trouble bypassing most/all of your preventatives. The best way to handle it is have multiple site moderators, plus maybe a few of the things I have presented in this topic [or think of your own ways!].


    Good luck.

  • These ->    " - Not allowing them to post URLs for the first week; - Not allowing them to post messages less then 10 words; - Requiring email verification and making sure their personal data is correct.." make sense - if someone wants to volunteer to kick-start these features off, I will try to make spare time to mentor along.

  • Thank you SO much everyone. A lot of good advice that's much appreciated.

    I'm extremely interested in those "Registration Control" and  "Turn off Elgg registrations" plugins Steve - they sound like the sort of thing needed.

    The only snag is the need for an upgrade (one of the plugins you mentioned requires version 1.7). As Stephen Sherman points out - & quite rightly - upgrades are a fact of life (a pain in the ar_e but nevertheless a necessity unfortunately). I'm scared sick of attempting an upgrade, especially after the horror stories I've heard from the experiences of others in the past.

    My site at took a long time for me to customise and get working the way I wanted it. It now has over 200 members - if I upset the apple cart and it fell apart all my hair would leap out of my scalp without me having to tear it out!! There is so much contributed material there from members. To lose anything would be a disaster.

    If I am going to be enticed into an upgrade it has to be foolproof (and idiotproof for that matter). Is an upgrade a safe enough proceedure to attempt under these circumstances?

    I really need to put the brakes on the spammers, because they are also spoiling everyone's enjoyment of the site. So I'm stuck between a rock and a hard place.

    Is there any documentation somewhere to hold my hand with an upgrade? Once I upgrade I'll obviously have more options open to me on the spammer front.

    One more thing (I did mention it in an earlier post in this thread, but didn't get a response). After I deleted one of the hacker accounts I got this error message:


    The account remains undeleted, so I changed the details (password etc.) on it so that it cannot be used. On top of that I now find that when I'm logged in to the site, when I go to the "Home" page I get the same error message.




  • I have the same experience. Running the Database Validator plugin couldn't fix it either! :(

  • @Shouvik :=

    If you deleted a User - it is most likely that you had all metadata for that User also deleted.

    Therefore - now if you get the "FileStore not found" message - it is because Elgg cannot find the appropriate actual meta name and value to point from in order to determine and fetch the FileStore / FileName and so.. gets all hung up about it ;- (

    Most likely the only way to fix this would to dissect ("open-heart surgery") on your database to scan for the missing data integrity aspects and to try and fix that.

  • @BigG - We had this problem as well.  The way we fixed it was going into the database and deleting the conflicting file entities from that user.  Obviously be very careful doing this.

    This has only happeend once out of the hundreds of spam accounts we have deleted.  For us, we don't annoying spam user accounts present hence why we delete them :)

  • Hmmm that sounds horrible to me! OPEN HEART SURGERY on a DB!


    Do you think the Database Validator plugin could fix it? Incidentally what is the actual name of the Plugin please? So that I can download it. Will it work with v 1.6.1?

    I can understand that by deleting an User Account all metadata for that User may also be deleted and there may be issues as a consequence BUT what would cause the same error message to appear instead of the Front Page? I.e. when you visit the site you can see the Front (Home) Page. If you login and click on HOME you get this instead:


    All other navigation seems to be OK.

    Things seem to be going from bad to worse!!!!



  • You may have a file widget or something similar on the front page.  So when it goes to grab the file it triggers your error.