Social Connect logins - How to stop spam from entering?

So I really need the social network connect system for logins, but I had to shut off my new user registrations... it's not that recaptcha isn't working... it's that all the spam bots come in through the social network connections and not the normal registration path...

   SO HOW do I get new members to come in AND keep the spambots OUT of my instant logins?

  • @acientspart

    I found that elgg_social_login will work with registration turned off.

    You can change these settings in:  administration>settings>advanced settings - about 2/3 the way down.

  • Okay so I made a registration question mandatory... but I don't know how to make the system check against the answer? When I'm gone, I want the system to allow or disallow based on that registration question... HOW do I do that? The only admin option having anything to do with new registrations is on or off... please help me set up this question? I had 5+2 = ? and it lets me put a field in (I downloaded and installed profile manager, newest one). So NOW how do I make it work?


      Stumpy... Thank you for testing that. I was about to do that when I found the suggestion on a question in the registration... now I'm "stumped" as to how to make it work.

  • @acientspark

    In profile manager, after creating the profile field, you'll find below a set of questions with dropdown options: show on registration form? make mandatory? etc. The thing is you can only make it mandatory to answer the question; the answer they give will be irrelevant. So if you ask what is 1 + 1? and they answer 127564 it will still be considered correct because it will only check that the field has been filled in. You can get the functionality you want from


    with these the answer must be correct. However, as discussed above, the effectiveness of these is questionable if not, well...

    IMHO your best choices for fighting spam (for free) would be a combination of:

    The captcha (pointless by most accounts) will help to make sure (correct me if I'm wrong) bots cannot get past your registration form. (look into robots.text)

    If it isn't a bot but a person trying to register to create spam, the spam login filter will check against a list to help prevent them registering,

    The site code will also help against bots (I Think) because a site code needs to be manually copied and pasted for confirmation. 

    Should someone negate these, which they will, the spam throttle will help to reduce/ban/suspend them.

    Using a combination of the above plugins is your best bet IMHO.

  • @acientspark

    If you're not using https, deactivating registration and using elgg_social_login is a nice way for people to have encrypted registration/login because it is done over https ;) i.e. usernames/passwords cannot be decrypted - unless somebody knows how to decrypt 256-bit encryption blindly with no sniff of the private key.

  • I have done just that... I am ONLY using the social logins now... thank you... everything else did not seem to work... but I like the site code thing... it's just that I would have to somehow let people know ahead of time what that is and I can't do that when I'm not there... so THIS is best... just using social logins... thank you SO much, EVERYBODY that replied to this... I APPRECIATE all of you very very much! Thanks! Come join my site at XLOG 2.1 | PHOENIX and see if you like it!

  • @acientspark

    You're most welcome. As for informing people about using the site code, you can do that by editing the language files. For example, if you go to mod/elgg_social_login/languages/en.php you could change "Or connect with" to "Connect with". If you just look in the language files in mods and elgg, you'll recognise the messages and will be able to change them to your liking.

    I'd seriously consider getting an SSL certificate tho'.

  • Dead or not captchas can still help. I'd like a generic hook and view API for consuming captcha services on Elgg sites, then you could add captcha provider plugin(s). (could allow multiple in times of desperation)

    Re: social logins, these plugins should allow disabling a new account until a captcha solve. Better would be to present the captcha just before creating the account, but this complicates the coding a bit (have to store profile data in SESSION while captcha attempts are made). In the short term my team is working on integrating recaptcha with facebook_connect.

    Another simple place for a captcha would be just before email validation. It would be easy to code because only the validation token needs to persist while the captcha is being solved.

    Do the social logins all bypass User Validation by Email?
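
The flow suggested in the post above (hold the social profile in the session and create the account only after a captcha solve), as an added example that is not part of the thread and not Elgg or plugin code. All function names, the session key, the limits, and the `$verify`/`$create` callables are hypothetical stand-ins for the site's own captcha check and account creation.

```php
<?php
// Added example: framework-agnostic sketch, not Elgg or plugin code.
// Every name and limit below is an assumption made for illustration.

const PENDING_TTL  = 600; // seconds a held profile stays valid (assumed)
const MAX_ATTEMPTS = 5;   // failed captcha tries before the profile is dropped (assumed)

// Step 1: the provider returned a profile; hold it instead of creating the user.
function hold_pending_profile(array &$session, array $profile): void {
    $session['pending_social'] = [
        'profile'  => $profile,
        'created'  => time(),
        'attempts' => 0,
    ];
}

// Step 2: run on every captcha submission. Returns a status string.
function complete_pending_registration(array &$session, string $captcha_response,
                                       callable $verify, callable $create): string {
    $pending = $session['pending_social'] ?? null;
    if ($pending === null) {
        return 'no_pending_profile';
    }
    if (time() - $pending['created'] > PENDING_TTL) {
        unset($session['pending_social']);
        return 'expired';
    }
    if (!$verify($captcha_response)) {
        // Count failures so a bot cannot retry forever on one held profile.
        if (++$session['pending_social']['attempts'] >= MAX_ATTEMPTS) {
            unset($session['pending_social']);
            return 'too_many_attempts';
        }
        return 'retry';
    }
    // Clear first so a replayed request cannot create a second account.
    unset($session['pending_social']);
    $create($pending['profile']);
    return 'created';
}

// Constructed sample run; in a real site $session would be $_SESSION.
$session = [];
hold_pending_profile($session, ['provider' => 'example', 'email' => 'user@example.test']);
$verify = fn(string $r): bool => $r === 'solved'; // stand-in for a captcha provider check
$create = function (array $p): void { echo "creating account for {$p['email']}\n"; };
foreach (['wrong', 'solved', 'solved'] as $answer) {
    echo complete_pending_registration($session, $answer, $verify, $create), "\n";
}
```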