#10246 Dealing w/ robot registrations

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by user528 on Tuesday, 24 January 2012 15:04 CST

user528
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the forum before posting? yes
Have I read the documentation before posting (which pages?)? yes
Joomla! version: 1.7.3
PHP version: 5.2.17
MySQL version: (unknown)
Host: lunarpages
Admin Tools version: (2.2.a2


Description of my issue:

I have been battling robot registrations since I created my Joomla 1.7 site. They seem to be skirting the regular registration process, and I cannot figure out how. I have JomSocial, Account Expiration Control, and even reCAPTCHA installed. The bots seem to register without me getting an email, and they don't fill in any of the required forms.

I recently turned on the option to email me when there are security exceptions. I have blocked some ip addys, but they just kept coming. So, I tried blocking a couple of the countries (Russia and China) - and yes, I did read your thoughts on why you shouldn't bother blocking countries...but I thought I would give it a shot...well, it helped some, but ip addys from those countries are still coming through.

So, I checked the security exception log. All fake attempts to login are going to a specific url: http://www.mysite.com/index.php?option=com_users&lang=en

I'm not sure why they would be able to hack into that page, but that seems to be the case. Any idea how I can block access to that page? Or will that screw up all legitimate registrations?

Thanks :)

nicholas
Akeeba Staff
Manager
Blocking that page will block all user registrations, so it's not recommended. You can do something simple. Enable registration confirmation emails. Automated bots can't get through. If they manage to get through, you're in deep crap. The latest trend is hiring dirt cheap workers who will do one spam registration for 0.01$ or less. Apparently, the only way to ensure legitimate registrations is charging for them :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user528
I hate to enable registration confirmation emails now that my site is finally running smoothly...just another step to cause confusion for the masses.

But, I question whether it'll matter. How would bots be able to register without filling in required fields? A confirmation email wouldn't matter would it - they are obviously getting past the regular registration form, and requirements.

nicholas
Akeeba Staff
Manager
No, you get it wrong. The bot comes to your site to register. Then it is sent a confirmation email ASKING IT to visit the site and paste a token (or click a URL). The bot can not read the mail, therefore can not complete the registration. Ergo, its user account remains inactive. As a result they cannot spam you.

The next thing you can do is to automatically remove crap accounts left behind by spam bots. Admin Tools 2.1.14 and later offer this option, it's hidden in the options of the "System - Admin Tools" plugin. Take a look at the documentation.

As for your users, the confirmation emails are so common that nobody will care.

Bluntly put: you will either enable the confirmation email, or go through each and every user registration manually to determine if it's a spammer. Which one of the two sounds like a better approach?

user528
Actually, I think I made a slight error...the country block may have worked. I was confused because I have admin tools set to email me with every exception. I am still getting emails for those country ip's, but the email says they are blocked with GeoBlock. I think I'll turn off the email for exceptions, let it run for a week, and just check the security log for failed logins. Then I'll know if bots from those countries are still making it through.

======

Just saw your new post. It is actually easy for me to tell which are bots, because regular registrations send me an email...while I get none from bots. So, I can easily delete the culprits.

But, yes, I do see your point. I will look into it, and probably enable it. Then I can automate the process of deleting users who register, but never activate their accounts. It will be much easier. :)

Thanks for the help.

nicholas
Akeeba Staff
Manager
I bet that you get emails for all registrations, but those coming from bots get trapped in your ISP's, mail provider's or mail application's spam filter :)

user528
I use gmail for my mx servers. I get no emails from those registrations. I have checked the spam folder...nothing. Unless, as you said, it is at the isp level. How would I check that?

nicholas
Akeeba Staff
Manager
Probably you can check with your ISP, but I suppose that all mail is being handled by Google. The only way to not get a user registration notification email is if the registration failed, i.e. the user account is disabled. Otherwise it IS in your spam folder, somewhere. Joomla! always sends such an email. The option to disable this email was added in J! 2.5 very recently.

user528
Well, I went ahead and set up the registration to require an activation by user. Tried it several times myself, and I needed to click the link to activate. I also received an email each time a new user registered.

Then, I got another robot registration...fully activated...no new user email came in...wtf? They are getting in somewhere...

The saving grace is that they can't do anything on my site until they get a plan through AEC. So, I don't have to worry about spam and stuff. But, it is still very frustrating...

nicholas
Akeeba Staff
Manager
This means that you're not dealing with bots, but humans. There are specialised companies, offering an API, which allow you to essentially hire humans to solve CAPTCHAs and perform spam registrations... for 1$ per 1000 CAPTCHAs or 1$ per a few dozen registrations (no kidding, I was reading a comparison of such services yesterday!). You are fighting a losing battle. Soon enough you'll be doing what I'm doing: ask people to pay or severely limit what they can do on your site.

user528
Sounds scary. But, I'm still not sure that making them pay will help. They are obviously registering 'outside' of the regular process. If they were using the regular route, then AEC forces people to choose a plan already. Sure, I have a free plan, and a paid plan, but they are choosing neither of them. They are bypassing it entirely. So, it wouldn't matter if I got rid of the free plan, and made the whole site paid...they would still register. (Of course, just like now, they still cannot login without joining a plan, but they can register and cause me the grief of deleting users.)

AEC says there is no way to register without going through their extension, but that clearly isn't the case.

I know there are extensions which will delete any user not activated after "x" number of days, or one who hasn't logged in after "x" number of days. I would love to use that, and forget about it. But, the problem I see is that some people may pay for my site, and not log in for months at a time. I can't be deleting paid members :(

Grrr - I hate people/bots/whatever it is.

nicholas
Akeeba Staff
Manager
OK, NOW I understand what you're talking about. You want all registrations to go through AEC. Excellent! Just go to your site's Global Configuration and turn off User Registration. This means that the perpetrators won't be able to use the direct URL you pasted earlier to self-register. They will have to go through AEC instead.

user528
Seriously? It is That Easy?! Haha - please let it be true!!! I'm going to do that right now, and test it out

user528
Houston, we have a problem...

Well, that wasn't the answer. I turned off registrations, then went to the homepage. I clicked register, AEC asked me which plan I wanted. When I clicked the free plan, I was presented with an error: User registrations is disabled in Joomla

Hmmm - shoot. I knew it was too easy.

nicholas
Akeeba Staff
Manager
Darn, I wonder why AEC has this limitation?! Apparently, you can't do that with AEC. :(

user528
I'm contacting them again to see if it is possible.
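
Added example, not part of the original ticket or of Admin Tools: one way to check from the web server access log whether clients are POSTing straight to `option=com_users` (the URL from the security exception log) without ever loading the subscription component first. The log lines are constructed, and `com_acctexp` as AEC's `option` value is an assumption to adjust for your site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA combined-format prefix: client, identity, user, time, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} '
)

# Constructed sample lines (documentation IP ranges), not taken from the ticket.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2012:09:10:01 -0600] "GET /index.php?option=com_acctexp&task=subscribe HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:09:10:40 -0600] "POST /index.php?option=com_acctexp&task=subscribe HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:09:11:15 -0600] "POST /index.php?option=com_users&lang=en HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jan/2012:09:12:03 -0600] "POST /index.php?option=com_users&lang=en HTTP/1.1" 303 - "-" "-"
198.51.100.23 - - [24/Jan/2012:09:12:04 -0600] "POST /index.php?option=com_users&lang=en HTTP/1.1" 303 - "-" "-"
192.0.2.9 - - [24/Jan/2012:09:13:30 -0600] "GET /index.php?option=com_users&view=registration HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jan/2012:09:14:59 -0600] "POST /index.php?option=com_users&lang=en HTTP/1.1" 303 - "-" "-"
"""

def component(url):
    """Return the Joomla component named by the option= query parameter."""
    return parse_qs(urlsplit(url).query).get("option", [""])[0]

def direct_posts(log_text, target="com_users", front_door="com_acctexp"):
    """Count POSTs to `target` per client that never requested `front_door` first.

    front_door is an assumed component name; lines are assumed chronological,
    as they are in a normal access log.
    """
    seen_front_door = set()
    flagged = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, comp = m["ip"], component(m["url"])
        if comp == front_door:
            seen_front_door.add(ip)
        elif comp == target and m["method"] == "POST" and ip not in seen_front_door:
            flagged[ip] += 1
    return dict(flagged)

if __name__ == "__main__":
    for ip, count in sorted(direct_posts(SAMPLE_LOG).items()):
        print(f"{ip}: {count} POST(s) to com_users with no prior subscription-page request")
```

The access log does not record the POST body, so a flagged request may be a login attempt rather than a registration; compare its timestamp with the registration dates of the suspect accounts.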
