#29353 Unauthorized registrations still occur despite the latest AdminTools

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by on Tuesday, 10 April 2018 17:17 CDT

jooomlaa
First, I recently took over the project for support, because the customer permanently received unauthorized registrations in Joomla. I immediately updated Joomla from 3.8.3 to 3.8.5, installed the AdminTools and blocked a lot of functions in Joomla. Nevertheless, Russian spammers are still being registered. How could that be?!?

nicholas
Akeeba Staff
Manager
What you consider "unauthorized" user registration is actually proper user registration done through Joomla!. Someone goes to the user account creation page, fills in the form, receives the email validation emails, visits the activation link in there and the user account is activated. From where your site is sitting there is no telling that this is a "Russian spammer" (something which you determine based on your arbitrary criteria). Please note that Joomla's registration page can be reached without a published menu item. This is by design in Joomla. It's what allows login modules to have a link to create a new user account.

If the "Russian spammers" do NOT follow the activation link in the email, i.e. they are indeed spammers, the user account created is not activated. You can go to Extensions, Plugins, System - Admin Tools and set up the automatic deletion of inactive user accounts. This is why this feature is there. Please do keep in mind that inactive users CAN NOT spam you in any way; they can not even log in.

If you do not want any new users to be created you can simply go to Users, Manage, click on Options in the toolbar and disable the user registration by setting User Registration to None.

If you want to block certain email domain names from registering you can set them up as Bad Words in Admin Tools. Remember to enable the Bad Words filtering in the Configure WAF page.

If you want to prevent anyone from Russia from accessing your site you can use Admin Tools' Geographic Blocking feature. Please note that this is not an absolute protection. Geoblocking can be trivially circumvented by using a VPN or proxy server with an IP outside the list of countries you are blocking.

In any other case you have to convert your "Russian spammer" gut feeling into actual rules you want to be followed. What makes someone a Russian spammer? If you say "their name" I will tell you that not all Russians are spammers and not all spammers have Russian names, so how exactly do you believe a name can be a sure indicator of being a spammer and also how do you determine a "Russian" name? Is it their country based on their IP? See above. Is it their email's domain name? See above. Is it a user with a name and email which doesn't "sound Russian" but posts content in Russian? Tough, there is no way to block content based on language since there is no open API which can determine the language of posted content (even though we could integrate with something like Microsoft Cognitive API you'd end up paying thousands of dollars per month to use that API since all requests to your site would need to go through it AND it'd slow your site to a crawl). In this case you can simply use Bad Words filtering to block common Russian words. If it's just your gut feeling that certain users are "Russian spammers", well, computers don't have guts or feelings.

So, to answer your question in simple terms: you have a badly defined problem; as a result you have not configured Admin Tools to deal with it (defining the problem is a prerequisite to solving it). Try defining the problem as very specific parameters which can be checked by a computer with absolute certainty and then configure Admin Tools to prevent access to your site based on these parameters.

The hard part is converting your gut feeling into actionable parameters. This is highly dependent on what your site does. For example, on our business site -the one we're having this conversation on- we know that if you're not a subscriber (belong to specific user groups) your only spam target is our Contact Us page and the Pre-sales category. This reduces this issue to deleting inactive user accounts of people who have never been subscribers after a couple of months and using Bad Words to block requests with known spammy content. We get two or three spam messages through every year but we have established that trying to catch these results in false positives which are detrimental to our users. On this site we can't block anything Russia-related since we have Russian clients (same goes for any other country, really) and we can't turn off user registration since that would obviously make it impossible to sell subscriptions. On my wedding site I have disabled user registration altogether because I am manually controlling who gets access. On my blog I use Bad Words filtering and Project Honeypot integration to keep spammers away. I do get some spam, then I update my Bad Words and it goes away. There is a bit of upkeep but I would be lying if I said I spend more than 5' a month on it, so it's not that bad. In every case I defined the same problem as a different set of parameters based on the context of the site's functionality and configured Admin Tools accordingly. I hope these examples give you some ideas.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
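
Added example (not part of the ticket and not Admin Tools' code): the reply's advice to turn a suspicion into machine-checkable rules, applied to a constructed export of Joomla's users table. It flags accounts that were never activated past an age limit and accounts on a blocked email domain. The column names follow Joomla's users table as an assumption; the rows, the domain list and the 60-day limit are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample rows, shaped like an export of Joomla's users table
# (assumed columns: block, activation, registerDate, lastvisitDate).
USERS = [
    {"id": 101, "email": "anna@example.com", "block": 0, "activation": "",
     "registerDate": "2018-01-05 10:00:00", "lastvisitDate": "2018-04-01 09:30:00"},
    {"id": 102, "email": "x1@spam-domain.example", "block": 1, "activation": "a3f9",
     "registerDate": "2018-01-20 03:12:00", "lastvisitDate": None},
    {"id": 103, "email": "new@example.org", "block": 1, "activation": "77c1",
     "registerDate": "2018-04-08 18:45:00", "lastvisitDate": "0000-00-00 00:00:00"},
    {"id": 104, "email": "bob@mail.spam-domain.example", "block": 0, "activation": "",
     "registerDate": "2018-02-02 12:00:00", "lastvisitDate": "2018-02-02 12:05:00"},
]
BLOCKED_DOMAINS = {"spam-domain.example"}   # constructed placeholder
MAX_INACTIVE_AGE = timedelta(days=60)       # assumed retention limit

def never_activated(u):
    """Still blocked, still holding an activation token, never logged in."""
    never_visited = u["lastvisitDate"] in (None, "", "0000-00-00 00:00:00")
    return u["block"] == 1 and u["activation"] != "" and never_visited

def domain_blocked(email, blocked):
    """Match the exact domain or any subdomain of a blocked domain."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    return any(domain == b or domain.endswith("." + b) for b in blocked)

def triage(users, now, blocked=BLOCKED_DOMAINS, max_age=MAX_INACTIVE_AGE):
    """Return {user id: [reasons]} for accounts that match an explicit rule."""
    findings = {}
    for u in users:
        reasons = []
        age = now - datetime.strptime(u["registerDate"], "%Y-%m-%d %H:%M:%S")
        if never_activated(u) and age > max_age:
            reasons.append("inactive-expired")
        if domain_blocked(u["email"], blocked):
            reasons.append("blocked-domain")
        if reasons:
            findings[u["id"]] = reasons
    return findings

if __name__ == "__main__":
    for uid, why in triage(USERS, datetime(2018, 4, 10, 17, 17)).items():
        print(uid, ", ".join(why))
```

Account 103 is left alone because it is still inside the activation window, and account 104 is flagged only through the subdomain match.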

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
