Registration limited to manual admin activation

This forum was archived to /woltlab and is now in read-only mode. Please register a new account on our new community platform.

  • Hi,

    in the past couple of weeks we had a permanent problem with spam bots. Our forum is based on WBB4 and has reCaptcha enabled during the registration process. This normally prevents bots from registering and starting to spam the forum with meaningless postings.

    I guess there are various hacks out there which allow one to "crack" reCaptcha, or by paying someone to do that on a manual basis. Either way, reCaptcha does not prevent those bots from registering. Yesterday there were round about 300 postings during the mornings. We need to manually remove them and ban the users.

    Since there is no immediate solution to this issue other than workarounds, I've disabled the registration and am requesting administrators to review and activate new accounts. This is not as good as it sounds, as you will have to wait for someone to activate your account. Please be patient.

    Probably there is a better method but from our first analysis of registered IP addresses, this ranges from Korea, Taiwan, US west coast, to anything you cannot really block by simple filters.

    Stay tuned for updates,

    Edit: Rephrased after a frustrated first post. Thx for the feedback guys.

  • I've been analyzing the problem for a while.

    One thing which I did not know yet is that there are actually sites selling to crack reCaptcha.

    I also found out about the fact that reCaptcha does not use the "most secure" setting by default. That is hidden in the "advanced settings" tab you normally don't look at.

    I've changed the setting one week ago, and so far only "real" users have registered.

    Therefore I am re-enabling the registration activation by email and looking forward to a spam free 2017 :)

  • Maybe here is sth. we could use? …ecapctha-support-wcf-1-1/

    Just ideas and results of a little search... ^^

    A nice to have scenario would be:
    - New users get a role called "new users"
    - this role is only changeable by a mod/admin
    - New user has a specific possibility to create threads and replies
    - when New user is identified as "no spambot" by mods/admins, he rises to role "confirmed user"
    - also confirmed user should have the possibility to report New user as spam user. When a New user is reported by e.g. 5 confirmed users, he will be automatically locked till a mod/admin unlocks him

    Don't know if this is technically feasible
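
The scheme proposed in the post above, modelled as an added example (not part of the thread and not WBB/WCF code). All names are hypothetical, and the rules that repeat reports count once and that only unlocked confirmed users can report are assumptions layered on the post's outline.

```python
from dataclasses import dataclass, field

NEW, CONFIRMED, MOD = "new user", "confirmed user", "moderator"
REPORT_THRESHOLD = 5  # "reported by e.g. 5 confirmed users" in the post


@dataclass
class Account:
    name: str
    role: str = NEW              # every registration starts in the restricted role
    locked: bool = False
    reporters: set = field(default_factory=set)  # distinct confirmed reporters


def _require_mod(actor):
    if actor.role != MOD:
        raise PermissionError("only a mod/admin may do this")


def promote(actor, target):
    """Raise a new user to confirmed; role changes are mod/admin-only."""
    _require_mod(actor)
    if target.role == NEW:
        target.role = CONFIRMED
        target.reporters.clear()


def unlock(actor, target):
    """Lift an automatic lock; old reports are dropped so counting restarts."""
    _require_mod(actor)
    target.locked = False
    target.reporters.clear()


def can_post(account):
    return not account.locked


def report_spam(reporter, target):
    """Record a spam report; returns True once the target is locked."""
    # Only unlocked confirmed users count, and only against new users, so
    # freshly registered accounts cannot be used to lock out real members.
    if reporter.role != CONFIRMED or reporter.locked or target.role != NEW:
        return target.locked
    target.reporters.add(reporter.name)   # a set: repeat reports count once
    if len(target.reporters) >= REPORT_THRESHOLD:
        target.locked = True
    return target.locked
```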

  • Don't know if this is technically feasible

    The software is not making our job easier, if there was a button that would let us ban a user and delete all his posts this would not be such a big problem. Sadly our options are very limited.

  • Thanks for the tips.

    Moderation and enabling users to post should be kept at a minimum level. Either you do that, or you'll engage with answering questions. On the other hand - enabling more users to become moderators is also possible.

    We're using the latest WBB4 which includes WCF2.1 so plugins must remain compatible to that. I've seen that there's WBB5 with WCF3.0 coming but doubt that this will solve any spam issues.

    KeyCaptcha doesn't work well on mobile devices, and might introduce other issues. See that (old) discussion here: …03-recaptcha-alternative/

    I'm not sure whether stopforumspam will properly work, also since the plugin here is still in beta: …creatr-wcf2-stopforumspam

    The mentioned honeypot plugins you'll certainly find on the internet are not working with the current WCF implementation.

    Another idea was to add an additional question to the registration, but this will probably not hinder any real user from using Google to find the correct answers. Remember, we're not talking about bots here, but human beings getting paid to register spam accounts.

    The main issue remains that the posts don't provide any URLs. You could block newly registered users from posting external URLs with plugins, but that is not the case here.

    Different idea - disallow registering from any volatile mail service, and hotmail.* and others. Guess this will harden the spam registration, but also the normal user experience.

    2 factor auth is something which doesn't feel properly integrated. At least I haven't found anything comfortable and useful.

    One thing which sounds tempting is to use external auth providers such as Github, Twitter, FB and Google and purely disabling the internal registration. Guess I'll try that on the weekend.
    That also is something I consider useful if we ever go for Discourse. One thing which bugs me about that - the whole Docker architecture involved including your own mail server. That'll be lots of hours and days getting this to work in a timely manner.

    Kind regards,

  • I can see the IP addresses and they originate not only from China but also US, Europe and so on. Could be a Botnet abused as Proxy, TOR endpoints, etc. - I did not dig deeper mainly for the reason that I cannot ban such an IP range.

  • Could you implement something like the spamhaus rbl, for known bots and bad networks?
    Don't know if something like that exists.

    Linux is dead, long live Linux

    Remember to NEVER EVER use git repositories in a productive environment if you CAN NOT control them

  • That's the stopforumspam thingy, but as already said, that plugin remains in a beta mode so probably it is not finished or got some bugs. I might try that on the weekend too (although I plan to refactor the Vagrant-Box Puppet code entirely, let's see about that).

  • I've manually reviewed newly registered users in the past weeks. There was no spam-ish activity anymore, and therefore I'm re-enabling registration with email activation again. The announcement banner is gone. In case you've found a spammer, please send me a private message or click the report button.

  • Yeah, well. Turns out it did not work, thanks for reporting the spammers. We'll keep looking for alternatives with external auth providers and spam prevention.