Spambots targeting Drupal sites are already a plague, so we should force reasonable default policy for new accounts registration, as below:
* Visitors, but administrator approval is required (forced default)
* Require e-mail verification when a visitor creates an account (enabled)
If you wish to disable e-mail verification or set "Who can register accounts" to "Administrators only" or "Visitors", you must create a control file in sites/foo.com/modules/disable_user_register_protection.info
and then change these settings in the site.
Wed don't force "Administrators only", because it could immediately break many commerce or community sites essential features. But for other sites, "Administrators only" is strongly suggested.
It is also a good idea to check (really, do this, you may be surprised) if your sites are not already "taken over" by spambots - we have seen too many sites with 10k or even 50k spambots accounts created, not to mention *tons* of spam added, which even if not published, can slow down your site seriously anyway.
Comments
Comment #1
omega8cc CreditAttribution: omega8cc commentedCommitted in HEAD only: http://drupalcode.org/project/barracuda.git/commit/b768b7b
Comment #2
omega8cc CreditAttribution: omega8cc commentedRelated fix committed to HEAD: http://drupalcode.org/project/barracuda.git/commit/3b85755
Comment #4
Jim Kirkpatrick CreditAttribution: Jim Kirkpatrick commentedOK so this actually MAKES spam accounts happen. I realise there's a fix (make the control file) but I think BOA has overstepped its remit here...
My site was set to 'Admin only' for user account creation for years, then I updated, now I get loads of (blocked) spam user accounts because there's a change of behaviour and I haven't yet put in the disable_user_register_protection.info file. This logic is backwards!
My point is that BOA shouldn't be changing this at all outside some specific platforms (like Feature Server). It's a site-level config change that might well be wanted to be changed by a non-techie at many times during a site's lifetime. BOA shouldn't be forcing such changes IMHO. There are dozens of use-cases where an admin might want to change this.
I would like to see this feature fixed so it does not interfere with already built sites, and their administrator's work. Correct behaviour/Fixes would therefore include:
FWIW the sentiment behind these fixes is a good one, but the execution is clumsy. Another approach would be to include the either/both the excellent BOTCHA or SpamBot modules in the Octopus contrib modules and force-enable one of these -- it's a smarter way to stop spam IMHO.
Thank you.
Comment #5
omega8cc CreditAttribution: omega8cc commentedHave you read related docs?
This is a kind of one-time inconvenience to provide an absolute minimum of protection for hosted environment without introducing problems for the end-users - sites visitors, since we can't assume that you control/administer all sites hosted on the system.
HTH
~Robert
Comment #6
Jim Kirkpatrick CreditAttribution: Jim Kirkpatrick commentedThanks. I didn't know abou the docs because they're new and were not linked in this issue, or in either commit.
It's just strange that an anti-spam feature actually allows spam where there wasn't any. It's not properly designed IMHO.
I'll make the appropriate control file.
Comment #7
omega8cc CreditAttribution: omega8cc commented"It's not properly designed" is a bold statement. Feel free to suggest something better, which would work not only for your own use-case.
I would recommend to watch our Twitter and/or App.net streams for updates, or at least subscribe to our RSS feeds on the site, as we have announced this there.
~Robert
Comment #8
Jim Kirkpatrick CreditAttribution: Jim Kirkpatrick commentedHi Robert, (and Grace and all the others that make BOA so good)...
Poor choice of words by me there, sorry... I completely appreciate all the thought, dedication and hard work that goes into BOA, and in turn the making my hosting of my client's sites a happier experience. In this case I was just surprised because I only ran
octopus up-stable o1 platforms
to install a platform and the next morning my inbox was full of spam account requests from several of my sites.So in this (rare) case I think the decision to do this a hosting/server level wasn't ideal. It's a site-level thing, and the implementation made some assumptions that didn't work at all well for me. Already follow @Omega8cc, missed the announcement this time.
I think BOA is fantastic, but I have a suspicion that the global.inc logic is on the verge of needing a refactor, or even a Drupal/Aegir helper module. This way, the performance/bot stuff that should be done before Drupal boots can be done in global.inc, but the 'make drupal safer/cleaner/better site prefs can be managed from within Drupal where it logically sits. Another idea would be a 'local-boa-config.inc' on both site and platform levels that are included early in global.inc which can control these things more cleanly (kinda like the custom.global.inc approach) and allow a standard set of defaults to be more cleanly overridden.
I suppose what this boils down to is that I believe control files are great for many things outside Drupal (in Bash/Perl), but since we're already in PHP at this point a standardised config file and some nice clean functions might be more appropriate as the system grows. And, if those settings were editable from Aegir or the site itself then that would be really great -- not to mention better UX/DX since the help would be right there by the settings.
FWIW I'd be happy to assist in this should you guys be at all interested.
So I'm re-opening this one last time so that these thoughts can be commented on and if you consider these ideas as having potential please let me/us know how we can engage and build something nice. Otherwise close this and thanks for your help.
Comment #9
omega8cc CreditAttribution: omega8cc commentedWell, the way this change was handled was for sure unfortunate.
In fact, it was introduced in an emergency mode, because many of our servers suffered from sudden and random load spikes for a few weeks, and we have determined that it was because of some wide spread spambots attacks we have never seen before on that scale, affecting sites with too open new accounts registration policy.
We have tried to fight this for a few weeks, hunting for sites targeted and improperly configured, but it was not effective enough, so to protect all our clients who do care about security and proper configuration like you do, from being indirectly affected by this new wave of spambots attacks emerged, we have decided to force settings, which introduce protection for unprotected sites, but also don't break possibility to self-register, when required, and introduce a one-time inconvenience as a price for a long-term protection from systems instability.
Also, we have applied this to the stable, because the head is not yet ready for production. We normally announce such changes on BOA releases and upgrades, but since there is no new Drupal core version expected this month, so probably also no BOA new release, we could only announce this on our website, Twitter and App.net - we should probably do this better, post something on g.d.o etc.
So, we are open for any good ideas. It just almost never happens that we could review someone else patches, just requests for features etc. so if you have an idea on how to do this particular change/feature better, please share the concrete ideas!
Note also that almost everything included in the global.inc simply can't be converted to module, for rather obvious reasons. And scattering this around in many sub-sub-includes etc sounds like a recipe for serious trouble to me. There are already two includes in the global.inc supported for early and final overrides.
I'm postponing this until there will be some patch for review! :)
~Grace
Comment #10
mattman CreditAttribution: mattman commentedBecause I too was affected by this on two of my sites, I would like to point to my proposal of #2034391: Document all control files and make it easy to find.
A registry of control files, with notifications when one or more is added, would be a nice direction.
While Twitter and App.net are great, they are not the most ideal solution to being notified about such changes. Personally, I rarely have Twitter open because I don't like distraction based working.
If you can show me 9 out of 10 people who DON'T open up email daily, then I will grant you that I am behind the times and should be checking Twitter just as much as I check email.
sendmail is already on the box and .barracuda.cnf has my address. ;)
Comment #11
Anonymous (not verified) CreditAttribution: Anonymous commentedWhat about the user_verify module (drupal.org/project/user_verify):
"
This module extends Drupal's user verification in order to bug site spammers' lives at least a little bit. For sites configured to allow user registrations without admin approval, new users are not immediately activated but remain in status "blocked" and an additional verification code is being generated. This code may be sent out instantly as well or (recommended) with a configurable delay so the efforts to configure a spambot will at least increase a bit. The new user remains blocked until he verifies properly and if he does not within a custom time limit, his account will be deleted automatically and in the background. There is some more little bullying - hardly harmful to serious users but annoying for the unwanted ones.
Remember:
Although the user's chosen password is valid instantly after registration, all login attempts will fail until the user has verified with the special token. If he tries too early and too often, he will remain blocked and if he fails to validate, he will be auto-removed after a configurable time. However: No spam prevention is perfect or eternal as spammers evolve. But if playing cat and mouse helps it for a while, why not try.
It is strongly recommended to alter your registration email templates on the accounts settings page to clearly instruct your new users about the verification process.
"
Installing it automatically bypasses the normal user registration flow, so would this boa control file still be needed?
Regards,
Ed
Comment #12
Anonymous (not verified) CreditAttribution: Anonymous commentedAdditionally, re the original post - In order to get modifications to the user registration settings to be saved - so the change appears in the admin GUI, I had to disable user locations from the location module, make the change, which then did show as changed in the GUI, and then re-enable user locations. This does not mean that the change was actually having an effect - just that it appeared changed in the admin GUI.
Comment #13
omega8cc CreditAttribution: omega8cc commented@EdNet - Using extra module doesn't solve the problem and even makes it harder to solve.
Comment #14
omega8cc CreditAttribution: omega8cc commented@mattman - The correct solution to this is to simply never modify Stable Edition like this and just release new Stable when any change like this is required, so we can use normal and expected communication channels -- release notes, changelog and upgrade e-mail.
Comment #15
geoff CreditAttribution: geoff commentedOuch! After this recent update, about 200 sites that where set to "Admin Only" have started to have spam accounts being created. They have all be forced down in security so now they are open to abuse.
I agree with the locking up when "Admin approval was NOT needed" - but it should never have locked down if the "Admin only" was set.
A better solution would have been to lock out the insecure option and to upgrade security for anyone with that set. But allow changes between "Admin Only" and "Admin Verification" - without needing the config file.
Comment #16
omega8cc CreditAttribution: omega8cc commentedI think that both the "fix" and the way it was introduced was really a bad idea. While it is not possible to determine on the global.inc level if the site already has secure settings and what security measure would be best etc. we should do this in the /var/xdrago/daily.sh script instead, where we can:
1. Check the value of the actual variable per site.
2. Create an "OFF" control file only if the registration is wide open and there is no "ON" control file present.2. Force/set secure variable in the DB directly, but only if the registration is wide open and there is no "ON" control file present (site and platform level)
The implemented method to force "Admin only" mode per platform and per Octopus instance is for sure useful, but the other part of this "fix" must be changed.
Comment #17
omega8cc CreditAttribution: omega8cc commentedThis should be fixed in the commit: http://drupalcode.org/project/barracuda.git/commit/5bbb203 (will be applied also to stable, since we don't have any ETA for a new release yet)
We no longer force anything live in the global.inc file (with exception of feature_server and hostmaster profiles). Instead, we use the running daily.sh maintenance script to detect actual variable per site and set it in the database directly, only if needed. This allows us to avoid opening moderated registration if the site already has "Administrators only" mode turned on. The logic for control files, as explained at http://omega8.cc/node/273 remains the same - we just use it in the running daily.sh script instead of check them live on every request. This allows to force safe defaults daily and to override them still in the site admin area (until the next daily.sh run).