We are getting about a dozen spam user registrations per hour. This spike in spamming is over the weekend. Prior to that it was maybe a few a week. The user registrations generally follow the pattern of registering, posting some spam links in their User Profile, and never logging in again.

1. We have already implemented Mollom, and then switched to Captcha, and then reCaptcha. We have tried image puzzles, math puzzles and word puzzles. None of them have prevented user registration spam.

2. We do have email verification in our Drupal user configuration.

3. We are currently running 6.17 and there are no modules with a "security" upgrade required in our Upgrade Status report.

4. The only way we have found to stop the spam registrations is to set registration to "administrator only" which for our site is only a temporary solution. Our business model demands that legitimate people be able to register for an account on their own.

Whatever techniques these spammers are using, they are circumventing our measures to stop them.

What next? Any tips on how to stop this nonsense?

Comments

Codeblind’s picture

Sometimes people add an extra text input and hide it with CSS and/or Javascript. Bots will typically add some junk in every field, but they don't normally bother rendering the page or running javascript, so if you set this field to fail authentication if it isn't empty, it will stop a lot of them. If your site is large and/or popular, a good bit of the registrations may be actual people who are being paid to register spam accounts by hand, so they'll be difficult to stop. Another thing you could do is block addresses that register more than n-accounts in an hour.
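The two checks described in the comment above (a hidden decoy field and a cap on registrations per address per hour), as an added, framework-independent sketch that is not part of the original post and not Drupal module code. The field name, thresholds and sample submissions are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Hypothetical decoy field name; pick one a form-filling bot will want to complete.
HONEYPOT_FIELD = "website"

# Markup for the decoy: moved off-screen by CSS, skipped by keyboard and screen readers.
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-9999px" aria-hidden="true">'
    f'<input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">'
    "</div>"
)


class RegistrationGuard:
    """Server-side checks to run before an account is created."""

    def __init__(self, max_per_hour=3, window=3600):
        self.max_per_hour = max_per_hour
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of accepted registrations

    def check(self, form, ip, now=None):
        """Return (allowed, reason) for one submitted registration form."""
        now = time.time() if now is None else now

        # 1. Honeypot: a human never sees the field, so any non-blank value
        #    means the form was filled in without rendering the page.
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot"

        # 2. Sliding one-hour window per client address.
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_per_hour:
            return False, "rate-limit"

        hits.append(now)
        return True, "ok"


def demo():
    """Run constructed submissions through the guard and return the verdicts."""
    guard = RegistrationGuard(max_per_hour=2)
    t0 = 1_000_000.0
    human = {"name": "alice", "mail": "alice@example.org", HONEYPOT_FIELD: ""}
    bot = {"name": "x9", "mail": "x9@example.net",
           HONEYPOT_FIELD: "http://spam.example/"}
    return [
        guard.check(bot, "192.0.2.10", t0),           # decoy filled in
        guard.check(human, "192.0.2.20", t0),         # first account this hour
        guard.check(human, "192.0.2.20", t0 + 60),    # second account
        guard.check(human, "192.0.2.20", t0 + 120),   # third within the hour
        guard.check(human, "192.0.2.20", t0 + 3601),  # first hit has aged out
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Both checks must run on the server; hiding the field is only what makes a filled-in value meaningful.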

Stoob’s picture

Thanks

By block addresses that register more than n-accounts in an hour you mean IP addresses? Is there an IP address block/throttle Drupal module you recommend?

CiviCRM specialist

Codeblind’s picture

I don't know of any modules, but it seems like the contact form's flood control system has most of the logic you'd need to build a module for registration flood control.

lordrt21’s picture

if you want to block ips try the login_security module, http://drupal.org/project/login_security, but as far as i know it is used only when users login to the website instead of registering...

piersg’s picture

Can't admin/user/rules in core block by IP address?

silverwing’s picture

Found this - haven't tried it http://drupal.org/project/spamicide

~silverwing

lordrt21’s picture

could also give this module a try, http://drupal.org/project/register_preapproved, but i've never used it and do not know exactly how it performs in a system

SweeneyTodd’s picture

I had a problem a while back and most of the spam accounts had email addresses that all followed the same pattern. In my case they were gmail addresses but the names were the same, just moving the dots around made them unique. Other attacks I have had all had email addresses from the same domain. I used the built-in Drupal user registration access rules to match the patterns. For example:

h%e%r%r%o%d%m%c%c%u%l%l%o%u%g%h%@gmail.com
%@mailforspam.com

It took a bit of effort to set up as there were over 20 patterns, but that and Mollom stopped it in the end.
Do you have Mollom or other Captchas enabled on user registration?

-- SweeneyTodd
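An added example, not part of the original post: it evaluates the two masks quoted above against constructed addresses and compares them with matching on a canonical form of the address. It assumes the masks follow SQL LIKE semantics (`%` for any run of characters, `_` for exactly one) and relies on Gmail delivering every dot variant of a local part to the same mailbox; the helper names and sample addresses are constructed.

```python
import re

# The two masks quoted in the post above.
DENIED_MASKS = [
    "h%e%r%r%o%d%m%c%c%u%l%l%o%u%g%h%@gmail.com",
    "%@mailforspam.com",
]
# One canonical entry that covers every dot variant of the same Gmail mailbox.
DENIED_CANONICAL = {"herrodmccullough@gmail.com"}


def mask_to_regex(mask):
    """Translate a LIKE-style mask into an anchored, case-insensitive regex."""
    parts = []
    for ch in mask:
        if ch == "%":
            parts.append(".*")      # any run of characters, including none
        elif ch == "_":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def mask_hit(email, masks=DENIED_MASKS):
    """True if any deny mask matches the whole address."""
    return any(mask_to_regex(m).fullmatch(email) for m in masks)


def canonical_email(email):
    """Lower-case the address and drop dots from a gmail.com local part."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def canonical_hit(email, denied=DENIED_CANONICAL):
    """True if the canonical form of the address is on the deny list."""
    return canonical_email(email) in denied


# Constructed sample registrations.
SAMPLES = [
    "h.errod.mccullough@gmail.com",    # dot variant of the spam mailbox
    "Herr.OdMccul.lough@gmail.com",    # another variant, mixed case
    "herrodmccullough1977@gmail.com",  # a different mailbox entirely
    "someone@mailforspam.com",         # throwaway domain
    "alice@example.org",               # unrelated user
]


def evaluate(samples=SAMPLES):
    """Return (address, matched_by_mask, matched_by_canonical_form) per sample."""
    return [(s, mask_hit(s), canonical_hit(s)) for s in samples]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The third sample shows the trade-off: a `%` between every letter matches any characters, not only dots, so the mask also denies other mailboxes that contain the same letters in order, while the canonical comparison denies only the dot variants.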

dewcansam’s picture

Probably not recommended.
I installed the "Advanced User" module, then created a hack that displays the user's registered email address. Then I set user reg to 'admin approved' and then just checked the user list every so often and deleted the spam user regs. It took me 3 days and all spam user registrations quit. I tried captcha but it didn't stop them either.
I realize you said that you can't set it to 'admin approved' but i am just offering what i did to stop them.

You can check out my solution @ http://dcs777.homeip.net/?q=content/how2-add-email-address-display-layou...

p.s. i am an advanced php programmer and a noob to drupal. so it's easier for me to create a quick hack than mess around for days trying to find a solution. I am trying to learn the drupal api and to make modules, till then hacking will have to work.

How can one avoid confusion when a date like 08/04/02 has at least six different interpretations around the world?
Welcome to clarity - ISO 8601 - http://www.iso.org/iso/en/prods-services/popstds/datesandtime.html 2009-09-20 14:46

doitDave’s picture

that Drupal as "the" user based CMS did not yet come to deal with spam registrations in core. (Besides, I still do not understand what benefit a registration spammer gets out of his action; they never do anything else than register, at least at my projects. However.)

Before migrating to drupal, I used a quite simple process which successfully kept them at least away from my "serious" users:

- New User has to register by setting username, password and email address (just as Drupal does upon registration WITHOUT email verification)
- New User is generated but not set to "active"
- New user receives a keycode (sometimes with a certain/randomly generated delay)
- New user has to enter the unlock code and cannot log in until he does so (and this is different from Drupal, where he either sets up his password at the beginning and will be logged in automatically _or_ he receives his password instantly by email and can login then, both is a workflow pretty programmable into bots - while randomly delaying the access data would expect more attention from the bot operator)
- New user is set to active now
- A Cronjob deletes all users not having verified after a certain time

Acting that way, I never had any spam user annoying my community.

As I said, I was really surprised Drupal does not deal with this by default. So I have seen no other option than migrating my process to Drupal, that is, I have quickly created a module modifying Drupal's default behaviour to my process.

I am not yet familiar with sharing modules here (and not either with the CVS here). So if anyone is interested, let me know (and probably assist me in sharing my work).
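The workflow listed in the comment above (inactive account, keycode mailed after a random delay, unlock required before login, cron purge of unverified accounts), as an added sketch that is not doitDave's module and not part of the original post. The class name, delays, retention period and the `send_mail` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import secrets


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()


class PendingRegistrations:
    """Accounts stay inactive until the mailed keycode is entered."""

    def __init__(self, send_mail, min_delay=60, max_delay=900, ttl=3 * 86400):
        self.send_mail = send_mail   # callback(mail, code); hypothetical hook
        self.min_delay = min_delay   # seconds before a code may be mailed
        self.max_delay = max_delay
        self.ttl = ttl               # unverified accounts are purged after this
        self.users = {}              # name -> record

    def register(self, name, mail, now):
        """Create the account inactive and schedule the keycode mail."""
        self.users[name] = {
            "mail": mail,
            "active": False,
            "created": now,
            "send_at": now + random.uniform(self.min_delay, self.max_delay),
            "code_hash": None,       # set when the code is actually mailed
        }

    def cron(self, now):
        """Mail keycodes that are due and delete accounts never verified."""
        for name, user in list(self.users.items()):
            if user["active"]:
                continue
            if now - user["created"] > self.ttl:
                del self.users[name]
            elif user["code_hash"] is None and now >= user["send_at"]:
                code = secrets.token_urlsafe(16)
                user["code_hash"] = _digest(code)   # only the hash is stored
                self.send_mail(user["mail"], code)

    def unlock(self, name, code):
        """Activate the account if the entered keycode is correct."""
        user = self.users.get(name)
        if not user or user["active"] or user["code_hash"] is None:
            return False
        if hmac.compare_digest(user["code_hash"], _digest(code)):
            user["active"] = True
            user["code_hash"] = None
            return True
        return False

    def can_log_in(self, name):
        user = self.users.get(name)
        return bool(user and user["active"])


def demo():
    """Constructed run: one user verifies, one never does."""
    outbox = []
    reg = PendingRegistrations(lambda mail, code: outbox.append((mail, code)))
    reg.register("alice", "alice@example.org", now=0)
    reg.register("bot", "bot@example.net", now=0)
    reg.cron(now=30)                       # earlier than min_delay: nothing sent
    sent_early = len(outbox)
    reg.cron(now=900)                      # every delay has elapsed by now
    codes = dict(outbox)
    wrong = reg.unlock("alice", "guess")
    right = reg.unlock("alice", codes["alice@example.org"])
    reg.cron(now=3 * 86400 + 1)            # purge run
    return {
        "sent_early": sent_early, "sent": len(outbox),
        "wrong": wrong, "right": right,
        "alice_login": reg.can_log_in("alice"),
        "bot_exists": "bot" in reg.users,
    }


if __name__ == "__main__":
    print(demo())
```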

DanChadwick’s picture

I believe that LoginToboggan can be set up to work just as doitDave suggests. I'm going to try it to see how it works at preventing spambot registrations.

Update: LoginToboggan did indeed work pretty well. I set it to delete users who don't verify within 3 days. To further prevent the registrations from even starting, I installed Spamicide and set it for the registration form. Since then, I have received no spam registrations. Thank you to the module developers.

drupalshrek’s picture

Hi doitDave,

Assuming your module is all in a single directory, bundle it up into a zip and attach it here. It'll give interested folk (like me) chance to take a peek.

If you get the module to the state you'd like to publish it more formally, CVS application is here:
http://drupal.org/cvs-application/requirements
or maybe someone will ask if you'd like them to polish it to be public-ready and publish it for you.

drupalshrek
Please fill in my Learning a foreign language questionnaire if you have a moment.

doitDave’s picture

Hi shrek, all,

sorry for having been off that long. As for most of us, other duties called meanwhile. Now I have some time again.

My module has been working now since my last post, very reliable, only 1 out of probably 300 spam registrants passed it by in the meantime.

However, the link you posted 403s. Then, I am still a bit unsure on how to handle all that stuff. Finally, I see no way of attaching the ZIP here (anymore? has that changed?).

I would really appreciate someone probably co-maintaining this with me and introducing me to the related procedures. Whoever wants to, just let me know (PM). The ZIP is ready for upload.

drupalshrek’s picture

The broken link I guess is because Drupal is moving from CVS (which is what my link related to) to Git (see http://drupal.org/help-test-cvs-git-migration)

I don't know the exact equivalent to the old link, but a link which I hope helps is:
http://drupal.org/node/1011698

drupalshrek
Please fill in my Learning a foreign language questionnaire if you have a moment.

doitDave’s picture

Thanks... however. I am currently working on "polishing" a couple of my custom modules and then will "have to" learn that. It cannot be that difficult after all... hopefully...

ahmedhanyfawzy’s picture

Since my site is a news website, I found the easy solution is to make administrators the only ones who can register new users. For Drupal 7, I explained here how we can prevent spam user registration using this setting

abhishek2’s picture

I'm also managing many sites and I've placed questions like "Name any airline or car brand, bank etc" in registration and I've seen no bot registrations ever.
Looks like yours is high PR and high traffic site. Stoob can you please mention your site name so that we can analyze and suggest.

Also I want to know the country of spam IP's.

The maximum attack is wrought on the free public forums like PHPBB. Read what PHPBB people recommend: http://area51.phpbb.com/phpBB/viewtopic.php?f=71&t=30531

http://www.phpbb.com/customise/db/mod/advanced_block_mod/faq/f_548

designate’s picture

I always wondered how and when to use the settings at /admin/user/rules. To avoid spam subscriptions, mostly from mail.ru, simply add a rule here which denies "%@mail.ru".

Designate web development
www.designate.nl
+31 (0)229 27 44 38

Xagarsan’s picture

Hello,

I've the same problem with registration in my site, the user with domain doghairprotector.com rule repeatedly sent the request to create accounts on my website and think it's spam. Every time I have to delete recorded user, so finally I decided that the site administrator is the only one who can approve new users. I don't like too much but I can't find another solution.

Xagarsan

AlainLux’s picture

We got a similar issue on a mediawiki wiki.

In order to be able to post to our wiki, you need to register via a confirmed e-mail address, to which a code is sent, which needs to be entered in order to be able to create or change articles.

This was adequate for a long time: indeed, most spammers signed up with a bogus e-mail, and thus didn't have the code.

However, since the turn of the year, we are seeing a new breed of smarter spammers: they do indeed sign up with their real e-mail, read the code, and log in.

Initially, they were using well-known "free" email providers (hotmail, outlook.com, yahoo), until we forbade all of those using a custom extension.

Then came doghairprotector and its breed. What they basically do is register lots of domains with a bulk registrar, and use those as e-mail drops.

... but we noticed that all these were served by the same name server!

(as found out by dig -t ns doghairprotector.com)

So we just blocked connections to udp port 53 on these spammy name servers:

ip=x.x.x.x
iptables -I OUTPUT -d $ip -p udp --dport 53 -j REJECT

This way, our wiki software is no longer able to send mail to doghairprotector (because it can't look up the name), which stops this breed of spam dead.

For very bad cases, look up the nameserver's nameserver.

With just 73 blocked name server IPs our wiki spam level dropped from tens per day to basically zero...

Btw, loudly complaining to said nameserver's abuse team also helps, that's why you now see parkingcrew.net on it, without an MX. Hastalavista Baby!
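An added example, not part of the original post: it groups the e-mail domains of recent registrations by the name servers that serve them, which is the observation the comment above made by hand with `dig -t ns`. The function names, the threshold and the sample data (all under `.example`) are constructed; `dig_ns` shells out to `dig` and is only used when no lookup table is supplied.

```python
import subprocess
from collections import defaultdict


def dig_ns(domain):
    """Live lookup: the NS records of a domain, via `dig +short -t ns`."""
    out = subprocess.run(
        ["dig", "+short", "-t", "ns", domain],
        capture_output=True, text=True, timeout=10,
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def shared_nameservers(emails, lookup_ns=dig_ns, min_domains=3, known_good=()):
    """Return {nameserver: [domains]} for name servers that serve at least
    `min_domains` distinct registration domains.

    `known_good` lists name servers of large DNS hosts to leave out, since
    they serve many unrelated, legitimate domains as well.
    """
    domains = {e.rsplit("@", 1)[1].strip().lower() for e in emails if "@" in e}
    skip = {ns.lower().rstrip(".") for ns in known_good}
    by_ns = defaultdict(set)
    for domain in domains:
        for ns in lookup_ns(domain):
            ns = ns.lower().rstrip(".")
            if ns not in skip:
                by_ns[ns].add(domain)
    return {ns: sorted(ds) for ns, ds in by_ns.items() if len(ds) >= min_domains}


# Constructed data: registration addresses and the NS records of their domains.
SAMPLE_EMAILS = [
    "googles@cheap-pills.example", "admin1@cheap-pills.example",
    "jo77@win-big.example", "kk@seo-links.example",
    "student@university.example", "alice@mail-host.example",
    "bob@mail-host.example",
]
SAMPLE_NS = {
    "cheap-pills.example": ["ns1.bulkdns.example.", "ns2.bulkdns.example."],
    "win-big.example": ["ns1.bulkdns.example.", "ns2.bulkdns.example."],
    "seo-links.example": ["NS1.bulkdns.example.", "ns2.bulkdns.example."],
    "university.example": ["ns.university.example."],
    "mail-host.example": ["ns1.mail-host.example."],
}


def demo():
    """Cluster the constructed sample without touching the network."""
    return shared_nameservers(SAMPLE_EMAILS, lambda d: SAMPLE_NS.get(d, []))


if __name__ == "__main__":
    for ns, doms in demo().items():
        print(ns, doms)
```

Counting distinct domains rather than addresses keeps a busy mail provider with one domain from looking like a cluster; the output is a list to review before anything is blocked.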

hohl’s picture

I too have to deal with "@doghairprotector.com" spam (it tries to set the user "googles"), bypassing re-captcha.

[Drupal 6.24, recaptcha 6.x-1.7]

Patroclas’s picture

I have found that Spambot http://drupal.org/project/spambot works pretty well for registrations and Mollom for contact forms, comments etc.. A few bogus users get through so I still need to check those that do, and I have strict registration rules - must have a 'proper' username (eg an actual name), must activate the account within 24 hours, email address must be verifiable (I am usually suspicious if a search on the email address brings up nothing, or 'unusual' results).

But I don't get too many registrations each day so it's manageable. I think having a role that cannot post at first registration which is upgraded after a few days (Rules) is helpful.

alar’s picture

Too many registrations per day is relative ;) Without a full-time sysadmin I am currently over-whelmed with new user registration. Plus how to determine if the user is a legit user. Black-list works for some sites but what about if you want to allow *.ru ??
or *.hotmail?? (LOL)
While I've been using Captcha and verifying email up until now, this is no longer enough. Currently I block users until admin approval -- that's not a real solution. I am considering Spambot and Mother May I. I also don't want to have to enforce the wait a few days rule on some more news-worthy active sites...
A secret question might work. Mother May I. But not for 'all' sites. I also host an author site and I know he would prefer if the World could be involved....
Spambot maybe?
Thanks guys. Feedback welcome.
:)

I'll post back my 'finds' as well...

doitDave’s picture

@alar and @all,

I already mentioned it in a comment here and would really appreciate you to test http://drupal.org/project/user_verify (available for D6 and D7). It extends the email verification and so you can easily add it to your existing antispam process chain.

Issues and opinions are welcome!

ikeigenwijs’s picture

i will give this a try

Adam Wood’s picture

Just thought I'd chime in with an explanation as to how these accounts are being created and using what tools, so that we can try to beat them more effectively.

These automatic accounts are being created by SEO systems such as SEnuke XCr and XRumer, that automatically create accounts on any site with registration, with the aim of then posting spam. As doitDave pointed out, they rarely do anything further, as not many Drupal sites have user blog posting etc. This does become more of a nuisance however when you have other actions that happen when a user registers. In one of our cases, it adds them to a third-party email marketing system.

This video shows you exactly how these systems work: http://www.senuke.com/blog/?p=215

In that video, you'll see the four options that the poster has for bypassing captchas, including Death by Captcha. With their kind of success rates and low cost, most types of Captchas seem unable to stop them, however our logs show that captcha stops them 5-10 times before they succeed.

IP Blocking is out of the question, as these systems use proxies. We've never had the same IP register a spam account twice.

As Codeblind pointed out, most (all?) of the systems don't render the page or have JS when they register, so I think a JS solution could be the best way forward.

The question is, what's the best way to prevent users without JS from registering?

dwillcox’s picture

You might try:

Mother May I. This works pretty well if your target audience is fairly small, though probably not appropriate if you're trying to attract a wide ranging, diverse clientele.

Captcha Riddler. I just recently stumbled across this when I was looking for something else. I haven't tried it, but it looks like it has potential.

NonProfit’s picture

Here's what is believed to be a complete (for the moment) list of anti-spam modules: http://groups.drupal.org/node/77093

rositis’s picture

Subscribe

Christopher James Francis Rodgers’s picture

Subscribe

(I thought d.o was incorporating "Follow" buttons on pages,
or did I dream that?)

"All the best; intended."
- Chris
___

Drupal 8 is great.

Re: Drupal 9,000
Three-minute Video on the problem
of technology out-pacing users.
http://great-grandma.com/gil_bates-dead_at_42/index.html

vaccinemedia’s picture

I have a website with required profile fields on the user registration page and user accounts (for spam) are appearing which haven't filled in the required fields. Anyone know how this is possible? I can see from the logs that the activation link in the email sent out is also being used

I'm a Drupal Website Developer who also produces Gigapixel Virtual tours.

dwillcox’s picture

To vaccinemedia -

It would help if you said which version of Drupal you're using. The implementation of user profiles is very different. (If D7, you aren't using the Profile module are you?)

But it would seem to me that this isn't so much a question about spam elimination as about user profiles: Why is a registration request being accepted without a value in a field that should be required? (Just curious, are you sure the field is empty as opposed to containing blanks?) That probably depends on your answer to the above.

(I probably won't be able to answer even knowing your version, but hopefully it will help someone who can.)

vaccinemedia’s picture

As it turns out I have a different issue: registrations were coming in from bots and I thought they were signing up using some other method. Turns out they were filling in all the required fields but they were not being saved. I've installed spamicide and this seems to have helped the issue. Now to find out why profile fields are not being saved! They used to so it must be to do with a core / module update...

I'm a Drupal Website Developer who also produces Gigapixel Virtual tours.

joecanti’s picture

I am testing a simple solution at the moment:

When my users register, they have to select a role. The first role on the list is a bogus role. It can be called something like 'Please select a role' - or 'No access role' or something.

Then, when they register, I know that all the people with this role are either automated spammers, or human spammers who haven't taken the time to read the instructions.

They can either be deleted en masse using vbo, or denied registration by the rules module.

I also have spambot running, and block anonymous links.

If this still presents problems I might try botcha.

It's a real challenge to manage this when you have many users. I don't have that many, but already it takes up valuable time in my day. Hopefully the techniques above will save me hours!

All the best, Joe

majid.ali’s picture

I have been running a Drupal site with thousands of users. A few months ago I faced the same problem. I used the Honeypot module and it worked for me. Since then it detected approx. 3 thousand spammers. In your case I think you should use a combination of different techniques. I have written an article about it in my blog if you want to read it http://www.mindyourcode.com/php/drupal-spam-protection-by-using-non-capt...

Veerendra Darakh’s picture

Hi,

Could not find the link:

http://www.mindyourcode.com/php/drupal-spam-protection-by-using-non-capt...

Pls look into it.

Regards,

veeren

alar’s picture

Hi majid, Just to confirm, honeypot is a fine solution!
Cheers,
alar

ashishupadhayay’s picture

Hi,

I had the same issue with one of my site and I managed to fix it. I also wrote a blog post about it.
http://www.ashish.com.au/blog/2013/03/02/securing-your-drupal-site-spammers

If you now have lots of user accounts created, you can refer to this article for doing a cleanup
http://www.ashish.com.au/blog/2013/03/02/remove-drupal-spam-user-accounts

Let me know if you need any help.

Cheers,
Ash

--
Cheers,
Ashish Upadhayay
Web Developer
http://www.ashish.com.au

saihukaru’s picture

Maybe this can help you
http://drupal.org/node/1945616

barrabasah’s picture

There is one solution - in my work, I have added an extra field to enter the registration, the total number - for example: enter a number less by one than the 8 - bots will not go to admin / config / people / accounts / fields add a new field, enter an integer Force.

I hope you understand - I used a translator.
U see my solution on http://tupulpo.pl

Rafal Lukawiecki’s picture

barrabasah’s picture

@RAFAL write to me PM i try to help u.

frobinrobin’s picture

We've installed captcha with limited success, after some reading up - it appears that spambots can circumvent this protection.

Honeypot sounded like a good second form of protection and after a bit of digging I discovered Botcha (https://drupal.org/project/botcha) which works as an API - it offers 5 'recipes' as default which include two types of honeypot plus additional protection such as timegate and obscure-url.. but you only need to click the link to read the project page and all that it can do!

We've put it on our live site yesterday and it stopped 90% of the spam registrations (compared to the previous day)... A massive improvement and I'm confident we can tighten it even more with a custom recipe to combat our specific spambots.
I also suspect that the remaining spam registrations are actually human.

Note: We do not use captcha, so normal human users are unaware of the protection in place and do not even get challenged... I would imagine a captcha would also improve botcha's ability to identify bots.

Northern_Girl’s picture

Hi,

Can the https://drupal.org/project/rules be used to block specific emails or domains? Can a blacklist of emails be built using Rules?

If so, how?

Thanks

Drupal in the snow

bwinett’s picture

I think Drupal already has what you are looking for in core. Not sure about D7, but in D6, go to admin/user/rules.

Northern_Girl’s picture

Drupal in the snow

ju1i3’s picture

Sorry, this is off on a tangent but I find few mentions of parkingcrew (.net or .com). I have become aware of them this week for the first time after changing one of my domains from being forwarded to being hosted. Immediately after that my domain started going to parkingcrew. I don't know how or why. Now that the nameserver changes have gone ahead, it appears to work on IE and Chrome but only partially works on Firefox (once any links are clicked they go to parkingcrew).

I will post an update if I can find out anything else.

Julie

drupalfan81’s picture

Great post and A LOT of great ideas here. Actually I just got hit today...woke up this morning with 500 emails! So I ran into the same issue as the original poster.

I thought I would share my battle with these cockroaches. So, I have a rule that sends me an email alert everytime a new user registers just to keep tabs on things. Luckily I had this, otherwise I wouldn't have caught it so quickly. These bastards were hitting me with about 50-100 registrations an hour. I haven't been hit like this for some time now. Basically I was getting quite a few spam registrations before and then I installed Mollom to handle this. Great module by the way, love it! Mollom took care of most of it and I rarely saw a fake user register. Like once in a blue moon. I also use Mollom to check content submissions and comments. So far, it has been doing a fantastic job (i.e. I no longer need to administer anything, all automated).

Then a few months ago, I decided to enable anonymous user comment posting. I wanted to encourage users to post comments and interact on the site, even if they weren't registered. Mollom was enabled on this so it also stopped spam comments, HOWEVER, once I enabled this, the following day, the scum of the earth (spammers), caught on and started flooding my site with comments. Now, Mollom caught most if not all of these, but then I had to go and administer them all. Which again, takes up my time. I found that the reason they were commenting, was because Drupal by default, has a field called homepage for when anonymous users post. Incredibly stupid on so many levels. I have no idea why Drupal has this there, especially since most people don't even have a home page and most don't even know what that word means anymore. Homepage is so 1995. Anyway, they were posting, because they could put a link to their Chinese junk website. So I figured, okay, let's remove this dumb field and I'm guessing the spam postings will stop. I found a few posts on drupal.org on how to remove it. In the end, I used a hack to hide the field using my template.php file. Check out the tutorial here: http://www.digett.com/blog/06/29/2010/how-theme-comment-form-drupal-6.

Once this field was gone, Surprise Surprise, no more crap postings by spammers. Yeah! Another battle won....until today's battle!

So again, as others have posted here, I have no idea why these people waste their time or set their posts to register these accounts, as they can't do anything with them, because they don't bother to verify the account, so basically they are not active and able to do anything. So why waste the time creating the accounts????? Another thing I don't understand is how they are getting by Mollom, as Mollom is no doubt showing the captcha, but they seem to be able to bypass. So either humans are doing this, or they have a smart bot system.

And of course, the spammers were from China based on the IP address. So I started by adding these IP addresses to the Mollom blacklist to prevent the user registrations. Each IP would register about 50 or so accounts and then switch to a new IP address. By adding these to Mollom, it slowed them down, but then they would pop up using another IP address.

After a few hours of the battle, I started noticing them still registering accounts, but at a much slower pace. The weird thing here was that they did show an IP address. I have a view that displays users grouped by IP address. This is a great way to spot spammers. You can easily open the view page and sort by the largest group and you will see a bunch of different users tied to one IP address. So you can easily spot the spammer. But after I started adding these IPs to the blacklist, the most recent registrations were coming up with NO IP addresses. Not sure how they were able to do that. DOES ANYONE KNOW HOW THEY ARE DOING THAT? That's the only piece of the puzzle I haven't been able to figure out.

So at this point, I just closed down user registration like others mentioned. So limited only to admin user. Which I can't do for my site, but for the time being, it was the only way to stop these guys.

I re-enabled it an hour or two later, and within minutes the registrations started again. Looks like some asshole in China really wants to cause problems. Anyway, so after reading this thread, I decided to try out spamicide. Easily installed and enabled, changed the default field name and so far so good. No more Chinese spammer registrations.

So the battle ends today, and the good guys win. Hopefully you others that find this thread, find this post useful. It's annoying as hell dealing with these people, but it's so gratifying to know you beat them. Hopefully this helps. So in conclusion I have D6 running with Mollom and Spamicide and it seems to be all that's needed.

I would still like to setup a D6 Rule to automatically delete users that have last access NEVER after a week or so. Anyone know how to setup a rule to accomplish this?

Jaypan’s picture

I thought I would share my battle with these pieces of s***.

Anyway, they were posting because they could put a link to their s***** ad ridden website.

Please save the swearing for a more appropriate environment.

Thank you for editing and removing.

drupalfan81’s picture

Does anyone have any suggestions on how to block these spammers from even registering? Basically after monitoring this situation over the past few days, I can see spamicide successfully blocking the registration of users, but these jackasses are still trying to register a new account roughly every 30 seconds which is obviously taking away resources from others on the site.

I know I can block the IP address using htaccess files, but there are just so many IP addresses. It's not like they are all coming from one IP, I have counted at least 10-15 so far. Any ideas on how to combat this?

Northern_Girl’s picture

If this can help someone...

I have this combination and I have NO robot registration. Ever. But they do try by the hundreds every hour to get in...

https://www.drupal.org/project/honeypot
https://www.drupal.org/project/user_restrictions
https://www.drupal.org/project/captcha (math).

As for blocking robots from trying to register, I think that the only solution is to block IP addresses at the server level : they reach the server, the server checks the IP address and then decides if the «user» can access the site or not.

There is a solution for this : https://www.projecthoneypot.org/.

NG

Drupal in the snow