collective / collective.emailconfirmationregistration


Registration Spam Bots starting to get through again. #8

Closed merpdotcom closed 7 years ago

merpdotcom commented 8 years ago

I figured I would let you know they are starting to crack through again. While I am getting the admin authenticate option for some, "they" are once again starting to create accounts that I never received notification to enable. It looks like different accounts are in different states of completeness, I think they are trying different approaches and so some are getting through better than others. It is only around a dozen or so accounts, but that has mostly been just the last couple days, so that does not bode well. How would you like me to proceed? Thanks!

vangheem commented 8 years ago

If they are making full accounts, I'd like to make sure it's not configuration related with the multi-site deployment because it should not be happening. If you have it set to require approval, the only way accounts should be getting created is if you have approved them.

Have you changed anything recently? Is this the same site it was happening on before?

merpdotcom commented 8 years ago

I responded with more details via email. I am not aware of any changes made since things were fixed back in November. Had a good couple of months seemingly free of any registration spam on all sites.

merpdotcom commented 8 years ago

Looking through the honeypot-ted event.log... Looks like just the one site alone had 516 registration requests in about 15 hours. Looks like many different IP addresses, do not see any one specific IP more than any other. Does not look like they are doing it through another site as in the past, it appears to be the correct domain/site URL. Does look like requests happen in batches of 2 to 4 requests at a time. Often each minute, then spaced a few minutes apart before the next cluster of requests from other IPs. Almost none of them show that Recaptcha passed. So most of those may have been stopped by the Recaptcha at the first step as desired? As for completeness of accounts, it seems to be varying, it looks like they are creating the accounts by bypassing authentication, but it is not creating their user folders because the accounts were created by bypassing the creation process. So, there appear to be 12 legitimate accounts (though 2-3 of those I'm not sure how legit really, but I think I authorized them since they went through the correct process, and they have folders due to that). There are 12 other accounts that show up in the website Site Setup > Users & Groups list. They show a checkmark in "Member", but do not have folders, and were not authorized by me to be created.
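As an added example (not code from the add-on or from anyone in this thread), this is the kind of triage one might run over the event.log described above to confirm the pattern reported: bursts of a few requests per minute, many distinct IPs, and almost no Recaptcha passes. The line format (timestamp, client IP, requested URL, recaptcha result) and the sample lines are constructed assumptions, not the add-on's real log format.

```python
"""Triage a registration event log for bot-like bursts (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption, not the real event.log.
SAMPLE_LOG = """\
2016-03-01T10:00:01 203.0.113.10 https://example.org/@@register recaptcha=fail
2016-03-01T10:00:03 203.0.113.11 https://example.org/@@register recaptcha=fail
2016-03-01T10:00:05 203.0.113.12 https://example.org/@@register recaptcha=fail
2016-03-01T10:01:32 203.0.113.13 https://example.org/@@register recaptcha=fail
2016-03-01T10:01:34 203.0.113.14 https://example.org/@@register recaptcha=pass
2016-03-01T10:07:30 203.0.113.15 https://example.org/@@register recaptcha=fail
2016-03-01T10:07:31 203.0.113.16 https://example.org/@@register recaptcha=fail
2016-03-01T10:30:00 198.51.100.7 https://example.org/@@register recaptcha=pass
"""


def parse(log_text):
    """Return (timestamp, ip, url, captcha_passed) tuples, one per log line."""
    events = []
    for line in log_text.splitlines():
        ts, ip, url, captcha = line.split()
        passed = captcha.split("=", 1)[1] == "pass"
        events.append((datetime.fromisoformat(ts), ip, url, passed))
    return events


def bursts(events, window=timedelta(seconds=60), min_size=2):
    """Group requests that arrive within `window` of the previous request.
    Clusters smaller than `min_size` are dropped as ordinary traffic."""
    clusters, current = [], []
    for ev in sorted(events):
        if current and ev[0] - current[-1][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(ev)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def summarize(log_text):
    """Counts a defender would compare against normal registration traffic."""
    events = parse(log_text)
    per_ip = Counter(e[1] for e in events)
    return {
        "requests": len(events),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values()),          # 1 means no IP repeats
        "captcha_pass": sum(1 for e in events if e[3]),
        "bursts": [len(c) for c in bursts(events)],  # sizes of each cluster
    }
```

A real run would point `summarize` at the actual log contents; a high request count with `max_per_ip` near 1 and few captcha passes is the distributed, captcha-blocked pattern the comment above describes.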

vangheem commented 7 years ago

I haven't heard anything about this for a while so I'm going to close this issue. I imagine this is part of the same problem as before with multi-site deployment isolation issues.

merpdotcom commented 5 years ago

Your wonderful add-on was working great for years on 4.3. Since undertaking the slow moving of 30+ sites from 4.3 to 5.x I hadn't enabled allowing the public to register until about a month ago. I installed both the recaptcha2 add-ons and the emailconfirmationregistration and verified they are working. But it looks like once again the bots are able to create accounts en masse without going through any of the verification processes. In just the last 2 days I have about 50 new bogus accounts created on one site. Today I have had to once again turn off allowing people to create their own accounts on this community site. Appreciate any suggestions on how to address this. Last time (years ago) this happened this much, it turned out to be a security issue that triggered a hotfix. I don't know if this is collective.emailconfirmationregistration's fault/responsibility (but could be totally mistaken), it seems like it may once again be a core Plone issue as before? I provide version information, an example bogus registration bounced email, and details here: https://github.com/collective/collective.emailconfirmationregistration/issues/11 Thanks for any help.

vangheem commented 5 years ago

Unfortunately, I don't have the bandwidth to work on this.

For reference if anyone is paying attention, this was also reported here: https://community.plone.org/t/severe-registration-spam-is-back-in-5-1-despite-recaptcha2-and-email-confirmation-for-registration/8003