I have fake users or members signing up for my website by the 100's. I received the emails that they have signed up and 100s of them with fake email addresses and info. How can I stop this from happening? It is driving me crazy trying to maintain this and delete all the pages and pages of fake members.

http://mj.109wd.com/admin/people?page=20

Comments

VM’s picture

A) don't delete fake users. Block them. Then the email address can't be used again.

B) investigate the honeypot.module or other spam modules in contrib.

a link to the admin of your drupal install doesn't really help anything.

dwillcox’s picture

Yeah, ain't it a royal pain?

There was a good discussion of this issue in How to prevent spam user registrations?

And check out this list of spam blocking modules.

But short answer, you at least need to:

  • Make sure your site is configured so that new user accounts require administrative approval before any access is granted. (Or, even more restrictive, only allow accounts created by the administrator.)
  • Add at least Captcha on your account registration page. It won't block everything, but a lot.

For me, Mother May I (full disclosure, it's my own module) works pretty well, but it may or may not fit your needs. It's meant for sites that are only expecting logged in accounts from a limited population.

dwillcox’s picture

I took a quick look at your site. Looks like Mother May I will probably be more restrictive than you want. But at the very least you'll want one of the Captcha options on your registration page. Nothing is 100% effective, but reCaptcha (for example) will cut down the volume by quite a bit.

Jeannie109’s picture

Thanks to everyone who responded. I didn't expect so much help, so thank you all for the advice. I do have Authorization Required and they are NOT gaining access to my site, but I get an email that they tried to register and then immediately I get another email from the mailer daemon saying their email address is bogus. Yesterday I had to delete over 1100 of them. I will certainly try the Captcha and honeypot modules to try to stop this.

I have a very small membership, at least right now, so at most, I hope to get less than 100 members. I do like the idea of a Secret Question -- I will try that right now.

Thanks again for your responses and help.

Jeannie

tryitonce’s picture

.... here you added one more aspect - the emails bombarding you.
Just turn off the email notifications for registration and for telling you they are bogus. Just set them to inform you when a user successfully registered / logged-in.
This can easily be done with rules and triggers.
Thanks for reporting back as well, this thread will, no doubt, be of interest to others.

Jeannie109’s picture

I still haven't found a solution to get rid of these spammers. I get nearly 400 a day that I have to delete and these are definitely people not bots. They use a bunch of letters @hotmail.com for each entry but then just fill in a bunch of letters for the required fields.

I was so desperate to end this, I actually deactivated the User Login block and they are still getting to register even though I can't see the login fields now myself.

Now, I am not even sure how to log back in myself.

What a mess! How can this be happening? Any help would be appreciated.

Jeannie Bernard
http://mj.109wd.com

VM’s picture

login @ yoursite.com/?q=user/login

registration page is at yoursite.com/?q=user/register

check the IP addresses. are they all from the same IP? if so you can block the IP from accessing the site by utilizing .htaccess
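The IP check suggested above, as an added example that is not part of the original post: it counts registration POSTs per client IP in a web server access log and builds the deny rules for `.htaccess`. The log lines are constructed, the threshold is an arbitrary choice, and the output assumes Apache 2.4 `Require` syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "POST /?q=user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:10:01:09 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:10:01:15 +0000] "POST /?q=user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2013:10:02:40 +0000] "POST /user/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2013:10:04:11 +0000] "GET /user/register HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')


def is_register(target):
    """True for /user/register and the non-clean-URL form /?q=user/register."""
    path, _, query = target.partition("?")
    return path.rstrip("/") == "/user/register" or "q=user/register" in query.split("&")


def register_posts_by_ip(log_text):
    """Count POSTs to the registration form per client IP (GETs are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == "POST" and is_register(m.group(3)):
            counts[m.group(1)] += 1
    return counts


def htaccess_block(counts, threshold):
    """Build an Apache 2.4 block denying every IP at or above the threshold."""
    offenders = []
    for ip, n in counts.most_common():
        if n < threshold:
            continue
        try:
            offenders.append(str(ipaddress.ip_address(ip)))
        except ValueError:
            continue  # hostname or junk in the client field: never copy it into config
    if not offenders:
        return ""
    rules = "".join(f"    Require not ip {ip}\n" for ip in offenders)
    return "<RequireAll>\n    Require all granted\n" + rules + "</RequireAll>\n"


if __name__ == "__main__":
    print(htaccess_block(register_posts_by_ip(SAMPLE_LOG), threshold=3))
```

If the counts are spread thinly over many addresses rather than concentrated on a few, per-IP rules will not keep up and the registration form itself needs a check.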

dwillcox’s picture

Spammers know to go to yoursite.com/user/register, even if you don't have a link to that. Removing the link is only a small help.

The pattern you report for the fake registrations? Those are definitely bots.

I went to your site. You don't have any kind of registration blocking set up for user registration. You definitely need to have something.

At the very least, install recaptcha. My own site gets a goodly number of spam user registration attempts (as does any website with any kind of user capability), but recaptcha blocks the majority of them. Not all, but the majority.

Adding a second-level blocker would eliminate most of the remnant. You might try Mother May I, for example; a question like "Name one of the Mah Jongg melds" would block most bots and humans who know nothing of your subject matter.

Since doing something equivalent on my own site, I haven't gotten a spam user registration in months. Now mostly what I have to deal with is spam from the "contact us" form, but that's a whole different issue.

(That was me who just did an account request on your site, by the way. No spam intended. Just demonstrating that it's way too easy to do.)

tryitonce’s picture

... well, not sure what drives spammers. It's a bit like kids without sufficient playgrounds - or playgrounds that are not exciting enough. Maybe we need spam modules that direct them to sites that will make the art of hacking them fun and reward these poor souls.

To your problem or that of others who come across this thread - you may not want the restriction of admin approval. In that case the first thing to do is to set user subscription to "email confirmation required". This will stop people from registering with fake emails and they need to go through the activation process.
This is not stopping them from "stealing" your bandwidth by trying to register/entering.
Another way for some may be to restrict access through IP address lists by region. You can black or white list them. I use the Troll module in D6 for this.
For ex - blacklist - If you have a site that has no business in China, Russia, and some of the other top spam/hack countries, just add a list of all or (spam) IP addresses with the troll module.
Or the opposite for the white list - if your business is just around your country just add a list to only allow access here.

dwillcox’s picture

... well, not sure what drives spammers.

Most often these are "search engine optimization" systems. I don't know a lot about it, but apparently they include services you can pay for. Basically, they go looking for as many sites as they can and try to create accounts on them. When they succeed (or find sites that allow anonymous comments), they start posting comments or forum entries that are completely off-topic, but have links to the site they're trying to "optimize."

The expectation is that search engines (Google, Yahoo, Bing, etc.), as they do their web crawling, will find lots of links to the spammer's site, and thinking that said site is somehow "relevant" will move it closer to the top of their search results.

majid.ali’s picture

I have been running a Drupal site with thousands of users. A few months ago I faced the same problem. I used Honeypot module and it worked for me. Since then it detected approx. 3 thousand spammers. In your case I think you should use a combination of different techniques. I have written an article about it in my blog if you want to read it http://www.mindyourcode.com/php/drupal-spam-protection-by-using-non-capt...

iandickson’s picture

using captcha but your own question - something that only Mah Jong players or San Diego residents will know the answer to.

E.g. "If you drive from here to Mexico, which CV do you go through?"

or

"The Red, Green, White ........"

I used this for a local site - to post you had to know "which river is our town on?" and I had maybe 5 spam joins in a year, PLUS the locals loved it - everyone hates captchas but this one was on their side :-)

Anonymous’s picture

Mollom is an amazing service, and they offer a free solution with Drupal that scales to a very large site before you even need to consider a subscription. I have found it to be a lifesaver and incredibly accurate:

http://drupal.org/project/mollom

rubyji’s picture

I have the same problem on hastac.org. Dozens of fake users a day for the past 2 years or so. If you haven't yet, you should definitely require e-mail validation. At least they will need real-ish e-mail addresses.

Mollom does not seem very smart and it's hard to believe it is learning as it claims to be. It will allow 40 posts in 1 hour from 1 user all with "cialis" in the title to go through, for example. In addition, Mollom only looks at content, not users.

The honeypot-type solutions won't work for me as these are most definitely humans (probably paid pennies a day in miserable conditions) filling out the user registration form. I've tried a wide variety of CAPTCHAs and they always walk right through them.

Would love to hear other advice people have for Jeannie109.

VM’s picture

There is no way to stop humans. Spam modules are mostly intent on stopping bots. I can't speak for mollom but that certainly sounds like something that should be reported in the issue queue of the module in question. As the tools to combat spam evolve so do the spammers. I would think one of the spam modules includes a filter which may ease some of the spam. If "this" word is included in the post consider spam and should work regardless of whether it's being posted by a human or a bot.

iandickson’s picture

was that the question was vague UNLESS you understood the context of the site. The answer is NOT in the question. It is not computable or even multi try guessable - the way math ones and "what is the third letter" ones are.

Even the dollar a day guys couldn't justify investing the time in looking for the answer.

And that's the key to dealing with humans - for them, time matters, and if you can suggest to them that "the fastest way to achieve your goal of joining another site is to ignore this one and hit the next, because that will have a normal captcha", they move on.

Obviously it can't be used for big catch all type sites, but how many people build those? Most sites are focussed on a subject area, and you can assume a certain level of domain knowledge in anyone you want posting.

DanZ’s picture

There is no way to stop humans.

Not all, but you can stop a lot of them.

Block IP addresses from countries of these sweatshops. India and Pakistan are notoriously bad. If you don't have legitimate users from a country, block it. Some other commonly-blocked countries are China, Russia, Ukraine, North Korea and South Korea.

Require e-mail registration confirmation.

Require operator approval of new accounts.

Install content detection like Mollom.

Require moderation for comments/content from new users.

Install address-based bot/spam detection like Spambot or ZB Block. Both of these use http://stopforumspam.com, which collects e-mail address and IP addresses of forum spammers, whether from bots or humans. ZB Block is not a Drupal thing, but stops a lot more garbage very effectively and quickly.

Install a Q&A registration question that only legit users of your site would know the answer to.

Do all of this, and you will have nearly zero forum spam.

Also, go to admin/config/content/formats and set up your Filtered HTML text format to insert rel="nofollow" on links. This won't stop the spammers, but it means that if they do get through, they won't get any Google page rank from links they post (which is why they exist). It also means that your site won't lose page rank due to their spammy posts.

--
www.ztwistbooks.com. Math books that are actually fun.

WorldFallz’s picture

Some other commonly-blocked countries are...

just an fyi... drupal.org's single biggest offender for bulk spam was Vietnam (on the order of thousands per week for a while).

eeric49’s picture

mattokeefeitaxhlx has applied for an account

These e-mails are very annoying!!
Kenya Safaris

dwillcox’s picture

Full disclosure, it's my module. But Mother May I might help.

It requires the user to answer a site-specific question before allowing an account registration request. It serves a similar purpose as Captcha variants, but spammers generally don't figure it out.

It's true, the module description suggests that you use some reasonably obscure question with an answer that would only be known by your intended audience. But in practice, bots can't figure it out. Even something as simple as "Please type X four times in this box" would probably be sufficient to block virtually all of your spam registrations.

I haven't gotten a single successful spam account request since installing the module. And looking at the logs, it's obvious that the spam requests don't even try to enter a reasonable answer to the question. Most either leave the field blank or fill in a random set of characters, maybe thinking it's a password field. Both approaches fail.

Christopher James Francis Rodgers’s picture

re: "Install a Q&A registration question that only legit users of your site would know the answer to."

How is this achieved, please? Thanks.


All the best; intended.
-Chris (great-grandpa.com)
___
"The number one stated objective for Drupal is improving usability." ~Dries Buytaert *

iandickson’s picture

For a Mah Jong site, where you want people to be players

Q : Which K do you really really want?
A : Kong

For a site for people who live in, or come from, Nottingham
Q : What river runs through our city? The ....
A : Trent

Trust me, almost no spammers will be bothered.

But now I love HoneyPot Module, catches bots like a frog catches flies.
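The site-specific registration question discussed in this thread, as an added example that is not part of any post and is not the Mother May I module's code: a framework-independent sketch of the server-side check. It goes a little beyond the posts by normalising answers, flagging answers that can be read out of the question, and labelling rejected attempts for the log; the accepted-answer variants and all function names are assumptions made here.

```python
import re
import unicodedata
from collections import Counter

# Constructed configuration built from the question/answer pair quoted in the thread.
QUESTION = "What river runs through our city? The ...."
ANSWERS = {"Trent", "the Trent", "River Trent"}


def normalize(text):
    """Fold case, Unicode form, punctuation and spacing: '  The TRENT. ' -> 'the trent'."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(text.split())


def leaked_answers(question, answers):
    """Accepted answers whose words all appear in the question text (should be empty)."""
    q_words = set(normalize(question).split())
    return sorted(a for a in answers if set(normalize(a).split()) <= q_words)


def check_submission(submitted, answers):
    """Return (accepted, reason). Log the reason only, never the raw value:
    some submitters treat the box as a password field."""
    value = normalize(submitted or "")
    if not value:
        return False, "blank"
    if value in {normalize(a) for a in answers}:
        return True, "ok"
    return False, "wrong"


def tally(submissions, answers):
    """Summarise a batch of attempts by outcome, for a quick look at what is being blocked."""
    return Counter(check_submission(s, answers)[1] for s in submissions)


if __name__ == "__main__":
    # Constructed attempts: blank, random letters, and one real answer.
    print(leaked_answers(QUESTION, ANSWERS))
    print(tally(["", "xkqjwz", "  The TRENT. ", None], ANSWERS))
```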