Can you advise me on techniques for enhancing signup protection?

Sploggers here, sploggers there, sploggers, sploggers everywhere.

It appears that since Anti-Splog is young and still learning, it is not yet fast enough to keep up with the twits who want to use my bandwidth in their attempt to scam Google rather than use their brain the way Google wants them to do.

Can anyone suggest a preferred enhancement to my registration system that will cut down even more on these leeches?

Among the things I know of are ...

Anti-Splog
Signup Code
Numeric Captcha
Visual Captcha

Is the Signup Code worth considering?
Are there other systems?

  • Kirk Ward

    What's not working with anti-splog?

    Anti-Splog is not putting any blog creation signups in the suspect queue.

    I have not tried the rename signup option as I am also using the "Login With Ajax" widget to have a login form on the home page. The form has a link to the Register page, and I wasn't sure using the rename feature would work with a plugin that "expected" the signup to be in a certain place.

  • Kirk Ward

    Checking the first posts is really the most powerful part

    I sense that. However, since these folks seem to be putting them up for customers, I'm thinking that they're hoping to get "link juice" just from the blog. They haven't been putting any posts up. Only clue I see is the website in their admin email.

    Idea: Is it possible to add a function that would not only mark the user as a spammer, but the domain they are representing as a spammer unless it is on an approved list (thinking gmail, yahoo, hotmail, etc., here)?

  • Kirk Ward

    The normal pattern we see is lots of blog signups, then they wait for a few days to a month or so before pushing out a few posts

    That makes sense, and seems to be what is happening.

    I think they are selling the already made blogs to spammer clients

    I was thinking that the domain names in the email address were a key and was preparing to build a domain list to block, but it appears that after I limited signups to one per day, the domain names in the emails started changing and the velocity of signups increased. My guess from that is that I may have been recognized by a botnet and they are propagating my site name through their system.

    If I have been recognized by a botnet, then how do botnets confirm emails? Is their system installed on a domain's email server?

  • tishimself

    Hi,

    I've been using the signup code effectively until 5/20/2010 when the floodgates opened and users have been adding themselves by the dozens. I changed my signup code (v1.0.1) from 6 digits to a HUGE string w/o any relief. Two more have signed up while I've been typing! I was going to rely on the Signup Code to ensure only users with the code would be able to sign up, but I haven't even given out the code! Question #1: how are they getting around entering the proper signup code?

    I tried to see if I could signup by deleting one of these spammer IDs & blog and using their email address to signup. The signup code stopped me.

    I enabled Paypal on PayToBlog with a Zero Demo Period. Naturally, there have been no payments.
    Q2: Will this stop them from adding blog content?

    The Power Tool has been very handy.

    Kind Regards,
    Larry

  • eborg9

    You may be interested in Buddypress Registration Options, the guy finally upgraded it and it's working now.
    You can set it to hold all blog registrations for admin approval. Many spammers see that and understand immediately that all registrations are being monitored.
    http://wordpress.org/extend/plugins/bp-registration-options/

    You could also just use the fake out. You can tell new sign ups that all registrations are subject to admin approval before they even start typing, even if you don't have anything installed...it's still a deterrent..they don't know the difference. It's like a car alarm..it won't stop the pros, but it will stop the kids.

  • Kirk Ward

    If I have been recognized by a botnet, then how do botnets confirm emails? Is their system installed on a domain's email server?

    I was actually wondering about the ones with non-webmail addresses, like kaley6299223@clevelandcar-insurance.com (an actual registrant). It seemed to me that either clevelandcar-insurance.com had hired a spammer, or their system was compromised, as the same domain, with several different users appeared regularly in the list of new blogs.

    If it was a user at gmail, hotmail or yahoo, I would presume they are automating signups through dummy accounts. This looks like a "throwaway domain" being used, or someone hired a spammer.

    Edit: - No new registrations today as I added these domains to the list of banned domains. We'll see what the future holds.

  • Kirk Ward

    An Observation

    I have just noticed that there appears to have been a change made to the "Log In With Ajax" plugin that I use.

    I edited the code to "enhance" the layout for my site. Today, I noticed that the layout had returned to a near approximation of its original state. I have NOT updated the plugin.

    Could the sploggers be exploiting a hole in the security of the plugin or the registration system?

  • eborg9

    Oh, now I see, you are getting bot registrations...I thought you were just having a problem with manual registrations.

    I assume that you are offering free blog registration? Sounds like you made it on someones list.
    You may have been compromised here as well.
    http: //linkfarmevolution. com/ (Don't want to leave a live link)

    It's one of those harvesting/spamming MU sites services, and the bot software to spam them.
    Always good to see what the other side is up to so you know what you are up against.

  • dslone

    I installed the http://wordpress.org/extend/plugins/bp-registration-options/ plugin and it had no effect on these nameXXXXXXXX (numbers) sign ups.

    I have also noticed that in every case "they" click the forgot/reset password link.

    I am marking these all as spam but so far the anti splog has caught 0 but it has caught several legitimate blogs as suspected spam.

    In addition these sign ups are completely bypassing the required fields on registration.

  • tishimself

    Hi,

    I changed the password on one of these spambot accounts and logged in. Paytoblog prevents them from using the blog that was created for them, tho I did not test with rigor.

    In my case, I am not offering free registration/signup. I even have the Signup Code plugin installed.

    My concern is that the Signup Code plugin is no longer stopping them, and they are quickly overrunning my site.

    Regards,
    Larry

  • dslone

    I don't understand why the blogs that these people are creating go active before they confirm their account. You'd think the WPMu would not be set up to do it that way.

    It has been said that we should just mark members as spammers but they still show up in activity stream and recent member avatars.

    I am tired of marking these as spam too and have decided to not allow auto creation of blogs for now. I will try to let members know that in order to setup a blog they will have to contact me. Perhaps I will use a contact form plugin to create a blog application. In the meantime deleting all spam blogs and 'members'.

    When deleting blogs you have to click each one. Strange there is no option to "check all".

  • Aaron

    @lwmcmahon, @dslone it sounds to me like you are getting spam user signups probably for BP. It's important to understand that antisplog only checks blog signups.

    I am getting multiple signups per IP address and always with format name followed by numbers (ie brenda6675436 )

    Anti splog isn't "noticing" any of them

    I'm thinking that you are talking about user only signups, as if they were blogs those would most definitely be on the suspect list at least.

    I don't understand why the blogs that these people are creating go active before they confirm their account.

    If an existing user creates a blog they don't have to confirm it.

    It has been said that we should just mark members as spammers but they still show up in activity stream and recent member avatars.

    Ya, that's a weird (unacceptable) thing with BP. I think they need to fix that.

  • drmike

    I don't understand why the blogs that these people are creating go active before they confirm their account. You'd think the WPMu would not be set up to do it that way.

    That's been brought up a number of times on the regular mu forums. We always tell folks that they have to go through the logs for the ip address and track down how those users are doing it. Usually that's followed by a "Huh?" by the poster and we never hear back from them.

    Ya, that's a weird (unacceptable) thing with BP. I think they need to fix that.

    Is there a trac ticket on that? :slight_smile:

  • tishimself

    Hi,

    Starting on 5/20, I've had hundreds of users of the form blahblah#####.yaddayadda.com signup on my buddypress site and request blogs. There were also lots of Password Lost/Changed email notifications to Admin.
    1. I have your signup code plugin implemented and it does not stop them. I think this needs to be investigated. I thought this plugin would stop these signups.
    2. It appears the PayToBlog kept them from using their blog.
    3. Now that I have disabled registration and turned off notification of new registrations, I'm getting bombarded with the Lost/Changed email notifications and more users are signed up again.

    Maybe this is where I will find a solution: http://wordpress.org/support/topic/396036.
    SI CAPTCHA Anti-Spam seems to have promise.

    Question, could I add a field to the signup form that would be the same color as the background with a default value of my choice that would cause the signup to be rejected if altered from the default value. I have used this effectively on email forms. The notion is that people don't see the field and bots will and change it.

    However, they are getting past the signup code, so I don't see how any change to the signup form will help.

    Regards,
    Larry

  • tishimself

    Hi,

    I've been looking for some help from the wpmudev folks for Support code, but based on Aaron's comment this is BP issue:

    it sounds to me like you are getting spam user signups probably for BP

    From what I'm reading about BuddyPress, this is a fairly long standing issue. Since I have disabled new registrations and new accounts are still getting created, it seems that BP must be fixed.

    But I would still like to know why Support Code is getting bypassed. It would be helpful if it was working.

    Regards,
    Larry

  • Aaron

    Larry, I know you are saying that the signup code is getting bypassed, but also saying that registrations still get through even when they are turned off. It seems that there is some other signup form somewhere on your site other than the built in BP one that spammers are getting to. Do you have a separate install of bbpress on your system? I've heard of spammers using the registration form on that. Or possibly a plugin you've installed that creates a new registration opening?

    If it comes down to it check out their IP then search for it in your logs to see how they are hitting your server.

  • tishimself

    Hi,

    There is no separate install of BP. To my knowledge there is no other way to sign up other than the one installed with BP. It is a pretty basic install of BP and I paid pSec to install it so I doubt they opened a backdoor.

    That said, I added a bp-custom.php with a
    define ( 'BP_REGISTER_SLUG', 'joinwoodcraft' );

    Oddly enough, the signup button works but the BP_corporate JOIN US HERE button no longer does, so I suspect it has a problem with using custom slugs. Hopefully, it is not using a separate signup process. Is this easy to fix?

    In the meantime I have started to take measures:
    Changed the signup slug.
    Started adding domains to be excluded.
    Banned a number of IPs that accessed wp-config/signup/ just for grins.
    Removed footer info on Buddypress cause it seems these bots may search for it.

    With registration reenabled, I will keep an eye on my site logs going fwd.

    Doubt me if you will, but IMHO they are somehow getting around the signup form and it may be related to the lost/forgotten pw process.

    Regards,
    Larry

  • Qlof

    You may have to either remove the register link or replace it with our function so it will always point to the right place.

    This works, people. I've replaced wp-signup.php with the auto generated url from the anti-splog plugin (that changes every 24 hours) and splogs has gone from a couple of hundred/day to 1/week. I'm getting regular signups too, so there's nothing wrong with the actual signup form.

  • tishimself

    Hi,

    You may have to either remove the register link or replace it with our function so it will always point to the right place.

    I have no idea what you mean by the above comment.

    Since I'm using BP, I just deleted wp-signup.php per Aaron's suggestion.

    I'm still not clear how the very long Signup Code value got bypassed except that wp-signup.php may not use the form at all. Guess I could put it back and try using it to see how it works.

    I need to find this "Join Us Here" button to get it fixed.

    Regards,
    Larry

  • Shawn

    @lwmcmahon:
    I've had SI CAPTCHA Anti-Spam installed for about a week on one of my WPMU+BP sites, and DURING that time I had over 300 splogs get past it. IMO, it's not very effective. However, within 3 minutes of activating the anti-splog plugin from here it caught two splog signups. Yay!

    To change that line to use the custom slug, replace:
    <?php if($bp_existed == 'true') { ?> /register><?php } else { ?>/wp-login.php?action=register"><?php } ?>

    With:
    <?php if($bp_existed == 'true') { echo BP_REGISTER_SLUG.'>'; } else { ?>/wp-login.php?action=register"><?php } ?>

  • tishimself

    Hi,

    Thanks for the slug/link tip.

    Last night I lifted the Signup Code so registration was open. I have 4 SPLOGS created today.
    The server log below shows these events for that time for that IP address; I have replaced the key used with another char string, tho I don't know that the keys are of any value. The four "/activate?key=" 302 redirects seem to correspond with the id creation. And with wp-signup.php deleted, they are not getting in using it. The custom registration SLUG was not effective either.

    I did NOT block this IP yet but did put the signup code back in play. In this way I hope to show that the signup form was bypassed, tho I think the log below indicates the signup form was not used. Please note that the 4 ids were not marked as SPAM.

    Host: 72.10.146.212
    /wp-signup.php?new=toytrumpet
    Http Code: 404 Date: Jun 02 10:08:16 Http Version: HTTP/1.1 Size in Bytes: 9573
    Referer: -
    Agent: curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

    /wp-signup.php
    Http Code: 404 Date: Jun 02 11:02:45 Http Version: HTTP/1.1 Size in Bytes: 9558
    Referer: -
    Agent: curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

    /activate?key=xxxxxxxxxxxxxxxx
    Http Code: 302 Date: Jun 02 11:42:53 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /activate?key=xxxxxxxxxxxxxxxxx
    Http Code: 302 Date: Jun 02 11:43:01 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /activate?key=xxxxxxxxxxxxxxxx
    Http Code: 302 Date: Jun 02 11:43:10 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /activate?key=xxxxxxxxxxxxxxxx
    Http Code: 302 Date: Jun 02 11:43:18 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /activate
    Http Code: 200 Date: Jun 02 11:43:20 Http Version: HTTP/1.1 Size in Bytes: 11982
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    Regards,
    Larry

  • tishimself

    Hi,

    I deleted all the bogus accounts, but I do have all the email registration notifications. I did turn off notification after a while, but I have several hundred emails.

    While the ids are similar, like hillary2074372 from today and hillary5298712 from 5/17, they are not identical. I looked at the old email subject lines and no two IDs are identical, the number part of the id is always different.

    But you know what, there is a BP_ACTIVATION_SLUG. Changing that should stop this cold.
    For now I will hold off until I have given my "signup code" time to gauge the effect.

    I think it would be best to customize all the BP SLUGS. What does SLUG stand for?

    Aaron, thanks for giving this your continued attention.

    Kind Regards,
    Larry

  • Kirk Ward

    I have been watching my notifications and marking each splog manually as soon as it is created, or within 24 hours. I have left them in the listing as I was led to understand this would help train Anti-Splog.

    When I review the sites listed on the Anti-Splog "Recent Splogs" page, they are each listed and showing 0% "Splog Certainty." That is not good. If I have to leave the splogs active until a post is made in order for Anti-Splog to recognize it, then the script is working more as an anti-spam plugin such as Akismet, rather than an anti-splog plugin. Under that scenario, my site will be filled with nineteen thousand gazillion splogs before the first one is recognized by Anti-Splog.

    Is there a complete summary anywhere of how Anti-Splog works? I would like to know more about what to expect.

    Thanks,
    Kirk

  • Aaron

    There is a very detailed explanation of the plugin here:
    https://premium.wpmudev.org/project/anti-splog
    I even created a detailed flowchart there.

    While the signups are annoying, I would argue that it's not technically a splog until spam content is posted to it. Unfortunately, technologically there is only one extremely effective automatic way of identifying spam, and that is Bayesian analysis (http://en.wikipedia.org/wiki/Bayesian_spam_filtering). There is a very limited set of data that can be analyzed on blog signup, and the bots are very effective at obscuring that. We try our best based on previous patterns but they still get by. But when it comes to actual spam content there is not much they can do to hide that, so that is the core of our Anti-Splog plugin, along with the ability to moderate suspicious blogs about 100 times easier than the built in blogs page with all our instant previews, mass spamming, and the like.

  • Sue

    @Kirk Can you remind me is your site a WPMU or BuddyPress site?

    Also have you gone to Anti-splog > Settings and changed your "Limit Blog Signups Per Day"? If not I would change it from unlimited to 1 or 2. This will limit the number of blogs that can be created in 24 hours from the same IP address.

    In terms of spamming the splogs using Anti-Splog I recommend you spam their registered IP by clicking on Spam action link next to their IP address and then clicking OK. This shows you how many blogs that have been created from the IP address and how many blogs have already been spammed from that IP address. I find this method really effective for spamming large numbers created from the same IP address - especially if not all of them have started posting.

    Another method that works well on our sites is that we limit the email domains that can register. Unfortunately this probably isn't an option for you, however it works really well with education email domains.

  • Aaron

    @Larry, you are correct, and new signups go through a list of about 10 different tests currently, one of them being a count of numerical digits.

    I also have a list of about 10 additional checks and tweaks I want to add to front end signups, and promise to get to it as soon as possible. Unfortunately I have a queue of other projects ahead of me (ecommerce, etc.) before I can implement that.

    I very much welcome your feedback and ideas though, and will add them to my list. There has been a lot of discussion about digits in blog domains/userids, and the conclusion is that there is a large enough group of sites here where that is common (dates, etc.) for normal signups so we can't set that too low in the API. On the todo is an individual choice built into the plugin for number of digits to allow.

    The biggest thing I can use advice on is how to check blog names/domains/userids for keywords. Specifically I can't think of any way to tokenize them for machine learning. Without spaces or punctuation I'm not sure how to divide up the strings in an effective way. Just scanning for known keywords is ineffective and error prone from experience.
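A worked version of the signup checks discussed above (longest digit run per username, signups per IP) together with Kirk's earlier idea of an approved-domain list, as an added example that is not part of this thread or of the Anti-Splog plugin. The sample signups, addresses, domains and thresholds are constructed; tokenize() cuts only at letter/digit boundaries, which is as far as a username can be split without a word list.

```python
import re
from collections import Counter

# Constructed sample signups in the shape reported in this thread: a first name
# followed by a long digit run, several from one address, plus two normal accounts.
# Addresses are documentation ranges and the domains are placeholders.
SAMPLE_SIGNUPS = [
    {"user": "brenda6675436",  "email": "brenda6675436@throwaway.example",  "ip": "192.0.2.10"},
    {"user": "hillary2074372", "email": "hillary2074372@throwaway.example", "ip": "192.0.2.10"},
    {"user": "keven4063772",   "email": "keven4063772@throwaway.example",   "ip": "192.0.2.10"},
    {"user": "kirkward",       "email": "kirk@gmail.com",                   "ip": "198.51.100.7"},
    {"user": "woodcraft2010",  "email": "shop@woodcraft.example",           "ip": "198.51.100.8"},
]

# Webmail domains that are never counted against the "same domain" limit
# (the approved list suggested earlier in the thread).
APPROVED_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


def tokenize(name):
    """Split a username into letter runs and digit runs, e.g.
    'brenda6675436' -> ['brenda', '6675436']."""
    return re.findall(r"[A-Za-z]+|\d+", name)


def digit_features(name):
    """Digit statistics for a username: total digits, longest run, ratio."""
    runs = [t for t in tokenize(name) if t.isdigit()]
    digits = sum(len(r) for r in runs)
    return {
        "tokens": tokenize(name),
        "digit_count": digits,
        "longest_run": max((len(r) for r in runs), default=0),
        "digit_ratio": digits / len(name) if name else 0.0,
    }


def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def review_signups(signups, max_digit_run=5, max_per_ip=2, max_per_domain=2):
    """Return {username: [reasons]} for a batch of signups; an empty list means
    nothing matched. The thresholds are per-site settings (illustrative values)."""
    ip_counts = Counter(s["ip"] for s in signups)
    domain_counts = Counter(email_domain(s["email"]) for s in signups)
    verdicts = {}
    for s in signups:
        reasons = []
        f = digit_features(s["user"])
        if f["longest_run"] > max_digit_run:
            reasons.append("digit run of %d exceeds %d" % (f["longest_run"], max_digit_run))
        if ip_counts[s["ip"]] > max_per_ip:
            reasons.append("%d signups from %s" % (ip_counts[s["ip"]], s["ip"]))
        dom = email_domain(s["email"])
        if dom not in APPROVED_DOMAINS and domain_counts[dom] > max_per_domain:
            reasons.append("%d signups from unapproved domain %s" % (domain_counts[dom], dom))
        verdicts[s["user"]] = reasons
    return verdicts


def flagged(signups, **thresholds):
    """Usernames with at least one reason, in submission order."""
    return [u for u, r in review_signups(signups, **thresholds).items() if r]


if __name__ == "__main__":
    for user, reasons in review_signups(SAMPLE_SIGNUPS).items():
        print(user, "->", "; ".join(reasons) or "ok")
```

Lowering max_digit_run to 3 also catches woodcraft2010, which is exactly the date-style false positive the post above warns about, so the digit limit is best left as a per-site choice.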

  • Sue

    @Kirk Oh no, looks like you might be the first member on WPMU DEV to have to pay up with a chocolate penalty (and not once but twice) for use of 'old'. Or maybe it is a cultural thing?

    I'm not convinced long term how effective IP would be because the sploggers adapt and I'm now seeing more sploggers changing their IP address every couple of blogs whereas once they would create large numbers from the same IP.

    However, one thing that does work well if you have had the Post Indexer plugin (https://premium.wpmudev.org/project/post-indexer) installed for a long time is using keywords with Anti-splog.

    Some of our sites have had the Post Indexer plugin on them since they were set up. So when Anti-splog is first installed I can use the keywords I've generated from splogging on Edublogs to go through the site to locate and spam large numbers of splogs. All I need to do is locate one to spam a large number by IP address.

    Benefit of the keywords with the Post-Indexer plugin is it will search the blogs back to the original date of when the Post Indexer was installed -- if they've used that key word it will find them. Whereas without keywords and Post-Indexer plugin you need to wait until they publish their next post to be detected -- and some only write a few posts then move onto setting up new splogs.

    I should create a video showing how well Anti-splog works with keywords where Post-Indexer plugin has been installed for a long time with spamming by IP address as it is amazingly cool. LOL I could have a whole video series on my splog spamming techniques :slight_smile:

  • Kirk Ward

    Or maybe it is a cultural thing?

    I hereby claim cultural privilege due to my ancestry who migrated here as indentured servants from Merry Old England back in Ye Olde Colonial days.

    LOL I could have a whole video series on my splog spamming techniques :slight_smile:

    With WP 3.0 coming out, I'll bet dollars to doughnuts that could be a very profitable info-product. My opinion is that there will be a lot of folks who get surprised by the splogger industry.

  • tishimself

    Hi,

    So here is another example of a BP id+blog being created w/o going thru /register. In this case, I tried deleting the id and executing the cmds in the server log myself to no avail. My admin id was emailed a new user registration, new blog creation and a Password Lost/Changed email. Time to try changing the Activate slug.

    Host: 173.201.182.196

    /activate?key=xxx
    Http Code: 302 Date: Jun 06 13:08:24 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /activate
    Http Code: 200 Date: Jun 06 13:08:26 Http Version: HTTP/1.1 Size in Bytes: 11982
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /wp-login.php?action=rp&key=xxx&login=keven4063772
    Http Code: 302 Date: Jun 06 15:41:47 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

    /keven4063772/wp-login.php
    Http Code: 302 Date: Jun 06 15:53:32 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

    /keven4063772/wp-admin/options-writing.php
    Http Code: 302 Date: Jun 06 15:53:33 Http Version: HTTP/1.1 Size in Bytes: -
    Referer: -
    Agent: curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

    Regards,
    Larry
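A small parser for the log layout shown in Larry's two excerpts above that flags the traits those entries share (command-line user agents, activation-key and password-reset hits with no referer) and groups them by host, so a batch like the one pasted above can be reviewed without reading it line by line. This is an added example, not code from this thread or from the Anti-Splog plugin; the log text, hosts and keys are constructed and the flagging rules are illustrative.

```python
import re
from collections import defaultdict

# Constructed log excerpt in the same layout as the entries posted in this thread
# (hosts are documentation addresses, activation keys are placeholders).
SAMPLE_LOG = """\
Host: 192.0.2.10

/wp-signup.php
Http Code: 404 Date: Jun 02 11:02:45 Http Version: HTTP/1.1 Size in Bytes: 9558
Referer: -
Agent: curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

/activate?key=xxxxxxxxxxxxxxxx
Http Code: 302 Date: Jun 02 11:42:53 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

/wp-login.php?action=rp&key=xxx&login=keven4063772
Http Code: 302 Date: Jun 02 15:41:47 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

Host: 198.51.100.7

/register
Http Code: 200 Date: Jun 02 12:00:00 Http Version: HTTP/1.1 Size in Bytes: 12000
Referer: http://example.test/
Agent: Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100101 Firefox/3.6
"""

STATUS_RE = re.compile(r"Http Code: (\d+) Date: (.+?) Http Version:")
# Endpoints a real visitor reaches from a page on the site, so a bare hit is odd.
SIGNUP_PATHS = ("/activate", "/register", "/wp-signup.php", "/wp-login.php?action=rp")


def parse_log(text):
    """Turn the thread's multi-line log layout into a list of request dicts."""
    entries, host, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Host:"):
            host = line.split(":", 1)[1].strip(" \u2022")   # drop a stray bullet
        elif line.startswith("/"):
            cur = {"host": host, "path": line, "code": None, "date": None,
                   "referer": "-", "agent": ""}
            entries.append(cur)
        elif cur is not None and line.startswith("Http Code:"):
            m = STATUS_RE.match(line)
            if m:
                cur["code"], cur["date"] = int(m.group(1)), m.group(2)
        elif cur is not None and line.startswith("Referer:"):
            cur["referer"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("Agent:"):
            cur["agent"] = line.split(":", 1)[1].strip()
    return entries


def flag_entry(e):
    """Return the reasons one request looks like scripted signup traffic."""
    reasons = []
    agent = e["agent"].lower()
    if agent.startswith("curl/") or agent in ("", "-"):
        reasons.append("command-line or empty user agent")
    if e["path"].startswith(SIGNUP_PATHS) and e["referer"] == "-":
        reasons.append("signup/activation endpoint hit with no referer")
    if e["path"].startswith("/activate?key="):
        reasons.append("direct activation by key without a registration page view")
    if e["path"].startswith("/wp-login.php?action=rp"):
        reasons.append("password reset request")
    return reasons


def suspicious_hosts(text, min_hits=2):
    """Flagged requests grouped by host; only hosts with >= min_hits are kept."""
    hits = defaultdict(list)
    for e in parse_log(text):
        reasons = flag_entry(e)
        if reasons:
            hits[e["host"]].append((e["date"], e["path"], reasons))
    return {h: v for h, v in hits.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_LOG).items():
        print(host)
        for date, path, reasons in hits:
            print("  %s %s: %s" % (date, path, "; ".join(reasons)))
```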

  • Kirk Ward

    It would be nice to be able to rename wp-login.php to a custom name. Is this possible w/o major surgery?

    It may be major surgery, but you could download the entire core and do a global text string search and replace, replacing the string "wp-login.php" with something like wp-mxplytzk.php everywhere, including the actual file name.

    Don't know if it would work, but I don't see why not, unless the filename is stored in and pulled from the database. (Don't see any reason for that, but I aren't no coder.) The entire operation (after downloading) could be done in two minutes with a piece of software like "Global Text Find."

  • Erik

    Aside from signup security, I would control the login numbers.

    WordPress currently has no option to limit login attempts. It doesn't even notify you when a brute force attempt is obviously taking place.

    I would recommend the login limiter plugin. I have detected and blocked two brute force attempts in the few months I've been using it (these were from random spammers in Latvia that are known to the honeypot project already)... You can mu-ify this plugin by moving the control panel into 'site-admin' and hardcoding your settings into the plugin's PHP file. Then set it to be auto-activated for all users with a plugin manager.

    You can find my explicit instructions for mu-ifying this plugin in the comments at the plugins homepage.

    -Erik

  • Shawn

    Based on the logs here, it's very obvious to me that the majority of sploggers are using curl to signup. Even if they *can* add UA headers to avoid being blocked, the easiest solution would be to simply block curl (.htaccess):

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_USER_AGENT} ^curl/ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_REFERER} !.*%{SERVER_NAME}.*
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
