miniBB Support Forums

Validate User Registration by Email Confirmation / Verification

Author sjach
Registered
#31 | Posted: 19 Apr 2014 11:11 
Hi again. I have an idea how to check that registered users' emails are proper. I think there is a solution in the SMTP protocol. When a message is sent, the SMTP server receives it and first tries to find the user in the users database; if the user doesn't exist, it replies to the sender "there is no such user". Paul, can you use this feature?

I have about 200 users registered every day, and every day I have to erase them.

Author Paul
Lead Developer
#32 | Posted: 21 Apr 2014 23:05 
If I remember properly from the past, not every SMTP server would give you such an error and not every one would allow such a command to be sent to it. So this method is not quite stable to serve all of the sources. Also, actually, it would lead to spam report issues on the server end, if it sees someone trying to connect to it too often with false email addresses.

In your case, I'd recommend enabling $emailadmin of miniBB to let the admin get the info about all user registrations. The IP address of each registration will be visible there. Mostly, all of the false registrations are automated and come from similar IP addresses. Banning those addresses may stop registrations.

Another pre-filtering would be possible, for example, not allowing email addresses from Gmail, Hotmail, Yahoo etc. Each case is different, so the solution for your forum, with more chance, should be also customized.

BTW, do you have the Captcha module installed? With some tuning, it could kill about 90% of automated registrations.

Author sjach
Registered
#33 | Posted: 22 Apr 2014 00:05 
Yeah, Captcha has been installed. It seems like someone made it manually. Is it possible to use one session to register many users?

Author tom322
Registered
#34 | Posted: 22 Apr 2014 01:34 
sjach:
It seems like someone made it manually.

In the case of a manual Chinese etc. spammer (that uses a proxy/VPN server) there is nothing that could help. If he/she uses one IP then it's possible to stop, but I doubt they use one IP only.

Author Paul
Lead Developer
#35 | Posted: 22 Apr 2014 02:16 
sjach:
Is it possible to use one session to register many users?

I have more advanced techniques how to extend Captcha, hopefully I could get to them tomorrow, will post here...
In general, yes, it's possible to use one session for authorization. But not for the registration process, only guest posting. Each authorization requires new code.
You may try to extend it with the current methods I've explained here.

Author Paul
Lead Developer
#36 | Posted: 22 Apr 2014 22:57 | Edited by: Paul 
Btw, I forgot to mention that you could set up validation of users' emails like it's explained in the beginning of this thread.

With a little modification, it's possible to set a special field in the database and, by setting up a crontab task, automatically remove all accounts which, say, were not verified in 1 hour. Or even better, it is possible to set up a crontab task which will remove all accounts which did not post something useful in 24 hours, i.e. having 0 posts on the account.

Just another kind of the solution.

Author sjach
Registered
#37 | Posted: 27 Apr 2014 14:21 
" Or even better, it is possible to set up a crontab task which will remove all accounts which did not post something useful in 24 hours, i.e. having 0 posts on the account."

That could be a good solution. I haven't found any info about this. Could you provide more details?

Author Paul
Lead Developer
#38 | Posted: 27 Apr 2014 15:32 
Do you know what the crontab task is about? It is required to code a PHP script which would remove MySQL records following these statements:

$delTime=time()-86400;

delete from {$Tu} where user_regdate<{$delTime} and num_posts=0;

I'm out of office now and can't provide the exact code.
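The cleanup described in this post, written out as an added example; it is not miniBB's or Paul's code. Only `user_regdate` and `num_posts` come from the post. The function name, the `user_id` and `username` columns, the keep-list for the admin account, the dry-run switch and the in-memory SQLite sample table are assumptions, and `user_regdate` is assumed to hold a Unix timestamp, as the comparison in the post implies.

```php
<?php
// Added example. purgeIdleAccounts() is a hypothetical helper, not a miniBB function.
function purgeIdleAccounts(PDO $db, string $table, int $maxAge, array $keepIds, bool $dryRun): array {
    // Table names cannot be bound as parameters, so accept only a plain identifier.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $delTime = time() - $maxAge;                       // same cut-off as $delTime in the post
    $keep    = $keepIds ? implode(',', array_map('intval', $keepIds)) : '0';
    // If user_regdate is a DATETIME column, bind date('Y-m-d H:i:s', $delTime) instead.
    $where   = "user_regdate < :t AND num_posts = 0 AND user_id NOT IN ($keep)";

    $db->beginTransaction();
    $sel = $db->prepare("SELECT user_id, username FROM $table WHERE $where");
    $sel->execute([':t' => $delTime]);
    $rows = $sel->fetchAll(PDO::FETCH_ASSOC);
    if (!$dryRun) {
        $del = $db->prepare("DELETE FROM $table WHERE $where");
        $del->execute([':t' => $delTime]);
    }
    $db->commit();
    return $rows;                                      // removed (or would-be removed) accounts
}

// Constructed sample data so the script runs without a forum database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
           user_regdate INTEGER, num_posts INTEGER)');
$now = time();
$ins = $db->prepare('INSERT INTO users VALUES (?,?,?,?)');
foreach ([
    [1, 'admin',  $now - 900000, 0],   // old, 0 posts, but on the keep-list
    [2, 'x7k2q',  $now - 90000,  0],   // older than 24 h, 0 posts: removed
    [3, 'alice',  $now - 90000,  4],   // has posts: kept
    [4, 'newbie', $now - 3600,   0],   // registered an hour ago: kept
] as $r) {
    $ins->execute($r);
}

foreach (purgeIdleAccounts($db, 'users', 86400, [1], true) as $u) {
    echo "would delete #{$u['user_id']} {$u['username']}\n";
}
```

Run it with the dry-run flag set first and read the list before switching to real deletion from the cron entry.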

Author sjach
Registered
#39 | Posted: 27 Apr 2014 16:07 
I'm using hosting and don't have access to crontab. But I'll try to talk to them. Please provide all the code.

Author Paul
Lead Developer
#40 | Posted: 30 Apr 2014 15:23 | Edited by: Paul 
I have provided more sophisticated protection codes for the Captcha module. Please check them now and apply on your end to try.

You see, removing what was done, is the last step of "improvement", that means there is no way on the pre-posting stage, and that's the most important to take care of. That's why if nothing helps, I could finally code this... not this time.

Most recently, we have also experienced a massive attack of flood registrations on the miniBB forum. They were mostly coming from China, IP networks 27.153.+ and 27.159.+, one in about 5 minutes, so I'd expect it is an automated process. The solution I suggested above may improve the protection. I've temporarily added them to the banning list, and the amount of flood registrations significantly decreased.

For some time I didn't catch the idea of those registrations - what would be the main sense? To make the database of users larger and with false accounts?.. Stupid idea. Later, I've analyzed all of the registration emails I've got as the administrator, and they were about only @gmail.com emails registrations, which of course are thoroughly false. For example:

m.ai.nta.i.ne.a.c.y@gmail.com
m.a.int.a.in.ea.c.y@gmail.com

a.lchem.i.stet.hw@gmail.com
a.lchemi.s.t.et.h.w@gmail.com
al.chemi.s.t.et.h.w@gmail.com
al.c.h.emi.s.t.e.t.h.w@gmail.com
al.ch.emiste.t.h.w@gmail.com

s.ens.i.b.l.e.qxdi@gmail.com
s.ensib.leqx.d.i@gmail.com

or.di.na.n.c.eh.ne.n@gmail.com
ord.in.a.n.c.e.hne.n@gmail.com

and so on. It's obvious the coder takes some phrase, from the vocabulary or whatever database of words, in some case extends it with random chars, and then uses dots in random places to get even more "unique" emails to register. Surely, "usernames" also appear completely random phrases, consisting of chars and digits.

I have thought that this could some way be an attack on gmail server, because miniBB will try to send out the registration email to the address provided, and it will fail each time; so at some day, Gmail will think miniBB's server floods their service too randomly and too often, and it may block our IPs or domain or whatever.

Of course, there are TONS of ways to "register" randomized emails, but there are actually a few ways to fight such approach:

1) Do not send registration email to Gmail accounts at all. Alternatively, it's possible to suppress any other public email service. However, it was only my expectation that flooders may "rape" servers that way. Also, this will not actually stop the registrations themselves.

2) Do not allow to register Gmail-based account if its username contains more than 1 (one) dot in it. It could help and it could be a not destructive solution to the core. Just add this to bb_plugins.php (before the Captcha code):

/* Registration - disabled some Gmail accounts */
if($action=='register' and isset($_POST['email']) and is_string($_POST['email'])){
  $chkEmail=strtolower(trim($_POST['email']));
  if(substr_count($chkEmail, '@')==1){
    // split into username and domain; compare the whole domain,
    // so that an address at e.g. notgmail.com is not matched by mistake
    list($un, $dom)=explode('@', $chkEmail);
    // more than 1 dot in a Gmail username -> registration error 7
    if($dom=='gmail.com' and substr_count($un, '.')>1) $correct=7;
  }
}
/* --Registration - disabled some Gmail accounts */

and this to the end of your language pack:

/* Forbidden Gmail */
$l_userErrors[7]='Sorry, you can\'t use this email address for registration! Try another one.';

I've applied the same codes on miniBB forum. Let's see if it helps. You may try the same so far.
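An added example, not part of the original post or of miniBB: Gmail ignores dots in the username and anything after a "+", so the dotted variants quoted above are spellings of one mailbox, and reducing each address to that mailbox lets a registration check or a log review group them. The function names are hypothetical; the sample list reuses addresses quoted in the post plus one constructed control address.

```php
<?php
// Added example. canonicalEmail() and findAliasClusters() are hypothetical names.

/**
 * Reduce an address to the mailbox it is delivered to: lower-case it and,
 * for Gmail, drop a "+tag" suffix and all dots in the username.
 * Returns null for malformed input.
 */
function canonicalEmail(string $email): ?string {
    $email = strtolower(trim($email));
    if (substr_count($email, '@') !== 1) return null;
    [$local, $domain] = explode('@', $email);
    if ($local === '' || $domain === '') return null;
    if ($domain === 'gmail.com' || $domain === 'googlemail.com') {
        $local  = explode('+', $local, 2)[0];     // plus-addressing
        $local  = str_replace('.', '', $local);   // dots are ignored by Gmail
        $domain = 'gmail.com';
        if ($local === '') return null;
    }
    return $local . '@' . $domain;
}

/** Group addresses by canonical mailbox; keep mailboxes seen under more than one spelling. */
function findAliasClusters(array $emails): array {
    $groups = [];
    foreach ($emails as $e) {
        $key = canonicalEmail($e);
        if ($key !== null) $groups[$key][] = $e;
    }
    return array_filter($groups, fn($g) => count(array_unique($g)) > 1);
}

$seen = [
    'm.ai.nta.i.ne.a.c.y@gmail.com',  'm.a.int.a.in.ea.c.y@gmail.com',
    's.ens.i.b.l.e.qxdi@gmail.com',   's.ensib.leqx.d.i@gmail.com',
    'or.di.na.n.c.eh.ne.n@gmail.com', 'ord.in.a.n.c.e.hne.n@gmail.com',
    'john.smith@example.org',         // constructed control address
];
foreach (findAliasClusters($seen) as $mailbox => $variants) {
    printf("%s <- %d registrations\n", $mailbox, count($variants));
}
```

Storing the canonical form next to the submitted address and requiring it to be unique rejects a second spelling of a mailbox without blocking a first-time Gmail user whose address contains dots.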

Author sjach
Registered
#41 | Posted: 30 Apr 2014 23:10 
I spent the last week testing a lot of variants of options in the captcha module. For now I have found a simple solution. The problem is that a potential user/guest has to reload the picture 2 or 3 times, but it works. I just ask my new users to click a few times (if needed) because of spam robots. For now, after 3 days, only one spam user :)

I tried to paste my captcha options file but the Anti-spam protection module is blocking me :(

Author Paul
Lead Developer
#42 | Posted: 30 Apr 2014 23:22 | Edited by: Paul 
sjach:
I tried to paste my captcha options file but the Anti-spam protection module is blocking me :(

You may zip them and use the File Bank button above to upload it to our File Bank. Later I will review them and attach to your post, if they do not contain any vulnerable parts :) Thanks.

Author sjach
Registered
#43 | Posted: 1 May 2014 00:02 
This is only a few modifications of colors and letter size, but it's working :)

Author sjach
Registered
#44 | Posted: 1 May 2014 00:14 
File bank is not working. I tried zip and plain txt files :(

Author Paul
Lead Developer
#45 | Posted: 1 May 2014 00:41 
sjach:
File bank is not working.

What kind of error do you get?
It accepts .zip files up to 1 Mb in size, hopefully you are not trying to exceed this limit (which is enough for a little code).
