Search Results for 'bots'

Viewing 25 results - 276 through 300 (of 331 total)
  • #68578
    David Lewis
    Participant

    I just clued in that these bots are probably all using proxy servers… and compiling a big list of them all would be futile. So I found this htaccess code that blocks servers based on their methods. I know this topic has gone beyond specific BuddyPress fixes… but I’ve done all of the BuddyPress fixes (and more) and I’m STILL getting SPAM signups. So perhaps this will help someone else.

    RewriteEngine On
    # block proxy servers from site access
    RewriteCond %{HTTP:VIA} !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED-FOR} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:X-FORWARDED-FOR} !^$ [OR]
    RewriteCond %{HTTP:X-FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    RewriteRule ^(.*)$ - [F]

    Credit goes to: http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/

    #68432
    David Lewis
    Participant

    I’ll try. I just got a new registration from ANOTHER .info email address. Minutes ago. Ugh :( Unreal.

    I’ve done everything mentioned in this thread and MORE. And no dice. Kind of at my wits’ end. How the heck are they signing up?! Unless it’s humans signing up. But I assume all SPAMers use bots. Even if it’s not a bot… I don’t know how you’d ever find the signup page with Google. It has a custom slug and I’ve gotten rid of the default BuddyPress text.

    Anyway. Thanks Andrea.

    I wonder if this would work in .htaccess

    deny from .*\\.info.*

    #68417
    David Lewis
    Participant

    @Andrea_r How do you say “SPAMbots please screw off” in Latin? LOL. Maybe Google can translate for me.

    No more SPAM registrations since my last post. Fingers crossed.

    Did you find out how to use regex in the WPMU “banned domains” setting?

    #68329
    David Lewis
    Participant

    Okay… I am STILL getting SPAM registrations. I’ve done the following:

    • Changed signup slug
    • Installed hashcash (works with BP now)
    • Disabled “Allow blog administrators to add new users…”
    • Deleted BuddyPress credit in footer.php
    • Deleted wp-signup.php
    • Created a robots.txt file to disallow robots from my signup slug

    Any more ideas? Short of Captcha? Altho’ I’m thinking even that won’t work.

    #68270
    kiwipearls
    Participant

    You might like to get some anti bot plugins from wordpress. I have WordPress MU and Buddypress and use the following plugins to prevent bots from joining my site.

    WP-SpamFree – An extremely powerful anti-spam plugin that virtually eliminates comment spam. Finally, you can enjoy a spam-free WordPress blog! Includes spam-free contact form feature as well. http://www.polepositionmarketing.com/library/wp-spamfree/

    WPMU Super Captcha – Custom captcha program made to stop spam bots cold in their tracks. Features audio, word files, or random text. You configure it! https://wordpress.org/extend/plugins/super-capcha/

    Or go to http://www.wordpress.org, click on extend and find them there.

    #68225
    David Lewis
    Participant

    So to sum up:

    • Change your signup slug
    • Add some required custom profile fields (or use the hashcash trick posted at the start of this thread)
    • Disable “Allow blog administrators to add new users to their blog via the Users->Add New page”
    • Delete BuddyPress credit in footer.php
    • Delete wp-signup.php
    • Create a robots.txt file with User-agent: * Disallow: /register/ (or whatever your slug is)
    • If all else fails, use CAPTCHA or preferably a simple random question (what colour is snow)

    Am I wrong or missing anything?

    Also… all of my SPAM registrations were coming from .info domains. I added this to my .htaccess file but I’m not sure it’s correct. I found a million examples via Google search for how to ban full domains or subdomains… but nothing about blocking an entire extension (i.e… whatever.info). Anyway, this is what I wrote:

    RewriteCond %{REMOTE_HOST} \.info$
    RewriteRule .* - [F]
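
The `RewriteCond` above tests `REMOTE_HOST`, the reverse-DNS name of the connecting client, so it never looks at the email address typed into the signup form. An added example (not code from the thread or from BuddyPress) of rejecting signups by email TLD inside the application instead; the `example_` function names and the blocked list are assumptions, and it assumes the signup form is validated through WordPress MU's `wpmu_validate_user_signup` filter.

```php
<?php
// Added example: the function names and the blocked TLD list are assumptions.

// Return true when the email's domain ends in one of the blocked TLDs.
function example_email_has_blocked_tld( $email, array $blocked_tlds ) {
    $at = strrpos( $email, '@' );
    if ( false === $at ) {
        return false; // not an address; leave that error to normal validation
    }
    // Normalise: lower-case, and drop a trailing dot ("user@spam.info.").
    $domain = rtrim( strtolower( trim( substr( $email, $at + 1 ) ) ), '.' );
    foreach ( $blocked_tlds as $tld ) {
        $suffix = '.' . ltrim( strtolower( $tld ), '.' );
        // Suffix match on a label boundary: "a.info" matches,
        // "a.infoxyz" and "info.example.com" do not.
        if ( strlen( $domain ) > strlen( $suffix )
            && substr( $domain, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Filter callback: $result is the array WordPress MU passes through
// 'wpmu_validate_user_signup' (keys include 'user_email' and 'errors').
function example_reject_blocked_tld_signup( $result ) {
    $blocked = array( 'info' ); // constructed list, taken from the post above
    if ( example_email_has_blocked_tld( $result['user_email'], $blocked ) ) {
        $result['errors']->add( 'user_email', 'Registrations from this email domain are not accepted.' );
    }
    return $result;
}

// Register the filter only when running inside WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wpmu_validate_user_signup', 'example_reject_blocked_tld_signup' );
}
```

A TLD block of this kind also turns away every legitimate user of that TLD, so the rejection message is a reasonable place to give a contact address for manual registration.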

    #68058
    djsteve
    Participant

    I am seriously considering using a robots.txt file to noindex nofollow my sitewide activity page and members page.

    Just to see what happens.. I have lost position for some keywords with the newer theme and setup now.. I also want to find where the alt tag for my site title is showing in the code so it is not alt-tagged “home” – I think those things will help it get to where it was.

    #68052
    David Lewis
    Participant

    I’m starting to get hit now :o( I have had a custom slug for weeks. I added a robots file today disallowing bot access from /my-signup-slug/ and also installed invisible defender but I’m still getting spam registrations. I also just deleted my wp-signup.php file. I’m going to try hashcash. I’m also considering a htaccess file that simply bans ALL traffic to the entire website from Russia, China and any .info domains.

    #67943
    Hugo Ashmore
    Participant

    Google ‘robots.txt file’ for starters

    Jean-Pierre Michaud
    Participant

    the activity means someone who is active on the site… registrations have to be complete before being considered active… this is to avoid spam bots being considered active on the site… so when the new members visit the site back and “do” something, they are tracked by the activity stream.

    #66327
    Windhamdavid
    Participant

    All in all, here’s my approach that I use on MU/BP sites ~

    1) modify the register/register.php wp-signup.php hardcoded default text and url slugs.

    2) enable xprofile and require additional fields upon registration.

    2) use a captcha ~ i’m fond of reCAPTCHA

    3) make sure you check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page. ” in wp-admin/wpmu-options.php “Admin > Site Options”

    4) I ban or limit the registration domains (also in Admin > Site Options) so that the commonly used spammer domains are blocked from registration and then I add an email contact for owners of these addresses to manually request registration. I hide the email address from bots with HiveLogic EnKoder

    5) I then firewall off entire blocks of IP’s from my servers from commonly used spammer IP ranges you can find at sources like spamhaus.org .. and considering that these are one language sites, the need for access for the IP blocks on the pan asia network or eastern europe are unlikely. If you have a multilingual site, this might cause issues to very few users. Cpanel, Plesk, BSD, etc have tools to do this.. if you’re on a shared server, ask your hosting provider if they can do it for you, and they may be likely doing it already.

    6) I also recommend using Akismet.

    #66297
    Hugo Ashmore
    Participant

    Definitely remove the footer link if you haven’t already.

    I noticed an issue with spammers using CURL to download /registration so blocked that in .htaccess (It’s been mentioned on a thread somewhere how to)

    renaming the slug ‘registration’ is supposed to help.

    For me deactivating blog signup improved things significantly. Didn’t need users to be able to register for a blog at initial sign up they can take a blog once they are members.

    Despite all efforts and much study and approaches instigated one after the other to gauge effectiveness before adding next one I still am not sure how a few of the automated bots get through, human signups there isn’t much you can do about them apart from delete manually.

    All my efforts still result in around 10 signups daily that require dealing with manually.

    #65811
    snark
    Participant

    Yes, that makes sense, until there are hundreds of IP addresses to try to ban. Also, WP isn’t logging the IP addresses, though I suppose I could install a plugin to do that.

    Philosophically, it goes back to the debate over sending new users a confirmation email or not. I’m in the yes camp, because many forum spambots will sign up for memberships with a bogus email address, so if they have to confirm via email, their memberships will never get confirmed. But I suppose there’s a performance trade-off to sending out a high percentage of emails that end up bouncing.

    Ideally I can figure out a set of methods to stop most spam registrations from happening in the first place, greatly reducing the amount of user editing I would otherwise have to do after the fact.

    #65533
    Windhamdavid
    Participant

    @tyler ~ I’ve now built two similar ‘medical related’ sites where the privacy was of utmost concern and I used my code from above beautifully. You could drop the plugin and the secondary install and just use that for any pages you want to keep private from both unregistered users and spiders/robots.

    #65113
    zageek
    Participant

    You’re lucky, the spambots that are after me figure out the new slugs after a few days.

    I am actually considering setting up a botnet to jam up their IP’s and domains as payback lol

    #65055
    Windhamdavid
    Participant

    Any of you who continue this thread any further are simply staring the ‘gift horse in the mouth’ so to speak.

    ~ spam is a problem for every company, be it IBM, Google or WordPress. These companies spend millions combatting it and it’s a problem for almost any CMS, or site that has UGC. If you can’t install Akismet, and/or a couple other preventative measures on your site, then you should hire someone who knows what they’re doing or you have a compromised(hacked) site where once again, you should hire someone who knows what they’re doing.

    while not naming names ~ I have watched ‘your’ posts on this forum and you’ve offered very little contribution and quite a bit of negativity. That doesn’t bode well for an open source community who provides you a product free of charge. Perhaps providing some meaningful feedback about your experiences will help the community develop better solutions instead of glaring accusations and harsh criticism? In fact your posts in this community are very much like spam for the very same reason. At this point, you’ve pretty much hit an all time low since you’re accusing developers, many of whom work for free, of turning a blind eye towards the issue of spam. If you’re unhappy with website, may I suggest move on to another piece of software that is magically immune to spam robots, where you’ll most positively be a great asset, not only to them, but also with your absence here on the Buddypress Forums.

    #65054
    MrMaz
    Participant

    The best trick I learned for fighting spam bots is to ask a question that only a human can answer and making them type it into a text box. If you change the question daily or randomize it, it makes it even tougher. Don’t do anything like math or captcha or something that a bot can calculate or decipher. Ask a question like “What color is snow?” or “How many sides does a triangle have?”

    But if humans are filling out the forms, you are pretty much SOL.
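
A rotating question of the kind described above can be checked without server-side session state by signing the question index and an expiry time into a hidden form field. This is an added example, not part of the post or of any plugin named on this page; every name, the questions and the secret are constructed placeholders, and it assumes PHP 7 or later.

```php
<?php
// Added example: all names, questions and the secret are constructed placeholders.
const EXAMPLE_SECRET = 'replace-with-a-long-random-server-side-secret';
const EXAMPLE_TTL    = 900; // seconds a challenge stays valid

// Question => accepted answers (compared after trimming and lower-casing).
function example_questions() {
    return array(
        'What color is snow?'                  => array( 'white' ),
        'How many sides does a triangle have?' => array( '3', 'three' ),
    );
}

// Pick a random question; return it with a signed token for a hidden field.
function example_issue_challenge( $now ) {
    $questions = array_keys( example_questions() );
    $index     = random_int( 0, count( $questions ) - 1 );
    $payload   = $index . '.' . ( $now + EXAMPLE_TTL );
    $mac       = hash_hmac( 'sha256', $payload, EXAMPLE_SECRET );
    return array( 'question' => $questions[ $index ], 'token' => $payload . '.' . $mac );
}

// Verify the token (integrity, then expiry) before looking at the answer.
function example_check_answer( $token, $answer, $now ) {
    $parts = explode( '.', (string) $token );
    if ( 3 !== count( $parts ) ) {
        return false;
    }
    list( $index, $expires, $mac ) = $parts;
    $expected = hash_hmac( 'sha256', $index . '.' . $expires, EXAMPLE_SECRET );
    if ( ! hash_equals( $expected, $mac ) || (int) $expires < $now ) {
        return false; // forged, altered or expired challenge
    }
    $accepted = array_values( example_questions() );
    if ( ! isset( $accepted[ (int) $index ] ) ) {
        return false;
    }
    $given = strtolower( trim( (string) $answer ) );
    return in_array( $given, $accepted[ (int) $index ], true );
}

// Constructed usage: show the question that would be rendered in the form.
$challenge = example_issue_challenge( time() );
echo $challenge['question'], PHP_EOL;
```

A token stays valid until it expires, so a solved challenge can be replayed inside that window; keep the window short or record tokens that have already been used.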

    #65019
    rich! @ etiviti
    Participant

    IMHO – being overcritical will not solicit the best help. Like any community – you’ll need to fight spam regardless of the platform and requires ongoing patience to battle.

    Some tricks I use

    block all MSIE456 users, block bad bots, block known spammer country CIDR ranges, rename template pages, try whatever plug-in and tweak if needed.

    #65013
    zageek
    Participant

    I agree with you totally I also highlighted this issue in this thread:

    https://buddypress.org/forums/topic/spam-domains-to-add-to-your-block-list

    Not to sound rude but it feels like if the developers or the main people aren’t too affected by an issue then it’s not regarded as an issue.

    SPAM is major problem and while a test site might work fine if you have niche sites around certain topics you might get more spam than others based upon the fact that spammers might come across your site through keywords specific to your site and as such the devs might not necessarily experience such problems.

    I have tried everything some spambots even seem to get around CAPTCHAs, the only option I have is to manually approve each new user.

    #63571
    David Lewis
    Participant

    @Cyndy: The two posts above you give alternatives to using captcha. It’s not the “only known solution”. SPAMers use bots. Bots look for known text and urls… like “Powered by BuddyPress” or http://www.mysite.com/register or whatever. Changing those things can help a lot. And invisible defender helps too. All without captcha. Which I think everyone will agree… sucks.

    #63060
    pcwriter
    Participant

    Here’s something else that might interest a few: I installed WPMU Super Captcha over the weekend (running WPMU2.9.1 & BP1.2rc). Since then, there have been no bot signups at all, and the plugin has blocked exactly 50 attempts. Plus, it logs each attempt that it blocks so I can keep track.

    I’ve also added a comment on the registration form directed towards human signer-uppers with a support email address just in case. None of the 50 blocked attempts have used it, so…

    Bots had managed to get around other plugins I’ve tried before, but not this one.

    #62537
    Mike Pratt
    Participant

    I have been running BP in Production since well before the 1st alpha release on the same url with the exact same registration slug AND requirements. Nothing is protecting on my site any more than a standard install – no captcha, etc. I can count on my hand the number of spam attempts to register. They are so few, I just delete them and use BanHammer once they try.

    How? We have a specific (albeit small) set of required registration fields to fill out. That’s all. I love simple and fast registration as much as the next guy but, unless you want to enforce email address verification and a bunch more, those are your real options.

    Changing the slug will work until it doesn’t …which won’t be very long. Consider how that spammer found you in the first place…with a bot – not by randomly coming across your site.. and just like in the matrix, the bots will find you again. :-)

    #62528
    danbpfr
    Participant

    If you change the signup slug, i.e. from signup to regme, probably that this can be found easily by spammers. But if you change signup to bolimp or domybest or f_12gt_99xpm, probably not. And building a random letter word constructor to spam a wp install is probably too much also… As far as i know, the majority of wp users never look into the code. And robots like majority…

    Anyway, the signup table would still exist… and accessing a db is not impossible at all i presume. So the only thing to change is the table name, 6 x by day if necessary. And this is not simple at all.

    Happy coding !

    #61946
    guristu
    Participant

    The short answer is Yes. The long one is they are made for filling out forms and submitting them. A drop-down is just a field that they might encounter, so expect the functionality. On the other hand we are talking here about bots that look for WP/MU installations to exploit the default sign up or comment forms. As a rule of thumb, anything that you can do to change the default behavior, do it. It’s like Andy said: if you make it the default, the spammers will figure out a way to get around it.

    Also: try very hard to stay away from the following in your URLs: wp-signup.php, wp-register, register, wpmu, wp, and anything that hints at a wordpress installation.

    #61943
    David Lewis
    Participant

    @guristu Right… but can bots submit drop down values? For instance, I have a drop down for “Training Level” which is a required field. If it’s left at “please select”… the form will return a required field error.
