BuddyPress.org

Also; each “blast” of spam users/blogs appear to come from different IPs, but the username always has a 7 digit number pattern after a random name. They all appear to come from “.info” email registrations.

These registrations are bypassing the public registration form requirements somehow, but I believe they are legitimately activating their account (since I’ve had delays after disabling the registration form). There are entries in both _users and _signups tables that match.

Hope this helps if anyone else is having this issue. I’m open to any temporary solutions for this particular pattern, but more importantly is there a good way to solve this long term?

Is there a way to manually approve members? Maybe some step in between that would allow a manual send of the account activation email?

Update: After several days of manually adding users with a form (that matches the registration form); I attempted to re-enabled registrations. Immediately I got 2 new spam users and blogs.

New User: terrence1603615
Remote IP: 65.75.250.92
terrence1603615@LIEMAIL.INFO

New User: cooper7790557
Remote IP: 65.75.250.92
cooper7790557@THEINBOX.INFO

This is only happening on one of my installs (http://anglersites.com). Running WPMU 2.9.2/BP 1.2.2.1. My other install (http://fellowmoms.com) is running WPMU 2.9.2/BP 1.2.3 and is not having this issue.

Any reason to think BP update would resolve this? Looks like current version is 1.2.4.1.

Is anyone else experiencing this? Looks like disabling the registrations stops it; from my previous post these were delayed notices. As soon as I disabled registrations again, I recieved a flurry of “Password Lost/Changed” for a couple users (one of them was an active user that was not newly created). I marked this user as spam.

Surely someone else is getting hit?

I have a couple BuddyPress installs. The older of the 2 has received 150+ spam member registrations (and blogs) this weekend. All create members like bob45873675 and “Bob’s Blog”.

I have changed slugs, activated recaptcha and followed several blog posts on best practices. What’s interesting is they are somehow bypassing my registration page. I have required fields and have removed the “create a blog” from the registration page; but somehow they manage to create an account and a blog. I also receive “lost password reset” email notices for each account that is created, so maybe that’s a clue to where the issue is.

I was so fed up with it, I disabled registrations completely (only allowing blog creation by logged in users) — and I’m still getting new spam members and blogs (how is that possible??) This seems to be a pretty serious security issue that is different from previous “splogging”…

Vulnerability/hack in the registration or lost password, etc…?? I presume this could be WPMU not necessarily BP?

I am also having this problem – I guess everybody is. I also followed the tips you mentioned and initially, it reduced splogger registrations a lot.

However, I disagree with Terry: there are not real people setting up blogs and answering captchas, these are bots. As kiwipearls mentioned, if you go and try to sign up manually, you have to fill in the required fields.

There is a leak somewhere in BuddyPress/WPMU registration and all methods to stop the oil have failed until now. BP (haha) people say it’s WPMU and the other way around, I guess. The leak has been here for months and nobody seems to want to fix it. Maybe it’s some kind of corruption since the premium site Terry mentioned has a way to fix it.

@kiwipearls the only product I’ve fond effective (about 95%) is the antl-splogging @ http://wpmudev.org – it’s a premium membership site on he expensive side, but it’s working for me. (btw ~ i’ve used all the methods you listed above) – my thinking is that sploggers are hiring people to setup their blogs and answer captchas…

HELP!!!

Trying to get your e-mail adres or just a sloppy topic from someone who doesn’t know marketing.

Delete/Spam anyone?

you want to sell themes?
give us a sample delete this spam!!!

It would always get labelled spam on a forum of the type that helped people for essentially no return, on the technical forum that is my home we don’t allow posts like this.

Here’s a different take on the matter why not offer one or two themes for free download, BP is starved of finished themes for members, start a group for themes? people may be more inclined to accept the promotion of the paid for offerings then? or simply have a ‘Donate’ button like the plugin authors on the site who spend anywhere from 6 hours to possibly ten times that coding essential plugins for the community and for free accept for the optional donations people may make.

and this is where a report to mod for spam would come in handy.

It’s a lot easier to do the whole thing from MySQL. One query, one click to mark 95% of spammers as spammers (or delete them if you want) and you can modify the query to do anything with anything they left behind them. I clean up their ‘activity’. Marked almost 400 spammers last night and only had to manually check and mark 4 or 5 more.

Don’t hold your breath for a plugin – I did, and I went blue in the face

If you’re like me, and did not do a DB backup because you thought the upgrade would be smooth sailing (d’oh! thankfully this was only on a test install!), do the following:

1. Revert the $blog_ids variable in the bp_blogs_record_existing_blogs() function in bp-blogs.php back to this:
$blog_ids = $wpdb->get_col( $wpdb->prepare( "SELECT blog_id FROM {$wpdb->base_prefix}blogs WHERE mature = 0 AND spam = 0 AND deleted = 0" ) );

2. Then put this line in your theme’s functions.php:
bp_blogs_record_existing_blogs();

3. Go to your BP’s blogs directory and see your blogs repopulate.

4. Once you’ve verified that your blogs are back, remove the bp_blogs_record_existing_blogs() function line from your theme’s functions.php

doing a merge of the 1.2.3 and 1.2.4 – looks like this function changed and is called during the installation process. I don’t run WPMU/MS – if anyone can verify this is the problem and submit a trac ticket

1.2.4
function bp_blogs_record_existing_blogs() {
global $bp, $wpdb, $current_site;

/* Truncate user blogs table and re-record. */
$wpdb->query( “TRUNCATE TABLE {$bp->blogs->table_name}” );

$blog_ids = $wpdb->get_col( $wpdb->prepare( “SELECT blog_id FROM {$wpdb->base_prefix}blogs WHERE mature = 0 AND spam = 0 AND deleted = 0 AND site_id = %d” ), $current_site->id );

1.2.3
function bp_blogs_record_existing_blogs() {
global $bp, $wpdb;

/* Truncate user blogs table and re-record. */
$wpdb->query( “TRUNCATE TABLE {$bp->blogs->table_name}” );

$blog_ids = $wpdb->get_col( $wpdb->prepare( “SELECT blog_id FROM {$wpdb->base_prefix}blogs WHERE mature = 0 AND spam = 0 AND deleted = 0” ) );

Maybe we should ask this question in a spammer’s forum

Andy Peatling once told me it was more of a WPMU problem (are you using WPMU?). But I have also heard people reporting the problem only arises once BuddyPress is activated. I don’t know, sorry.

I reduced Sploggers to about 20 per day, which is OK for the time being to handle (but of course quite annoying). Looking forward to solutions – as we all are, I guess. I can’t imagine anyone not having this problem – since I have so much spam on a hardly known site.

@Dwenaus is spot on guy, (IMHO) sorry. Let’s face it, the examples he gave all put their listing here for viz purposes only. It’s almost spam-like. The photo gallery one is the worst infraction as it is the most misleading. Everyone in BP-land anxiously awaits a fully BP aware image plugin (we’re talking ones that integrate with xprofile, the activity stream etc) There are tons of gallery plugins on WP (I use NextGen Gallery a lot) but they are no different than this one. Why don’t they ALL get listed here? They shouldn’t. The only reason they added #buddypress to their listing was exposure. I have written that plugin dev many times to get clarity on this and they have disappeared. That’s because they just wanted exposure.

Are there useful WP only plugins in a BP world, of course. Should they be tagged as such? Debatable. Boone, Jeff, and others have done such great work in BP specific stuff that it becomes an insult and a disservice.

This is different than the WP plugin repo. It requires some moderation ( @jjj and @apeatling you listening?) because to build a BP plugin is non-trivial.

PMs are disabled on here for now due to spam; I’m guessing the old messages are still in the DB though.
Awaiting further word about this from Andy.

This is why we need to intercept spammers. This is a the first thing I saw when I logged in!

http://img337.imageshack.us/img337/3872/blahg.jpg

I couldn’t be more excited about the merge of mu into 3.0. Finally I can come out of the closet I’ve been hiding in for so long.

On most forums, as soon as I mention that I run mu, I get the proverbial, ‘not supported’, argument, whether it’s a theme or plugin purchase, or even a simple question. I suppose in the long run I should be grateful for the treatment I received most places as it really has taught me to be more self-sufficient. I actually spend more time now learning how to code then all other activities combined. As frustrating as it’s been, I have to say it’s been more than worth it. It’s almost a joke going back a year or two and reading the questions I had on other forums. And to think.. at the time I was running hundreds of client websites. Little did I know just how little I actually knew. It’s also important to mention that the absolute best wp coders that I have met all either run mu, or are intimately familiar with it. Many of those people are here on this site. Their level of expertise is head and shoulders above the normal wp user.

@johnjamesjacoby has it absolutely correct. The more time you spend on the theme of the site, and especially the back-end administration portion, the more the site really starts to shine. I’d say that I spend an equal part on modifying the looks and functionality of the backend as I do the theme. Basically every time one of my customers asks me how to do something that I believe they should be able to figure out on their own, I go back and try to find ways of making it more intuitive for them.

Most of my clients don’t even know they are running wp/bp. They simply wanted internal group communication systems, and it just turns out that bp fits the bill almost perfectly. What better system could there be than a system where I can give a client who has multiple locations a series of sites all connected together, cohesive, and simple to use. Gone are the days of having to stitch together or bridge multiple systems. I’m so glad that I will never have to write or pay for another bridge script again, only to have one of the products die a slow death on the vine. I really believe wordpress and possibly buddypress are here for the long haul.

It’s also important to mirror what JJJ said about site size vs. features. I have some very small client sites, where it would make no sense to turn on most features. Doing that would only confuse the users and make it look awfully lonely. Then again I have sites with thousands of users. Turning on most of the features for them would make perfect sense, as everyone finds their own little area of the site that they enjoy. Bp makes this very easy.

@shnooka30 I’m actually one of those people who couldn’t be more excited about the plugins to give sub-blogs their own bp installs. To me, that is the biggest current downfall of bp, other than privacy and spam which are being addressed.

The entire reason I went to wpmu in the first place was that it was horribly inefficient to run hundreds of separate installs. I spent way to much time having to update sites one at a time. Wpmu, literally saved me hundreds of hours a year in updating time alone. It’s only because of the plugin not being available yet that I don’t offer bp to many of my client sites. When the plugin is ready, then I hope to jump in with both feet. At least the wait has given me the time to get a real understanding of the bp code base before adding it to the mix.

Bottom line is those who run undermanned or lousy setups of bp on shared hosting, which is the majority of users, will die off very quickly. Everyone else who does it right will appear so different in both appearance and service, that the public won’t even put the two together.

Is there anyway to disable activation emails so that people do not have to click to activate their membership? We are using the s2member plugin and 95% of our paid users miss the email or it gets filed in bulk email.

Hi Jeff, I can’t make the chat Wednesday as I’m going to be on a plane between London and Hamburg, but I wanted to add to this:

1. wp-recaptcha — I’m working with the developer of this plug-in so that we have one fork that works everywhere, BP included. Given that this is the topic, let me try to get that basic code up. Even with simple recaptcha support, there’s a huge decrease in spam signups. It seems not to solve the smartest scripts, the ones that send PMs (at least not on our site), so I think once we get one recaptcha working, making the “failed” recaptchas more intelligent to avoid these automated bots would be great. Thanks for the ideas above — this is great fodder — so I’d encourage people to get involved on the same fork so we can put this into action sooner rather than later. Let me post a separate update within the next couple of days.

2. Since PMs are a big problem, and this thread is getting very, very ambitious, why not at least begin testing this with a separate plugin? I’d like to at least see something that stops mass-mailings and highlights that user, as that’d be an easy way to weed people out, at least as more comprehensive solutions are developed.

3. Reviewing core is probably worthwhile. A mistake in bp_signup_validate’s code was being exploited by hackers. I know this is part of 1.2.4, but I went ahead and applied the diff attached to this (now-closed) ticket to our current 1.2.3 install:
https://trac.buddypress.org/ticket/2289
— this made a big difference. I wonder if anything else follows this pattern, and how we might hunt it down.

Grand, wide-reaching plans sound terrific, but I’d hate if that derailed some short-term fixes; seems we can have both.

Closing this thread per Jeff’s comments, I think discussion should continue in the thread that Stas’ linked to.

As @sushkov states, the issue of spam in BuddyPress is currently being discussed in depth. Please search before you create a new thread. There are many threads on the same topic. Creating a new one does not help.

Hi,
there’s an interesting thread started on this subject:
https://buddypress.org/community/groups/requests-feedback/forum/topic/here-come-the-spammers/