BuddyPress.org

In MU, there *is* an option to block certain email domains. There’s a funny way to put in wildcards though.

,

Thing is Andrea that doesn’t appear to make a blind bit of difference, we had a number of signups from half a dozen email domains repeated over and over, easy I thought, first line of attack drop those domains in the block list. Didn’t do a thing those same email domains kept coming through. I suspect that when someone looks into it they will find that BP registration bypasses this check somehow! sadly!

That won’t harm anything, but it won’t stop signups from that domain, just requests.

In MU, there *is* an option to block certain email domains. There’s a funny way to put in wildcards though.

This should probably happen. Even so, if you mark the blog author as a spammer, it will also mark the blog as spam and remove all the posts.

@Peterverkooijen

as has been said to you many times before. if you don’t want to use forums, then turn them off. and please don’t spam the forums every chance you get with your comments about forums and bbpress. by now we’re all well aware of your opinion. cheers!

So to sum up:

• Change your signup slug
• Add some required custom profile fields (or use the hashcash trick posted at the start of this thread)
• Disable “Allow blog administrators to add new users to their blog via the Users->Add New page”
• Delete BuddyPress credit in footer.php
• Delete wp-signup.php
• Create a robots.txt file with User-agent: * Disallow: /register/ (or whatever your slug is)
• If all else fails, use CAPTHCA or preferably a simple random question (what colour is snow)

Am I wrong or missing anything?

Also… all of my SPAM registrations were coming from .info domains. I added this to my .htaccess file but I’m not sure it’s correct. I found a million examples via Google search for how to ban full domains or subdomains… but nothing about blocking an entire extension (i.e… whatever.info). Anyway, this is what I wrote:

RewriteCond %{REMOTE_HOST} \\.info$

RewriteRule .* - [F]

This is currently done when a user is marked as a spammer; this probably is best to go on https://trac.buddypress.org/ as an enhancement ticket.

When a user is marked as a spammer, all of their Activity data is deleted in the database. There’s no way to retrieve. They essentially start out as new users as far as BuddyPress is concerned; they’ll need to log in or edit their profile, etc, in order to appear throughout the site (on the members directory, for example).

“The only other way I can think of is that a member is “inviting” them via the “Allow blog administrators to add new users to their blog via the Users->Add New page.” on the WPMU options page, so I’m going to disable that as well now.”

That’s one of the first things I turn off.

I must be overworked or hallucinating. Signups are disabled, wp-signup was deleted some time ago, and they are still creating new accounts and blogs as we speak! How is this possible? For a while I kept entering the ip s in wp-ban and had given up on that plugin, but I noticed it caught about 600 attempts in the last 24 hrs. Still, a few dozen got through anyway.

The only other way I can think of is that a member is “inviting” them via the “Allow blog administrators to add new users to their blog via the Users->Add New page.” on the WPMU options page, so I’m going to disable that as well now.

We’re still a relatively small and young community and all these restrictions and jumping through hoops is hurting us.

I’m starting to get hit now :o( I have had a custom slug for weeks. I added a robots file today disallowing bot access from /my-signup-slug/ and also installed invisible defender but I’m still getting spam registrations. I also just deleted my wp-signup.php file. I’m going to try hashcash. I’m also considering a htaccess file that simply bans ALL traffic to the entire website from Russia, China and any .info domains.

Google ‘robots.txt file’ for starters

@Andrea_r good thought, how would that look like?

Block the registration page from the search engines. JUST the register page.

Well, I pretty much tried most of the suggestions here on this thread, and for a couple of days it was quiet. But since yesterday a new and much more aggressive wave is battering my poor little site with as much as 70 new accounts and blogs per hour.

The last wave started shortly after this log entry:

http://www.webwarper.net/ww/~av/www.google.com/search?hl=en&q=site:.NET%20inurl:%22register%22%20intext:%22Registering%20for%20this%20site%20is%20easy,%20just%20fill%20in%20the%20fields%20below%20and%20we%27ll%20get%20a%20new%20account%20set%20up%20for%20you%20in%20no%20time.%22&start=10&sa=N

These accounts don’t have ANY fields filled out from the BP registration form. Even if I re-write that page they’ll just pick something else to hunt for. I’m back to asking folks to contact me if they want to join the site, but that’s a major deterrent for most, understandably.

Hi,

This was an issue with looking for spam and deleted fields in the db. They were not there in wordpress install so I removed this contraint. I just checked in version 1.1.8 to fix this.

Thanks,

Dave

I don’t know if you’ve found a treatment, for this, but I’d suggest a plugin named HashCash from Donncha:

http://wpmu.org/wp-hashcash-for-wpmu/

Unfortunately I have the same problem as the two of you. I am running fresh installations – newest WPMU and BP.

It was running all fine.

Now I (admin) get no email notifications at all – users do not receive any either. The activation emails are not being sent. The WPMU ones are not sent out either.

I am using a catch-all email on my email host to be able to sign up with different emails on the same domain.

First thing I was thinking was whether BP or WP was thinking all this signup from the same email domain was SPAM and therefore closing down signups from my IP or whatever.

I have searched for answers and found this: https://mu.wordpress.org/forums/topic/13039

Apparently some hosts do not allow automated emails to be sent out.

(However, if my host do not allow this, how come it worked fine for two weeks?)

Only plugin I have installed is the cets-blog-defaults. I have tried to deactivate it, but it does not help.

This is really frustrating

In SocialGo’s defense, there’s nothing wrong with asking money for a service/product. SocialGo and Ning are good solutions for a certain class of users. The difference is “software as a service” vs self-hosted.

Another option is SocialEngine, which is self-hosted but not free and probably a bit more business-ready than Buddypress because of it – better member mgmt, anti-spam, photo + event plugins, etc.

My solution against spam:

I replaced the whole content of wp-signup.php with

header( ‘Location: http://mysite.com/register’ ) ;

Since than no more spam

Think it through … it is a kind of Microsoft moment

Spamming WPMY/BP is only popular enough because there are significant numbers of unmodified installations going on.

Because there are a significant numbers of unmodified installations going on we … and our servers … all take a hit on this crap.

So … disincentivize the platform by making that custom modification obligatory … for all … during the installation process.

Spammers would face a pretty impossible or unrewarding task and move their attentions elsewhere.

Does that work logically and technically?

It is not good enough just to point out one can change it … the problem is not enough people are and hence we are all paying for the vulnerability of the platform.

So shut that vulnerability off. Simple, no?

Use captcha, have one profile field be required and change the slug.

define( 'BP_REGISTER_SLUG', 'name-this-something-unique' );

oh and if you are on WPMU then you need to disable the ability for blog owners to add users via their admin section. This is an easy way for spammers to get entry.

Thanks everyone for the tips and tricks, I’ll be checking this page again!

It’s strange but the moment I upgraded to WP2.9.2 and BP 1.2 spam started again.

Previously, I just added SI Captcha and I went from getting 10-20+ spam registrations to none. I added WP-hashcash now and I’ve only had one registration since.

I’ve just disabled the blog registration on the signup page, hopefully that’ll help too.

By the way, there’s also a meta tag in the header of many templates :

<meta name="generator" content="WordPress 2.9.2" />

Removing that may help too….

the activity means someone who is active on the site… registrations have to be complete before being considered active… this is to avoid spam bots to be considered active on the site… so when the new members visit the site back and “do” something, they are tracked by the actvity stream.

I’ve now deleted the register pages inside the bbpress folders, and that seems to have halted the spam registrations for now. Fingers crossed