Disable BuddyPress and all other plugins. Does the blacklist work? If it doesn’t, it’s a WordPress problem. If they do work with WordPress, re-enable each plugin one at a time until it stops working. If BuddyPress is the culprit, please report a bug ticket on https://trac.buddypress.org/ using your username and password from this site.
I’m having this too…and it seems to have really gotten worse in the last 2-3 days.
I’ve recently bumbed to 1.2.3 and updated a handful of other plugins.
@mac -any luck finding the culprit?
Any chance 1.2.3 is doing this?
I can’t disable all the plugins, because my network is big, and there are many people. This problem I have for a very long time (from BP near 1.0).
It’s not 1.2.3 I’ve mentioned this but no one responded to the point . The feature doesn’t work or didn’t work in 1.1.2 and I think but am not sure yet that it’s not working in 1.2.2.
trouble is with disabling all plugins and buddypress is that on productions sites where the issue would be apparent – difficult to recreate in a local dev environ – one doesn’t really want to do this!
If you cannot rule out everything else other than BuddyPress, we aren’t going to track it down.
True, I keep a test install running live with minimal plugins other than BP, I can perhaps disable BP and take it back to WPMU and open registrations again and see what gets through and report that back which might help, but won’t be able to set that up till later.
I can’t experiment either and am getting 10+ spam signups an hour. yikes.
But there are many steps one can initiate to stem that tide of spammers, although the domain blacklist is an issue in not apparently working I have still had reasonable success in reducing spam signups to around a dozen a day and still have one or two steps that I haven’t taken yet
This has been a wordpress mu issue for a while off and on.. I discussed an idea about at mu forums:
https://mu.wordpress.org/forums/topic/13982
[blockquote]
I too have noticed that even putting domains in the block list seems to not stop future registrations. Here is a thought of mine.
MAYBE a spammer actually signs up 100 new accounts, and then only activates one a day. So even though we have added his domain to the ban list for signups, he still has 99 more that have been signed up, but not yet activated?
If this is the case I would like to see MU add core code that checks to see upon activation if the domain they originally used to signup has since been banned, and then prevent them from activating if it has.
Just a thought, not sure if this is the case – but it may be worth looking into.
[/blockquote]
It was suggested that I add this suggestion to the trac, ( https://core.trac.wordpress.org/ )
but I really don’t know how to use that thing…
not sure that it is a buddypress specific issues, but I DO believe that the spammers are looking for buddypress phrases when compiling their lists of sites to hit…
@Djsteve
This seems like a buddypress flaw, not a wordpress or mu issue.
Perhaps if buddypress can’t read the wpmu blocked domains, maybe BP needs it’s own domain banner.
There are multiple entry points for SPAM bots… so any one measure probably won’t accomplish much. I posted a list of everything I did in the “Spam, Spam and more Spam” thread. Worse case… you could try captcha.
Worse case… you could try captcha
Is there one you could recommend?
It would be great if some coder could write a simple admin defined question and answer plugin for the registration page.
I added captcha – and I still get multiple signups from the same dozen or so email-domains, even though they are already in my blacklist..
I am checking on another hunch today… I think there is a possibility that maybe having the same entry twice in the blocked domains could be causing an issue with it not working – that seemed to make it fail once before… I just pasted the domains I had banned into a spreadsheet and then sorted it alpha – and I had the same domain listed several times in several instances… now to clean it up and try it again.. I now have 437 banned domains in my list.. maybe there is an issue there?
Maybe these qualifiers should be added to the trac for fixing? on buddypress and maybe mu?
I will read the spam spam spam thread and see if there is anything else I can do as well.
FWIW, this wasn’t a problem for me until I upgraded to 1.2.3. Maybe it’s a coincidence, but I’d banned .info a few weeks ago and hadn’t gotten any registrations from them since. But since the upgrade, I get 30-50 .info’s a day.
Are we sure nothing changed in 1.2.3 that would effect this?
I have the latest versions of WPMU and BP, but I have tonnes of spam.
It’s a pity, there are not any antispam plugins for BP which work on the registration page.
I said I’d try and establish some test conditions to try and determine whether banned email domains were an issue in WP or BP, tests were not hugely conclusive sadly.
site running out of the box no modifications (WPMU / BP) – no anti spam measures in place. had been receiving ~ 10 -20 spam registrations daily (quantity of spam is governed to some extent by search engine ranking /prominence)
1/ Running WPMU 2.9.2 ALL BP plugins deactivated site open to user account registrations only.
24 hour period = no spam registrations at all – a surprising result!
2/ Conditions as above (1) but allowing blog to be registered
Start to receive spam signups – not many but only observed over a 6 hour period.
These do not match to any banned emails domains entered by me, so on the surface looks as though banned domains working BUT this is far from conclusive as they may simply not have attempted to.
3/ Activate BP 1.2.3 allow accounts and blogs to be registered.
Spam increases – not hugely though! of the 6- 8 received in a 12 hour period one is noted as having an email domain that matches to one entered in the banned domains list.
None of the above is that conclusive or useful sadly, it’s a difficult subject to run tests on. It does appear that BP probably does have some problem with the banned domain list, but then I get the impression that with each version 1.2.2.1 / 1.2.3 spam issues feel as though they are lessening but others may not be experiencing that.
A plugin or tweak that could get BP to recognize the banned list would be awesome…
“Banned Email Domains” only exists in WPMU. It exists in WP 3.0, but again only in a multi-sites configuration. BuddyPress doesn’t make use of it currently. This would be a good feature to add for BP 1.3, which will be the version that offers supports for WP 3.0.
*puzzled* have you just found that out then DJPaul?
I had made a small plugin (question) on the registration page (if somebody needs, let me know). Tonnes of spam disappeared, but some strange spammers still register.
I noticed, that they have empty needed fields in from registration form. Therefore spammers register not from BP registration page. But from where?
I’m getting several spammers signing up, I have the Anti Splog plugin (here) and the reCAPTCHA is turned on.
Email Activation is turned on.
AND I’ve blocked all of the emails on this list (here)
HOW ARE THEY GETTING THROUGH!
There actually is a function in buddypress but it is named different from the wpmu version, and I can see no way to administer it.
If you check your bp-core-signup.php file you will see:
`$limited_email_domains = get_site_option( ‘limited_email_domains’, ‘buddypress’ );`
Just change this line to:
`$limited_email_domains = get_site_option( ‘banned_email_domains’, ‘buddypress’ );`
This will solve signups from excluded domain list. Hopefully this will be incorporated in bpress core for compatability.
@rondilly I was eager to test your solution, but it does the opposite of what you propose. It will make it so ONLY BANNED DOMAINS can register. Essentially, you are defining limited domains (“If you want to limit blog registrations to certain domains.”) with the banned email domain list.
Has anyone made any progress with this? Will we have buddypress checking for banned email domains soon?
Will we have buddypress checking for banned domains upon registration and perhaps even again upon activation?
Can someone please add the possibility to add *.info in a way that works
I know this won’t stop all spam and splogs – but I am getting tired of deleting a dozen spammers every day that are mostly from the same dozen domain names that I have added to the block list. This would save lots of people hlaf the splog deletions, and that adds up to a lot of time saved.
BTW – has anyone tested buddypress with TTC Spam Bot Registration plugin (https://wordpress.org/extend/plugins/ttc-user-registration-bot-detector/ )to see if there are any issues? I am guessing it may still be bypassed by buddypress even if it worked in WP?
Ok. Here’s the code. Find this in bp-core-signup.php
if ( is_array( $limited_email_domains ) && empty( $limited_email_domains ) == false ) {
$emaildomain = substr( $user_email, 1 + strpos( $user_email, ‘@’ ) );
if ( in_array( $emaildomain, (array)$limited_email_domains ) == false )
$errors->add( ‘user_email’, __( ‘Sorry, that email address is not allowed!’, ‘buddypress’ ) );
}
BELOW IT, ADD THIS;
//MY HACK
$banned_email_domains = get_site_option( ‘banned_email_domains’, ‘buddypress’ );
if ( is_array( $banned_email_domains ) && empty( $banned_email_domains ) == false ) {
$emaildomain = substr( $user_email, 1 + strpos( $user_email, ‘@’ ) );
if ( in_array( $emaildomain, (array)$banned_email_domains ) == true )
$errors->add( ‘user_email’, __( ‘Sorry, that email address is not allowed!’, ‘buddypress’ ) );
}
//MY HACK
