Protecting your events against spam

It can happen at any time.  You’ve opened your event for registrations and you are suddenly inundated by obviously fake users and incomplete transactions.  Spam is everywhere (and we don’t mean the food).  It’s in your inbox, it’s in your comments, and it’s in your events.

Where does it come from?  A lot of spam — particularly the type of spam that fills up contact forms (and event registration forms) — comes from a specific kind of script designed to identify potential security holes in a site.  These types of applications are designed for admins to check their site before deploying it live, but in the wrong hands they can be run against a site, or a series of sites, automatically, and — at the very least — inject huge dumps of worthless code into your database and — at worst — obtain database access and the ability to manipulate the data stored on your server.  There are a few different ways you can protect yourself, your data and your event site against spam registrations.

The first option is the best solution and the most recommended: enable the mod_security module on your Apache installation. Most spam registrations come from bots or scripts that crawl a site looking for forms and fill them with data remotely (i.e. it’s not actually done by a human visiting your site, but by a machine that submits your form without ever actually visiting your site the way a person would). The mod_security module protects your site against these kinds of remote submissions. If you do not have access to configure which Apache modules are enabled or disabled on your server, you might ask your web host whether it is possible to enable it. In my opinion, this should be on by default on all Apache servers (and IIS and nginx — which it also supports).
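ModSecurity only acts on the rules loaded into it, so as an added illustration (not Event Espresso's or the author's configuration), here is a ModSecurity 2.x rule set for Apache that rejects registration POSTs sent without a User-Agent header and limits how many one client address can send. The form path `/event-registration/`, the rule ids and the threshold of 5 POSTs are assumptions to adapt to your own site.

```apache
# Added example. Values marked ASSUMPTION are placeholders, not Event Espresso settings.
# Persistent collections (the ip.* counter below) need SecDataDir to point at a
# directory the web server can write to.
<IfModule security2_module>
    SecRuleEngine On

    # Open a per-client collection keyed on the source address.
    SecAction "id:1000100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

    # ASSUMPTION: the registration form posts to /event-registration/.
    # Reject registration POSTs that carry no User-Agent header at all.
    SecRule REQUEST_URI "@beginsWith /event-registration/" \
        "id:1000101,phase:1,t:none,deny,status:403,log,\
        msg:'Registration POST without User-Agent',chain"
        SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule &REQUEST_HEADERS:User-Agent "@eq 0"

    # Count registration POSTs per address. The counter is discarded 60 seconds
    # after the most recent POST, so a client that pauses starts again from zero.
    SecRule REQUEST_URI "@beginsWith /event-registration/" \
        "id:1000102,phase:1,t:none,pass,nolog,chain"
        SecRule REQUEST_METHOD "@streq POST" \
            "setvar:ip.reg_posts=+1,expirevar:ip.reg_posts=60"

    # ASSUMPTION: more than 5 registration POSTs in that window is automated.
    SecRule REQUEST_URI "@beginsWith /event-registration/" \
        "id:1000103,phase:1,t:none,deny,status:403,log,\
        msg:'Registration POST rate limit exceeded',chain"
        SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule IP:reg_posts "@gt 5"
</IfModule>
```

Running with `SecRuleEngine DetectionOnly` first lets you review the audit log for false positives, such as many attendees registering from one office address, before the rules start blocking.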

If enabling mod_security is not a possibility in your environment — either because you do not have access to your Apache configuration or your host is not able or willing to enable or install the mod_security package — you can use reCAPTCHA to require that attendees fill out a CAPTCHA form before their registration is recorded. reCAPTCHA is part of an initiative to digitize books, newspapers and radio recordings.  Every time you enter a response in a reCAPTCHA form, you are helping the software identify real words that a computer was unable to read.  Since the words that appear in a reCAPTCHA form have already defeated sophisticated OCR technologies that tried to translate them into text, spam bots aren’t likely to be able to read them, either, so you’re protecting your forms when you require a CAPTCHA for verification.  While this can arguably be somewhat more annoying to the user, it will thwart any bot attempt to fill the form with garbage.  For more information about how reCAPTCHA works, check out the reCAPTCHA site.

You can also use the Event Espresso WP User Integration plugin to make all your events member-only and require your users to log in using the built-in WordPress user registration system. Even if you do not have some form of human verification on your site’s registration process (this is not recommended, especially if you’re already getting hit by spam registrations), the additional steps a bot would need to go through, registering for the site and then logging in before it is able to register for an event, mean that you are safeguarding your events against a potential attack by a script. The benefit of this over using reCAPTCHA is that there are a number of options in addition to reCAPTCHA in which users who register must verify that they are not a bot by answering an admin-defined question like “what color is the sky” or “what is two plus four” as opposed to trying to decipher a hard-to-read CAPTCHA image.

Event Espresso runs sanitization and data validation checks on all information that is stored in the database.  This means that anything one of these scripts injects gets cleaned before being stored in the database, which, in turn, means that none of the data that gets dumped into your system is likely to cause any real damage to your site or expose any hidden passwords or personal information.  However, dealing with a site that has been hit by thousands of fake user registrations can be tedious and time-consuming.  Protect yourself, and your valuable time, by checking with your host about whether mod_security is enabled.  If you are seeing registrations to your events that are obviously fake, take one of the precautions mentioned above and save yourself a lot of headache.

For more information, head over to the support document for anti-spam and reCAPTCHA.
