Spam registrants bypassing required fields

Posted: October 24, 2013 at 2:14 pm


infosolwebadmin

October 24, 2013 at 2:14 pm

I’ve got a free event set up here: http://azbocug.com/register/ (all up to date, running MER, Calendar, and Recurring plugins)

We were using a different method to capture attendees and switched to EE a week or two ago. We started getting spam registrants, so I set up recaptcha and it appeared that the issue had gone away because I wasn’t receiving any more spam registrant email confirmations, only ones from legitimate signups. Today I had a few people register, so I went into my event overview and saw that we are still getting slammed by spam registrants. The weird thing is that:

A) I wasn’t receiving any email confirmations for these spam registrations and the emails are not in my junk folder in outlook and they weren’t caught in my work network’s spam filter either.

and

B) There are two required fields in the signup form that are check boxes and the spam registrants never check either. I’ve downloaded the excel list of attendees and these fields are either blank or have just a single quotation ” in them.

Any idea how this happens and how it can be stopped? They shouldn’t be getting through, I’ve gone through and left the required fields blank/unchecked, entered the captcha, and can’t get through (and no attendee record is created for my registration), so I’m not sure what’s going on there. Now I need to go in and delete all of the spam attendees. Mod_security isn’t an option on our current hosting account either.

Thanks


Josh

  • Support Staff

October 24, 2013 at 2:27 pm

One thing that may help is use a plugin that logs the IP addresses of the site’s visitors. These are likely coming from one IP address that can be banned.


infosolwebadmin

October 24, 2013 at 2:43 pm

Are there any particular plugins you’d recommend looking into? I clean out the spam comments on a few different WP sites we run that make it through our anti-spam measures and they tend to be from an endless variety of IP addresses. Sometimes you’ll get multiple comments from one IP (I’ll then go in and block that IP), but it’s an uphill battle so I’m not sure it will be that easy. Blocking IPs from countries other than the US might be an option, because anyone outside of the country (really just our state) shouldn’t be registering for events anyways.

That’s just throwing a bandaid on the issue though, curious to see how/why bots are getting past required fields and why I don’t get confirmation emails when they do. Something is up.


Sidney Harrell

October 24, 2013 at 3:35 pm

If they don’t hit the “confirm registration” button on the confirmation page, then they will get entered in the DB, but won’t get to the point where the confirmation emails go out. It is possible to avoid the required fields by altering the html in chrome’s element inspector, for example, to remove the “required” from the input’s class, but it takes some work. I’m stumped on how they are getting past the recaptcha, though. If you log into your google account where you get your recaptcha api keys, can you get a log of the uses of that key? I did notice it is using numbers, which may be easier for a character recognition program to read. Can you change it to words?
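
The reply above notes that a "required" marker in the form's HTML can be removed in the browser, so the rule only holds if the server checks it again on every POST. The following is an added example, not part of the original thread and not Event Espresso code; the field names and function names are hypothetical, and the sample submissions are constructed.

```php
<?php
// Added example: server-side re-validation of a registration POST.
// Field names are hypothetical, not Event Espresso's own.
const REQUIRED_TEXT = ['fname', 'lname', 'email'];
const REQUIRED_CHECKBOXES = ['agree_terms', 'member_confirm'];

// Reduce a submitted value to a string, treating stray quotes as noise.
function normalize_field($value): string
{
    if (is_array($value)) { // checkbox groups can arrive as arrays
        $value = implode(',', array_filter($value, 'is_scalar'));
    }
    // A lone " (as seen in the exported attendee list) counts as empty.
    return trim((string) $value, " \t\n\r\0\x0B\"'");
}

// Return a map of field name => problem; an empty array means "accept".
function validate_registration(array $post): array
{
    $errors = [];
    foreach (REQUIRED_TEXT as $name) {
        if (normalize_field($post[$name] ?? '') === '') {
            $errors[$name] = 'required field is empty';
        }
    }
    foreach (REQUIRED_CHECKBOXES as $name) {
        if (normalize_field($post[$name] ?? '') === '') {
            $errors[$name] = 'required checkbox not ticked';
        }
    }
    $email = normalize_field($post['email'] ?? '');
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    return $errors;
}

// Constructed sample submissions: one bot-like, one complete.
$bot = ['fname' => 'x', 'lname' => 'y', 'email' => 'a@example.com', 'agree_terms' => '"'];
$human = ['fname' => 'Ann', 'lname' => 'Lee', 'email' => 'ann@example.com',
          'agree_terms' => 'yes', 'member_confirm' => 'yes'];

foreach (['bot' => $bot, 'human' => $human] as $label => $post) {
    $errors = validate_registration($post);
    // Only write an attendee record when $errors is empty.
    echo $label, ': ', $errors ? 'rejected (' . implode(', ', array_keys($errors)) . ')' : 'accepted', PHP_EOL;
}
```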


infosolwebadmin

October 24, 2013 at 5:09 pm

Are you able to change the code in EE so that registrants don’t get submitted into the database unless they hit enter on that last confirmation page? We are getting a lot of spam and I’m not worried about tracking whether or not someone got halfway through the registration process and then backed out since the only event on that site will always be free. I logged in and don’t see anywhere to find a log for the keys, if you find a way let me know and I can get that info. And apparently it switches between numbers and words, when I looked at the page in incognito mode (so captcha shows up) it was giving me letters/words. Had a coworker check and he got numbers and kept refreshing his browser to get a new set and after 4-5 refreshes he started getting words.

That’s clever using chrome’s inspect tool to bypass the required fields…have been using it all week to test out CSS changes before editing the live stylesheet and never would have thought to try/do that.


Dean

October 25, 2013 at 3:06 am

Hi Yolande,

Unfortunately changing the code to stop users being added at the confirmation page would change the underlying code of the registration process, so this isn’t something we can do and is not on version 3.1.X’s roadmap.

The support post ‘Spam registrants bypassing required fields’ is closed to new replies.
