
Increase in spam account registrations - Implement reCaptcha #682

Open
kkilbey opened this issue Jul 26, 2019 · 23 comments

Comments

@kkilbey

kkilbey commented Jul 26, 2019

Over the past few weeks, the number of spam users registering for accounts on EYPD has increased substantially. When I reviewed pending accounts today, 21 of 22 accounts were spam. Is there a way to prevent this?

The most common domains I see for spam accounts are "mail.ru" and "namnerbca.com".

@alex-418
Contributor

@kkilbey I looked through the history of our spam prevention efforts for EYPD, and this is an ongoing battle; here's the list:

#638
#107
#102

I would recommend that we use reCaptcha if our current solutions aren't sufficient. Otherwise, we're pretty much stuck playing whack-a-mole with spam bots. This also could improve our user experience, as we currently require every user to decipher hieroglyphs when registering.

@dshaykewich is looking into the official policy on using Google services, perhaps he can provide guidance, and a decision once he's got that information. I should also note that EYPD already relies on the Google Maps service to help users find events. So the same concerns should apply for this.

@dshaykewich

@alex-418 , I support using reCaptcha.

@paulagaube

This week I have already deleted about 40 "Pending" accounts that were spam, and then exported the Users report from earlyyearsbc.ca and discovered that there are about the same number of spam accounts that are currently subscribers (learners) on the prod site.

I started deleting those spam accounts and then decided to mark some as Spam, remove the Role of Subscriber, and add "-spam" at the end of the Nickname in the account. This is more time-consuming than just deleting the accounts, but I am curious to know if there is a pattern to these new accounts that are being created. Are these email addresses valid? If so, is it better to mark the accounts as spam so new accounts can't be created with that same address? On the other hand, if the spammers are making these new email addresses (aliases?) so easily, then marking the accounts as spam is futile, as they will just sign up with other fake email addresses. Still annoying.

@paulagaube

@alex-418 Yes, it seems this issue is a continuation of #107
Except that some of these accounts have actually completed the sign up as Learners.

Domains with *.ru are common:
yandex.ru
ya.ru

Also, there are quite a few spam accounts with gmail.com addresses, which makes them harder to find.
You mentioned that perhaps there is a better captcha we can use?

@dshaykewich dshaykewich added the bug label Aug 6, 2019
@paulagaube

FYI, this morning, on the day after a long weekend, I deleted 22+ "Pending" spam users on earlyyearsbc.ca and also about 15 "subscriber" accounts that were also spam users. I deleted the Pending accounts and marked the "subscriber" accounts as spam and removed their role from the site.

@alex-418
Contributor

@dshaykewich to provide Google credentials to generate API key for reCaptcha.
@alex-418 to put this on cert for testing and validation after #677 is completed.

@paulagaube

@alex-418 @dshaykewich @kkilbey I've just been checking and marking as spam the new spam accounts on the EarlyYears site and found that someone was able to register as an Editor and their domain name is not on the Validate by Domain list.

Here is the New User Registration Email we received:
Apache apache@eypd.bccampus.ca on behalf of WordPress wordpress@earlyyearsbc.ca
Fri 2019-08-09 1:08 PM
New user registration on your site Early Years Professional Development:

Username: ceceb

Email: info@ceceb.org

This domain name "ceceb.org" is not on our whitelisted domain names, and when I go to the website "ceceb.org", then the first page looks like it may be a legitimate site for a place in Richmond. However, only the home page has "real" content. The rest of the site is template/boilerplate. There is no person's name listed in this account except "Elevating Childhood Education Division Association". So this may also be a spam account.

I have changed the role on this account to "subscriber" only, so they can't post events.

@paulagaube

paulagaube commented Aug 13, 2019

@alex-418 @dshaykewich The Validate by Domain plug-in is not working on earlyyearsbc.ca.

I just tested signing up as an Organizer without using a valid domain name, and had no problem creating the account. I can now post events. This is not good.

We now have Organizers who are not authorized to post events on the site.

We had a similar problem before when I created the fake user.... it was to do with the activation code, in this issue: #526

@dshaykewich

@alex-418
BCc DevOps Google Account: devops@bccampus.ca
Sending Password separately...

@alex-418
Contributor

@paulagaube @kkilbey @dshaykewich Can any of you recall why/when we might've removed https://github.com/BCcampus/validate-by-domain from both cert and prod? Currently https://github.com/BCcampus/validate-by-domain is installed on both, but that one is meant for PB. I checked our issue history, and can confirm the whitelist was added as a setting/feature in the dashboard to Validate by Domain, to ensure you guys could manage the whitelist... anyways, at least we know why it stopped working, just not sure how we ended up removing it.

@paulagaube

@alex-418 I have no idea why that feature was removed! Can you tell when that was done?

@paulagaube

paulagaube commented Aug 14, 2019

So we have this written somewhere: In our standup this morning, we determined that the Validate by Domain plugin wasn't missing, but was not named correctly. One theory for why this plugin is not working is that the field number changed when we added the extra email verification field.

Here is a side-by-side screenshot of Prod and Cert. Note the different layout and the words underneath the fields are slightly different, when they should be the same.

[screenshot: ValidatebyDomain-layout]

@alex-418
Contributor

Thanks @paulagaube. I created #687 to tackle this, and #677 should resolve these other differences. I'm working on changes that will allow us to set the field name, instead of the field number, in these settings. Will update #687 for you to validate this there. This specific issue is getting kind of bloated; I would like to re-focus it on implementing reCaptcha so the work is clear and easy to validate on your end.
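The field-number versus field-name point above is worth seeing in code. The example below is added for this write-up and is not the Validate by Domain plugin's own code or settings: it constructs a registration form, a second layout with an extra field inserted ahead of the email field, and a spam submission, then shows a positional lookup reading the wrong field once the layout changes, a lenient variant (hypothetical, constructed here) failing open and admitting the spam registration, and a lookup by field name that survives the change. The allowlist, field names and sample submissions are all constructed; the `ceceb.org` and `mail.ru` domains are the ones named earlier in this thread.

```python
"""Domain allowlist lookup by field name versus field position (added example).

Illustrates the thread's theory: a check that reads the email address by form
field *position* silently reads the wrong field once an extra field is
inserted ahead of it, and a lenient check then fails open.  The form layouts,
field names and allowlist below are constructed and are not the Validate by
Domain plugin's own code or settings.
"""
import re

ALLOWED_DOMAINS = {"bccampus.ca", "earlyyearsbc.ca"}   # constructed allowlist

# Constructed form layouts: the second and third have an extra field inserted
# in front of the email field, which moves the email from index 2 to index 3.
FORM_ORIGINAL = [("user_login", "acme"), ("display_name", "Acme Events"),
                 ("user_email", "events@earlyyearsbc.ca"), ("role", "organizer")]
FORM_WITH_EXTRA_FIELD = [("user_login", "acme"), ("display_name", "Acme Events"),
                         ("email_verify", "483921"),
                         ("user_email", "events@earlyyearsbc.ca"), ("role", "organizer")]
FORM_SPAM = [("user_login", "promo"), ("display_name", "promo"),
             ("email_verify", "104877"),
             ("user_email", "promo@mail.ru"), ("role", "organizer")]

EMAIL_FIELD_INDEX = 2            # setting that was right for FORM_ORIGINAL only
EMAIL_FIELD_NAME = "user_email"  # setting that survives layout changes


def email_domain(address):
    """Return the lower-cased domain part of an address, or None if malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", (address or "").strip())
    return m.group(1).lower().rstrip(".") if m else None


def domain_allowed(address, allowed=ALLOWED_DOMAINS):
    """Fail closed: a missing or malformed address is rejected, and only an
    exact allowed domain or a subdomain of one passes (not a look-alike such
    as bccampus.ca.evil.example)."""
    domain = email_domain(address)
    if domain is None:
        return False
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def domain_allowed_lenient(address, allowed=ALLOWED_DOMAINS):
    """Hypothetical fail-open variant: skips validation when the value it was
    handed does not look like an email.  Constructed only to show how a
    shifted field index then lets every registration through."""
    if email_domain(address) is None:
        return True
    return domain_allowed(address, allowed)


def field_by_index(fields, index):
    """Positional lookup, as the plugin is suspected to have done."""
    return fields[index][1] if 0 <= index < len(fields) else None


def field_by_name(fields, name):
    """Lookup by field name, unaffected by fields inserted elsewhere."""
    return dict(fields).get(name)


def check_registration(fields, by_name=True, lenient=False):
    """Apply the domain allowlist to one submitted form."""
    if by_name:
        address = field_by_name(fields, EMAIL_FIELD_NAME)
    else:
        address = field_by_index(fields, EMAIL_FIELD_INDEX)
    check = domain_allowed_lenient if lenient else domain_allowed
    return check(address)


if __name__ == "__main__":
    for label, form in [("original layout", FORM_ORIGINAL),
                        ("extra field, legit", FORM_WITH_EXTRA_FIELD),
                        ("extra field, spam", FORM_SPAM)]:
        print(f"{label:20s} index/lenient={check_registration(form, False, True)!s:5} "
              f"index/strict={check_registration(form, False)!s:5} "
              f"name={check_registration(form)}")
```

Run stand-alone, it prints one line per constructed form: with the original layout every variant agrees, but once the extra field is present the positional strict check blocks the legitimate organizer, the positional lenient check admits the spam one, and only the name-based lookup gets both right.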

@paulagaube

Okay, sorry, @alex-418 !

@alex-418 alex-418 changed the title Increase in spam account registrations Increase in spam account registrations - Implement reCaptcha Aug 14, 2019
@alex-418 alex-418 self-assigned this Aug 15, 2019
@alex-418
Contributor

@dshaykewich I'm trying to log in to the devops@bccampus.ca account and it's asking for a verification code that got sent to a cellphone number that ends with 75. Hoping it's yours? Please send the verification code.

@alex-418 alex-418 removed their assignment Aug 15, 2019
@alex-418
Contributor

@kkilbey @paulagaube I've enabled reCaptcha v2 ("invisible") so there's no challenge to the user, but it should filter out bots. We can try this version out and see if it's sufficient; otherwise we can go to v3. As you're doing tests on #687 in the registration page, please keep this in mind to ensure there are no issues with the form being submitted. Thank you.

@kkilbey
Author

kkilbey commented Aug 16, 2019

I see the reCaptcha on the cert sign-up page, but I don't think it's the invisible one (?). I was prompted to check the box and then click on certain images to verify I'm not a robot.
@paulagaube your turn :)

@alex-418
Contributor

@kkilbey great, yes I forgot to mention the invisible one didn't work as expected (was glitchy for me and wouldn't let me submit it) so I reverted to v2 "I'm not a robot" checkbox.

@kkilbey
Author

kkilbey commented Aug 16, 2019

@alex-418 Perfect! In that case, looks like it's working as expected.

@paulagaube

The "I'm not a robot" reCaptcha checkbox appears and is working on PC and Mac on Cert (eypd.bccampus.ca).

@alex-418
Contributor

Google's recaptcha v2 is now enabled for both cert and prod. Let's see if this reduces some of that spam!
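The checkbox widget is only half of reCaptcha v2: the registration handler has to send the token the widget places in `g-recaptcha-response` to Google's `siteverify` endpoint and act on the verdict, or the checkbox can be bypassed by posting the form directly. The example below is added for this write-up and is not EYPD's or the plugin's code. It wraps the verification call and, because the decision logic is kept separate from the network call, exercises that logic offline on constructed verdicts shaped like `siteverify` responses (`success`, `challenge_ts`, `hostname`, `error-codes` are the documented response fields). The expected-host list is an assumption taken from the cert and prod hostnames named in this thread, and the secret is a placeholder.

```python
"""Server-side check of a reCAPTCHA v2 checkbox token (added example).

The widget puts a token in the POST field g-recaptcha-response; the server
must send that token to Google's siteverify endpoint and act on the JSON
verdict, since the checkbox alone proves nothing.  Network access is confined
to siteverify() so the decision logic can be exercised offline on constructed
verdicts.  EXPECTED_HOSTS is an assumption based on the hostnames in the thread.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTS = {"eypd.bccampus.ca", "earlyyearsbc.ca"}  # assumption: cert and prod
MAX_TOKEN_AGE = timedelta(minutes=2)  # v2 tokens expire two minutes after solving


def siteverify(secret, token, remote_ip=None):
    """POST the token to Google and return the decoded JSON verdict."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    req = Request(SITEVERIFY_URL, data=urlencode(form).encode())
    with urlopen(req, timeout=5) as resp:
        return json.load(resp)


def evaluate_verdict(verdict, expected_hosts=EXPECTED_HOSTS, now=None):
    """Return (accepted, reason) for one siteverify verdict.

    Three things are checked: Google's own success flag; that the challenge
    was solved on one of our own hostnames, since the site key is public and
    a token solved on someone else's page must not be honoured; and that the
    token is not stale.
    """
    now = now or datetime.now(timezone.utc)
    if not verdict.get("success"):
        codes = ",".join(verdict.get("error-codes", ["unknown"]))
        return False, "captcha not passed (" + codes + ")"
    host = verdict.get("hostname")
    if host not in expected_hosts:
        return False, "token solved on unexpected host %r" % host
    ts = verdict.get("challenge_ts")
    if ts:
        solved = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - solved > MAX_TOKEN_AGE:
            return False, "token older than %s" % MAX_TOKEN_AGE
    return True, "ok"


def handle_registration(post_fields, verify=siteverify,
                        secret="SECRET-PLACEHOLDER", **kw):
    """Glue for a registration handler: a form without a token is rejected
    before any verification call is made."""
    token = post_fields.get("g-recaptcha-response")
    if not token:
        return False, "captcha token missing from form"
    return evaluate_verdict(verify(secret, token), **kw)


# Constructed verdicts, shaped like siteverify responses, for offline use.
VERDICT_OK = {"success": True, "challenge_ts": "2019-08-16T20:08:05Z",
              "hostname": "eypd.bccampus.ca"}
VERDICT_OTHER_HOST = {"success": True, "challenge_ts": "2019-08-16T20:08:05Z",
                      "hostname": "attacker.example"}
VERDICT_REPLAYED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
FAKE_NOW = datetime(2019, 8, 16, 20, 9, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    for name, v in [("ok", VERDICT_OK), ("other host", VERDICT_OTHER_HOST),
                    ("replayed", VERDICT_REPLAYED)]:
        print(f"{name:11s} -> {evaluate_verdict(v, now=FAKE_NOW)}")
    print("no token    ->", handle_registration({}, verify=lambda s, t: VERDICT_OK))
```

In a real handler `handle_registration` is called with the request's POST fields and the real secret, and the `siteverify` call goes over the network; the `verify=` parameter exists so the decision path can be tested with canned verdicts, as the `__main__` block does.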

@kkilbey
Author

kkilbey commented Aug 26, 2019

Working as expected on both Cert and Prod. We only had 1 spam user successfully register over the weekend and 3 spam users in "Pending". Given that we've had batches of 20+ spam users register overnight before, I'd say this is helping! I'll keep monitoring new registrations to track spammers.

@dshaykewich

Excellent news, @kkilbey .
