I have the captcha plug-in active, and have removed the 'website' entry from the sign-in form, and it doesn't show when you look at a user's details, but I am getting spam registrations where the 'website' field has been filled in as it is still visible on the e-mail sent to Admin.

So, I guess this is from some form of spam-bot as the website field isn't visible to human users, but how are they getting past the captcha?

It's difficult to say, if this is a spam-bot or manual registrations in your case. Sometimes on this board I am also seeing completely meaningless spam, which seems to be manual, as it also passed the Captcha "some way". There could be quite an easy way to program a script, which emulates one-time PHP session and starts from there; however I'm not sure on it, because it would work just for only one session and not multiple registrations (after each registration, session ID is renewed).

I did not get any of the issues regarding how the Captcha may be passed by this time. Despite I'm sure there could be some (difficult) way to create a database of all possible values and their encoded strings and automate it some way, changing the $secretTuringPass value will ruin all that approach. So I am not at the point to say it's 100% works, but also not sure if it could not be broken.

In your case, it would be better just to disable filling the website field at the scripting level. For example, pasting this in bb_plugins.php may work:

(it's one-line code with no breaks)

Well, the bb_plugins.php code has removed the website address, but the spam registrations are still coming thick and fast...

It really makes the Captcha plugin a waste of money - which is annoying.

What I really need is a way to stop the spam-bots bypassing the Captcha.

I'd recommend to wait a bit before making conclusions which have no proper way. Seeing you have disabled the website address, spammer may stop the action.

As I mentioned, to protect the captcha code on the different level, you can change:

- number of symbols displayed in Captcha
- secret phrase
- set the grid to make it less recognizable

All of this helps to protect from the possible automated attack which may been "cracked" the module; despite we even don't know if it's automate.

As about the manual spam, i.e. if somebody registers new accounts manually, nothing will help you in this, except of blocking the IP address, which is also a temporary action. China spammers are unbeatable in this case. You may get hundreds of manual registrations or actions completed from different IPs in a hour. Nothing will help you except hiring another Chinese who will remove false accounts ;)

There are also few ways of improving the registration process. You may set up the email verification which in most cases doesn't work for spammers, as they should have unique and live email address to complete it. Also, when fighting the spammers, do not remove their accounts, but just block them - this will keep their email addresses in the database and won't allow to register the same address anymore.

P.S. Common... don't call 6 dollars you have paid for this a "money", please. I can't even buy bread & milk for this money. You've got the intellectual product instead.

First, I totally agree about the 'money' - and I really didn't mean to suggest otherwise. I really appreciate all you have done with MiniBB - well done!

But, a point about this 'spam'.

It's interesting that when the 'Website' field was removed from user view, but still in the underlying info, the 'spam' registrations filled it in... doesn't that suggest the spam registration is 'automated'? If a real person can't see the field, how could they fill it in?

And this does take us back to an old post about Reverse-Captcha.

The idea being that as the 'Wesbite' field is not visible to real people, any registration that fills it in MUST be spam, so can be ignored...

Does that not make sense?

Steve

its quite possible to program an easy form which would take a captha session which would be entered manually, but all the rest of the data is submitted automatically afterall. We cant even imagine how tricky could be spammers regarding that.

Also its sad that spammers do not notice profile's URL Rule in minibb. Hyperlink is being transformed to a clickable one only for logged members. It has no sense for guests and so for search engines.

You may try to enable saving ip address during registration. Solution is here:
Saving IP address used during registration

Its not guaranteed but at least its a chance to follow if you have all bulk profiles from the same network or not...

I'm still getting a load of spam registrations.
Removing the website hyperlink did nothing to stop it.
I actually re-enabled it so I can easily see spam registrations.
But as the website link in the registration info is not human viewable when registering it must be a bot issue in some way - may be half and half as you suggest above.

What would work is to automatically refuse any registrations that fill in the website URL field.
Can that be done???

Try the option $closeRegister=1; in setup_options.php file (You must uncomment the entry to set the option). This disable the open registrations and would like to force user to "validate his email" upon registering. And delete the User Murks on your site .. thats from me ;-), but the email address is not valid. You should make spammers harder to get to the forum ?! :) This could reduce your spam registrations something ...

I would agree - validating email-address could avoid most of spam. Here's also the solution on extra actions regarding this option.

So, spammers just register accounts on your website, and do not post anything else?

Spammers could submit the form using their own tools, not what do you have on your public form. MiniBB's registration consists of two steps - one is displaying the profile form (action=registernew) and the second is submission of the form (action=register). Knowing miniBB structure (let's not forget it's open source), they could submit the data to action=register using their own tool, bypassing your public form. Not bypassing the Captcha - but they could read and submit its session some way. In computers world, there are ways to work around any public code.

Without seeing your website and without not knowing what happens, I can't provide any more public recommendations. However I am sure it could be stopped if the nature of the incoming data is known. I've solved tens of such issues in the past.

Sorry Jamie - other than the first comment about $closeRegister=1; I really do not understand the rest of your post...

Just me being thick I expect!

Thanks! ;o)

But: "And delete the User Murks on your site .. thats from me ;-)" what's that about?

In administrative panel, you have few options to search and delete users at once.
By Murks he probably meant... Murks :)

Steve Shaw
;-) I registered in your forum as a user with the name "Murks" and with an incorrect e-mail address :) I wanted to test how to allow the registration, and now go to the admin panel an delete the user with the name "Murks" or better set his profile as inaktiv.

LOL - I missed that ;o)

Ok - I'm still getting LOADS of spam registrations...

I have added the pre-mod plug-in to stop any registered user posting without their first message being verified, but I'd love to auto-ban spammers when they try to register.

It is easy to spot the spammers as they fill in the 'website field' as it is NOT human visible, but is filled in by the automated process they are using (after first entering the Captcha data manually I think)...

So, if there was a way to ban any user that fills in the 'website field' that would kill just about all the spam registrations.

Is there a way to do this?
What would it cost to have such a change added to the code?

Steve