Attack via password reminder

Started by Hawkmoth, July 12, 2011, 02:08:36 AM


MiY4Gi

Install the Hide User Display Names from Guests mod. I'm currently using the mod and I love it. Here's a demo: http://theanimeclub.co.za/index.php?action=community

You can also ban the IPs of the guilty users. Go to Members > Ban list > Add new ban.
Check out my new website, MyAnimeClub.net. I plan to create the largest anime community, and most fun and user-friendly anime forum in the world. It's still in the development stage though.

Hawkmoth

Hi MiY4Gi

Thanks for your suggestion on the Mod.

As for the IPs, I have been banning them ofc, but as quick as I can ban, the IP changes. It's mainly an O2 account (mobile device I guess).

Still doesn't get round my main issue, which is to lock down this password reminder issue.

Many thanks
Hawkmoth

MiY4Gi

I find it hard to believe that a disgruntled user will constantly change his IP just to annoy you. This is almost definitely a bot. Both the Captcha mod and the mod I suggested should stop the bot, unless it already has the usernames stored somewhere else, in which case I would suggest you ban the O2 account's IP range, wait a few days, then unban it, which will hopefully send the bot away to annoy some other forum.

If it is a disgruntled banned user as you say, one thing you can do is wait for that user to get bored and move on, or disable the password reminder for a while.

Clara Listensprechen

I had a problem with not just reminders but also password guessing and cured both with this mod: http://custom.simplemachines.org/mods/index.php?mod=1665

A bot would have to know the email address to begin with to get anywhere.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Hawkmoth


Hi Clara

That sounds just what I'm after. Thank you so much for your suggestion.



Hi MiYaGi

Some systems change their IP regularly. The captcha mod wouldn't install as it's for the wrong version.

This user has been hassling us for over 3 years so I doubt they would be put off so easily.

Many Thanks
Hawkmoth

Hawkmoth

Hi Clara

Does this mod also force users to use emails even on a normal login?

or just on password recovery?

Thanks

MiY4Gi

I prefer to hide the usernames than to change the login to email addresses. Hiding usernames encourages lurkers (users that don't login) to login, since they would likely want to know who posted what.

TOWBALL123

Hi everyone

We think we are having an issue with spammers using the password reminder.

This will get annoying for our members as they keep getting password reminders coming through.
Plus members are having to sign in each time they use the forum.

Is there any way to prevent this or perhaps adding a security question before a reminder is sent out.
We are running the latest version of SMF 2.0.11
Thanks in advance
TB

Kindred

Nope...  Really, the best way for the users to avoid this is to use a different display name from their login name...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

CBS

The solution for me was to rename the Reminder script.

I have renamed the "Reminder.template.php" to something like "111Reminder.template.php" and the problem is resolved.

Hope that may help you.

Kindred

that will actually only cause OTHER issues...

you can't just randomly rename files

CBS

Thanks for your answer...

The only issue is that if you click "Forgot your password", it moves you to the forum website and you see a small message:
reminder templates can't be load...Nothing more and nothing less :)

I don't need this reminder on the forum since this can be abused and my solution works for over 14 months now.

Kindred

it will also fill your errorlog with entries on both the server and the forum.

I'm glad you THINK it works...   but you addressed the issue with a chainsaw rather than a scalpel and basically purposefully broke the system.

I repeat - you can not just randomly rename template files (or other files, for that matter)


I will also repeat: The best way to avoid this is to recommend that your users use a display name that is different from their login name
or you can install the mod which requires users to use EMAIL instead of USERNAME to login.

either of those is a 1000x better solution than what you suggested.

CBS

Quote from: Kindred on December 05, 2015, 10:24:15 PM
it will also fill your errorlog with entries on both the server and the forum.


No problem with this, all logs can be deleted. Sorry, in my case it did NOT break any part of the system.

It is now too late to tell users to use a display name that is different from their login name.

If you can program something for us, please advise. I can't.

Thank you for your comments and have a nice day.



