Bot Exploit In Vers 2.0.10

Started by njtweb, June 22, 2015, 07:43:45 AM


njtweb

There has to be an exploit somewhere in this script which allows bots to go around registration. I have tried every method beyond SMF Base security and nothing works, bots still register.

Testing all are used together:
- Security & Moderation > Anti-Spam > Require verification on registration selected
- Security & Moderation > Anti-Spam > Recaptcha (overriding the default visual verification)
- Security & Moderation > Anti-Spam > 3 verification questions about my site (no math, no colors)
- Features & Options > Profile Fields > Added an additional hidden regex field

I still get 5-10 bot registrations per day, and the weird thing is, they're all registering 'Without' the required email address. However, none of them are activated. I ban them then delete them. It's annoying as all 43ll.

Kindred

Are you using Tapatalk?

(and moving to support)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

njtweb

Nope, no chat mods or mobile device apps.

Kindred

What modifications have you done (either custom hacks or mod packages)?

Because I can not see this as valid...

I use questions (10-20 of them, asking 3)
bad-behavior
and stop spammer...   and i have not had a bot register in 2 years...   actually, I haven't even had a bot get through into the stop-spammer queue for nearly that long as well.

3 questions is not enough.  Especially if those questions
a- have been on your site for a while
b- can be answered by google



So... you *MUST* have some other mod installed which is allowing them to bypass the standard registration process
(or possibly, you have not configured the "hidden regex field" correctly)

Illori

they are registering without an email address?? i don't think that is even possible in SMF.
you say you dont have colors or math in your questions, but are they easy enough that googling them comes up with the answers? sounds like the questions may be too easy.

Kindred

Illori,

I believe that he means that they are registering without using his "hidden regex" profile field (which I assume is some sort of "enter the email address here" thing)

Illori

Quote from: njtweb on June 22, 2015, 07:43:45 AM
I still get 5-10 bot registrations per day, and the weird thing is, they're all registering 'Without' the required email address. However, none of them are activated. I ban them then delete them. It's annoying as all 43ll.

he clearly says they are registering without a required email address... unless that is not the SMF default field i dont know what that is.

to me in general it means his methods are not working and he needs to find new/better.

njtweb

I do not have any customization, (manual template editing done). I have tried all of the "BOT"/security measures the SMF mod repository has to offer.

The site is 3 weeks old. The bots have been registering with no email address from day one. They never activate though, I have no idea how they are bypassing all of the security measures.

This is the first page of banned names I have before I delete them, they all register the same exact way:
carpinteyrokqm
WarrenGaup
StanleGeta
JoanneStanfill
CameronGara
CharlesGymn
Josephdot
OliviaHumphreys
FrederickPurves
SergioMah
ulezagewoke
JustinPl
Michaelgaft
Abeliniyadefort
StevenOl
CharlescalP
golzihcwm
AntonisGeta


MOD List:
1. Footer Menu v.1 (v.1)
2. RIAST: Remove Index & Add Smart Title (1.3.0)
3. EzPortal (3.0.3a)
4. Similar Topics (0.6)
5. More Spiders (1.2)
6. Google Translate for SMF 2.0 (1.4)
7. Users mass actions (0.1.1)
8. Add Table, Td, Tr Button (1.0)
9. SRAVC - Separate Replies And Views Column (1.9.4)
10. Views and Replies + Table on Recent Posts (1.2.1)
11. Child Board Hover (1.0)
12. MessagePreviewOnHover (1.8)
13. Enhanced PM Popup (1.0.1)
14. Tidy Child Boards (1.4.1)
15. SA Twitter (1.2)
16. SA Facebook (2.0.5)
17. Show BBCode to guests (0.1.7)
18. markItUp! for SMF (0.5.4)
19. SEO Sitemap (2.2.1)
20. Float BBCODE (1.0.2)
21. MicroData SEO Linktree (1.0)
22. Responsive Curve (1.0 Beta 5)
23. Bot Buster (1.1)
24. Anti Bot: Are You Human/Bot? (3.0)
25. Invitation Message In Your Face (IMIYF) (0.3.2)
26. Socialize (1.8)
27. Menu Buttons (1.1)
28. SMFConnect (1.0)
29. FARM - Font Awesome Responsive Menu (1.0.4)
30. Add Favicon.ico Support (1.101)
31. SimpleAds (1.0.1)
32. New Topic Button (1.0)
33. Yet Another YouTube BBCode Tag (2.5)
34. Tagging System (3.0)
35. SMF Trader System (1.7)
36. Show JDALLAUI in Post and PM (1.2)
37. reCAPTCHA for SMF (1.0.0)
38. Profile Comments (2.2)
39. Pretty URLs (1.1.2)
40. NHL Video BBCode (1.0)
41. Align submit buttons in posts (1.0.4)
42. Say Thanks (1.3.3)


These are my questions:
What does a hockey player shot with? A what? ----> stick
What is Wayne Gretzky's number? ---->99
What is the frozen surface hockey is played on? 3 letters. ---->ice


This is the regex required registration profile field:
What is the name of this website? ---->[copy and paste or type minorleaguelegends]

Illori

can you provide a link to your forum?

i think your security questions are a bit too basic. try googling them; if you get the answer on the first hit or first page, they are too easy for bots to crack.

njtweb

I've tried all kinds of questions, 3 questions, 4 questions, 5 questions......All of the security measures together, nothing stops them.

http://www.minorleaguelegends.com/board/

This is the latest registration, 10 mins ago.

Another thing to note. They register with no IP address????


Username: Kayleighhacker4
Display Name: Kayleighhacker4
Email Address: None
IP Address: http://minorleaguelegends.com/wp-login.php?action=register
Last Online: Never
Total Posts: 0

a10

wp-login.php?action=register  ??
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Illori

do you have your log in linked/sync'ed with another web app? maybe they are registering with that and getting in. there is no way in SMF to complete the registration without an email address.

also for sure your verification questions are too easy.

njtweb

I'm using this plugin to connect my main wordpress site.

28.   SMFConnect   1.0   

Kindred

oh.,..      I see the potential problem --

Do you allow registration from facebook/twitter?
Both of those bypass the normal registration process, I believe...


also. SMFConnect?

Why do you have
RIAST: Remove Index & Add Smart Title
AND
Pretty URLs
? Don't they do similar things?
(and prettyurls is known to conflict with a variety of mods)


Finally...    If you have SMF registration connected to WordPress registrations.... then all bets are off....



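The record njtweb pasted (no email, a wp-login.php URL where the registration IP should be) and Illori's and Kindred's point that SMF's own registration form cannot produce such a row, while an external bridge can, suggest a simple audit for a forum admin: scan the member table for accounts that could not have come through the built-in form. The script below is an added example, not code from SMF, SMFConnect or any poster. It assumes the column names of SMF's smf_members table (member_name, email_address, member_ip, is_activated); the sample rows and the forum.example URL are constructed to match the shape of the quoted record.

```python
"""Audit SMF member rows for accounts that cannot have come through the
normal registration form: missing e-mail, or a URL/text where the
registration IP should be. Added example, not SMF or SMFConnect code."""
import ipaddress
import re

# Constructed sample rows shaped like the profile summary quoted in the
# thread. Column names follow SMF's smf_members table (assumed); every
# value here is made up for the example.
SAMPLE_MEMBERS = [
    {"member_name": "alice_ok", "email_address": "alice@example.org",
     "member_ip": "203.0.113.7", "is_activated": 1},
    {"member_name": "Kayleighhacker4", "email_address": "",
     "member_ip": "http://forum.example/wp-login.php?action=register",
     "is_activated": 0},
    {"member_name": "bob_pending", "email_address": "bob@example.org",
     "member_ip": "2001:db8::1", "is_activated": 0},
    {"member_name": "carpinteyrokqm", "email_address": "",
     "member_ip": "", "is_activated": 0},
]

# Deliberately loose: we only want to catch empty or obviously broken values,
# not re-implement full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_ip_address(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def audit_member(row):
    """Return the list of anomalies for one member row (empty list = clean)."""
    findings = []
    email = (row.get("email_address") or "").strip()
    ip = (row.get("member_ip") or "").strip()

    if not email:
        # The registration form requires an address, so an empty field means
        # the row was written by some other path (bridge, direct DB insert).
        findings.append("missing_email")
    elif not EMAIL_RE.match(email):
        findings.append("malformed_email")

    if not ip:
        findings.append("missing_ip")
    elif not is_ip_address(ip):
        # SMF records the client's address here; a URL or other text means
        # whatever created the account did not go through that handler.
        findings.append("ip_field_not_an_address")

    # Only worth noting on rows that are already suspicious: a legitimate
    # pending member is not an anomaly by itself.
    if findings and not row.get("is_activated"):
        findings.append("never_activated")
    return findings


def audit_members(rows):
    """Map member_name -> findings for every row with at least one anomaly."""
    return {r["member_name"]: f for r in rows if (f := audit_member(r))}


if __name__ == "__main__":
    for name, findings in audit_members(SAMPLE_MEMBERS).items():
        print(f"{name}: {', '.join(findings)}")
```

Feed it the rows of a query such as `SELECT member_name, email_address, member_ip, is_activated FROM smf_members` (table prefix assumed). Any account flagged `ip_field_not_an_address` or `missing_email` was created by a path that skipped SMF's own form, which is exactly where the verification questions, reCAPTCHA and hidden regex field live; that path (here, the WordPress-side registration exposed through the bridge) is the one to disable or put behind its own verification, as the thread ends up doing.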
njtweb

Quote from: Kindred on June 22, 2015, 10:40:31 AM
oh.,..      I see the potential problem --

Do you allow registration from facebook/twitter?
Both of those bypass the normal registration process, I believe...


also. SMFConnect?

Why do you have
RIAST: Remove Index & Add Smart Title
AND
Pretty URLs
? Don't they do similar things?
(and prettyurls is known to conflict with a variety of mods)


Finally...    If you have SMF registration connected to WordPress registrations.... then all bets are off....

Hi Kindred, FB and Twitter force a guest to register with email. I have two valid members who have used FB to register, no bots from either/or. RIAST adds meta to title and description, and pretty urls changes the URL format from Bulletin board to SEO format. Both mods are for search engine optimization and both do different things.

I'm going to turn off registration to the wordpress side and see what happens.

Kindred

Side note....  PrettyURLs provides NO Search engine benefit AT ALL....

The URL has negligible (if any) effect on search engine rankings and has not for well over 5 years.... (closer to 10)

Night09

Quote from: njtweb on June 22, 2015, 09:13:13 AM
Nope, no chat mods or mobile device apps.

Quote from: njtweb on June 22, 2015, 10:36:15 AM
I'm using this plugin to connect my main wordpress site.

28.   SMFConnect   1.0   

Disconnect that plugin and all those registrations will stop.

njtweb

I turned off registration on the Wordpress side, and created a custom block directing login and registration through SMF. So far so good. Ultimately I need the SMFConnect Mod in order to allow SSO throughout the video side and the bulletin board side of the site as a whole.
