Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
Ask a Question

Is this abug that allows spamers to create fake accounts without ever verififying the email address?

+2 votes
3.3k views
in Q2A Core by
edited by

---------------------------
Update
---------------------------

After stopping all outgoing emails with the registration codes for 2 days, new fake accounts are not able to verify the email address and are also unable to post SPAM.

So I assume that there is not a bug on the code and unfortunately it seems that these are humans creating this accounts :(

Any creative solutions for this problem?

---------------------------
Original question
---------------------------

I am constantly having to delete face accounts inside my site.

After checking the users table, I see that some of those fake accounts do not have the email code generated.

Does the email code has to always be created or there is a bug that needs to be fixed on my site?

Edit: This are some captures I made on my server for a new SPAM, you can see a GET to register, then a POST to publish the SMAP but there is no GET to verify the email code, so they are somehow able to publish without receiving the email.

Note: This dump correspond to another user and not the ones shown above.

Data for first POST

Data for second POST:

 

Hope this helps to find the problem.

Edit: I have ReCAPTCHA enabled

 

Q2A version: 1.6.2
by
Interesting timing. I've been wondering the same thing. (A huge number of spam robots are successfully 'verifying' their accounts, which seems unlikely unless they're also able to parse SMTP/e-mail - which is not impossible, but seems unlikely in the case of most poorly programmed spam robots.)
by
Hi James, I've updated the post with new information.
by
Interesting. Thanks for posting the packet dumps. That ought to help a lot. Do you have ReCAPTCHA enabled on your Q2A site out of curiosity?
by
Yes, I do, let me know if you want the actual dump file.
by
I just can't follow this log. Are you 100% sure that those requests you've highlighted correspond to the same user?

If that is the case, then the user has not registered. The GET to the register is to load the form and then you need a POST to the register URL which would effectively register the user. You've highlighted a POST to a login URL, so it makes sense for the user to be able to post after successfully logging in.

By the way, I haven't checked the code but I noticed the emailcode gets removed after successfully validating the email address.
by
Sorry Pupi1958, this dumps correspond to another user created yesterday and not the ones on the first screenshot.
by
I will try to get a full dump tomorrow for another fake user and check also email and apache logs.
by
Interesting catch. I was also wondering about new registered users that even broke the stop-spam-plugin. So I guessed it is real human beings. When I assigned a captcha question that is "unbreakable" there were no new registrations. So my guess in the end, there is no bug. But it would be awesome if you find the reason for this general spam problem.
by
I will make my site send all email messages to me, and this way I will be able to verify if a fake user is able to verify his email address without receiving the email.
If he is able to do it, there is a bug, if not, it´s a human doing the work.
I will let yo know how it goes.
by
After stopping all outgoing emails with the registration codes for 2 days, new fake accounts are not able to verify the email address and are also unable to post SPAM.
So I assume that there is not a bug on the code and unfortunately it seems that these are humans creating this accounts :(
Any creative solutions for this problem?
by
Spammers → humans, wanted users → humans. If you block spammers by "creative" solutions, you probably block your wanted users. Sad story...

However, good news: With the stop-spam-plugin you can define words, part of words, URLs or part of URLs that will reject the posted content. This is how i got rid of them finally. Just block their URLs (domains) and they stop posting ;) http://www.q2apro.com/plugins/stop-spam

1 Answer

+2 votes
by
 
Best answer

Since there is not a bug on the code, I answer my own question:

After stopping all outgoing emails with the registration codes for 2 days, new fake accounts are not able to verify the email address and are also unable to post SPAM.
So I assume that there is not a bug on the code and unfortunately it seems that these are humans creating this accounts :(

I will try http://www.q2apro.com/plugins/stop-spam

Snow Theme by Q2A Market
Powered by Question2Answer
...