Announcement

Collapse
No announcement yet.

Bot Registration with required fields blank

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Bot Registration with required fields blank

    Hi,

    Using 3.6.0
    I had a registration last night where the required fields I have are blank.
    Only username, email address and birthdate were filled in

    There is a new user, Peter_Jon33
    Email Address : [email protected]
    Birthday : January 1, 1980
    Referrer: N/A
    IP Address: 63.166.111.6

    Obviously this is a bot, but how did it get around the required fields?
    From my apache log
    63.166.111.6 - - [30/Aug/2006:23:30:42 +0100] "POST /Forums/register.php HTTP/1.1" 200 13401 "-" "-"

    And then later it even confirmed it's email (fortunatly I still require manual activation by a mod)
    63.166.111.6 - - [31/Aug/2006:03:55:11 +0100] "GET /Forums/register.php?a=act&u=54&i=69359037 HTTP/1.0" 200 17224 "-" "-"

    Anybody else seen this?

    Andy

  • #2
    How do you figure its a bot?

    Comment


    • #3
      Hi Zachery,

      The post and get are the only two apache accesses, no other pages, css or images are requested.

      Searching back in my logs there is one other access to only register.php on 25th August from this IP (failed register attempt?)

      Andy

      Comment


      • #4
        And again after deleting user

        63.166.111.6 - - [31/Aug/2006:19:39:06 +0100] "POST /Forums/index.php HTTP/1.1" 200 26407 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
        63.166.111.6 - - [31/Aug/2006:19:39:07 +0100] "POST /Forums/login.php HTTP/1.1" 200 12215 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
        63.166.111.6 - - [31/Aug/2006:19:39:09 +0100] "POST /Forums/profile.php HTTP/1.1" 200 19822 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

        Then new user registration

        63.166.111.6 - - [31/Aug/2006:21:37:50 +0100] "POST /Forums/register.php HTTP/1.1" 200 17341 "-" "-"

        There is a new user, clear_air_force
        Email Address : [email protected]
        Birthday : January 1, 1980
        Referrer: N/A
        IP Address: 63.166.111.6

        It should also be noted that Birthday is NOT in the registration form.

        I hoped that the few unusual required fields would be enough to stop this sort of spam registration but it looks like I will have to switch on captcha

        Andy

        Comment


        • #5
          I'm having the same problems, after upgrading to 3.6 I've gotten bot registrations from freestuffo1.com burnacouplemore.com punkass.com tradedoubling.co.uk and others. is this a vbulletin issue or something I jacked up durring upgrade? i've never had problems with spam registrations

          Comment


          • #6
            Do you have image registration enabled?

            Comment


            • #7
              no, but I'm currently trying to get it enabled. but I've found it's not as easy as I hoped it would be. I'm having issues with GD and Imagemagick both.

              Comment


              • #8
                Interesting thread.

                We are still on 3.5.1 and have also gotten registrations from those addresses. We also believe they are bots, and have image station enabled.

                I have also noted a strange pattern - the referral field is now being filled in. One IP will come on as a guest and view the member list, then wih new registrations from bots, the referrals are now filled-in.

                btw - I found this thread when googling a new registration with the same IP as the first post.

                Comment


                • #9
                  I've just started getting these as well. I'm still running 3.5.4. Below is a list of the IPs that I have encountered.

                  87.106.20.213
                  87.120.71.8
                  63.166.111.6
                  64.34.161.90
                  128.2.141.33

                  I deleted all users created under these IPs and added them to the Ban IP list. I also went in and added the email addresses they used to that ban list as well. Inconsiderate people just don't care and will bot you to death without a blink of an eye. If anyone else is concerned with a possible bot user, it's best to check their signatures. This is where they try to get their advertising done.

                  Comment


                  • #10
                    I've started to notice these bots attempting to register on my forum. I have the Image Verification thing enabled, and it must stop them OK. I've noticed them coming back, and attempting to post messages, but of course they are stopped.

                    I also found this link while googling the IP: 63.166.111.6
                    My forum: http://dirtydozensbunker.com

                    Comment


                    • #11
                      Same problem, same address and a few others.

                      I don't really want to enable image verification, is that the only option?
                      John Diver

                      Comment


                      • #12
                        Hi,

                        Image verification did stop them and seems to be the only thing that can.

                        They are unfortunatly able to bypass required fields.

                        Andy

                        Comment


                        • #13
                          They could enter blank characters into them.

                          Comment


                          • #14
                            Bot signups

                            I have tried registering with blank characters and it does not allow it.

                            I am very convinced this is a script of some kind exploiting a whole in the registration system.

                            Please take a look into this.

                            Comment


                            • #15
                              It's possible that they're entering special characters that don't show up because you don't have that character set installed.
                              Best Regards
                              Colin Frei

                              Please don't contact me per PM.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X