Friday, November 28, 2014

Shields Up

Ugh, we just had a spam blog entry (“Hey Friends, Now, You can find any new video/mp3 at [...] and simply download in just single click.”), which I’ve deleted. While banning the freshly created account I realised that we’ve had one thousand new EE accounts created and lurking since the ExpressionEngine upgrade - they’ve been arriving from the 3rd of November onwards, at a rate of hundreds per day. I’ve gone ahead and disabled new member registration temporarily, in case that spambot had returned the good news to its masters and an army had been mobilised. (If any humans are reading this and want to join the game, just contact an admin through other channels and we’ll sort something out.)

Prior to the EE upgrade we weren’t getting any spammers - I don’t know if that was security through obscurity, or if things were set up differently. Our current setup uses what seems to be a default captcha, which I assume has been cracked. I’ll take a look at replacing it with reCAPTCHA later today, unless any better suggestions are made in comments.


Kevan: he/him

28-11-2014 12:35:55 UTC

And actually, looking at the reCAPTCHA site it’s telling me that I’ve already got keys set up for, so that must have been what we were using before.


29-11-2014 10:52:05 UTC

Captcha crackers are built against reCAPTCHA, so yeah… I use AYAH on my websites. It’s *practically* uncrackable, at least for the conceivable future.

75th Trombone:

30-11-2014 06:02:54 UTC

I’ve got reCAPTCHA installed and turned on (Kevan, I created a new key since they’re free), but I didn’t turn registration back on yet. Doctor29, does your experience lead you to believe that the spammers stay ahead of reCAPTCHA more often than the opposite?

I have Akismet working, and apparently it’s been rejecting lots of signups, but not enough.

Is there any reason I shouldn’t mass-delete from the DB all users with zero posts and zero comments?

Kevan: he/him

01-12-2014 09:36:05 UTC

Have any comment settings been changed? I just got “Computer says your input might be spam, so it will be moderated first.” for a simple comment of “:FOR:”, and had to go into the admin comment vetting system to make it appear. There weren’t any other comments pending, though.

Mass deletion of zero-activity accounts seems fine, worst case I can think of is that some lurkers have to register their names again.
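
The mass deletion 75th Trombone asks about above, and the “worst case is lurkers re-register” answer, both come down to one query. The script below is an added example, not code from the original post or from ExpressionEngine. It builds an in-memory SQLite table shaped loosely like EE’s members table (the table and column names `exp_members`, `join_date`, `total_entries`, `total_comments` are assumptions here) with a few constructed sample rows, then previews exactly which accounts a sweep would remove: zero entries, zero comments, and joined on or after the date the wave of bogus registrations started. Anyone with any activity, or anyone who joined before the cutoff, is never selected, and nothing is deleted unless `dry_run=False` is passed.

```python
"""Dry-run sweep of zero-activity member accounts.

Added example, not part of the original post or of ExpressionEngine.
Table and column names are an assumption; the rows are constructed samples.
"""
import sqlite3
from datetime import datetime, timezone

# The post says the bogus accounts arrived "from the 3rd of November onwards".
SPAM_WAVE_START = datetime(2014, 11, 3, tzinfo=timezone.utc)


def ts(y, m, d):
    """Unix timestamp for a UTC date (join_date is stored as an integer here)."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


def build_sample_db():
    """Constructed sample data: an admin, an old lurker, a commenter, and two bot-style accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE exp_members (
        member_id      INTEGER PRIMARY KEY,
        username       TEXT    NOT NULL,
        join_date      INTEGER NOT NULL,
        total_entries  INTEGER NOT NULL DEFAULT 0,
        total_comments INTEGER NOT NULL DEFAULT 0)""")
    db.executemany(
        "INSERT INTO exp_members VALUES (?, ?, ?, ?, ?)",
        [
            (1, "kevan",            ts(2005, 1, 10), 120, 900),  # active: keep
            (2, "old_lurker",       ts(2009, 6, 2),    0,   0),  # no activity, pre-dates the wave: keep
            (3, "bucky",            ts(2014, 11, 20),  0,   3),  # joined during the wave but commented: keep
            (4, "mp3videodownload", ts(2014, 11, 5),   0,   0),  # bot-style: candidate
            (5, "freeclickhere",    ts(2014, 11, 27),  0,   0),  # bot-style: candidate
        ],
    )
    db.commit()
    return db


# One predicate, reused verbatim for the preview and the delete so they cannot drift apart.
ZERO_ACTIVITY_WHERE = "total_entries = 0 AND total_comments = 0 AND join_date >= :cutoff"


def sweep_zero_activity(db, cutoff=SPAM_WAVE_START, dry_run=True):
    """Return the (member_id, username) rows the sweep targets.

    dry_run=True (default) only previews. dry_run=False deletes the same rows in
    one transaction and refuses to commit if the delete matched a different number
    of rows than the preview, so the sweep cannot silently widen.
    """
    params = {"cutoff": int(cutoff.timestamp())}
    victims = db.execute(
        f"SELECT member_id, username FROM exp_members WHERE {ZERO_ACTIVITY_WHERE} ORDER BY member_id",
        params,
    ).fetchall()
    if dry_run or not victims:
        return victims
    with db:  # commits on success, rolls back if the check below raises
        cur = db.execute(f"DELETE FROM exp_members WHERE {ZERO_ACTIVITY_WHERE}", params)
        if cur.rowcount != len(victims):
            raise RuntimeError(f"preview matched {len(victims)} rows but delete matched {cur.rowcount}")
    return victims


def remaining_usernames(db):
    """Usernames still present, in member_id order."""
    return [row[0] for row in db.execute("SELECT username FROM exp_members ORDER BY member_id")]


if __name__ == "__main__":
    db = build_sample_db()
    print("would delete:", sweep_zero_activity(db))
    sweep_zero_activity(db, dry_run=False)
    print("remaining:", remaining_usernames(db))
```

Run the preview first and read the list; the join-date cutoff is what keeps genuine long-time lurkers out of the sweep, which is the part a bare “zero posts and zero comments” query would get wrong.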

Kevan: he/him

01-12-2014 09:41:23 UTC

(And hmm, I got the same error message on posting that comment as well. I can’t see any obvious settings in the admin interface about this.)

Kevan: he/him

01-12-2014 09:44:30 UTC

(Clicking “mark as ham” when moderating the above comment - which was also filtered - seems to have let me comment again normally.)


01-12-2014 16:37:47 UTC

The same system is now filtering my votes as spam.

Kevan: he/him

01-12-2014 18:00:09 UTC

Have just manually approved Bucky’s comment and the most recent of two duplicates from him. Admins should keep an eye on this page for other pending comments.

75th Trombone:

01-12-2014 19:19:51 UTC

Sorry about that, I changed one option too many when I was setting up the spam filtering. That particular anti-spam add-on no longer checks comments.

Registration seems to be enabled and we seem to no longer be having a hundred bogus registrations a day — there was just one yesterday, and zero today so far. I also implemented EllisLab’s default Blacklist/Whitelist just now, so maybe that will reduce the number to zero.

ExpressionEngine’s member management stinks, though. It hasn’t noticeably improved in ten years. I’m starting to get the itch for another Switch.