Posted February 9, 2024
Not a major issue as I approve accounts manually, it's just that over the past couple of weeks we have had a shed load of spam registrations from Russia, Holland and Finland. Hosted at IPS community in the Cloud, not made any changes to captcha or security, but we're getting maybe 5+ a day, sometimes 10. Is there something wonky going on? My first obvious step is to change up the Q&A. Just wasn't sure if there was a known issue at all?
February 9, 2024
Would suggest switching to hCaptcha if you haven't yet, as that is proven to be better at preventing spam. Changing Q&A is a good idea as well to help prevent human spammers.
February 9, 2024
You can also temporarily block those countries from registering under Spam Prevention > GeoLocation Settings.
February 10, 2024 (Author)
Already running hCaptcha, been running that for a long time now. Wasn't aware geolocation was a thing, will set that up now.
February 10, 2024 (Author)
I'm still getting registrations from St Petersburg, St.-Petersburg, Russian Federation despite adding the country to GeoLocation.
February 10, 2024 (Author)
Hoping this isn't against forum rules as it's one of the IPs, however it's definitely spam, but also known to have tried SQL injections and brute force attempts. Been multiple registrations, each time the same IP with different last digits.
Now done a wild card ban for 37.139.53.* https://cleantalk.org/blacklists/37.139.53.17#reviewanchor
Wasn't sure if it was something you wanted to add, maybe at server level. Just sharing the info with you to do as you please. But yeah, the GeoLocation wasn't preventing that one.
February 10, 2024
5 hours ago, Day_ said:
    Now done a wild card ban for 37.139.53.* https://cleantalk.org/blacklists/37.139.53.17#reviewanchor
I've had 10 or more signups over the last few days using that IP and all using either @kmaill.xyz or *@hmaill.xyz
5 hours ago, Day_ said:
    But yeah, the GeoLocation wasn't preventing that one.
I get an error log when I try to use GeoIP blocks
Quote
    GeoIP Error
    Requested IP: Array
    Response: IPS\Http\Response Object
    (
        [httpResponseVersion] => 1.1
        [httpResponseCode] => 414
        [httpResponseText] => Request-URI Too Large
        [httpHeaders] => Array
            (
                [Server] => CloudFront
                [Date] => Sat, 10 Feb 2024 20:09:56 GMT
                [Content-Type] => text/html
                [Content-Length] => 915
                [Connection] => close
                [X-Cache] => Error from cloudfront
                [Via] => 1.1 c1bfc7dbcf7f9782aa3be590b7ce3d6a.cloudfront.net (CloudFront)
                [X-Amz-Cf-Pop] => IAD12-P1
                [X-Amz-Cf-Id] => t8GCeEIKMI_yrmTw6QSL2l1BRd3PUp0zwLuV20xIEiFGkwt4r9IAyA==
            )
        [cookies] => Array
            (
            )
        [content] => <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
    <TITLE>ERROR: The request could not be satisfied</TITLE>
    </HEAD><BODY>
    <H1>414 ERROR</H1>
    <H2>The request could not be satisfied.</H2>
    <HR noshade size="1px">
    Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
    <BR clear="all">
    If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
    <BR clear="all">
    <HR noshade size="1px">
    <PRE>
    Generated by cloudfront (CloudFront)
    Request ID: t8GCeEIKMI_yrmTw6QSL2l1BRd3PUp0zwLuV20xIEiFGkwt4r9IAyA==
    </PRE>
    <ADDRESS>
    </ADDRESS>
    </BODY></HTML>
    )
February 11, 2024 (Author)
3 hours ago, Jelly Belly™ said:
    I've had 10 or more signups over the last few days using that IP and all using either @kmaill.xyz or *@hmaill.xyz
That's the one, same email address on mine. Added a wildcard block (*@*.xyz). Looks like they are targeting IPS sites.
February 11, 2024
Although I've been okay regarding spam registrations (knock on wood), I got an email from Cloudflare this evening about a big spike in automated (bot) traffic.
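
Added example, not part of the thread and not Invision Community code: a Python sketch of the pattern the posters describe (signups from one address range with different last digits, all on the same throwaway mail domains). It groups signups by /24 network and then lists what a broad rule such as *@*.xyz would also block outside that range. The signup records are constructed and the function names are hypothetical; only 37.139.53.* and the kmaill.xyz / hmaill.xyz domains come from the posts.

```python
import ipaddress
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample signups (time, IP, email). Only the 37.139.53.* range and
# the kmaill.xyz / hmaill.xyz domains come from the thread; the rest is made up.
SIGNUPS = [
    ("2024-02-09T08:12", "37.139.53.17", "a1@kmaill.xyz"),
    ("2024-02-09T11:40", "37.139.53.22", "b7@hmaill.xyz"),
    ("2024-02-10T02:05", "37.139.53.90", "c3@kmaill.xyz"),
    ("2024-02-10T09:30", "198.51.100.7", "alice@example.org"),
    ("2024-02-10T14:18", "37.139.53.201", "d9@hmaill.xyz"),
    ("2024-02-10T19:44", "203.0.113.45", "bob@example.xyz"),
]


def cluster_by_network(signups, prefix=24, threshold=3):
    """Group IPv4 signups by /prefix network; keep networks with >= threshold hits."""
    groups = defaultdict(list)
    for _ts, ip, email in signups:
        # strict=False lets a host address stand in for its enclosing network.
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(email.lower())
    return {net: emails for net, emails in groups.items() if len(emails) >= threshold}


def domains_of(emails):
    """Distinct email domains seen in one cluster."""
    return sorted({e.rsplit("@", 1)[1] for e in emails})


def collateral_matches(signups, pattern, flagged):
    """Signups a wildcard email rule would block that are NOT in a flagged network."""
    flagged_nets = [ipaddress.ip_network(n) for n in flagged]
    hits = []
    for _ts, ip, email in signups:
        addr = ipaddress.ip_address(ip)
        in_flagged = any(addr in n for n in flagged_nets)
        if fnmatchcase(email.lower(), pattern) and not in_flagged:
            hits.append((ip, email))
    return hits


if __name__ == "__main__":
    clusters = cluster_by_network(SIGNUPS)
    for net, emails in clusters.items():
        print(net, len(emails), domains_of(emails))
    print("also blocked by *@*.xyz:", collateral_matches(SIGNUPS, "*@*.xyz", clusters))
```

On the sample data the /24 cluster isolates the four bulk signups, while the *@*.xyz rule additionally catches one unrelated address, which is the trade-off to weigh before blocking a whole TLD.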