Day_ Posted February 9 Share Posted February 9 Not a major issue as I approve accounts manually, it’s just the past couple weeks we have had a shed load of spam registrations from Russia, Holland and Finland. Hosted at IPS community in the Cloud, not made any changes to captcha or security, but we’re getting maybe 5+ a day, sometimes 10. Is there something wonky going on, my first obvious step is to change up the Q&A. Just wasn’t sure if there was a known issue at all? Link to comment Share on other sites More sharing options...
Jim M Posted February 9 Share Posted February 9 Would suggest switching to hCAPTCHA if you haven't yet as that is proven to be better at preventing spam. Changing Q&A is a good idea as well to help prevent human spammers. Link to comment Share on other sites More sharing options...
Ryan Ashbrook Posted February 9 Share Posted February 9 You can also temporarily block those countries from registering under Spam Prevention > GeoLocation Settings. Jim M 1 Link to comment Share on other sites More sharing options...
Day_ Posted February 10 Author Share Posted February 10 Already running hCaptcha, been running that for a long time now. Wasn’t aware geolocation was a thing, will set that up now Link to comment Share on other sites More sharing options...
Day_ Posted February 10 Author Share Posted February 10 I'm still getting registrations from St Petersburg, St.-Petersburg, Russian Federation despite adding the country to GeoLocation Link to comment Share on other sites More sharing options...
Day_ Posted February 10 Author Share Posted February 10 Hoping this isn't against forum rules as it's one of the IP's, however it's definitely spam, but also known to have tried SQL injections and brute force attempts. Been multiple registrations, each time the same IP with different last digits. Now done a wild card ban for 37.139.53.* https://cleantalk.org/blacklists/37.139.53.17#reviewanchor Wasn't sure if it was something you wanted to add maybe server level. Just sharing the info with you to do as you please. But yeah, the GeoLocation wasn't preventing that one. Link to comment Share on other sites More sharing options...
Jelly Belly™ Posted February 10 Share Posted February 10 5 hours ago, Day_ said: Now done a wild card ban for 37.139.53.* https://cleantalk.org/blacklists/37.139.53.17#reviewanchor I've had 10 or more signups over the last few days using that IP and all using either @kmaill.xyz or *@hmaill.xyz 5 hours ago, Day_ said: But yeah, the GeoLocation wasn't preventing that one. I get an error log when I try to use GeoIP blocks Quote GeoIP Error Requested IP: Array Response: IPS\Http\Response Object ( [httpResponseVersion] => 1.1 [httpResponseCode] => 414 [httpResponseText] => Request-URI Too Large [httpHeaders] => Array ( [Server] => CloudFront [Date] => Sat, 10 Feb 2024 20:09:56 GMT [Content-Type] => text/html [Content-Length] => 915 [Connection] => close [X-Cache] => Error from cloudfront [Via] => 1.1 c1bfc7dbcf7f9782aa3be590b7ce3d6a.cloudfront.net (CloudFront) [X-Amz-Cf-Pop] => IAD12-P1 [X-Amz-Cf-Id] => t8GCeEIKMI_yrmTw6QSL2l1BRd3PUp0zwLuV20xIEiFGkwt4r9IAyA== ) [cookies] => Array ( ) [content] => <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>ERROR: The request could not be satisfied</TITLE> </HEAD><BODY> <H1>414 ERROR</H1> <H2>The request could not be satisfied.</H2> <HR noshade size="1px"> Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. <BR clear="all"> If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation. <BR clear="all"> <HR noshade size="1px"> <PRE> Generated by cloudfront (CloudFront) Request ID: t8GCeEIKMI_yrmTw6QSL2l1BRd3PUp0zwLuV20xIEiFGkwt4r9IAyA== </PRE> <ADDRESS> </ADDRESS> </BODY></HTML> ) Link to comment Share on other sites More sharing options...
Day_ Posted February 11 Author Share Posted February 11 3 hours ago, Jelly Belly™ said: I've had 10 or more signups over the last few days using that IP and all using either @kmaill.xyz or *@hmaill.xyz That's the one, same email address on mine. Added a wildcard block *@*.xyz Looks like they are targeting IPS sites Link to comment Share on other sites More sharing options...
FanClub Mike Posted February 11 Share Posted February 11 Although I've been okay regarding spam registrations (knock on wood), I got an email from Cloudflare this evening about a big spike in automated (bot) traffic. Link to comment Share on other sites More sharing options...
Recommended Posts