Day_ Posted February 9
Not a major issue as I approve accounts manually; it's just that over the past couple of weeks we have had a shed load of spam registrations from Russia, Holland and Finland. Hosted at IPS community in the Cloud, not made any changes to captcha or security, but we're getting maybe 5+ a day, sometimes 10. Is there something wonky going on? My first obvious step is to change up the Q&A. Just wasn't sure if there was a known issue at all?
Jim M Posted February 9
Would suggest switching to hCAPTCHA if you haven't yet, as that is proven to be better at preventing spam. Changing Q&A is a good idea as well to help prevent human spammers.
Ryan Ashbrook Posted February 9
You can also temporarily block those countries from registering under Spam Prevention > GeoLocation Settings.
Day_ (Author) Posted February 10
Already running hCaptcha, been running that for a long time now. Wasn't aware geolocation was a thing, will set that up now.
Day_ (Author) Posted February 10
I'm still getting registrations from St Petersburg, St.-Petersburg, Russian Federation despite adding the country to GeoLocation.
Day_ (Author) Posted February 10
Hoping this isn't against forum rules as it's one of the IPs; however, it's definitely spam, but also known to have tried SQL injections and brute force attempts. Been multiple registrations, each time the same IP with different last digits. Now done a wild card ban for 37.139.53.* https://cleantalk.org/blacklists/37.139.53.17#reviewanchor
Wasn't sure if it was something you wanted to add, maybe at server level. Just sharing the info with you to do as you please. But yeah, the GeoLocation wasn't preventing that one.
Jelly Belly™ Posted February 10
5 hours ago, Day_ said:
> Now done a wild card ban for 37.139.53.* https://cleantalk.org/blacklists/37.139.53.17#reviewanchor

I've had 10 or more signups over the last few days using that IP and all using either @kmaill.xyz or *@hmaill.xyz

5 hours ago, Day_ said:
> But yeah, the GeoLocation wasn't preventing that one.

I get an error log when I try to use GeoIP blocks

Quote:
GeoIP Error
Requested IP: Array
Response: IPS\Http\Response Object
(
    [httpResponseVersion] => 1.1
    [httpResponseCode] => 414
    [httpResponseText] => Request-URI Too Large
    [httpHeaders] => Array
        (
            [Server] => CloudFront
            [Date] => Sat, 10 Feb 2024 20:09:56 GMT
            [Content-Type] => text/html
            [Content-Length] => 915
            [Connection] => close
            [X-Cache] => Error from cloudfront
            [Via] => 1.1 c1bfc7dbcf7f9782aa3be590b7ce3d6a.cloudfront.net (CloudFront)
            [X-Amz-Cf-Pop] => IAD12-P1
            [X-Amz-Cf-Id] => t8GCeEIKMI_yrmTw6QSL2l1BRd3PUp0zwLuV20xIEiFGkwt4r9IAyA==
        )
    [cookies] => Array
        (
        )
    [content] => <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>414 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: t8GCeEIKMI_yrmTw6QSL2l1BRd3PUp0zwLuV20xIEiFGkwt4r9IAyA==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
)
Day_ (Author) Posted February 11
3 hours ago, Jelly Belly™ said:
> I've had 10 or more signups over the last few days using that IP and all using either @kmaill.xyz or *@hmaill.xyz

That's the one, same email address on mine. Added a wildcard block *@*.xyz
Looks like they are targeting IPS sites.
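The pattern reported in the posts above (one address block with changing last digits, and a small set of look-alike mail domains) can be surfaced from a registration export before writing ban rules. This is an added example, not part of any post and not Invision Community code; the record layout, the sample rows, the function names and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (ip, email) sign-up records. Only 37.139.53.17 and the two
# mail domains appear in the thread; every other value is made up.
SIGNUPS = [
    ("37.139.53.17", "a1@kmaill.xyz"),
    ("37.139.53.44", "b2@hmaill.xyz"),
    ("37.139.53.90", "c3@kmaill.xyz"),
    ("37.139.53.201", "d4@hmaill.xyz"),
    ("37.139.53.202", "e5@hmaill.xyz"),
    ("198.51.100.7", "alice@example.org"),
    ("203.0.113.9", "bob@example.net"),
    ("not-an-ip", "f6@KMAILL.xyz"),  # malformed address, mixed-case domain
]


def cluster_signups(records, min_count=3):
    """Return (networks, domains) seen at least min_count times.

    networks maps an IPv4 /24 to its number of distinct source addresses;
    domains maps a lower-cased email domain to its number of sign-ups.
    """
    hosts_by_net = defaultdict(set)
    count_by_domain = defaultdict(int)
    for ip, email in records:
        count_by_domain[email.rsplit("@", 1)[-1].lower()] += 1
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # unparseable address: the domain is still counted
        if addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            hosts_by_net[str(net)].add(addr)
    nets = {n: len(h) for n, h in hosts_by_net.items() if len(h) >= min_count}
    doms = {d: c for d, c in count_by_domain.items() if c >= min_count}
    return nets, doms


def to_wildcards(nets, doms):
    """Render clusters in the wildcard form quoted in the thread (assumed syntax)."""
    ip_rules = sorted(n.rsplit(".", 1)[0] + ".*" for n in nets)
    mail_rules = sorted("*@" + d for d in doms)
    return ip_rules, mail_rules


if __name__ == "__main__":
    print(to_wildcards(*cluster_signups(SIGNUPS)))
```

The mail rules it produces name exact domains, so sign-ups from other .xyz addresses are not affected by them.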
Mike G. Posted February 11
Although I've been okay regarding spam registrations (knock on wood), I got an email from Cloudflare this evening about a big spike in automated (bot) traffic.