How to stop scam registrations - junk in profile?
New Post
5/20/2014 3:00 AM
 

Based on the various IIS logs people have shared with me, this is nothing more than an automated attack - first the targets are found (likely using a Google search for the "Membership for this website is public" text, as someone previously suggested). After that, an automated process does the registration, generating the various details based on an algorithm - this can be seen both by the time between the pages and the profile properties. The IIS logs show only expected requests, i.e. there is no evidence of some workaround/crafted URL which avoids CAPTCHA, so it would seem that it's simply a well-executed CAPTCHA cracker, possibly targeted at DNN. I will raise this with product and see if we can enhance this area.

If anyone has server-level access, I would be interested if they could run a network analyser such as Wireshark so that the entire request (i.e. POST data, as well as URL) could be captured for analysis. Alternatively, perhaps someone could drop in an HttpModule such as http://stackoverflow.com/questions/38... . It would be good to capture the entire request to verify that there is not an issue in the post logic.
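
One way to capture the full registration POST that the post above asks for, as an added example that is not part of the original thread and is not DNN code: an ASP.NET HttpModule that logs every form field of POSTs to the registration page. The class name, the `register` URL marker and the log path are assumptions; password fields are logged by length only.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Web.Hosting;

// Added example, not DNN code. Register it in web.config under
// <system.webServer><modules> and remove it when the capture is done.
public class RegistrationCaptureModule : IHttpModule
{
    private const string UrlMarker = "register";  // assumption: match the site's registration URL
    private const string LogPath = "~/App_Data/registration-capture.log";  // assumption
    private static readonly object LogLock = new object();

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        try
        {
            HttpRequest req = ((HttpApplication)sender).Request;
            if (req.HttpMethod != "POST" ||
                req.RawUrl.IndexOf(UrlMarker, StringComparison.OrdinalIgnoreCase) < 0) return;

            var sb = new StringBuilder();
            sb.AppendFormat("{0:o} {1} {2} UA=\"{3}\" Referer=\"{4}\"\r\n", DateTime.UtcNow,
                req.UserHostAddress, Clean(req.RawUrl), Clean(req.UserAgent), Clean(req.Headers["Referer"]));
            foreach (string key in req.Form.AllKeys)
            {
                string name = key ?? "(no name)";
                string value = req.Form[key] ?? "";
                // Never store credentials; the length alone shows whether the bot reuses a pattern.
                if (name.IndexOf("password", StringComparison.OrdinalIgnoreCase) >= 0)
                    value = "[redacted, length " + value.Length + "]";
                else if (value.Length > 200)  // __VIEWSTATE and similar blobs
                    value = value.Substring(0, 200) + "...[" + value.Length + " chars]";
                sb.AppendFormat("  {0} = {1}\r\n", Clean(name), Clean(value));
            }
            lock (LogLock) { File.AppendAllText(HostingEnvironment.MapPath(LogPath), sb.ToString()); }
        }
        catch (Exception) { /* a logging failure must never break registration */ }
    }

    // Escape line breaks so a submitted value cannot forge extra log lines.
    private static string Clean(string s)
    {
        return (s ?? "").Replace("\r", "\\r").Replace("\n", "\\n");
    }
}
```

The log ends up holding the e-mail addresses and profile data of genuine registrants as well, so keep it in a folder the site does not serve and delete it after the analysis.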


 
New Post
5/20/2014 4:59 AM
 

Cathal,

I have that server access... I'll take a look at this today.

regards,
Duncan

PS. So far I've received 736 SPAM registrations! :(

 
New Post
5/20/2014 1:02 PM
 
Right now, I decided to turn off registrations because I have 977 SPAM accounts; it's REALLY annoying now.

I know some of you may not want to stop registrations, but the other way to stop it is to set up a new type of CAPTCHA-type thing (LOL, I don't know what it's called) where you set it up to ask a simple question that a SPAM bot wouldn't know but a human would know (e.g. What's the lightest color? or What's the darkest color?). I'm gonna turn registrations back on and add the CAPTCHA question thingamajig and see what happens. I'll let you know how it works! I hope it works!

Thanks,

Rhacodactylus. 


 


 
New Post
5/20/2014 4:54 PM
 

I've got this same problem. I'm trying to implement reCAPTCHA on the registration page to replace the regular DNN CAPTCHA that clearly isn't working.

I downloaded the recaptcha.dll and added it to my /Bin directory (interestingly enough there was already a recaptcha.dll in there, but I used the newer one I just downloaded).

To my /DesktopModules/Admin/Security/Register.ascx file I added:

<%@ Register TagPrefix="recaptcha" Namespace="Recaptcha" Assembly="Recaptcha" %>

And also:

<div>
<recaptcha:RecaptchaControl ID="recaptcha" runat="server" PublicKey="[Public Key]" PrivateKey="[Private Key]" />
</div>

(obviously changing [Public Key] and [Private Key] to the correct values)

That makes the reCAPTCHA appear correctly.

To my /DesktopModules/Admin/Security/Register.ascx.cs file I changed this function:

        private void registerButton_Click(object sender, EventArgs e)
        {
            if ((UseCaptcha && ctlCaptcha.IsValid) || !UseCaptcha)
            {
                if (IsValid)
                {
                    CreateUser();
                }
                else
                {
                    AddLocalizedModuleMessage(UserController.GetUserCreateStatus(CreateStatus), ModuleMessage.ModuleMessageType.RedError, true);
                    userForm.DataBind();
                }
            }
        }

To be this:

        private void registerButton_Click(object sender, EventArgs e)
        {
            if (Page.IsValid)
            {
                if ((UseCaptcha && ctlCaptcha.IsValid) || !UseCaptcha)
                {
                    if (IsValid)
                    {
                        CreateUser();
                    }
                    else
                    {
                        AddLocalizedModuleMessage(UserController.GetUserCreateStatus(CreateStatus), ModuleMessage.ModuleMessageType.RedError, true);
                        userForm.DataBind();
                    }
                }
            }
            else
            {
                AddLocalizedModuleMessage("CAPTCHA incorrect, try again! - refresh the page to try again", ModuleMessage.ModuleMessageType.RedError, true);
                userForm.DataBind();
            }
        }

 

That correctly checks the new reCAPTCHA; if it is correct and all the other fields are correct, then the user is created. If the CAPTCHA is wrong or any other field is invalid, then it reloads the page with an error message. This is where my last problem is: all the registration fields are reloaded, but the reCAPTCHA doesn't load.

So maybe that's helpful to some people, and maybe some people can be helpful in solving that last problem. It has something to do with JavaScript not working on a postback.

 
New Post
5/21/2014 12:55 AM
 

Changed the password strength to 11 or more for now. The bot's password is about 10 characters I think. No spam accounts after changing this to 11 in last 48 hours.

This is not a good solution. But I am doing this until we have a proper solution from the core team.

I believe the core team should come up with a strong CAPTCHA for the registration process.

 