
Spam accounts are created even though I have enabled the captcha

I'm using Vanilla 2.1.3 with basic registration, that has the captcha activated.

Also, I have enabled the "Require users to confirm email addresses".

Current behavior is:

  • people are creating spam accounts (it seems there is an unprotected URL somewhere and they can avoid filling in the form with the captcha)
  • spam accounts can create content and tags, even though they haven't confirmed their email (user role seems to be assigned before they confirm their email)

How can I protect my forum against this? It's really annoying...

Comments

  • hgtonight ∞ · New Moderator

    Hello!

    Spammers could be doing many things to get into your forum. The two most likely are:

    1. Exploiting vulnerabilities in your version of Vanilla (Vanilla 2.1.11 is the most recent OS version)
    2. Creating accounts manually and then automating "content production"

    It also sounds like your permissions are not set up properly. Guest and Unconfirmed roles should not be able to add anything.

    You can also add/enable some SPAM addons like Akismet and StopForumSpam. I highly recommend both.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • mtschirs ✭✭✭
    edited September 2015

    hgtonight is most likely correct, there is a user registration vulnerability in Vanilla 2.1.8 that is actively exploited by spammers. That would also explain how they are able to bypass your permissions.

    Upgrading to 2.1.11 is the best solution. If you still experience such issues afterwards, think about upgrading to the master branch (more secure but less tested on alternative server configurations).

  • Perfect. Will update right away and wait a little to evaluate if I get new bogus users. Also will check those addons!

  • So far, no spam accounts are created since upgrade!
