Registration Log
#1
Just a quick heads-up. In the admin area, there was a registration log that had lots of entries that could not be deleted/cleaned up. I'm not certain what caused the problem, but I've manually cleaned out that area. I'm just mentioning it so that no one is surprised if they don't see all the entries that used to be there. They were all pretty old, and I suspect that they were remnants from the last forum upgrade.

I can restore it if necessary, but I suspect no one is going to mind. It's been a minor nuisance for a while now.
Reply
#2
It's great to have someone with your extensive programming knowledge. Thanks Rob!
Reply
#3
I wonder how you did it - I never found a way. Thanks.
Reply
#4
6373646D6D010 wrote: I wonder how you did it - I never found a way. Thanks.

There was no way of doing it through the web interface. You had to delete the contents of a log file on the filesystem. Each entry contained a reference that didn't exist in the member area so they couldn't be deleted through the admin interface.

Also

I fixed the issue that we've been seeing for a while where we get a count of 71 or some very high number of Pre-registered users. There were orphaned accounts (actually files) under the Members directory that I'm guessing were left from an earlier version of the forum software. I went through and removed all that I found. They were easy to distinguish. So now the counts should better reflect actual pre-registered accounts.
Reply
#5
All right, I downloaded a small portion of the forum to my laptop so I could do some tests. So I applied the changes and it appears to work fine. To enable it, one has to disable the current Captcha implementation, which is easy enough:

Go to the Admin Center, and navigate to the Security Settings link under the Security Center (on the left side). Select the Validation Image tab. The first item:

Activate Validation code on registration, forgot password, and send topic

Is the one that enables/disables the validation image/code.

If this is disabled and the SpamFruits mod has been installed, then it should just work. This effectively means that with the mod installed there will *always* be some form of additional validation enabled - either SpamFruits or the captcha implementation. This is probably a good thing though: while I was testing (and trying to figure out how to enable SpamFruits) I accidentally disabled captcha on the real forum and realized my mistake about 10-15 later. In that time, 35-40 fake accounts had been created!! That should give you some idea of how often the board is attacked.

The modification changes three files on the server and adds two images. All of the changes are small. I've backed up the original state of the files, and sent them to Vern along with the modification distro for SpamFruits. It looks like it's not available any longer online - at least for now. That's actually kind of helpful... something that isn't widely available is less likely to be targeted.
Also, I took a hard look at the change, and it would be easy to customize to make it unique for the forum if that becomes necessary.

It will be interesting to see how this improves things Smile

Rob
Reply
#6
The changes are installed and enabled and it looks good so far. Time will tell if it's helped. Please leave the captcha implementation disabled unless we're suddenly overwhelmed with fake accounts. The hope is that the SpamFruits mod will allow us to run without the difficult-to-use captcha.

update - I've been monitoring accounts, and the fix is looking good. I hate to get too optimistic about it though, because it's definitely beatable if someone spared a few moments to look at it closely. Probably worthwhile to start thinking of other modifications I can add to make it a little tougher. Not one fake account has been created since the change.
Reply
#7
Great, thanks Rob!
Reply
#8
You're welcome - it's nice to have something slightly different to bring to the table. Makes me feel useful. Plus, it's been eye-opening (and a little interesting) to see the sorts of security issues I never see at work. I'm astounded at the level of spamming that seems prevalent for even a relatively small site like this.

Smile

Reply
#9
Has anyone else tried out the new validation checker used for registration? I've tested it once, so I'm pretty sure it works as I'd expect, but I'd appreciate it if someone else could give it a try as well. I don't think we've had a new account (aside from my fake one, which I've already deleted) since I made the change and I'm a little nervous about it.
Reply
#10
I tried to register but I had to let the system send the validation mail to a different e-mail than mine, so I can't complete. But it seems to work OK.
Reply

