Web Wiz - Green Windows Web Hosting
Web Wiz Homepage Search Web Wiz

  New Posts New Posts RSS Feed - Spam accounts getting past registration
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Spam accounts getting past registration
 Post Reply Post Reply Page  12>
Author
  Topic Search Topic Search  Topic Options Topic Options
frankied210 View Drop Down
Newbie
Newbie


Joined: 21 February 2012
Status: Offline
Points: 8 		Post Options Post Options   Thanks (0) Thanks(0)   Quote frankied210 Quote  Post ReplyReply Direct Link To This Post Topic: Spam accounts getting past registration
    Posted: 21 February 2012 at 6:57pm

I'm getting several new user accounts created each day that don't fill out all the required information in the registration form.

 I added 3 questions and made them required and location by default is required but in all these new accounts, none of the four have anything in the fields.
  I tried to create an account leaving them blank and got rejected so it appears the form is working so I conclude that this is somehow an injection expoite. Any suggestions on preventing new account injections like this? They don't activate the account so spam isn't getting posted but the sig lines and urls are all over the registration info and I don't want to help these people out with getting thier google rankings up or any new traffic.
  
Back to Top
WebWiz-Bruce View Drop Down
Admin Group
Admin Group
Avatar
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844 		Post Options Post Options   Thanks (0) Thanks(0)   Quote WebWiz-Bruce Quote  Post ReplyReply Direct Link To This Post Posted: 22 February 2012 at 9:53am
What version of Web Wiz Forums are you using?
Web Wiz Forums Hosting
ASP.NET Web Hosting
Back to Top
Scotty32 View Drop Down
Moderator Group
Moderator Group


Joined: 30 November 2002
Location: Manchester, UK
Status: Offline
Points: 1682 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Scotty32 Quote  Post ReplyReply Direct Link To This Post Posted: 22 February 2012 at 10:13am
Originally posted by frankied210 frankied210 wrote:

 I added 3 questions and made them required and location by default is required but in all these new accounts, none of the four have anything in the fields.

Do you use JavaScripts to make them "required" or ASP?

If you used JavaScripts it is trivial to bypass, as you simply turn off JavaScripts in your browser.
S2H.co.uk - WebWiz Mods and Skins

For support on my mods + skins, please use my forum.
Back to Top
WebWiz-Bruce View Drop Down
Admin Group
Admin Group
Avatar
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844 		Post Options Post Options   Thanks (0) Thanks(0)   Quote WebWiz-Bruce Quote  Post ReplyReply Direct Link To This Post Posted: 22 February 2012 at 11:00am
It does use JavaScript for the validation for custom registration fields in version 10. 

However, from version 10.03 onwards there is more security on the registration, due to a Microsoft forum that we host that came under fire from a bot that was clever enough to read CAPTCHA codes all the way up till they got so hard even a human could not read them.

Anyway the up shot of this is that version 10.03 adds a number of extra security features to the registration pages, including having to have JavaScript enabled in order to be able to register.

We are planning to remove the CAPTCHA altogether in the future from Web Wiz Forums as CAPTCHA no-longer offers protection from newer more sophisticated bots that have very clever OCR that is designed specifically to read CAPTCHA codes and are able to read all CAPTCHA codes from all popular CAPTCHA vendors. I've run tests with these and you have to make the CAPTCHA so distorted with so much noise that no-one can read them.

This means that web developers are having to use much more clever systems for defeating bots, which are included on the registration page, and these types of protection will be extended to other areas of Web Wiz Forums so that CAPTCHA can be removed altogether.
Web Wiz Forums Hosting
ASP.NET Web Hosting
Back to Top
frankied210 View Drop Down
Newbie
Newbie


Joined: 21 February 2012
Status: Offline
Points: 8 		Post Options Post Options   Thanks (0) Thanks(0)   Quote frankied210 Quote  Post ReplyReply Direct Link To This Post Posted: 22 February 2012 at 2:27pm
Originally posted by WebWiz-Bruce WebWiz-Bruce wrote:

What version of Web Wiz Forums are you using?
I just upgraded to 10.3 and this has been an issue for my site since v7.x.  Could this be a SQL injection right into the database and a complete bypass of the registration form?
Back to Top
WebWiz-Bruce View Drop Down
Admin Group
Admin Group
Avatar
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844 		Post Options Post Options   Thanks (0) Thanks(0)   Quote WebWiz-Bruce Quote  Post ReplyReply Direct Link To This Post Posted: 23 February 2012 at 7:57am
It would not be an SQL Injection as Web Wiz Forums has multiple defences against SQL Injections. The registration page also uses ADO to populate the database which adds an extra layer or protection against SQL Injection.
Web Wiz Forums Hosting
ASP.NET Web Hosting
Back to Top
frankied210 View Drop Down
Newbie
Newbie


Joined: 21 February 2012
Status: Offline
Points: 8 		Post Options Post Options   Thanks (0) Thanks(0)   Quote frankied210 Quote  Post ReplyReply Direct Link To This Post Posted: 23 February 2012 at 2:31pm
Originally posted by WebWiz-Bruce WebWiz-Bruce wrote:

It would not be an SQL Injection as Web Wiz Forums has multiple defences against SQL Injections. The registration page also uses ADO to populate the database which adds an extra layer or protection against SQL Injection.
 
I think you are right, not an SWL injection. I had a "real" user register yesterday and I noticed in his profile, he didn't enter anything in the 3 required questions I added to the registration page.
  I have tried several time to register a test account without these fields and I get an error when I submit the form (as I should).  Not sure why some new user accounts (mostly spammer accounts) are getting through this proccess and actually getting entered into the database.
 
Back to Top
WebWiz-Bruce View Drop Down
Admin Group
Admin Group
Avatar
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844 		Post Options Post Options   Thanks (0) Thanks(0)   Quote WebWiz-Bruce Quote  Post ReplyReply Direct Link To This Post Posted: 23 February 2012 at 2:57pm
It maybe that they are entering a space for these fields and as only javacsript is used to validate these extra fields when enabled from the admin area they would be fairly simple to get round. Server side validation will be coming in the future.
Web Wiz Forums Hosting
ASP.NET Web Hosting
Back to Top
 Post Reply Post Reply Page  12>

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.08
Copyright ©2001-2026 Web Wiz Ltd.

Become a Fan on Facebook Follow us on X Connect with us on LinkedIn Web Wiz Blogs
About Web Wiz | Contact Web Wiz | Terms & Conditions | Cookies | Privacy Notice

Web Wiz is the trading name of Web Wiz Ltd. Company registration No. 05977755. Registered in England and Wales.
Registered office: Web Wiz Ltd, Unit 18, The Glenmore Centre, Fancy Road, Poole, Dorset, BH12 4FB, UK.

Prices exclude VAT at 20% unless otherwise stated. VAT No. GB988999105 - $, € prices shown as a guideline only.

Copyright ©2001-2026 Web Wiz Ltd. All rights reserved.