Website Registration and Bots

We have, of late, been plagued with bots creating user accounts on the website. At peak, these can be hundreds a day. Combatting these is a work in progress. This page documents work to date (17/5/2018).

These bots go through the entire signup process, including receiving the 'confirm you are real' email and completing the signup process from the link therein.

  1. For now I have made all signups require administrator approval. This means I get a steady stream of notifications, and I guess which ones are spurious.
  2. I observed that the most prolific bots use email addresses from the domains lexxip.com and wgz.cz. I have modified modules/registration/xaruser/register.php to not send mails to those domains, but otherwise act normally.
  3. I experimented with hidden checkboxes. The idea is that bots blindly check boxes, and so if a hidden one is checked you know it's a bot. I found that this does trap a few, but is generally not effective.
  4. I tried a visible unchecked I agree I'm not a bot checkbox. The idea was that bots would leave it unchecked. If the box was not checked, the UI would flag this as an error. Unsurprisingly, bots figured this out. There is a tension here between allowing the user to correct a mistake, and letting a bot know it needs to try something else.
  5. Froma suggestion on the list, I added a text field which the user must fill in. The question is professionalism in what?. I've also been logging responses. It appears that some of these bots involve humans in the chain at some point; the most prolific have now learned the correct response.

My next plan is to add a https://www.google.com/recaptcha to the page. I wanted to avoid a captcha, but I now don't think there is any alternative.

Later (21/8/2018)

There is now a recaptcha on the registration page. This has slowed down the volume of registrations, but not eliminated spurious ones. I have also added gmaail.com to the list of quietly dropped domains.

It turns out there is also a problem with having registrations subject to administrator approval. When an existing member changes their email address, the account is set back to PENDING and they need to reconfirm their email address. If registration is subject to administrator approval, this also requires approval, BUT for some reason the email to the administrator fails, so the site member is left in limbo.

For this reason I've changed back to automatic approval. The admin still gets emails for fresh registrations, and can retrospectively delete.

https://git.accu.org/jim/xaraya-website/issues/1.