<p dir="ltr">Depends where you live and if you trust your neighbors.</p>
<div class="gmail_quote">On Jun 21, 2013 11:03 AM, <<a href="mailto:support-request@drupal.org">support-request@drupal.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
1. Re: How to safeguard sites from unwanted users (Jamie Holly)<br>
2. Re: How to safeguard sites from unwanted users (Kamal Palei)<br>
3. Re: How to safeguard sites from unwanted users (Jamie Holly)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 21 Jun 2013 10:00:02 -0400<br>
From: Jamie Holly <<a href="mailto:hovercrafter@earthlink.net">hovercrafter@earthlink.net</a>><br>
Subject: Re: [support] How to safeguard sites from unwanted users<br>
To: <a href="mailto:support@drupal.org">support@drupal.org</a><br>
Message-ID: <<a href="mailto:51C45C62.1040807@earthlink.net">51C45C62.1040807@earthlink.net</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
The goal is to make it more difficult for people to register unwanted<br>
accounts. You aren't going to stop it completely. Email verification is<br>
just another hoop for them to jump through, one that is also accepted by<br>
a vast majority of regular users. It should always be used.<br>
<br>
Something I did for a client last year was a custom module. It did a few<br>
things. First we could set the number of registrations per IP in a given<br>
time frame. After that the account requires admin approval. It also<br>
recorded all the request headers so that I could look for a pattern,<br>
which I ended up finding. Once I was able to isolate that, I blocked<br>
that pattern from registering, which took a client's site from a few<br>
hundred spam registrations per day, down to one or two per week. Per my<br>
agreement with that client, I can't give out that pattern, but doing<br>
something similar on any site wouldn't be that complex.<br>
<br>
A common practice now is for companies to hire people to generate these<br>
accounts. They then use the accounts to spam your site. After that a<br>
company contacts you regarding the spam on your site, offering to "clean<br>
it up" and help your seo rankings. Very, very dirty indeed.<br>
<br>
The interesting part of that is what we found out. The registrations<br>
were happening from IP addresses all around the globe, yet the actual<br>
spam postings were mostly from U.S. IP addresses and over 70% were from<br>
hosting companies that offer VPS. We were successful in getting one<br>
hosting company to shut down an account, but most just ignore it.<br>
<br>
The whole moral of the story is vigilance. Things like CAPTCHA, email<br>
verification and keeping bad user accounts to prevent reuse of bad names<br>
and emails all give an extra layer of security (albeit not all that<br>
much). Or do you believe in leaving the front door of your home standing<br>
wide open, when you aren't there?<br>
<br>
<br>
Jamie Holly<br>
<a href="http://www.intoxination.net" target="_blank">http://www.intoxination.net</a><br>
<a href="http://www.hollyit.net" target="_blank">http://www.hollyit.net</a><br>
<br>
On 6/21/2013 1:56 AM, John Summerfield wrote:<br>
> On 12/06/2013 10:37 PM, Jamie Holly wrote:<br>
> > +1 to that! Also, they can't reuse the email. Make it harder on them,<br>
> > not easier.<br>
><br>
> Reread gmail's rules about its email addresses. One can generate any<br>
> number of alternatives for any one email address. Besides, unless one<br>
> requires email addresses to be verified during registration, users can<br>
> use anything at all, even <a href="mailto:fred@example.net">fred@example.net</a> or joe@domain.test (both of<br>
> which _can_ be valid).<br>
><br>
> Email hosts often allow +arbitrarySuffix to the localpart of email<br>
> addresses, but the "+" can be another arbitrary character, I've seen<br>
> hyphens used.<br>
><br>
> And then there are some domains where everything is delivered, if not to<br>
> a specific addressee then to a default address and that too is configurable.<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 21 Jun 2013 19:45:03 +0530<br>
From: Kamal Palei <<a href="mailto:palei.kamal@gmail.com">palei.kamal@gmail.com</a>><br>
Subject: Re: [support] How to safeguard sites from unwanted users<br>
To: <a href="mailto:support@drupal.org">support@drupal.org</a><br>
Message-ID:<br>
<<a href="mailto:CALO8XuVd7N5-GyRPn6Ra_h_CyqRt8HgQXb391b47FDfXqPtVWA@mail.gmail.com">CALO8XuVd7N5-GyRPn6Ra_h_CyqRt8HgQXb391b47FDfXqPtVWA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
I am thinking of the solution below.<br>
<br>
For my site, it is easy for us to find who the unwanted users are using some<br>
mechanism. I am planning to write a custom module that will allow the<br>
administrator to list unwanted users, and I will keep references to these<br>
users in a separate table, let's call it *table-a*. When a new user<br>
registers, I will check table-a, and if any entry is found, I will use that<br>
entry's UID for the new user. Thereby, over time, the unwanted users you<br>
see on my site will be fewer.<br>
<br>
Best Regards<br>
Kamal<br>
Net Cloud Systems, Bangalore-08<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 21 Jun 2013 10:49:27 -0400<br>
From: Jamie Holly <<a href="mailto:hovercrafter@earthlink.net">hovercrafter@earthlink.net</a>><br>
Subject: Re: [support] How to safeguard sites from unwanted users<br>
To: <a href="mailto:support@drupal.org">support@drupal.org</a><br>
Message-ID: <<a href="mailto:51C467F7.2030808@earthlink.net">51C467F7.2030808@earthlink.net</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Why go through all that? You're reinventing the wheel. Just block the<br>
unwanted users and then a new user cannot be created with the same name.<br>
<br>
Also consider that a vast majority of spammers use a program to randomly<br>
generate a user name. That means that there are huge odds of them never<br>
using the same name twice for registration.<br>
<br>
Jamie Holly<br>
<a href="http://www.intoxination.net" target="_blank">http://www.intoxination.net</a><br>
<a href="http://www.hollyit.net" target="_blank">http://www.hollyit.net</a><br>
<br>
<br>
------------------------------<br>
<br>
--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br>
<br>
End of support Digest, Vol 126, Issue 26<br>
****************************************<br>
</blockquote></div>
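<p dir="ltr">Added example, not code from the thread or from any Drupal module: a Python sketch of the approach Jamie Holly describes in Message 1, a per-IP registration limit that falls back to admin approval, plus recording request headers so a repeating pattern can be found and blocked. The threshold, window, sample header sets and fingerprint method are assumptions chosen for illustration; the pattern Jamie found is not public and is not reproduced here.</p>

```python
import hashlib
from collections import Counter, defaultdict, deque

MAX_PER_IP = 3         # assumed threshold: registrations per IP per window
WINDOW_SECONDS = 3600  # assumed window length
VOLATILE = {"cookie", "content-length", "x-forwarded-for"}  # vary per request
# Constructed sample requests (not real traffic).
BROWSER = [("Host", "example.test"), ("User-Agent", "Mozilla/5.0 (constructed)"),
           ("Accept", "text/html"), ("Accept-Language", "en-US")]
SCRIPT = [("User-Agent", "Mozilla/5.0 (constructed)"), ("Host", "example.test"),
          ("Accept", "*/*")]

def header_fingerprint(headers):
    """Hash header names (in sent order) plus stable values into a short ID."""
    parts = [f"{k.lower()}={v}" for k, v in headers if k.lower() not in VOLATILE]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:12]

class RegistrationGate:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> timestamps inside the window
        self.fingerprints = Counter()     # fingerprint -> attempts recorded
        self.blocked = set()              # fingerprints an admin chose to block

    def check(self, ip, headers, now):
        """Return 'block', 'needs_approval' or 'allow' for one registration."""
        fp = header_fingerprint(headers)
        self.fingerprints[fp] += 1        # record every attempt for later review
        if fp in self.blocked:
            return "block"
        stamps = self.recent[ip]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()              # drop attempts that aged out
        stamps.append(now)
        return "needs_approval" if len(stamps) > MAX_PER_IP else "allow"

    def suspicious(self, min_count):
        """Fingerprints seen at least min_count times, most common first."""
        return [fp for fp, n in self.fingerprints.most_common() if n >= min_count]

def demo():
    gate = RegistrationGate()
    results = [gate.check("198.51.100.7", BROWSER, t) for t in (0, 60, 120, 180)]
    for i in range(5):  # same header pattern arriving from many addresses
        gate.check(f"203.0.113.{i}", SCRIPT, 200 + i)
    gate.blocked.update(gate.suspicious(min_count=5))
    results.append(gate.check("192.0.2.9", SCRIPT, 300))
    return results
```

<p dir="ltr">The per-IP limit alone would not have caught the second group, since each address registers only once; the recorded header fingerprint is what ties those attempts together.</p>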