Re: Spam/bogus join requests
(messages to this thread were moderated earlier today because the thread was more than 2 weeks old. I've removed moderation on the thread).
On Fri, Mar 31, 2017 at 12:05 PM, Shal Farley <shals2nd@...> wrote:
I spent the last few hours investigating this. Here's what I've found and what I've done so far.
I went through a bunch of the NC pending members in Helen's group to see what was happening. There are around 25 NC people pending for her group, just in the last day. All the ones I checked had registered on the website. The email addresses are mainly gmail and yahoo. The addresses all appear to be valid. The IP addresses of the machines do not appear to be concentrated in any one area/service. The actions do not happen with a speed that would trip any reasonable rate limiter.
All of the signups I saw in the logs were the result of websites that had embedded the Groups.io signup form on their site (this is from the Promote page under the Admin menu). It appears that there is a crawler that goes around looking for sign up forms and inputs email addresses. It does not appear to be targeting us specifically. Our sign up form has some protection against crawlers, but clearly not enough.
I'm going to be a little vague here, but I've done a few things that should cut down on these bogus joins, at least in the short term. One of the things is that I updated the IP blocklists that I use to prevent connections from some parts of the Internet. I hadn't updated these lists in awhile; they were definitely out of date. That will take care of some of the bogus joins. I also did some other things that will block the majority of others, at least for now. I have no illusions that these actions will permanently solve the problem, but at least they should give some temporary relief.
It is clear that I need to harden the signup form some more against crawlers. And once I do that, people will need to replace the existing embedded signup forms with the new one. I will work on that the rest of today and try to get it out on Monday before I leave.
Longer term, I think we'll have to look at the idea of making people confirm their accounts before they become pending members. But that's a conversation for another thread.