I'm just wondering, I keep getting bots registering to my forum, how is this possible when the API system registration isn't working, and I have registrations disabled from the forum?

Are you certain they're bots?

There are spammers that are known for using a human to enter the image, and then henceforth allowing a bot to post further. Even sometimes humans do it purposely.

Ok either way the point is the registration system has been disabled on the forum, and the API registration I have is broken and wont write to the database, so no accounts should be getting made at all

Your registration system is enabled:

Disable Registrations: When enabled, only staff members will be able to register new accounts.

You've set it to disabled which means disabling registrations is turned off. I admit the wording on that needs much improvement.

I took a look at two of the users and they seem to have registered via the same server. If that is a proxy server or some kind of spam bot I do not know. I do not see how they could have registered without entering the captcha code. However I will run some tests and if I don't find anything I'll add some tracking to try and work out what is happening.

Hmm wow, ok the registration got re-enabled some how, Disable Registration was set to disabled and i know I had it on enabled

and ok

Is it something you changed recently? I may have saved over your change when I was making a change to a setting for all forums using a custom domain.

No i had it enabled a while ago, when i started working the the registration system. I did it so the forum would stay private till I have everything connected properly :/

Hi Dwight,

I cannot see any way that that could happen other than by someone accidentally changing it. I have one of the forums I setup using disabled registrations Do let me know if it changes itself again and do let me know if any other suspicious users register. As the last two seem to have come from the same IP we could just blacklist that on the server.

OK i'll keep an eye on it, and its completely possible I accidentally changed the wrong thing while editing the settings at some point and just never noticed.

Nope i'm sure there is something wrong. 2 more people registered, after I changed the system back to being disabled, so some how they are bypassing the registration system being disabled or are getting the API registration system working and I can't :/

I check and the last 4 accounts made are all from the same IP address.

OK, I think I have found the problem. Disabling registrations was not disabling the "import account" page. That could be how they were registering. I've fixed that so lets see if that fixes the problem. If it does, then I will implement some extra security on the import account functionality to stop it from being abused in the future

Ok now I went og o delete the accounts that had been made and i get this:

"An unknown error has occurred. Please contact our support forum (Log ID: 1261313690)"

But I go back and the accounts are gone.

I believe I know what it is trying to do. Nothing to worry about. As you say, the account itself still gets removed

Ok ross, the accounts are still being created 3 more accounts have been made and I don't know how. the registration system is still disabled, cause i know I didn't change it. And they all have the same IP address. So if you fixed the problem with the account import, and the registration system is disabled and the API registration doesn't work, any idea how they are registering?

I would just ban the IP, but I really want to find out how they're doing it

Leave it with me, I'll setup a load of tracking on the server later tonight, for every possible method of registering. Then next time they register an account we should at least be able to narrow down which method they are using (standard register, import account or API) and from there we should be able to pin point the exact problem.

Thanks for bearing with me on this

No problem, i'm kind of wondering myself how they are registering.

Could they not be disabling JavaScript in the browser which is bypassing the disabled registration allowing them to register?

I doubt that, disabling of registration isn't Javascript

Full tracking has been put in place. Now lets just wait and see...

If you could let me know when someone else registers on there that would be great. Just in case they are somehow getting past the tracking

Ok i will, the person seems to be registering 3 accounts very day so i'll have to wait till tomorrow to see if more get registered.

How are they able to know your forum? I don't even know it. You have it well hidden from the vF Directory, so who else could have gotten to your forum, other than your staff?

lol i don't know how that are finding it

the reason I have it hidden is because I ain't completely ready to fully setup the databases, unless I would have it completely up and running very room. Mainly need to complete the registration, and get a static IP address for my server, and then get it to that the databases are all in sync, and its all ready to go. Game and all

I am assuming I found it, which was quite easy really. I'll PM you on how I found your forum.

Ross, found the problem.... After all the times i've tried to register an account for testing with the api, it finally started working so they are registering via the api

I was guessing that it might be that. was 50/50 on that. I was like, that doesn't seem right, if he disabled registration, how on earth are they registering. Then I just found the register button on his site, and asked him if it was ok, and it worked. Of course it wouldn't let me login, but I was able to register.

you should be able to login. In fact it should of logged you in automatically but I noticed your account was made and you said it was from the api and i tested it and it went through the thing is I haven't changed anything on it in days. Either way the forums internal registration is disabled. Just need to find a way to disable the api registration, maybe for now just removed the code and save a copy to my desktop till i code in all the database writing.

Anyways Thank Ross and DM


Edit: Ross some think i've noticed though is that with the api, if the suer try to make an account and they use an preexisting username, it logs them in when they hit register, instead fo showing the error that the account doesn't exist, which based on what i've seen within the api, you already have those check in place, yet they ain't working.

No I was not able to login. Told me I had the wrong ID/Password. and logging in on the forum is a no go either.

But you are welcome.

If an existing username is used it depends on what settings are sent to the API. It can either just return a failure or try for X times to find an available username, eg. username2

@ Darkmage, is it possible the account was registered as username2, username3 etc? Try checking the most recent members on the forum or (if the API told it to send it) your welcome e-mail.

@ Dwight, most strange. Glad we've sorted how they're registering though. I haven't changed anything on the registration API recently other than add a load of tracking Maybe the system is so clever it debugs and fixes itself

Hmm ok well i ain't using the username finding at all, but its not sending an error at all, its just logging the person in. I've tested it a few times after DM realized the API is working lol.

Also the API is not sending an welcome email or confirmation or any form. But from what i was reading in the API notes, thats something I have to setup myself, but if its not then that don't work.

LOL maybe

Posted By dog199200 on 22nd Dec 09 at 10:00am

 

Hmm ok well i ain't using the username finding at all, but its not sending an error at all, its just logging the person in. I've tested it a few times after DM realized the API is working lol.

Also the API is not sending an welcome email or confirmation or any form. But from what i was reading in the API notes, thats something I have to setup myself, but if its not then that don't work.

LOL maybe

The API can send the welcome e-mail for you, if you tell it to. I checked the log I setup on there and your call to the API is sending the parameter "skip_email=1", when that is sent it tells the API to skip the e-mail sending.

I checked what the API is throwing back when you try to register an existing username and if there is an error it throws back a string, eg. "The requested username already exists (username)". For a success, it should be throwing back an array of the user data (eg. username, display name, profile data etc.)

Hmm I must of miss read how to set that, ok well its fixed now.

Hmm well its not giving the error. not on the password nor the username, I just tested it to make sure.

Posted By Ross on 22nd Dec 09 at 9:19am

 

If an existing username is used it depends on what settings are sent to the API. It can either just return a failure or try for X times to find an available username, eg. username2

@ Darkmage, is it possible the account was registered as username2, username3 etc? Try checking the most recent members on the forum or (if the API told it to send it) your welcome e-mail.

@ Dwight, most strange. Glad we've sorted how they're registering though. I haven't changed anything on the registration API recently other than add a load of tracking Maybe the system is so clever it debugs and fixes itself

Nah, it was "darkmage" as the username, and my normal password. I even checked the account my self and it was.

But I am able to login now. I just used the side bar login panel, and it worked, and then an email was sent after logging in for the validation key. So I'm fully logged in.

thats good to hear lol

Yeah. You can delete my account if you want.

Glad to help.