Automated spamming registrations despite "Captcha" verification code

Hello

 

A few days ago, a series of massive auto-registrations started to take place on my site. As far as I could see, they come mostly from Korea and Vietnam, advertising rubbish stuff. This is happening despite the verification code. I thought it was unbeatable. The other possibility would have been that they do it manually, but I delete them in bulk.

I changed the settings to not allow registrations until confirmation by email, and yes, they don't get to appear on the web, but now it is my email that is being spammed by those bastards. I went to see their registration page and I was surprised to see (or rather should not have been surprised) that they managed to register despite not filling out certain compulsory fields like last name and description. This means they are registering some other way and not by passing through the script.

What I am thinking is that since this is open source, they are using a script that exploits the registration "Join.php" one.

To make matters worse, the only way I have (as far as I know) to see their IP is when they are actual members and they are shown on the web, with no picture and their rubbish ads.

I also got an email that "the registration had been confirmed", which it never was by me.

To send a complaint to "abuse" of their ISP is a joke. Those rubbish countries are another joke, they could not care less, they are all drug traffickers.

 

So, what can be done?

 

thank you

Quote · 27 Aug 2011
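
Accounts that arrive without the compulsory fields, as described in the post above, point to clients that POST to the join script without ever loading the form, and the web server's access log records both that pattern and the client IP. The following is an added example, not part of the original thread: it assumes the Apache/nginx "combined" log format and a join script at `/join.php`, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Aug/2011:10:00:01 +0000] "GET /join.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Aug/2011:10:00:40 +0000] "POST /join.php HTTP/1.1" 200 812 "http://example.test/join.php" "Mozilla/5.0"
203.0.113.9 - - [27/Aug/2011:10:01:02 +0000] "POST /join.php HTTP/1.1" 200 790 "-" "-"
203.0.113.9 - - [27/Aug/2011:10:01:03 +0000] "POST /join.php HTTP/1.1" 200 790 "-" "-"
203.0.113.44 - - [27/Aug/2011:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.44 - - [27/Aug/2011:10:02:11 +0000] "POST /join.php?x=1 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
"""

# client IP, request method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def blind_join_posts(log_text, join_path="/join.php"):
    """Return {ip: count} of POSTs to join_path from clients that never
    fetched the form with GET earlier in the same log."""
    fetched_form = set()
    blind = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, _status = m.groups()
        if target.split("?", 1)[0] != join_path:
            continue  # only requests for the join script matter here
        if method == "GET":
            fetched_form.add(ip)
        elif method == "POST" and ip not in fetched_form:
            blind[ip] += 1
    return dict(blind)


if __name__ == "__main__":
    for ip, n in sorted(blind_join_posts(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} POST(s) to join.php without loading the form")
```

A client whose GET sits in an older, rotated log file will be reported as well, so run it over a window long enough to cover a normal signup.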

Yeah, the Captcha Dolphin uses was cracked a long time ago. If you're on a VPS or dedicated, install mod_security and block all links. This stops most spammers from joining. If you're on shared hosting your options are limited. One way to stop the automated signups is to rename join.php to something else. After you rename the file you have to change the reference in these files also:

inc/design.inc.php
inc/admin.inc.php
inc/classes/BxDolProfileFields.php
langs/lang-en.php
member.php
templates/base/scripts/BxBaseMenu.php
templates/base/login_join.html

Then update the setting in admin under advanced settings that links to the join file.

Now just like any other code modifications this is going to be a headache if you ever want to upgrade.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 27 Aug 2011

Yes, the captcha was cracked. We have a few clients complaining about this. We have helped them with a custom captcha from us. It works well now.

----
Quote · 28 Aug 2011

Yes, the usual captcha is easy enough for robots to hack. This is because custom/logic captchas have been so popular lately. Some time ago I integrated one of these nice captchas for Dolphin.

What else can I advise... OK, even if a robot joined successfully, what you can do is just close all possible actions behind membership levels (as an example). And if some of your members would like to write blogs for your website, you will always be able to grant them the necessary level, isn't that so?

Or you can disable auto-approving everywhere too (and approve new website content yourself). This is a solution too.

Quote · 28 Aug 2011

 

Yes, the usual captcha is easy enough for robots to hack. This is because custom/logic captchas have been so popular lately. Some time ago I integrated one of these nice captchas for Dolphin.

What else can I advise... OK, even if a robot joined successfully, what you can do is just close all possible actions behind membership levels (as an example). And if some of your members would like to write blogs for your website, you will always be able to grant them the necessary level, isn't that so?

Or you can disable auto-approving everywhere too (and approve new website content yourself). This is a solution too.

That captcha is worse than the default one.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 28 Aug 2011

 

Yes, the captcha was cracked. We have a few clients complaining about this. We have helped them with a custom captcha from us. It works well now.

 I think I need it for my site. How can I get that?

Quote · 28 Aug 2011

 

Yeah, the Captcha Dolphin uses was cracked a long time ago. If you're on a VPS or dedicated, install mod_security and block all links. This stops most spammers from joining. If you're on shared hosting your options are limited. One way to stop the automated signups is to rename join.php to something else. After you rename the file you have to change the reference in these files also:

inc/design.inc.php
inc/admin.inc.php
inc/classes/BxDolProfileFields.php
langs/lang-en.php
member.php
templates/base/scripts/BxBaseMenu.php
templates/base/login_join.html

Then update the setting in admin under advanced settings that links to the join file.

Now just like any other code modifications this is going to be a headache if you ever want to upgrade.

 Thanks for this. I'm going to go ahead and make these changes. My spam stuff isn't that bad because I have custom fields in my join form but it still happens even when they can't verify.

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Aug 2011
 
 