Forums | Mahara Community

Excessive spamming lately


Dirk Meyer
Posts: 425

07 January 2014, 14:09

Wondering if anyone has the same issue:

I turned off registration for all institutions on a 1.8. Spammers are still creating many accounts.

Dirk Meyer
Posts: 425

07 January 2014, 15:19

deleted my own update

Aaron Wells
Posts: 896

07 January 2014, 17:19

Hi Dirk,

If you untick "Registration allowed" for all institutions then it shouldn't be possible for them to self-register new accounts.

Unless you're also using an external authentication method, and the spammers are creating accounts in the external authentication source. For instance, if you had an institution set up with an XML-RPC auth instance to an external Moodle site, and you ticked "We auto-create users", and the spammers were creating accounts in the Moodle site and then roaming over into Mahara. (At a glance, I see the auth methods that allow user creation are XML-RPC, LDAP, SAML, and Persona.)

Cheers,

Aaron

Aaron Wells
Posts: 896

07 January 2014, 17:21

On a somewhat related note, I tried implementing ReCAPTCHA support to cut down on spam registrations here on mahara.org, back in November. It didn't work, and we continued to get the same number of registrations.

But, if you want to see whether ReCAPTCHA might help with your problems (assuming you want to turn normal self-registration back on), the code is linked to on this Launchpad bug: https://bugs.launchpad.net/mahara/+bug/1252098

Cheers,

Aaron

Account deleted
Posts: 6

07 January 2014, 22:51

The site I'm running is also suffering from a large amount of Spam. Captchas never really worked for me so I'm thinking about other ways to restrict registration. I'd like to be able to only allow registrations from emails with certain domains. Has anyone managed to configure/patch Mahara to allow such a behaviour?

Don Presant
Posts: 255

08 January 2014, 1:34

I'm having similar trouble, spam accounts requesting access to the one open institution I have.

Jens' idea sounds like a good one, but wouldn't work for me.

I see sites that discuss alternatives to things like (re)CAPTCHA (pictures, math questions, simple Q&A); I know they each have pros and cons...are any of these on the table?

Aaron Wells
Posts: 896

08 January 2014, 11:11

Hi Don,

I implemented and deployed reCAPTCHA here on mahara.org in November. It didn't cut down on spam account creation here, possibly because the spam here is actually being carried out by low-wage human beings. If that's the case, then no captcha system will make a difference.

The one thing that has cut down on spam here is the "new user probation" system I deployed in early December. Since putting that in place, we've seen a drop in spam forum posts, spam wall posts, spam private messages, and spam page creation, to nearly zero.

On the other hand, we're still getting what look like spam accounts (except with no content) created at roughly the same rate as before! I'm hoping that eventually they'll realize that this site is no longer useful for spam purposes and will stop wasting their time creating accounts here.

Cheers,

Aaron

PS: Since the probation system has been effective, I'm planning on including it in Mahara 1.9. For now the code (which still needs some polishing) is here. I'm still undecided about whether to upstream the reCAPTCHA implementation since that had no effect on our spam rates.

Don Presant
Posts: 255

08 January 2014, 13:20

Hi Aaron:

That probation thing sounds promising!

Account deleted
Posts: 6

08 January 2014, 2:14

I made a quick and dirty patch to restrict e-mail addresses at registration to specific domains: https://gist.github.com/jensp/8299103

Aaron Wells
Posts: 896

08 January 2014, 11:27

Yep, that'll do the job. For a less "quick and dirty" version, I'd suggest putting the check in the "auth_register_validate" method in htdocs/auth/lib.php. And, make it an optional per-institution setting, so that each institution that allows self-registration can have a different list of required email domains.

That would make it sort of like Facebook in the early days, when you had to have an email address from a specific list of universities, in order to register an account. On the other hand, I think fewer universities are giving out email addresses to students these days, so this may be of limited use.

I would have thought that in most cases if you've got a Mahara site that should only be accessible to people from a specific organization, you'd do best to turn off self-registration and use an external auth method connected to the organization's servers, or pre-create the users from a CSV.

Cheers,

Aaron
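
The per-institution email-domain restriction discussed in the posts above, sketched as an added example. It is not part of the thread and is neither Mahara's code nor the linked gist. The function names, the comma-separated setting format, the "*." wildcard convention and the sample addresses are all assumptions made for illustration. It shows the two details such a check usually gets wrong: taking the domain after the last "@", and enforcing a label boundary so look-alike domains do not match.

```php
<?php
// Added illustration; not Mahara code. All function names and the setting
// format are hypothetical, and the sample data below is constructed.
// Turn a setting string like "example.edu, *.example.ac.nz" into a rule list.
function parse_allowed_domains($setting) {
    $rules = array();
    foreach (preg_split('/[\s,]+/', strtolower($setting), -1, PREG_SPLIT_NO_EMPTY) as $rule) {
        $rules[] = rtrim($rule, '.');
    }
    return $rules;
}

// True if $email may register under the given rules.
function email_domain_allowed($email, array $rules) {
    if (count($rules) === 0) {
        return true; // assumption: empty list means the restriction is off
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // rejects "a@b@example.edu", embedded whitespace, etc.
    }
    // Take the part after the LAST "@": a quoted local part may contain "@".
    $domain = strtolower(substr($email, strrpos($email, '@') + 1));
    foreach ($rules as $rule) {
        if (strncmp($rule, '*.', 2) === 0) {
            // Wildcard: compare against ".example.ac.nz" so the label
            // boundary is enforced and "evilexample.ac.nz" cannot match.
            $suffix = substr($rule, 1);
            if (strlen($domain) > strlen($suffix)
                && substr($domain, -strlen($suffix)) === $suffix) {
                return true;
            }
        } elseif ($domain === $rule) {
            return true; // exact match only; subdomains need a "*." rule
        }
    }
    return false;
}

// Constructed per-institution settings and registration attempts.
$institutions = array('uni' => 'Example.EDU, *.example.ac.nz', 'open' => '');
$attempts = array('alice@example.edu', 'bob@cs.example.ac.nz',
    'eve@example.edu.spam.test', 'mallory@notexample.edu', 'x@evilexample.ac.nz');
foreach ($institutions as $name => $setting) {
    $rules = parse_allowed_domains($setting);
    foreach ($attempts as $email) {
        printf("%-5s %-28s %s\n", $name, $email,
            email_domain_allowed($email, $rules) ? 'allow' : 'reject');
    }
}
```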
