Fake users still appearing even after captcha and patching

datarazor's picture

Hi there,

Wondering what else I should check on my site.

D6 site, all latest security patches. Have captcha module enabled.

Cleaned out the site of dummy users but I am still getting them to appear on the site. Along with fake comments.

Both user registration and posting comments requires a captcha image verification, but somehow they are still appearing.

What other security methods should I be looking at, or other forms of vulnerabilities that I need to check, to see why they are still being made?

Before I patched with the security update I should mention that the index.php file was compromised somehow and was attempting to post some spam links on the page as part of the render.

No other files were changed and I have since flused the site with the files that are in the codebase (did a replacement of all files with those from GIT).

Site status shows no red flags (settings.php is protected etc.)



So, are you saying that

loopduplicate's picture

So, are you saying that somehow, people are creating accounts and posting spam comments? If so:

"Both user registration and posting comments requires a captcha image verification, but somehow they are still appearing."

Well, if all you have is a captcha there, then anyone can create a user or a comment. And once in awhile, a spam bot will get through a captcha as well.

How many comments and users are appearing every day? Have you tried using Mollom?

Sorry if I misunderstood you. Perhaps you mean that you created some test users and comments, maybe using Devel, and can't get rid of them?

Disclaimer: I'm just some Drupal dude, not on the security team or anything like that.


Thanks Jeff for your

datarazor's picture

Thanks Jeff for your thoughts.

I can indeed install Mollum, Honeypot or some other security method over the captcha image choice, but usually image captcha works -- the fact that the index.php was compromised leaves me a bit more worried though.

I don't think a human is entering accounts, and it is possible that the image captcha is being broken but I also just increased its complexity further and it is still being broken.

We are talking 30 or so fake users a day.

Fountain City Productions
Creative-Technical solutions
Beautiful websites built with Drupal

Could be humans...

bedlam's picture

Hi there,

Don't be so quick to rule out humans. We've seen lots of comment entry and user registration that's obviously been committed by people.

Mollom may help, as might honeypot—though with honeypot we've seen less technical, but legitimate users lock themselves out, so be careful with the settings.

In the end, you may need to disable un-moderated user registration.

@datarazor captchas are no

likewhoa's picture

@datarazor captchas are no match for automated bots these days and you need other forms of protection like mollum and bad behavior module.

Spam owners pay 'captcha solving' services to solve all forms of captchas.

bending technology to fit businesses.

Thanks for your comments and

datarazor's picture

Thanks for your comments and suggestions. I suspect myself captcha breaking algorithms taking place, so I'll work on setting up a different method of protection.

It definitely isn't a human though because the city chosen, for example, is in France but the country is USA. Or the street name is in German and it makes no sense... and then the user name sometimes is just digits like 24897345. -- It could be a human, but a very sloppy bad one.

Fountain City Productions
Creative-Technical solutions
Beautiful websites built with Drupal

With Mollom I still get fake

datarazor's picture

With Mollom I still get fake users and comments being added, so it isn't working any better than an image-captcha system.

I do see a good percentage of traffic from China, and the client suggested themselves to ban China from accessing the site since it is unlikely China would like to access their site for "legitimate" reasons.

I don't like the idea of censoring a site to an entire country, but maybe there is no other way in this instance?

These new accounts continue to add in addresses that are illogical, like giving a US city and then a zip code for someone who lives in the Netherlands (format of a Dutch zip code is 4 numbers and two letters: 1234 AB), with a hotmail email and a site link to some obviously spam thing (like perfume webpage)

Since the spam only goes to the moderated comments and then never appears on the site, I doubt any human being would bother doing this several times a day when they don't show up on the actual site and just bombard the client's inbox instead.

Country ban aside: Honeypot might be the way to go next, unless someone had a different suggestion.

Is country banning a common practice with Drupal security choices these days or should I avoid this at all costs (like my consciousness is telling me I should)



Fountain City Productions
Creative-Technical solutions
Beautiful websites built with Drupal

I'm not sure honeypot will help this

ktmom's picture

I use project Honeypot on all of my websites. It's purpose is to trap email harvesters. I think you may want the Bad Behavior Project;

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however.

The problem: Spammers run automated scripts which read everything on your web site, harvest email addresses, and if you have a blog, forum or wiki, will post spam directly to your site. They also put false referrers in your server log trying to get their links posted through
your stats page.

As the operator of a Web site, this can cause you several problems. First, the spammers are wasting your bandwidth, which you may well be paying for. Second, they are posting comments to any form they can find, filling your web site with unwanted (and unpaid!) ads for their products. Last but not least, they harvest any email addresses they can find and sell those to other spammers, who fill your inbox with more unwanted ads.

Bad Behavior intends to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts.

Fake registrations

cswann's picture

I recently installed Drupal 7 cm_starterkit_moderate distribution.

The fake registrations started almost immediately.

Over the years I have installed and managed at least 1/2 a dozen different content management systems and have never had ANY fake registrations of this sort using just standard captchas as preventive measure.

I suspect somewhere in the code (core and/or modules) an alert message is going out alerting someone or a network when a Drupal site is brought online.

I would be curious to know from those experiencing the attacks if you installed Drupal core or a distribution. I would also be curious to know what type of spam is being posted to your site since I set administrator approval for registration from the beginning.

I am reinstalling just the Drupal core and will take it from there. For sure I will not run a package that does this. We know spam is a money maker and temptation can be great for low level developers.

From my web searches this issue has been going on for several years. I may have missed it but I did not see any meaningful developer feedback.

Let me take a look and see who the Drupal core developers are and where they are from.

Call me an old cynic who has been around a long time.........

My experience

arlingtonvoicellc's picture

I've been building websites with Drupal for years. Drupal's versatility allows me to quickly build complicated web-based applications that would not be conventionally possible with out-of-the-box solutions like Wordpress. I've also found the community to be fairly responsive in addressing development issues.

That said, I will be the first to say Drupal has MANY shortcomings as it relates to its user profile system.

I operate a local news website built on Drupal. We push hundreds and even sometimes thousands of visits each day. I have implemented Recaptcha, mollum, and e-mail verification and probably some other measures I'm forgetting. None have been successful in preventing spam user registrations. And I do get at least 5-10 each day.

I've searched for a solution to this problem for years and have turned up empty-handed.

The suggestion that a developer simply switch to a platform of moderating every piece of content submitted is simply not feasible on a website that pushes large volumes of traffic.

I know Drupal 8 is in development. I've noticed some things that are a big driver of this development -- such as mobile compatibility.

But I really believe the user registration spam issue is a major shortcoming that can turn-off bigger websites from using Drupal. User registration spam should be priority in Drupal 8.

We need more large websites using Drupal, as it adds to the platform's credibility. So if we can't provide a platform for these large companies that rely on user-driven content, how can we expect Drupal to become the leading CMS?

..And maybe that's never been the goal of Drupal. Who knows?

I will say that the user registration seems to not be getting any better. And there doesn't appear to be any effort from the Drupal community to seriously address this issue.

I would address it if I had the know-how, but I'm not a developer.

CSwann brings up a very valid point in that the broadcasting of new drupal websites could be driving spam. For example, modules receive data from websites that dowload the module. I'm not an expert in this field by any means, but I certainly think this deserves a look.

Is this creating a security loophole for spammers? If it isn't. Then what is driving the large amount of spam user registrations that don't seem to be apparent in platforms like Wordpress?

Would be happy to discuss to help work toward a solution.

Reliable alternative to CAPTCHA

eugeniqa's picture

Hi to all participants of this discussion,
I think I am late with the solution however dispite almost the year has passed I do it. I would not like to have it considered as an ad but it can be a real solution to prevent fake accounts (users) creating. I would like to propose to try Keypic http://drupal.org/project/keypic
We develop Keypic keeping in mind the unity spam protection+accessibility.
Keypic shows better results for blocking fake registrations, spam comments, spam contact forms submittings, etc. Along with effective spam protection you users do not need to prove they are humen (better User engagement, higher conversion and loyalty). We developed a special anti spam (spambots and spamers) algorithm that is more effective than CAPTCHA. Just try, it is available for free. I think you will see the difference. No CAPTCHA, No Spam!