MyBB Community Forums

Full Version: Spammers bypassing forum registration
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Our forum is only a few weeks old, and already we've been hit by spammers, even though the entire forum is closed to non-registered guests. I know there are a million posts here about what to do about spammers, and I'm slowly working my way through them. However, I have another related issue that concerns me...

A few of the spammers are somehow getting approved user accounts without either of the admins actually approving. We need to have Admin Approval activated for our site for various reasons, and we also have some required questions on the registration. These spam accounts are not answering the required questions at all. We only notice them because they show up - one user got as far as posting something spammy, but most of them we've been able to catch pretty fast. I've just been manually checking all the new users for the past few days to make sure none are spam.

How are they able to skip the Admin Activation part? Will the anti-spam plugins even help if they're just completely bypassing the registration? And of course... how can I stop it?

Forum addy is
bypassing admin activation part should not be possible. not sure how spam bots are managing that.
a couple of fixes are available for registration security questions plugin (1 & 2)
and there is an alternate plugin for the same purpose - Signup Questions
So, we had a legitimate person bypass the admin activation - not a spammer. I am wondering if this could be related to the Tapatalk plugin somehow? I have tried replicating it on various browsers and devices, but have been unable. Anyone else have issues with this?
^ there is possibility that TapaTalk plugin not considering MyBB system permissions ..
My forum has recently had a similar issue over the past couple of days. The "baddies" are somehow bypassing our 'required' custom profile questions. We don't have any of the listed vulnerable plugins installed. We don't require admin approval but we do require email verification. We also require the Location and Bio fields to be filled-in. They do do that with "China" and "Thanks" in those respective fields, which luckily makes them pretty easy to be recognized as 'baddies' right away.

So far I and my mods have been dealing with them manually by first banning those accounts and then I've banned the IPs followed by deleting those banned accounts.

P.S. We are running AdvancedProfile (3.0) by Alexandru21, if that helps.
I got a auto registration bot hit my site, so I have 30'000 waiting to be activated. how can I delete them, other than 20 at a time.
I am having the same problem. Spammers are bypassing the admin approval all together.

Tapatalk is an interesting thought though. I had an employee of Tapatalk email me saying there was an issue with SSO and he was asking for admin rights to fix the issue. I denied him, but I am wondering if that may be how they are getting onto my site. If that's the case, I will disable Tapatalk.
^ yes, I prefer uninstalling TapaTalk plugin.
Tapatalk have a feature called "User Group Assignment". And by default this group is Registered.
Change this setting and everything will be ok.