Severe Registration Spam is Back in 5.1 despite Recaptcha2 and Email Confirmation for Registration

Since undertaking the slow moving of 30+ sites from 4.3 to 5.x I hadn't enabled allowing the public to register until about a month ago.
I installed both the recaptcha2 add-ons and the emailconfirmationregistration and verified they are working.
But it looks like once again the bots are able to create accounts en masse without going through any of the verification processes.
In just the last 2 days I have about 50 new bogus accounts created on one site. Today I have had to once again turn off allowing people to create their own accounts on this community site.
Appreciate any suggestions on how to address this. Last time (years ago) this happened this much, it turned out to be a security issue that triggered a hotfix.
I don't know if this is collective.emailconfirmationregistration's fault/responsibility (but could be totally mistaken); it seems like it may once again be a core Plone issue as before?
I provide version information, example bogus registration bounced email, and details here: https://github.com/collective/collective.emailconfirmationregistration/issues/11
Thanks for any help.

1 Like

Funnily, the same thing happened to me with my community website. However, I did something bad to overcome the issue. I wrote a custom view that overrides the default registration and implemented the following:

  • block registrations that aren't browser-based requests (user agents).
  • recaptcha
  • email verification, which expires in two days (user data is stored as annotated data until it is verified)
  • scheduled deletion of user registration data if no verification after the two days. Castle CMS has something similar to this out of the box.

So my approach is not really a good approach when it comes to reusability.
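An added illustration of the expiring-registration part of that approach (not code from the post or from Plone): pending sign-ups are held outside the user store until the emailed token is verified, and a purge job drops anything older than two days. It assumes a plain dict in place of Plone's annotation storage and a hypothetical user-agent check.

```python
import secrets
from datetime import datetime, timedelta

PENDING_TTL = timedelta(days=2)  # verification window from the post


def is_browser_request(user_agent):
    """Cheap first filter from the post: reject requests with no browser-like UA.
    The header is client-supplied, so this only trims naive bots; the token
    and the expiry below do the real work."""
    ua = (user_agent or "").strip()
    return ua.startswith("Mozilla/")


class PendingRegistrations:
    """Unverified sign-ups never become accounts; only a valid, unexpired token does."""

    def __init__(self, ttl=PENDING_TTL):
        self.ttl = ttl
        self._pending = {}  # token -> record (stand-in for annotation storage)
        self.users = {}     # username -> record of verified accounts

    def request(self, username, email, now):
        # Unguessable token; this is what would be emailed to `email`.
        token = secrets.token_urlsafe(32)
        self._pending[token] = {"username": username, "email": email, "created": now}
        return token

    def verify(self, token, now):
        rec = self._pending.pop(token, None)
        if rec is None:
            return False  # unknown or already-used token
        if now - rec["created"] > self.ttl:
            return False  # expired: record is discarded, no account created
        self.users[rec["username"]] = rec
        return True

    def purge_expired(self, now):
        # Scheduled job: drop stale pending records, return how many were removed.
        stale = [t for t, r in self._pending.items() if now - r["created"] > self.ttl]
        for t in stale:
            del self._pending[t]
        return len(stale)

    def pending_count(self):
        return len(self._pending)
```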

Forwarded to security team

1 Like

Alas, the problem has returned. I noticed some issues a few weeks ago with bogus accounts, so I deleted the 50+ bogus accounts and then quickly installed emailconfirmationregistration. But today I started getting a bunch of email bounces for the account confirmation stage, but nobody waiting in the confirmation queue.

They are successfully injecting bogus accounts into the system. It looks like "they" have so far injected 26 bogus accounts into the Users listing.

I have both recaptcha set up and working, and collective.emailconfirmationregistration. They both seem to work when I test them, but somehow something is getting past that process?
So far only one of the 30+ sites in that Plone instance is showing this activity.
Version information (running on CentOS 7):
Plone 5.1.4 (5114)
CMF 2.2.12
Zope 2.13.27
Python 2.7.14 (default, Jun 26 2018, 10:14:38) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
PIL 5.1.0 (Pillow)

Suggestions?
Thanks!

Example bounce message (half dozen and counting so far today):

From: RPG Research Website rpgresearcher@gmail.com
To: trentburnell@s0ny.igg.biz
Subject: User Account Information for RPG Research - Studying the effects of all role-playing games and their potential to improve lives.
Date: Fri, 08 Feb 2019 16:31:01 -0700
Welcome Luther Aslatt, Your user account has been created. Your username is Luther. Please activate it by visiting http://www.accessiblerpg.com/rpgresearch/passwordreset/7c1f2e6b093e4214be850c86b109bef1?userid=Luther Please activate your account before Feb 15, 2019 11:31 PM
With kind regards,

RPG Research Website

I merged your reply to another old thread here.

None of that logic belongs in a view. Roll your own PAS plugin for that.

Just checking in to see if there is anyone looking into this? Additional info anyone needs me to post to help track down? We've had to turn off registration on all our websites again alas.
Please advise. Thanks!

The security team is aware of this thread. We haven't yet been able to confirm this behavior or track down the root cause.

Could you check the access log for unexpected requests that might give us hints about how this happens? @mauritsvanrees already checked the 2015 bug and it is not a regression of the old one, so this must be something new/different. You can send us the information to security@plone.org if you think it's not a good idea to make it public.

Okay. I will check it out and see what kind of content is there. If it is sensitive I will send it via the email. If not risky I will post here. Thanks for following up. Will do all possible to help track this down. It is happening on multiple installations across CentOS and Ubuntu on 3 different servers over the past many months (we're consolidating back to just one server, with CentOS, currently). So it has been repeatable on our end on different configurations (VPS and direct hardware, and different Linux variants) as far as being a problem. Will get back as soon as I have a chance.