No logging for user validation emails?

I’m troubleshooting an issue with fake user accounts being created on one of our journals, running 2.4.8-3, and I can’t seem to find any logs, in the email_log table at least. Am I missing something?

It’s strange that these fake user registrations have spiked since we’ve recently updated to 2.4.8-3 in order to upgrade to reCAPTCHA v2. Is there any way to tighten up registration security more, either through reCAPTCHA or OJS?

Thanks,

Damian

Hi @drbauder,

See ReCAPTCHA broken in OJS 2.4.8-3 · Issue #3425 · pkp/pkp-lib · GitHub – there are two pull requests there, one for the OJS installation directory, and one for the lib/pkp subdirectory, that need to be applied to OJS 2.4.8-3 in order to get ReCAPTCHAv2 working.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Thanks for the quick response! I just applied patches from the following sources: https://github.com/pkp/ojs/compare/ojs-2_4_8-3...ojs-stable-2_4_8.diff and https://github.com/pkp/pkp-lib/compare/ojs-2_4_8-3...ojs-stable-2_4_8.diff. Hopefully that takes care of it.

Can you give me any more details about how the updated code fixes the issue? I’m hoping this will cut down on fake emails/registrations, assuming they were able to submit because the captcha code was failing somehow.

Also, is there any option to log emails for user validation?

Thanks,

Damian

Hi @drbauder,

@ctgraham put those patches together and could probably tell you more about the issue.

Make sure that you’ve got the appropriate config.inc.php settings in place – look at config.TEMPLATE.inc.php for a sample (blank) configuration file.

The best way to watch for change is to keep an eye on the users table, using a tool like phpMyAdmin if you’re not comfortable with SQL. You should see a pretty quick change if you’ve been enjoying bot registrations without a working ReCAPTCHA test. You can also watch for unvalidated accounts by looking for entries with null values in the date_validated column.

Regards,
Alec Smecher
Public Knowledge Project Team
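As an added example that is not part of this thread or of OJS itself: the "keep an eye on the users table" advice above, turned into a small script that runs the two checks Alec describes against a constructed sample of a users-like table. Only the date_validated column is named in the post; the date_registered column, the other column names and all sample rows are assumptions modelled on the OJS 2.4.x schema, not copied from it. The queries inside the functions are plain SQL, so they can also be pasted into phpMyAdmin or the mysql client against a real installation.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows modelled on the OJS 2.4.x `users` table. The forum post
# names the date_validated column; date_registered and the other columns are
# assumptions about that schema, not copied from OJS itself.
SAMPLE_USERS = [
    # (user_id, username, email, date_registered, date_validated)
    (1, "editor1",   "editor@example.org",    "2017-11-01 09:00:00", "2017-11-01 09:05:00"),
    (2, "reviewer2", "rev@example.org",       "2017-11-02 10:00:00", "2017-11-02 10:30:00"),
    (3, "jsmith",    "jsmith@example.org",    "2017-11-09 15:00:00", None),  # recent, may still validate
    (4, "qwzk8831",  "qwzk8831@mail.invalid", "2017-11-05 03:01:00", None),
    (5, "qwzk8832",  "qwzk8832@mail.invalid", "2017-11-05 03:01:40", None),
    (6, "qwzk8833",  "qwzk8833@mail.invalid", "2017-11-05 03:02:15", None),
    (7, "qwzk8834",  "qwzk8834@mail.invalid", "2017-11-05 03:03:02", "2017-11-05 03:04:00"),  # scripted sign-up that validated
    (8, "qwzk8835",  "qwzk8835@mail.invalid", "2017-11-05 03:03:50", None),
]

NOW = datetime(2017, 11, 10, 12, 0, 0)  # fixed "current time" so results are reproducible
FMT = "%Y-%m-%d %H:%M:%S"


def load_sample_db():
    """Create an in-memory SQLite database holding the constructed users-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               user_id INTEGER PRIMARY KEY,
               username TEXT NOT NULL,
               email TEXT NOT NULL,
               date_registered TEXT NOT NULL,
               date_validated TEXT
           )"""
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def unvalidated_accounts(conn, older_than_hours=24, now=NOW):
    """Accounts whose validation email was never acted on, skipping registrations so
    recent that a real person may still click the link."""
    cutoff = (now - timedelta(hours=older_than_hours)).strftime(FMT)
    return conn.execute(
        """SELECT username, email, date_registered
           FROM users
           WHERE date_validated IS NULL AND date_registered < ?
           ORDER BY date_registered""",
        (cutoff,),
    ).fetchall()


def registrations_per_day(conn):
    """Daily registration counts; a sudden jump is the quickest sign of bot sign-ups."""
    rows = conn.execute(
        """SELECT substr(date_registered, 1, 10) AS day, COUNT(*)
           FROM users
           GROUP BY day ORDER BY day"""
    ).fetchall()
    return dict(rows)


def spike_days(conn, threshold):
    """Days on which registrations reached a count you consider abnormal for the journal."""
    return sorted(day for day, n in registrations_per_day(conn).items() if n >= threshold)


def registration_bursts(conn, window_seconds=120, min_accounts=3):
    """Runs of accounts each created within `window_seconds` of the previous one.
    Several registrations a minute apart is typical of scripted sign-ups, not people."""
    rows = conn.execute(
        "SELECT username, date_registered FROM users ORDER BY date_registered"
    ).fetchall()
    bursts, current = [], []
    for username, registered in rows:
        t = datetime.strptime(registered, FMT)
        if current and (t - current[-1][1]).total_seconds() > window_seconds:
            if len(current) >= min_accounts:
                bursts.append([u for u, _ in current])
            current = []
        current.append((username, t))
    if len(current) >= min_accounts:
        bursts.append([u for u, _ in current])
    return bursts


if __name__ == "__main__":
    db = load_sample_db()
    print("Unvalidated for >24h:", unvalidated_accounts(db))
    print("Registrations per day:", registrations_per_day(db))
    print("Spike days (>=3):", spike_days(db, 3))
    print("Bursts:", registration_bursts(db))
```

Running it on the sample data flags the five accounts created within three minutes on 2017-11-05 as a burst, and lists the four of them that never validated; the account that did validate is the case @ctgraham describes, where passing ReCAPTCHA and email verification alone is not proof of a human.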

Hi, @drbauder.

When I initially implemented ReCAPTCHA v2 for OJS 2.4.8, I didn’t cover the use case of notification list subscriptions and I inadvertently broke (the now unusable) ReCAPTCHA v1. This was fixed in the patches @asmecher references.

Unfortunately, ReCAPTCHA alone will not stop all spam registrations. We’ve found several instances of botnets (or distributed mechanical turks?) targeting specific journals we host or publish. These registrations are completing the ReCAPTCHA challenge and in many cases are also completing email verification (!!!). We were experiencing these registrations on the order of hundreds per day.

We are piloting three new modules to help to address this:


@asmecher and @ctgraham, thank you both for your help and insight. I believe I have/had the reCAPTCHA settings in config.inc.php set correctly, but I’ll take another look and keep an eye on the database and reCAPTCHA stats in the meantime.

Cheers,

Damian

We observed the same: botnets that target specific journals and are able to bypass ReCaptcha. Analysis of the logs shows that the attacks follow in most cases the same pattern. We are now able to exclude efficiently (>99.9%) unwanted bots or users from registering, logging in or calling user profiles using additional code that protects the attacked pages. However, that might not work for every host. I think the bot honeypot may be a good idea to follow up.
@asmecher, @ctgraham - you may contact me privately for discussing the matter and for getting my code.

Hi @mpbraendle,

Always open to proposals – drop me a private message if you’d rather discuss it privately.

Thanks,
Alec Smecher
Public Knowledge Project Team