I’m troubleshooting an issue with fake user accounts being created on one of our journals, running 2.4.8-3, and I can’t seem to find any logs, in the email_log table at least. Am I missing something?
It’s strange that these fake user registrations have spiked since we’ve recently updated to 2.4.8-3 in order to upgrade to reCAPTCHA v2. Is there any way to tighten up registration security more, either through reCAPTCHA or OJS?
Thanks,
Damian
Hi @drbauder,
See ReCAPTCHA broken in OJS 2.4.8-3 · Issue #3425 · pkp/pkp-lib · GitHub – there are two pull requests there, one for the OJS installation directory and one for the lib/pkp subdirectory, that need to be applied to OJS 2.4.8-3 in order to get ReCAPTCHA v2 working.
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @asmecher,
Thanks for the quick response! I just applied patches from the following sources: https://github.com/pkp/ojs/compare/ojs-2_4_8-3...ojs-stable-2_4_8.diff and https://github.com/pkp/pkp-lib/compare/ojs-2_4_8-3...ojs-stable-2_4_8.diff. Hopefully that takes care of it.
Can you give me any more details about how the updated code fixes the issue? I’m hoping this will cut down on fake emails/registrations, assuming they were able to submit because the captcha code was failing somehow.
Also, is there any option to log emails for user validation?
Thanks,
Damian
Hi @drbauder,
@ctgraham put those patches together and could probably tell you more about the issue.
Make sure that you’ve got the appropriate config.inc.php settings in place – look at config.TEMPLATE.inc.php for a sample (blank) configuration file.
The best way to watch for change is to keep an eye on the users table, using a tool like phpMyAdmin if you’re not comfortable with SQL. You should see a pretty quick change if you’ve been enjoying bot registrations without a working ReCAPTCHA test. You can also watch for unvalidated accounts by looking for entries with null values in the date_validated column.
Regards,
Alec Smecher
Public Knowledge Project Team
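The monitoring Alec describes, as an added example that is not code from the thread or from OJS: registrations per day, the number of those still lacking a date_validated, and a listing of the unvalidated accounts. The script uses an in-memory sqlite3 stand-in for the OJS users table with constructed rows; the column names user_id, username, email, date_registered and date_validated are assumed to match the OJS 2.x schema. The SQL is written to be MySQL-compatible so the same queries can be pasted into phpMyAdmin or the mysql client against a real installation.

```python
import sqlite3

# Constructed sample rows (user_id, username, email, date_registered, date_validated).
# They are invented for this example: the first three look like ordinary users, the
# rest mimic a same-minute burst of bot sign-ups, two of which completed validation.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org", "2018-03-01 09:10:00", "2018-03-01 09:15:00"),
    (2, "bob", "bob@example.org", "2018-03-02 11:00:00", "2018-03-02 11:20:00"),
    (3, "carol", "carol@example.org", "2018-03-03 08:00:00", None),
    (4, "xkq8172", "xkq8172@example.com", "2018-03-04 02:00:01", None),
    (5, "mmfrt441", "mmfrt441@example.com", "2018-03-04 02:00:02", "2018-03-04 02:01:30"),
    (6, "pzl0093", "pzl0093@example.com", "2018-03-04 02:00:03", None),
    (7, "rttv7718", "rttv7718@example.com", "2018-03-04 02:00:04", None),
    (8, "ghq5521", "ghq5521@example.com", "2018-03-04 02:00:05", "2018-03-04 02:01:45"),
    (9, "nwd3306", "nwd3306@example.com", "2018-03-04 02:00:06", None),
]

# Registrations per day, with how many of them never validated (date_validated IS NULL).
PER_DAY_SQL = """
SELECT DATE(date_registered) AS day,
       COUNT(*) AS registered,
       SUM(CASE WHEN date_validated IS NULL THEN 1 ELSE 0 END) AS unvalidated
FROM users
GROUP BY DATE(date_registered)
ORDER BY day
"""

# Accounts that never completed e-mail validation, newest first.
UNVALIDATED_SQL = """
SELECT user_id, username, email, date_registered
FROM users
WHERE date_validated IS NULL
ORDER BY date_registered DESC
"""


def build_sample_db():
    """In-memory stand-in for the OJS users table (only the columns the queries need)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               user_id INTEGER PRIMARY KEY, username TEXT, email TEXT,
               date_registered TEXT, date_validated TEXT)"""
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def registrations_per_day(conn):
    """List of (day, registered, unvalidated) tuples in date order."""
    return conn.execute(PER_DAY_SQL).fetchall()


def unvalidated_accounts(conn):
    """List of (user_id, username, email, date_registered) for accounts with no date_validated."""
    return conn.execute(UNVALIDATED_SQL).fetchall()


def burst_days(conn, threshold):
    """Days whose registration count exceeds `threshold` (a site-specific baseline).
    With a working ReCAPTCHA these should disappear; if they persist, the bots
    are passing the challenge and the registrations need closer inspection."""
    return [day for day, registered, _ in registrations_per_day(conn) if registered > threshold]


if __name__ == "__main__":
    conn = build_sample_db()
    for day, registered, unvalidated in registrations_per_day(conn):
        print(f"{day}: {registered} registered, {unvalidated} unvalidated")
    print("burst days (> 5 registrations):", burst_days(conn, 5))
    for row in unvalidated_accounts(conn):
        print("unvalidated:", row)
```

On a real journal, run PER_DAY_SQL before and after applying the patches; a drop in daily totals and in the unvalidated column is the evidence that the captcha is now being enforced, while a burst day with mostly validated accounts points at the kind of bots that complete e-mail verification.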
Hi, @drbauder.
When I initially implemented ReCAPTCHA v2 for OJS 2.4.8, I didn’t cover the use case of notification list subscriptions and I inadvertently broke (the now unusable) ReCAPTCHA v1. This was fixed in the patches @asmecher references.
Unfortunately, ReCAPTCHA alone will not stop all spam registrations. We’ve found several instances of botnets (or distributed mechanical turks?) targeting specific journals we host or publish. These registrations are completing the ReCAPTCHA challenge and in many cases are also completing email verification (!!!). We were experiencing these registrations on the order of hundreds per day.
We are piloting three new modules to help address this:
@asmecher and @ctgraham, thank you both for your help and insight. I believe I have/had the reCAPTCHA settings in config.inc.php set correctly, but I’ll take another look and keep an eye on the database and reCAPTCHA stats in the meantime.
Cheers,
Damian
We observed the same: botnets that target specific journals and are able to bypass ReCaptcha. Analysis of the logs shows that the attacks in most cases follow the same pattern. We are now able to efficiently exclude (>99.9%) unwanted bots or users from registering, logging in or calling user profiles using additional code that protects the attacked pages. However, that might not work for every host. I think the bot honeypot may be a good idea to follow up.
@asmecher, @ctgraham - you may contact me privately for discussing the matter and for getting my code.
Hi @mpbraendle,
Always open to proposals – drop me a private message if you’d rather discuss it privately.
Thanks,
Alec Smecher
Public Knowledge Project Team