Spammers creating accounts and bypassing membership pro payment process

4 years 7 months ago - 4 years 7 months ago #127802 by erixis
I have a site set up using Membership Pro to charge for membership. It is set up so that in order to create an account users must fill out a form, answering required unique professional questions, and either pay or choose the "send a check" option. Membership Pro then creates their pending subscription, and we manually verify them for membership qualifications. A Joomla account isn't created until we approve them.

All this works well, but on several occasions this past week, somehow a spammer has managed to create a Joomla account without going through the Membership Pro component. I need to lock this down, but I'm not sure where the hole is.

Their account is not activated, so they can't log in with it, but it is given the subscriber group privilege, not admin privilege.

Joomla is 3.9.11.
The latest version of Akeeba Admin Tools is installed.

Need some help before I get hacked.
Last edit: 4 years 7 months ago by erixis.

4 years 7 months ago #127804 by Tuan Pham Ngoc
Hello

1. Spam still happens, but it does not mean that your site is being hacked. To avoid spam, you should configure and use reCAPTCHA. See docs.joomla.org/J3.x:Google_ReCaptcha for instructions on setting it up.

2. I don't understand why an account (without payment) has subscriber group privilege? Maybe there is something wrong with your setup. You can submit a support ticket sending us a super admin account for your site so that I can take a quick look at your settings and make sure they're OK.

Tuan

4 years 6 months ago #128304 by Ira Adams
Was a solution for this ever reached? I am also encountering this issue. Spammers are submitting false registrations and are somehow even able to fill in the transaction ID from PayPal.

4 years 6 months ago #128306 by erixis
Ira,
Yes, we were able to fix the problem. For one thing, I deleted my reCAPTCHA keys and created new ones using invisible reCAPTCHA. This helped.
We set up two redirect plugins properly, the system one and one provided by Joomdonation, so that using Joomla's default signup form redirects to the Membership Pro signup. Look for "System - Redirect" and "Membership Pro Registration Redirect" in your plugin list and set them to redirect to your desired registration URL.
Also, in the Joomla Users area, under the Options tab, set the email domain options to reject subscriptions from the domain that is spamming your site.
While you are there, make sure that the default group for registered users is set to 'Registered', not 'Subscribers'. Then, if you do get spammed, the fake accounts won't be in your paid user group and will still have limited access to content.

So far, after making these changes, we haven't had any fake accounts set up.
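The redirect described in the post above is the part that actually closes the bypass: a bot does not need to load the registration form page, it can POST straight to com_users' registration task, so only redirecting the form view leaves the hole open. The following Joomla 3 system plugin is an added example written for this thread, not the Joomdonation "Membership Pro Registration Redirect" plugin or Joomla's own "System - Redirect" plugin. The plugin name `mpregredirect`, the `target` parameter and the default Membership Pro registration URL (`com_osmembership`, view `register`) are assumptions; adjust them to your site, and ship the file with the usual plugin XML manifest.

```php
<?php
// plugins/system/mpregredirect/mpregredirect.php  (hypothetical plugin name)
// Added example: sends every request for Joomla's core registration,
// form page AND form submission, to the Membership Pro registration instead.
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\Router\Route;

class PlgSystemMpregredirect extends CMSPlugin
{
    // onAfterRoute fires after Joomla has parsed option/view/task but before
    // com_users runs, so the core registration controller never executes.
    public function onAfterRoute()
    {
        $app = Factory::getApplication();

        // Only the site frontend exposes self-registration; leave the
        // administrator client alone so admins can still create users.
        if ($app->isClient('administrator')) {
            return;
        }

        $input  = $app->input;
        $option = $input->getCmd('option');
        $view   = $input->getCmd('view');
        $task   = $input->getCmd('task');

        // GET of the form page ...
        $isRegistrationPage = ($option === 'com_users' && $view === 'registration');
        // ... and the POST handler a bot would call directly, bypassing the form.
        $isRegistrationPost = ($option === 'com_users' && $task === 'registration.register');

        if (!$isRegistrationPage && !$isRegistrationPost) {
            return;
        }

        // Destination comes from the plugin params; the default below is an
        // assumed Membership Pro registration URL, not a documented constant.
        $target = $this->params->get('target', 'index.php?option=com_osmembership&view=register');

        // 303 turns the bot's POST into a GET of the membership form; no
        // account is created because com_users never ran.
        $app->redirect(Route::_($target, false), 303);
    }
}
```

Checking that it works is a matter of replaying the bypass yourself: send a POST to `index.php?option=com_users&task=registration.register` with the form fields filled in and confirm that the response is a 303 and that no new row appears in the users table. Combined with the 'Registered' default group mentioned above, anything that does slip through lands outside the paid group.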

4 years 6 months ago #128307 by erixis
Here is the info I used for the reCAPTCHA config.

docs.joomla.org/J3.x:Google_ReCaptcha

For Joomla group assignment, see membershipprodoc.joomservices.com/joomla-groups-integration for detailed instructions.

I also enabled this plugin: membershipprodoc.joomservices.com/miscel...tion-redirect-plugin
4 years 6 months ago #128311 by Ira Adams
Thanks for your help!

4 years 1 month ago - 4 years 1 month ago #132325 by spitjack
:: set email domain options to reject subscriptions from the domain that is spamming your site

Whoever is doing this is spoofing domains like gmail and hotmail; the goal here is to stop them so that nobody has to go in and clean out 100 fake registrations every couple of days.

__
a 'spit' is a rod upon which savory food was roasted, turned in ancient times by a 'jack', a middle English word for an ordinary laborer (eg jack of all trades, steeplejack, lumberjack). Today, this job is usually referred to as a 'pitmaster'.
Last edit: 4 years 1 month ago by spitjack.

4 years 1 month ago #132328 by Tuan Pham Ngoc
Yes, that could be an option. However, from my experience, there are real customers with gmail emails, so be careful with domain restrictions.

Tuan

4 years 1 month ago #132331 by spitjack
I think the redirect plugin will stop most of the attacks. We are open to suggestions about how to handle free 30-day trial memberships.
