WordPress MU

I mean nothing.

site is here http://talkdelaware.com/blogs/

I have had 200 splogs register in the last 3 days.

I had security question setup as a password you had to email me to get. They got past that, I changed it, they still got past it. I have Re-Captcha, they get past it.

I DISABLED NEW SIGNUPS, they STILL are signing up. HOW IS THIS? Am I missing something here?

I thought it may be a vulnerability in the older MU so I upgraded yesterday, STILL getting in.

What could it be? HELP....please

-Caddy

Then you have existing SPAM USERS creating new splogs.

Captchas are actually pretty easy for splogs to get around.

If you are 100% positive you've gotten rid of all spammy users, there's other things you can do:
- moderated signups
- bots stoppers on the server level
- rename the signup file
- make sure you filled in all the banned email domains in Site Admin -> Options

can they create new spam users though? and I am 100% sure i dont have any spam users, i only have like 15 blogs and unless one got hijacked by a spammer i know all those people personally.

i have installed montyspam beta, tested it, and it is working as far as i can see.....now time to wait and see if it works....

if not ill take those extra steps, thanks andrea!

welp, monty didn't stop it.

I have double checked, all the blogs/users i have now are not spam.

i have disabled registration in admin

so now if i still get spam, what does that mean? someone is adding them via the database? or is there a vulnerability i dont know about?

If you still get splogs, start checking your access logs.

sorry for the newbyness, but how do i do that?

and yeah, i had 2 new users and splogs since i did that above...

Try the wordpress hashcash plugin.

that seems to be only helpful with comment spam. and fwiw i actually removed the wp-signup.php file in the directory and am still getting signups....

Access logs are server logs.
Do you have anything in the banned email domains field?
Have you started banning IP addresses?

no i havent done that yet as i am kinda a noob with WP, it is all new to me, I run vbulletin forums mostly.

but im reading and learning, thanks for you alls help. Ill check my logs at home, blocked here at work :(

It's not just for comment spam, it works with signups also.

I got the same problem.
Banning email, limited country signup, disable registration, delete the wp-signup.php, de-integrate bbpress, delete bbpress, use re-captcha, use signup question, upgraded to the latest version of wpmu, all of them can't stop splog :(

One of the splog signed up at my site is using the IP 65.171.115.141 so I looked into the access log...

65.171.115.141 - - [05/Oct/2008:08:05:09 +0700] "GET /wp-activate.php?key=365b3fcc9ef07937 HTTP/1.1" 200 3769 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

65.171.115.141 - - [05/Oct/2008:07:57:13 +0700] "GET /wp-activate.php?key=ec73c40f3b6383ce HTTP/1.1" 200 3662 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

65.171.115.141 - - [05/Oct/2008:06:23:44 +0700] "GET /wp-activate.php?key=5480009380c6b987 HTTP/1.1" 200 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

65.171.115.141 - - [05/Oct/2008:06:06:31 +0700] "GET /wp-activate.php?key=f94ac39405a650f5 HTTP/1.1" 200 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

65.171.115.141 - - [05/Oct/2008:05:46:52 +0700] "GET /wp-activate.php?key=701003000c6114ae HTTP/1.1" 200 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

The IP address 65.171.115.141 just make directly access to the activation link, no referrer, no prior path.

Sorry for my bad English.

HashCash knocks em dead.

I like HashCash as well, but block them at the server as well. If you have Advanced Protection Firewall with linux, I would

apf -d 65.171.115.141

Sometimes spammers get creative and get through all the filters and blocking them at the server level is the only way.

Thanks Trent, I've added the line.

Hmm.. there must be something wrong, even I've added the deny list in /etc/apf/deny_hosts.rules for 65.171.115.141 I still got spammed by 65.171.115.141 :(

Will try HashCash now...

If you added it manually, did you restart apf?

if you do it as noted above, it flushes and becomes active immediately.

ok so i feel dumb after looking back at this...lol

i checked the emails i was getting, ALL the IP's were the same, so i did a disallow in htaccess and haven't had a 1 since.

@Caddy - Same me. I've added the IP to deny list in .htaccess and now no more splog :D

However, I still wondering how could spammer signed up while there is no wp-signup.php ?

Because they are hitting the activate-new-blog script. The functions for adding a new blogs are scattered in a few different files.

sorry for replying on this old thread but I need advice. Instead of creating a new thread, I'll just post here as I have the same problem.

I already did the following :
Akismet
hashcache
signup question
disabled registration
blocked certain IPs in .htaccess
checked wp_capabilities (no other admin)

Still, I get bogus registrations. No blogs were created but they were able to complete the registration. In effect, they can comment on the blogs.

My wpmu has only five blogs, all but one was created by me. The other is created by my friend. My wpmu installation has bbpress integrated with it.

Now, I also installed project honeypot in bbpress. Anything else you can suggest?

They're coming in thru bbpress. Disable the registrations on it.

Follow Andrea's advice for bbPress and also read Darcy Norman's article on restricting spam signups via .htaccess:
http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/

yes, they are coming thru bbpress based on the logs. so I implemented the simple plugin in http://bbpress.org/forums/topic/howto-disable-registration just now.

The fix thru the .htaccess is also good but the spammers has tons of IPs that even if I deny access on certain blocks, the list will still be too many to be placed on .htaccess. But I still left those that are persistent in .htaccess.

I'm also thinking of using the API of http://www.stopforumspam.com/ although they only allow up to 5000 queries per day. Although there's an option of creating my own API since the database of the IPs is downloadable.

I'll update the post on the result of the disabling o the registration. By the way, I stopped using bad behavior as it blocks me too.

Thanks to all!

after disabling the registration in bbpress, there are no longer.

I now have the following installed on my wordpress mu
Akismet
hashcache
signup question
blocked certain IPs in .htaccess