It’s been a very long time (over 3 years!) since I last wrote a line of code for this project, so my hiatus was obviously significantly extended. I’ll have more on that later, but I’ve decided once again to try to get back at it.
The first thing I did was log into the forum as an admin, only to find over 6272 registration requests. I’m sure that 100% of them are spam. Casually scanning the list, I’m seeing emails like toniagx18@ryoichi.hiroyuki73.kiesag.xyz and n.x.g.s.oft.wa.resolu.ti.o.n.s.co.m@gmail.com. These are not real people. I’ve been getting ~60 requests a day. ~44% are from a “.xyz” domain and ~39% are from “.ru”.
A long time ago (I think it was October 2018), I implemented the phpBB Q&A plugin spambot countermeasure. I choose a question that would not generate an answer if run on Google and would require a small amount of digging on the forum. Well, apparently sometime in July 2019 the spammers actually went to the effort of digging out the answer and programming it into their spambots.
I’ve now effectively disabled registration requests by requests by removing the answer to the Q&A, and it was easy enough to delete all of the requests from the admin panel, but I’m going to need to figure out a way to stop this. CAPTCHAs haven’t worked for a while. Email verification would probably help a ton, but I’d like a way to control registrations after the email is verified.
Also, I’m getting a slew of failed login attempt notifications as spammers try to brute force me admin password (I’m blocking IPs after 3 failure attempts) and and I still getting email spam even after changing the configuration to require being logged into email the admin (they might be guessing the email address).
This is going to require some thinking and research. I hate these people.