
Lots of SPAMMERS signing up in an odd way - is there a hole somewhere?

5 years 7 months ago - 5 years 7 months ago #311285 by mikerotec
Lately I get a rash of users "signing up" in a very odd way - that is, they get authorized as "registered" - but do not have either our (mandatory!) "Free" subscription, nor our optional "Paid" subscription user group membership. It's almost like they are signing up for a paid account, but then abandoning their cart --- EXCEPT there are no baskets ever found for the offending users. (Emails are mostly protonmail, outlook, and gmail.)



In any event, they somehow make an activated account, and then somewhere between hours and WEEKS later, they show up on our forum to spam it with a couple of posts. I'm torn between thinking they are actual humans solving the (multiple!) CAPTCHAs, and then dumping the credentials to a spambot factory - OR - it's some kind of automated signup backdoor loophole (which is very concerning...)

It's a lot of work chasing them down, banning them, deleting their posts. I have put up a "hold new users first couple of posts for approval" on our forum, but it SERIOUSLY INCONVENIENCES our actual PAYING USERS, most of whom sign up and make a paid subscription expressly for the purpose of posting an urgent question on our support forum.

Despite me posting a clear notice on the signup page, the FAQ page, AND the welcome email - the vast majority of these users are oblivious to the "first couple forum posts are moderated" advisories, and instead repeatedly post their first message multiple times (up to a DOZEN TIMES!!!) expecting it to be instantly published... It's a big hassle for me to individually delete each of those repeat posts, too...

Any advice on this?

5 years 7 months ago #311305 by krileon

> Lately I get a rash of users "signing up" in a very odd way - that is, they get authorized as "registered" - but do not have either our (mandatory!) "Free" subscription, nor our optional "Paid" subscription user group membership. It's almost like they are signing up for a paid account, but then abandoning their cart --- EXCEPT there are no baskets ever found for the offending users. (Emails are mostly protonmail, outlook, and gmail.)

A basket without a payment method selected will expire. So they're registering, reaching the basket, and leaving.

> In any event, they somehow make an activated account, and then somewhere between hours and WEEKS later, they show up on our forum to spam it with a couple of posts. I'm torn between thinking they are actual humans solving the (multiple!) CAPTCHAs, and then dumping the credentials to a spambot factory - OR - it's some kind of automated signup backdoor loophole (which is very concerning...)

To prevent them from being able to make their account active after having done this, be sure "Allow Free Registered Users (without subscriptions)" is set to "No" within CBSubs > Settings > Global. If your free plan is a lifetime plan, also be sure "Create Subscriptions also for free lifetime plans" is set to "Yes". This ensures an account requires a subscription.

You do not have some backdoor or loophole unless you've another extension that allows registration, but they wouldn't exist in CB if that was the case. They are just abandoning their baskets, which leaves their user behind. Since you require confirmation they are stuck until they confirm their email, which isn't hard for a bot to do. But if CBSubs is required to have a subscription the bot likely would get stuck trying to log in and be asked to subscribe.

> It's a lot of work chasing them down, banning them, deleting their posts. I have put up a "hold new users first couple of posts for approval" on our forum, but it SERIOUSLY INCONVENIENCES our actual PAYING USERS, most of whom sign up and make a paid subscription expressly for the purpose of posting an urgent question on our support forum.

Yup, it's frustrating. Imagine how much spam we've to battle. We've used CB Auto Actions to implement blocking forum posts of new users if they contain a URL of any kind. Subscribers are exempt from this check. This catches 99% of the spam or at least makes the spam harmless and alerts us so we can clear it out. We've a tutorial on how we're doing this below.

www.joomlapolis.com/documentation/291-cb-auto-actions/tutorials/18810-blocking-kunena-forum-spammers

> Despite me posting a clear notice on the signup page, the FAQ page, AND the welcome email - the vast majority of these users are oblivious to the "first couple forum posts are moderated" advisories, and instead repeatedly post their first message multiple times (up to a DOZEN TIMES!!!) expecting it to be instantly published... It's a big hassle for me to individually delete each of those repeat posts, too...

Yup, that's why we avoided enabling that in Kunena. If we could enable it only for non-paid users we would've used that instead of CB Auto Actions.

> Any advice on this?

Ensure CB AntiSpam is installed and you've Captcha on your registration page. This will at least help stop bots from registering, but won't stop humans. This is in addition to the CB Auto Actions usage above.


Kyle (Krileon)
Community Builder Team Member
The following user(s) said Thank You: mikerotec
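
The rule described in the reply above (block a new user's forum post if it contains a URL of any kind, with subscribers exempt), sketched as an added example; it is not part of the original thread and is not the CB Auto Actions configuration from the linked tutorial. The post-count cut-off for "new", the TLD list and the sample posts are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

NEW_USER_MAX_POSTS = 5  # assumption: what counts as a "new" user

# Kunena posts are BBCode, so link tags count as URLs as well as plain text.
URL_RE = re.compile(r"""
    \[(?:url|img)\b[^\]]*\]                      # BBCode link or image tag
  | \b(?:https?|ftp)://[^\s\[\]]+                # explicit scheme
  | (?<![\w@.-])(?:[a-z0-9-]+\.)+                # bare domain, not an e-mail
    (?:com|net|org|info|biz|io|ru|cn|xyz|top)\b  # constructed sample TLD list
    (?:/[^\s\[\]]*)?
""", re.IGNORECASE | re.VERBOSE)

@dataclass
class Decision:
    action: str              # "publish" or "block"
    matched: list            # URL-like strings that triggered the block
    notify_moderators: bool  # blocked posts raise an alert for cleanup

def find_urls(body: str) -> list:
    return [m.group(0) for m in URL_RE.finditer(body)]

def moderate(is_subscriber: bool, approved_posts: int, body: str) -> Decision:
    # Subscribers and established users skip the check, so paying users
    # are never delayed the way blanket first-post moderation delays them.
    if is_subscriber or approved_posts >= NEW_USER_MAX_POSTS:
        return Decision("publish", [], False)
    urls = find_urls(body)
    if urls:
        return Decision("block", urls, True)
    return Decision("publish", [], False)

# Constructed sample posts: (is_subscriber, approved_posts, body)
SAMPLES = [
    (False, 0, "Great site! [url=https://pills.example.com]cheap meds[/url]"),
    (False, 1, "visit best-deals.example.net/promo today"),
    (False, 0, "Upgrade to 2.4.1 broke config.php, mail me at user@example.org"),
    (True, 0, "Paid user here, error page is https://shop.example.com/cart"),
]

if __name__ == "__main__":
    for sub, count, body in SAMPLES:
        d = moderate(sub, count, body)
        print(f"{d.action:8} {d.matched} <- {body[:40]!r}")
```

Version numbers, file names and e-mail addresses in a genuine first post do not trip the bare-domain pattern, which keeps false positives low for new users who have not yet subscribed.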
