Security and privacy

 
 
Greg Padberg
Re: Spammers Using Self Registration
 

In the past month I have had 193 spam users with "Email-based self-registration", even with the reCAPTCHA enabled.  This is more than 6 per day, which is still enough to bother me constantly.  I am revisiting my server config, and am very close with what I feel should be a very effective and yet proactive solution.  Today I started experimenting with this notion on my test server and have it mostly documented.  My solution is to use GeoIP to allow access to /moodle/login/signup.php only from my internal network and the countr(y/ies) of my choosing.  Unauthorized users get 403 Forbidden on the Moodle signup page.  This strategy should allow all / any authorized users to create Moodle accounts using any email address they wish, while nearly eliminating the exposure for creating spam accounts.  Because only the signup page gets blocked from all unauthorized countries (and not the remainder of the Moodle installation), valid users can login from anywhere after their Moodle accounts have been created and confirmed.  After I have updated my production server configuration and had some time to prove the setup I intend to document and share the info here.

 
Rick Jerz
Re: Spammers Using Self Registration

Please vote for MDL-19190.  I would like to see a self-enrolment setting that says "Delete users that are not in any course after xx days."

 
Alan Hess
Re: Spammers Using Self Registration

Hi

Take a look at https://tracker.moodle.org/browse/MDL-39503 too.

Since I patched my code and renamed 'signup.php' to something meaningless all spam bogus accounts have stopped!

 

 
Rick Jerz
Re: Spammers Using Self Registration

Thanks for your ideas, and reference to MDL-39503.

What I really meant to say in my previous post is that in Site Administration|Users|Accounts|Bulk Actions, there should be a filter for "Users that are not in any course after xx days"

Once again, what I (and others) am finding is that with self-enrollment features (even Captcha), these (sophisticated) spamming systems are able to create users.  In my Moodle, every course requires an enrollment key, so these spammers have not figured out how to actually get into a course.  Moodle doesn't provide any way to easily delete "students not in any course".

 
Glenn Pillsbury
Re: Spammers Using Self Registration
 

Exact same situation here.  Lots of email self-registration fake accounts but no enrollments because of enrollment keys.  Having another filter for those accounts would be great.  I've up-voted MDL-19190.
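
The filter Rick Jerz and Glenn Pillsbury ask for above can be approximated with a direct database query. The following is an added example, not code from this thread or from Moodle itself: it uses Moodle's real table names (mdl_user, mdl_user_enrolments and mdl_role_assignments, assuming the default mdl_ prefix) but runs the query against an in-memory SQLite copy of only the columns it needs, seeded with constructed rows, so it can be tried offline. The `:cutoff` placeholder style is SQLite's and needs adjusting for other drivers. Guest, the primary admin and anyone holding a role in any context (a course creator, for instance, may legitimately have no enrolment) are kept out of the result on purpose, and the list is something to review, not to feed straight into a bulk delete.

```python
"""Find confirmed self-registered Moodle accounts with no enrolment anywhere."""
import sqlite3
import time

DAY = 86400

# Subset of the Moodle schema the query touches (assumed default 'mdl_' prefix).
SCHEMA = """
CREATE TABLE mdl_user (
    id INTEGER PRIMARY KEY, username TEXT, email TEXT, auth TEXT,
    confirmed INTEGER, deleted INTEGER, timecreated INTEGER
);
CREATE TABLE mdl_user_enrolments (id INTEGER PRIMARY KEY, enrolid INTEGER, userid INTEGER);
CREATE TABLE mdl_role_assignments (id INTEGER PRIMARY KEY, roleid INTEGER, userid INTEGER);
"""

# auth = 'email' is Moodle's email-based self-registration plugin. Guest (id 1)
# and the primary admin (id 2) are excluded explicitly; so is anyone holding a
# role in any context, since a course creator may legitimately have no enrolment.
ORPHAN_QUERY = """
SELECT u.id, u.username, u.email
  FROM mdl_user u
  LEFT JOIN mdl_user_enrolments ue ON ue.userid = u.id
  LEFT JOIN mdl_role_assignments ra ON ra.userid = u.id
 WHERE u.auth = 'email'
   AND u.confirmed = 1
   AND u.deleted = 0
   AND u.id > 2
   AND u.timecreated < :cutoff
 GROUP BY u.id, u.username, u.email
HAVING COUNT(ue.id) = 0 AND COUNT(ra.id) = 0
 ORDER BY u.id
"""


def find_unenrolled_self_registrations(conn, older_than_days, now=None):
    """Return (id, username, email) rows for self-registered users older than the cutoff and in no course."""
    now = int(time.time()) if now is None else now
    return conn.execute(ORPHAN_QUERY, {"cutoff": now - older_than_days * DAY}).fetchall()


def build_sample_db(now):
    """Constructed sample data standing in for a real Moodle database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    users = [
        # id, username, email, auth, confirmed, deleted, timecreated
        (1, "guest", "root@localhost", "manual", 1, 0, now - 400 * DAY),
        (2, "admin", "admin@example.edu", "manual", 1, 0, now - 400 * DAY),
        (3, "jdoe", "jdoe@example.edu", "ldap", 1, 0, now - 90 * DAY),         # LDAP account, enrolled
        (4, "asmith", "asmith@example.com", "email", 1, 0, now - 45 * DAY),    # self-registered, used an enrolment key
        (5, "zx91kq", "zx91kq@mailnesia.com", "email", 1, 0, now - 40 * DAY),  # confirmed, never enrolled: the spam pattern
        (6, "pq77tt", "pq77tt@example.org", "email", 0, 0, now - 3 * DAY),     # unconfirmed; Moodle cron removes these itself
        (7, "ww22", "ww22@example.net", "email", 1, 0, now - 2 * DAY),         # too recent to judge
        (8, "teach2", "teach2@example.org", "email", 1, 0, now - 60 * DAY),    # course creator role, no enrolment
        (9, "olddel", "olddel@example.org", "email", 1, 1, now - 200 * DAY),   # already deleted
    ]
    conn.executemany("INSERT INTO mdl_user VALUES (?,?,?,?,?,?,?)", users)
    conn.executemany("INSERT INTO mdl_user_enrolments VALUES (?,?,?)",
                     [(1, 11, 3), (2, 11, 4), (3, 12, 3)])
    conn.executemany("INSERT INTO mdl_role_assignments VALUES (?,?,?)",
                     [(1, 5, 3), (2, 5, 4), (3, 5, 3), (4, 2, 8)])
    return conn


if __name__ == "__main__":
    db = build_sample_db(int(time.time()))
    for row in find_unenrolled_self_registrations(db, 30):
        print(row)
```

Against the constructed data only user 5 comes back for a 30-day window; shortening the window to one day adds the two-day-old account as well, which is why the threshold should be generous.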

 
Greg Padberg
Re: Spammers Using Self Registration
 

OK as of an hour ago I now have applied my GeoIP blocking solution to the signup page on my production Moodle server.  Now for some historical metrics before I remove all the disabled spam accounts I have collected.

Since enabling the ReCAPTCHA I have had 526 spam accounts confirm via email in the past 51 days, so an average of just over 10 per day.  The spam accounts list random countries but 4 of the accounts listed the country as Canada (which is the country where I am located), making the spam accounts slightly less obvious to filter out.

I did have some notorious spam email domains listed in my "denyemailaddresses" setting (.info .co.uk mailnesia.com frenchcuff.org) but with my new setup I will be removing them altogether.

I will check back with this forum in about a week to let you all know how things are going, and will document my solution if the upgrade proves successful.  FYI, my production server runs Linux (Ubuntu Server 12.04 LTS) and my documentation will reflect that.

 
Greg Padberg
Re: Spammers Using Self Registration
 

I'm calling it good, no spam accounts so far since implementing my GeoIP blocking solution to the signup page on my production Moodle server.  Normally I had about 10 per day but none so far in the past 4 days.  New users still get created OK, no complaints from anybody, and silence from the spammers.  I'm not an Apache guru by any stretch but I read the relevant documentation and tested a workable solution to vastly reduce the Moodle server's exposure to creation of spam accounts.

 
Greg Padberg
Re: Spammers Using Self Registration
 

Here is the example documentation for my solution to reduce spam exposure.

Geoip limit countries other than Canada for email registration page.
Unauthorized users get 403 Forbidden for /moodle/login/signup.php

This example is using a recent Ubuntu Server with Apache2 and assumes an already working Moodle.
Allows IP addresses from 10.0.0.0/8 and GeoIP Country Code CA (Canada) access to /moodle/login/signup.php and denies all others.
Vary the recipe accordingly to suit your taste.
The usual disclaimers apply, don't try this on a production server unless you know what you are doing.
If you break stuff, you get to keep all the pieces.

Install the GeoIP dependencies:
sudo apt-get install libapache2-mod-geoip

Uncomment the GeoIPDBFile line from /etc/apache2/mods-available/geoip.conf:
sudo nano /etc/apache2/mods-available/geoip.conf

Add the following line somewhere in your Apache server config (httpd.conf or equivalent), I appended it to my /etc/moodle/apache.conf:
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat

Create the file /etc/moodle/denysignup.conf with the following contents:
<Files signup*>
    GeoIPEnable on
    # mod_geoip looks up the TCP peer address; behind a reverse proxy
    # use GeoIPScanProxyHeaders On so the real client address is used
    SetEnvIf GEOIP_COUNTRY_CODE CA WhiteList
    #SetEnvIf GEOIP_COUNTRY_CODE US WhiteList
    #Add rules here to allow more countries if desired
    # Apache 2.2 (mod_authz_host): Deny is evaluated first, then Allow,
    # so any matching Allow below overrides the blanket Deny.
    # Deny,Allow is also the default Order; it is spelled out here on purpose.
    Order Deny,Allow
    Deny from all
    Allow from env=WhiteList
    Allow from 10.0.0.0/8
    Allow from 127.0.0.0/8
    # hostname form triggers a reverse DNS lookup; loopback is already covered by 127.0.0.0/8
    Allow from localhost
</Files>

Symlink the newly created file into the Apache configuration:
sudo ln -s /etc/moodle/denysignup.conf /etc/apache2/conf.d/denysignup

You may need to review the file ownership or permissions on the newly created files (chmod or chown).

Restart Apache to apply the changes:
sudo service apache2 restart

The following web pages are provided as helpful reference:
http://dev.maxmind.com/geoip/legacy/mod_geoip2
http://ubuntuforums.org/showthread.php?t=1410627
http://linuxdatum.info/web-server/howto-install-mod-geoip-for-apache2-on-ubuntu-precise

 
Greg Padberg
Re: Spammers Using Self Registration
 

A quick update since geoip limiting /moodle/login/signup.php on my server (denies access to all IP addresses that do not reside within Canada). Email registration from within Canada works OK for any email address and once registered, Moodle users can login from anywhere. Moodle Admin and Users are all happy.

Only about 3 bogus accounts managed to get confirmed, from the networks of nobistech.net in the USA and OVH Hosting in Montreal (subsequently blocked).
All is quiet since adding the following networks to Security > IP Blocker > Blocked IP List:
142.91.0.0/16
142.4.192.0/19


In summary:

  • Opening up email registration to the entire world is a can of worms for sure.
  • Allowed email domains / Denied email domains setting within (Site administration > Plugins > Authentication > Manage authentication) can be effective, although it can also be quite restrictive for users wanting to signup using their preferred email. I was using this approach initially but have since abandoned it.
  • Enabling ReCAPTCHA should be the first line of defense (helps, but many still able to get through).
  • Installing and configuring libapache2-mod-geoip to limit access to /moodle/login/signup.php from outside of Canada was another significant reduction in the number of spam accounts.
  • Security > IP Blocker > Blocked IP List may need some tweaking / additions if any bogus accounts still make it through.
 
Greg Padberg
Re: Spammers Using Self Registration
 

Another addendum.  I will mention the importance of keeping an updated GeoIP.dat file, as ownership of various IP address ranges seems to change over time (and defunct networks from Canada have since been taken over and likely re-used elsewhere).  In the case of Ubuntu Server, the geoip-database-contrib package provides the means to download a new copy of GeoIP.dat, and to keep it fresh by automatically checking for monthly updates.

I have found some bogus accounts created from IP address ranges originating from the now defunct Avante Hosting based in Toronto:

http://whois.arin.net/rest/org/AHS-136/nets

Also from OVH Hosting in Montreal...  http://whois.arin.net/rest/org/HO-2

Thus my Security > IP blocker list currently looks like this to block out all the networks owned by those 2 organizations:

142.4.192.0/19
192.95.0.0/18
198.27.64.0/18
198.50.128.0/17
198.100.144.0/20
198.245.48.0/20
199.195.156.0/22
192.241.8.0/21
192.119.144.0/20
66.248.192.0/19
192.161.192.0/18
198.52.128.0/17

 
Greg Padberg
Re: Spammers Using Self Registration
 

Another update on my approach to mitigate spam accounts. It has been extremely effective! Last week I had a spam account created but it did not get verified so it disappeared after 7 days. I think there has been maybe a single spam account that got through since the summer, which was easy to find and disable. I also updated the rules to block my internal networks so as to encourage my users to use their existing LDAP accounts rather than sign up for a new Moodle account. The config file now looks similar to the following (my internal network has been changed in this example):

<Files signup*>
    GeoIPEnable on
    SetEnvIf GEOIP_COUNTRY_CODE CA WhiteList
    #SetEnvIf GEOIP_COUNTRY_CODE US WhiteList
    #Add rules here to allow more countries if desired
    # Allow is evaluated first, then Deny; a client matched by no Allow,
    # or matched by any Deny, gets 403. Deny by default!
    Order Allow,Deny
    Allow from env=WhiteList
    Allow from 10.0.0.0/8
    Allow from 172.16.0.0/12
    Allow from 192.168.0.0/16
    Allow from 127.0.0.0/8
    Allow from localhost
    # prevent users on internal networks from new account signup,
    # they should use existing LDAP accounts instead!
    # (this Deny wins over the broader 10.0.0.0/8 Allow above)
    Deny from 10.244.0.0/16
</Files>

I am drafting up some ideas to submit to the Moodle Tracker, as integrating this functionality within Moodle rather than at the web server config would make this solution more available to a wider audience of Moodle users. I am not a coder but would certainly be willing to help out with documenting this feature if it were integrated into Moodle.

 
Greg Padberg
Re: Spammers Using Self Registration
 

I have opened MDL-43819 (Access Controls for Email Authentication) to integrate this functionality within Moodle, and make this solution more available to a wider audience of Moodle users.

https://tracker.moodle.org/browse/MDL-43819

Be sure to watch, and vote for it!

 
Greg Padberg
Re: Spammers Using Self Registration
 

Here is the same configuration adapted for Apache 2.4, as we have migrated our server to the newer version of Ubuntu Server (14.04 LTS):

# Deny access to signup.php (email-based self-registration)
# Allow from within Canada (via set variable WhiteList)
# Allow from within 10.x.x.x address space (our learning partners)
# Block from our networks to encourage LDAP authentication instead
# Deny all other access to minimize spam
# For spam bots within whitelisted IP addresses, use the Moodle IP Blocker

<Files signup*>
    GeoIPEnable on
    SetEnvIf GEOIP_COUNTRY_CODE CA WhiteList
    #SetEnvIf GEOIP_COUNTRY_CODE US WhiteList
    #Add rules here to allow more countries if desired, see the following for info:
    # http://dev.maxmind.com/geoip/legacy/mod_geoip2/

    # Apache 2.4 has a new method of access control, see the following:
    # http://httpd.apache.org/docs/2.4/upgrading.html
    # http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
    # https://blogs.apache.org/httpd/entry/require_and_friends

    <RequireAll>
        # allow Whitelist (above) or any 10.x.x.x IP address
        <RequireAny>
            Require env WhiteList
            Require ip 10
        </RequireAny>

        # prevent users on internal networks from new account signup,
        # they should use existing LDAP accounts instead!
        # "Require ip 10" above also matches 10.244.0.0/16; the RequireNone
        # section wins because no section inside RequireAll may fail.
        <RequireNone>
            Require ip 10.244.0.0/16
        </RequireNone>
    </RequireAll>
</Files>
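
Before deploying a nested RequireAll/RequireAny/RequireNone block it is worth checking its decision table, since mod_authz_core uses three-valued logic (granted, denied, neutral) and only an explicit grant lets a request through. The following is an added example, not code from this thread or from Apache: it models those section rules in Python and encodes the signup.php policy posted above. It assumes that mod_geoip leaves GEOIP_COUNTRY_CODE unset for addresses absent from the database, such as RFC 1918 space, represented here as a country of None; the test addresses are constructed.

```python
"""Model Apache 2.4 mod_authz_core section logic and check the signup.php policy."""
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def require_env(name):
    """Require env NAME: granted when the variable is set, otherwise denied."""
    return lambda req: GRANTED if name in req["env"] else DENIED


def require_ip(*specs):
    """Require ip ...: partial dotted prefixes (10, 10.244) or CIDR (10.244.0.0/16)."""
    nets = []
    for spec in specs:
        if "/" not in spec:
            octets = spec.split(".")
            spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return lambda req: GRANTED if any(ipaddress.ip_address(req["ip"]) in n for n in nets) else DENIED


def require_all(*rules):
    """<RequireAll>: fails on any denial; succeeds only if at least one rule granted."""
    def evaluate(req):
        results = [rule(req) for rule in rules]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return evaluate


def require_any(*rules):
    """<RequireAny>: succeeds on any grant; fails if nothing granted and something denied."""
    def evaluate(req):
        results = [rule(req) for rule in rules]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return evaluate


def require_none(*rules):
    """<RequireNone>: fails if any rule grants; otherwise neutral (never grants by itself)."""
    def evaluate(req):
        return DENIED if any(rule(req) == GRANTED for rule in rules) else NEUTRAL
    return evaluate


def set_env_if(country_code):
    """Environment as 'SetEnvIf GEOIP_COUNTRY_CODE CA WhiteList' leaves it."""
    return {"WhiteList": "1"} if country_code == "CA" else {}


# The Apache 2.4 rule set for <Files signup*> posted above.
SIGNUP_POLICY = require_all(
    require_any(require_env("WhiteList"), require_ip("10")),
    require_none(require_ip("10.244.0.0/16")),
)


def signup_allowed(client_ip, country_code=None):
    """True only on an explicit grant; denied and neutral both end as HTTP 403."""
    req = {"ip": client_ip, "env": set_env_if(country_code)}
    return SIGNUP_POLICY(req) == GRANTED


if __name__ == "__main__":
    # constructed test addresses; country as mod_geoip would report it (None = not in database)
    cases = [("24.1.2.3", "CA"), ("24.1.2.3", "US"), ("10.5.6.7", None),
             ("10.244.9.9", "CA"), ("192.168.1.10", None), ("127.0.0.1", None)]
    for ip, cc in cases:
        print(f"{ip:>14} {cc or '--':>2}  {'allowed' if signup_allowed(ip, cc) else '403'}")
```

Running the cases confirms the intended outcomes (Canadian clients and 10.x.x.x partners allowed, 10.244.0.0/16 refused even when GeoIP reports CA) and also shows that, unlike the Apache 2.2 version earlier in the thread, this rule set has no allowance for 192.168.0.0/16, 172.16.0.0/12 or loopback, so a test run from those addresses will get a 403 rather than a signup form.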


 