Trying to fight fake account spam / shared list of Denied email domains

by john doe -
Number of replies: 2

Hey, for months now we have been the target of fake accounts, referencing bots that "discreetly" create accounts with beautiful domain names like freeliveadultcams and so on.

The only free solution I found was to manually identify those fake accounts: they usually use a different country from my audience, the email domain is quite explicit, and I have a user tour for new accounts but those bots don't "see" it (human users always start the user tour when I check the logs). Actually it could be a way of identifying them automatically: delete the account and put the mail domain in denied email domains. Purging those fake accounts requires quite a long time.

I'm using reCAPTCHA, my website provider is OVH (shared hosting). The other solution I found is to pay for bot management like Cloudflare, PerimeterX, Imperva etc., but the association can't afford the price.

Another solution is to only allow certain email domains like Google, Yahoo etc.; the problem is my audience comes from a lot of associations that all have their own email domain.

You can copy-paste this list (attached file) in Site administration > Plugins > Authentication > Manage authentication > Denied email domains and maybe have an SQL query to delete those accounts.

I'm not sure it will be useful; maybe someone found a better solution than me, or you could also share your denied email domains.

For those new to the problem, make sure to check Reducing spam in Moodle.

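The post above combines three signals (denied email domain, a country outside the audience, and no user-tour start) and mentions an SQL query to find the accounts. The following script is an added example, not the poster's code or anything shipped with Moodle: it matches addresses against a deny list written in the syntax of the "Denied email domains" setting (a plain entry is assumed to match that domain exactly, a leading dot is assumed to match any subdomain), scores accounts by the three signals, and builds a parameterised SELECT over the mdl_user table. The deny list, the sample accounts and the "started_tour" field are all constructed for the example; the scoring weights are my own choice.

```python
# Constructed denied-domain list in the syntax of Moodle's "Denied email
# domains" setting. Assumption for this example: a plain entry matches that
# domain exactly; an entry starting with a dot matches any subdomain of it.
DENIED_DOMAINS = ["freeliveadultcams.example", ".spam-mailer.example"]

# Constructed sample accounts. "started_tour" is a hypothetical field that
# stands for the user-tour signal the post describes; it is not a Moodle column.
SAMPLE_USERS = [
    {"id": 1, "email": "alice@association-a.example", "country": "FR", "started_tour": True},
    {"id": 2, "email": "bot1@freeliveadultcams.example", "country": "US", "started_tour": False},
    {"id": 3, "email": "bot2@mx7.spam-mailer.example", "country": "RU", "started_tour": False},
    {"id": 4, "email": "bob@association-b.example", "country": "FR", "started_tour": False},
]


def email_domain(email):
    """Lower-cased part after the last '@', or None if the address is malformed."""
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].strip().lower()


def matching_denied_entry(email, denied=DENIED_DOMAINS):
    """Return the deny-list entry that matches the address, or None."""
    domain = email_domain(email)
    if not domain:
        return None
    for entry in denied:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if domain.endswith(entry):       # e.g. mx7.spam-mailer.example
                return entry
        elif domain == entry:                # exact domain only
            return entry
    return None


def suspect_accounts(users, denied=DENIED_DOMAINS, audience_countries=("FR",)):
    """Score accounts by the signals in the post: denied email domain (strong),
    country outside the audience (weak), no user-tour start (weak).
    Returns (user id, score, reasons) for every account with a non-zero score,
    highest score first, so a human can review before anything is deleted."""
    flagged = []
    for u in users:
        score, reasons = 0, []
        hit = matching_denied_entry(u["email"], denied)
        if hit:
            score += 3
            reasons.append(f"email domain matches denied entry {hit}")
        if u.get("country") not in audience_countries:
            score += 1
            reasons.append("country outside audience")
        if not u.get("started_tour", True):
            score += 1
            reasons.append("never started the new-user tour")
        if score:
            flagged.append((u["id"], score, reasons))
    return sorted(flagged, key=lambda f: -f[1])


def denied_domain_sql(denied=DENIED_DOMAINS, prefix="mdl_"):
    """Parameterised SELECT (qmark placeholders) over Moodle's user table for
    accounts whose email matches the deny list. Listing only: review the rows
    before removing accounts through Moodle's own deletion path."""
    clauses, params = [], []
    for entry in denied:
        entry = entry.strip().lower()
        if not entry:
            continue
        clauses.append("LOWER(email) LIKE ?")
        params.append(f"%{entry}" if entry.startswith(".") else f"%@{entry}")
    sql = (f"SELECT id, username, email, country FROM {prefix}user "
           f"WHERE deleted = 0 AND ({' OR '.join(clauses)})")
    return sql, params


if __name__ == "__main__":
    for uid, score, reasons in suspect_accounts(SAMPLE_USERS):
        print(f"user {uid}: score {score}: {'; '.join(reasons)}")
    sql, params = denied_domain_sql()
    print(sql)
    print(params)
```

The query is deliberately a SELECT: removing accounts with raw DELETE statements leaves enrolments, grades and log rows dangling, so once the list has been reviewed the accounts are better removed through the admin UI or Moodle's delete_user() function, which also stops the address from being reused.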
In reply to john doe

Re: Trying to fight fake account spam / shared list of Denied email domains

by Ken Task -

Networking comes before Application ... application here is moodle.

So attempting to block, etc. at the application level means the bots etc. are already knocking at your door and the situation is making your application work harder (moodle is 'heavy' enough without the added).

So question: are you hosted on a VPS where you have root access?

Reason asked: modern day servers have a firewall of their own that can be used to deny any access to the server via the NIC (the network interface card). Can deny a single IP or a range of IP addresses.

Rather than looking at email addresses, look at server access logs for the events involved and the IP address that event came from.  You might notice it's not a bunch but a few IP addresses.

It's a process using different cli only tools to discover those IP addresses and I'd rather not spend a lot of time describing IF you don't have a VPS and root!

'SoS', Ken

In reply to Ken Task

Re: Trying to fight fake account spam / shared list of Denied email domains

by Ken Task -

Ok, briefly ... real server ... real log ...

SSL error logs:
[Thu Aug 29 10:52:39.919165 2024] [proxy_fcgi:error] [pid 2900998:tid 2901031] [client 47.245.115.131:36326] AH01071: Got error 'Primary script unknown'

is a poke and probe - server not using any services from Alibaba Cloud.

whois 47.245.115.131
shows:
Organization:   Alibaba Cloud LLC (AL-3)

Not using anything on the moodle related to Alibaba

whois also shows ranges of IP addresses for Alibaba

47.236.0.0/14
47.246.0.0/16
47.240.0.0/14
47.244.0.0/15
47.235.0.0/16

So I block each range with firewall.

firewall-cmd --zone=drop --add-source=IPaddressrangeshownabove

The drop zone denies at the network layer - never gets to application (moodle) and the web service running it.

Above command is for a RedHat family Linux distro ... but Ubuntu/Debian distros have similar.

No won't share my block list ... heck, if I did that, one of the ranges in my block list might be your server!

So there is a word of caution doing this ...don't inadvertently block yourself from your own server!

'SoS'. Ken

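The procedure in the two replies above is: pull client addresses out of the web server error log, count them, look up which announced ranges they belong to, and drop those ranges with firewall-cmd without locking yourself out. This script is an added example and not Ken's tooling: it parses lines in the Apache error-log format quoted in the post, counts events per client IP, checks addresses against the CIDR ranges listed there, and emits the firewall-cmd command from the post for every range that does not contain a protected address. The log sample (apart from the first line, which is the one quoted) and the administrator address 203.0.113.10 are constructed; 203.0.113.0/24 is added to the candidate list only to show the self-lockout check firing.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first line is the one quoted in the post, the
# others are made-up entries in the same Apache error-log format.
SAMPLE_LOG = """\
[Thu Aug 29 10:52:39.919165 2024] [proxy_fcgi:error] [pid 2900998:tid 2901031] [client 47.245.115.131:36326] AH01071: Got error 'Primary script unknown'
[Thu Aug 29 10:52:41.120004 2024] [proxy_fcgi:error] [pid 2900998:tid 2901032] [client 47.245.115.131:36410] AH01071: Got error 'Primary script unknown'
[Thu Aug 29 10:53:02.004311 2024] [proxy_fcgi:error] [pid 2900998:tid 2901033] [client 47.241.9.77:51200] AH01071: Got error 'Primary script unknown'
[Thu Aug 29 10:55:17.552000 2024] [core:notice] [pid 2900990] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# The ranges listed in the post, plus one constructed range (203.0.113.0/24)
# that deliberately contains the administrator's own address.
CANDIDATE_RANGES = [
    "47.236.0.0/14", "47.246.0.0/16", "47.240.0.0/14",
    "47.244.0.0/15", "47.235.0.0/16", "203.0.113.0/24",
]

# Assumed address the administrator connects from (documentation range).
ADMIN_IPS = ["203.0.113.10"]

# Matches the "[client IP:port]" field of Apache error-log lines (IPv4 only here).
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3}):\d+\]")


def client_ips(log_text):
    """Count error-log events per client IP; lines without a client field are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ranges_containing(ip, ranges):
    """Return the candidate CIDR ranges that contain the given address."""
    addr = ipaddress.ip_address(ip)
    return [r for r in ranges if addr in ipaddress.ip_network(r, strict=False)]


def plan_block_commands(ranges, protected_ips, zone="drop"):
    """Build the firewall-cmd command shown in the post for each range, but
    skip any range that would also block a protected address (the caution
    in the post about locking yourself out of your own server)."""
    protected = [ipaddress.ip_address(p) for p in protected_ips]
    commands, skipped = [], []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if any(p in net for p in protected):
            skipped.append(r)
            continue
        commands.append(f"firewall-cmd --zone={zone} --add-source={r}")
    return commands, skipped


if __name__ == "__main__":
    for ip, n in client_ips(SAMPLE_LOG).most_common():
        print(f"{n:4d} events from {ip}; covered by {ranges_containing(ip, CANDIDATE_RANGES)}")
    cmds, skipped = plan_block_commands(CANDIDATE_RANGES, ADMIN_IPS)
    print("\n".join(cmds))
    print("skipped (would block a protected address):", skipped)
```

Two practical notes on the output: the command form in the post changes only the running configuration, so the same rule also needs adding with --permanent (or a firewall-cmd --runtime-to-permanent) to survive a reload, and the protected list should include every address you administer from, including any monitoring host, before the commands are run.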