
I disabled the registration feature, but Spam can still be registered.

twm

Chevereto Member
I am sure I disabled the registration function, but spam accounts can still be registered.
I am troubled by Chinese spam. They use a spam tool to register countless accounts, and the IPs are different.

video
http://163.172.59.172/chevereto.mov

Edited. Please don't embed giant images into posts.
 
If I understand this correctly, you are saying that people are able to sign up even if signup is disabled? I disabled signups and I tried to hack the system without any luck. I wasn't able to sign up if that setting is disabled, so I guess that you just misunderstood the functionality. Maybe the translation is wrong.

"Enable signups" disables the ability to create new accounts, nothing else. Enable = users can register themselves, Disable = Only admin can create users.
 

I know Disable = Only admin can create users.

But the problem is that SPAM can register users after Disable.


Screenshot:
Signup disabled, but this SPAM signup is successful.

GET & POST

 
Honestly, I don't know how to help you with this.

Sorry.

Thank you very much, I will check it again.

I don't know why they can sign up.
If signup is disabled, a normal user accessing xxxx.com/signup will get a 404 error, and only a GET request.
But SPAM has GET and POST requests.

 
In case you don't know, you can forge a POST but that doesn't mean that the request will be fulfilled. It just says the HTTP method and the target URL.
 
Those are probably automated bot processes for registration en masse, but if you have turned off the signup function then you don't have to be afraid; they can't register then, but they will be handled as normal users in your logs through the POST request on the httpd. Even your IP will be there, and it will be the same output if you access the signup page as "guest". So don't worry. What you can do is ban these IPs: collect all of them and ban them through the firewall on your server, or do it through dynamic blacklisting of IP addresses if you use nginx.
 
Or this would be perfect job for Fail2Ban 😉

"You can configure it to trigger on a regex match in a logfile and if it happens too many times per minute (not sure if it goes to second resolution but just multiply whatever you were thinking per second by 60) and it can drop the client IP into the iptables packet filter or whatever other action you want taken. "

Read this
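
As an added example (not part of the thread and not Chevereto or Fail2Ban code): a log check that separates the two questions argued above, namely whether any POST to the signup path was answered with something other than an error, and which IPs post often enough to be ban candidates. The log lines are constructed, the 404-when-disabled behaviour is taken from the thread, and `maxretry`/`findtime` borrow Fail2Ban's parameter names with assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx "combined" log lines; IPs are documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2018:10:00:01 +0000] "GET /signup HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [01/Jan/2018:10:00:02 +0000] "POST /signup HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [01/Jan/2018:10:00:05 +0000] "POST /signup HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [01/Jan/2018:10:00:09 +0000] "POST /signup HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [01/Jan/2018:10:03:00 +0000] "POST /signup HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [01/Jan/2018:10:05:00 +0000] "GET /signup HTTP/1.1" 404 162 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def signup_posts(log_text, path="/signup"):
    """Map client IP -> [(timestamp, status)] for every POST to the signup path."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        if method == "POST" and target.split("?")[0] == path:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            posts[ip].append((when, int(status)))
    return posts

def not_rejected(posts):
    """IPs with a POST answered below 400: the only ones that could have registered."""
    return sorted(ip for ip, hits in posts.items() if any(s < 400 for _, s in hits))

def over_threshold(posts, maxretry=3, findtime=timedelta(seconds=60)):
    """IPs with at least maxretry POSTs inside any findtime window (Fail2Ban-style)."""
    flagged = []
    for ip, hits in posts.items():
        times = sorted(t for t, _ in hits)
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    posts = signup_posts(SAMPLE_LOG)
    print("POSTs the server did not reject:", not_rejected(posts))
    print("Ban candidates by rate:", over_threshold(posts))
```

A 2xx or 3xx status only means the request was not refused; confirming an actual signup still requires checking the application's user records for an account created at that time.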
 
Last night I set your website to disable signup and now I'm seeing the setting is enabled.

Honestly, I don't know how you can tell when some signup bypasses the setting or not if you are constantly toggling that setting.
 

Sorry, these days are too busy, I missed this reply.
I enabled a 301 rewrite in Nginx. The SPAM problem has improved, but normal users can't sign up.
So, I enabled signup when there was no SPAM attack.
 
Today, SPAM has registered more than 200 accounts and created more than 6,000 albums.
It didn't stop until I enabled the 301 rewrite.

 
The reason of this post is the claim that people can register accounts even if the setting is disabled. You have been unable to prove that claim.

I'm sorry about the spam, but just like everybody else, you will have to manually monitor your website because it is clear that you are suffering from a planned attack.

Try to enable reCAPTCHA, ban IP ranges.

Please continue the discussion about spam in another topic as I won't label this as a bug.
 