How to Prevent / Stop Registration Spam From Fake Accounts in DNN
A security vulnerability was recently discovered in DotNetNuke that allows bots to fully automate the registration process on a site, creating many spam users on the site. Commonly referred to as "Fake Registration Spam," this issue has also been called DNN Registration Spam, DNN CAPTCHA Bypass, DNN CAPTCHA Spam, DNN Scam Registrations, DNN Spam Attacks, DNN Spam Site Aliases, and DNN Multiple Registration Spam.
DNN Software is currently looking into this issue. Without a CAPTCHA enabled on the site, bots can complete the registration without difficulty; however, the vulnerability is believed to be in the DNN CAPTCHA itself, so sites with the default CAPTCHA enabled are affected as well.
Here is an example of what you can expect to see:
Note that the address is made up of random places thrown together, such as South Carolina and United Kingdom. Many of the fake user bots fill in the telephone number as a string of the same digit, like the 11111111 number shown above. Lastly, most of these users have nonsensical information on the Profile page, along with a link to another site. You can check this by clicking the Edit icon for the user (pencil and pad), and then the Profile tab.
If your site is experiencing this problem, we are currently recommending the following:
Option 1 - Upgrade to DNN 7.3.3
The 7.3.x series of DNN has addressed the registration spam issue in several ways, which can be read about in more detail in the changelogs. The summary is as follows:
- Removed the value of creating spam users by disabling links in profiles
- Fixed a bug that allowed bots to register multiple users based on a single captcha success
- Increased the variability of the default captcha to make it harder for bots to crack
Depending on how many spam users have already registered, you might not be able to upgrade successfully without first removing users. This starts happening somewhere around 10,000-15,000 users. If you want to upgrade to 7.3.3, you will need to stop the registrations another way (see the options below) and then remove the fake users before upgrading.
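To help with the clean-up before an upgrade, the following script applies the indicators described above (repeated-digit telephone numbers, links in the profile, and many accounts created within the same minute) to a user export. It is an added example, not a Managed.com or DNN tool; the CSV columns and the sample records are constructed for illustration, and the burst threshold is an assumption you should tune for your site.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export of DNN user records (not data from a real site).
# Columns mirror the fields discussed above: username, phone, profile text, created time.
SAMPLE_USERS_CSV = """username,telephone,profile,created
jane.doe,803-555-0142,Works in Columbia SC,2014-09-02 08:15:10
xk7q9ls,11111111,Great deals at http://example.invalid/shop,2014-09-02 09:01:03
zzpl0a2,2222222222,cheap watches http://example.invalid/w,2014-09-02 09:01:04
bbv81nm,11111111,see http://example.invalid/x,2014-09-02 09:01:05
mike.lee,+44 20 7946 0958,Photographer based in Leeds,2014-09-03 14:22:41
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption: this many accounts created in the same minute is a bot-like burst.
BURST_THRESHOLD = 3


def repeated_digit_phone(phone):
    """True when the phone number is a run of one repeated digit (e.g. 11111111)."""
    digits = re.sub(r"\D", "", phone)
    return len(digits) >= 6 and len(set(digits)) == 1


def flag_suspicious_users(csv_text, burst_threshold=BURST_THRESHOLD):
    """Return {username: [reasons]} for accounts matching the fake-registration indicators."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Group by creation minute ("YYYY-MM-DD HH:MM") to spot automated bursts.
    per_minute = Counter(r["created"][:16] for r in rows)
    flagged = {}
    for r in rows:
        reasons = []
        if repeated_digit_phone(r["telephone"]):
            reasons.append("repeated-digit phone")
        if URL_RE.search(r["profile"]):
            reasons.append("link in profile")
        if per_minute[r["created"][:16]] >= burst_threshold:
            reasons.append("registration burst")
        if reasons:
            flagged[r["username"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_suspicious_users(SAMPLE_USERS_CSV).items():
        print(f"{user}: {', '.join(reasons)}")
```

Review the flagged list manually before deleting anything; a single indicator such as one link in a profile is not proof of a fake account.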
Option 2 - Configure your website to filter requests for the DNN register function
There are several types of bots currently in use. The most popular type calls the DNN register function directly by requesting the registration URL (with ctl=Register in the query string), which is very fast, so a lot of users can be created quickly. The following addition to your web.config file stops these requests from being processed by having IIS request filtering reject them before DNN handles them. This should stop most bots from creating users entirely, but you may need to resort to other methods if your site is being hit by Virtual Browser type bots. Note that the filter also blocks legitimate visitors from reaching the default registration page through that URL, so pair it with a custom registration page (see Option 3) if your site still needs to accept registrations.
<system.webServer>
  <security>
    <requestFiltering>
      <denyQueryStringSequences>
        <!--added by Managed.com due to Registration exploit-->
        <add sequence="ctl=Register" />
      </denyQueryStringSequences>
    </requestFiltering>
  </security>
</system.webServer>
The web.config file is located in C:\inetpub\vhosts\<sitename>\httpdocs\
If your web.config already contains <system.webServer>, <security>, or <requestFiltering> elements, add the <denyQueryStringSequences> block inside the existing ones rather than adding a second copy. Duplicate elements make web.config invalid, and the site will fail to start.
Option 3 - Create a custom registration page, and block the default registration page URL.
Option 4 - InteractiveWebs reCaptcha Module
Please Note: This module doesn't support DNN Version 9.1.1 at this time
These are some of the best fixes our engineers have found for this problem. As always, if you are a customer of Managed.com, you are welcome to contact our support team with any questions you may have. If you have trouble implementing any of the fixes above, our team will be happy to help with any additional questions or concerns.