[This article was updated with a new entry at the end - 2014-07-22]
For a quick recap: various vulnerabilities in DNN are allowing vast amounts of fake registration spam email to be generated by automated bots targeting DNN sites. The issue had become so prevalent that some DNN user’s sites were in danger of being blacklisted.
As we wrote in our June news item on the issue, this could negatively impact your site, and your business.
The recent release of DNN 7.3 and the follow-up 7.3.1 maintenance update have not yet addressed this issue.
The DNN community is waiting for a fix
Our senior engineers have reached out directly to the team at DNN Software, and we have been assured that they are aware of the issue and actively working on a permanent fix (see issue timeline below). The only permanent fix will be a core code update from DNN Software that addresses the issue in the current and previous versions.
Unfortunately, as of yet, there is no official time-frame or release date for the fix from DNN Software. Even if you have sites set to “private” or “verified registration,” the spammers are taking advantage of a vulnerability in DNN that allows them to bypass those settings. The DNN community is still waiting for core changes that will put a complete stop to the registration spam issue, and all of the resulting problems it leads to.
Engineering Protection: Our obligation is to you
However, we have an obligation to protect our customers, their websites, and their data. Therefore, we have tested and implemented several proactive fixes to help combat the issue head on.
We have made changes in order to throttle the amount of confirmation emails being sent to registrants. This throttling was done to mitigate the amount of spam emails being generated, and to proactively protect our customers and their sites from being blacklisted.
Recently, our engineers implemented a script to help keep the relay clear of the large quantities of registration spam that is bogging down our DNN customers. One of the functions of this script is to remove any site-generated notice smaller than 2kb in size. Since the fake registration spam falls within that size parameter, this script has done a great job in keeping the relay clear and moving, as well as shielding our customers from the large volume of DNN registration spam emails.
The size limitation script proved very effective in blocking a large percentage of spam, but we quickly discovered that it occasionally produced a false positive: very small, legitimate emails were being caught in the filter. We have since removed the 2kb filter and implemented stronger anti-spam filtering technologies to stave off as many spam messages as possible.
The new method uses Bayesian inference spam filtering to directly target the large quantities of spam site notifications. We have applied this technology to our system in addition to our standard anti-spam software.
So far this is proving to be even more effective at addressing the problem while drastically reducing false positives. To be clear, an occasional false positive may still result from these systems; however, the combination of these technologies and the anti-spam software are proving to be a strong solution for now.
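To show why the 2kb size rule produced false positives while a Bayesian filter does not, here is an added example (not PowerDNN's relay code, nor anything from DNN Software) that scores constructed sample notices with both a size threshold and a small naive Bayes classifier; every message text, username, and threshold in it is constructed for the illustration.

```python
import math
import re
from collections import Counter
SIZE_LIMIT = 2048  # the "smaller than 2kb" relay rule, in bytes
# Constructed training samples (not real customer mail): fake DNN-style registration notices and legitimate notices.
SPAM_TRAINING = [
    "New user registration: account created. Username: xqz81 Email: xqz81@mail.ru",
    "New user registration: account created. Username: bbz013z Email: bbz013z@mail.ru",
    "New user registration: account created. Username: ppq77 Email: ppq77@mail.ru",
    "New user registration: account created. Username: vvk92a Email: vvk92a@mail.ru",
]
HAM_TRAINING = [
    "Password reminder: a password reset was requested for your account.",
    "Your order 1042 has shipped. Track it on our site.",
    "Monthly newsletter: what is new on the site this month.",
    "Support ticket 88 updated: a reply was posted to your ticket.",
]
# Constructed messages to score: a small legitimate notice and a fake registration.
LEGIT_NOTICE = "Password reminder: a reset link for your account is ready."
FAKE_REGISTRATION = "New user registration: account created. Username: ghj4421 Email: ghj4421@mail.ru"

def size_rule_drops(message):
    """The size rule: drop any site notice smaller than SIZE_LIMIT bytes."""
    return len(message.encode("utf-8")) < SIZE_LIMIT

def tokenize(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

class NaiveBayesFilter:
    """Bernoulli naive Bayes over token presence, with Laplace smoothing."""
    def __init__(self):
        self.tokens = {True: Counter(), False: Counter()}  # keyed by is_spam
        self.docs = {True: 0, False: 0}
    def train(self, text, is_spam):
        self.docs[is_spam] += 1
        self.tokens[is_spam].update(tokenize(text))
    def spam_probability(self, text):
        log_odds = math.log(self.docs[True] / self.docs[False])  # class prior
        for token in tokenize(text):
            p_spam = (self.tokens[True][token] + 1) / (self.docs[True] + 2)
            p_ham = (self.tokens[False][token] + 1) / (self.docs[False] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

def build_filter():
    f = NaiveBayesFilter()
    for is_spam, corpus in ((True, SPAM_TRAINING), (False, HAM_TRAINING)):
        for text in corpus:
            f.train(text, is_spam)
    return f
```

The size rule drops both constructed messages because both are far under 2kb, while the token model scores the password reminder as ham and the fake registration as spam; a production filter would train on far more mail and be retrained as the spam text changes.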
Keeping your communication flowing
While these fixes are not ideal, we feel the above changes are some of the best available options at this time. These relay gymnastics are a relatively simple way to protect our customers, and their sites, from both the DNN registration spam issue and the possibility of blacklisting, along with all of the negative impacts that result from such a "non-trusted" listing.
We want to stress that even if one of your legitimate automated emails is inadvertently marked as a false positive, those emails are still in the system and are viewable by your authorized site administrators. Our team is also monitoring this system and working to remove as many of these potential pain points as possible.
DNN Software has promised a more permanent resolution to this issue, and we trust that they will implement those protective changes as soon as possible. The moment DNN Software puts a permanent fix in place we will implement it immediately to protect our customers — and the DNN community — from this increasingly pervasive issue.
If you have any questions, feel free to contact our support team. We will keep you apprised and advised on this rapidly developing issue.
Update July 22, 2014
We are currently working on a new, more advanced solution. Customers and development partners who are currently under MNDA with PowerDNN and are personally known to Jeff Hardy can send a request for an updated briefing on the new solution test by emailing Mr. Hardy directly.