Store Community Support Documentation

Ok, I need someone to check this out ASAP!

I set up my site as invite only.

I also set it up to verify the email address.

I logged in as a member I made with the membership of a registered user.

I then use the invite in the footer and invited a made-up email address.

123456@123456.com

and it said it was sent...ok

Then I opened another browser and went to the home page and put that email address in the invite box and it came up and allowed me to enter a Name, the same email address and a password.  I did that and bang...my account was made with no verification of email.  So I think a spammer could use excel spreadsheet and make a list of fake emails like obama@whitehouse.gov, trump@whitehouse.gov to something simple like 1@1.com, 2@1.com, 3@1.com up to 50 at a time and the system would let it pass through without verification that you even own that email address or worst yet...doesn't even exist.

Please, someone, check this out and tell me I am wrong!  I am hoping I am.

Jonathan Mitchell
#1

The spammer would first have to gain access to your site through the normal registration method in order to send out the fake invites....unless you have the invite link available to guests on the login/registration page?

JohnJr
#2

You are correct but the issue is the ability to create 60-100 users an hour by hand or even more by bot without any control is my issue.  Just because it is invite only doesn't mean a few bad apples won't figure a way to show up at your party.

awg
#3

when u first do a fresh install of phpfox, within a hour you will begin to get alot of fake profiles until you turn on captcha. It stops after its turned on.

JohnJr
#4

Captcha not available for invite only.  I just think that when I click on email verification as a requirement...it should work for invite only community as well as it is a one line call to that code.  I could easily do that..the issue next would be what happens if the verification fails...they are already in.

Jonathan Mitchell
#5

I have the invite disabled...as I have brought up issues with it here before. Since theres no way to limit amount of invites a member can send, anyone can load a CSV email file with a few 100 addresses into it and freeze your site up..then hosting will 'whitepage' your site because it sees it as spamming..

Kirk
#6

Disabling invite would be okay unless your site is invite only. So that's no good. I guess until it's fixed you could keep it disabled and invite via email. Then new members would have to go through the normal registration process. Still, I hope this is fixed soon (I don't use it but I'll bet a lot of people do).

::

By the way, I get tons of spam memberships on a new install even with captcha enabled. I have to go with the Q&A at signup in addition to stop the massive spam influx.

Last update on June 8, 6:54 pm by Kirk.
Jonathan Mitchell
#7

Never really liked captcha..instead I use the anti-spam question  .. I use a photo for it  like this:   

I rarely see any spammers

JohnJr
#8

That spam question is genius. Too bad both do not work in an invite only community :(

Last update on June 9, 11:31 am by JohnJr.
Kirk
#9

Holy cow! That spam question is brilliant!

JohnJr
#10

With that question, you could make the spammers work for it by adding the following - also put the letters in alphabetical order...LOL

Kirk
#11

Backwards. :D

JohnJr
#12

Where is phpfox?  Seems like a response would be nice.