ElkArte Community

Project Support => Support => Topic started by: Esteffano on November 07, 2022, 05:37:27 pm

Title: Empty Field Verification aka Honeypot: is it fully implemented?
Post by: Esteffano on November 07, 2022, 05:37:27 pm
Hello,

I have a massive problem with spam registrations at the moment.
The Method of Registration is set to "Admin Approval".
Apparently there is no double-opt-in for this method of registration in place. (Or is there a setting I've missed?)

But the real question I have is: is the Empty Field Verification fully implemented?
When I turn it on I see a hidden field in the source code
<input type="password" name="autofill_honey_pot" class="hide" autocomplete="off">
however, there is no checking for the "autofill_honey_pot" field in the Register_Controller class (Register.controller.php).

The amount of spam, mostly from email addresses with a subdomain dot in the domain name, is overwhelming. Over 50 a day.

Best regards,
Esteffano.
Title: Re: Empty Field Verification aka Honeypot: is it fully implemented?
Post by: Spuds on November 07, 2022, 08:26:04 pm
I'd really need to take a look to be sure, but going by memory, that autofill_honey_pot is just there to prevent password managers from auto-filling in the password field during registration.

The empty field verification should just be a hidden checkbox with a "verification_control" id on it. I'll note that in 2.0 we really improved this option, not that it does any good for 1.1, but in 2.0 the field looks a lot more tasty for bots to check.

For you I'd go with the ever simple, but oh so effective, verification question. It's on the same page as the empty field (admin > security and moderation > anti spam). Enter a question that is unique to your site, its purpose, its name or a question with the answer in it, like enter blue backwards and then enter eulb for the answer.

Other than that, there are reCAPTCHA addons available as well, also very effective.
Title: Re: Empty Field Verification aka Honeypot: is it fully implemented?
Post by: Esteffano on November 08, 2022, 05:36:57 am
Hello @Spuds,

thank you.

I will try the Question/Answer solution as you suggested.

Yesterday I tried this trick in the do_register() method
Code:
// Abort the registration if the hidden autofill_honey_pot field came back filled in
if (!empty($this->_req->post->autofill_honey_pot)) {
    redirectexit();
}
and it worked, but probably it will also prevent some real humans from registering.
I removed it for now and will see how well the Q/A solution works.

Thanks and have a good day!
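
The server-side checks discussed in this thread, as a standalone example added here and not taken from ElkArte or from either poster: it rejects on the hidden verification_control checkbox, leaves the autofill_honey_pot password decoy out of the decision, and checks the verification question. The function name, the verification_answer field name and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not ElkArte code. Only autofill_honey_pot and
// verification_control come from the thread; everything else is hypothetical.

/**
 * Screen a registration POST before any account is created.
 * Returns the reasons to reject; an empty array means "continue".
 */
function screen_registration(array $post, string $expectedAnswer): array
{
    $reasons = [];

    // Empty field verification: the checkbox is hidden from people, and an
    // unchecked checkbox is not sent at all. Any value here means a client
    // filled in a control that a human visitor could not see.
    if (isset($post['verification_control']) && $post['verification_control'] !== '') {
        $reasons[] = 'honeypot_checked';
    }

    // autofill_honey_pot is described in the thread as a decoy for password
    // managers. Those belong to real users, so a value in it is ignored here
    // rather than treated as a spam signal.

    // Verification question: accept only a string, normalise case and spacing.
    $raw = $post['verification_answer'] ?? '';
    $given = is_string($raw) ? strtolower(trim($raw)) : '';
    if ($given !== strtolower(trim($expectedAnswer))) {
        $reasons[] = 'wrong_answer';
    }

    return $reasons;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human with password manager' => ['autofill_honey_pot' => 'saved-pass', 'verification_answer' => ' Eulb '],
    'form-filling bot' => ['verification_control' => 'on', 'autofill_honey_pot' => 'x', 'verification_answer' => 'blue'],
];

foreach ($samples as $label => $post) {
    $reasons = screen_registration($post, 'eulb');
    echo $label, ': ', $reasons ? 'reject (' . implode(', ', $reasons) . ')' : 'accept', PHP_EOL;
}
```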