Full Board URL: https://www.kristshell.net/pnp/forum/
XMB Version: 1.9.11

Hello.

I help run a support forum for a mIRC script (I am the server admin)
We get a lot of spam registrations from users who most often put links to spam content by entering links to their crap in their BIOs, signatures or the URL fields.

When they register, they allmost allways use subdomains in their e-mail addresses when registering, e.g. subdomain.example.tld.

Is it possible to block all registrations when the email address contains a subdomain?
Idealy we would like to add this ban "*.*.*", but is that possible without blocking every single new registration in the proccess?

Have in mind that not all email addresses using sub-domain are evil. That could lead into potential problems of denying a completely legit user that tries to register.

The best thing would be to use some social login integration(facebook, twitter you name it) and completely abolish registering by e-mail. I doubt spammers would be able to create dozens of Facebook accounts every-time they get banned on your website. They would end up banned by fb staff before they even reach your website. The big companies handles spammers quite efficiently so login-in trough them saves you a great deal.


Now about the thing you wish to accomplish... There are 3 ways of doing that.


1st. Using an online email verification api. They usually aren't free, but does the job perfectly. You don't have to worry about losing legitimate users. It's very unlikely for them to false flag a spam email.

2nd. Using your own white(black)-list of email domains.

Something like that would do the job:

If you intend to use it don't forget to show "allowed email list" in the registration page, so users would know what kind of email addresses they need in order to be on your website.

Code:

<?php $email = $_GET['email']; if( filter_var( $email, FILTER_VALIDATE_EMAIL ) ) { $domain = array_pop(explode('@', $email)); } else exit('Invalid email.'); $allowed_domains = ['gmail.com', 'outlook.com','yahoo.com','mail.com']; //the more legitimate ones you add the better if (in_array($domain,$allowed_domains)) { print $email.' is allowed to register'; } else { print $email.' is not allowed to register'; }

For example:

janedoe@gmail.com would return true
janedoe@subdomain.gmail.com would return false
janedoe@othersubdomain.gmail.com would return false
Any other valid email domain that's not in "$allowed_domains" also would return false

3rd. Using regex to deny sub-domain emails. (It's more complex.)

You would have to preg_match an email address in order to detect the usage of sub-domain and deny it from registering.

First, sorry for the long overdue reply.
I totally forgot all about it.

And, thank you for the answer.

Quote: Originally posted by Jenny Lee

Have in mind that not all email addresses using sub-domain are evil. That could lead into potential problems of denying a completely legit user that tries to register.

I really do not care that there is a valid use for subdomains in email. We are explisitly mass-deleting every single newly registered user – with prejudice – which use a subdomain as the mail address.

The amount of link-spam from new users is unacceptable.
And they all have the fact in common that every new spam-user – yes, every single one – use subdomains as their email addresses. In all the years we have run this forum, we have yet to see a single valid user that use subdomains in their email addresses.

(The spammers usually only put links in their bio and homepage fields, but that is enough. It is not allowed in our forum. They are deleted, with prejudice.)

Quote:

The best thing would be to use some social login integration(facebook, twitter you name it) and completely abolish registering by e-mail.

Unacceptable. That is a privacy violation. We will under no cirtumstances force people to have some kind of social media account in order to register. If that is the alternative, we would rather disable new registrations all together.

Quote:

1st. Using an online email verification api. They usually aren't free, but does the job perfectly. You don't have to worry about losing legitimate users. It's very unlikely for them to false flag a spam email.

No can do. We don't have the economy to manage that. (Yes, we really do have a lot of spam registrations, we will go over the free montly limit within a week)

Quote:

2nd. Using your own white(black)-list of email domains.

We are NOT creating a list of all possible valid domains. That is also not an acceptable solution.

For example, we are banning Gmail, Hotmail, Outlook, any kind of disaposable email address provider. and so on, because the vars majority of spam registrations come from them. Even with those banned, we have a to large volume of spam users.

Quote:

3rd. Using regex to deny sub-domain emails. (It's more complex.)

This is exactly what we want – reject any email that uses a subdomain.
But we don't have the skills to code something like that, so we ask: is there an existing solution that does this?

Quote: Originally posted by solbu

Quote: 1st. Using an online email verification api. They usually aren't free, but does the job perfectly. You don't have to worry about losing legitimate users. It's very unlikely for them to false flag a spam email. No can do. We don't have the economy to manage that. (Yes, we really do have a lot of spam registrations, we will go over the free montly limit within a week)

Just found out that StopForumSpam .com is completely free.
So that would be an acceptable solution.

Now comes the part where one modify the XMB forum software to implement it. And I don't really know what I'm doing. :-)

Yey!
Did a new attempt at using «StopForumSpam» as discussed in viewthread.php?tid=776782 and it worked like a charm.

So this thread can be closed as resolved. :-)

Quote: Originally posted by solbu

Just found out that StopForumSpam .com is completely free. So that would be an acceptable solution.

Hope this solves your problems and no further problems will arise.

P.S. In regards of all sub domains denying and regexes... I could have coded it for ya but only for a small fee cuz it's an effort.

If you need any help querying SFS or integrating the XML request into your registration work flow let me know!

I can share our member.php file.