Topic: PunBB Unverified Users Problem

I was just trying to clean up some of the bot entries when I came across a rather disturbing couple of things:

  • There were over 10'000 unverified users here

  • It's not possible to select more than 1'500 at a time (search returns a blank page)

  • It's not possible to search and filter more than about 2'000 entries at a time (search returns a blank page)

  • There doesn't seem to be an IP entry for those unverified users? (At least not via admin section) EDIT: Was wrong; you just need to click on username and you're shown the profile with IP

It was, however, possible to narrow down the search to 15 or 30 or 60 days, filtering only unverified registrations, to get a list correctly shown and deletable.

This is also important to know for those admins changing settings, adding different CAPTCHAs or asking bot questions: There are potentially thousands of unverified users that can appear even after your new security measures are in place. All the bot herder needs to do is activate with his already received confirmation link.


Conclusion:

  • Any unregistered user should be auto-deleted after 7 days IMO. In the core.

  • Admins should search for unverified users and delete regularly in the meantime

  • Pruning the unverified users is very effective!

  • Go to Administration » Users » Searches and select unverified users *submit* - then prune those regularly.

PS: Added to http://punbb.informer.com/trac/ticket/355

Re: PunBB Unverified Users Problem

KeyDog wrote:

Any unregistered user should be auto-deleted after 7 days IMO. In the core.

Giving an option to choose the time would be interesting too.

Re: PunBB Unverified Users Problem

Audiofeeline wrote:

Giving an option to choose the time would be interesting too.

I personally would give them 12 hours

Also I think the cracking bots can just try endlessly to register, once they succeed they'll receive the email and send another simpler bot to do the registration completion process... (speculation of mine anyway cos I see an ALTUSHOST IP every day for weeks - and others... but those never register!)

Re: PunBB Unverified Users Problem

KeyDog wrote:

Go to Administration » Users » Searches and select less than 1 post and unverified users *submit* - then prune those regularly.

I just select "unverified users" and click on Submit search.

Re: PunBB Unverified Users Problem

8k84 wrote:

I just select "unverified users" and click on Submit search.

Yeah, it's just a prob if you have more than 1500-2000 entries that need to be shown...., imo

Re: PunBB Unverified Users Problem

I just meant to say that you don't need to use the "less than 1 post" criterion since unverified users can't post. Or can they?

Re: PunBB Unverified Users Problem

You're right of course

Re: PunBB Unverified Users Problem

Fixed in changeset 1681

Re: PunBB Unverified Users Problem

Current solution: remove all unverified older than 72 hours.
Removing in register.php

Re: PunBB Unverified Users Problem

dimkalinux wrote:

Current solution: remove all unverified older than 72 hours.
Removing in register.php

I just put in the fix on one forum and set it to 12 hours so I can confirm tomorrow that it works. Then I think I will change it to 36 so that people who use bad e-mail services like Yahoo (where it can take a day to get your mail delivered) don't get screwed.

Re: PunBB Unverified Users Problem

It didn't delete unverified users after 12 hours, so I set it to 15 minutes. After a couple of hours, they were deleted. However, the next batch is not disappearing after 15 minutes as I had hoped. It seems that there is some other timer involved. Any ideas?

Re: PunBB Unverified Users Problem

72 hours is the minimum interval.
Unverified users are removed after the 72-hour interval at the moment of registration (whenever anybody tries to register).

If no one registers during that day, week or month, the users are not deleted.

Re: PunBB Unverified Users Problem

@Ole Juul: The code is triggered only each time someone tries to register

Eraversum - scifi browser-based online webgame

Re: PunBB Unverified Users Problem

Grez wrote:

@Ole Juul: The code is triggered only each time someone tries to register

Thanks, I see now where I was confused. The users who had "registered" before I changed the timeout still had time left on the "clock". Now that I have been looking at this for a while I see it works well. Right now I have it set to 2 hours and there is a constant 5 or 6 unverifieds in the queue.

I'm thinking that most people will check their mail right away and click on the link so two hours is way more than enough, although Yahoo mail users may not be able to make it in time - we'll see how it goes. Personally I think that 72 hours is much too high in a situation like mine. That represents about 400 user accounts.

Re: PunBB Unverified Users Problem

It's true that 72 may be quite long, but on the other hand - some people don't like this sort of deleting users at all...

It could be useful to be able to change the time or disable the option, but I don't think it is really "that" important to include it in the administration. I think some constant, which can be defined in config.php (otherwise it will be set to the default, i.e. those 72 hours as now), could do fine.

And as well I think users should be informed about this

->

./lang/English/mail_templates/welcome.tpl

Subject: Welcome to <board_title>!

Thank you for registering in the forums at <base_url>. Your username on the forums is <username>, as you requested. To complete your registration, you need to set a password for your account. You need to verify your registration in next <verification_time> otherwise your login will be deleted.

To set your password, please visit the following page:
<activation_url>


<board_mailer>
(Do not reply to this message)

./lang/English/profile.php

'Reg e-mail info'            =>    '<strong>Important!</strong> An e-mail with an activation link will be sent to the address you provide. You must click the link in the e-mail in order to activate your new account. You must do this %s hours after registration at the latest, otherwise your account will be deleted.',


I also deleted the sentence "You must therefore ensure that you enter a valid and current e-mail address." since it is obvious (and therefore unnecessary to write).

Eraversum - scifi browser-based online webgame

Re: PunBB Unverified Users Problem

I agree that it is not very important for people to change the timeout value. Someone like me who has a temporary need, will find it in the code fast enough. I plan to change the language too, but I'll wait to see if this (hopefully temporary) storm blows over, and then decide on an appropriate time.

Perhaps it's time for me to find some other solution, like a challenge test or something. I'm getting a steady 6 junk registrations per hour and that must also be generating e-mail noise for the servers.

Re: PunBB Unverified Users Problem

what happens when?

1. day 1 - email activation/verification is required
2. day 15 - I wanted to disable email activation/verification. (You may think why? Because many people are not getting mail correctly for a number of reasons, including it not reaching the inbox.)
3. day 30 - I am pruning all unverified members.

Now, as the members who registered from day 15 to day 30 were not required to activate/verify, and I guess the corresponding database table is not updated automatically (marking them 'verified' or something like that), will they be deleted when I prune at day 30?

Thanks

Re: PunBB Unverified Users Problem

Thank you so much in help technical term PunBB

Re: PunBB Unverified Users Problem

In the current forum registration system, a user is unverified until his first login; even if the user activates the account but does not log in, it stays unverified.
In [1699] I added a check for the activation link, and now only unverified users who have not set up a new password (not activated by email) are deleted. We can't make bigger changes in this minor 1.3.5 release because it could break some extensions. In the next major release we will change the activation subsystem more.

Also modified the messages in the register form and activation email, as proposed by Grez - changes [1701].

Also added the hook "rg_register_qr_delete_unverified" - use it to modify the delete query ([1700]).
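
The pruning behaviour described in the posts above (a 72-hour cutoff, checked only when someone registers, sparing accounts whose activation link was already used), modelled as an added example that is not part of the thread and is not PunBB's code. The table layout, the meaning of `activate_key` and the group id are assumptions for illustration; the batched delete goes beyond the thread to show how a large backlog can be cleared in chunks.

```python
import sqlite3

UNVERIFIED = 0            # assumed group id for unverified accounts
MAX_AGE = 72 * 3600       # the 72-hour interval from the thread, in seconds
COLS = "(username, group_id, registered, activate_key)"

def make_db():
    # Assumed minimal schema; activate_key stays set until the e-mailed link is used.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "group_id INTEGER, registered INTEGER, activate_key TEXT)")
    return db

def prune_unverified(db, now, max_age=MAX_AGE, batch=1000):
    """Delete stale, never-activated accounts in batches; return how many went."""
    total = 0
    while True:
        cur = db.execute(
            "DELETE FROM users WHERE id IN (SELECT id FROM users "
            "WHERE group_id = ? AND activate_key IS NOT NULL "
            "AND registered < ? LIMIT ?)", (UNVERIFIED, now - max_age, batch))
        db.commit()
        total += cur.rowcount
        if cur.rowcount < batch:      # last (possibly empty) batch
            return total

def register(db, username, now):
    """Pruning runs only here, so stale rows linger until someone registers."""
    pruned = prune_unverified(db, now)
    db.execute(f"INSERT INTO users {COLS} VALUES (?, ?, ?, ?)",
               (username, UNVERIFIED, now, "pending-key"))
    db.commit()
    return pruned

def unverified_count(db):
    return db.execute("SELECT COUNT(*) FROM users WHERE group_id = ?",
                      (UNVERIFIED,)).fetchone()[0]

def demo():
    # Constructed data: 2500 stale bot sign-ups plus one account that used its
    # activation link but has not logged in yet (still in the unverified group).
    db = make_db()
    rows = [(f"bot{i}", UNVERIFIED, 0, "pending-key") for i in range(2500)]
    rows.append(("activated_no_login", UNVERIFIED, 0, None))
    db.executemany(f"INSERT INTO users {COLS} VALUES (?, ?, ?, ?)", rows)
    before = unverified_count(db)              # 100 hours later, nothing pruned yet
    pruned = register(db, "newcomer", 100 * 3600)
    return before, pruned, unverified_count(db)

if __name__ == "__main__":
    print(demo())
```

The backlog survives untouched until the next registration attempt, which is why a quiet forum keeps its stale accounts regardless of the configured interval.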

Re: PunBB Unverified Users Problem

Is there a way to delete all the unverified users in one shot?

I upgraded from 1.2.x to 1.3.5 today, so new unverified will be deleted within 72h.

But what can I do with the 72'000 unverified users I've got from the previous version?

If I delete them in the Administration>Users>Search>Groups>Unverified, it will take about 5 hours to delete them all as it is not possible to delete more than 1500 at a time...