How to stop scam registrations - junk in profile?
7/17/2014 3:13 PM
 
cathal connolly wrote:

Paul,

I don't wish to criticize in public, but I'm still waiting on responses to both my mails. My first mail also did not suggest that module, but rather asked for what filtering you're using (e.g. ISAPI, urlrewrite module or IIS request filtering) - please re-read it and respond accordingly. In my second mail I confirmed that the logs you gave me do not show automated registration but rather returning spam users attempting to view their profile page - as I indicated in that mail a simple filter to map those requests to a 404 would block ~95% of that traffic. That said, the logs show that this site receives less than 10,000 page views a day which in real terms is not large so I am surprised that it's affecting performance of that site much at all. Note: the logs are dropping in size rapidly suggesting that the spam requests are dropping naturally as they fail to log in.

If you could respond to one of my mails I will continue to try to help, but I would prefer if you would not post inaccurate information to try to drum up public controversy as that's coming dangerously close to trolling (e.g. you've stated on a mail to our support lead that you spend $25,000 a year at the dnnstore but now you've said you've made 200 purchases - you also say you've been doing DNN for 14 years (we've been going for 11) these figures do not correlate well. )

Note: DNN is free and open-source - there should be no expectation of free support. The fact that you have hundreds of (paying) clients, does not make you different from any other user and expecting free support is unrealistic as it's not something we can offer to the whole community. As security team lead I've chosen to help you as I find it odd that you've been disproportionately affected (99% of others affected have simply applied one of the workarounds and the issue went away) and I want to analyse the reasons why to see if there are additional defence-in-depth measures we should add to 7.3.2. However my time is limited (I'm actually making the fixes as we speak), so please keep all further correspondence with me to email responses.

thanks,

Cathal

Cathal.

Again, please read my response, what I said exactly was "If my post came across as ungrateful, then I failed to write it correctly. I'm grateful for your help" and again in the second to last paragraph I state "If that sounds ungrateful, it's not meant to be". So twice I said that if I sounded like I didn't appreciate your help, I admit I failed in my response. And I specifically said that I am grateful for your help. Neither of these statements are any attempts to drum up any public controversy. I'll say it again, I am grateful for your help. Very grateful. All I'm saying is that none of what has been suggested has helped. Even now my server is maxed. I don't expect to be treated differently. I love DNN, it's the only CMS I prefer to build in, as I'm sure you can see on my portfolio page. I am NOT trying to promote other CMS's. I personally don't like WP, and would hate to switch.

Maybe I should have been more accurate in my phrase, I've been building websites for 14 years, and ever since DNN was released I've been using it, so you are correct, I've been using DNN for 11 years, not 14. It's just after using DNN for 90% of our websites it seems like I've used it for 14 years. Yes, when I check my purchase history, it's 20 pages of purchases, at 10 per page equals 200ish purchases on snowcovered/dnnsoftware. That was an accurate statement. Either way, I agree with you that this banter doesn't help anyone, I just felt the need to re-iterate that I stated in my previous post that I'm grateful for your help. And wanted to say again, I'm grateful for your help.

Like I mentioned before, we've stopped the registrations, we've hidden the profile pages so Google doesn't index the spam links. Our problem is that the 100,000+ spam registrations across several sites continue to try and log in to their now non-existent profile pages and it's consuming memory.

From this point on, I'll only respond to you by email. My public statements here were only to

1. Try and get help.

2. See if anyone else has the same problem after they stopped the registrations.

3. Publicly say again, I am grateful for your help.

Thank you.


Hawaii Web Design and SEO by One Wave Designs
 
7/22/2014 1:40 PM
 
I feel it necessary to publicly admit that Cathal has been very attentive and helpful via email to help us try and resolve our situation. Although we have not found a solution, this is no fault of his own. His suggestions have been very positive and he has taken the time to provide answers and suggestions. I am thankful for his help and grateful for his suggestions.

Hawaii Web Design and SEO by One Wave Designs
 
9/7/2014 10:50 PM
 
Hi All,

I changed the registration page names, implemented a captcha, then used DNN Sharps URL Adapter to rewrite any url attempt to access registration.aspx or anything using ctl=register.

This seems to have been successful and I have no further spam registrations. Now it's time to clean things up.

Good luck to all. :-)
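
Added example (not part of any post in this thread and not DNN's own code): a way to check, against IIS logs, how much traffic a rule for `registration.aspx` and `ctl=register` would cover before it is deployed, the same kind of coverage estimate discussed earlier in the thread. The log lines are constructed, the field layout is assumed, and the `/ctl/register/` path form is an assumption about DNN friendly URLs.

```python
import re
from urllib.parse import unquote

# registration.aspx and ctl=register are the shapes named in the post. The
# /ctl/register/ path form is an assumption about DNN friendly URLs.
STEM_PATTERNS = [re.compile(r"(^|/)registration\.aspx$"),
                 re.compile(r"/ctl/register(/|$)")]
CTL_QUERY = re.compile(r"(^|&)ctl=register(&|$)")

# Constructed IIS W3C log lines, not taken from the thread's logs.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2014-07-17 10:00:01 GET /Default.aspx tabid=55 200
2014-07-17 10:00:02 GET /Default.aspx ctl=Register&tabid=55 200
2014-07-17 10:00:03 GET /Home/tabid/55/ctl/Register/Default.aspx - 200
2014-07-17 10:00:04 POST /registration.aspx - 200
2014-07-17 10:00:05 GET /Default.aspx tabid=55&CTL=REGISTER 200
2014-07-17 10:00:06 GET /Default.aspx ctl=Login 200
2014-07-17 10:00:07 GET /About.aspx - 200
"""

def would_block(uri_stem, uri_query):
    """True if a filter for the registration URLs would match this request."""
    # Decode and lowercase first so every spelling of a URL compares equal.
    stem = unquote(uri_stem).lower()
    query = "" if uri_query == "-" else unquote(uri_query).lower()
    return (any(p.search(stem) for p in STEM_PATTERNS)
            or bool(CTL_QUERY.search(query)))

def parse_w3c(text):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def coverage(text):
    """Return (matched, total) request counts for the log text."""
    hits = [would_block(r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(text)]
    return sum(hits), len(hits)

if __name__ == "__main__":
    matched, total = coverage(SAMPLE_LOG)
    print(f"{matched}/{total} requests would be answered with 404")
```

Requests that the function leaves unmatched are the ones to review by hand, so legitimate pages such as the login control are not caught by the rule.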
 