How can anyone say they don't use real email addresses. The issue is they are using real email addresses because I have people emailing me about being registered or having a verification for registering.

Spammers are only interested in creating user accounts to add spam to the user profile. When verification is on, the user profile is not visible until the user is verified which can only be done with an email address they can receive an email to. Most of the reports we see are spam accounts with randomly generated emails (some of which then turn out to be real - but these users did not register). Note whave some evidence that they return at a later point and try to log in, as the user is not verified they cannot do so.

 Maybe not all but this is an issue which should make you even more concerned because it is making dnn based websites look really bad (for the owners). I upgraded to 7.3.2 the day it came out. It has not solved the problem. I have captcha on, it has not solved the problem. The ONLY one of many dnn websites I have that is not having the problem is one that I moved the login page to a new name (as suggested somewhere in the forums). That is a great idea.. and one that dnn could have scripted into 7.3.2 very easily.

The advice is to upgrade to 7.3.2 or above. Upgrading to 7.3.2 or above resolves this for the majority of users - some sites still see a small number of registrations, but at a guess we're seeing a tiny percentage of registrations succeed (i.e. automated captcha crackers still crack a captcha just one at a time, and not one cracked captcha used to create dozens/hundreds of accounts) - so if your site got 500 registrations before, upgrading to 7.3.2+ likely means you see no new registrations. Some sites that saw tens of thousands of registrations likely still see 5 or 10 registrations (short of getting peoples IIS logs I can't see for sure). Finally, regarding reCaptcha, I have reports that it doesn't fully solve the issue - it (similar to the 7.3.2 fix) dramatically reduces it. This suggests an increase in general spammer activity targeted at CMS's (if you check wordpress, joomla, drupal etc suffer from the same issue), alongside better automated Captcha cracking. The primary issue is that the DNN captcha from version 3.0-7.3.1 suffered from an issue where one cracked captcha could be reused (known as a "replay attack"). This was fixed in 7.3.2 so upgrading to 7.3.2 or above resolves that issue.

As to moving the login page that does not fix the issue, it's simply "security by obscurity" i.e. hiding the page defeats the current automated spammer. It would be trivial to change the script to make a request for a secured page (e.g. yoursite.com/host), then record the page it redirects to (the login page) and then use that to register accounts.

---

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US

Armin - I believe that logical questions are as easy to break as blurred images. Just because you have seen them on other sites does not mean they are any better. Do you have any real evidence that logical questions are better at identifying humans?

I do not see how DNN Core can 'fix' this. There is no hack. The spam registrations do exactly the same operations as a human operator does. How can they fix it? They can make it harder to register new users - that will mean more humans will be put off registering.

---

Best wishes,
- Richard
Agile Development Consultant, Practitioner, and Trainer
www.dynamisys.co.uk