Tuesday, July 2, 2013

The aftermath of being spammed

Each of the three Moodle instances that I support that are open to self-registration has been spammed.  The spam takes the form of bogus accounts that are probably posting to certain forums on the site with links to web sites that sell stuff.  I have not looked that closely to see whether any of the bogus accounts have in fact posted to forums on the site or in a course, but that is what the Moodle docs say happens, sometimes, when this feature is enabled.  Funny what you notice when it's no longer abstract but in your face!  Today, when looking, I saw in two places where it warns that having email-based self-registration can be exploited by spamming bots, which will create bogus accounts and post to forums.

This is the text on the form below the option to turn this feature on:

"If an authentication plugin, such as email-based self-registration, is selected, then it enables potential users to register themselves and create accounts. This results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. To avoid this risk, self-registration should be disabled or limited by Allowed email domains setting."

Limiting domains does not help me because I am not a single college, like www.somecollege.edu.  If I were, I could specify that domain and leave self-registration open, and it would only work for requests within the domain.  For me, our customers are from various K-12 districts around the state.  If push comes to shove, I could use this.  For example, the Moodle instance I was cleaning up after yesterday, which was spammed, is a single K-12 district.  I could leave email self-registration enabled, with their specific domain listed in the allowed domains setting.  That would probably work.  I think I will do that, in case the request comes in again to allow students to create their own accounts and self-register.  Creating their own account is self-registering.

Getting spammed really makes you think and assess how necessary self-registration really is.

This Moodle doc explains it well.  Not so abstract now!

Enabling ReCaptcha.

Well, I thought I had done this by simply choosing yes in the settings here:

Site administration ► Plugins ► Authentication ► Email-based self registration

But that was not the case.  I should have checked a little more closely.  I was careless!  If this service had been activated, like I thought it was, we would not have been spammed.  I doubt it anyway.

When I read this paragraph on the Moodle doc more closely, I realized that I had not activated the reCAPTCHA service with Google.

"In addition to enabling the reCAPTCHA element, email-based self-registration should be set as the self registration authentication plugin and reCAPTCHA keys should be set in the manage authentication common settings."

I had to go to the Google reCAPTCHA site to get the security keys being asked for in the Moodle form.

Site administration ► Plugins ► Authentication ► Manage authentication

I went to http://www.google.com/recaptcha to generate the keys for my site, which I entered in the form above.
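The three settings the post walks through (the self-registration plugin, the reCAPTCHA keys under Manage authentication, and the "enable reCAPTCHA element" checkbox on the email plugin) can also be pinned in Moodle's config.php so they cannot quietly drift back to "off", which is exactly the mistake described above. The fragment below is an added example, not code from the original post or from Moodle itself; the setting names (registerauth, recaptchapublickey, recaptchaprivatekey, allowemailaddresses, forced_plugin_settings and the auth_email plugin's recaptcha checkbox) are assumed from Moodle's admin settings and should be checked against your Moodle version, since older 2.x releases stored the plugin settings under 'auth/email' rather than 'auth_email'. The key values and the environment variable name are placeholders.

```php
<?php
// Added example (not from the original post): config.php fragment that pins
// the self-registration and reCAPTCHA settings discussed in the post.
// Setting names are assumed from Moodle's admin settings; verify them for
// your version before relying on this.

// Which plugin handles "Create new account". 'email' is email-based
// self-registration; set to '' to close self-registration entirely.
$CFG->registerauth = 'email';

// Keys issued by the reCAPTCHA admin console for this site's domain.
// Placeholders only; paste your own keys. Keep the secret key out of
// version control, e.g. read it from the environment as done here
// (MOODLE_RECAPTCHA_SECRET is an assumed, site-specific variable name).
$CFG->recaptchapublickey  = 'RECAPTCHA_SITE_KEY_PLACEHOLDER';
$CFG->recaptchaprivatekey = getenv('MOODLE_RECAPTCHA_SECRET')
    ?: 'RECAPTCHA_SECRET_KEY_PLACEHOLDER';

// Force the "Enable reCAPTCHA element" checkbox on for the email plugin.
// forced_plugin_settings locks the value so it cannot be unticked in the
// web UI; the plugin key is assumed to be 'auth_email' (newer Moodle).
$CFG->forced_plugin_settings['auth_email'] = ['recaptcha' => 1];

// Optional: the "Allowed email domains" restriction from the Moodle doc
// quoted above, useful when the site serves a single district.
// Placeholder domain; list several separated by spaces.
// $CFG->allowemailaddresses = 'somedistrict.k12.example';
```

After changing any of these, log out and load the site's "Create new account" page: the reCAPTCHA widget should be visible on the form. That one look is the check the post's author skipped; if the widget is missing, the keys or the plugin checkbox have not taken effect.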

Once that was complete, I went to the create account form on the site and guess what appeared?

Moral of the story? 

If you want to enable self-registration, prevent those annoying spam bots from doing their work by enabling the reCAPTCHA service from Google.  Register your domain with the Google service, get your keys, plug them in, and be done.
