[Feature Request] Disable Registration during installation

[kcmartz]

I'm sure i'm not the only one who gets spammers to register within a few hours after installing SMF. So what I'm requesting is a simple checkbox to enable/disable registration during setup which can be changed in SMF administration panel.

That would be helpful for sites (like mine) that get spammers all the time.

[norv]

It makes sense to me. (unfortunately)

[kcmartz]

Yea and it doesn't seem like it will add a whole lot, barely anything.
On Nov 20, 2012 10:07 AM, "Norv" notifications@github.com wrote:

It makes sense to me. (unfortunately)

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/237#issuecomment-10565708.

[Akyhne]

SMF should be adding a new kind of protection. No more captcha that no one can read.
A simple puzzle or click the right image.

I know some say that image selection & puzzles can be broken. But still, they give some slack to forum owners, until someone bothers making a crack for it. No one seemed to bother cracking my Avatar Verification mod, at least not that I know of. Well, it's not widely used.. and? If it was popular, it was probably already cracked.
I use it on a 100.000 views/month forum and in 5-6 other forums, most just test forums. It is the only protection I use, besides the lowest captcha level on some of them. I just tried to disable it a few days ago in one of my test forums that goes back to 2009. Most users online ever on that one, was 14 in 2010. Still, I've had 5 bots registering there in the last two days, after disabling my mod!
And honestly, I don't believe it is easy to crack. There's no system in the sessions generated, no bot can find any system in the JS generated. There is none! And images are partly stretched or tilted or zoomed on, in random order and random ways.

Maybe a new sequrity in SMF will be broken and widely spread within a year. And?! Then you just add another one. Giving up, is no solution. Make it hard for the spammers. Fight them!
Saying it's up to the forum users to protect their forum, is not good enough. The problem kcmartz mentioned, is by far the first time I heard about it. Install SMF and get spammers in a few hours. It gives SMF a bad reputation!

[kcmartz]

I think it's cause I used to have random content on it with no coherent
purpose. Now I have been installing/uninstalling SMF/Wordpress and I do get
spammers within (well only sometimes a few hours) a day or two at most.

Thanks,
Kenson Martz

On Tue, Nov 20, 2012 at 7:07 PM, Akyhne notifications@github.com wrote:

SMF should be adding a new kind of protection. No more captcha that no one
can read.
A simple puzzle or click the right image.

I know some say that image selection & puzzles can be broken. But still,
they give some slack to forum owners, until someone bothers making a crack
for it. No one seemed to bother cracking my Avatar Verification mod, at
least not that I know of. Well, it's not widely used.. and? If it was
popular, it was probably already cracked.
I use it on a 100.000 views/month forum and in 5-6 other forums, most just
test forums. It is the only protection I use, besides the lowest captcha
level on some of them. I just tried to disable it a few days ago in one of
my test forums that goes back to 2009. Most users online ever on that one,
was 14 in 2010. Still, I've had 5 bots registering there in the last two
days, after disabling my mod!
And honestly, I don't believe it is easy to crack. There's no system in
the sessions generated, no bot can find any system in the JS generated.
There is none! And images are partly stretched or tilted or zoomed on, in
random order and random ways.

Maybe a new sequrity in SMF will be broken and widely spread within a
year. And?! Then you just add another one. Giving up, is no solution. Make
it hard for the spammers. Fight them!
Saying it's up to the forum users to protect their forum, is not good
enough. The problem kcmartz mentioned, is by far the first time I heard
about it. Install SMF and get spammers in a few hours. It gives SMF a bad
reputation!

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/237#issuecomment-10583948.

[norv]

I completely agree @Akyhne . Of course. Disabling registration is like solving the wrong problem. But it still makes sense to me, and we can add new protections against spammers. They're not exclusive.

I'd keep this issue clear and separate from the other, so that if we reject this in the end, they're separate requests.
On the registration protection:
#238

[Akyhne]

A simple verification could be a matchstick test.
10 matchsticks are aligned vertical, but in various angles - not much, but up to 10 degrees. 3 of them leans to the right, the rest to the left (or vica verca).
The registrant then has to point out (click) the 3 matchsticks leaning to the right, within a minute, to continue registration.
The downside (as with Avatar Verification), is you need to use GD for this.

Verification Questions are also good, but in many cases crackable if your questions are to easy. Another downside, is that verification questions can't bet activated during installation with a general, english question.
A third reason is, we are humans and we think different.
"What is shining on you, on a good, sunny day?"
Answer could be "Sun" or The Sun", "sun", "the sun". And for people thinking different, the answer could be "Sky".

"What do you drive to work every day?"
Well, if I'm unemployed....! I could also be using my bike. Or I could be a minor and not understanding what is meant.
And no, the answer isn't obvious to all people.
Another issue is that there are lot of people who can't spell.

Then there's calculation:
"What is 5+7"
As I understand, many spam cracks can easily detect something like this.
Another downside is that not all people can calculate... even that simple calculation.

I've always found something you have to click, to be much more fast, than something you have to type. In the 5-6 homepages I have registered, where I had to use ReChaptca, I had to give up in one or two occations. Either there was an issue with the registration, or I simply just couldn't read the letters correct (I'm normally an ultra fast reader and very good at spelling). But the images were just so hard to read.

[IchBin]

The other downside to that is that it would not work for those who cannot see, or have very bad vision. Back to the main topic though, I don't see any reason we can't disable registration until the user has their forum setup. Put up a notice at the topic that tells the admin their registration is turned off until they are ready to turn it on for the first time.

[mikemill]

Being able to disable registration at install time does make sense. For one, the admin might not want to do the wide open registration setting that is the default.

[emanuele45]

What about simply keep the forum in maintenance mode during the installation? (and maybe until install.php is removed)

[ahrasis]

If i'm not mistaken, registration is not fully disabled during maintenance. That is why I write IDR mod. It is wise IMO to put a box to disable registration which by default is ticked when the installation is about to finish so that registration cannot be made until it is enabled. A notification/reminder/warning box with "Your forum registration is currently diabled. Click here to enable it." for admin at the top with link to enable it, will help the forum admin. Just another cent of mine, of course.

[kcmartz]

So I'm wondering, is this going to be implemented in 2.1, or later on?

[matthew-kerle]

It's a duplicate of something that's being worked on, if you look at the issues list.

[matthew-kerle]

Duplicate of #326