I have a community blog where the public can register to post entries and comment. I noticed I was getting several spam registrations per day. Username is 9 random lower case letters, email is from hotmail and always a URL from a french company. Obvious spam.
I have disabled comment registration and create entry. They were still appearing. I removed all the code from the site that had anything to do with registrations. I am still getting these registrations. Fortunately there are no permissions set. I also removed the general "add user" from the blog user list.
Any ideas how this might be happening? How to disable community for this Blog (have another private, protected blog also using the community addons.
Thanks,
Merv
PS: MT 4.35
Reported on Movable Type 4.3
Hi Merv,
I would recommend you to start from upgrading your movable type installation to v4.37.
The reason is that a couple of vulnerabilities related to the registration process have been fixed since v4.35.
Kind Regards,
Mihai Bocsaru
----------------------------------
Daily Movable Type Consultant
Web Development
Movable Type Consulting
Six Apart Partner
http://www.pro-it-service.com/
----------------------------------
Movable Type Demo
http://www.movabletypedemo.org/
----------------------------------
Open Melody Demo
http://www.openmelodydemo.org/
AHHH ... Thanks Mihai, will do.
You're welcome!
Merv:
In addition to what Mihai said, please note that Movable Type versions 4.35, 4.36, 4.361, and 4.37 have all been mandatory security updates.
For instance, if you take a look at the text of the Movable Type 5.05 and 4.36 Release Notes, you'll see the following:
Everybody reading this thread should review their Movable Type instances to make sure they are running the latest version of Movable Type on their release branch.
Thanks Dave,
I understand and appreciate "mandatory" from your standpoint. I also understand "mandatory" from my clients standpoint. I (my client) have been on MT since 2004 and have never experienced these issues. On Community since it was first released in MT 4.
Now that we have this issue, the upgrade to 4.37 is warranted if they (my client) concurs and willing to pay. Always a balancing act.
Thanks again.
Merv
Merv, unfortunately we all have this problem, at least the consultants that build up projects and then have to take care that the client is aware of a risk and is willing to pay for the upgrade service.
In my experience sometimes a client won't like to pay for upgrading an installation, even if the client understands the risk.
It's like believing it would never happen to them...