Bots or real users, too many fake registrations

One of my websites: https://ventaredonda.com.mx/user/register (the registration page) gets too many fake signups, even though there is re-captcha there. :cold_sweat:

I have tried changing the URL of the sign up page, but the spams do not stop. I’m not really sure if this is the work of bots, or something else.

One pattern I have seen is - the name field is like FloridaKeec or BrennaBauma - first and last names joined together, camel cased and without a space. Moreover, they all have different and strange website links, whose field is not in the registration form, but can only be filled after you sign up and THEN go to your account and update it. :thinking:

I think I could check the names using REGEX, but this website is based on an old CMS, and it’s too messy to touch the code. I’m currently re-writing the site again, but for the time being is there some simple Cloudflare solution that can help??

I would really appreciate advice here, this has been going for years.

Thank you! :pray:

In that case, you should check if your CAPTCHA is actually properly evaluated. If it is not, you should fix that. If it is, these registrations won’t be automated ones.

Nothing out of the box. There are things like WAF and bot management, but most of them are paid and they won’t guarantee anything either.

You could create a custom Worker script which checks the respective request, but that would involve custom JavaScript code and might be paid if you exceed the Free allotment.

My advice, check your CAPTCHA as that - if implemented properly - should stop any automated signups and will be more secure than anything you can pull with Cloudflare. If these signups are manual however, you cannot really prevent them anyhow.

Thank you for your input @sandro. The Google recaptcha is quite properly implemented, I’m not sure if there can be more done on it. Each spam user seems to have a different IP address too. Very strange.

I think the proper solution is a home grown validation/coding.

Thank you and regards :pray:

In that case I’d assume these are manual requests and defending against them will be difficult and mostly involve blocking entire networks.

You can certainly come up with a Worker which checks the request body for mentioned strings, but depending on your traffic that could be costly and even allow them to raise your Worker costs.

Identifying and blocking the main networks is probably the best course of action, though they can certainly circumvent that too.
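The Worker check discussed above, as an added example that is not part of the original thread or any poster's code: it flags registration POSTs whose name matches the joined, camel-cased pattern the original poster described. The field name `name` and the urlencoded form encoding are assumptions; `/user/register` is the path given in the thread. Routing the Worker only to that path keeps invocations down.

```javascript
// Added example: the name heuristic from the thread as Worker-callable code.
// Assumptions (not from the thread): the form posts urlencoded fields and
// the username field is called "name".
const NAME_FIELD = "name"; // hypothetical field name
const REGISTER_PATH = "/user/register"; // path given in the thread

// Two capitalised words joined without a space, e.g. "FloridaKeec".
const JOINED_NAME = /^[A-Z][a-z]{2,}[A-Z][a-z]{2,}$/;

function looksLikeJoinedName(value) {
  return JOINED_NAME.test(String(value || "").trim());
}

// Decide what to do with one request. Returns "pass" or "block".
// Anything that is not a urlencoded POST to the registration path passes,
// so other traffic (and multipart forms) is never touched.
function classifyRegistration(method, pathname, contentType, bodyText) {
  if (method !== "POST" || pathname !== REGISTER_PATH) return "pass";
  if (!/^application\/x-www-form-urlencoded/i.test(contentType || "")) {
    return "pass";
  }
  const fields = new URLSearchParams(bodyText);
  return looksLikeJoinedName(fields.get(NAME_FIELD)) ? "block" : "pass";
}

// Worker entry point: read a clone of the body so the original request
// can still be forwarded to the origin unchanged.
async function handleRequest(request) {
  const url = new URL(request.url);
  const body = request.method === "POST" ? await request.clone().text() : "";
  const verdict = classifyRegistration(
    request.method,
    url.pathname,
    request.headers.get("content-type"),
    body
  );
  if (verdict === "block") {
    return new Response("Registration rejected", { status: 403 });
  }
  return fetch(request);
}
// In a deployed Worker: export default { fetch: handleRequest };
```

The pattern is a heuristic and will also match a genuine user who types a name like `JohnSmith`, so logging or holding matches for review is a gentler first step than a hard 403.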

Cloudflare’s Bot Management product for CF Enterprise users might help to differentiate bot vs human traffic so you can block bots. But human spam would be harder. Your CMS/app needs to add support for some spam databases if you’re rewriting it though i.e.
