fake user accounts


George Weiblen

Nov 23, 2022, 1:20:08 PM
to symbio...@googlegroups.com
Hi folks,

I'm curious to know if any of you have experience with your portal's
"create user account" function being targeted by bots? We first
experienced this in the run-up to the 2016 election when thousands of
fake SPAM-like accounts were created in a matter of days. We installed
reCAPTCHA and the problem went away for a while.

Then the problem resurfaced during 2020 but it wasn't a big deal for me
to delete a few thousand accounts using SQL on a quarterly basis.

Things got completely out of control starting around September of this
year when the number of fake accounts jumped to something like 10,000
per week! By November it was up to more like 30,000-40,000 per week.
Enough to crash the User Permissions page when the pull-down menu failed
to load.

It's now reached the point where 5-6 new accounts are being created each
second! Perhaps bot AI has figured out reCAPTCHA? Unless anyone has
other ideas, we might simply remove the "create user account" from our
landing page and create new accounts by personal request only.

Kind regards,

George

--
George D. Weiblen, PhD
Science Director, Bell Museum
Professor, Plant & Microbial Biology
University of Minnesota
140 Gortner Laboratory
1479 Gortner Avenue
Saint Paul, Minnesota 55108

Office: 1-612-624-3461
Web: http://geo.cbs.umn.edu

Michael Denslow

Nov 23, 2022, 2:31:35 PM
to symbio...@googlegroups.com
Hi George, 

Sorry I don't have an answer at this moment, but I'm planning to look into it for the portal that I co-manage (SERNEC). 
A question, how do you know which accounts to remove? The ones presumably made by bots?

We don't have create user account on our landing page and while we have many users the list loads fine for us at the moment.

Best,
Michael



--
You received this message because you are subscribed to the Google Groups "Symbiota" group.
To unsubscribe from this group and stop receiving emails from it, send an email to symbiotagrou...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/symbiotagroup/ff38d7ad-570c-bfae-a8ca-0b6e1b923168%40umn.edu.

Miller, Andrew Nicholas

Nov 23, 2022, 5:35:45 PM
to 'George Weiblen' via Symbiota

Both of our portals have reCAPTCHA enabled.

There are a lot of accounts of dubious origin, which seem more likely to put HTML links into the Biography field.

26 such accounts were created in the Biocoll portal today.

But nowhere near the 10,000 per week that George is seeing.

 

The simple solution would be to disable the create account option and provide a mailto link to request an account.

 

A long-term solution would be to add email confirmation to the registration process.


Andy
–––––––––––––––––––––––––––––
Andrew Miller, Ph.D.
Mycologist and Director of the Herbarium/Fungarium
University of Illinois
Illinois Natural History Survey
1816 South Oak Street
Champaign, IL  61820-6970

Office address:
Robert A. Evers Laboratory
Room 2003
1909 South Oak Street, MC-652


Benjamin Brandt

Nov 23, 2022, 6:18:13 PM
to symbio...@googlegroups.com

I have been maintaining a fork of Symbiota (https://github.com/greentheorystudio/Symbiota) that has a multi-layered system for reducing spam accounts that has proven pretty effective. It has a built-in captcha that works just as well as the Google reCAPTCHA, but also still has some dubious accounts that get through. Once a new account is created though, the new user has to respond to a confirmation email that is sent to the email address linked to the account in order to activate it. The User Permissions page only displays confirmed accounts initially, but can be set to either include unconfirmed accounts, or show only unconfirmed accounts as well. An automatic process runs as every new account is created that clears out all unconfirmed accounts created more than 30 days prior. New users that have not confirmed their accounts can only access their User Profile information, where they can also have the confirmation email resent, in addition to the publicly accessible areas of the portal.

 

While this fork is significantly different than other forks of Symbiota, any of you are welcome to adapt the code, or approach, into the fork your portals are using.

 

You can see this Symbiota fork in action at:

Indian River Lagoon Species Inventory - https://irlspecies.org/index.php

calIBIS - http://www.cal-ibis.org/index.php

Flora of Wisconsin - https://wisflora.herbarium.wisc.edu/index.php

 

Cheers,

Ben
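The confirmation-and-purge flow Ben describes, as an added illustration that is not code from Symbiota or from his fork. It assumes accounts live in an in-memory dict, mail goes out through a callback, the link points at a hypothetical https://portal.example/confirm URL, and a token is valid for 24 hours; the 30-day purge window, the sweep on every new registration, and the three views of the permissions page follow the description above. Only a hash of the token is stored, so a read of the user table does not yield working activation links.

```python
"""Email confirmation gate with automatic purge of unconfirmed accounts.

Added illustration, not Symbiota code. Assumptions: in-memory account
store, mail sent via a callback, hypothetical confirm URL, 24-hour tokens.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

PURGE_AFTER = timedelta(days=30)   # unconfirmed accounts older than this are deleted
TOKEN_TTL = timedelta(hours=24)    # assumed validity of a confirmation link


def _hash_token(token: str) -> str:
    # Store only a hash so a database read does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    uid: int
    email: str
    created: datetime
    confirmed: bool = False
    token_hash: Optional[str] = None
    token_expires: Optional[datetime] = None


class Registry:
    def __init__(self, send_mail: Callable[[str, str], None],
                 now: Optional[Callable[[], datetime]] = None):
        self.accounts: Dict[int, Account] = {}
        self._send_mail = send_mail
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._next_uid = 1

    def register(self, email: str) -> Account:
        """Create an unconfirmed account, mail the link, then sweep stale accounts."""
        acct = Account(uid=self._next_uid, email=email, created=self._now())
        self._next_uid += 1
        self.accounts[acct.uid] = acct
        self.send_confirmation(acct.uid)
        self.purge_unconfirmed()           # runs on every new registration
        return acct

    def send_confirmation(self, uid: int) -> None:
        """(Re)issue a confirmation token; a user can trigger this from their profile."""
        acct = self.accounts[uid]
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        acct.token_hash = _hash_token(token)
        acct.token_expires = self._now() + TOKEN_TTL
        # hypothetical portal URL
        self._send_mail(acct.email, f"https://portal.example/confirm?uid={uid}&t={token}")

    def confirm(self, uid: int, token: str) -> bool:
        """Activate the account if the token matches, is unexpired and unused."""
        acct = self.accounts.get(uid)
        if acct is None or acct.confirmed or acct.token_hash is None:
            return False
        if acct.token_expires is None or self._now() > acct.token_expires:
            return False
        if not hmac.compare_digest(acct.token_hash, _hash_token(token)):
            return False
        acct.confirmed = True
        acct.token_hash = None             # single use
        acct.token_expires = None
        return True

    def purge_unconfirmed(self) -> List[int]:
        """Delete accounts never confirmed within PURGE_AFTER; return their ids."""
        cutoff = self._now() - PURGE_AFTER
        stale = [u for u, a in self.accounts.items()
                 if not a.confirmed and a.created < cutoff]
        for u in stale:
            del self.accounts[u]
        return stale

    def visible_accounts(self, mode: str = "confirmed") -> List[int]:
        """What the permissions page lists: confirmed (default), all, or unconfirmed only."""
        if mode == "all":
            keep = lambda a: True
        elif mode == "unconfirmed":
            keep = lambda a: not a.confirmed
        else:
            keep = lambda a: a.confirmed
        return sorted(a.uid for a in self.accounts.values() if keep(a))
```

The clock is injectable so the expiry and purge paths can be exercised without waiting; in a real portal the same logic would sit behind the registration handler and a confirm endpoint, with the token hash and expiry stored alongside the user row.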

James Ryan Allen

Nov 23, 2022, 7:15:06 PM
to symbio...@googlegroups.com
I am manually deleting fake users on the CU Symbiota Database, but it is generally in the hundreds per month along with a thousand or so checklists. As Andy noted, you can kind of spot bad accounts; you start to see trends like addresses being used over again or use of the Google address trick where you can put a period at any spot in an email. Bad web injection like <> in fields is also a giveaway. I am planning to move to the new version of Symbiota where checklist permissions have to be activated; that will help with checklists, but not bogus user accounts. It is also typically easier to spot bad checklists than it is to find bad users, so I typically do a purge of checklists and then, if I have a question about a user, I can pull up the profile and see if there was an associated deleted checklist. If I delete a checklist of a user, I also delete their account.

I suspect the Symbiota community is going to have to push for more security to combat AI/bots getting past the reCAPTCHA.
Ryan

J Ryan Allen

Project Coordinator Southern Rocky Mountain TCN

Project Manager Biodiversity Informatics

University of Colorado Museum of Natural History
Herbarium (COLO)

350 UCB

Boulder, CO 80309

303-492-3216




From: symbio...@googlegroups.com <symbio...@googlegroups.com> on behalf of Benjamin Brandt <benjami...@gmail.com>
Sent: Wednesday, November 23, 2022 4:18 PM
To: symbio...@googlegroups.com <symbio...@googlegroups.com>
Subject: Re: fake user accounts
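The giveaways Andy and Ryan describe (HTML links in the Biography field, the same mailbox reused through Gmail's dot-insensitive addressing, angle brackets in fields) can be turned into a triage pass over the user table. The following is an added example, not Symbiota code; the sample rows are constructed. It canonicalises addresses (dots dropped for Gmail domains; "+tag" suffixes dropped for every domain, which is an assumption), groups accounts by resulting mailbox, and flags biographies containing markup or URLs. It reports reasons for a human to review rather than deleting anything.

```python
"""Triage of suspicious portal accounts on the giveaways named in the thread.

Added illustration, not Symbiota code; SAMPLE_USERS is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
MARKUP_RE = re.compile(r"<[^>]+>|https?://|www\.", re.IGNORECASE)


def canonical_email(addr: str) -> str:
    """Reduce an address to the mailbox it actually delivers to."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]         # drop +tag (assumed for all domains)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")     # a.b.c@gmail.com delivers to abc@gmail.com
    return f"{local}@{domain}"


def biography_flags(bio: str) -> List[str]:
    """Flag HTML tags or links in a free-text biography."""
    return ["html_or_link_in_biography"] if MARKUP_RE.search(bio or "") else []


def triage(users: Iterable[dict]) -> Dict[int, List[str]]:
    """Map uid -> reasons it looks suspicious; accounts with no reasons are omitted."""
    users = list(users)
    by_mailbox: Dict[str, List[int]] = defaultdict(list)
    for u in users:
        by_mailbox[canonical_email(u["email"])].append(u["uid"])
    report: Dict[int, List[str]] = {}
    for u in users:
        reasons: List[str] = []
        peers = by_mailbox[canonical_email(u["email"])]
        if len(peers) > 1:
            reasons.append(f"mailbox shared with {len(peers) - 1} other account(s)")
        reasons += biography_flags(u.get("biography", ""))
        if reasons:
            report[u["uid"]] = reasons
    return report


# Constructed sample rows (no real accounts).
SAMPLE_USERS = [
    {"uid": 1, "email": "jane.doe@umn.edu", "biography": "Bryophytes of Minnesota."},
    {"uid": 2, "email": "promo.user@gmail.com",
     "biography": 'Best deals <a href="https://example.com/">here</a>'},
    {"uid": 3, "email": "p.romo.user@gmail.com", "biography": ""},
    {"uid": 4, "email": "promouser+x@gmail.com", "biography": "Visit https://example.net/seo"},
    {"uid": 5, "email": "p.romo.user@umn.edu", "biography": "Grad student."},  # not Gmail: dots kept
]

if __name__ == "__main__":
    for uid, reasons in sorted(triage(SAMPLE_USERS).items()):
        print(uid, "; ".join(reasons))
```

Run against an export of the user table, the report is a starting list for the manual check Ryan describes (pull up the profile, look for an associated deleted checklist) rather than an automatic delete; a legitimate user who registered twice would also appear.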
 

Greg Post

Nov 28, 2022, 2:57:50 PM
to Symbiota
Hello,

In my experience the most common goal of creating fake user accounts is to publish 'commercial' content for link farming or paid backlink SEO schemes.

In July of 2022 the Symbiota codebase (https://github.com/BioKIC/Symbiota) deployed a new permissions mechanism that prevents brand new accounts from creating public content via checklists or datasets.

While this does not prevent bad actors from creating fake accounts, it does remove the motivation to do so. They cannot create any public facing content that can then be crawled or verified by the advertising systems that pay for this type of activity.

Since deploying this update we have seen a reduction in the number of fake accounts created on ASU hosted Symbiota portals. 

Improving the security of Symbiota portals is always a top priority. Please feel free to send bug reports or feature requests to our github discussions - https://github.com/BioKIC/symbiota-docs/discussions

Best regards,

Greg Post
System Administrator & Programmer
iDigBio Symbiota Support Hub
School of Life Sciences
Arizona State University