Our client off late reported unusual user registration on their DNN websites. They experienced a peek in user registration. They asked for us to investigate the issue and eagerly obliged. It turned out that all registrations were taking place with unique emails and had address etc too. Soon it turned out to us that these are bots that are creating these users and then utilizing activity feed to share spam links.
Most of our clients were running DNN version 7.x.x however none of them were on Version 7.03.02. Now we had two problems at our hand
1) Delete all users which are spam
2) Find a way to stop bots from creating new accounts.
DO NOT FORGET TO BACK UP YOUR DATABASE
For the first part of the problem it is difficult to distinguish between the actual users and the users created by bots. Here is a query that might help you identify these users
SELECT * FROM {databaseOwner}[{objectQualifier}Users]
WHERE CreatedOnDate < '2014-07-01 00:00:00.000'
Run the above query that will list down all the user created after 1st July 2014. For running this query go to host > SQL and run the above query.
Note the user ids that you think are genuine and run the following query
UPDATE {databaseOwner}.
SET isDeleted = 1
WHERE UserID in (SELECT UserID FROM {databaseOwner}[{ objectQualifier}Users]
WHERE CreatedOnDate > '2014-08-20 21:39:58.577' and userid not in (ids that you think are not spam seperated by ','))
This will soft delete the user in DNN. Now all you need to do is to hard delete these users from your website. For hard deleting the user go to Admin > user Management go to the bottom of the page, find ‘Remove Deleted Users’. Click delete users button which will delete all the users who are in soft deleted state.
The other clean up task that you will have to do manually is to delete user folders which are present under the portal > users. Note if you are running DNN 7.03.01 then you need not do anything as user folder is deleted when a user hard delete.
Check again in admin > user management and you will find all users from above have disappeared.
Now that we have fixed this issue let us turn our attention on how to stop bots from creating new spam users. For doing so follow the steps below
1) Create a new page fill the following
a. Page Name =
i. [Your Site Name] New User OR
ii. [Your site Name] Registration
b. Title
i. Register a new user for your website OR
ii. User Registration
c. Description
i. Any description you like
d. Make sure that that include in menu is disabled.
2) Add Account Registration module to this new page.
3) Set this page as new registration page. For doing so go to admin > Site Setting > advance Setting tab. Find the Registration page option and set your newly created page to this.
4) Open a different browser and check if registration page has been set properly or not.
5) Repeat this for all the sites you have.
6) You will now have to block the default registration page. For doing so go to host > host settings > other setting (tab). Find ‘Enable request filter’ checkbox and check it.
a. Once the check box is checked a new form will appear below fill the following into the form
i. Server Variable = HTTP_URL
ii. Operation= Regex
iii. Match Value= (?<=\?)ctl=register|(?
iv. Location: empty
b. Click ‘save’
7) Scroll down and click update.
8) Test your website.com/register will now be showing an error.
That’s all you need to do to get going.
For more info please see http://www.dnnsoftware.com/wiki/page/replacing-registration-page-with-custom-and-blocking-the-default-register-page