Forum Registration FYI

READ THIS FORUM FIRST! Here are the rules and important information for you.

Moderator: FSAirlines Staff

User avatar
Mesquaki
Ticket Agent
Posts: 25
Joined: Tue Sep 27, 2022 9:49 pm
Location: CYYQ

Re: Forum Registration FYI

Post by Mesquaki »

joefremont wrote: Thu Aug 10, 2023 12:23 am I don't understand. When you register on the forum I have this text displayed on the page where agree to the terms.
This forum in intended for the members of FSAirlines.net, If your profile can not be matched to an existing FSAirlines.net member you forum account will be deleted. Your account will be verified in the next few days and you will receive a notification in FSAirlines when it is approved.

Important! If you want access to the forum, you must request assess on FSAirlines.net. Register on the forum then sign into you FSAirlines.net account and submit a support ticket requesting access to the forum. From the "Quick Links" on the right select "Support" and then "Submit Support Ticket" from the options. If you do not submit a support ticket we will delete your registration on the Forum.
Yet, not one person has submitted a support ticket asking for forum access. Is what I wrote above not understandable?

I understand the Russian hackers of which we get about half a dozen registrations a day are not going to do this, but what can I try? I have though about changing the the registration process so you have to create your FSA account and then have an option where you can create a forum account from your profile page, rather than register on the forum directly, but then if the main site is down you can't get on the forum at all.

What to do?
My wife and I have seen the influx of similar "registrations" on our forum as well when we used phpBB beside our website server software. Since we are involved with game asset design for game development, most registrations coming in are spam accounts as the usernames do not match the names in the store database, and we too make it very "clear" in order to have the forum account verified they need to contact us via our store page to let us know of forum registration. However, I ended up writing a forum that integrated into our website and uses the website database so that ended our issues.

My wife also has not registered on your forum yet so as I am typing this, she went to the forum to read exactly how you have the information. To her, it is very crystal clear. Coming short of holding their hand to help them understand the need to submit a support ticket, there is nothing more you could possibly do to make it any easier, unless drawing a picture with crayons would help- her words not mine.

The only other thing is to only have the forum link seen when logged into your FSA account on the site, but that would be moot if the link is bookmarked. This would also only be fool proof if you made phpBB tie into the FSA database to check and see if the user is actually logged into a valid FSA account. However, best to keep the two databases separate- don't want the forum to corrupt and take everything down with it. If the forum goes down, FSA still works.

There were some tools once upon a time for phpBB that allowed checking for valid emails used in registration, at least back when we had used it. There was also one that checked the IP against a database of blacklisted IP's and if it was in that list it was blocked. Unless you can find something similar to help assist you in verification, the question is how deep down the rabbit hole do you want to go? I think it is simple- someone registered on the forum but does not submit their support ticket through FSA as you requested, then it is deleted.
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

The forum and the main site are totally separate, different service providers on different continents. I did recent figure out how I can have the main site call the forum to get a list of new registrations usernames, emails and IP addressers which it then compares to the pilot database and the MaxMind IP database so I can at a glance view where those new users are from and if they match the email or IP address of anyone who has logged into the site. Just now there is another from Moscow, which I just deleted.

The ultimate answer is probably turn off registration on the forum and have the main site push them to the forum via some secret back channel hack, but as you said that is another security rabbit hole I could go down a long way.

Sometimes you can just look at a registration and know its wrong. My favorite was when someone used 'CBD Gummes' as a user name. I did not even have to look that one up before it was deleted.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
User avatar
Mesquaki
Ticket Agent
Posts: 25
Joined: Tue Sep 27, 2022 9:49 pm
Location: CYYQ

Re: Forum Registration FYI

Post by Mesquaki »

joefremont wrote: Thu Aug 10, 2023 5:30 am The ultimate answer is probably turn off registration on the forum and have the main site push them to the forum via some secret back channel hack, but as you said that is another security rabbit hole I could go down a long way.
I would agree this would most likely be the easiest on you- turn off registration, and would it hurt users to make their FSA account and then send a message or support ticket requesting a forum account? You could create it manually for them, assigning their username and password. They can change their password once logged in. I certainly would not have an issue if I had to register this way.
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

12 forum registration attempts today, all bogus. 10 from Russia or adjacent countries, 2 claimed to be from the USA but there email addresses linked them to some South Africans dept relief company. None linked to the IP address or email of a registered user. All deleted.

I came really close to turning off forum registration completely, but need to have the alternative in place before I do that.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
User avatar
Mesquaki
Ticket Agent
Posts: 25
Joined: Tue Sep 27, 2022 9:49 pm
Location: CYYQ

Re: Forum Registration FYI

Post by Mesquaki »

joefremont wrote: Thu Aug 17, 2023 5:55 am 12 forum registration attempts today, all bogus. 10 from Russia or adjacent countries, 2 claimed to be from the USA but there email addresses linked them to some South Africans dept relief company. None linked to the IP address or email of a registered user. All deleted.

I cam really close to turning off forum registration completely, but need to have the alternative in place before I do that.
Turn off registration, and have somewhere in the FSA site pages (either a link in the Quick Links or somewhere in the Terms and Conditions) that outline for forum usage a user needs to send a message to the admin to get a forum account created. I realize that will add extra work, but seems to be the best option to take.
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

Today I log in and see nine registrations waiting on the forum, they all look bogus. I created a tool so I could quickly see if anyone real is registering, this is what I see.

Image

I deleted the first part of the emails, in the unlikely case they are real, which I don't think they are. But I can see that for all of them, there are no matches between the registration IP and login's on the platform, and none of the emails match any one who is registered. I did have someone last week where id did match email but the person never logged in a second time and never verified there email, so that got deleted.

I find it interesting that we have three registrations that end with .ru but they did not register from Russia based on IP address. Well I am off to delete them all.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
User avatar
Cat
Chief Pilot
Posts: 883
Joined: Wed Jan 06, 2016 5:56 am

Re: Forum Registration FYI

Post by Cat »

This maybe a good time at year end to clean out the pilot roster too? For the number of registered pilots, we sure don't have many flying.
147 flights booked + 62 flying = 209 / 15,957 = 1.31%.
How many years can one sit dormant on the platform without being booted?
Image
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

There was a time when if you did not log in for 90 days, we deleted your account. But then I spent a significant amount of time restoring the accounts of pilots who had there accounts deleted but wanted them back, so I changed it so that if they had flown at least 5 flights, instead of deleting at 90 days we just removed them from there VA, this allowed the airlines to be cleaned but keep the accounts of pilots who have actually used them. So I have not gotten a 'please restore my account' request is quite a while.

I have seen recently that we have been receiving a significant number of fake registrations, they never verify the email and, often the first and last names are ten random characters. For a while we got a lot where the first and last contained links to spam websites, these I am now blocking but the random letter thing I don't know. The volume is not that great its going to cause us a problem, I looked into blocking IP addresses but its essentially random. Currently we are blocking more than 95%, and any account that does not verify there email gets deleted in 7 days.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
User avatar
Cat
Chief Pilot
Posts: 883
Joined: Wed Jan 06, 2016 5:56 am

Re: Forum Registration FYI

Post by Cat »

Makes sense on the pilot roster - you have enough work as it is. I was just curious.
Image
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

Want to know something weird, the last 6-8 forum registrations have been real! Maybe the spammers have given up for now.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

In the last 24 hours we have gotten over forty spam registrations, and that is after I deleted 20+ yesterday.

If you want forum access please submit a support request in the FSA Platform.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
User avatar
joefremont
FSAirlines Developer
Posts: 3827
Joined: Tue May 16, 2006 5:46 am
Location: KSFO

Re: Forum Registration FYI

Post by joefremont »

I have reactivated the registrations, before it was not to bad to delete spam registrations, only six clicks each, which was ok when I was getting 3-4 a day, but at 40 was too much, but I found a page in the forum admin where I can delete a bunch at a time, so its not as much of a burden. I will turn it on for now but am looking for another way.

Options:
  • Have something in the forum that calls the website at registration to check if the email used is the same as a registered and verified FSA User.
  • Have a 'create forum user' page on the main website which will call a secret backdoor on the forum that will create the user, with no registration on the forum itself.
Image
I've sworn an oath of solitude until the pestilence is purged from the lands.
Post Reply