In the admin we have selected the Registration by invitation only option. We had a user sign up that was not invited. I did a search for this person's email address and it seems that he/she is a spammer.
My question is ....
1. How did he create a user if he was not invited?
2. Now that he is there the register by invite has no effect and anyone is allowed to register?
3. When I delete the user the registration by invite screen returns to function correctly when visitor clicks on the join button.
Any help would be appreciated. I am using 7.0.6 with many mods.....
|
The spammer most likely knows how Dolphin's invitation system works, which is how they got through it. I think it'd be better if the script used some kind of code system for invitations, instead of using member IDs.
Edit: I'm not sure what you mean by "Now that he is there the register by invite has no effect and anyone is allowed to register?" Can you explain this a little more?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
once this spammer has created his user name the join link now pulls up the signup form whether the check box in the admin for registration by invite is clicked or not.
when you delete the spammer's username the system returns to normal.
|
any of those deartmedia mods or ibellaweb mods?
the join by invitation only, does work, i have a client who runs three sites, all invitation only, and there are no spammers or joiners who were not invited.
so there is something in your 'many mods' that can be, and most likely is, contributing to this. like did you get any of those mods from the modmysite garbage can?
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
I agree it works...except for when these guys break it....
Yes I have mods from ibellaweb
This has happened a total of 5 times to our site. 3 of them prior to mods from ibellaweb.... I have the email address that the spammer used but am hesitant to post it....
I google searched the spammer's email address and the address comes up multiple times on other dolphin sites.
I wonder if they have found a way to install a method of stealing user info or something.....
|
Does the invitation feature break when you try inviting a new account (that you created) to the site? BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
No, it sends the email and you could register. We have not registered during this period for fear that the spammer is also somehow collecting the data.
Again, once we delete the spammer's user account the site returns to normal and all is good with the feature...
|
That's odd. It's also odd how the account's email is also in use on a number of Dolphin sites. I don't suppose you could send me it with a list of your installed mods/modules, could you? BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I sent you a pm.
|
well i went and looked into this, and the registration by invitation only is a fluke, it doesn't work, and you can circumvent the invitation simply by creating your own URL
http://www.somesite.com/index.php?idFriend=[ID]
put that in the browser, and you have your invitation.
even with email confirmation enabled, if you use one of the free email services, you can get the email sent to your spamming email account, in order to verify your email address. so even this is circumvented.
short of the admin having to manually approve every join, there is no known secure method for operating in this fashion.
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
there should be some code generated for invitations. the way how invitation works now is a joke... |
So what is the next step? Is there a process for fixing/changing this?
|
some moderator should add ticket to trac |
'Twas done yesterday.
http://www.boonex.com/trac/dolphin/ticket/2563
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
thank you for adding ticket nathan as current reg by invitation system is basically one huge spam gate |
I think when some user initializes an invitation then there should be some code generated and encrypted and then included in the url. I also think that there should be an admin option which allows admins to set the validity of generated invitation codes, so for example if a user initializes the invite function and in admin it is set that the lifespan of generated codes will be 14 days, then after 14 days the code becomes invalid and the user has to do the invitation again if the user wants to invite the same users again or other users.... if they want. This way old generated codes from, for example, members who are blocked or deleted can't be used anymore, as their codes will be deleted from the system after the lifespan set by admin ... in summary, misuse of even leaked out codes from site members or blocked members will be limited if a code has only a certain validity...
Nathan I think my extension of the code idea is good..could you please add it to trac ?
|
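The expiring invitation-code scheme proposed in the post above, sketched as an added example that is not part of the thread and is not Dolphin code. It uses a random token whose hash is stored server-side rather than an encrypted value; the `InvitationStore` class, its in-memory table and the 14-day default are assumptions for illustration.

```python
import hashlib
import secrets
import time

LIFESPAN_SECONDS = 14 * 24 * 3600  # admin-set validity; 14 days as in the post


class InvitationStore:
    """In-memory stand-in for an invitations table (hypothetical schema)."""

    def __init__(self, lifespan=LIFESPAN_SECONDS):
        self.lifespan = lifespan
        self._rows = {}  # sha256(code) -> inviter id, expiry time, used flag

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, inviter_id, now=None):
        """Return a one-time code for the join URL; only its hash is kept."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(code)] = {
            "inviter": inviter_id, "expires": now + self.lifespan, "used": False,
        }
        return code

    def redeem(self, code, now=None):
        """Return the inviter id for a valid code, else None. Single use."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(str(code)))
        if row is None or row["used"] or now > row["expires"]:
            return None  # unknown value (e.g. a member ID), reused, or expired
        row["used"] = True
        return row["inviter"]

    def revoke_inviter(self, inviter_id):
        """Drop outstanding codes when a member is blocked or deleted."""
        self._rows = {h: r for h, r in self._rows.items()
                      if r["inviter"] != inviter_id}


if __name__ == "__main__":
    store = InvitationStore()
    code = store.issue(inviter_id=42)  # constructed sample member ID
    # A bare member ID is rejected; the real code works exactly once.
    print(store.redeem("42"), store.redeem(code), store.redeem(code))
```

Because the join URL carries an unguessable value instead of a member ID, knowing or enumerating member IDs no longer yields an invitation.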
I'll consult my magic bowling ball about it. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I would like to thank everyone involved with helping us. I hope the result is a system that best provides for security as well as ease of use for the potential new user. I think it important to consider that many of us use or will use our sites to generate revenue.
My experience is that a new user will not tolerate a complex registration process. If I was requesting this as a custom module I would ask for the following to be included.
1. The user that sends the invite is automatically established as a friend upon the new user sign up.
2. The system accommodates importing of mailing lists from external sources or csv that generates a unique code for each invite.
3. The system would display invite status using similar tools to other broadcast message programs. Click tracking would be awesome.
4. It would also be a nice feature to allow the invite to have a timed followup message feature that would potentially allow for a drip style campaign that would continue until the user signs up or clicks on an unsubscribe or stop sending me these link.
Again if I were ordering this as a custom..... :) thanks again Nathan, Dos Dawg and freakpower
|
ticket was removed :-( I think the person who removed it didn't properly understand what's going on. It is not about that it's not working, but the way how it's working is so weak that it renders the whole invitation system unusable if a site doesn't want to be spammed... |
The ticket wasn't removed. It was closed, because there was a previous ticket for hashing invitations. It should be available in Dolphin 8.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Is this the same as invite a friend? Csampson |