Hello users!
Registrations are now back after a long period of being disabled. As you may have noticed, there was a large attack in which hundreds of thousands of accounts were registered in a couple days.
Found the issue. Over 70k accounts have been registered in the past 24 hours. It's causing issues with Prosody and making it hang. I've disabled registrations for now as they're posing a major threat to stability. We will need to work on the registration module & implement (1/2)
— XMPP.is (@xmpp_is) May 6, 2019
The abuser was able to bypass the terrible captcha that mod_register_web provides by default. It’s unfortunately easy to guess and, as we saw, a person with enough dedication can make a script to spam register. I’ve enabled Google’s reCAPTCHA (begrudgingly) as a workaround for now. The public and private keys for that are injected via our prosody-secrets.sh script, if you’re curious. The configuration on our GitHub did not need to be updated for this.
We haven’t had much time to modify the Lua of the module, but plan to in the future with our git fork of the code, github.com/unredacted/mod_register_web. If you’d like to contribute to that, we’d greatly appreciate it. If you have any questions, don’t hesitate to contact us!
~ Lunar