Snigle

I just wanted to say "Thank you" to Matt, John, and everyone else at WHMCS that has jumped in to provide solutions to counter the sudden uptick in spam. I really appreciate the swift and direct support you are providing to me and the other members of your online community. Keep up the good work!

I am chiming in mostly as a data point. I have been usings WHMCS for over 10 years and never had any major issues up until now. As of a few days ago I am getting hundreds of fake users per day which is taking an incredible amount of time to delete and try to mitigate. I have tried all solutions mentioned in this thread (with the exception of the rewrite rule, which I just added now) and typically whenever I block and IP, email, domain, add a custom field, etc. they just change their attack vector a bit and the fake accounts start to come back a few hours later. I hope the rewrite solution (mentioned above) fixes this.. but my hopes are not all that high. They will likely just switch to HTTP 1.1. I would not be surprised if they are following/reading this thread. I wish WHMCS would allow us to: 1) Mass delete users 2) Automatically delete all unverified user accounts within X hours 3) Have a better captcha system since it is obvious the attackers are able to bypass both the WHMCS captcha and Google's ReCaptcha