Thread: Recent spammers attack

This is probably a bot with time delay between post to bypass time-based security measures.
I don't like the idea of captcha for every new post. Это то же самое, что забивать гвоздь кувалдой.
For now, I will be doing activation of all new accounts by admin.

Originally Posted by MasterAdmin

This is probably a bot with time delay between post to bypass time-based security measures.
I don't like the idea of captcha for every new post. Это то же самое, что забивать гвоздь кувалдой.
For now, I will be doing activation of all new accounts by admin.

How that is supposed to stop the spammer? He (or she) will register, wait for the activation and then fill the board with spam again.

It is usually easy to see who is a spammer and who's not. Most spammers would move on to an easier target. They have 1000 more sites to spam and their time is limited.

So far all those porn-spammers (6 nicknames) have been registered here in April, May and June.

China
Age: 38
Occupation: Manufacturing, operations
Interests: Religion, spiritual

Originally Posted by Ramil

Originally Posted by Zubr

Может быть, спрашивать у пользователя, умеет ли он читать и писать (то, что ты называешь turing test) только в случае, если в сообщении есть такие слова как gay, porn, bitch, rent your home, и прочее?

Вообще, они очень изобретательны. К тому же, похоже, это целенаправленная атака. MasterAdmin - изучай логи. Что-то мне подсказывает, что кому-то не нравится именно MasterRussian. Или переходи на круглосуточное дежурство )))

Не нравится? Мне кажется им наоборот очень даже нравится

Просто нужна функция, ограничивающая количество новых тем или постов, которые может сделать новоиспеченный пользователь.

Буду заниматься вот этими добавками http://www.phpbb.com/mods/db/index.php? ... b=antispam

Here is some information that I have gotten bt our administrator of my ballroom forum. He said I could pass it along and hopefully it will help you.

From DC ...

I've been investigating our recent spammers, and I suspect that they are actually all the same person/group. Looking over the reports on stomforumspam for the various IP addresses they are using, I see a pattern. I've posted at the simplemachines forum to see if anyone has any idea how they are beating the Are You Human question (which I've verified is still working). But here's a scary thought: It seems that some spammers are paying people in Third World countries to go around registering on forums, and then sending the usernames to the spammers for them to run scripts on. If that starts happening on a large scale, it will be nearly impossible to beat. Worst case, it will force all forums on the Internet to either go to admin approval for registrations, or make registration by invitation only. Arrrgh!

Believe it or not, the "are you human" thing has made a significant difference for us. I think the key is that it puts the answers in a random order each time the page is accessed, so a script can't just assume that the Nth thing in the list is the right answer.

Each time a new user registers, if they don't post something on-topic right away, I take a look at their IP address and check stopforumspam.com to see if they have reports of spam coming from that IP address. I also look at things in their profile. They often put links to spam sites in their profile. If I see that, I ban them right away. I also ban them if the email is clearly bogus, e.g., "name@address.com". Things I regard as suspicious:

* hostname that corresponds to the IP address is clearly bogus (no such domain or .arpa domain)
* whois reports that the IP address is reserved or not assigned
* whois reports that the IP address is for a computer or network in a different country than the email host
* Email address is for one of the free email services like hotmail, gmail, or mail.ru

Also, there is an ISP in Russia that is notorious for being spammer-friendly. I'd say that at least half of all of the spam attempts we get at PDO come from that one source. The ISP is called Dragonara, and they own a set of IP addresses that all need to be banned. Let me go look at what I did and I'll post a followup here in a few minutes.

I just looked... Dragonara's IP addresses are 194.8.72.*, 194.8.73.*, 194.8.74.*, and 194.8.75.*. The forum operator needs to ban all of these.

Yeah, the "are you human" thing appears on the registration page and you have to answer it correctly. Just for fun: Log out of PDO, and then when it takes you to the guest index pages, go to the registration page. You'll see the question and the list of possible answers, some of which are rather humorous. The idea is that a person can easily figure out what the correct answer is, but a script has no clue. The answers are put in a random order for each registration attempt.

BTW, the one other thing I forgot to mention is that the forum operator has to stay on top of software updates. PDO uses software from Simple Machines (www.simplemachines.com; it's free), and they have released two security patches over the past two months. They seem to do a pretty good job of patching security holes promptly.