Chinese Spammers (again)

hal1989 · 2011-06-09 7:15 pm

I have only been a moderator on our forum since mid April. At that time we were being hit with some heavy spamming (12-15 posts at a time).

One thing that immediately caught my eye was that the most noxious spammers were from China. Furthermore, they all used a similar member id pattern, four consecutive alphas and 3 numbers, e.g. abcd123. Most of the IP's are 119.115.*.* (I have since banned that IP range).

What was more interesting was that they never spammed right after they registered; sometimes it was several days after.

Since that time, I have been busy banning registrations with this pattern and we have had no more "China Spammers". The only spammers are the less noxious ones who post a single spam post, usually in "Off Topic".

So, what is the deal with these China Spammers, any ideas?

Hal

pedigree · 2011-06-09 7:30 pm

ban china works for me.

Gaieus · 2011-06-09 11:46 pm

I have the same Chinese pattern in my custom profile fields (2 of which is required at registration). Many of them are not even listed here (yet) when the register.

I would not say that they never spam right away though It happens occasionally (although true that most of the times not).

I have banned whole ranges of the Fujian province network (from where I seem to have got most). Some still slip through.

qu.dawei · 2011-06-10 1:43 am

Although I know that much mischief comes from China, I'd just like to say that there are legitimate users from that country, and that one should probably just keep that in mind and not just automatically assume one is a spammer because one happens to be in China (as I am). For the record, I run a small forum and website, and I have also had quite a few spammers and so on from within China. However, my own particular problem countries are Russia and Ukraine.

My situation is different, at least on the forum. This forum is mostly for relatives and friends of my family to use so we can keep them up to date after we moved from the Uk to China. In this case, attempted registrations from people I don't know are easily identified as high-probability spammers. This is largely because there are comments about making themselves known to me via other means and asking me if they can register, or to wait to be invited to register. So, I have a much easier job than many of the others on this site, I imagine.

However, to get back to what I initially said, realize that there are some legitimate and sensible potential users from within China out there (for instance, many of the westerners who are currently within China, such as myself and my family, might fall into this category.)

busterone · 2011-06-10 1:54 am

Welcome to the site qu.dawei.

That does seem to present a problem for many forum admins these days. I used to block huge blocks of Chinese IPs myself, but do not anymore. Running SMF with stop spammer mod, httpBL/Project Honeypot, and Bad behavior Mod, I rarely get an actual spammer, no matter what country they are from. I have very few blocked IP ranges now.
I doubt there would be very many potential members for my niche forum in China, but if they want to join, they are welcome to as far as I am concerned. If they spam, I can always get them out quickly.

angie · 2011-06-10 2:43 am

qu.dawei wrote:

Although I know that much mischief comes from China, I'd just like to say that there are legitimate users from that country, and that one should probably just keep that in mind and not just automatically assume one is a spammer because one happens to be in China (as I am). For the record, I run a small forum and website, and I have also had quite a few spammers and so on from within China. However, my own particular problem countries are Russia and Ukraine.
My situation is different, at least on the forum. This forum is mostly for relatives and friends of my family to use so we can keep them up to date after we moved from the Uk to China. In this case, attempted registrations from people I don't know are easily identified as high-probability spammers. This is largely because there are comments about making themselves known to me via other means and asking me if they can register, or to wait to be invited to register. So, I have a much easier job than many of the others on this site, I imagine.
However, to get back to what I initially said, realize that there are some legitimate and sensible potential users from within China out there (for instance, many of the westerners who are currently within China, such as myself and my family, might fall into this category.)

I know it depends on the forum. I help admin an American only forum so in that case we have it blocking a lot of other countries (I am the only non-American on that one) yet my own I do not block those countries. My own I allow all of Canada and USA and UK and Australia and many others. I try not to block whole countries unless the forum is country specific.

Last edited by angie (2011-06-10 2:45 am)

qu.dawei · 2011-06-10 2:56 am

Thanks for the welcome.

I have not yet had a Forum Spammer successfully complete registration in my forum, since I personally have to approve of all applications, and in my situation, they are very easily spotted. However, the numbers of attempted registrations has been steadily increasing, and I am trying to find some way of reducing the job by automating some of it. My problem is that I'm a beginner at this, and the software I use for the forum (phpbb) is one for which adding modifications seems to me to be more involved than with some of the other software, and I'm beginning to wonder whether I should "re-start" the forum using some other system and with the extra knowledge I have gained in the meantime: the current set up is not so old and has not been used so much yet that would make a re-start out of the question. At the very least, however, I would need to ask the current users' opinions about any re-start.

lyndonaus · 2011-06-10 7:25 am

I add my welcome to you Dawei,
If you are thinking about trying different forum software, I can recommend Simple Machine Forum software (SMF) as I was in a similar situation. (I don't know much about programming).
I have been able to set up and run SMF with stop spammer mod, httpBL/Project Honeypot & Zaphod's ZBblock and my spammer problem has disappeared (Not bad for someone who turns 72 this year, lol)
Hope this is of some use to you.
lyndonaus

Erik · 2011-06-10 8:58 am

qu.dawei wrote:

Thanks for the welcome.
I have not yet had a Forum Spammer successfully complete registration in my forum, since I personally have to approve of all applications, and in my situation, they are very easily spotted. However, the numbers of attempted registrations has been steadily increasing, and I am trying to find some way of reducing the job by automating some of it. My problem is that I'm a beginner at this, and the software I use for the forum (phpbb) is one for which adding modifications seems to me to be more involved than with some of the other software, and I'm beginning to wonder whether I should "re-start" the forum using some other system and with the extra knowledge I have gained in the meantime: the current set up is not so old and has not been used so much yet that would make a re-start out of the question. At the very least, however, I would need to ask the current users' opinions about any re-start.

<sarcasm>
my god a legit chinese user a miracle has happend
</sarcasm>

to install phpBB hacks you have to edit the *.php sourcefiles and sometimes the templates(*.tpl) if you are a newbie this is not recommended as you could verry easly screw up AFAIK vBulletin is the only forum script that allows plugins (eg no sourcefile modifications)

Katana · 2011-06-10 12:29 pm

Erik wrote:

qu.dawei wrote:
Thanks for the welcome.
I have not yet had a Forum Spammer successfully complete registration in my forum, since I personally have to approve of all applications, and in my situation, they are very easily spotted. However, the numbers of attempted registrations has been steadily increasing, and I am trying to find some way of reducing the job by automating some of it. My problem is that I'm a beginner at this, and the software I use for the forum (phpbb) is one for which adding modifications seems to me to be more involved than with some of the other software, and I'm beginning to wonder whether I should "re-start" the forum using some other system and with the extra knowledge I have gained in the meantime: the current set up is not so old and has not been used so much yet that would make a re-start out of the question. At the very least, however, I would need to ask the current users' opinions about any re-start.
<sarcasm>
my god a legit chinese user a miracle has happend
</sarcasm>
to install phpBB hacks you have to edit the *.php sourcefiles and sometimes the templates(*.tpl) if you are a newbie this is not recommended as you could verry easly screw up AFAIK vBulletin is the only forum script that allows plugins (eg no sourcefile modifications)

That's phpBB2, erik. Your knowledge is out of date.

phpBB3, you modify .php files and .html templates, aaaand what's more, there's an automated way to do it (released by the phpBB Group themselves): http://www.phpbb.com/mods/automod/

Alex Kemp · 2011-06-10 1:35 pm

qu.dawei wrote:

Although I know that much mischief comes from China...

The following prevents very large parts of China from getting access to my site. When the Chinese ISPs / Government fix this, they will be removed from the site firewall:

AS4134: CHINANET-BACKBONE No.31,Jin-rong Street CN (#18 of 50 Bad Hosts & Networks, 2011 Q1)

hal1989 · 2011-06-10 1:41 pm

qu.dawei wrote:

Although I know that much mischief comes from China, I'd just like to say that there are legitimate users from that country, and that one should probably just keep that in mind and not just automatically assume one is a spammer because one happens to be in China (as I am). For the record, I run a small forum and website, and I have also had quite a few spammers and so on from within China. However, my own particular problem countries are Russia and Ukraine.
.
.
.
However, to get back to what I initially said, realize that there are some legitimate and sensible potential users from within China out there (for instance, many of the westerners who are currently within China, such as myself and my family, might fall into this category.)

Excellent point. That is why I somewhat disregarded the post that suggested that I ban China.

Realizing that our forum might have legit registrations from any country, I try to filter out only the registrations that follow a particular pattern (as stated in my original post). This has worked fine until today when, I regret to say, we got slammed with 20 posts from a member id that I had simply overlooked. BTW, that registration fit the pattern. Furthermore, today's spammer had registered on June 6, 4 days ago.

So, it does appear that these Chinese spammers do follow a pattern of registering and then spamming later.

Thank you for all of your posts.

Hal

Gaieus · 2011-06-12 4:13 am

qu.dawei wrote:

Although I know that much mischief comes from China, I'd just like to say that there are legitimate users from that country, and that one should probably just keep that in mind and not just automatically assume one is a spammer because one happens to be in China (as I am)...

True and we have a lot of legit (and valuable) contributors from China, too. Both native Chinese and Westerners working there (for some, who wants to share things on YouTube, which is banned as far as I know, I generally upload videos, too). This is a good example: a Chinese modeller winning a first prize in one category and a second prize in another.

So I do not ban Chine as a whole. This Fujian Province network has been getting on my nerves with dozens of spambot registrations a day (it's probably one gang using that network) but I do have a contact link on the front page and if anyone writes me an email from there, I allow access from that IP.

qu.dawei · 2011-06-12 2:45 pm

Thanks for all your comments on what I wrote. Interestingly, as I said, my problem is largely from potential spammers outside China, though my own situation makes them very easy to spot. Strangely, I've not had many attempts from China, even though the website and the forum are both hosted in the UK. so it isn't ju7st some simplistic "not pee in your own backyard" type of behaviour at work here. However, if anyone reads the website (which is a rudimentary state at the moment) and what was displayed in the forum, it would quickly become clear that China featured heavily in its content.

What I have found now, and I want to share with others, is the fact that a few days ago, I essentially hid all content on the forum from unregistered people and temporarily prevented user-initiated registration to call a temporary halt to the fake registrations that were happening. The announcement on the forum is also a clickable link. I gave some thought to where the link should point to, and at first I just pointed it to stopforumspam.com, since I had mentioned that forum spammers would be reported, and it seemed a good idea at the time. However, more thought coupled with a spam email (classic Nigerian money spam) I got from some dork apparently registered on stopforumspam itself (duly reported immediately), I decided that it was not a good idea as I may be just funnelling them to cause problems here. So, I replaced that link to one simply going to 127.0.0.1

It may be me, but since then, I have seen a dramatic reduction in all visits to the site from countries that are "troublesome" for my forum (in my case, Russia, Ukraine, Romania) This makes me wonder the extent to which (a) spammers talk to each other, (b) are really fewer in number than might at first appear (c) are little more than desperate "homeworkers" who are equally being scammed by a fewer number of "evil masterminds".

Of course, randomness is "lumpy" so I may just be getting a temporary cessation, and so I probably need to observe for a bit longer, but I am tempted to engage in a classic "Multiple Baseline" experiment (for those of you who know some experimental psychology), and allow registrations again to see if and if so, how quickly the registration attempts pick up again. I could cycle this a few times and see if the dips and highs in registration attempts largely followed my switches.

If I had enough data, I could statistically estimate the lag times, and work out how fast any information is propagated amongst them all. I'm not sure if it would be useful, but is it an intriguing question, though possibly only of interest to someone who has professionally been involved in the almost insurmountable problems of trying to infer things from information that logically can only be indirect (and very indirect at times)

Erik · 2011-06-12 2:55 pm

let them cause trouble here i love to piss them off and many other members will join the fight you could be right about the "homeworkers being scammed" briliant idea

CS3Regina · 2011-06-12 4:46 pm

For a long, long time I've just banned all numerals in user names. It has turned out to be quite effective. Many people on my forum I know from other forums and the TOS states up front that if someone wants a numeral as part of their User ID all they need to do is register without it and post in the proper area and I'll change their user name. I probably get one request a month to add numerals to someone's User ID. It cut the random accounts being registered for no good reason that I delete after a month of inactivity in half.

busterone · 2011-06-12 6:38 pm

The homeworkers idea is pretty accurate to some extent. These shady SEO sites claim to give a site owner thousands of backlinks for a set dollar amount. They then use automated software (xrumer mainly) to bombard forums and blogs. Since so may sites have anti bot registration protection, they pay live humans in 3rd world countries to do the spamming. Humans can beat the registration questions much easier than a bot. They pay them a pittance of around $1 for every 1000 links. The ones doing the work are desperate for any cash. There are others that are in this on their own, and set up all kinds of filter sites leading to their money site, but I tend to believe that a large portion of them are as you said- desperate and scammed homeworkers.

I blame the SEO sites more than anyone. They perpetuate the lie that one must cheat to get better Google and other search engine rankings. In all honesty, there is very little real SEO that can be effectively done on a forum. The forum is dynamic and you can't control what people post or their topic titles, etc. Google will find the site anyway, and the site's content is more important. The SEO'ers perpetuate the lie that backlinks and keywords are absolutely necessary. So many green forum owners fall for that crap and hire the SEO "experts", starting the spam cycle all over again.

Last edited by busterone (2011-06-12 6:39 pm)

CS3Regina · 2011-06-12 7:00 pm

Pathetic but true, I've seen ads via Google AdSense for hiring people to post links in forums (among other obvious scam ads) on extremely prominent websites like CBS's news site. Too many people are gullible enough to think that an ad on a website like that has to be legitimate. When I signed up for AdSense years ago my website had to go through a review process before I could get approval to run their ads. Apparently advertisers don't undergo the same scrutiny.

zaphod · 2011-06-13 5:03 am

I am debating about dropping the restrictions against China & Korea on my site. I know I will be flooded with hits...

But, I could have my custom blocker's 403 page include a line about "Free Tibet!", and "Free Falun Gong Political Prisoners!" along with links, so that any IP that loads that 403 error page a couple of times, gets the Green Dam/Golden Shield treatment. This would tend to self-regulate within China (at least) the attacks... or so I would hope.

Zap

busterone · 2011-06-13 5:36 am

I like that idea.

qu.dawei · 2011-06-13 8:17 am

zaphod wrote:

I am debating about dropping the restrictions against China & Korea on my site. I know I will be flooded with hits...
But, I could have my custom blocker's 403 page include a line about "Free Tibet!", and "Free Falun Gong Political Prisoners!" along with links, so that any IP that loads that 403 error page a couple of times, gets the Green Dam/Golden Shield treatment. This would tend to self-regulate within China (at least) the attacks... or so I would hope.
Zap

Is it just the access to your site (albeit with the opportunity to download a program) that is the problem, or does your site have facilities for registration, leaving comments, etc as well? If it is just the access to the site (and downloading a program) that is the issue, then the problem doesn't seem at first glance to be too serious, though I don't know what the risks are in having access to your program, or anything else, because I'm blocked from access at the moment.

One of the problems of doing what you are proposing would be to turn your own block into one imposed by the Chinese Government that might never be reversible easily. This would have three effects: (a) it would deny to legitimate users no possibility of getting your software for legitimate uses unless they take steps to circumvent the Great Firewall, (b) it may lead to people who try to access the site to become "known" to the Chinese Government and action taken against them, even when they have no other intention other than to legitimately try to access your software to help prevent spamming, etc, and (c) it would ultimately take away your own power to determine who accesses your site to some extent and give that power taken away from you to the Chinese Government via their Great Firewall, allowing them to decide: you would then have neither the ability nor the influence to alter that situation. I suggest this last option would be an ironic outcome for you.

So, I want to gently suggest that you need to ask yourself the question: do you wish to change your policy on denying access to your site to people from certain countries into something that on past experiences will become a block outside of your control, which in your own terms would actually be a form of political scapegoating, implemented against all people who have no real power to influence political decisions in this case?

If it is just a binary choice between keeping your block implemented as now to prevent a large number of spammers, though with a certain number of false alarms (i.e., everyone from those countries is blocked), and one which ultimately will convert it into a unremovable block on political grounds against people who have no influence on the politics, and which could lead to punitive action taken against them, with a very similar degree of false alarms, then if I were making the choice, I would sooner you continued to take the responsibility for administering and keeping the block as it is now, and retain control of any block yourself, since you are not some anonymous, impervious political machine over which none of us has any ability to influence.

I know I have emailed you asking you if there is some way I could get a copy of ZB Block to use myself, but if it would lead to the eventual exposing of other, quite legitimate people who wanted to use it to the potential dangers I have mentioned, I would sooner you forgot about the request, because I am a Westerner who theoretically can leave China at any time, but many of those people who would be exposed would have no such easy escape route.

Of course, there may be other ways of accomplishing much of what you want to do, other than the one you have proposed.

zaphod · 2011-06-13 6:56 pm

I will just state that...

Yes, I have facilities for registration (forums), and comments (blog).

The "poison pill" would only be shown to IPs that violated other rules of ZB Block. ZB Block is far more than just an IP blocker. Thus only due to attacks could China take action against connecting to my website.

Before I imposed the block on China, more than half of my (caught) bot attacks, and spam attempts came from China.

I have never had a valid user from China, except perhaps you in the future.

Several hackbots hide themselves under a Baidu hostname and/or user-agent. I suspect that Baidu also sells scriptable hosting space due to this.

By a preponderance of the evidence, what would you do in my place?

Zap

popupsteve · 2011-06-13 7:03 pm

hal1989, if you really want to block the range, do 119.112.0.0 - 119.119.255.255 (http://www.ip-adress.com/whois/119.115.0.0). Of course with China that most likely only covers 1% of 1% or 1% of the country. But it's a start.

zaphod · 2011-06-13 7:15 pm

If you really wanted to block China, in total, and aren't going to use ZB Block to do it...

http://okean.com/thegoods.html

Probably has what you want.

Zap

popupsteve · 2011-06-13 8:22 pm

Works for me Thanks. Got one for the old Soviet Block too?

#1 2011-06-09 7:15 pm

Chinese Spammers (again)

#2 2011-06-09 7:30 pm

Re: Chinese Spammers (again)

#3 2011-06-09 11:46 pm

Re: Chinese Spammers (again)

#4 2011-06-10 1:43 am

Re: Chinese Spammers (again)

#5 2011-06-10 1:54 am

Re: Chinese Spammers (again)

#6 2011-06-10 2:43 am

Re: Chinese Spammers (again)

#7 2011-06-10 2:56 am

Re: Chinese Spammers (again)

#8 2011-06-10 7:25 am

Re: Chinese Spammers (again)

#9 2011-06-10 8:58 am

Re: Chinese Spammers (again)

#10 2011-06-10 12:29 pm

Re: Chinese Spammers (again)

#11 2011-06-10 1:35 pm

Re: Chinese Spammers (again)

#12 2011-06-10 1:41 pm

Re: Chinese Spammers (again)

#13 2011-06-12 4:13 am

Re: Chinese Spammers (again)

#14 2011-06-12 2:45 pm

Re: Chinese Spammers (again)

#15 2011-06-12 2:55 pm

Re: Chinese Spammers (again)

#16 2011-06-12 4:46 pm

Re: Chinese Spammers (again)

#17 2011-06-12 6:38 pm

Re: Chinese Spammers (again)

#18 2011-06-12 7:00 pm

Re: Chinese Spammers (again)

#19 2011-06-13 5:03 am

Re: Chinese Spammers (again)

#20 2011-06-13 5:36 am

Re: Chinese Spammers (again)

#21 2011-06-13 8:17 am

Re: Chinese Spammers (again)

#22 2011-06-13 6:56 pm

Re: Chinese Spammers (again)

#23 2011-06-13 7:03 pm

Re: Chinese Spammers (again)

#24 2011-06-13 7:15 pm

Re: Chinese Spammers (again)

#25 2011-06-13 8:22 pm

Re: Chinese Spammers (again)

Board footer