heavy spam attack

Vansloneker · 2012-08-20 6:43 am

Our forum is under heavy spam attack. Since last night wiped well over two dozen of spam accounts what is a lot for our little forum, and they keep coming. They register with different IP's from all over the world. Russian Federation, Ukraine, France, Holland, Poland, USA, Venezuela etc. Most are given away by their usernames/email adresses but I still check everyone of them on SFS and everyone is a hit.
For the moment I have set account activation to admin approval so I can wipe them before they are exploiting our forum.

OnThePike · 2012-08-20 6:46 am

You supply no details. Have you seen and implemented any of these suggestions?

*Message to me... I need to write a support template.

lilguy43uk · 2012-08-20 8:02 am

I have seen an upsurge this morning from a few different IP addresses. Because I have stopped them at registration they haven't spammed so I haven't added them to the SFS database, although they are well represented there already.

Examples....

"luancrbty" luancrbty@gmail.com 37.59.75.50
"ruoiuxnrb" ruoiuxnb@gmail.com 176.31.18.156
"shuavgbry" shuavgbry@gmail.com 37.59.75.50
"yuanvghyb" yuanvghyb@gmail.com 37.59.75.50
"quantbjnc" quantbjnc@gmail.com 176.31.18.156

OnThePike · 2012-08-20 9:38 am

If you rid yourself of the spam tolerant OVH (a France ISP and web host), you'll not see these registration attempts. I've banned all of OVH everywhere.

insektenfang · 2012-08-20 9:38 am

Same here. Last few days has seen a big upswing in attempted registrations.

Vansloneker · 2012-08-21 7:22 am

OnThePike wrote:

If you rid yourself of the spam tolerant OVH (a France ISP and web host), you'll not see these registration attempts. I've banned all of OVH everywhere.

I don't understand exactly what you are meaning. Do all of these worldwide subscriptions come from just one ISP? Then how do I block that one?

pedigree · 2012-08-21 10:17 am

We jumped well over 1 million API requests in the last 24 hours, so expect the onslaught

LightZombie · 2012-08-21 8:45 pm

We're getting hit, too. We used to get 3 to 5 spam registration attempts per day, and between e-mail confirmation requirements and SFS, nobody ever got through. In the past few days, the rate has climbed and is closing in on 100 attempts per day. A dozen have gotten past the automated defenses in the past two days.

Most of ours are Russian. Half of the spam messages they've posted are written in Cyrillic, so I assume that's Russian, too. We're also getting a lot of attempts from Ukrainian and Swedish IP addresses, plus some from the US. The volume is so large that it's hard to find a Chinese flag on the "My Spammers" page, and that used to be almost all we got.

What I see happening is that they're creating a throwaway GMail address and doing the e-mail confirmation on a ton of sites at once. After they've gotten all of the accounts confirmed, then they begin spamming. By the time they start showing up in SFS, it's too late to keep them from registering.

zaphod · 2012-08-22 1:42 am

I see an increase in action by ZB Block, but nothing getting through.

Kinda like the Excelsior being hit by the Praxis explosion. Lots going on, nothing getting through shields.

Zap

AngelinaCat · 2012-08-22 3:14 am

Hi There:

I am a member of the moderating team for the BKForum.com, and we have experienced an upsurge in spammers joining as members. I have banned at least eight of these today alone, which is a record for us.

The Administrator/owner has safeguards in place, but I don't know what kind. I am not privy to that level of moderation.

Anyway, I wanted to express my thanks to you and this forum for providing the information I used to check that they are spammers.

I do have a list if you are interested. So far they are all folks that have appeared in your lists.

Thanks again,
AC

Last edited by AngelinaCat (2012-08-22 3:17 am)

Jrock · 2012-08-22 7:30 am

I too have seen a recent surge in 3 out of the 4 forums that I operate. Do spikes like this occur often? This time of the year? Or what, because I've never seen anything like this before. Thank you SFS for helping fight off 98% of them!

Vansloneker · 2012-08-22 9:06 am

Since the attempts come from various IP's maybe they use hacked computers.
Here to most registrations are gmail.

Roger Mayer · 2012-08-22 2:57 pm

I have just found this site as I too, have been hit hard by registrations from like ip's and email addresses as you.

I have been getting 20 to 40 registrations per day and they all have been redirected to a spammer or banned grouping.

The only thing is and if they are quick enough is they can add their link to thier profile or status update.

I am using IPboard and am trying to find a way to disallow this posting of their link.

Any ideas?

Roger

SillyColonel · 2012-08-22 3:03 pm

Use zbblock: http://www.spambotsecurity.com/zbblock.php it has support for IPboard and pretty much anything else php-based.

SillyColonel · 2012-08-22 3:21 pm

I chime in on the surge of spam since the 18th Aug. We used to get by with only reCaptcha, until now about 0.5 spammer / month managed to register. I added a automatic check at registration to check sfs and we had nil since then.

We have about 500 active users, 30 new users a month, 5000 users total, so 10 new users on a day stands out.

ZB looks cool aswell, I just have to test it in a non production environment first as we have a customized phpbb board.

John Darkhorse · 2012-08-22 3:32 pm

SillyColonel wrote:

I chime in on the surge of spam since the 18th Aug. We used to get by with only reCaptcha, until now about 0.5 spammer / month managed to register. I added a automatic check at registration to check sfs and we had nil since then.
We have about 500 active users, 30 new users a month, 5000 users total, so 10 new users on a day stands out.
ZB looks cool aswell, I just have to test it in a non production environment first as we have a customized phpbb board.

ZB Block has nothing to do with your PHPBB.

You insert a "require" into the top of your common.php, and once the known spammers slam into the zb block, the forum works as it usually does.

ZB Block is seamless, and I've not noticed any difference in how my customized phpbb is running with it in place.

zaphod · 2012-08-22 5:08 pm

Yes, but improperly set-up, ZB Block can conflict with applications using AJAX (there's a .ini switch for that), and some "friendly" URL systems (there's a compatibility layer file for that... weak URL), so yeah, unless the CMS/Forum/Blog is pretty plain vanilla, there may be slight collisions causing 403 blocks, and repeated violations (.ini settable as to amount/off), may cause 503 permanent bans.

Zap

John Darkhorse · 2012-08-22 5:12 pm

zaphod wrote:

Yes, but improperly set-up, ZB Block can conflict with applications using AJAX (there's a .ini switch for that), and some "friendly" URL systems (there's a compatibility layer file for that... weak URL), so yeah, unless the CMS/Forum/Blog is pretty plain vanilla, there may be slight collisions causing 403 blocks, and repeated violations (.ini settable as to amount/off), may cause 503 permanent bans.
Zap

I didn't read that in the README

In any case, I've implemented it across several websites I run/consult/maintain/oversee and haven't seen any issues yet . .

OnThePike · 2012-08-22 5:27 pm

Lengthy query strings will also be an issue, but usually from an administrative standpoint. I have fits getting ZB to cooperate with Coppermine, but I'm at a place where I'm semi-confident. With respect tp phpBB, the only bypass I recall was using the phpBB add-on gallery which also caused issues. I don't remember what I did to remedy but I bypassed something :-)

Black Spot · 2012-08-22 7:05 pm

Did this site just go down for a while just now? Is it related?

pedigree · 2012-08-22 7:48 pm

a couple of hours while PHP got a kick up the backside but since then, it looks like mysql completely ate itself and has been restarted now.

Walter · 2012-08-22 8:10 pm

pedigree wrote:

a couple of hours while PHP got a kick up the backside but since then, it looks like mysql completely ate itself and has been restarted now.

Boy, am I glad! Thanks.

pedigree · 2012-08-22 8:18 pm

things are going to be a little slow while all that caches warm up, especially the search page, which will likely time out now and then

AngelinaCat · 2012-08-22 8:20 pm

Walter wrote:

pedigree wrote:
a couple of hours while PHP got a kick up the backside but since then, it looks like mysql completely ate itself and has been restarted now.
Boy, am I glad! Thanks.

I just now got the same message while checking an IP address.....

LightZombie · 2012-08-22 8:59 pm

I've installed ZB Block on our Drupal 7.14 site. I'm seeing a little bit but not very much in the ZB log files, but I don't know if I'm supposed to expect much. I've temporarily disabled our site's IP blocks, which had been our main shields against this barrage, and I'm not seeing much activity in the Drupal logs, either. A few attempts to register that SFS nixed, and that's it.

#1 2012-08-20 6:43 am

heavy spam attack

#2 2012-08-20 6:46 am

Re: heavy spam attack

#3 2012-08-20 8:02 am

Re: heavy spam attack

#4 2012-08-20 9:38 am

Re: heavy spam attack

#5 2012-08-20 9:38 am

Re: heavy spam attack

#6 2012-08-21 7:22 am

Re: heavy spam attack

#7 2012-08-21 10:17 am

Re: heavy spam attack

#8 2012-08-21 8:45 pm

Re: heavy spam attack

#9 2012-08-22 1:42 am

Re: heavy spam attack

#10 2012-08-22 3:14 am

Re: heavy spam attack

#11 2012-08-22 7:30 am

Re: heavy spam attack

#12 2012-08-22 9:06 am

Re: heavy spam attack

#13 2012-08-22 2:57 pm

Re: heavy spam attack

#14 2012-08-22 3:03 pm

Re: heavy spam attack

#15 2012-08-22 3:21 pm

Re: heavy spam attack

#16 2012-08-22 3:32 pm

Re: heavy spam attack

#17 2012-08-22 5:08 pm

Re: heavy spam attack

#18 2012-08-22 5:12 pm

Re: heavy spam attack

#19 2012-08-22 5:27 pm

Re: heavy spam attack

#20 2012-08-22 7:05 pm

Re: heavy spam attack

#21 2012-08-22 7:48 pm

Re: heavy spam attack

#22 2012-08-22 8:10 pm

Re: heavy spam attack

#23 2012-08-22 8:18 pm

Re: heavy spam attack

#24 2012-08-22 8:20 pm

Re: heavy spam attack

#25 2012-08-22 8:59 pm

Re: heavy spam attack

Board footer