
#1 2007-12-21 8:33 am

luanghans
Member
Registered: 2007-12-21
Posts: 1

Banning IP's vs. username vs. email address

IP's are randomly assigned. 
Every time the modem connection is turned off and then on again a new IP is assigned.

This is also the case if the connection between a user and his server is temporarily interrupted due to line static and such.

As IP's are computer generated, a banned IP may have been reassigned to a legitimate surfer at some later time.


Banning user names may similarly ban legitimate surfers.  Many names are repeatedly used over the internet at different servers.

A person can use a different name every time he registers with the same e-mail address.

Banning email addresses seems to be the most logical.

I would appreciate "comments" on my "opinion"

At the same time I would like to request that your list format be altered so that (as an example) the list of e-mails can be copied and pasted into banned lists.

My gratitude for this forum.


luanghans

Offline

#2 2007-12-21 2:31 pm

susato
Member
Registered: 2007-12-01
Posts: 18

Re: Banning IP's vs. username vs. email address

Individual IP's are often randomly assigned by ISPs (internet service providers) to their dial-up or cable clients, but the blocks of IP addresses owned by the ISP are stable. 

You can get information on the "owner" of an IP address by doing a whois query.  These can be executed from the command line in all major operating systems, or you can go to a website which will get the info for you, for example samspade.org or dnsstuff.com.  You can also get the IP address of a domain name by doing a DNS Lookup (see "reverse DNS lookup" at dnsstuff.com)

A single IP address may also serve multiple domains.  For instance, browse to www.fanmail.com.  You can sign up there for a free email address in dozens of different domains.  I've had forum spam problems from a few of them, so why not ban the whole IP block? (that would be 216.180.38.185 by the way, a single address)

It's worth banning by IP address if multiple email domains are involved or if the address is in a "bad neighborhood" of the 'net.  Some mail admins ban all IP address ranges in Brazil, China, Czechoslovakia, Ukraine, Turkey, Korea, Poland, and Russia because loads of email spam come from those parts of the world.  This is different from banning *.br, *.cn, *.cz, *.ua, *.tr, *.kr, *.pl and *.ru because some ISP's don't use their country suffix, for example Hanaro.com and Daum.net in Korea.  (Note, these are not necessarily (current) spam sources, just examples of nomenclature) I work at a university with a large international student population, and faculty who correspond with colleagues worldwide, so we can't ban by country code.  We do use certain IP address ranges in our spam filters, though.

BTW, banning by username is useless, at least for forum spam.  Some spambots even now generate multiple usernames for each email address they use. (This makes it harder to identify a user as a spambot just by googling the username) Check the spammer list on the front page of this website and you'll find plenty of examples.  Even when a single username is chosen it can be made "un-googleable" by choosing something that already has tons of hits, anything from JuliusCaesar to banana_bread to nanotech.  (Apologies to anyone who followed a Google link from those terms to this post)

I ban by domain name regularly, and by IP address occasionally when I've had a run of spammers from a particular address, or when multiple spammy domains arise from a single IP address.

Offline

#3 2007-12-21 9:57 pm

Russ
Guest

Re: Banning IP's vs. username vs. email address

This is why when I record spammer info it's done in a triplet - IP, username, and email.

You are correct in that IPs are not permanent and do get recycled from time to time. And most spam comes from compromised hosts, usually Windows-based machines that are vulnerable to exploit from the spammer. Once the host is taken offline or cleaned, the IP is no longer the source of the threat.

Usernames aren't as reliable to check either, however they do tend to be more unique than ubiquitous, I suspect just to ensure registration doesn't fail because a name was chosen that's already taken on the target site.

Email addresses are the only part that's somewhat permanent. Spammers need good email accounts to complete registrations on a lot of sites, and they usually get them from providers who have very lax terms and policies when it comes to abuse.

The best way to use the information is probably with a scoring mechanism, to determine the likeliness that a registrant is a spammer based on multiple pieces of info. I think it would also help to age the entries so that when querying the data you can make a determination based on date last seen, too. If it's older than a certain amount of time then it's likely not as much of a threat anymore.

I am currently working on an export feature that would let you turn any search query into a data format useful for processing, such as CSV. That way you could export a whole list of email addresses and add them into your banlist easily.
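
The scoring-with-aging idea from the post above, as an added example that is not code from this thread. It assumes you already record, for each of IP, username and email, the date the value was last reported; the weights, half-lives and thresholds are assumptions to tune against your own data, and the sample registrations are constructed.

```php
<?php
// Assumed weights: email counts most, since it is the most permanent field.
const WEIGHTS = ['email' => 0.6, 'ip' => 0.25, 'username' => 0.15];
// Assumed half-lives in days: IP evidence goes stale fastest (reassignment).
const HALF_LIFE_DAYS = ['email' => 180, 'ip' => 14, 'username' => 60];

/**
 * $sightings maps field => 'Y-m-d' date last reported, or null if never seen.
 * Each hit contributes its weight, halved for every half-life since last seen.
 */
function spam_score(array $sightings, DateTimeImmutable $now): float
{
    $score = 0.0;
    foreach (WEIGHTS as $field => $weight) {
        $lastSeen = $sightings[$field] ?? null;
        if ($lastSeen === null) {
            continue; // no report for this field, no contribution
        }
        $interval = (new DateTimeImmutable($lastSeen))->diff($now);
        $ageDays = max(0, (int) $interval->format('%r%a')); // clamp future dates
        $score += $weight * pow(0.5, $ageDays / HALF_LIFE_DAYS[$field]);
    }
    return $score;
}

// Assumed thresholds: reject outright, queue for a human, or let through.
function decide(float $score): string
{
    if ($score >= 0.6) {
        return 'reject';
    }
    return $score >= 0.25 ? 'hold for admin approval' : 'allow';
}

// Constructed sample registrations, evaluated on a fixed date.
$now = new DateTimeImmutable('2008-05-17');
$samples = [
    'fresh triplet'     => ['email' => '2008-05-10', 'ip' => '2008-05-15', 'username' => '2008-05-10'],
    'recycled IP only'  => ['email' => null, 'ip' => '2007-12-21', 'username' => null],
    'old email, new IP' => ['email' => '2007-12-21', 'ip' => '2008-05-16', 'username' => null],
];
foreach ($samples as $label => $sightings) {
    $score = spam_score($sightings, $now);
    printf("%-18s score=%.2f -> %s\n", $label, $score, decide($score));
}
```

An IP last reported five months ago contributes almost nothing on its own, so a legitimate user who inherits a recycled address is not blocked, while a recently reported IP combined with an older email hit still lands in the hold queue.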

#4 2007-12-22 7:50 pm

TeMerc
Member
From: Phx. AZ
Registered: 2007-12-19
Posts: 51
Website

Re: Banning IP's vs. username vs. email address

I'm all for domain blocking when it comes to email.

I block all freeware domains and add whenever I find another. This includes all the biggies, AOL, YaHoo!, Gmail and Hotmail too. Since doing this, and I realize it's a tick extreme, my spambot problem has gone from at times as high as a dozen per day to almost nil, maybe a few per week. I'm running phpBB software and I'm not real confident at installing mods. Tho the newest version 3.x is supposedly better in ban control, so I'll be checking that out soon.

IPs I find I always check before banning. If it's from Russia, China or places of known spam abuse, bang, into database they go.

I also ban several of the well known abuse TLDs. For the so very few people who may by chance want to join, they'll have to get another email domain that's not on my ban list.

For names many of these are obviously spammers. Ones which I think could be someone legit, I won't add it.

Offline

#5 2007-12-23 6:38 pm

mj12
Member
Registered: 2007-12-12
Posts: 11

Re: Banning IP's vs. username vs. email address

I've noticed a *lot* of spammers using the domain @yahoo.co.uk. The user name most always starts with what appears to be a first name, followed by an underscore character, followed by what appears to be a last name; i.e.

  alberto_delphi@yahoo.co.uk
  sharri_andria@yahoo.co.uk
  melvina_jacalyn@yahoo.co.uk

I hate to ban the entire domain, and with the dynamic nature of IP addresses that are handed out by ISP's, keeping ahead of these jerks is like a dog chasing its tail. Anyone else running into this?

Offline

#6 2007-12-24 3:48 am

Russ
Guest

Re: Banning IP's vs. username vs. email address

Blocking free email providers by domain is certainly effective, but it comes at the cost of inconveniencing your visitors. Of course when you admin your own site you can set the rules however you want, it just depends on what you're comfortable with.

I too have seen a lot @yahoo.co.uk and don't have any idea why that might be. Maybe yahoo.co.uk's signup policies are more lax or something so spammers are flocking to it.

#7 2007-12-24 3:54 am

TeMerc
Member
From: Phx. AZ
Registered: 2007-12-19
Posts: 51
Website

Re: Banning IP's vs. username vs. email address

One thing I've noticed is that some of these spambots register almost simultaneously using different email domains, but the same user name.

You can see this occasionally @ Spam Blog

Offline

#8 2008-02-07 9:16 pm

stixx
Member
Registered: 2008-02-07
Posts: 1

Re: Banning IP's vs. username vs. email address

I prefer to ban email addresses and certain offensive names (due to the amount of porn spam) rather than IP addresses.  Although recently I chose to ban IP 85.12.46.92 due to around 20 'users' joining my site in the space of a few days.  I didn't realise just how many of these obnoxious 'people' were out there! Stupid of me I know lol, but I'm learning everyday. Thanks to sites like this I just might get ahead of them one day. Keep up the good work.

Offline

#9 2008-02-08 3:27 am

TeMerc
Member
From: Phx. AZ
Registered: 2007-12-19
Posts: 51
Website

Re: Banning IP's vs. username vs. email address

Well I've finally gotten the newer phpBB software installed and I have the CAPTCHA 'noise' level, which is what makes it rather difficult to read, at max. So far no spambot registrations at all.

As a matter of fact, I even removed the ban on Hotmail, AOL, GMail and YaHoo! just to see how well the CAPTCHA works. It's been two weeks.

I actually stopped adding names to block into the database, concentrating more on domains and IPs. The names are so much easier for them to change, all they have to do is switch one letter and you have a new user.

They seem to use the same domains, mostly of the free ones. So I stay on top of that and check IPs to see where they're from.

Offline

#10 2008-04-05 1:09 am

Kaitou Ace
Member
Registered: 2008-04-02
Posts: 2

Re: Banning IP's vs. username vs. email address

I have only had my forum for about two months and have had lots and lots of these spammers, banning their IP's seems to make no difference.  They can just keep coming back.  The only thing that kinda' halts their progress is banning e-mails and usernames.

Even at that it's pointless.   I just delete their accounts and have made it so all accounts must be activated by an admin.

Offline

#11 2008-04-07 3:56 pm

VinceTheAlive
Member
Registered: 2008-03-17
Posts: 4

Re: Banning IP's vs. username vs. email address

Lately, I've been finding that it's the equivalent of shovelling the driveway during a blizzard. Monday mornings are the worst as I don't do spam maintenance on the weekend, leaving me with 72 hours worth of spam.  Banning IP addresses works for about a day or two, and then it starts up again. I can take some comfort in knowing that my company is taking the site offline within the next few months, but in the meantime, they're not going to be installing humanizers or anything to slow down spammers.  CAPTCHA has long since failed too.  Oh well.

Banning e-mail address domains works for a while, but most of them are coming from gmail.com, so I can't just go ahead and ban the domain.

Offline

#12 2008-05-15 3:02 pm

pavemen
Member
Registered: 2008-01-17
Posts: 17

Re: Banning IP's vs. username vs. email address

I find it easier to just ban all three when a spammer does make it through the registration process. My ban notice gives legit users contact info to ask me to look into their bans. Most of the time it's IP bans that affect them and I simply ask them to reboot their router and all is well.

I use the StopForumSpam API to test for all IP and email and block the registration process with a note about being a known spammer and I get an email listing the attempt.

I do not use CAPTCHA and I no longer block free email accounts.

The amount of spammers that gets through is 1-2 a month, maybe. However I get 15-40 emails a day of attempted spammer registrations that have been blocked.

You guys don't need to make it just a huge effort if you get smart about it.

Here is a sample bit of code that I use for checking against the API

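// Query the StopForumSpam API. urlencode() keeps characters in the address
// from altering the query string.
$email_spamcheck = file_get_contents("http://www.stopforumspam.com/api?email=".urlencode($email));

// file_get_contents() returns false when the request fails, so test for that first.
if($email_spamcheck !== false && stristr($email_spamcheck, 'yes') && stristr($email_spamcheck, 'success="true"'))
{
    $reg_success = "N";
    $reg_message = "Your email address is black listed as a forum spammer. Your registration is denied. If you feel that you have received this message in error, please contact the Webmaster at webmaster[at]mydomain[dot]com.\n";

    $headers = '';                              // set headers here
    $contact_email = 'webmaster@example.com';   // placeholder: set your contact email here
    mail($contact_email, 'Stop Forum Spam Catch', 'Spammer Catch - Email: '.$email, $headers);
}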

I use the $reg_success and $reg_message variables when testing all parts of the registration process so I can track if specific parts of the registration fail and report them back to the user all at once. For non-spammer issues, I append to the variable rather than replacing it

$reg_success .=

rather than the

$reg_success =

that is shown above.

Also, the $email variable comes out of the registration form and if I use the IP test, then I use the $REMOTE_ADDR variable after testing for the HTTP_FORWARDED_FOR

My site has 14,000 members and 932,000+ posts. It's busy but spam is no longer the headache it used to be.

Last edited by pavemen (2008-05-15 3:03 pm)

Offline
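
On choosing between the connection address and a forwarded-for header for the IP lookup mentioned in the post above: the header is supplied by whoever sends the request, so it is only meaningful when the connection comes from a reverse proxy you run. The following is an added example, not pavemen's code; the function name, the trusted-proxy list and the sample addresses are constructed for illustration.

```php
<?php
/**
 * Pick the address to send to the blocklist lookup.
 * $remoteAddr     - the TCP peer (REMOTE_ADDR)
 * $forwardedFor   - raw value of the forwarded-for header your proxy sets, or null
 * $trustedProxies - addresses of reverse proxies you operate (assumption)
 */
function ip_for_lookup(string $remoteAddr, ?string $forwardedFor, array $trustedProxies): string
{
    // A direct client can put anything in the header, so ignore it
    // unless the peer is one of our own proxies.
    if ($forwardedFor === null || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    // Proxies append on the right: walk right-to-left and stop at the first
    // hop that is not ours. Anything further left is client-controlled.
    $hops = array_reverse(array_map('trim', explode(',', $forwardedFor)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr; // malformed chain: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remoteAddr; // chain contained only our own proxies
}

// Constructed cases using documentation address ranges.
$proxies = ['192.0.2.10'];
$cases = [
    'direct, header supplied by client' => ['203.0.113.7', '198.51.100.1'],
    'via our proxy'                     => ['192.0.2.10', '198.51.100.23'],
    'via proxy, extra leading entry'    => ['192.0.2.10', '10.0.0.1, 198.51.100.23'],
    'no header'                         => ['203.0.113.7', null],
];
foreach ($cases as $label => [$peer, $header]) {
    printf("%-36s -> %s\n", $label, ip_for_lookup($peer, $header, $proxies));
}
```

With this rule a registrant cannot dodge an IP check, or get someone else's address reported, by sending a header of their own choosing.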

#13 2008-05-16 10:44 pm

Ben
Member
Registered: 2008-04-28
Posts: 1
Website

Re: Banning IP's vs. username vs. email address

I have a similar routine to pavemen but I don't automatically block registration.  I fetch stopforumspam.com results for username, email, and password and then show a score (0-3) in the PHPBB user list (mod I use).  I did this to make sure I wasn't banning legit users.  But I like it because it lets me see spammers easily, contribute variations, and only investigate suspect registrations.  This combined with some auto-blocking for bot submissions has cut spam significantly.  I do block large IP blocks from China, Russia, Ukraine, and many RIPE managed segments.

Offline

#14 2008-05-17 4:55 am

pavemen
Member
Registered: 2008-01-17
Posts: 17

Re: Banning IP's vs. username vs. email address

I apologize that I was not clear. My first paragraph above is how I deal with spammers that made it through registration and posted spam. I ban all three info bits.

The code portion is in my registration phase, where the spammer is trying to register. I check this site's list and block the registration if needed.

I do not automatically ban spammers. Sorry for any confusion

Offline
