Unusual spammer’s registration attack.

crow · 2012-09-04 3:40 pm

I went to the board first thing this morning and thought WTF, it had been unusually inundated with spammer’s registrations and spam posts, in which took me quite awhile to clear them off from the board. I then went to here to add the ones that spammed to my spammers list and found the site was offline, due to maintenance. Oh, I thought, so that is the reason for the unusual inundation of spammers. - When the cats away the mice will play.

I don’t know what I would do without SFS. Thanks.

Last edited by crow (2012-09-04 3:41 pm)

AngelinaCat · 2012-09-04 3:59 pm

The forum that I help moderate, also got slammed last night. I also found that SFS was down. I certainly am glad it is back up.

Some of our spammers are finding ways around the Spam-O-Matic software that our Admin installed last week, by coming up with usernames, edresses, and IP addresses that are not in SFS's databanks. I am duly entering them....

WindowsBBS · 2012-09-04 8:54 pm

Yea SFS was down some 6+ hours.

I have resorted to using an IP block on all of China, Korea, Russia, Ukraine, Belarus, Bulgaria, Czech Republic, Romania, Latvia, Estonia, Kazakstan, Moldavia/Moldova, Poland, Serbia, Siberia, Slovakia, Slovenia, Azerbaijan.

I just block them from accessing the registration page

pedigree · 2012-09-04 10:34 pm

AngelinaCat wrote:

The forum that I help moderate, also got slammed last night. I also found that SFS was down. I certainly am glad it is back up.
Some of our spammers are finding ways around the Spam-O-Matic software that our Admin installed last week, by coming up with usernames, edresses, and IP addresses that are not in SFS's databanks. I am duly entering them....

excellent

Norm · 2012-09-04 11:37 pm

WindowsBBS wrote:

Yea SFS was down some 6+ hours.
I have resorted to using an IP block on all of China, Korea, Russia, Ukraine, Belarus, Bulgaria, Czech Republic, Romania, Latvia, Estonia, Kazakstan, Moldavia/Moldova, Poland, Serbia, Siberia, Slovakia, Slovenia, Azerbaijan.
I just block them from accessing the registration page

Please explain how you did that. It sounds very useful.

jonboat · 2012-09-05 2:38 pm

Norm wrote:

WindowsBBS wrote:
Yea SFS was down some 6+ hours.
I have resorted to using an IP block on all of China, Korea, Russia, Ukraine, Belarus, Bulgaria, Czech Republic, Romania, Latvia, Estonia, Kazakstan, Moldavia/Moldova, Poland, Serbia, Siberia, Slovakia, Slovenia, Azerbaijan.
I just block them from accessing the registration page
Please explain how you did that. It sounds very useful.

Here's a little php script for fetching the country code for a given IP:

<?php
$country = '';
$IP = $_SERVER['REMOTE_ADDR'];
$key = 'ip:' . $IP;
$memc = new memcached();
$memc -> addServer('127.0.0.1', 11211);
if (($country = $memc->get($key)) === FALSE) {
   $country = @file_get_contents('http://api.hostip.info/country.php?ip='.$IP);
   $memc->set($key, $country, 86400); // 86400 = 24 hours
?>

You can add to it, any logic you want to include or exclude countries of choice

AEG · 2012-09-05 5:53 pm

I've had it with Indian, Bangladeshi and Chinese spammers so I think it's time to put a country block on. Where do you put that script?

Is it sufficient just to put the following in User Banning Options (vBulletin):

115.
116.
117.
118.
119.
120.
121.
122.
123.
124.

etc?...

Last edited by AEG (2012-09-05 5:55 pm)

jonboat · 2012-09-05 6:40 pm

AEG wrote:

I've had it with Indian, Bangladeshi and Chinese spammers so I think it's time to put a country block on. Where do you put that script?
Is it sufficient just to put the following in User Banning Options (vBulletin):
115.
116.
117.
118.
119.
120.
121.
122.
123.
124.
etc?...

That script merely retrieves the country code, It needs logic added to do something with that country code. Mine simply looks to see if it is US or CA and allows registration, all other countries get a registration denied page that tells them to email me if they have legitimate reason to join. I have never worked with vBulletin, so I'm not sure exactly where it would go, or how banning is set up. I'd imagine that vB has fairly granular banning controls - like disallowed email addresses (can ban with wildcards like *@bademail.com) and a banned ip list. severamethods for banning depending on what you as the admin is looking to accomplish. Both phpBB and MyBB (free software) have these options, so I would imaging a paid-for BB software like vB would have even better controlls.

My board uses phpBB and the call to the "countrycheck.php" script is the first line of my registration page php file.
If they're from outside the USA or Canada, then they never even get to access the registration forms.

Farelf · 2012-09-06 12:02 am

AEG wrote:

I've had it with Indian, Bangladeshi and Chinese spammers so I think it's time to put a country block on. ...
...
124.
etc?...

Well, not all 124 (124.0.0.0/8) is China. Some of it is Australia too. You want to select your sign-on candidates? The trouble with selection is it is always far easier to reject - with attendant risks (babies and bathwater situation).

In Invision Power Board I could simply add 115.*.*.* (etc) to my "Ban Control" (filter) console but would be checking the scope before doing that. From what I've seen, country blocks are tricky to keep up to date. Even the countries.nerd.dk DNSBL is a little bit famous for not catching everything all the time.

webmaisterpro · 2012-09-06 2:23 am

I used to get same spam attach few weeks ago, which continue for quite a long time. At the end I decided to blog all proxies that I found in my cPanel and it seems that it worked and I get less fake profiles.

Patti L. · 2012-09-06 4:23 am

You blog, not block?

Last edited by Patti L. (2012-09-06 4:24 am)

WindowsBBS · 2012-09-09 8:52 am

Norm wrote:

WindowsBBS wrote:
Yea SFS was down some 6+ hours.
I have resorted to using an IP block on all of China, Korea, Russia, Ukraine, Belarus, Bulgaria, Czech Republic, Romania, Latvia, Estonia, Kazakstan, Moldavia/Moldova, Poland, Serbia, Siberia, Slovakia, Slovenia, Azerbaijan.
I just block them from accessing the registration page
Please explain how you did that. It sounds very useful.

Get the IP addresses from a list like http://www.wizcrafts.net/chinese-blocklist.html

Then, in your Apache config file for the domain add

<FilesMatch "(register.php)$">
order Allow,Deny
Allow from All
deny from xxx.xxx.xxx.xxx/xx
deny from xxx.xxx.xxx.xxx/xx
</FilesMatch>

You'll need Apache mod_authz_host

Foxhack · 2012-09-09 3:32 pm

I use SFS at my website and a friend uses it at his forum, and we had a couple of spambots get through during the downtime! Glad to see it was basically a bug caused by the service being down and not just the bots getting around the blocks somehow.

crow · 2012-09-09 5:08 pm

I had quite a number of spam registrations again today, noticed that SFS was offline. On a Sunday, don’t these spammers ever have a rest day?

Snowhog · 2012-09-09 5:47 pm

And on the seventh day God ended his work which he had made; and he rested on the seventh day from all his work which he had made. (The spammers however, did not!)

Piperdane · 2012-09-11 4:13 am

crow wrote:

I went to the board first thing this morning and thought WTF, it had been unusually inundated with spammer’s registrations and spam posts, in which took me quite awhile to clear them off from the board. I then went to here to add the ones that spammed to my spammers list and found the site was offline, due to maintenance. Oh, I thought, so that is the reason for the unusual inundation of spammers. - When the cats away the mice will play.
I don’t know what I would do without SFS. Thanks.

On the two forums I help administrate (vBulletin) we use Glow Host which checks all new registrations against the data on SFS. I have adjusted the Glow Host settings so that the forum blocks any/all new registrations if/when the SFS site goes down.

Legitimate candidates for new registration will then use the 'contact us' forum to ask why they were blocked at that moment. I get very few requests for that information, indicating that the spammers are possibly aware when the SFS site goes down and start hammering all the forums. With it fixed to block registrations, the spammers are blocked too ... everyone is blocked.

AngelinaCat · 2012-09-11 4:38 am

crow wrote:

I had quite a number of spam registrations again today, noticed that SFS was offline. On a Sunday, don’t these spammers ever have a rest day?

Snowhog wrote:

And on the seventh day God ended his work which he had made; and he rested on the seventh day from all his work which he had made. (The spammers however, did not!)

LOL! I love it.

Last edited by AngelinaCat (2012-09-11 4:39 am)

#1 2012-09-04 3:40 pm

Unusual spammer’s registration attack.

#2 2012-09-04 3:59 pm

Re: Unusual spammer’s registration attack.

#3 2012-09-04 8:54 pm

Re: Unusual spammer’s registration attack.

#4 2012-09-04 10:34 pm

Re: Unusual spammer’s registration attack.

#5 2012-09-04 11:37 pm

Re: Unusual spammer’s registration attack.

#6 2012-09-05 2:38 pm

Re: Unusual spammer’s registration attack.

#7 2012-09-05 5:53 pm

Re: Unusual spammer’s registration attack.

#8 2012-09-05 6:40 pm

Re: Unusual spammer’s registration attack.

#9 2012-09-06 12:02 am

Re: Unusual spammer’s registration attack.

#10 2012-09-06 2:23 am

Re: Unusual spammer’s registration attack.

#11 2012-09-06 4:23 am

Re: Unusual spammer’s registration attack.

#12 2012-09-09 8:52 am

Re: Unusual spammer’s registration attack.

#13 2012-09-09 3:32 pm

Re: Unusual spammer’s registration attack.

#14 2012-09-09 5:08 pm

Re: Unusual spammer’s registration attack.

#15 2012-09-09 5:47 pm

Re: Unusual spammer’s registration attack.

#16 2012-09-11 4:13 am

Re: Unusual spammer’s registration attack.

#17 2012-09-11 4:38 am

Re: Unusual spammer’s registration attack.

Board footer