You are not logged in.

#1 2017-07-10 9:22 am

conaero
Member
Registered: 2017-06-21
Posts: 5

Forum Spam Registration Attack

After 7 or 8 years of a spam free forum, about a month ago, we started getting hammered again with LIVE FEED and url links to sporting events such as Cricket and Rugby.

I have never changed the SFS settings as its worked beautifully for years but now the only way to block it is to enable the IP address blocking in the SFS Vbulletin 4.2 settings.

As a result of this I am now getting loads of genuine users getting blocked and having to manual add them.

Whats changed, is the SFS database dying or do I need to do something else?

I have enabled a secret question and enabled Captcha, but the spammers are still getting through if IP address blocking is off.

Appreciate your help and advice.

Offline

#2 2017-07-10 10:14 am

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,570

Re: Forum Spam Registration Attack

Can you give an example of legitimate user that was blocked?  Nothing has changed other than heavily abused throw away domains are being added to blacklists (eg fhafhi.myemail.xyz).  it sounds like you have the curse of manual spammers, people hitting your site instead of the more tradition automated software spamming.  These are harder to block.  Anything that you can provide would be helpful to see what's going wrong.

Offline

#3 2017-07-10 1:21 pm

conaero
Member
Registered: 2017-06-21
Posts: 5

Re: Forum Spam Registration Attack

Here are 2 emails I received today and have manually added in the back end, leaving IP SFS filtering on, you can see their IP addressed and I have left their email domain visible:

--------------------------------------------------------------------------------------------------------------------------------

Hi there,
I attempted to register (to see some pics in forum) but the system did not allow me for reasons that i am a "spammer" ... don't know what sofisticated AI is behind that conclusion though.

Could you pls fix that for me.
Many thanks.
Andy

---

Referring Page:
IP Address: 88.101.197.209
User Name: Unregistered
User ID: 0
Email: *************@seznam.cz

--------------------------------------------------------------------------------------------------------------------------------

Hi guy's can't seem to register?

Brendan

---

Referring Page:
IP Address: 88.145.177.123
User Name: Unregistered
User ID: 0
Email: **********@gmail.com

--------------------------------------------------------------------------------------------------------------------------------

Last edited by conaero (2017-07-10 1:21 pm)

Offline

#4 2017-07-10 1:28 pm

conaero
Member
Registered: 2017-06-21
Posts: 5

Re: Forum Spam Registration Attack

Here is my registration statistics, you can see how many attacks I am getting in the past 4 weeks:

http://www.sportsmaserati.com/uploads/stats.jpg

Last edited by conaero (2017-07-10 1:32 pm)

Offline

#5 2017-07-10 1:39 pm

conaero
Member
Registered: 2017-06-21
Posts: 5

Re: Forum Spam Registration Attack

and here are the last couple of days, you can see the spammers, they have the same Username as the first part of their bogus email addresses:

http://www.sportsmaserati.com/uploads/register.gif

Last edited by conaero (2017-07-10 1:41 pm)

Offline

#6 2017-07-10 2:13 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 683
Website

Re: Forum Spam Registration Attack

For the false positives: The IPs don't seem to be listed on SFS at the moment when I checked just now, at least. How about their email addresses? Are they actually listed on SFS at all?


phpMussel file upload protection (v1.1.0, 2017.10.29).
CIDRAM IP blocker (v1.2.0, 2017.10.29).
SFS Mass IP Checker (v0.1.3, 2016.09.10).
IPv4+IPv6 IP/CIDR Aggregator (v1.1.0, 2017.10.29).

Offline

#7 2017-07-10 3:08 pm

conaero
Member
Registered: 2017-06-21
Posts: 5

Re: Forum Spam Registration Attack

Sorry, how to I check the listings, I cant see how to do it. It used to be on home page of the old SFS website.

[Mod addition:- it is hidden under Search]

Here is a short list for checking, saving anyone having to type it:

stifinlulag     stifinlulag@gmail.com     23.229.3.6
stifinlulaf     stifinlulaf@gmail.com     206.123.159.159
selenagomez     only4selenagomez@gmail.com    172.94.65.109
stifinlulae     stifinlulae@gmail.com     172.111.152.15
stifinlulah     stifinlulah@gmail.com     185.101.33.206
agregorasshtolzea3013     agregorasshtolzea@hotmail.org     178.73.201.235
toninsloa     toninsloa@outlook.com     172.111.244.204
bbobbynry7981     bbobbynry@gmail.com     104.236.13.100
blgautopa6894     blgautopa@hotmail.com     109.163.234.2
bpatickmtexaxdy983     bpatickmtexaxdy@hotmail.com     89.40.116.171
Benbuhagiar     Benbuhagiar@me.com     86.143.214.125
bannetaetsay7405     bannetaetsay@gmail.com     50.4.209.178
abrdattsy1109     abrdattsy@gmail.com     113.53.231.203
mioajdospak     mioajdospak47@gmail.com     158.69.160.186
behnztopa3643     behnztopa@hotmail.net     144.217.31.225
stifinlulai     stifinlulai@gmail.com    172.111.200.89
lecturtupi     lecturtupi@gmail.com     103.247.148.32
umansoixi     mdazizul5659@gmail.com     158.69.160.185
lasmetore     lasmetore@mailinator.com     185.118.76.51

Last edited by conaero (2017-07-10 3:13 pm)

Offline

#8 2017-07-10 3:45 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 683
Website

Re: Forum Spam Registration Attack

Are those the false positives, or the spammers?

A brief terminology rundown:

False positive: Details WERE flagged, but should NOT have been flagged (wrong inference).
True positive: Details WERE flagged, AND should have been flagged (a listed spammer; correct inference).
False negative: Details were NOT flagged, but SHOULD have been flagged (an unlisted spammer).
True negative: Details were NOT flagged, AND should not have been flagged (not a spammer; correct inference).

Last edited by Maikuolan (2017-07-10 3:46 pm)


phpMussel file upload protection (v1.1.0, 2017.10.29).
CIDRAM IP blocker (v1.2.0, 2017.10.29).
SFS Mass IP Checker (v0.1.3, 2016.09.10).
IPv4+IPv6 IP/CIDR Aggregator (v1.1.0, 2017.10.29).

Offline

#9 2017-07-10 4:48 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,570

Re: Forum Spam Registration Attack

There is a search box directly under the donate button, top right hand corner, or www.stopforumspam.com/search or www.stopforumspam.com/ipcheck/104.236.13.100

or from your server (or browser), the api at http://api.stopforumspam.org/api?json&ip=104.236.13.100

104.236.13.100 is an IP in a large data center, ie not a home or business user, so I tend to not trust these as they're usually "hit and run" proxy/VPN servers

Offline

#10 2017-07-10 4:54 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,570

Re: Forum Spam Registration Attack

That list all looks like spammers to me, without even having to check

eg https://www.stopforumspam.com/search/agregora

Offline

#11 2017-07-10 5:11 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

Here are spam-checks on that earlier listing.

conaero wrote:

key:

stifinlulag     stifinlulag@gmail.com     23.229.3.6
stifinlulaf     stifinlulaf@gmail.com     206.123.159.159
selenagomez     only4selenagomez@gmail.com    172.94.65.109
stifinlulae     stifinlulae@gmail.com     172.111.152.15
stifinlulah     stifinlulah@gmail.com     185.101.33.206
agregorasshtolzea3013     agregorasshtolzea@hotmail.org     178.73.201.235
toninsloa     toninsloa@outlook.com     172.111.244.204
bbobbynry7981     bbobbynry@gmail.com     104.236.13.100
blgautopa6894     blgautopa@hotmail.com     109.163.234.2
bpatickmtexaxdy983     bpatickmtexaxdy@hotmail.com     89.40.116.171
Benbuhagiar     Benbuhagiar@me.com     86.143.214.125
bannetaetsay7405     bannetaetsay@gmail.com     50.4.209.178
abrdattsy1109     abrdattsy@gmail.com     113.53.231.203
mioajdospak     mioajdospak47@gmail.com     158.69.160.186
behnztopa3643     behnztopa@hotmail.net     144.217.31.225
stifinlulai     stifinlulai@gmail.com    172.111.200.89
lecturtupi     lecturtupi@gmail.com     103.247.148.32
umansoixi     mdazizul5659@gmail.com     158.69.160.185
lasmetore     lasmetore@mailinator.com     185.118.76.51

Note:-
As ped said, these are all spammy-looking usernames. However, folks can be reported to the SFS database when - and ONLY when - they spam your site.

Offline

#12 2017-07-10 6:38 pm

GarryRicketson
Moderator
From: Mexico
Registered: 2011-08-19
Posts: 1,314
Website

Re: Forum Spam Registration Attack

The way pedigree did it gets more results eg:https://www.stopforumspam.com/search/stifin
-------------------
https://www.stopforumspam.com/search/bpatick
-------------------------------------------------------------
https://www.stopforumspam.com/search/abrdat

Just did a couple randomly,...
https://www.stopforumspam.com/search/blgaut
blgautopa6894     blgautopa@hotmail.com     109.163.234.2
https://www.stopforumspam.com/search/ 109.163.234.2

================
And then :

Hi there,
I attempted to register (to see some pics in forum) but the system did not allow me for reasons that i am a "spammer" ... don't know what sofisticated AI is behind that conclusion though.

Could you pls fix that for me.
Many thanks.
Andy

---

Referring Page:
IP Address: 88.101.197.209
User Name: Unregistered
User ID: 0
Email: *************@seznam.cz

-----------------------------------------------

https://www.stopforumspam.com/search/@seznam.cz
https://www.stopforumspam.com/search/Andy

I think maybe "Andy", should have been told to try using a better user name, and not use a e-mail service
known for hosting spammers.

Hi guy's can't seem to register?

Brendan

Brendan as well :
https://www.stopforumspam.com/search/Brendan
Many people use gmail, and to many spammers as well, on many sites gmail,hotmail,yahoo are not acceptable e-mail addresses,  .....
----------------------------------------

pedigree---- it sounds like you have the curse of manual spammers, people hitting your site instead of the more tradition automated software spamming

The bots would not take the time to contact you, but a human spammer would.
Interesting comment "Andy" made:

---don't know what sofisticated AI is behind that conclusion though.

It seems to be more aware of the existence of AI software, and bots, but it can not spell, or maybe it is intentional to make it look more human. There are some very sophisticated AI bots out there, and I would not be surprised if some are
even "trained", to send a registration request, if and when they can not register .
But then again, Andy may be is human , it is getting hard to tell now a days. In any event, as long as it does not actuall post any spam on your forum, it won't matter.

Offline

#13 2017-07-10 7:24 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

GarryRicketson wrote:

The way pedigree did it gets more results eg:https://www.stopforumspam.com/search/stifin

Yes Garry. But 'stifinlulag' is still NOT part of that list. And, if all you want is lots of results, https://www.stopforumspam.com/search/sti will get you even more.

My advice?

  1. Make a general access-block by IP-Address via a RBL site

  2. Use email-address to block forum-spammer Registrations via the SFS API

PS
You will still get human spammers even using the above suggestions.

Offline

#14 2017-07-11 10:39 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

conaero wrote:

After 7 or 8 years of a spam free forum, about a month ago, we started getting hammered again with LIVE FEED and url links to sporting events such as Cricket and Rugby.

Appreciate your help and advice.

The situation that you report is normal (and sorry, because I know that no-one wants to hear that, but it is unrealistic to expect to be spam-free). Those folks even try their spam stuff on this site, which is a bit like the way flies throw themselves at those Electrical Bug Zappers.

The idea is to report each & every spammer to the SFS database. That will protect every other user of the SFS API from those that spammed you, just like you are protected from those that spammed other folks (you may think that it is bad now - try unlinking the API).

It seems that the spammers have decided to try to evade detection by rapidly evolving new usernames (and connected email-addresses, in the way that you pointed out) in a process that is effectively a sh*tstorm. If the email providers would police their users & quickly shut-out all those that spam then your problem would rapidly fade. However, until Utopia arrives, report those that spam your forum to SFS. And try to be realistic - you can only ever hope to reduce spam; even StopForumSpam gets spammed.

Postscript
Recently a FluxBB update switched off SFS changes to the standard Board software & made it possible for new SFS users to personalise their Profiles. Neither Admin nor Mods spotted this for many days. In the meantime, spammers were running riot, creating hundreds of new Profiles & immediately spamming them.

The FluxBB snafu has been fixed, but spammer signups continue (they cannot spam their Profile, but occasionally forum-post+spam) Here is a (filtered) collection of recent SFS signups that look like spammers (and notice the similarity to your own situation):-

2017-07-06:

  • jagunjagun
    Jebmyldvt
    Jebmpldvt
    Jebmpidvt
    Jenmpidvt
    Jeompidvt

2017-06-30

  • Shbwpidat
    Shbwpldat
    Shbwpldct
    Shbwqldct
    Shbwqldet

2017-06-23

  • Shbwqldzt
    Shcwqldzt

2017-06-22

  • Shawqldzt
    Shawbldzt
    Shewbldzt

2017-06-20

  • Jeswuldztr
    Jeswqldztr

2017-06-19

  • Fruchtquark

2017-06-17

  • Sivqldxtel
    Sivqldvtel
    Sivqldstel

(...and so it goes on)

Offline

#15 2017-07-11 4:55 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 276

Re: Forum Spam Registration Attack

Alex Kemp wrote:

The situation that you report is normal (and sorry, because I know that no-one wants to hear that, but it is unrealistic to expect to be spam-free

...

And try to be realistic - you can only ever hope to reduce spam; even StopForumSpam gets spammed.

Then I must be unrealistic. And abnormal. smile

Last edited by zero-tolerance (2017-07-11 4:56 pm)

Offline

#16 2017-07-11 7:23 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

zero-tolerance wrote:

Then I must be unrealistic. And abnormal. smile

And unhappy.

Offline

#17 2017-07-11 9:32 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 276

Re: Forum Spam Registration Attack

If I got spammed, then I would be unhappy.
I think spam is preventable; and if people don't believe that, they'll settle for just slowing it down.

Offline

#18 2017-07-11 9:53 pm

sklerder
Member
Registered: 2012-10-11
Posts: 223
Website

Re: Forum Spam Registration Attack

Hi !

Spam is preventable, of course, but not 100% ...
The challenge is to be the closest to 100% smile

If I get spam, I'm not happy, but if I didn't have any spam attempt, I wouldn't be no more happy.
This would be that my website is of no interest !

Offline

#19 2017-07-11 11:03 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 276

Re: Forum Spam Registration Attack

It depends on the situation. Some sites may be able to do better than others. But fatalism will make people give up too soon, or put up with more spam than they need to.

Offline

#20 2017-07-11 11:46 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

People say “I want a clean kitchen”. An admirable objective. But if you say “I want a kitchen with zero bacteria in it” you have just set yourself up for failure. Indeed, if you use an anti-microbial wipe you may even induce resistance in the bacteria through gene-change & defeat the original objective (either of them). Better, surely, to say “I want a kitchen that doesn't give anyone food-poisoning” & thus make sure that you clean up after food-spills.

Too much spam in your forums will drive customers away. Just keep it under control, and don't go crazy about it.

Offline

#21 2017-07-12 9:05 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

conaero wrote:

After 7 or 8 years of a spam free forum, about a month ago, we started getting hammered again with LIVE FEED and url links to sporting events such as Cricket and Rugby.

...

Appreciate your help and advice.

And to underline this point to the nth degree, here is the latest spam (this morning) in SFS, advertising a Real Madrid sports shirt:

It is about 1 a day. And yes, that is one too many, but when SFS had it's snafu (earlier post) it became one hundred a day, just for Profile spammers.

In different circumstances we could easily be suffering one thousand spam a day. Back in the early part of the new Millennium my Freeserve website was immensely popular & the domain suffered a Joe-Job which across 2 days escalated to a permanent 15,000 mails a day. I lost use of that domain.

It is possible to spam SFS only if you are a human, and it is impossible to stop them if they have a currently-clean email address (it is only clean for one day, of course). Be pleased if you have a handful of human spammers each day; without SFS it would be many hundreds each day. Report each spammer to SFS & know that you will never see that one again, and nor will any other SFS user.

Offline

#22 2017-07-12 10:59 am

zero-tolerance
Member
Registered: 2013-02-25
Posts: 276

Re: Forum Spam Registration Attack

I see roughly 70000 registrations attempts per year, of which about 1% become members. I think if I saw as much as one spam leaking onto my forum per year, I would be installing more counter-measures. As it is I haven't had to take any action to prevent spam for several years now, so I'm not exactly going crazy about it. I'm sure I'm not alone in this. I just wanted to point out that it's not hopeless, and you don't have to put up with it, unless you don't believe it can be stopped.

The principle is very simple: raise the barrier for entry, and remove the pay-off for doing so. Raising the barrier will keep out the bots, and removing the payoff will stop the humans. Allowing spam onto your site and visible to search engines - for even a few minutes - *is* the payoff - because some small fraction of it will get indexed, which is all it takes. As long as that's happening you're actually attracting them. There are ways to completely prevent that payoff, but apparently people don't. You can queue new member posts for moderation (which is labour-intensive), you can delay guest access to all posts for a day (which isn't). I can think of other ways.
Lots of people install bug zappers, but they're not keeping the meat in the fridge...

My site is very hard to get into and there's no payoff, and I think this is a large part of why we see no spam.

Simply hiding the registration question so people have to follow instructions to go looking for it has been amazingly effective. The fact that the answer requires domain knowledge and is not easily googled also helps. Since we don't get spammers coming through we can vet new registrations manually, as there are only a couple coming through a day. If we had an incursion they probably wouldn't get any further than that. And if they did, there's no payoff, because any spam they posted would be removed before it was visible to the search engines rather than sometime afterwards. To anyone who can read well enough to get into our site, this situation is perfectly clear.

Probably not every site could work this way, but I think many could do more against spam than they realise..

Last edited by zero-tolerance (2017-07-13 1:57 pm)

Offline

#23 2017-07-13 10:44 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 1,894
Website

Re: Forum Spam Registration Attack

zero-tolerance wrote:

I haven't had to take any action to prevent spam for several years now … My site is very hard to get into … and I think this is a large part of why we see no spam

One thing to underline:- spammers do not give a damn about a single site that they spam. It is entirely a numbers game for them, and they seldom check back on any individual site.

If your server admin puts the following into the Firewall at the correct place then you will have zero problems with spam:

$IPT -A INPUT -p ALL -d 0/0 -j DROP

Of course, no-one else will be able to get in either, including you (except via the console). Another alternative is to remove power from the data-centre (or city/district if you are truly paranoid).

For everyone else it is a balancing act, just like the rest of life.

PS
Edited after I re-read zero-tolerance's post & understood that he already realised that almost all spam is posted by bots (only the human spammers get feedback).

Offline

#24 2017-07-13 1:57 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 276

Re: Forum Spam Registration Attack

Edited:
Well I apologise if the tone of my post was challenging - that was not my intention. I do think that the situation is not as hopeless as it's usually portrayed here. That's what I was trying to get across, along with some description of what's worked for me.

Just in case you misinterpreted me: the rate of new memberships on my site has not actually slowed since I improved the registration barrier, so it's not as if I'm shutting out the world.

Last edited by zero-tolerance (2017-07-13 5:20 pm)

Offline

#25 2017-07-17 1:25 am

jimmie 48
Member
Registered: 2011-02-18
Posts: 20

Re: Forum Spam Registration Attack

Just an FYI from me, an Admin with limited powers {the owner of the board has ultimate power} and the manual adding of members.........
I used to manually add people when I got emails that stated "... and I can't register ...." and other similar wording.   I quit doing that because EACH AND EVERY TIME it was letting a spammer or troll access to the board.   

I simply tell them, now, that the chosen username and/or the IP and/or email address was marked as belonging to a spammer.   If they desired access to our board they would need changed one, two or all of the items.  I end my remarks with a smile and that pretty much ends any further emails from the person. 

A legit person, in my experience, will continue to try to register and, if successful, often times will send an email thanking me for the helpful hint.

Offline

Board footer

Powered by FluxBB

Close
Close