
#1 2017-12-12 9:23 pm

kpatz
Member
Registered: 2008-10-09
Posts: 1,295

If spammer comes from more than one IP, which one(s) to submit?

Sometimes spammers will come from more than one IP.  They may register from one IP, activate their account from another IP, update their profile from another IP, post their spam from another, and so forth.  This isn't common, but I have seen it happen on occasion, at least from registration to activation, or their post comes from a different IP especially if they didn't post their spam right away.  In this instance, which IP is the best one to submit?

Currently I use the registration IP when I submit spammers, but I do check the activation IP against the API if it's different and use that as part of my "is this a spammer" automated check on registration and activation.  My spamcheck admin page will also show the IPs of the last few posts, if they are different from the registration and activation IPs.

How about, for example, a spammer registers from IP 1.1.1.1, activates his account from 2.2.2.2, and makes 3 spam posts, from 3.3.3.3, 4.4.4.4 and 5.5.5.5.  Which IP is the recommended one to submit?

Last edited by kpatz (2017-12-12 9:24 pm)


We need better spam proofing technology - preferably the kind that electrocutes spammers with 50,000 volts 100 amps the moment they click "Post".

Offline

#2 2017-12-12 10:03 pm

sklerder
Member
Registered: 2012-10-11
Posts: 286
Website

Re: If spammer comes from more than one IP, which one(s) to submit?

Hi.

In order to submit, you should furnish a spam link or a proof of spam, so I'd submit every spam post (3.3.3.3, 4.4.4.4 and 5.5.5.5), one submission for each post (in order to keep its weight in the confidence info for later requests, cf. this discussion, to which you contributed).

To stay in line with the rules for submitting:
- The activation IP doesn't give any proof of spamming, so you should not submit it.
- As the bot succeeded in registering, the "automated registration" argument is not adequate, even if they contributed, directly or indirectly, to the spam action.

This is my own opinion, to be in conformance with the rules for submitting, but it has happened that I submitted an IP/nickname/email when having no proof, just a feeling. And it could happen again.

Pedigree would probably say "it's not correct", but when you are sure it's a spammer, I feel it's better to help database users than to ignore a spammer (all the more so if it has not been submitted to the database).

Offline

#3 2017-12-13 12:18 am

Papa Parrot
Moderator
From: Mexico
Registered: 2011-08-19
Posts: 1,538
Website

Re: If spammer comes from more than one IP, which one(s) to submit?

Here, I submit the IP they used to post. If I do happen to notice it is different than what they registered with, I include the one they registered with in the evidence.
But anyway, I use the IP they have when they log in and post, not the registration IP.

Offline

#4 2017-12-13 1:22 pm

kpatz
Member
Registered: 2008-10-09
Posts: 1,295

Re: If spammer comes from more than one IP, which one(s) to submit?

Thanks... I'll bear these in mind next time I have a chance to mess with my anti-spam code. :)

vBulletin captures the IP of registration as well as the IP of each post.  My mods also capture the IP of activation, because I needed to check SFS anyway at activation to determine whether to put the member into suspicious, registered, or spammer usergroup.  While I was in the code for activation, I figured I'd use that IP as part of the "am I a spammer" score if it's different than the registration IP, though I don't submit that IP (I do include it in the evidence).

Changing the code to submit the IP of the post included in evidence wouldn't be that difficult.  Submitting every post is a bit more complex, especially since I'd have to add checkboxes to each post so I could pick which ones to submit, in case the spammer makes some non-spam posts before dropping their payload.  Currently I just include their last post in evidence.

Lastly, vBulletin does not capture the IP used for profile or signature changes, so to submit a link spammer before they've posted with that IP, I'd have to insert an additional code modification to record the IP of profile updates.

Another argument for submitting the registration IP:  most SFS forum plugins check SFS at registration time rather than post time.  If a spammer consistently registers from one IP and posts from another, and the post IP is submitted, SFS mods checking at registration will miss that and allow the registration.  Submitting the IP of registration aids in blocking future registrations from that IP.

Hopefully Ped will chime in with his thoughts.



Offline

#5 2017-12-13 5:59 pm

sklerder
Member
Registered: 2012-10-11
Posts: 286
Website

Re: If spammer comes from more than one IP, which one(s) to submit?

Hello!

I fully agree with you that the IP used when registering can be as naughty as the one used to post.

I sometimes see, in the logs of my forum, bots using up to three IP addresses to register (because registration is done in three phases), but my mod submits only the IP used to finish the registration phase. My mod checks the IP against SFS at every posting (as my site is not very active, it's not too heavy for SFS :) )

Offline

#6 2017-12-16 7:58 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 6,636

Re: If spammer comes from more than one IP, which one(s) to submit?

submit them both :)

Offline
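The submission choices discussed in this thread, sketched in Python as an added example (not code from any poster or from StopForumSpam): one report per spam post IP, the registration IP reported as well, and the activation IP kept in the evidence only. `Event`, `plan_submissions`, the report field names and the sample data are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Event:
    kind: str           # "register", "activate" or "post"
    ip: str
    spam: bool = False  # posts only: a moderator marked it as spam
    text: str = ""      # posts only: body kept as evidence


def plan_submissions(username, events):
    """Return one {"username", "ip", "evidence"} dict per report to file."""
    norm = lambda ip: str(ip_address(ip))  # validates, canonicalises IPv6
    spam_posts = [e for e in events if e.kind == "post" and e.spam]
    if not spam_posts:
        return []  # no proof of spam yet, so nothing is reported

    reg_ips = sorted({norm(e.ip) for e in events if e.kind == "register"})
    act_ips = sorted({norm(e.ip) for e in events if e.kind == "activate"})
    context = "registered from %s; activated from %s" % (
        ", ".join(reg_ips) or "unknown", ", ".join(act_ips) or "unknown")

    plan, reported = [], set()
    for post in spam_posts:  # one report per spam post, even on a repeated IP
        ip = norm(post.ip)
        reported.add(ip)
        plan.append({"username": username, "ip": ip,
                     "evidence": "%s\n[%s]" % (post.text, context)})
    posted = ", ".join(sorted({norm(p.ip) for p in spam_posts}))
    for ip in reg_ips:  # registration IP too, unless a post report covers it
        if ip not in reported:
            plan.append({"username": username, "ip": ip,
                         "evidence": "%s\n[registration IP; spam posted from %s]"
                                     % (spam_posts[0].text, posted)})
    return plan


# Constructed sample: the scenario from the first post, plus one clean post.
SAMPLE = [
    Event("register", "1.1.1.1"),
    Event("activate", "2.2.2.2"),
    Event("post", "2.2.2.2", spam=False, text="hello everyone"),
    Event("post", "3.3.3.3", spam=True, text="buy pills http://spam.example"),
    Event("post", "4.4.4.4", spam=True, text="cheap loans http://spam.example"),
    Event("post", "5.5.5.5", spam=True, text="casino http://spam.example"),
]
```

The activation IP and non-spam posts never become reports of their own; the activation IP only appears inside the evidence text of the post reports.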

#7 2018-03-13 6:49 pm

owencat
Member
Registered: 2018-03-13
Posts: 3

Re: If spammer comes from more than one IP, which one(s) to submit?

Thanks for starting this discussion about spammers with multiple ISPs.

Am dealing with a forum spammer who uses a variety of ISPs to spam our site.

This person's username appears in the StopForumSpam database. The little darling is now using a whole new set of ISPs.

A clever operator.  Registered in January, clean email. Began spamming us 3 days ago -- a sort of sleeper agent tactic(?)

Again, thank you all for your service and for this discussion.

Offline
