Spam spam spam

Started by Qube, November 08, 2018, 06:44:03


Qube

Just dealt with 21 posts over 3 topics thanks to another one of our Russian spammer friends. Luckily members don't get to see any of this as every new member's posts are put on hold until approved. So even if they spam the boards with 1000 posts nothing shows up.

Why oh why do they target this little forum? :(

For those who speak Russian and are interested in said spam, here's a screenshot for you:

Mac Studio M1 Max ( 10 core CPU - 24 core GPU ), 32GB LPDDR5, 512GB SSD,
Beelink SER7 Mini Gaming PC, Ryzen 7 7840HS 8-Core 16-Thread 5.1GHz Processor, 32G DDR5 RAM 1T PCIe 4.0 SSD
MSI MEG 342C 34" QD-OLED Monitor

Until the next time.

Derron

They target _you_ as you use a default SMF forum. They google for SMF footer links - and for certain text output (themes/template-structure). The bots know how to handle SMF and so a default bot can already register, post ...

One non-trivial step would be to replace "action=post" (and "edit") with custom stuff so that simple bots are already stopped. Only the smarter bots (going to the forum view, looking for an <input type="submit" name="preview" value="Preview" ...> HTML button) will still be able to post.

Instead of manual approval I use forum-specific questions (I suggested that multiple times already). Means it needs human help to register the accounts - this reduces amount of registrations by a big big big bit (I have < 1 spam post per month, maybe 3-4 a year).
I also disabled web links to untrusted URLs. In my case only domains under my control or which I know are trustworthy (and so often used that it is useful to add them to the php scripts) can be set as clickable links.
You could disable (clickable) links for users with less than e.g. 5 posts.

You could add a captcha for the user's first X posts (a bit annoying but just write the explanation/reason right above the captcha so new users know that this will vanish later on).


You could check for the user's IP during registration and if he is on a spammer list you could deny registration - or at least add a second level captcha (forum specific).



bye
Ron
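The link policy Ron describes above (clickable links only for domains the admin trusts, or once a member has a handful of posts), as an added example in Python that is not SMF's code and not Ron's own script. The trusted-domain list, the 5-post threshold, the HTML output and the sample post text are assumptions for illustration:

```python
"""Render a post so that URLs become clickable only when the poster is
established or the link target is a trusted domain. Added example; the
domain list, threshold and output format are assumed, not taken from SMF."""
import re
from html import escape
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumed: domains the forum operator controls or knows to be safe.
# Subdomains of a trusted domain are accepted, lookalikes are not.
TRUSTED_DOMAINS = {"blitzmax.org", "syntaxbomb.com"}
MIN_POSTS_FOR_LINKS = 5  # assumed threshold; new accounts get plain text


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    host = host.lower().rstrip(".")
    # exact match or a real subdomain; "evil-blitzmax.org" and
    # "blitzmax.org.evil.com" both fail this test on purpose
    return any(host == d or host.endswith("." + d) for d in trusted)


def render_links(text, poster_post_count, trusted=TRUSTED_DOMAINS):
    """Return HTML for `text`; anchors only for trusted or established posters."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        url = m.group(0)
        # trailing punctuation is normally sentence punctuation, not URL
        trail = ""
        while url and url[-1] in ".,;:!?)":
            trail = url[-1] + trail
            url = url[:-1]
        # urlsplit().hostname ignores userinfo, so "http://trusted@evil.com/"
        # is judged by "evil.com", not by the text before the "@"
        host = urlsplit(url).hostname or ""
        if poster_post_count >= MIN_POSTS_FOR_LINKS or host_is_trusted(host, trusted):
            out.append('<a href="%s" rel="nofollow">%s</a>' % (escape(url), escape(url)))
        else:
            out.append(escape(url))  # keep the text, drop the clickable anchor
        out.append(escape(trail))
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # constructed sample post from a brand-new account (0 posts)
    print(render_links("Docs: http://www.blitzmax.org/docs. Buy: http://pills.example/x", 0))
```

The check is done on the parsed hostname rather than on the raw string so that userinfo tricks and lookalike domains do not pass; `rel="nofollow"` on the surviving anchors removes most of the search-engine value that attracts link spam in the first place.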

Amon

That's some good info Ron. Saved.

Holzchopf

Is that the reason why sometimes some threads have the "new" flag indicating new posts even if there's nothing new (visible for me)?

blinkok

Just a suggestion
On another forum they added a question to the login screen;
What product do you use?
I'm sure everyone here would answer one of the following (maybe a couple others);
agk
blitzbasic
unity
darkbasic
The point was it did put the bots off.

Derron

@Holzchopf

I think it happens if one edits the latest post after your visit. So the "last modified value" changes: max(updated,created) > lastVisited.
The forum cannot store what threads you have read and what not (m:n relationship ... not nice for CPU load ;-)). So time comparisons are used - and maybe some helpers like "threads/forum"-read. So it is no longer a members:post relationship but only a members:thread+post relationship. This would explain why only the latest post is taken into consideration - as you do not need to have another lookup for "latest modified post in thread"-time.

But my knowledge might be outdated (based on punbb/fluxbb which I use for 10+ years now). SMF might do it differently.



@ what products
You would need to take care of all spelling mistakes and variations (Blitz Max, BlitzMax, Blitz, BlitzMaxNG, ...). I used forum specific stuff - on a car selling website I added questions like "how many tires does a normal car have?", "at which traffic light color are you allowed to drive?" ... so it was still answerable for the "average joe". Of course this allows more "human spammers" to register without hassle, but it still stops the bots.

Maybe Recaptcha 3 is helping more too (less "mark bus"-things than in RC2).


bye
Ron

Qube

Quote: Instead of manual approval I use forum-specific questions (I suggested that multiple times already). Means it needs human help to register the accounts - this reduces amount of registrations by a big big big bit (I have < 1 spam post per month, maybe 3-4 a year).
Yes and as also said multiple times there are human based questions when you sign up :P - Perhaps your forum isn't as busy as this one which explains less spam? Or your forum isn't as popular on search engines? ( just guessing ).

Quote: You could check for the user's IP during registration and if he is on a spammer list you could deny registration - or at least add a second level captcha (forum specific).
That's in too but unfortunately nothing is 100%

Luckily it'll be very rare for members to see the spam crap.

Quote: Is that the reason why sometimes some threads have the "new" flag indicating new posts even if there's nothing new (visible for me)?
That would be possible if the spam posts are hidden from members or genuine new 1st posts waiting for approval.

blinkok

Quote: Perhaps your forum isn't as busy as this one which explains less spam? Or your forum isn't as popular on search engines?
Yes! Probably all of the above lol!

Derron

I've got some thousand visits (and a multiple of hits) a day for the forum (avg concurrent visitors count: 40-50 - many of them spam bots or search engines) . I think it is also the popularity of the forum _software_. Things need to get automated and I assume not all bots have plugins/instructions for punbb/fluxbb - while they have them for phpbb, smf, wbb, ...
Dunno how the Google awareness is; as my forum does not provide mobile views it should get a lower "high rank" score than before.

Maybe even bots have some forums they are more interested in (language, possibilities, ...) So in my forum they won't find so many external links (as they are not possible for most domains). Maybe this already removes some attraction?!


@ captcha
You (Qube) already added 4 or 5 different questions/riddles/puzzles for a registration ... that is really "hefty" - and without looking at the source code you might even have one more (an invisible field which bots fill while they shouldn't). Do you have some captcha stuff for the first X posts too? That way the "human registrator" needs to do the first posts too (registration is done by humans who then sell the credentials to the bot users).


bye
Ron
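The registration gate Ron sketches in his posts above (a forum-specific question that tolerates spelling variations, an invisible honeypot field that only bots fill, and an IP check against a spammer list that either denies or escalates to a second captcha), combined into one added Python example. This is not SMF's registration code and not Ron's script; the question, the accepted answers, the field names, the denylist networks and the sample form submissions are all constructed for illustration:

```python
"""Registration gate: honeypot field, forum-specific question with
normalised answers, and an IP denylist that escalates to a second captcha.
Added example; question, answers, field names and networks are assumed."""
import ipaddress
import re

QUESTION = "Which product do you use?"  # assumed forum-specific question
# Accepted answers after normalise(): "Blitz Max", "BlitzMax", "blitz-max NG"
# all collapse to one of these, so spelling variations still pass.
ACCEPTED = {"blitzmax", "blitzmaxng", "blitz3d", "blitzbasic", "monkey2", "agk"}
HONEYPOT_FIELD = "website"  # hidden via CSS; humans leave it empty, bots fill it
# Constructed denylist (documentation ranges); a real one comes from a feed.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:bad::/48")]


def normalise(answer):
    """Lowercase and keep only letters and digits so variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def ip_denied(ip):
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return True  # malformed REMOTE_ADDR: treat as suspicious rather than guess
    # `in` returns False for mismatched address families, so v4/v6 mixing is safe
    return any(addr in net for net in DENY_NETWORKS)


def check_registration(form, client_ip):
    """Return (decision, reason); decision is "accept", "reject" or "challenge".
    `form` is the POSTed field dict. Order matters: the cheap bot tells go first."""
    if form.get(HONEYPOT_FIELD, ""):
        return "reject", "honeypot field filled"
    if normalise(form.get("answer", "")) not in ACCEPTED:
        return "reject", "question not answered correctly"
    if ip_denied(client_ip):
        # a human may sit behind a listed range, so escalate instead of denying
        return "challenge", "ip on spammer list, show second captcha"
    return "accept", "ok"


if __name__ == "__main__":
    # constructed submissions: a human, a bot that filled the hidden field, a listed IP
    print(check_registration({"answer": "Blitz Max", "website": ""}, "198.51.100.7"))
    print(check_registration({"answer": "BlitzMax", "website": "http://x"}, "198.51.100.7"))
    print(check_registration({"answer": "blitz-basic"}, "203.0.113.9"))
```

The honeypot is checked before anything else because it is free and unambiguous; the question is checked before the IP list so that a denylisted address with a wrong answer is simply rejected, while a listed address with a correct answer gets the second captcha rather than a flat denial, which matches Ron's "deny or at least add a second level captcha".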

Matty

May I hijack this thread momentarily?

I just checked my spam folder in my Gmail account.  Somehow from the 30th October at 9pm a cron job was switched on and created to run every 10 minutes on my website to email myself 'this is a test' which all went to spam for the last 2 weeks!

Deleted cron job. Not sure how it got there - I don't normally go in that part of my server.

Derron

was the first "this is a test" already classified as spam?
My daily server reports (spam statistics, load averages, backup results) were classified by my spam filter as spam too - had to train it long enough (moving mails out of the spam folder ... = ham). Now it is properly marked as non-spam so that my local sieve/imapfilter can move it into the corresponding "server" folder (I have an "ingoing" and an "ingoing.clean" folder, with the latter being the one I subscribed for "push" in my smartphone mail program - means I only get the "interesting" mails pushed to the phone, not invoices, certain newsletters, ...).

A cron job every 10 minutes means you did not receive too many mails yet - when I sent newsletters some years ago (with ~20,000 subscribers) I did not set up the "sender" email properly, so all the bounces (full mail boxes, invalid addresses, ...) came back to my inbox. A mail server tries to send mails multiple times if they fail for certain reasons. So I ended up receiving some thousand emails within 2-3 hrs.

Some few years ago I had run a managed server, so not my own mail server. I had times in which I received some thousand spam mails within 1-2 hrs. Thankfully these "spam waves" are long over as many mail servers get configured in a better way and there is modern stuff to avoid spam or at least enable classifying it as spam right before it reaches a user's inbox. Eg. there is "graylisting" which requires a mail server to send a "first contact" email two times (the first one is rejected with a certain status, the second one then gets delivered properly). Many "fire and forget" spammers do not handle it. And of course there are "spam lists" in which you check the sender first. And with some security measures you could block mails which do not secure against faked sender names.


Sorry for derailing even more.


bye
Ron
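The greylisting behaviour Ron describes (first contact from an unknown sender is rejected with a temporary status, the retry is accepted, and "fire and forget" senders never come back), as an added Python simulation that is not part of the original post and not the code of any real MTA. The triplet key, the minimum retry delay, the pending window and the remember period are assumed values in the spirit of common greylisting setups; the sample sessions are constructed:

```python
"""Greylisting simulation keyed on (client network, sender, recipient).
Added example, not an MTA's implementation; timings are assumed defaults."""
import ipaddress


class Greylist:
    def __init__(self, min_delay=300, pending_window=4 * 3600, remember=36 * 24 * 3600):
        self.min_delay = min_delay            # retry must come at least this late
        self.pending_window = pending_window  # forget a first contact after this
        self.remember = remember              # a passed triplet stays whitelisted
        self.pending = {}  # triplet -> time of first contact
        self.passed = {}   # triplet -> time of last accepted delivery

    @staticmethod
    def key(client_ip, sender, recipient):
        # Key on the /24 (or /64) so that a retry from a neighbouring MX in the
        # sender's pool still matches the first contact.
        addr = ipaddress.ip_address(client_ip)
        bits = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network("%s/%d" % (client_ip, bits), strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return (smtp_code, reason) for a RCPT TO at time `now` (seconds)."""
        k = self.key(client_ip, sender, recipient)
        last = self.passed.get(k)
        if last is not None and now - last < self.remember:
            self.passed[k] = now               # refresh the whitelist entry
            return "250", "known triplet"
        first = self.pending.get(k)
        if first is None or now - first > self.pending_window:
            self.pending[k] = now              # new or stale: start greylisting
            return "451", "greylisted, try again later"
        if now - first < self.min_delay:
            return "451", "retried too early"  # real MTAs back off; spam cannons hammer
        del self.pending[k]
        self.passed[k] = now
        return "250", "retry accepted"


if __name__ == "__main__":
    # constructed session: a proper MTA retries after ~5 minutes, a spam cannon never does
    g = Greylist()
    print(g.check("192.0.2.10", "news@example.org", "me@example.net", 1000))
    print(g.check("192.0.2.10", "news@example.org", "me@example.net", 1100))
    print(g.check("192.0.2.11", "news@example.org", "me@example.net", 1400))
    print(g.check("192.0.2.10", "news@example.org", "me@example.net", 5000))
```

The "retried too early" branch is what separates a standards-following mail server, which queues and retries after a few minutes, from a sender that simply reconnects immediately; the whitelist refresh on every accepted delivery is why a regular correspondent is only ever delayed once.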

Matty

Yeah they all went as spam..cron job started 30 October 9pm....but 'wait there's more!'

Not only was a 'cron job' set up (user logged in to my website two weeks ago and edited part of it- setting up an automated script) but my private journal..I checked this morning...which is inaccessible supposedly to casual browsing (password protected)....has been read by over 1500+ different ip addresses since July last year - and these are not my IPs.


Interesting? (I measure how long they read it for as well - so it's not just bots)


Interesting..since it should be inaccessible but instead over 1500 ip addresses or more have since July last year been reading my blog...which should not be visible...what they'd find interesting who knows?

Matty

From my journal...

   Curious "Carl"

There's a user on my space game "Carl" who in the last little while has supposedly played 800 to 900 battles.

Normally I'd be highly pleased with this. Why not though?

If that many battles were played I'd have that many replay files on my site - each about 4 to 5mb.

My site would be telling me that I've exceeded my storage capacity.

This means that user "Carl" has not actually played the game but has done one of two things.

1. Directly entered a number into the database.

2. Entered data manually by calling a script that is mostly hidden from public view with secret codes known to myself and the program.

So...combined with the cron job being set to run on the 30th October at 9pm (which I can verify was not created by me nor set to run delayed by me in advance and forgotten) plus the apparent viewing of my private blog by thousands of unique ips demonstrates that while my public pages are relatively uninteresting to users at least some people have taken an interest in my private information.

Very curious indeed. Most curious.

They may not all be linked, but they also may be.

Thanks.

Derron

You might simply have a bug somewhere increasing the play count but not storing replays - or increasing the count multiple times for a single game.

As you surely store the time when a game was started/finished/... you can check if it is a "duplicate" error. If that is not the case then double check if there is a possibility for a replay not getting stored (eg player hits "back" right when seeing that his ship is dying ... your game already has sent the "game finished" step but the step to save the replay wasn't reached as the game was still "running" when the user informed the OS to abort the game by pressing "back").


@ private blog
Instead of using simple password authentication you can also blacklist "non-your-area" IPs - or whitelist the ones you know you are using often. If you think the one is also near you when hacking (public Wifi in a cafe you often use) then why not only whitelist your IP at home - and connect via VPN to your home computer if you really want to add/edit when not at home?
So in the end: having a "private diary" in the internet... is a bad idea. To not secure it properly, an even worse idea.

Is it a 3rd party diary-software-script or a custom solution? 3rd parties tend to have security flaws people can find on mailing lists. For custom software it always requires the author to do some stupid stuff (so bots can break in already by doing some fuzzy-attacks) or a serious interest by some human "hackers".



bye
Ron
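The triage Ron proposes for the suspicious play count (use the stored start/finish times to spot a counter that was incremented twice for one game, and separate games that were never finished from games that finished but have no replay file) as an added Python example. This is not Matty's game code and not Ron's; the record layout, the file naming and the sample records are constructed to illustrate the check:

```python
"""Reconcile battle records against replay files on disk.
Added example; record format, file names and data are constructed."""
from collections import Counter
from datetime import datetime, timedelta


def triage(records, replay_files):
    """records: dicts with player, started (datetime), finished (datetime or None),
    replay (file name or None). replay_files: set of names actually on disk.
    Returns the three suspicious categories Ron's post distinguishes."""
    report = {"duplicates": [], "unfinished": [], "missing_replay": []}
    seen = Counter((r["player"], r["started"]) for r in records)
    for r in records:
        if seen[(r["player"], r["started"])] > 1:
            report["duplicates"].append(r)      # same game counted twice
        if r["finished"] is None:
            report["unfinished"].append(r)      # "back" pressed before the save step
        elif r["replay"] not in replay_files:
            report["missing_replay"].append(r)  # finished, but nothing on disk
    return report


def player_counts(records, replay_files):
    """Recorded battles vs distinct replay files on disk, per player.
    A player with many records and few files is either a bug or a forged count."""
    out = {}
    for r in records:
        c = out.setdefault(r["player"], {"recorded": 0, "files": set()})
        c["recorded"] += 1
        if r["replay"] in replay_files:
            c["files"].add(r["replay"])
    return {p: {"recorded": c["recorded"], "replays_on_disk": len(c["files"])}
            for p, c in out.items()}


# Constructed sample data (not from Matty's server)
T0 = datetime(2018, 10, 30, 21, 0)
SAMPLE_RECORDS = [
    {"player": "Carl", "started": T0, "finished": T0 + timedelta(minutes=5), "replay": "carl_001.rep"},
    {"player": "Carl", "started": T0, "finished": T0 + timedelta(minutes=5), "replay": "carl_001.rep"},
    {"player": "Carl", "started": T0 + timedelta(hours=1), "finished": None, "replay": None},
    {"player": "Carl", "started": T0 + timedelta(hours=2), "finished": T0 + timedelta(hours=2, minutes=4), "replay": "carl_004.rep"},
    {"player": "Alice", "started": T0 + timedelta(hours=3), "finished": T0 + timedelta(hours=3, minutes=7), "replay": "alice_001.rep"},
]
SAMPLE_FILES = {"carl_001.rep", "alice_001.rep"}

if __name__ == "__main__":
    rep = triage(SAMPLE_RECORDS, SAMPLE_FILES)
    print({k: len(v) for k, v in rep.items()})
    print(player_counts(SAMPLE_RECORDS, SAMPLE_FILES))
```

Duplicate start times point at a double increment in the game code; unfinished records without a replay are the "player hit back" case Ron describes; finished records whose replay file is absent are the ones that warrant a closer look at how the count was written, since the game itself should have produced the file.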

Matty

Well Derron...the user Carl just changed their name to Samson which is impossible in my interface without entering the back end. So that explains that it has not been done through a script or an error in my code.