The vb forum spammers have found us

User1

RETIRED Admin, pm OFF
We have been getting silently attacked by spamming bots for about a year now, ever since I put 'Son of Xweb' online, these bots have been hammering away at our registration page, members list, user profile pages etc, this is to be expected since there are myriad vb forum spamming bot programs out there, but very early on I implemented a number of "countermeasures" to prevent these bots ever getting through the door or being able to access these things...

But now, it seems, there are a few spammers out there who are taking it to the next level... I have had to perma-ban 2 new user accounts in the past 48 hours that were created by forum spammers... so, it seems, someone out there has an actual human doing the signup procedure to create spammer accounts here... Mark, Eric, Gregory, when I retire at the end of April, you guys are going to have to keep a sharp eye on new user registrations to preemptively ban these idiots when they sign up...

So far, the trend is, they're entering "123456" in the "about my X1/9s" field of registration... if you see that, don't even bother waiting for them to make a first post, just permaban em. I am going to have to figure out some new custom preventive measures to add to the signup process, that can even screw up a human spammer, but as well, we're just going to have to shoot em down as they show up.

In the future I'd prefer to set up a means by which we can just delete them completely from the db, but for now, it's important that we put their accounts in permanent ban status as opposed to just deleting them. Permaban will take all their signup info (emails, ip addys etc) and prevent those from future signups, whereas deleting the account would allow them to sign right back up again with same credentials.. it hardly makes a difference since they use ip scramblers/forgers and have hacked gmail so the likelihood of dupe info on signup is remote anyway, but ...
 
crap data

I wish we could do something to 'blow em up' but there's not much. We really are fighting a tech countermeasures type of battle with them. Like speeders vs cops, cops get radios, speeders get scanners, cops scramble and digitize the frequencies, speeders buy digital trunking scanners, cops get radar, speeders get radar detectors, cops get laser/lidar, speeders get laser/lidar detectors... cops get speeders red handed, speeders get attorneys ;) this ongoing internet-wide battle between forum operators and spammers is very much like that... and it is by its very nature and a sort of software Moore's law, an ongoing open-ended concern, not something either side can definitively 'beat'...

It is just the price of admission / cost of doing business of running an internet forum these days... can't see the spammers quitting any time soon either

What I have done with 'Son of' so far has pretty much gone like this:

Stock out of box, our system (vb) has numerous identifiers all over it from its makers. I paid extra initially for licensing this forum software to Xweb to run 'stealth' (all those identifiers removed forever from our specific installation) as bots were/are using google queries to find forums running this code to go attack. Their counter was to develop queries that search things even the stealth mode vb still has embedded deeper in its code (the way certain functions of the site are hard coded for example) to search for instead...

The counter to that is email account verification. We tweak the forum to force everyone signing up to do so with submittal of a valid email address to log and the forum actually verifies its validity via email link one must click to validate before ever completing registration. Their response is of course to develop bots that can hack fake email signups at sites like gmail, yahoomail etc for the purpose and autorespond as well.

The counter to that is for us to implement 'vericode' signup process. This is the jpg or gif image of random text you have to enter to complete signup. Their response is to develop bots that are capable of scanning such images and extrapolating the text to send to the server replicating a human response to proceed.

The counter to that is for us to implement unhackable 'vericode' boxes for signup - we now use one called "ReCaptcha", which is the same principle but evolved to a more secure degree. It is to my knowledge currently the ONLY one left that has never been successfully cracked by bots, so the spambots can no longer get accounts. The spammer response to this, while they are doggedly working to crack that, which one day they probably will, has been to hire actual humans to perform the step the bots can't. The bots find sites to hit and the list is reviewed by a human who will then go perform the step the bot can't get past, then turn it back over to the bot to complete the reg and subsequent posting to forum..

So far the forum owners' responses to that are varied. Loads of IP blocking not only at the forum admincp level but at the actual server cpanel level so not only can they not get to the reg page, they cannot even land on the site domain period. As we speak the 'Son of Xweb' server itself is blocking loads of bots away from even seeing the site at all from various locales in Russia and China and some neighboring areas... this works fine to a limited degree but if you have to block too many this way eventually it will snowball to a point where you are no doubt having to block out SOME legit users for being in the same region as spammers...

Other forum owners are doing things like embedding "hidden/secret" form fields in the reg page, so a bot can't see them, that a human has to answer some 'custom' question in type to get past and the bots choke on it, the developers/spammers respond by building features into the bots to detect hidden fields and throw some garbage into them.

The webmasters then get more specific and make you answer a site-related question (in our case something like a math problem you have to read and comprehend in order to answer, or a question like "what is the name of the webhost of the original Xweb?" (Network54) that even a human spammer would not be able to accurately answer out-of-hand, but legit users probably could), but even still, if you make it all too much of a pita, even otherwise legit would-be-users will not bother to sign up, so, it's a balancing act all the way down the line...

Right now, 'Son of Xweb' is right about here in the battle. What we do next, I am not certain, we may have to implement some more human X1/9 oriented Q&A into the reg process.... stay tuned....
 
If there's a person signing up,

Even veri-code won't help you. WE, on the other hand, will help you by letting the mods know. Ultimately, your best defense:jedi:.
 
Agreed

100% that is correct. The only "real" way to defeat them is to shut their accounts down (ideally their any hope of getting accounts, but realistically...) the very instant they have somehow revealed their presence here. Users can do that by clicking "report this post" in the top right corner of any spam post on the site and this will give you a form that IDs you, and that post, to Mark, Eric and Gregory at once via email. Or if you see a suspect profile sitting silently in the members list, you can use the 'contact us' link at the bottom of the forum to notify the guys of that username to look into as well

For us mods, I have been actively reviewing every individual signup on the site as they occur. I google emails, ips, usernames, this human googling verification of new signups is to date the fastest and most effective way to spot spammers before they ever post. I do not know whether the guys are going to go to that length once I'm retired, but in either case, even before a spammer ever posts, you can almost always tell why they are here by just looking at their new account's user profile page in the Xweb members list, there will most likely be some garbage links to non-X stuff or a sales pitch for some online pharma or similar bs etc.

When I ban these I actually go in admincp and blow all that out, banning also shuts off their PMs (these bots, some of them, can also send pms on our system if they have a functional user account here, so you could get pm spam as well as them just posting junk, this, and the fact a valid account can also view the full members list and send email via that to users who have enabled 'allow others to email me' in usercp, is why we're trying to be highly preemptive in shutting them down "asafp" when any of them successfully complete reg...)

In the end though yes no matter what lengths we go to in our battle to defend Xweb's turf from spammers of the world, there will always inevitably be a few that still get through and arrive here. That is where we can only do one thing else -- blast em! :guns:
 
I suggest forcing users to verify their email address upon registration. Also enable the re-captcha system, or consider enabling the "Respond to a question" system.
 
In the German X1/9 Forum we have NO spam bots since January 2007. :thumbsup:
This was a serious problem before.
I've modified the registration php script a little bit. I've added an individual additional question, and now it is quiet.

- Dierk
 
we already did

All those options I enumerated above were 'historical' to get readers up to speed as to what has already been implemented here. The only thing I mentioned that we have not already put in place a long time ago is the possible custom site-specific Q&A addition, which is where we are now... and I am about to go do that as soon as time permits...

Just keep your eyes peeled on the "newest member" area of the index page, folks, and to any user accounts enthusiastically profiling some non-X content or '123456' X1/9s :rolleyes: on their member list profile... and report any spam you ever find in any forum section (df, wf, fsw, nfc, calendar, profiles, pm) by clicking "report post" in the top right corner of any post, or 'contact us' at the bottom of any page. That is about all we can do else for now ...
 
yes yes yes

'Son of Xweb' is right behind ya! :D ;)

What concerns me more than the custom q&a is what comes next from "them"? I keep hearing rumors on the webmaster scene that it's gonna be "any time now" that ReCaptcha gets popped... what then? I guess we'll see..... :rolleyes:
 
Just yesterday I deleted a post by a spammer. I assume you've banned the account? I didn't know to do that, so thanks.
 
You did?

Oh I wonder whether it was our new friend 'Lestjesttubs' or our other new friend 'JasminBerkova'? :hmm:

It's fine, I did briefly talk spammer recon/cm with you guys a while back but I never went into this depth of detail on it, at the time we had more pressing concerns to go over (servers accesses, future wiki cfg, the mirror, vb & n54 'care and feeding' etc)

We'll be ok... we just have to continuously keep an eye on the spammer development front vs vb, and be ready to respond with whatever new site hacks/mods as time goes on... that's about all there is to it. I'm going to go hack the reg for custom q&a now
 
I like the Quiz idea...

We can grill 'em on stuff like what is the first gear ratio on a 1981 X, how many head bolts on a 1985 X, how many different distinct instrument panel styles have there been, etc...

Or you could implement this tried and true system:
http://www.youtube.com/watch?v=y2R3FvS4xr4
 
Updated countermeasures installed

I have just added today a couple of new things to the registration process (invisible to user view) to hopefully aid in reducing successful spam signups...

First I further modified our server's "robots.txt" file to disallow all bots (for good or ill) from most pages of the site that are of the nature spammers want to reach (reg, post, calendar, profiles, memberlist, etc) while still (in theory) permitting google yahoo etc to crawl our post archive. Not all bots (especially the rude ones) pay any attention to the txt file but it may catch some so it's still worth doing

Next I've implemented an aftermarket vb hack or two to the reg process itself. I (for now) did not add any site specific challenge questions, but instead, I've added some additional hidden fields that have hash values in them that must be retrieved from and exactly resubmitted to the db for validation (this is invisible to a user but kills bots that try to submit reg data directly to server bypassing the signup page) and imposes a limit on how fast the reg page submittal can be made (most bots submit inhumanly fast) so only someone taking the time to fill out the form, or a bot programmed with a ridiculously long delay, would get past that hurdle as well..

I've tested the new reg setup and it did allow me (a human) to get all the way through without giving any errors during the process :) so it's working. This still is not going to stop all, especially if there are humans doing it, but for now, it is a substantially stronger (bot-wise) authentication setup in general. I may yet still add some X-oriented challenge question to top it all off, but I'd like to wait a bit now to gauge what impact (if any) these tweaks have had...
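
As an added illustration (not part of the original post, and not the vBulletin hack installed on the forum), the hidden-token and minimum-fill-time checks described in the post above, together with the honeypot field mentioned earlier in the thread, could look like this in Python. The field names `form_token` and `website`, both thresholds, and the in-memory dictionary standing in for the database are assumptions.

```python
import secrets
import time

MIN_FILL_SECONDS = 5    # assumed threshold: anything faster is treated as a bot
MAX_TOKEN_AGE = 3600    # assumed: a rendered signup form is valid for one hour
_issued = {}            # token -> issue time; stands in for the forum's db table


def issue_form_token(now=None):
    """Run when the signup page is rendered; the value goes in a hidden field."""
    token = secrets.token_hex(16)
    _issued[token] = time.time() if now is None else now
    return token


def check_registration(form, now=None):
    """Return (accepted, reason) for a submitted registration form (a dict)."""
    now = time.time() if now is None else now
    # Honeypot: 'website' is hidden by CSS, so a human leaves it empty.
    if form.get("website", ""):
        return False, "honeypot field filled"
    # pop() makes every token single-use: a direct POST that never loaded the
    # page has no token, and a captured token cannot be replayed.
    issued_at = _issued.pop(form.get("form_token", ""), None)
    if issued_at is None:
        return False, "missing or unknown token"
    age = now - issued_at
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_TOKEN_AGE:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions, with a fixed clock so the run is repeatable.
    t0 = 1_000_000.0
    human = {"username": "x19fan", "form_token": issue_form_token(t0)}
    print(check_registration(human, now=t0 + 40))         # (True, 'ok')
    print(check_registration(human, now=t0 + 50))         # replay is rejected
    fast = {"username": "bot1", "form_token": issue_form_token(t0)}
    print(check_registration(fast, now=t0 + 0.3))          # too fast
    print(check_registration({"username": "bot2"}, now=t0))  # direct POST
```

A too-fast submission also consumes its token, so the form has to be reloaded before a retry; none of these checks stops a human filling in the form at normal speed.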
 
Hey Mac. How about having one sign up for Members (requiring VIN numbers for cars) This way you will know the day the new owner of the (silver) car shows up...:eyepop:

And one sign up for Guests...:)
 
hi jjay ,

that's a good idea about the vin number , because being new to this site and "x" cars I would not have a clue about mechanical questions ?
and fail to get on here ! :(

Phil
 
No good idea. Not all have an X. Some have more than one and others don't want to tell the VIN.
 
IP range blocking.

Mac, what about just blocking ranges of IPs from "known bad" IP ranges. I have seen these available and that this can be done. I mean....we'd of course be losing that wily X1/9 contingent from Nigeria and surrounding areas, but hey, maybe they can live without us as there are plenty of X1/9 craigslist ads to spam.
 
my new house post ...

my new house post with photos was deleted ......
I always wanted to ask why .......
was it considered spam ?:huh:
 