
Multiple Similar IPs, Legitimate Members, and Spam

Started by mcpheex3, April 28, 2016, 12:01:00 PM


mcpheex3

I have been getting numerous member requests from similar IP addresses. Several of them are identified as SPAM on BotScout. However, then I had one new member that I know is a legitimate person and her IP address is similar to the spammer's. Also, once people have registered and been accepted, their IP address is somehow now different.

For example the following list was all on the same day (starred ones came up as spammers and I realize not all will show up so could still be spammers):

108.162.245.236
108.162.221.91*
108.162.216.69*
108.162.245.217
108.162.2456.247

But:
108.162.250.244 (paper_M) is a legitimate person, nonspammer who requested membership at the same time.
However, here is another weird thing: 122.150.132.80 (Jane_L) also requested membership that day and responded to my email request with a normal, appropriate response. (I ask why they want to join.)

However, the person (Jane_L) when she registered, her IP was: 122.150.132.80. It is now showing on the forum as 108.162.250.246. So what gives?

At the same time, I have another set of IP numbers doing the same thing:

162.158.38.52
162.158.255.48*
162.158.255.51*
162.158.166.25

And then I have 162.158.152.41 registered as PeetG. PeetG has emailed with an appropriate response. So I approved him. Then I checked his membership and suddenly his IP was 127.0.0.1 which has 15 pages of spam reports on BotScout!!! So I deleted him and now he is emailing me again asking what happened.

Help! What is happening? Is the IP masked for the request for membership and then the real IP shows up once they are members or vice versa? How did real member, 108.162.250.244 get mixed up in all this?

Thank you in advance for any insight.

Illori

127.0.0.1 is your local machine ip address. it should not be an address used on the internet. if you see that address being used maybe question it, but i would not just go delete accounts just because their ip address is listed on some site somewhere. do some further research into the ip addresses and the user behind the ip address then consider banning or deleting the account.

a10

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

mcpheex3

Interestingly enough, this all started immediately after I moved the site to cloudflare.

Kindred

Basically -- trying to identify or ban spammers by IP address is worse than useless.
they can change their IP address in 30 seconds....   and then a real person might get that IP address in random assignment and you have now blocked them

the anti-spam databases should really stop listing IP addresses as spam-identifiers.

If you are having issues with spammers, then you are going about it all wrong.
http://wiki.simplemachines.org/smf/Spam_-_my_forum_is_flooded_with_spam,_what_can_I_do

the best thing you can do is add 10-20 questions, asking 2-3 from that pool at registration


also, cloudflare is basically useless for forums...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

mcpheex3

If that is true, it should not be, but it is.

So how does someone register with the IP address 108.162.221.80 and then after the registration is accepted, their IP address is suddenly listed as 127.0.0.1?

Sorry, not sorry, but I will delete an account every time if I think it is a threat to my forum and then re-add the person later if it turns out not an issue. Clearly, someone is trying to gain access to my forum.

Quote from: Illori on April 28, 2016, 12:14:10 PM
127.0.0.1 is your local machine ip address. it should not be an address used on the internet. if you see that address being used maybe question it, but i would not just go delete accounts just because their ip address is listed on some site somewhere. do some further research into the ip addresses and the user behind the ip address then consider banning or deleting the account.

mcpheex3

I already do this. I have two questions out of ten that must be answered to apply for membership. Then I approve each member. Then they must answer 2 out of ten questions each time they post for the first few posts. This has eliminated all spammers. However, I am getting membership requests from the repeat IPs. I'm not going to approve them unless I know they are legitimate members.

Quote from: Kindred on April 28, 2016, 12:33:41 PM

If you are having issues with spammers, then you are going about it all wrong.
http://wiki.simplemachines.org/smf/Spam_-_my_forum_is_flooded_with_spam,_what_can_I_do

the best thing you can do is add 10-20 questions, asking 2-3 from that pool at registration


also, cloudflare is basically useless for forums...

mcpheex3

So can anyone answer how I can have 20 member requests with a similar IP address in one day if it is not a spammer?

Illori

if your ISP sets you up for a dynamic ip address, it changes every time you reconnect to the internet. so if your internet connection is not stable you may end up with many ip addresses in one day.

mcpheex3

Quote from: Illori on April 28, 2016, 12:14:10 PM
...but i would not just go delete accounts just because their ip address is listed on some site somewhere. do some further research into the ip addresses and the user behind the ip address then consider banning or deleting the account.

I did that as well. So PeetG requested membership about 5 times all with different usernames and emails. I sent him an email after he inquired about his membership request and asked, "Can you explain why we have had multiple sign ups throughout the week all using your IP address?"
He responded, "I did not properly read the message that I need to wait for the confirmation from admin - therefore I tried numerous times to get access/login.  When you had to answer the two questions it gave me error messages and I tried several times before it was eventually accepted."

So is this a legitimate member and he is thinking of something completely different from what I am asking him or is he a spammer trying to gain access to the forum? (That question is semi-rhetorical.)

mcpheex3

Quote from: Illori on April 28, 2016, 12:48:55 PM
if your ISP sets you up for a dynamic ip address, it changes every time you reconnect to the internet. so if your internet connection is not stable you may end up with many ip addresses in one day.

OK, but not with different usernames and emails.

mcpheex3

Quote from: a10 on April 28, 2016, 12:28:17 PM
Quote: Help! What is happening?

hint: cloudflare


OHHHH! I get it now. Ugh. Thank you.
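
Added example, not part of the original thread and not SMF or Cloudflare code: the "similar" addresses in this thread fall inside Cloudflare's published edge ranges, so behind the proxy the forum logs the edge node unless the visitor address is taken from the `CF-Connecting-IP` header. The sketch below classifies the thread's addresses and shows the header being honoured only when the connecting peer is a Cloudflare edge. Assumptions: only the two Cloudflare ranges relevant here are embedded, `headers` is a plain dict with exact-case keys, and the function names and sample requests are constructed for illustration.

```python
import ipaddress

# Snapshot of two of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/)
# that cover the addresses in this thread; a real deployment loads the full, current list.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("108.162.192.0/18", "162.158.0.0/15")]


def classify(ip_text):
    """Say what an address logged by the forum actually identifies."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in CLOUDFLARE_RANGES):
        return "cloudflare-edge"
    return "direct"


def resolve_client_ip(peer_ip, headers):
    """Return the visitor address to log for a request.

    CF-Connecting-IP is honoured only when the TCP peer is a Cloudflare edge;
    from any other peer the header is client-controlled and is ignored.
    """
    if classify(peer_ip) != "cloudflare-edge":
        return peer_ip
    claimed = headers.get("CF-Connecting-IP", "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer_ip  # header missing or malformed: keep the edge address


# Addresses quoted in the thread.
THREAD_IPS = ["108.162.245.236", "108.162.221.91", "108.162.250.244", "162.158.255.48",
              "162.158.152.41", "122.150.132.80", "127.0.0.1", "108.162.2456.247"]

if __name__ == "__main__":
    for ip in THREAD_IPS:
        print(f"{ip:18} {classify(ip)}")
    # Constructed request: a visitor address arriving through an edge node.
    print(resolve_client_ip("108.162.250.246", {"CF-Connecting-IP": "122.150.132.80"}))
    # Constructed request: a direct client sending the header itself.
    print(resolve_client_ip("203.0.113.9", {"CF-Connecting-IP": "127.0.0.1"}))
```

A reputation lookup such as BotScout run against an edge address scores every visitor routed through that node, so it is only meaningful after the visitor address has been restored this way.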
