Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Oscworth on November 16, 2012, 04:37:52 AM

Title: Spammers Registering even with Registration Disabled (reg'd not activated)
Post by: Oscworth on November 16, 2012, 04:37:52 AM
Last night I started getting spammed on my forum so did the usual: remove posts, ban user.
The spammers just kept registering so after about another 10 users registered I decided to disable registration but they keep on coming.

This morning I set registration to admin approval and got 8 waiting for approval in a matter of minutes.
Now I've taken the forum offline until I find out how to stop it.

Has anyone got any suggestions?   
Anyone else having this problem?

How are they registering with it disabled?

SMF 2.0.2 
Title: Re: Spammers Registering even with Registration Disabled
Post by: ziycon on November 16, 2012, 04:42:42 AM
Have a look at using the below mod, make sure you set it up with an API key from the honeypot project.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Storman™ on November 16, 2012, 04:43:55 AM
Also, do you have any Registration Verification questions set-up ?

If not, then set a few up in:

Admin --> Configuration --> Security and Moderation --> Anti-Spam

Add at least two questions.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 06:08:37 AM
Thanks for the very quick replies  ;)

I already had the captcha with 2 questions set up and, up until last night, it seemed to be working with only the occasional reg from a spammer.

Trying to set up the honeypot stuff at the moment but finding it a bit confusing in my current stressed out state.
What worries me the most about this is the fact they can register even with SMF set to "disable registration"   What else are these people able to do..... :o

How secure is SMF?????? 
I've had this forum running since 2007 and this is the first time it's ever been attacked like this....
Title: Re: Spammers Registering even with Registration Disabled
Post by: ziycon on November 16, 2012, 06:10:43 AM
Have you any mods installed relating to registration?
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 06:16:44 AM
These mods are installed atm

1.    View Voters at Polls 1.0
2.    Team Page 1.1.6    
3.    Users Online Today    2.0.1    
4.    Aeva Media    1.4w    
5.    Quick Translation 0.7 beta
6.    New Hooks    0.2
7.    Dream Portal    1.0.5    
8.    Welcome Topic Mod 2.1    
9.    Highslide 4 SMF
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 06:51:22 AM
The Honeypot is now active   ;D 

24 new members in the time taken to setup the honeypot....see attached

I really appreciate the advice  thank you!
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 07:33:53 AM
As far as I am concerned I've set up the honeypot correctly but I'm still getting members.

Reg disabled didn't stop them from registering and they could still post.
Reg set to admin approval allows the reg but they can't post.

Title: Re: Spammers Registering even with Registration Disabled
Post by: ziycon on November 16, 2012, 07:40:36 AM
This may be an issue with the Dream Portal mod, does it handle registrations when installed? Maybe pop over to the Dream Portal mod support thread and ask if this has been reported before.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 07:44:48 AM
I was just wondering the same thing.  I know they have recently released an updated version perhaps I should look into that.

Would disabling the portal be an accurate test to see if it helps?
Title: Re: Spammers Registering even with Registration Disabled
Post by: ziycon on November 16, 2012, 08:11:48 AM
Uninstalling the mod should tell you if the mod is responsible or not.
Title: Re: Spammers Registering even with Registration Disabled
Post by: charlottezweb on November 16, 2012, 08:18:13 AM
For the record, in the last 24 hours we've seen HUGE increases in spam registrations -- 100's in a day for several different sites that would get 1 or 2 a week otherwise.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 08:21:36 AM
I've uninstalled the portal....

members waiting for approval is up to 31 now....I'm just keeping track (action:uninstalled DP)
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 08:32:29 AM
Also just for the record,  the forum is running within a joomla 2.5.8 website and this hasn't had any new registrations since the forum started being attacked.

Edit: The 2 aren't linked and are kept on separate DBs
Title: Re: Spammers Registering even with Registration Disabled
Post by: mrintech on November 16, 2012, 09:05:57 AM
Get this mod: and configure it properly :)

AFAIK this MOD is pure PITA for bad bots ;)
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 09:10:22 AM
Since uninstalling Dream Portal I have had 4 new spam/member joined. 

I'm pretty sure the Honeypot is working as the amount of new members has slowed down.
I have been putting IPs from the list into the IP checker on the honeypot site.  The latest ones to join the forum weren't on their list of known spammers but quite a few are on there, which to me says it's blocking and slowing the amount joining.

Thanks mrintech I will check it out.
Title: Re: Spammers Registering even with Registration Disabled
Post by: ziycon on November 16, 2012, 11:02:03 AM
Good to see it's slowing down for you, keep an eye on it over the next day or so.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 11:27:06 AM
I've had 10 new registrations in the past 4 hours.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 01:03:30 PM
With the registration set to admin approval I stopped the spambots posting but when I started adding the accounts waiting for approval to the bans list and then deleting the accounts they started registering as fast as I could remove them.
Even accounts that were already added to the bans list were able to register.  I now feel like I've lost control and my faith in SMF's security.

I have now put the forum into Maintenance Mode and this is stopping them  (he says expecting it to start again soon)

I am at a total loss what to do  :(
Title: Re: Spammers Registering even with Registration Disabled
Post by: GreenMotion on November 16, 2012, 01:09:42 PM
I have the "Stop Spammer" MOD installed and it does a great job identifying the spammers and not giving them access to my forum.

But with that said, I have seen a HUGE increase in SPAM requests in the last couple of days. During the weeks and months leading up to this week I've only had a couple of spammers a week, at most.

However, since yesterday or so, I have started to experience hundreds of spammers a day. No idea why there is such an influx all of a sudden. Very annoying!

I cleared all the spammers out a couple of hours ago and when I just logged in, I had a notification that 45 spammers were detected and awaiting my review with acceptance or denial. Crazy!
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 01:22:04 PM
Hi GreenMotion,

Very sorry to hear you are being hit as well.  I appreciate your suggestion to try "Stop Spammer"
I have spent all day trying to stop this happening and removing them but now feel due to the fact that these bots know how to circumnavigate even turning off registration that they have the upper hand on SMF.

Perhaps I haven't set up what I've tried properly but the fact that I'm not the only one suggests that maybe the developers of SMF might need to look at how these spammers are getting through.

Title: Re: Spammers Registering even with Registration Disabled
Post by: Kindred on November 16, 2012, 01:48:36 PM
ok... I don't know what you specifically have configured... but if they are bypassing registration restrictions, then you definitely have something MISconfigured.

I have a forum with 2 questions, the badbehavior+httpBL mod and the stopSpammer mod.
I get ZERO spam registrations that get through.
For the first few weeks I got 10-20 flagged registrations/week and just deleted them (did not bother to ban anything)
now I get maybe 1-2 a month.
(and I have user-activation as my registration method)

So, there is nothing wrong with SMF's security
Title: Re: Spammers Registering even with Registration Disabled
Post by: ziycon on November 16, 2012, 01:58:14 PM
I would recommend that if you're worried about the security, disable all mods and set the default theme for the site and make sure the registration verification question is set, make sure it's not something simple like a yes or no question, make it a question specific to the genre of your forum.
Also make sure that httpbl is installed and working, if you want me to double check this for you, let me know by pm.

I have httpbl as the only anti-spam mod and a registration verification question and I get no spam registrations for the past year.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 02:07:30 PM
Up until last night when this started I only had smf anti spam with 2 questions and no other spam stopping mods installed.
I only ever had user activation and never had more than 1 or 2 spammers a month with occasional peaks but nothing to worry about.   It has been this way for years.

Today I set up httpBL which says it is configured correctly in the admin cp. I also installed a firewall mod which I don't think is properly set up as I've spent most of the day removing unwanted members.
I'm not an expert with smf but I have been using it since 2007 and also have other smf forums with just captcha that aren't being attacked
Title: Re: Spammers Registering even with Registration Disabled
Post by: Kindred on November 16, 2012, 03:14:14 PM
Unless you know what you are doing, the firewall mod is dangerous... because you can lock yourself out of your own site if it is improperly configured.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 03:38:53 PM
Thanks for the heads up Kindred....tbh I didn't want it but was willing to try it.

I once locked myself out of one of my Joomla sites using something similar  :-[  Took me awhile to get back in.
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 05:06:47 PM
Glad to see we're not alone.  We run this site (smf 2.0.2):

...and got a sudden influx of Russian spammers.  Figured they must be human to get past our very specific registration question, so turned off registration altogether figuring these humans would get bored after a week or so - and yet they are still registering.

Someone has figured a way past the registration system, which must be a serious security breach with SMF.

Mods are:

Ignore Board In New Posts    1.0
Anti-SID(PHPSESSID) canonical tag    0.6
SMF 2.0.2 Update    1.0
Additional Instant Messengers    1.0.1
Today's Posts    1.1 
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 05:29:24 PM
I've made our register.php non-readable by the webserver, I'm pretty sure that'll stop them.

Not the best long term solution though!
Title: Re: Spammers Registering even with Registration Disabled
Post by: Herman's Mixen on November 16, 2012, 05:39:24 PM
I would also recommend that under the registration settings you disable "Allow users to register using OpenID" just for the record.
Title: Re: Spammers Registering even with Registration Disabled
Post by: emanuele on November 16, 2012, 05:43:46 PM
Could any of you provide some logs of the events? In particular of course something that covers the period when the bots are registering with registrations disabled?
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 05:47:32 PM
Logs of the event:
- [16/Nov/2012:21:44:37 +0000] "GET /forum/index.php?action=activate;u=664;code=23284ecf2d HTTP/1.0" 200 9616 ";u=664;code=23284ecf2d" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:38 +0000] "POST /forum/index.php?PHPSESSID=vjlor26qiltqegaic623h6ff41&action=login2 HTTP/1.0" 302 0 ";u=664;code=23284ecf2d" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:38 +0000] "GET /forum/index.php?action=login2;sa=check;member=664 HTTP/1.0" 302 0 ";sa=check;member=664" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:39 +0000] "GET /forum/index.php HTTP/1.0" 200 26740 "http://www.biopowe" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:40 +0000] "GET /forum/index.php?action=profile HTTP/1.0" 200 13614 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:41 +0000] "GET /forum/index.php?action=profile;area=forumprofile HTTP/1.0" 200 27711 ";area=forumprofile" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:42 +0000] "POST /forum/index.php?action=profile;area=forumprofile;u=664;save HTTP/1.0" 302 0 ";area=forumprofile" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:43 +0000] "GET /forum/index.php?action=profile;area=forumprofile;updated HTTP/1.0" 200 28369 ";area=forumprofile;updated" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:44 +0000] "POST /forum/index.php?action=profile;area=forumprofile;u=664;save HTTP/1.0" 302 0 ";area=forumprofile;updated" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:45 +0000] "GET /forum/index.php?action=profile;area=forumprofile;updated HTTP/1.0" 200 28360 ";area=forumprofile;updated" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:46 +0000] "GET /forum/index.php HTTP/1.0" 200 26740 "" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:47 +0000] "GET /forum/index.php/board,13.0.html HTTP/1.0" 200 38194 ",13.0.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:48 +0000] "GET /forum/index.php?action=post;board=13.0 HTTP/1.0" 200 42473 ";board=13.0" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:49 +0000] "POST /forum/index.php?action=post2;start=0;board=13 HTTP/1.0" 302 0 ";board=13.0" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
- [16/Nov/2012:21:44:50 +0000] "GET /forum/index.php/topic, HTTP/1.0" 200 26366 "," "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"

Title: Re: Spammers Registering even with Registration Disabled
Post by: emanuele on November 16, 2012, 05:51:23 PM
Quote from: tttonyyy on November 16, 2012, 05:47:32 PM
Logs of the event: - [16/Nov/2012:21:44:37 +0000] "GET /forum/index.php?action=activate;u=664;code=23284ecf2d HTTP/1.0" 200 9616 ";u=664;code=23284ecf2d" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.164 Safari/535.19 YE"
Nothing before this line?
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 06:09:47 PM
A lot unrelated before that line, however the only one I can find that may be relevant (same user agent?) is this, from a different IP:
- [16/Nov/2012:18:21:14 +0000] "GET /forum/index.php HTTP/1.0" 200 23956 "http://www.biop" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19"
- [16/Nov/2012:18:21:14 +0000] "GET /forum/index.php?PHPSESSID=psvk6cvi079kia0r3rr5v14k83&action=register HTTP/1.0" 200 7291 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19"
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 06:10:29 PM
Quote from: The Burglar! on November 16, 2012, 05:39:24 PM
I would also recommend that under the registration settings you disable "Allow users to register using OpenID" just for the record.

On our forum this has never been enabled.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 16, 2012, 06:11:43 PM
Quote from: tttonyyy on November 16, 2012, 06:10:29 PM
Quote from: The Burglar! on November 16, 2012, 05:39:24 PM
I would also recommend that under the registration settings you disable "Allow users to register using OpenID" just for the record.

On our forum this has never been enabled.

Same on our forum  never used it
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 06:19:23 PM
Possibly unrelated - but some very odd stuff earlier from another russian block IP:

... there are more lines like this.

The /w/ accesses refer to our wiki, which is bridged to use SMF authentication for wiki edit access.
Title: Re: Spammers Registering even with Registration Disabled
Post by: emanuele on November 16, 2012, 06:21:41 PM
You can use attachments you know? :P (or at least the code tag. ;))

ETA: could you please send me a complete log? (upload it to your server and send me the link by PM)
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 16, 2012, 06:26:49 PM
Quote from: emanuele on November 16, 2012, 06:21:41 PM
You can use attachments you know? :P (or at least the code tag. ;))

Sorry, I'll go back and edit.  Annoyingly my main machine has crashed its HDD today (overheating, long story) leaving me with an irritatingly restrictive netbook to check on the server and post here with.
Title: Re: Spammers Registering even with Registration Disabled
Post by: emanuele on November 17, 2012, 10:43:18 AM
tttonyyy I went through the log you sent me.
According to the information you provided I can see you disabling the registration at 13:33:08.
Starting from that time I can't see any single successful attempt to register. I can see several accesses to ?action=register, but all of them end there and the bot disappears.

For the record I can also see the moment you changed the permissions to the Register.php file, the first attempt is yours at 22:22:03.

I can also see a few IPs *activating* their accounts after you disabled the registrations:

all of them did the registration *before* you disabled the function (search the IPs in the log and you'll clearly see the registration action), but waited until later to actually activate the account.
Only for there is no access to ?action=register, that makes me think this bot registered not on the 16th, but at least the day before.

From the log file you sent me I cannot find any proof that there is any issue with SMF.
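
The check described in the post above (a register request before the cutoff, an activation after it), as an added Python example that is not part of the original thread and not SMF code. It assumes Combined Log Format with client IPs, the SMF URL actions `register`/`register2` and `activate`, and log timestamps in the same timezone as the 13:33:08 cutoff; all sample lines are constructed.

```python
import re
from datetime import datetime

# Combined Log Format: client, timestamp, method, URL (remaining fields ignored).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# Assumption: registration and activation appear as these SMF URL actions.
ACTION_RE = re.compile(r'[?;&]action=(register2?|activate)\b')

# Constructed sample lines (documentation-range IPs), not taken from the thread's log.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Nov/2012:12:58:11 +0000] "GET /forum/index.php?action=register HTTP/1.0" 200 9120 "-" "bot"
192.0.2.10 - - [16/Nov/2012:12:58:14 +0000] "POST /forum/index.php?action=register2 HTTP/1.0" 200 4312 "-" "bot"
198.51.100.7 - - [16/Nov/2012:13:40:02 +0000] "GET /forum/index.php?action=register HTTP/1.0" 200 3050 "-" "bot"
192.0.2.10 - - [16/Nov/2012:14:05:37 +0000] "GET /forum/index.php?action=activate;u=412;code=abc HTTP/1.0" 200 5210 "-" "bot"
203.0.113.5 - - [16/Nov/2012:15:12:09 +0000] "GET /forum/index.php?action=activate;u=398;code=def HTTP/1.0" 200 5210 "-" "bot"
"""
# Time registration was disabled (13:33:08 from the thread; timezone assumed to match the log).
CUTOFF = datetime.strptime("16/Nov/2012:13:33:08 +0000", "%d/%b/%Y:%H:%M:%S %z")

def parse(log_text):
    """Yield (client, time, action) for register/activate requests only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        a = m and ACTION_RE.search(m.group(4))
        if a:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, a.group(1)

def classify_late_activations(log_text, cutoff):
    """Map each client that activated after `cutoff` to an explanation."""
    reg_before, reg_after, late = set(), set(), {}
    for client, ts, action in parse(log_text):
        if action.startswith("register"):
            (reg_before if ts < cutoff else reg_after).add(client)
        elif ts >= cutoff:
            late[client] = ts
    result = {}
    for client in late:
        if client in reg_before:
            result[client] = "registered before cutoff"
        elif client in reg_after:
            result[client] = "register request after cutoff: inspect"
        else:
            result[client] = "no register request in this log"
    return result

if __name__ == "__main__":
    for client, verdict in classify_late_activations(SAMPLE_LOG, CUTOFF).items():
        print(client, "->", verdict)
```

Correlating by client IP undercounts when a bot registers from one address and activates from another, so a "no register request in this log" verdict should be checked against the member record's registration date.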
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 17, 2012, 10:54:05 AM
Fantastic - excellent news!  Activation after registration makes sense.  Much better than any bypass being discovered.

I'll re-enable the webserver's access to the file, but leave it disabled until they (hopefully) get bored.

Once again thank you for taking the time to look at this - it is much appreciated by our group.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Gort on November 17, 2012, 11:07:13 AM
My forum has been suffering from a sudden influx of spambots over the last few days like the posters above mentioned. I have the Stop Spammer mod on the forum and admin approval, which stops them from actually fully registering, so I can just delete the ones flagged as spammers. Anyway, over the last few days, despite having questions set, a lot of the bots were getting through the CAPTCHA and question to the attempt to register, which Stop Spammer blocked and I denied. Thing is, from a situation where I'd get one or two spambots a week, the last few days ended up with at least 50 (possibly 100, as another admin had also removed some), so a bit more work required for lazy me.

Well, I decided to look at my questions, increasing the questions needed to two and also managed to change them enough to stop the flood. A lot of my questions were a bit like, "What number is missing in this sequence: 4, 5, 7, 8, 9?", which I suppose a bot could easily work out, even though such questions worked fine in the past. Now all my questions are a bit more detailed and require a bit of thinking. Seems that this worked, as I haven't had a spambot for nearly 24 hours. So, for me, setting two questions and making them a bit more difficult seems to have worked... for now.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 17, 2012, 11:51:33 AM
Quote from: tttonyyy on November 17, 2012, 10:54:05 AM
Fantastic - excellent news!  Activation after registration makes sense.  Much better than any bypass being discovered.

I'll re-enable the webserver's access to the file, but leave it disabled until they (hopefully) get bored.

Once again thank you for taking the time to look at this - it is much appreciated by our group.

I gave access to ziycon on our forum so he could confirm the httpbl was set up correctly.  It is and has been blocking a lot of spammers.
Ziycon also came up with the conclusion that these bots were already registered. 
Last night I left registration turned off and got no new members but the httpbl did block 5 pages worth (150) bots. 

I personally still believe the bots weren't pre-registered as my forum isn't that busy and I always keep it clear of spammers.  I receive email of every new reg and a custom mod posts a welcome post which I remove within the hour during the day and check first thing in the morning.
The registering earlier and not activating is the logical explanation for making me believe they managed to register after it had been turned off.  I don't think any email is sent to admin until after the activation.  Or the httpbl is doing a great job, it certainly has been busy.

As soon as I turn registration on I start to get more members with admin approval so no way can I go back to email activation until things quieten down. 
For now I'm leaving the activation off....just to see if they manage to reg hoping they get bored trying.   I will report any findings & I also won't delete the accounts like I did before until they have been looked into.

A huge THANK YOU to ziycon for your time and expertise during the last few days.  Also thanks to the other admins who posted their experiences with the recent growth in bots.

Title: Re: Spammers Registering even with Registration Disabled
Post by: emanuele on November 17, 2012, 01:08:23 PM
Yep, the email to the admin is sent only when the user activates the account.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Krysia on November 17, 2012, 01:12:14 PM
I too have suddenly noticed an extreme influx of spamming on the forum I run. Baffling because we've had it set up for years without this kind of slamming, and then WHAM! Just over the course of 8 hours, my email box was flooded with 104 "new members" trying to join.

I've since installed the following mods (running SMF v 2.0.2):

I'm hoping this will do the trick. I'm also hoping that this is an issue that the future versions of SMF will take into consideration and incorporate into SMF automatically.

*Fingers crossed*!
Title: Re: Spammers Registering even with Registration Disabled
Post by: Gort on November 17, 2012, 01:25:48 PM
One thing I'd like is the ability to know which question was answered by a registered member if the question system is set up. It'd be useful to know which question failed to stop a bot from registering so that changes could be made to the offending question.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 17, 2012, 01:33:10 PM
Quote from: Gort on November 17, 2012, 01:25:48 PM
One thing I'd like is the ability to know which question was answered by a registered member if the question system is set up. It'd be useful to know which question failed to stop a bot from registering so that changes could be made to the offending question.

Aren't all questions required to be answered during registration?  I thought they had to all be answered correctly.

Quote from: emanuele on November 17, 2012, 01:08:23 PM
Yep, the email to the admin is sent only when the user activates the account.

Thanks for confirming that.
Title: Re: Spammers Registering even with Registration Disabled
Post by: xrunner on November 17, 2012, 01:35:36 PM
I had an influx myself starting yesterday, at least 30 spammers registering over the last few days. I tried a new verification question just for kicks. I kid you not - I've had ONE spammer try to register since simply adding this message. I have not added any other kind of anti-spam.

You can't post ANYTHING until an Admin approves your account based on spam databases and heuristic screening criteria - you will not be registered until this approval is complete - if you still wish to apply enter "notspammer" without the quotes in the box

Title: Re: Spammers Registering even with Registration Disabled
Post by: Shambles on November 17, 2012, 01:36:39 PM
Quote from: Oscworth on November 17, 2012, 01:33:10 PM
Aren't all questions required to be answered during registration?  I thought they had to all be answered correctly.

You set up a list of questions and specify how many will appear during the registration - that's how many 'they' will have to answer :)
Title: Re: Spammers Registering even with Registration Disabled
Post by: Gort on November 17, 2012, 02:09:00 PM
Quote from: Oscworth on November 17, 2012, 01:33:10 PM
Quote from: Gort on November 17, 2012, 01:25:48 PM
One thing I'd like is the ability to know which question was answered by a registered member if the question system is set up. It'd be useful to know which question failed to stop a bot from registering so that changes could be made to the offending question.

Aren't all questions required to be answered during registration?  I thought they had to all be answered correctly.

You set up several questions and you can set how many questions have to be answered by the one registering. The questions asked are chosen randomly from the list of questions you create. Currently, as far as I can make out, there is no way to know which random question was asked from the list of questions you have. If I knew which questions were answered, then I'd know which were weak enough to allow spambots to answer them, then change them accordingly.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 17, 2012, 02:15:43 PM
I have only 2 questions both required.....I thought it took them in order.

I will add some more. Thanks!
Title: Re: Spammers Registering even with Registration Disabled
Post by: Chalky on November 17, 2012, 03:58:10 PM
I have mine set to two questions out of a possible 7 (I keep adding more as I think them up) and although I see dozens of spam IPs trying to register every day in the Who's Online, in 5 months we have only had one spammer successfully register, and that one didn't get past admin approval.  I have Bad Behaviour installed but presently disabled as I don't see there's much point until they start getting past the verification questions ;)
Title: Re: Spammers Registering even with Registration Disabled
Post by: tttonyyy on November 20, 2012, 05:57:52 AM
I suspect that some of the bots farm all the questions into a database, and at some point a human goes through the database manually answering the questions, which are then used by the bots to get into forums.

So perhaps the answer is just to change the questions when a sudden influx of registrations is seen, as your questions have probably been answered and are in a database somewhere.

I'm pretty sure this is what happened to our forum - I re-enabled registration, got a flood of new registrations with the existing questions, changed them to a new set of questions and so far (fingers crossed) it has all been quiet.

Damn crafty these spammers.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Shambles on November 20, 2012, 06:15:55 AM
The best advice I ever got, regarding questions, was to gear the answers such that they are forum-specific.

EG, on my car forum I ask the colour of the background wallpaper, the manufacturer producing the car we specialise in, a reverse spelling of the main marque we deal with and so on.
Title: Re: Spammers Registering even with Registration Disabled
Post by: Oscworth on November 20, 2012, 06:43:50 AM
I have reopened registration too after having it turned off for a few days.  During that time httpbl blocked over 600 attempts from spammers.
Soon as registration was opened I got 1 new member/spammer but reg was set to admin approval.  Since then nothing.
I'm really happy that bombardment is over.

Thanks for sharing your tips on the security questions, I do plan on changing mine and adding a few more.
The idea of making them forum specific is a good idea especially as every time I go to add some I struggle to think of what to have  ;)
Title: Re: Spammers Registering even with Registration Disabled
Post by: Storman™ on November 20, 2012, 07:01:42 AM
Quote
The best advice I ever got, regarding questions, was to gear the answers such that they are forum-specific.

EG, on my car forum I ask the colour of the background wallpaper, the manufacturer producing the car we specialise in, a reverse spelling of the main marque we deal with and so on.

I agree with Shambles™, make your questions relevant to your forum so that possibly only people interested in the main subject matter would understand. Obviously not too complicated but many of these spammers originate from the Far East/Asia and won't understand the context. I've seen some really dumb answers which indicate that the person trying to register hasn't a clue. Also, seen lots of "human" registrations lately, again mainly from Far East.

Also consider supplementing spam mods with something like Crawlprotect:

It's great at blocking:

-some code injection attempts
-some SQL injection attempts
-some visits coming from crawler known as "Badbots" (crawlers used by hackers)
-some website copiers
-some shell command execution attempts
-known "bad" useragents.
