Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

[forumite]

FWIW several non-SMF forums I visit have been hit hard with spam the last couple of days. One of them had hard core porn images in the body of a message. I disabled the ability to post inline images in our forum a long time ago.

[glasschalice]

This might be a dumb question... should we install all three of the mods in the OP or just one?

[Deprecated]

No questions are dumb questions if you don't know the answers.

I didn't test the mods together, only singly. However, at the present time I see no need for more than one mod as long as it works. Assuming default theme (the only thing I tested), the two mods by karlbenson are the easiest to install and I suggest you try one of them first. The reCAPTCHA is the most difficult to install and requires a free account at the reCAPTCHA site so it takes a few more steps to set up, but it is the most robust of the three.

My advice is that if you want to fix things quickly and don't mind an interim solution, install one of the karlbenson mods (the puzzles or Are You Human?). If you want a robust solution that is likely to hold for quite some time, install MC's reCAPTCHA modification.

It is quite possible that one of the simple mods might hold them off for a very long time. It depends on how determined the bot masters are, and how many SMF forums adopt those mods. But no, I would not install all three mods. That's overkill at the present time.

[glasschalice]

Thank you!  I've installed the reCAPTCHA mod and signed up for one of their accounts.  I've also changed the age restriction and hopefully the two will weed out these creeps!

Thank you so much for all that you guys 'n gals do!  The dedication and support here are the best bar none and it is certainly appreciated!

[palofdru]

Do you just recommended completely deleting these accounts, rather than any type of banning then? I've banned 13 accounts so far this evening...

I agree with what Moto said in response, but there is a benefit to banning these spam accounts.
- you know have a record in the database. If their technology improves (or they start using humans as captha busters) the attempts will be recognized and will fail.

If google Chrome gets wide acceptance, we will no doubt see a plethora of creative attacks, as the faster Javascript engine will allow naughty sites to do a lot more under the hood (that would previously be noticed as a slowdown or dragging performance)

[JohnS]

Update - after tests the age limit is not fooling them, but putting the capcha to high is, at least for the moment, if that gets broken I will look at one of the other methods but as I am using several special themes it will take quite a while to implement that.

[breen]

Hopefully this might help a few people finding the source of the attacks, I just added my site to hxxp:digg.com [nonactive] and within seconds I had a tidal wave of spam bots.  I buried the digg article and the attacks instantly stopped.  Could be coincidence, but I thought I'd share my experience in case it helps someone out. 

[forumite]

Related question - if I change the required strength for user passwords (on the Admin|Registration page in SMF 1.1.7), does that only affect new registrations? i.e. will current members still be able to use their existing passwords?

[Blind Bandit]

I'd also like to point out that theres also, seemingly, been other coordinated attacks today.  For a short while today World of Warcraft's servers were almost completely inundated with traffic from a DoS attack.  A number of people in the hosting industry today informed me of DoS attacks going on against their datacenters.  For a short while we were also seeing odd requests on this forum happening. 

The best advice I can give administrators is to keep an eye on things.  Don't be afraid to ask questions though if you need help getting things cleaned up. 

Thanks for everyone's patience

Ya I can believe it, it seems Proboards has been the victim of at least 2 DoS attacks in the last few weeks.  One happened on the Ninth.

Hopefully this might help a few people finding the source of the attacks, I just added my site to digg.com and within seconds I had a tidal wave of spam bots.  I buried the digg article and the attacks instantly stopped.  Could be coincidence, but I thought I'd share my experience in case it helps someone out.

It could simply be the spambots are just really active right now.

[palofdru]

Hopefully this might help a few people finding the source of the attacks, I just added my site to digg.com and within seconds I had a tidal wave of spam bots.  I buried the digg article and the attacks instantly stopped.  Could be coincidence, but I thought I'd share my experience in case it helps someone out.

not remotely helpful. What is happening is, the spammers are directing their efforts on popular sites. Obviously, making your site LESS popular to avoid spammers, is only one step away from  shutting it down altogether. (this also keeps out spam)

[青山 素子]

I need to allow guest postings on several of my forums, can recapture mod be amended to include the guest posting options  please

using 1.1.7

Use the Visual Verification Options modification. It only shows the built-in verification (sorry, I haven't written a "bridge" mod to combine the two), but should stop most spam guest posts.

Related question - if I change the required strength for user passwords (on the Admin|Registration page in SMF 1.1.7), does that only affect new registrations? i.e. will current members still be able to use their existing passwords?

It will affect new registrations and any password changes. If an existing user tries to change their password, they will be subject to the new strength requirements.

[peterinwa]

Thanks for the info. I thought I had just achieved enough status that my little forum had become spambotworthy!

I DO have a very small forum, and I chose to simply disable the registration process; I will register people by hand.

But when I disabled it in the Admin panel, it caused the registration link to produce an error message. I thought about modifying code to remove the registration links, but then I thought visitors would get frustrated looking for them.

So I chose to change the messages:

http://www.simplemachines.org/community/index.php?topic=273663.0

My registration links now take you to text that tell you to click on Home, then my Instructions board, where it tells you how to register (send me an e-mail).

It's working great!

Peter

[farzad]

reCAPTCHA worked for me - medium of the built in did not.

[Paul Cull]

I, too, found that the attack started yesterday, when I was still running 1.1.16. Have since upgraded to 1.1.17, added an age limit, and have been blocking the IP addresses of the attackers.. looking in the logs, I can see that this has stopped repeat visits.

As I am running a board in Brazilian Portuguese, aimed at Brazilian users, I don't mind blocking the other countries from which the attacks are originating.

I did find it interesting that my board which is in Brazilian Portuguese is being attacked and have now turned the ability to select languages off, in addition to changing the captcha security level to high and making it so that administrator authorizes new users.

For what it is worth I have blocked the following IPs:

78.26.179.*     
79.143.177.*    
83.149.71.*    
84.243.196.*    
85.29.210.*    
87.118.124.*    
87.248.181.*    
88.119.247.*       
89.76.6.*    
89.76.10.*    
89.149.253.*    
92.48.201.*    
94.102.60.*
194.8.75.*    
194.146.190.*

Regards to all

Paul

[poolhall]

3.) I've never seen a human registration from mail.ru

Just FYI,

this is the largest public mail service in Russian speaking serment of Internet, and I think it'd be safe to state that every third person from xUSSR has an account @mail.ru. There are easily tens of millions of human registrations from mail.ru.

[Deprecated]

I was referring to the days when I ran an IPB forum and had hundreds of spambot registrations using mail.ru addresses. Not a single one of them was a human, because our forum evidently didn't interest Russians.

In any case, my point above was that I believe it's fruitless to try and block mail domains. Rather, you just need to make your registration hard for bots and easy for humans. All three of the recommended mod packages do that.

[palofdru]

3.) I've never seen a human registration from mail.ru

Just FYI,

this is the largest public mail service in Russian speaking serment of Internet, and I think it'd be safe to state that every third person from xUSSR has an account @mail.ru. There are easily tens of millions of human registrations from mail.ru.

True,  until Hotmail or Yahoo have a Russian language selection, then that will be the mail provider of choice for many Russkies and Ukrainians.

In fact, I have an @mail.ru email address, since I could see Russia from my house, I figured it would boost my Foreign Policy credentials*



* My foreign policy = get a Russian bride.

[poolhall]

I'm running SMF Beta 4 with default CAPTCHA and user activation and having no problems with spam.

Remembering the time I was running phpBB, I would say that there is no better anti-bot protection than a custom security question. For human spammers, I used a mod allowing to set a number of posts beyond which links can be posted on the board. Using this simple "bundle", I didn't get a single spam message for a year.

@palofdru:

be carefull of viruses

[Burke ♞ Knight]

I use the reCAPTCHA mod, so have not noticed any spam attacks on my sites, but now that I have read this thread, I'll be keeping more of a closer eye on my StatCounter results for my 1.1.7 sites.

[bigmo66]

I notched up the Captcha to high and initiated the "age" verification and so far so good.
I have 2 bots trying to register at this very second!  I'm waiting to see if they get in.....

Guest  (93.174.93.196)     01:16:55 PM     Registering for an account on the forum.

Guest (94.102.60.115)    01:15:48 PM    Registering for an account on the forum.

****Well, they WERE NOT able to register!  Good news.