Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

[societyofrobots]

An update to my last post, while looking through new error logs . . . I found this below. I am guessing this is the automated bot URL, no?

Guest
Today at 12:28:29 PM

IP address 194.165.42.27

URL http://www.myaddress.com/robotforum/index.php?topic=2633.0 [PLM=0][R] GET http://www.myaddress.com/robotforum/index.php?action=register [0,18671,24946] -> [R] POST http://www.myaddress.com/robotforum/index.php?action=register2 [0,0,17446] -> [L] GET http://www.myaddress.com/robotforum/index.php?action=login [0,7050,19026] -> [L] POST http://www.myaddress.com/robotforum/index.php?action=login2 [0,0,19310] -> [N] GET http://www.myaddress.com/robotforum/index.php?topic=2633.0 [0,133803,142083] -> [N] POST http://www.myaddress.com/robotforum/index.php?action=quickmod2;topic=2633.0 [R=302][0,0,337] -> [N] GET http://www.myaddress.com/robotforum/index.php?topic=2633.0 [0,0,142191] -> [N] GET http://www.myaddress.com/robotforum/index.php [5785,0,27832]

Sorry Guest, you are banned from using this forum!

So far none of the spam bots have gotten past my IP filter, so I still haven't verified the registration changes as working. The IP filter appears to be a good short term fix until Deprecated makes the more permanent fix.


Also interesting, and not sure if its related or not to the spam problem, but there appears to also be a bot that tries to download my database every three days (per IP address). But it appears to be failing (see info below). I've since blocked those IP's, but have no idea how to stop these attempts otherwise. Anyone else noticed this?

Guest
IP addresses:
65.55.209.32
69.24.179.77
72.30.142.163
72.30.142.218
65.55.230.188

example links:

http://www.myaddress.com/robotforum/index.php?struct=on&data=on&compress=gzip&action=dumpdb&sesc=d6ae617142697ea7f007b89300f388

http://www.myaddress.com/robotforum/index.php?struct=on&data=on&compress=gzip&action=dumpdb&edited_for_security_reasons

error: Only administrators can make database backups!

hope this helps someone!

[Akyhne]

It really doesn't help to make a list as there are thousends and thousends of IP's and spammer names. This would be a long topic then.

[Schoolbusforum]

I shut down my site until news comes that the SPAM has stopped

[Akyhne]

So you are waiting for an atomic war? Or to the day there are no more evil people?

That's giving up, dude. Fight back!

[Kjell H.]

Not sure if it is a coincident!

It stopped 3 days ago when I simply changed settings to:
Member Activation
Medium Password Strength
High complexity on image verfication

Had about 20-30 spam regs per day before the change.

Using 1.1.7

[SlammedDime]

I shut down my site until news comes that the SPAM has stopped

lol... I guess you'll never be running your site again then...

[webmistress]

Not too long ago, the bots attacked Vbulletin and it was not just spamm names but hardcore porn. That was much tougher to battle.

I'm trying kjell's suggestions. Thanks.

[mistryboy]

I am using 1.1.7 and *touch wood* haven't had a problem with the spam bots yet.

with my forum is all ok no spam  used 1.1.7

grts

[txleo]

Thanks for posting those registration bot checks! This will help.

reCAPTCHA for SMF : returned an error on the registration file so I did not install it.

[Deprecated]

Thanks for posting those registration bot checks! This will help.

reCAPTCHA for SMF : returned an error on the registration file so I did not install it.

I suggest that you post a support request in the reCAPTCHA modification support topic and I'm sure the author will be happy to help you get it working.

[Storman™]

It stopped 3 days ago when I simply changed settings to:
Member Activation
Medium Password Strength
High complexity on image verfica

Same here. I did the same and it all seems to have gone quiet now 

[aianeo]

High complexity image verification is the key. Fixed our spam on 1.1.7. I may add "Am I Human" anyway.

[folkandfaith]

I shut down my site until news comes that the SPAM has stopped

I don't know what else to do either. I have had to do the same thing

[青山 素子]

I don't know what else to do either. I have had to do the same thing

Follow the tips in the first post. Any of the solutions should stop the problem. Changing the registration form a little from the default will stop it.

[folkandfaith]

I don't know what else to do either. I have had to do the same thing

Follow the tips in the first post. Any of the solutions should stop the problem. Changing the registration form a little from the default will stop it.

how do I change the registration so that I have to authorize someone before they are active?

The ReCapthca thing created a whole string of gobeldygook html or such at the top of the forum so I had to un-install it as fast as it was installed.

I tried changing the captcha thing as it is currently and teh password strength but it didn't do anything to stop them.

They are throwing links with our forums name in it and they all either go to Canadian Rx drug companies or weirdo animal porn sites, definitely the opposite of the sort of image our site tries to create.

[forumite]

how do I change the registration so that I have to authorize someone before they are active?

Go to Admin|Registration|Settings, select 'Member approval' from the drop-down box, then scroll to the bottom of the page and click 'Save'.

[Xavi-Nena]

I have had these same issues and we had literally a hundred new registrations a day .... the registrations stopped once I changed the Medium Password Strength to High complexity on image verification.

However I always had a form that was by admin manual approval and require a welcome email with name, address and photos to introduce themselves....so that a spambot could not do...at least not yet that i know of anyway but they still managed to wreck my files and screw with my avatar images and phpchat and ... well they broke my board...

but i wanted to add that changing from medium to high complexity on image verification worked to stop the mass new registrations.

[jimtrap]

Just stating that I'm getting hammered with the spammers as well in order to keep this thread close to the top.

I did the age verification thing and that didn't help, so I'm just doing the admin approval for now as I have a fairly small forum.

As my forum is really only aimed at members in the US, I banned most IP's in the rest of the world and that seems to have really slowed it down as well.

[Col]

I have had these same issues and we had literally a hundred new registrations a day .... the registrations stopped once I changed the Medium Password Strength to High complexity on image verification.

However I always had a form that was by admin manual approval and require a welcome email with name, address and photos to introduce themselves....so that a spambot could not do...at least not yet that i know of anyway but they still managed to wreck my files and screw with my avatar images and phpchat and ... well they broke my board...

but i wanted to add that changing from medium to high complexity on image verification worked to stop the mass new registrations.

I believe this is because you are running SMF1.1.6 or earlier. I had a similar attempt, but, fortunately, I had already upgraded to SMF1.1.7.

http://secunia.com/advisories/32516/

If you have not done so already, updrade to SMF1.1.7.

[Deprecated]

Please be advised the Custom Team just approved my new modification package intended to fix this spambot problem for once and for all:

Anti-Spam Verification Questions for SMF 1.1.7 (Mod Site listing)
Anti-Spam Verification Questions for SMF 1.1.7 (support topic)

Adds SMF 2.0's anti-spam verification questions to SMF 1.1.7. You can add up to 5 questions which must be answered by the applicant before registration is permitted.

Here are some examples of types of questions that could work. I usually put a hint in the question so that humans can easily figure out what to enter. Spambots on the other hand don't understand human hints.

Examples:

• What year is it? (4 digits)
• Are you a robot? (yes or no)
• Please leave this answer blank.

I wrote this modification especially just for all of you 1.1.7 forum operators to see if I can solve your spambot problem once and for all. I've been chuckling as I've been writing my codes, thinking about all the probably weeks of effort that the spambot programmers put into their spammer scripts, thinking that with a few days worth of my own labor I may have possibly wiped them out completely!

So those of you who have shut down your forums, please check out this modification and see if it fixes your problem.

If this modification works as well as I think, then IMO there are two ultimate defenses from spambots: this mod and Motoko-Chan's reCAPTCHA mod. I don't see how the bots could get past either one of them.

I'm on a mission from God. I'm hoping this mod will kill the spambots and make the botmasters weep!