Ban system: using complex wildcard formatting for complex email formats?

Started by Tripredacus, July 16, 2021, 09:31:19 AM

Previous topic - Next topic

Tripredacus

Regarding the ban on email, where it has a simple example of *@badsite, I am wondering if there is any way to add a ban filter based on the format of an email address rather than just the wildcards used on name vs domain.

For example, there have been a slew of spammer accounts registering that use an email with many periods in the email address, using a format such as this:

[email protected]
[email protected]
[email protected]
[email protected]

We are seeing multiple spammer accounts being registered that specifically use this format. So the question is, does the field for entering a ban trigger on email support any other sort of formatting that would block email addresses like this?

Aleksi "Lex" Kilpinen

No I don't think so, and honestly you are better off trying to stop spammers from ever succesfully registering with other means, bans should be reserved for cases where they are actually needed.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

a10

*.*.*.*@*.*

Safe, no real registration uses lots of . in an address. But, other means than bans are the way to go.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.


Tripredacus

Quote from: efk on July 16, 2021, 11:36:56 AM
Question for you, are they real humans or bots? What they are posting, what they are doing around your forum?

I was looking at the registrations and the accounts that get created by these users do not usually post or use the rest of the site. Only in the past couple of weeks have a couple of these accounts decided to wake up and post spam topics (but not replies) in Russian or Ukranian (I know these languages are different but I do not know how to tell the difference.)

Now some of them are sharing IPs but some of them aren't. So I can and have been able to add a couple IPs to the ban list. The one I posted above has made around 100 accounts in the past year but has not posted, and have used maybe 10 different IPs. Obviously banning IPs is dumb, but can be temporarily done in cases where there are 50 spammers on the same IP.

The email addresses I posted in the ot can be found on StopForumSpam's database. I do not believe that the site owner pays for an anti-spam service, which certainly would handle these automatically. Another forum I do work on does have a service like this and we just have to handle stragglers that manage to slip through the cracks.

Obviously preventing them from registering is the way to go, but in this situation I am operating as forum admin and no access to the actual site itself (for example, no access to modifying templates/skins/emoticons, etc) So when I post into here with questions, it is only based on what I can do in admincp, and if there are mods or addon services that can accomplish this then I can only make those recommendations.

I will try out using the multiple wildcard options posted by a10 and see how that turns out.

efk

Quote from: Tripredacus on July 16, 2021, 12:08:58 PM
I was looking at the registrations and the accounts that get created by these users do not usually post or use the rest of the site. Only in the past couple of weeks have a couple of these accounts decided to wake up and post spam topics (but not replies) in Russian or Ukranian (I know these languages are different but I do not know how to tell the difference.)

Ok so 99,9% they are bots.

Quote from: Tripredacus on July 16, 2021, 12:08:58 PM
Now some of them are sharing IPs but some of them aren't. So I can and have been able to add a couple IPs to the ban list. The one I posted above has made around 100 accounts in the past year but has not posted, and have used maybe 10 different IPs. Obviously banning IPs is dumb, but can be temporarily done in cases where there are 50 spammers on the same IP.
Its very bad idea to ban IP. Better ask how to ban htaccess or someone will correct me what exactly to ban to prevent bots from accessing your forum. Banned IP will make you problems in future, so its better to not play with it, modify bans, remove all IP bans.

Quote from: Tripredacus on July 16, 2021, 12:08:58 PM
The email addresses I posted in the ot can be found on StopForumSpam's database. I do not believe that the site owner pays for an anti-spam service, which certainly would handle these automatically. Another forum I do work on does have a service like this and we just have to handle stragglers that manage to slip through the cracks.
Here you go, my anti-spam service, combination from my personal experience and from what I read on SMF forum, its advanced version of very simple idea for security questions, original idea from a10
https://www.simplemachines.org/community/index.php?topic=575212.msg4070909#msg4070909
https://www.simplemachines.org/community/index.php?topic=571419.msg4045460#msg4045460


Quote from: Tripredacus on July 16, 2021, 12:08:58 PM
Obviously preventing them from registering is the way to go, but in this situation I am operating as forum admin and no access to the actual site itself (for example, no access to modifying templates/skins/emoticons, etc) So when I post into here with questions, it is only based on what I can do in admincp, and if there are mods or addon services that can accomplish this then I can only make those recommendations.
In links that I posted you can see in details how to organize your forum against spam bots + if necessary against real humans. Admin of that forum need to invest some time to make it be like explained, otherwise you will never get rid of bots.
Security questions require from Admin to modify questions after some period of time, usually few months , but once the job is done modifying questions can be easy and done with very small changes for each question.

a10

questions, questions, questions :O)

If in a period of human bot activity, temporarily try some bans (hints: *@*.ru, hostname *.ru) \ some ip's (ranges) in htaccess. If the forum is regularly monitored, use admin approval and pick them out there.
If human bots persevere (usually they disappear fast), evaluate to use some mod (like stopforumspam).
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Dave J

You could also something similar to my option as posted here https://www.simplemachines.org/community/index.php?topic=578061.msg4092009#msg4092009

Also as a10 mentions use 'Admin Approval'

Remember you can always use "Post count under which users must pass verification to make a post" set it to whatever you feel and perhaps they'll get fed up and move on.

Every step you put in front of them helps to prevent them from posting spam, it wont necessarily stop it, but maybe it will slow them down.

See attachment
If you want quizzes to add to the new SMF2.1 quiz mod go here . There are also walkthroughs in the forum to explain how to install them and other tips.

Tripredacus

Admin Approval won't work due to custom integration, however a dev is working on a similar concept that will prevent users from just posting into the forum.

The forum already has set the antispam methods (captcha + question/answer) so I think that these are not bots but are humans. Then again, I have found there may be close to a thousand of these spam accounts registered over the past 4 years but only a handful have actually posted into the forum. I believe that 99.9% of these spammers are indeed bots and are getting stopped by the captcha.

Using a ban trigger with the multiple wildcards does work. Can't ban a whole country as we provide a service to people around the world and actually want real people from countries like Russia to contribute.

I agree about IP bans, in reality it may only be viable for 3 hours to 3 days and should only be used as a defence in an active attack. Otherwise it shouldn't be used. Same goes for hostname bans because a lot of spammers come through VPNs and guess what, so do actual people.

efk

Quote from: Tripredacus on July 19, 2021, 02:39:34 PM
Admin Approval won't work due to custom integration, however a dev is working on a similar concept that will prevent users from just posting into the forum.
Admin Approval at least how I understand it is manual work, I'm saying this because I never used it and from what I saw in past and from what it was told to me, it is stupid and useless, once I got approved on one forum after 2 months of waiting, and it was something important.. And if you guys have all day to approve every single account and posts and do other job, good luck, for me its wasting of time. Approving posts/topics is more than enough.

Quote from: Tripredacus on July 19, 2021, 02:39:34 PM
The forum already has set the antispam methods (captcha + question/answer) so I think that these are not bots but are humans. Then again, I have found there may be close to a thousand of these spam accounts registered over the past 4 years but only a handful have actually posted into the forum. I believe that 99.9% of these spammers are indeed bots and are getting stopped by the captcha.
Good for you if captcha is working. Better disable captcha and save your users from that annoying thing.
They can look like real humans sometimes and they are bots, so there is very small chance to be real human in action.

Quote from: Tripredacus on July 19, 2021, 02:39:34 PM
Using a ban trigger with the multiple wildcards does work. Can't ban a whole country as we provide a service to people around the world and actually want real people from countries like Russia to contribute.
Simple ban on username and email does its job. You will ban them over time, follow with Track User each banned account, that will help you to ban them faster.
I do believe that spam bots are using some kind of dedicated IP addresses for that purpose, now can their IP be used after by real person, who knows.


Quote from: Tripredacus on July 19, 2021, 02:39:34 PM
I agree about IP bans, in reality it may only be viable for 3 hours to 3 days and should only be used as a defence in an active attack. Otherwise it shouldn't be used. Same goes for hostname bans because a lot of spammers come through VPNs and guess what, so do actual people.
I've used VPNs to troll other admins on my forum and my behavior was like partially like real human, mentioning their name and some other stuff about them in funny way, and 2nd part as kind of spam bot. They check my fake IP and my fake email and they ban account because its not much different compared to bots. Now usually or always IP will be shown on google as reported for bad behavior, and email will look like fake email. One admin checked emails and once he told me about spam bot account that even email is black listed for bad behavior but post of this bot was 100% related to topic with real questions and content, so I guess people are using fake info for different reasons. I also consider better to use fake info for logging to most of sites and I do it often, so going with ban without being sure about is not the way to go.

Tripredacus

Quote from: efk on July 19, 2021, 07:26:55 PM
Admin Approval at least how I understand it is manual work, I'm saying this because I never used it and from what I saw in past and from what it was told to me, it is stupid and useless, once I got approved on one forum after 2 months of waiting, and it was something important.. And if you guys have all day to approve every single account and posts and do other job, good luck, for me its wasting of time. Approving posts/topics is more than enough.

Admin Approval on registrations is not ideal unless you want to run a public "private" forum. Ghosting/Mod Review on posts is a thing you use for problem members. Using it sparingly on posts... but I do not see an option to either use post hiding, which is how IPB handles that. I am somewhat new to SMF Admin but I have coming up to 20 years on forum admin experience, with Ikonboard and IPB primarily. I always see SMF as a bare bones type thing, and despite hating where IPB has gone (and is going) there are still some good things about it.

Quote from: efk on July 19, 2021, 07:26:55 PM
Good for you if captcha is working. Better disable captcha and save your users from that annoying thing.
They can look like real humans sometimes and they are bots, so there is very small chance to be real human in action.

It has a low threshold, like 5 posts. Anyone who makes a 6th post and isn't a scammer or spammer doesn't have to use captcha.
In the end, we cannot know for sure if it is a bot or a person. Doesn't really matter I guess.


Edit: simple edit to remove extra close quote ~ Steve

efk

Quote from: Tripredacus on July 20, 2021, 02:55:12 PM
Admin Approval on registrations is not ideal unless you want to run a public "private" forum. Ghosting/Mod Review on posts is a thing you use for problem members. Using it sparingly on posts... but I do not see an option to either use post hiding, which is how IPB handles that. I am somewhat new to SMF Admin but I have coming up to 20 years on forum admin experience, with Ikonboard and IPB primarily. I always see SMF as a bare bones type thing, and despite hating where IPB has gone (and is going) there are still some good things about it.
What do you mean by "post hiding", post moderation for new members so until few posts they are moderator or you want to hide topic/post anytime you like?
Check again 2 of my links, there are instructions how to set post moderation, step by step.
Also Post Unapproval  https://custom.simplemachines.org/mods/index.php?mod=1128 - this is core mod for moderation because you can approve/unapprove post/topic anytime you like, so must to have this mod

Quote from: Tripredacus on July 20, 2021, 02:55:12 PM
Quote from: efk on July 19, 2021, 07:26:55 PM
Good for you if captcha is working. Better disable captcha and save your users from that annoying thing.
They can look like real humans sometimes and they are bots, so there is very small chance to be real human in action.

It has a low threshold, like 5 posts. Anyone who makes a 6th post and isn't a scammer or spammer doesn't have to use captcha.
In the end, we cannot know for sure if it is a bot or a person. Doesn't really matter I guess.
Captcha is broken

Advertisement: