Anyone else seen this spammer called "leefriend1"?

[rrackow]

Just wanted to send a warning message about a spammer attempt.

I run several SMF and Tinyportal sites and I noticed a leefriend1 has joined each one. Luckily I keep a very tight reign on what members can and can not do on my forums so he hasnt effected anything, but in finding out why one person joined all my forums I looked at his profile. His sig is nothing but spam links.

Did a quick search in google on "leefriend1" and I got many hits on leefriend1 profiles all on SMF fourms. Mostly all with spam sigs.

watch out for him and the like. It has to be some type of automated registration script.

[DavidCT]

Yeah, he joined my forum a few days ago but hasn't posted anything yet.  My forum is dead so why he bothered is beyond me   I don't worry about spammers, I just delete their posts.  Only once did one guy tick me off by registering like 30 names in one day.  Took me forever to delete them all (was using PHPBB at the time, then switched to SMF).

Spammers wouldn't bother if LINKS were disabled.  SMF seems to translate urls into links automatically, which isn't cool.

I had one guy use his web url as his name (somesite.com, example) so I added .com .net .etc to the banned names area - I hope it works, not sure if I did it right or not.  SMF should disable "." from user names.

[karlbenson]

Indeed, it could be some sort of forum poster bot being used.

You could try my Are You Human Mod
http://custom.simplemachines.org/mods/index.php?mod=999

[Drunken Clam]

He/It joined my forum a couple of days ago, I've now banned and deleted him/it.

I've also installed Karls 'Are you Human' mod, which is great, thanks Karl!

[Fatality-]

He's in my forums too. He hasn't start posting yet, but his sig is damn huge, full of links.

[karlbenson]

This mod may also help then
http://custom.simplemachines.org/mods/index.php?mod=921

[DavidCT]

Not that it matters alot, but I was wondering if his info on my site matches yours...

leefriend1
IP: 79.176.164.244
Email: [email protected] (let the spambots harvest this one LOL)

Googling his email... Results 1 - 10 of about 1,230

This guy is busy.  I sampled a few of the results - all SMF forums.

[rrackow]

Yes, same guy.

[karlbenson]

bzq-79-179-116-251.red.bezeqint.net

[Loony Tune]

This mod may also help then
http://custom.simplemachines.org/mods/index.php?mod=921

Cheers. Sounds like another quality mod. I'll try that one tonight.

Cheers karlbenson

[jackregan]

I got this guy too adding loads of spam to one of the custom profile fields on my forum. I think that he is associated with the site footballyears.net

here are the details I got for him

IP: 79.180.10.224     
Email: [email protected]
Username: leefriend1
Host: bzq-79-180-10-224.red.bezeqint.net

[karlbenson]

indeed, looks like he is trying to sell tickets.

1. ban the user or even delete him
2. if you don't want to delete him
- remove his website from his profile
- remove his links from his signature
- change his email and password, (so he can't change them again).

[PacificWx]

He/she/it has not joined my forum - thank you for the info - we'll put a block on it before it tries.

[MirRustam]

Is it possible for spammer bots like this register in my forum if I use "Type the number on the picture" verification?

[crash56]

Is it possible for spammer bots like this register in my forum if I use "Type the number on the picture" verification?

Several spammers/harvesters got past that feature on our forum.  Try the Are You Human? mod that karlbenson recommended HERE. 

[metallica48423]

keep in mind that a common practice these days is to have a human register and then pass that info into a database or a script.

[jackregan]

Is there any kind of a database of known spammer usernames?

If not, let's make one!!

[karlbenson]

Spam bots are becoming more and more sophisticated. It is a cat-and-mouse game.

Some bots depending on their level of sophistication
- May have a HUMAN pass the visual verification, then let the bot take over
- Can pass email activation
- Can pass visual verification
> Alot can pass 'low setting'
> A few can pass 'medium setting'
> Only a tiny fraction can pass 'high setting'. (but probably the same pass/fail ratio as humans, who will struggle to read it)
> Use different usernames/passwords/emails/ips each time.

So, the idea is to do something different than everyone else.
But nothing can stop a determined spammer.

[Bogdan]

I don't know if it's a human or a bot, but he is registered on my forum ( with captcha ). He has a big signature with a lot of spam links. It will not make any post. Googlebot will access the profile and will index the links from his signature. It's  a silent spamer )

[karlbenson]

Then my prevent signature links mod could help.
http://custom.simplemachines.org/mods/index.php?mod=921

Prevent adding signature links until x posts.

(it only prevents ADDING/EDITING, it won't affect any existing signatures)

[Bogdan]

I will try that mode. My question is: about the no follow, are you going to change this script http://www.simplemachines.org/community/index.php?topic=200396.0 ?

[DavidCT]

It will not make any post. Googlebot will access the profile and will index the links from his signature. It's  a silent spamer )

Disable viewing of profiles by non-members...

[humbleworld]

Indeed, it could be some sort of forum poster bot being used.

You could try my Are You Human Mod
http://custom.simplemachines.org/mods/index.php?mod=999

I am using Are You Human Mod of Karl. It works perfect.

[DavidCT]

RE: Are you human?

Hmm, you know something?  I bet adding a routine like this on all web pages, setting a server type cookie so it only asks once, would save a ton of bandwidth by eliminating bots   I might have to try that. (making exceptions for google and other friendly bots)

[humbleworld]

There are several mail.ru registrations in a website I know. What is this? The poster did not post anything but it or he registers with an email of [email protected].

[tehtron]

Yes I've had the same guy

He's very stupid. He has the same hostname as you guys have

[Elrond]

This mod may also help then
http://custom.simplemachines.org/mods/index.php?mod=921

This mod may also help then
http://custom.simplemachines.org/mods/index.php?mod=921

Very good mod by the way.

I had the same ****off join a several of the sites I've hosted for people, a few of them being friends' sites. It's really ticked me off. Another thing that seems to be coming up a lot are IP's from Bell Canada host names who are trying to access pages in the following format: (h-t-t-p:/-/host/index.php?page=h-t-t-p:/-/some-spam-or-hacks-or-pron-site--or-page-that-does-not-exist).

I have deleted several different IP ranges in desperation of the problem, but obviously that will inevitably backfire. None of the attempted hacks have been successful at doing anything to the sites, but it is still enough to tick me off. I mean, if those pages are somehow getting listed on search engines, then those search engines will be redirected to the main pages of those sites (this will count as duplicate content won't it?). So far I've not seen any of them appear on Google following any of the domains/sub-domains + index.php?page=*offending string*. None of them were attempted sql injections though there was a php file quoted that apparently attempts to turn off certain features on the target server (like I said the attack doesn't succeed, it just ticks me off).

A mod I have on the site allows admins to track the full address that a guest or member is accessing; so eventhough the action is "unknown" or something like that, it appears next to the "unknown action" as a link, so that it can be analyzed. Server logs show the addresses being shown, but this is a short cut for it, so that we can combat the problem. But the thing is, the only way of combating such problems is ip range bans, which is something that I'm not willing to do. They're all guests (the offending ip's) so they are not particularly harmful.

Example of the links being accessed (that will redirect to the main page because they don't exist):
- h-t-t-p:/-/-host-.com/index.php?page=h-t-t-p:/-/migirlsadaoiwqiseatmeisum.mail333.su/body?;

I put dashes in there so that people can't just click on the last string and get something that might be dangerous. But it is an example of what they do. Script blockers will prevent -most- of those kinds of links from doing any harm though.

[青山 素子]

I had the same ****off join a several of the sites I've hosted for people, a few of them being friends' sites. It's really ticked me off. Another thing that seems to be coming up a lot are IP's from Bell Canada host names who are trying to access pages in the following format: (h-t-t-p:/-/host/index.php?page=h-t-t-p:/-/some-spam-or-hacks-or-pron-site--or-page-that-does-not-exist).

I've seen that on one of the systems at work. Random IPs will hit it and just put those URLs in. It's happened before, but there seems to be some kind of surge going on. At the peak, I was seeing 4 megabits of traffic from this (and loads over 150 before I took evasive action).

What that is is an attempt to spam webstats pages. As many sites do have public access, the spammers can get their URLs into search engines that way. It sucks, but that's the general purpose of those things.

I put dashes in there so that people can't just click on the last string and get something that might be dangerous. But it is an example of what they do. Script blockers will prevent -most- of those kinds of links from doing any harm though.

I generally do hxxp://urlhere/. It keeps the things from auto-linking and is nicer to read. (I actually picked that style up from 4chan.)