Help!!! Spammers suddenly attacking all my SMF forums!!!!

[Deprecated]

H is just an ordinary person, as we all are, and I believe he simply made a misjudgment. We know the problem isn't solved. Please don't hold that against SMF. We make mistakes too.

Do I understand it right that these spammers are blowing past the CAPTCHA? If so, then it appears that the 1.1.x CAPTCHA has been compromised. Otherwise we'd be getting reports from SMF 2.0 operators, and I haven't seen any yet.

Does this fit everybody's observations?

1.) You are running SMF 1.1.5, 1.1.6 or 1.1.7, but NOT running 2.0
2.) You have the CAPTCHA enabled
3.) We are talking about spam accounts, NOT spam guest posts

A few reports will be appreciated. Let's see if we can narrow this down to a signature so that we can figure out what part of SMF software needs fixing.

Everybody agree with the above 3 points? Anybody disagree?

[Bill.Ramby]

The Are you Human mod is still holding strong after 8 hours  would recommend that anyone still being spammed install it.
http://custom.simplemachines.org/mods/index.php?mod=999

Installed as well and holding for several hours now.

[青山 素子]

I have a 1.1.7 board that got hit with about four registrations yesterday. No posts from the accounts. Two accounts were mail.ru, which I normally block (I forgot on this particular board). Verification was set at medium.

[wibo]

@Deprecated,

1) yes 1.1.6 and 1.1.7
2) CAPTCHA enabled (medium --> changed to high)
3) yes spam accounts.

Thanks for your message.

[genieuk]

SMF is a very good, powerful forum software, as it is so popular obviously it is going to be targeted more than other forum software.

The more popular forum software is the spammers know there is going to be more forums out there using SMF software than other forum software which of course puts SMF forum software users at more risk. There are several measures to help as stated in many places over this board. I also use the reCAPTCHA for SMF mod as it constantly changes the wording so it never the same all the time like SMF default CAPTCHA, I highly recommend people using this one as it so much more powerful and words constantly changes, i upgraded to SMF 1.1.7 on day of it's release and have no problems, not yet anyway, thankfully. There are also other antibot mods such as Are You Human mod and a few more to help combat spammers. As spammers get smarter so does the security measures used need to get smarter, and probably i bet some good SMF coder is looking at this and thinking can he make a new way to help stop these bots, some are not bots but humans of course but that something we have to put up with and deal with manually.

I have come up with a possible new way to help stop these bots, obviously nothing is 100% fool proof but i am not a programmer so i cannot make it sadly but maybe someone wants to, if so they are welcome to PM me with what i got in mind.

Regards,
Mathew

[Bill.Ramby]

I was getting both spam accounts (signup but no posts) and spam posts.

[Deprecated]

Okay we seem to have some things that may help deal with it:

1.) Try installing the Are You Human modification package

2.) Enable "Age below which to apply registration restrictions." This is in Admin -> Members -> Registration -> Settings. Probably putting in "18" (years old) would be reasonable. It's possible that this simply screws up the pattern the bots are looking for.

3.) If you can handle the extra work load, switch to manual  new "Member Approval" instead of "Member Activation."

4.) Probably won't help, but put your CAPTCHA to "high." (same page as #3)

5.) Block email addresses from the domain "mail.ru" (does anybody see a lot of spammers from one mail domain?)

I'll add to this list if we find any additional methods of dealing with it.

[Deprecated]

I was getting both spam accounts (signup but no posts) and spam posts.

Do you mean spam guest posts?

[metallica48423]

As we've said, we do not currently believe this is a version specific attack.  We do not believe it is related to any hole in 1.1.7, which is what the OP asked and was addressed.  I have not seen any 2.0 reports.

What *is* happening is that there is a heavy spam attack going on right now that seems to be originating out of russia and/or saudi arabia at least from the information i've gathered.  Several of us have given our advice for handling the attacks in this thread.  in the meantime, i've made a post to the developers about it, to see what their general consensus is.

Thanks for your patience and consideration

[mouse92im]

Depreciated,

1.) Yes, I'm running 1.1.6
2.) I have the CAPTCHA enabled on MEDIUM
3.) Yes, Spam accounts that are posting new topics and/or replies

Thanks for looking into it! 

[Deprecated]

You're welcome. I've got some spare time and it seems like most everybody else is occupied with other tasks. I may spend the rest of the day focusing on this attack to see if I can find a sure way to stop it. One thing though, anything I can develop they are sure to figure their way around. It's only a matter of time. Any lock man can make another man can eventually pick or break open.

Just want to poo-poo one idea. I doubt if IP banning will be of any use here. Spammers have bot fleets all over the planet.

[rabbithutch]

I've received a dozen or so bad registrations on my 1.1.5 install.  I know all the people who should be using my site; so I've just banned each bogus registration.  But it IS a real pain.

Is there a fix for bogus registrations? 

The last time this happened, I didn't catch it and a lot of pornographic posts ensued.

1)  Yes.  I'm running 1.1.5 (installed by SMF)
2)  I don't know if I have CAPTCHA enabled.  I'll have to do some hunting or someone will have to tell me where to look.  If this refers to the graphics being displayed as a visual verification for new registrations, then "Yes!"  I have CAPTCHA enabled.
3)  Yes.  I'm getting spam registrations NOT spam guest posts.  I don't allow guests to post or see the member list.

[genieuk]

You're welcome. I've got some spare time and it seems like most everybody else is occupied with other tasks. I may spend the rest of the day focusing on this attack to see if I can find a sure way to stop it. One thing though, anything I can develop they are sure to figure their way around. It's only a matter of time. Any lock man can make another man can eventually pick or break open.

Just want to poo-poo one idea. I doubt if IP banning will be of any use here. Spammers have bot fleets all over the planet.

Hi,

I replied to your PM with my suggestions, the way i think what could be done means they wont be able to bypass due to changes which can be made at anytime via forum admin by admin themselves.

Let me know what you think. I personally think this is the best way.

Mathew

[Bill.Ramby]

5.) Block email addresses from the domain "mail.ru" (does anybody see a lot of spammers from one mail domain?)

Actually, several of mine listed gmail accounts.

[Bill.Ramby]

I was getting both spam accounts (signup but no posts) and spam posts.

Do you mean spam guest posts?

No, I mean I checked all new member signups this AM and found several that, though signed up, had no posts. I figured they were normal users till I checked IP's. Most of the IP's matched identically the IP's of those that did post spam.

I don't allow guest posting on my site.

[mouse92im]

...

Just want to poo-poo one idea. I doubt if IP banning will be of any use here. Spammers have bot fleets all over the planet.

I tried banning the IPs, but it seems there are no patterns or constants.  Only that most are coming from the Middle East or Hungary.




Also, some accounts are using .gmail addys.

[mouse92im]

sorry. double post.   

[青山 素子]

2)  I don't know if I have CAPTCHA enabled.  I'll have to do some hunting or someone will have to tell me where to look.

Try doing a registration like you are a normal user. If you see the image with letters, you have image verification enabled.

(We can't call our system CAPTCHA, as that is a registered trademark of CMU.)

[StanJ]

This is what the posting losers are generally using

http://www.mi80.com/security-news/Xrumer-50a-Google-Captcha-Cracked

vBulletin has a fix, I hope SMF will do that as well

[Costa]

Deprecated

1.) You are running SMF 1.1.5, 1.1.6 or 1.1.7, but NOT running 2.0
Yes, SMF 1.1.7

2.) You have the CAPTCHA enabled
Yes!

3.) We are talking about spam accounts, NOT spam guest posts
We are talking about spam accounts, not guest

After the massive SPAM attack i installed the Mod Anti-Bot Registration Puzzles, and i see the bots trying register but they can't.

here are the spam names account, IP and emails:
DownloadOemSoftw (195.245.119.76 | [email protected])
Elathestepe (195.159.196.243 | [email protected])
CewSheddy (194.165.42.87 | [email protected])
NolawemoNaism (194.165.42.95 | [email protected])
CialisBilligKaufen (194.165.42.93 | [email protected])
CreergePemi (194.165.42.27 |  [email protected])
XYTyler (94.102.60.115 | [email protected])

I have childs in my forum (under 18) and this is a major problem for me

Farewell