Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM

Previous topic - Next topic


In recent days there has been a huge surge in the numbers of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but in fact the attacks are unrelated to the functional changes in SMF 1.1.7. This is supported by the fact that SMF 1.1.6 and earlier versions are also subject to the attacks. The attacks have nothing to do with the SMF 1.1.7 upgrade.

We at SMF believe that this is nothing more than a coincidental, large scale, coordinated attack, possibly orchestrated using the recently updated version of Xrumer or a similar script or program used for spamming forums. Evidently one or more large bot herders have decided to exploit the market and has targeted their fleet towards spamming SMF forums. It is mere coincidence that this happened around the same time as the SMF 1.1.7 upgrade was released.

Why aren't SMF 2.0 forums being targeted?

Nobody knows, but we can speculate that it is due to SMF 2.0's improved functionality, or maybe there are minor differences between 1.1.x and 2.0 that confuse the bots. In either case if you are running 2.0 you should be on the watch for the attack spreading to SMF 2.0.

What can you do?

1.) Everybody should make sure that they are running the latest SMF 1.x or 2.x version. While the spam attacks are not related to security, you should take this occasion as a reminder to check out your security and make sure you have done everything you can to make your forum safe.

2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.

3.) Smaller forums may be able to switch from Member Activation to Member Approval and then may examine email addresses, IP addresses, etc. to decide which applications are human and which are spammers. This of course will result in more labor to operate your forum.

4.) You may decide to use post counts to restrict new members to posting a staging area, then give them full access only after they have shown they are human. The staging area can be easily swept of any spam debris.

5.) There are three modification packages that we believe can provide adequate defenses against spambots. I have verified that each of these packages is suitable for SMF 1.1.7. They are:

The last of the three replaces SMF's CAPTCHA system, but if you use one of the other mod packages make sure you have your CAPTCHA enabled. It won't hurt and it may help.

What won't work?

1.) Blaming it on SMF 1.1.7: As I explained above, the attacks are targeting all 1.1.x versions. It has nothing to do with the recent 1.1.7 release.

2.) Banning IP addresses: This is the Internet version of "Whack a Mole." They can create IP addresses and find proxies faster than you can ban them. This is useless in my opinion...

3.) Banning email addresses: Again, they can change them faster than you can ban them. I've never seen a human registration from mail.ru but some of the bots are using Gmail and other accounts. This is probably wasted effort unless you are manually verifying registrations.

4.) Hiding your SMF version: It's impossible for me to beleive that SMF 2.0 wasn't targeted only because the bots are searching for SMF 1.1.x strings. The target of SMF 2.0 would be too irrestible if there were not some other reason than the version tag.


Well that's about it. My colleagues at SMF and I agree that there is no new problem with SMF's software, and that this is simply something that was going to eventually happen anyway. The only thing that changed is that some bot master tweaked and tuned his scripts for SMF 1.1.x. and so the attack has arrived this week.

Please take advantage of one or more of the steps that I've outlined above, and we believe that your spam attacks should stop. Be assured that if these measures don't work that either the developers or the mod package authors will come to your defense. Let's just all stay calm and collected, and one way or another we will beat the spambots. Unfortunately this will be an ongoing effort because each side is always going to be trying to upstage the other. Good luck!

EDIT: Added link to new mod: Anti-Spam Verification Questions



Glad to see I'm not the only one affected.  Woke up this morning to lots of SPAM, and been clearing them out all day!  It got so bad I had to close registration for the time being.  Thanks for the info!


I should keep "one eye open" now.  Wouldn't want my site to be ruined by them.


I noticed the problem too and was very happy to see this post of fixes.  I've enabled two of 'em and expect the problem to cease PDQ.

Thank you.


The other topics were running away, speculative. This subject needed a cold shower. I gave it. :)


Thanks for the info.

For me it just worked to change the complexity of visual verification image from medium to high.


i've just added the are-you-human to my install, has this been found to be most effective by most people?


We don't have any comparative reports of which mod works best yet. I suspect all work well unless we hear to the contrary. I think all you have to do is mess up the 'bots just slightly and their script will fail.

This topic welcomes comparative discussion on which is the best strategy to use. I've merely outlined the choices so that everybody can pick which works best for them.

Some of the mods are not yet rated by the authors as 1.1.7 compatible. Part of my work involved testing all three to make sure they work on 1.1.7. I didn't test them exhaustively, but they all install and remove and are able to register a new member with no error logs being generated. I tested for that.

BTW two of the mods are up for grabs if anybody wants to support them, karlbenson's mods. MC is still alive and well as of about 2 hours ago when I was chatting on him via IRC, so I think the reCAPTCHA mod is probably not up for grabs. ;)


I noticed it on one of my forums as well. I will submit a mod to the modsite this weekend to help combat spam.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro


I just changed the registration setting to require admin approval, so that should surely stop these mo-fo's from spamming our forum. It's pretty easy to weed out the bots as their usernames and hostnames are all messed up looking, and most of these (in my forum at least) have their IPs showing up in non USA countries.


Great VB, I've been thinking along the same lines, but waiting to see if the spambots attack Beta 4 before I decide. :) I'll seeya where the mods play! ;)


Quote from: dustrho on November 11, 2008, 09:17:13 PM
I just changed the registration setting to require admin approval...

That is one of the strategies that I recommended in the OP, if your forum isn't so big that approval becomes an onerous task.


Thanks for the post.  I wasn't even aware of the reCAPTCHA mod, and am happy to implement it as it benefits a good cause.

Will be sure to let folks know if this doesn't help. :)


* lax.slash knocks on wood

Haven't been hit yet on 2.0, or 1.1.5 (KEEP FORGETTING TO UPGRADE!!) but will definatly take these precautions. Thanks, Deprecated! :) :) :)

青山 素子

As a note, reCAPTCHA for SMF works very well on the 2.0 betas, and in fact is much cleaner in code (because of the structure changes).
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


I am using 1.1.7 and *touch wood* haven't had a problem with the spam bots yet.


Adding an age restriction seems to have helped as well.  I haven't seen any new member requests since.