Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM


bootnut

Hi, I didn't want to use mods, changed these two settings:

Method of registration employed for new members: Member Activation
Complexity of visual verification image: high

That's stopped all bot attacks on my forum, not had a single one get through since! Seems the bots don't like to click on the email links :)

I noticed that I couldn't read the thing on high. If I have trouble I assume my members will, so I changed it back to medium. If the bots come back I'll change it back to high or look at something else.

Deprecated

Quote from: rvforumite on November 14, 2008, 10:35:37 AM
I must be losing it. I recall seeing a post by someone suggesting several additions to a .htaccess file, but I can no longer find it. Might have been removed due to a camouflaged 4-letter word.

Anyone have a copy of the suggestions and know if they work?

I'm not aware of any post discussing .htaccess being removed from this topic. In any case all I can think of is using .htaccess for IP banning, and I continue to believe that trying to ban IP addresses, email domains, etc., is a waste of time, due to the fact that there are so many different spammers involved in this attack. You would end up playing Whack-a-Mole, banning the ones who have already spammed and headed for better pickings. Instead, follow the suggestions in the OP and the various additional tips throughout the topic.

Dgui

Update (pun intended):   :)

We updated from 1.1.2 to 1.1.7 one version at a time to get around language file problems and it went just fine.

Installed reCAPTCHA and turned off Member Approval, it seems to be working.

Deprecated, thanks for the great topic, it was a BIG help.

rsmini

Just to let you know, my Joomla site was hacked 3 days ago by a Turkish hacker who left a political message (and audio) on the home page.

Yesterday they deleted the whole SMF forum and the whole Joomla website. I have been running 1.1.6 for some time now and recently noticed a big increase in users from Gmail and .ru.

I thought disaster had struck and we were doomed. Now I find I am not alone which is in a way a relief. My host had a very recent backup and they have reinstalled for me.

I changed the Joomla/SMF bridge config to make sure it goes through SMF registration when a new member joins. Also set to 'member activation' and increased visual activation and password strength to high. I will also install the suggested mods as well. Also upgraded to 1.1.7.

I will also set about banning all @mail.ru accounts as well.

They really are a pain in the rear end.
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

Deprecated

Dgui,

You're welcome. It is unusual that so many people have the same problem at the same time, so I thought it was merited to spend a few hours in my attempt to come up with a comprehensive post that could cover it all. That's so much easier than spending days giving out the information piecemeal to one person and one topic at a time.

As far as I know the advice in the OP is still the best thing to do, and as far as I know the advice works and the spamming is stopped. Particularly the third mod, a bit more complicated to install than the first two, but I don't see how it would be possible for the bots to get past the reCAPTCHA mod unless the forum is not properly configured.

I predict that eventually they will get smarter, but I also predict that in that eventuality we will just get tougher and we'll do whatever it takes to keep them out. We have no other choice. Our forums won't work if we let them in. This is life or death for us, or at least it is for our forums and our SMF software.

The only time we rest is when they are not getting in. :)

rsmini

I should also say a massive thank you to you for responding to this problem and explaining how to get around the problem. You have certainly put my mind at rest.

THANK YOU

;) ;)

forumite

Quote
I'm not aware of any post discussing .htaccess being removed from this topic. In any case all I can think of is using .htaccess for IP banning, and I continue to believe that trying to ban IP addresses, email domains, etc., is a waste of time...

I must have been thinking of another topic, or maybe even another forum. I've been reading anything and everything I can find on spam, vulnerabilities and exploits the last few days.

FWIW the suggestions weren't to ban IP addresses; I think we all know that's fruitless. IIRC the suggestions included preventing the inclusion of <script> and a few others in a URL from using said script for unintended purposes, such as described in this article.

青山 素子

SMF doesn't allow HTML in posts (unless you've disabled that security), so the only way that code could be inserted is through a security hole.

ephralon, look at Visual Verification Options or Advanced Visual Verification.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Pere Escobar Solsona

Quote from: ephralon on November 14, 2008, 02:57:26 AM
This thread is full of great solutions to prevent bot registrations, but registered bots are not my problem.

My 1.1.7 is overrun by guest spam posts in poll threads. Yesterday I disabled guest postings and yet they again posted almost a dozen messages full of junk links. And always in polls. Now I locked all polls, but I can't leave it like that forever.

All the anti spam mods that prevent guests from posting links do not work with 1.1.7, and when I try to manually update nospambyguests or antispam the package manager tells me the files are corrupted.
I think about adding nospambyguests to post.php manually, but I'd hate to resolve to a cheap hack like this.

Guests may only use the search and view attachments and polls, I took away all other rights.
What can I do to make them stop posting in polls?

Try the Advanced Visual Verification 1.2-Fixed MOD; the CAPTCHA options include registration, guest posts and PM's.

Deprecated

Quote from: rvforumite on November 14, 2008, 11:34:54 AM
I must have been thinking of another topic...

I recall seeing that post now, referring to <script>. It was at SMF but if it's not in this topic then it was in a different topic. I'm not going to go back and look for it.

As MC says, there isn't any need for that in a properly configured SMF, and in this respect SMF's default settings are proper. Just don't enable member use of HTML.

forumite

Apologies that this seems to have gone off on a tangent. No intentional hijacking of the topic.

I have html disabled in SMF, but the recent attacks haven't been limited to spam posted in SMF or, for that matter, limited to spam. As I said, I've been reading anything and everything I could get my eyes on related to any kind of vulnerability, and some (much?) of it has blurred. Again, apologies for the unintended diversion.

Deprecated

That was one of the points of the OP, that people were speculating that this was some kind of security vulnerability. It has nothing to do with any security flaws.

The spam attack is not related to SMF's security. It's just a new and possibly coordinated attack on SMF's settings the way that forums are usually configured.

All you need to do to stop it is to reconfigure your SMF, and possibly to install one of the three modifications.

catfished

Quote from: Deprecated on November 14, 2008, 12:02:56 PM
Quote from: rvforumite on November 14, 2008, 11:34:54 AM
I must have been thinking of another topic...

I recall seeing that post now, referring to <script>. It was at SMF but if it's not in this topic then it was in a different topic. I'm not going to go back and look for it.


I recall that one as well but after doing a fairly thorough check through my original thread that started all this action ;D and the other locked thread, I couldn't find it. I'm still pretty sure it's in one of those two threads: http://www.simplemachines.org/community/index.php?topic=273648.0
http://www.simplemachines.org/community/index.php?topic=273701.0
You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

forumite

Quote
All you need to do to stop it is to reconfigure your SMF, and possibly to install one of the three modifications.

Understood.

For clarification, I haven't (yet) seen any of these recent SMF-related attacks, but have been actively reviewing my settings and learning what else I need to do to keep it that way. Apologies if I ask dumb &/or irrelevant questions in the process.

So far, I've changed three things since becoming aware of the issue, two as a result of this discussion:


  • Raised CAPTCHA from medium to high.
  • Increased the time between successive posts from the same IP address.
  • Added age limit.

A high percentage of my forum members are near or over retirement age and, as I anticipated, the higher CAPTCHA level is inhibiting some bona fide new registrations. (Getting old is tough.)

I've been trying to install a couple of the mods but ran into some issues which I'm still working through.

I'll add my thanks for starting this topic and collecting everything in one place.

mchero

I have been in constant combat for the last three days! Some of the videos that were getting posted even made me turn red! WOW!
Updated to 1.7 & awaiting 2.0 final! I don't have many users on my site so I enabled registration & that put a hold on attacks!

Robert
www.dieselrvowners.com

Burke ♞ Knight

Rest assured, these attacks are NOT only against SMF forums.
I am staff at 2 VB forums and 3 ProBoards forums, and those forums are also under attack.

This spambot war is getting really tiresome... :P

darkfrontiers

Quote from: Deprecated on November 11, 2008, 11:39:07 PM
Quote from: Muldoon on November 11, 2008, 11:32:22 PM
Thanks Motoko-chan.  I'll delete them all and look at installing these mods.  I have never used them before...  Will there be issues with TinyPortal then?

Please report what worked for you and your TP installation. We need user reports of what works particularly in situations I couldn't test due to my not running any TP or any 1.1.7 production forums.

If you have a combo that works with TP we'd like to hear it.

Yeah, sorry. I am a bit new to this board. Well. I have tried everything that was mentioned here. And nothing has worked.

Sir, you say that it is unrelated to 1.1.7, I am afraid that I am going to have to call false. Ya see, I did not upload 1.1.7 until yesterday (had never had a problem with spammers before), after reading about all the problems. I figured that after doing everything you suggested that I could mitigate the problems. So I uploaded, and instantly started getting spammers. Several dozen within the first few hours. I then added the recommended stuff. Still getting spammers. I have had to go to admin approval, and this has caused me to lose several real new members.

Ya may want to come out with a 1.1.8 that deals with these problems.

Oldiesmann

The spam bot problems have nothing to do with the 1.1.7 update. It's just a coincidence. Have you tried the reCaptcha mod?
Michael Eshom
Christian Metal Fans

Burke ♞ Knight

Quote from: darkfrontiers on November 14, 2008, 05:32:35 PM
Yeah, sorry. I am a bit new to this board. Well. I have tried everything that was mentioned here. And nothing has worked.

Sir, you say that it is unrelated to 1.1.7, I am afraid that I am going to have to call false. Ya see, I did not upload 1.1.7 until yesterday (had never had a problem with spammers before), after reading about all the problems. I figured that after doing everything you suggested that I could mitigate the problems. So I uploaded, and instantly started getting spammers. Several dozen within the first few hours. I then added the recommended stuff. Still getting spammers. I have had to go to admin approval, and this has caused me to lose several real new members.

Ya may want to come out with a 1.1.8 that deals with these problems.


Please read the post right above yours.
This attack is NOT only against SMF forums, so how can it be because of SMF 1.1.7?
The fact that attacks at your site started after you did 1.1.7 is purely coincidental; the spambots would have hit there at that time, no matter what version you were running.

Deprecated

* Deprecated chuckles ;)

Yeah, I guess I probably don't know what I'm talking about. Just think about it, almost 2,700 wasted posts. :)
