Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM


forumite

Quote from: bigmo66 on November 12, 2008, 02:31:13 PM
I have 2 bots trying to register at this very second!

How did you know they were bots from the SMF Who's Online page?

palofdru

Quote from: rvforumite on November 12, 2008, 02:42:41 PM
Quote from: bigmo66 on November 12, 2008, 02:31:13 PM
I have 2 bots trying to register at this very second!

How did you know they were bots from the SMF Who's Online page?

He probably googled the IPs, or checked his logs and found that those clients only did a GET of the page and a POST but otherwise consumed no other resources like a regular user browsing would.
My best suggestion to you is that you do whatever you feel like doing, for whatever reason you choose to make, without any required explanation nor justification. You probably will, so hop to it!

boo hoo!

ModelBoatMayhem

Quote from: Deprecated on November 11, 2008, 06:26:59 PM

If you have been considering upgrading to 2.0, now might be a good time to do so.


Thanks for all your help and advice Deprecated, much appreciated.

Are you recommending we install SMF 2.0 Beta 4 Public before the final on our live sites?

Martin - England.
That's my firm opinion.... but what do I know?!

lax.slash


Deprecated

Actually I started it out sticky, and it flew right to the top line where nobody would ever see it. (IMO) If I hadn't written it myself I'm sure I wouldn't notice it. :)

People tend to ignore sticky posts unless there's only one of them.

I think it will float around near the top as long as there are still people who are being swamped by spambots.

bigmo66

Quote from: rvforumite on November 12, 2008, 02:42:41 PM
Quote from: bigmo66 on November 12, 2008, 02:31:13 PM
I have 2 bots trying to register at this very second!

How did you know they were bots from the SMF Who's Online page?


Yeah, I traced the IPs and they matched the same other 70+ buttheads trying to get in. The emails were also similar. Lots of joyyee.com emails. Russia, Amsterdam. So far the elevated Captcha is working. If it fails, then I'll mod it!

forumite

Quote
I traced the IPs and they matched the same other 70+ buttheads trying to get in.

Ah, OK, thanks. Thought you had some method I wasn't aware of.

Jdanniel

I've been getting hit also.  I have a small, not-widely-used board, but I take pride in its integrity.

I switch to Admin Approval, and set the visual verification thingy to high. 

I stopped bothering with the Ban list because that's an exercise in futility. 

What I'm wondering now is whether or not to set an age limit, as well.

Any suggestions on what age I should limit?  Thanks!  Jd

Deprecated

Quote from: Jdanniel on November 12, 2008, 05:07:50 PM
I stopped bothering with the Ban list because that's an exercise in futility. 

My point exactly. Whack-a-Mole.

I don't think it matters what age you set it at. The bots are evidently too stupid to check it no matter what age it asks about. Set it at 18... or 13... or even 1. :) It would be a good experiment. :)

Dgui

We're running 1.1.2, yea, I know it's well past the time to update but we have made extensive code changes and get nervous even thinking "update".  Anyway, we're going to swallow hard, grit our teeth and update to 1.1.7.

In the meantime, can we use any of the three above listed mods with 1.1.2?

We implemented Member Activation to stop the bad guys and then added Age Restriction and set CAPTCHA to high.  We watch the spammers try to register (Who's Online) but they don't seem to get past the CAPTCHA  / Age Restriction.

Still would like to install one of the mods if compatible with 1.1.2.

Deprecated

Well I have an answer you won't like to hear.

All three mods start at SMF 1.1.4. However I suspect they would work fine with 1.1.2. BUT... If they don't work right and they screw up your forum you will find yourself upgrading to 1.1.7 tonight! :o

I don't have any 1.1.2 test forum or I'd test it for you, so unless you want to be the guinea pig, and bet your life on it working, I'd say it might not be a very good idea.

As long as you are not being inundated by spambots with your current settings you should just sit tight. If you find even one spambot gets through, go to manual Member Approval and verify human/bot manually.

Come on back and post again if your situation changes. :)

Dgui

Thanks Deprecated.

Right now I'm "belt and suspenders" with Member Approval AND the CAPTCHA / Age Restriction.  We were hit by about 50 bots in 24 hours and it woke us up.

Don't want to update tonight but gonna get it done by this weekend.   :)

Again, thanks for the great read and your input.

Muldoon

Well, activation approval on my site has worked. However, as some have said increasing the visual verification image from medium to high has worked, I have just implemented that and put it back on member activation... so we'll see if this method works for me.

lax.slash

WAIT! I HAVE AN IDEA! What if someone writes a mod that searches EVERY new post for members with less than x posts (changeable by admin) for keywords that are frequently used in SPAM, like Viagra, and such, and for each word, have a "threat level" settable by the admin (High, Medium, Low) and each level has a different % weight (again settable by the admin) where words or phrases rated HIGH such as Viagra count as 15%, MEDIUM words/phrases such as "limited time only" count as 10%, and LOW words and phrases, such as Free count as 5%? Then when a post reaches a certain percent settable by the admin it either deletes the post automatically, or directs the post to an admin/moderator for approval?

It might not be the easiest thing in the world to program, but I'm sure it would be well worth the effort, AND it would be a great permanent fix for all SPAM! Only roadblocks are misspellings that bots could use, and if the bot splits up the words, such as FR RE (Re: is the beginning of subjects sometimes), or VIA GRA (the word via). Just my idea, though! :)
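The scoring scheme proposed in the post above, as an added example that is not part of the original thread and not an SMF mod. The three weights and sample terms come from the post; the post-count limit, the threshold, the choice of action, and the rule that each distinct term counts once are assumptions. The last sample shows the split-word roadblock the post itself names.

```python
import re

# Weights and sample terms are taken from the post; everything else is assumed.
LEVEL_WEIGHT = {"HIGH": 15, "MEDIUM": 10, "LOW": 5}   # percent per matched term
TERMS = {"viagra": "HIGH", "limited time only": "MEDIUM", "free": "LOW"}
SCAN_BELOW_POSTS = 5      # hypothetical "x": only scan members under this count
THRESHOLD = 25            # hypothetical admin-set percentage
ACTION = "moderate"       # admin choice: "moderate" or "delete"


def score_post(body):
    """Return (score, matched_terms). Each distinct term counts once (assumption)."""
    text = re.sub(r"\s+", " ", body.lower())
    matched = [t for t in TERMS
               if re.search(r"\b" + re.escape(t) + r"\b", text)]
    score = sum(LEVEL_WEIGHT[TERMS[t]] for t in matched)
    return min(score, 100), matched


def decide(body, member_post_count):
    """Return (verdict, score); established members are not scanned at all."""
    if member_post_count >= SCAN_BELOW_POSTS:
        return "accept", None
    score, _ = score_post(body)
    return (ACTION if score >= THRESHOLD else "accept"), score


if __name__ == "__main__":
    # Constructed sample posts: (body, author's post count).
    samples = [
        ("Free Viagra, limited time only!", 0),   # 5 + 15 + 10 = 30 -> held
        ("The download is free for members.", 1), # 5 -> accepted
        ("Free Viagra, limited time only!", 200), # not scanned
        ("VIA GRA, FR EE, act now", 0),           # split words score 0
    ]
    for body, count in samples:
        print(decide(body, count), "<-", body)
```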

青山 素子

Considering all the wonderful permutations that spammers can do (seen e-mail spam lately?), it isn't really feasible to maintain such a list, and would be a huge drag on performance to do that kind of scanning.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


bugstomper

My forum got hit too, but I implemented a very simple change that stopped the bots completely at the expense of requiring users to be running Javascript in order to register. The nice thing about what I did is that it does not require the user to answer any challenge or do anything special as long as they have Javascript enabled.

By the way, my forum is on a shared server at an ISP and I am able to see the raw access logs for all the different web sites on the server. I grepped for the IP addresses that were hitting me and found that the very same ones were hitting on forums running other software than SMF, including at least VBulletin, PHPBB, and YaBB. It looks like this wave of bots is either one massive distributed attack or else someone released a general multi-forum software bot script and a lot of script-kiddies are running amok with them. I could see from the access logs that these bots were able to blast through the CAPTCHAs on my site in no more than one second but were stopped by even the simplest question/answer human test on any of the forum software.

I haven't set this up as a mod, but perhaps someone who is into mods can write one up. The changes are only in Themes/default/Register.template.php and what they do is change the registration form so that it doesn't work and use Javascript to make it right. A spambot, which doesn't execute javascript, will never see the proper form. If in the future spambots start including the ability to run javascript, then it will make the job of blocking them even easier, as you can then include simple "are you human" tests in the javascript and make the bots run javascript code that takes forever. So I think it unlikely that the bot writers will bother with that.

The changes: change where it says <form action="', $scripturl, '?action=register2"  to
<form action="http://example.com/antispambot.php?action=register2" style="display:none"

If you actually say "example.com" which is a domain name that is reserved to use as an example and is guaranteed to never exist, then the spambots will waste time posting there and not bother anyone. If instead you use your own web server name and a non-existent URL like "antispambot.php", then you can track in your web server access logs the spambots' fruitless attempts at posting.

The display:none style makes the form invisible in a browser, so people not running Javascript will not be confused by a form that doesn't work.

In addition, to make sure that the spambot never sees the CAPTCHA image, remove the CAPTCHA image URLs a bit later in the same form by changing the IMG tags to look like

<img src="" alt="', $txt['visual_verification_description']

and

<img src="" alt="', $txt['visual_verification_description'],

That is, just change the src= parts to say simply ""

At the end of the form, insert some Javascript that makes it all right again:

        echo '
<script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[
        document.forms.creator.style.display = "block";
        document.forms.creator.action = "' . $scripturl, '?action=register2";
        refreshImages();
// ]]></script>
<noscript>
<h2>This form requires Javascript to be enabled in your browser for this
site</h2>
</noscript>';

That's it! I could see in my web server access logs spambots doing a GET of the registration page and then a POST to the bogus action URL that the form is initialized with. Not one ran the Javascript to get the correct form information.

I can think of one enhancement to this if the bots get more clever and start using the unmodified form from Register.template.php instead of reading my modified one. Add a hidden text field to the form, for example named sekret_field, and in code that checks the CAPTCHA authentication, verify that the sekret_field contains some secret string. You can even generate the string the same as the CAPTCHA string and put it in a session variable the same way. In the Javascript code, fill in that hidden field with the correct value, using a Javascript expression so that the value does not appear in complete form anywhere for the bot to read it simply. For example

document.getElementById("sekret_field").value = "This is " + "the sekret";

If anyone wants to make this into a mod and wants any more detailed code example, send me a PM and I'll help out.
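An added example (not part of the original thread) of the access-log check described in this post and in the earlier "GET of the page and a POST" reply: it flags clients that POST to the decoy form action, and marks as suspect those that submit the registration without fetching any page assets. The log lines are constructed, in Apache combined format with documentation IP ranges; the asset extensions and the `classify_clients` name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2008:14:31:13 +0000] "GET /index.php?action=register HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Nov/2008:14:31:14 +0000] "POST /antispambot.php?action=register2 HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.20 - - [12/Nov/2008:14:32:01 +0000] "GET /index.php?action=register HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2008:14:32:01 +0000] "GET /Themes/default/style.css HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2008:14:32:02 +0000] "GET /Themes/default/script.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2008:14:32:40 +0000] "POST /index.php?action=register2 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Nov/2008:14:33:00 +0000] "GET /index.php?action=register HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
192.0.2.99 - - [12/Nov/2008:14:33:01 +0000] "POST /index.php?action=register2 HTTP/1.1" 200 5000 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3}) ')
DECOY_PATH = "/antispambot.php"   # the non-existent form action from the post
STATIC_RE = re.compile(r"\.(css|js|png|gif|jpg|ico)(\?|$)", re.I)  # assumed asset types


def classify_clients(log_text):
    """Map each client IP to a verdict based on what it requested."""
    stats = defaultdict(lambda: {"decoy": 0, "static": 0, "reg_post": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not GET/POST entries
        ip, method, path, _status = m.groups()
        if method == "POST" and path.startswith(DECOY_PATH):
            stats[ip]["decoy"] += 1       # only a client that ignored the JS posts here
        elif method == "POST" and "action=register2" in path:
            stats[ip]["reg_post"] += 1
        elif method == "GET" and STATIC_RE.search(path):
            stats[ip]["static"] += 1
    verdicts = {}
    for ip, s in stats.items():
        if s["decoy"]:
            verdicts[ip] = "bot: posted to decoy action"
        elif s["reg_post"] and not s["static"]:
            # Weaker signal: a real browser with cached assets looks the same.
            verdicts[ip] = "suspect: registered without loading page assets"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_clients(SAMPLE_LOG).items():
        print(ip, verdict)
```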

palofdru

Actually, you can keep out 95% of auto spammers with 3 lines of code total.

Add a SAVE THIS POST? or THIS IS NOT SPAM! checkbox to the form, and then check for that checkbox being selected before you accept the post.

Use a cookie to save and restore the value for subsequent posts, or force the user to affirmatively click "NOT SPAM!" each time (feel free to change "Not Spam!" to something else :)

SMF has a provision where it checks to see if a new post has been added while you were typing yours, I would insert my check for the 'I AM NOT SPAM' checkbox there, that way I can have it loop back to have you (as a human) click that checkbox

update,lol... bugstomper posted while I was typing!

I would add bugstomper's code to have his javascript 'click that checkbox' then HIDE IT (bots don't run javascript)

Humans not running Javascript would see the prompt to click the checkbox (that way it would work even if posting from a cell phone, which SMF supports)

Fully bio-degradable, like a SMF Bran Muffin!

Burke ♞ Knight

Someone please do a trace on these spam bots.
Let me know if the name InternetServiceTeam shows up in anyone's logs.

These are 2 of the IP/Hostnames they have:
89-149-209-68.internetserviceteam.com
89-149-226-58.internetserviceteam.com


They Offer these services (you can get to their site through hidden TOR connections):
Professional Hacking
Web Scraping
Spam Distribution
Dedicated Spam Botnets
(and some more).

The InternetServiceTeam used to be Web Hosting, but they merged with netdirekt.de. Have no idea who still controls the Domain.

I have reason to believe that InternetServiceTeam is actually part of the netdirekt.de team. That would explain the wide IP range they have. Yet, according to sources, netdirekt.de is a legit, decent ISP, so the way I figure, it's not the whole group, just some that are inside the ISP's business.

palofdru

who cares?

## Spammer
deny from .internetserviceteam.com

Just add the above to your .htaccess :P
