Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

[mashby]

You misinterpreted the image verification. It's not done in an email, it's done at the site.

[metallica48423]

I believe he meant in some sort of intermediate confirmation page with a visual verification image

you really can't utilize PHP code or dynamic images EASILY within an email

[Ashdaw]

I had a total of 57 users on my Forum yesterday. I have taken ALL precautions and I cannot understand WHY they are trying to access my site, It is just a small friendly community? Maybe I haven't done enough yet? I did add the are you human one and tried to add the Question one but got a fail message.

[SlammedDime]

Nothing is going to prevent them from looking at your site... it's the internet.  We're only trying to prevent them from registering on it.

If you're getting failed messages when trying to install mods, you should make posts in the support topic regarding those mods.

[Deprecated]

I had a total of 57 users on my Forum yesterday. I have taken ALL precautions and I cannot understand WHY they are trying to access my site, It is just a small friendly community? Maybe I haven't done enough yet? I did add the are you human one and tried to add the Question one but got a fail message.

Uninstall the Are You Human? mod, then install the Anti-Spam Verification Questions. The questions are far more powerful because they vary from forum to forum to forum, so the botscripts cannot be programmed to answer the questions. However, there are no indications that the Are You Human? mod has been breached yet. Probably either one would work, but the second is more powerful and is likely to resist breaching far longer, if at all.

[Bazil Greyson]

This link, in the footer of my site has helped greatly

http://english-138309221408.spampoison.com/ [nofollow]

I highly recommend checking out www.spampoison.com [nofollow]

[hillrunr]

Just want to thank Deprecated and the rest for the very educational topic.

I already had an age limit (13) and was still getting the spambots coming through. I changed visual verification complexity from medium to high and changed method from immediate to member approval. Not one spambot has gotten through since. I changed method back to immediate and still nothing.

I also did install reCAPTCHA with plans of implementing it later but was getting tons of undefined index error messages. For now, I uninstalled but did not delete reCAPTCHA. Seeing as things are good now, I'll take up that issue later and, if needed, post on its support topic.

Once again, thank you to Deprecated and everyone else.

[kaseymo]

I too had many unwelcome new registrants at the forum associated with the hxxp:selskc.net [nonactive] site.  I implemented High on image verf and put in a min age of 10. That took care of the *.ru  applicants . I then backed off the age check and for 3 days not the High setting on image verf has been sufficient to keep the outsiders out.

I still don't know 100% what the goal was and is for this type of attack. I could see that some listed various websites in their profile so though it was an ad campaign or an attempt to increase Google page rank by creating hundreds of inbound links but not all the new members listed an website via their profile.  As far as I could tell none of the "bots" posted to the Forum.

Was there/is there other mischief afoot?  Should I be examining other aspects of the site - where to look and for what?  Might the site have been compromised in some manner I'm not aware of while these bogus registrations did have access to the SMF forum.

I purged all of them and by instituting Member Approval and HIGH on image verf the onslaught has been halted. 

Gist of this - High on Image Verf did the job as of 11-22-08 anyway.

Dick Williams
Kansas City MO

[Col]

I don't know what else to do either. I have had to do the same thing

Follow the tips in the first post. Any of the solutions should stop the problem. Changing the registration form a little from the default will stop it.

how do I change the registration so that I have to authorize someone before they are active?

The ReCapthca thing created a whole string of gobeldygook html or such at the top of the forum so I had to un-install it as fast as it was installed.

I tried changing the captcha thing as it is currently and teh password strength but it didn't do anything to stop them.

They are throwing links with our forums name in it and they all either go to Canadian Rx drug companies or weirdo animal porn sites, definitely the opposite of the sort of image our site tries to create.

I had a similar problem - for some reason the language modifications were added after the ?> at the bottom of the language file. Simply edit the file so that '?>' is the very last line, and all should be well.

[societyofrobots]

You misinterpreted the image verification. It's not done in an email, it's done at the site.

Mashby I think you are confused
I was referring to SlammedDime's comment which refers specifically to image verification done in email:

It's very easy to 'pipe' emails through a script, be it php, cgi, perl, whatever, and have that script parse out the url, visit it, thus activating the account.  Perhaps adding visual verification to the verification of email would be a good idea.

Anyway, in an earlier post in this thread I noted these bots attempting to run strange url commands on my forum, including attempting to download my entire forum database. I since blocked those IPs, and after a week no other IPs have caused the problem. As you can see, the bots are fairly aggressive (the IP followed by # of attempts):
IP: 65.55.230.188     37
IP: 72.30.142.218    0
IP: 65.55.209.32    168
IP: 65.55.209.25    309
IP: 72.30.142.163    0

I highly recommend everyone checking their Forum Error Log for this, and even blocking these IPs. Better to block now before they improve their hack attempts!

[Akyhne]

Ha, ha, ha

Read the blog called "Spammers Wanted" in the Coppermine Photo Gallery blog. I really like that guy

http://coppermine-gallery.net/

[shads]

I enabled the recaptcha mod .. still some bots can register ...
my smf version is 1.1.7  ... some bots even posted about this xrumer information in the forum...
anyone with better solution?

[ddarrell]

This link, in the footer of my site has helped greatly

http://english-138309221408.spampoison.com/

I highly recommend checking out www.spampoison.com

This is a cleverly disguised scam to sell very poor protection to your users.  Look at it in IE without filtering scripts.   Where are the "bait" email addresses it says will confound the spam-bots? It is all a hoax. 

Sorry.

IMO,
ddarrell

[青山 素子]

This is a cleverly disguised scam to sell very poor protection to your users.  Look at it in IE without filtering scripts.   Where are the "bait" email addresses it says will confound the spam-bots? It is all a hoax. 

Even if it had addresses (and I have seen services that have tons of fake addresses hidden on pages), it doesn't help much at all. Modern spammers quickly remove bogus addresses from their lists. Whatever "damage" they do won't last.

[biodieselrick]

Well it works for me. I've gotten like 3 spam posts in the last year and maybe 3-5 dead registrations a day.

1) require email verification.
2) Ban every IP not assigned through hxxp:arin.net [nonactive]

[RawDepth]

Lots of bots have registered on my forum but only two or three have returned to actually make a post.

I've noticed that each of those bot posts were in the first forum on my board. The xrumor script must simply choose the first forum room at the top of the site and stick the new post in there. I wonder if setting the permissions more strictly for that forum only would foil all spambot postings?

EDIT:
BTW, I am not asking for help. I think I already cured my bot problem by following tips in this thread. I was just making an observation.

[tourneymanager]

Lots of bots have registered on my forum but only two or three have returned to actually make a post.

I've noticed that each of those bot posts were in the first forum on my board. The xrumor script must simply choose the first forum room at the top of the site and stick the new post in there. I wonder if setting the permissions more strictly for that forum only would foil all spambot postings?

EDIT:
BTW, I am not asking for help. I think I already cured my bot problem by following tips in this thread. I was just making an observation.

I just found this board and like the rest of you, have many unwanted registrations. Not a single post, though. My first board is read-only so only admins and moderators can post to it. Maybe you're on to something.

By the way, I just set my captcha to high. We'll see if that prevents the unwanted registrations.

[Burke ♞ Knight]

On all my sites, the first board is always News & Announcements. Only staff can post there, read only to regular members. So there may very well be something to this, as I have not gotten spam posts on my forums. Yet I do have a few new members that either don't post, or don't activate.

[tourneymanager]

On all my sites, the first board is always News & Announcements. Only staff can post there, read only to regular members. So there may very well be something to this, as I have not gotten spam posts on my forums. Yet I do have a few new members that either don't post, or don't activate.

We'll probably be the next ones to get hit, though. It won't take the spammers long to adjust.

[mashby]

It will take them quite a bit to adjust to custom questions/answers.
http://custom.simplemachines.org/mods/index.php?mod=1516

In fact, I doubt they'll be able to do it. reCAPCHA is also another great solution. SMF2.0 will have it built-in (when it's released).