Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM


青山 素子

You could do an IP ban at the server level if you wanted. If it's always the same IP, then it is certainly the right situation for such a thing. However, do remove it after some time to see if you still need to keep it blocked. It's a bad thing to keep stale bans/blocks in place (you tend to forget what they are for).

The code you'd want would be something like:


# Allow everyone, then deny the listed address (Deny is evaluated last)
Order Allow,Deny
Allow from all
Deny from 0.0.0.0


Replace 0.0.0.0 with the IP you wish to block. You can add a comment at the end of the deny line if that will help you remember. Simply space out a few times, type "#" and then add your comment after it. Keep it on one line only.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
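An added example, not part of the original post or of SMF: one way to keep server-level bans from going stale is to store each ban with its reason and date, generate the Apache 2.2-style block from that list, and flag old entries for review. The `Ban` record, the 90-day review window and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Ban:
    target: str   # single IP or CIDR block
    reason: str   # why the ban exists
    added: date   # when it was put in place

# Constructed sample data using documentation address ranges.
SAMPLE_BANS = [
    Ban("203.0.113.9", "repeated bot registrations", date(2008, 11, 20)),
    Ban("198.51.100.0/24", "guest-post spam run", date(2009, 1, 10)),
]

def render_htaccess(bans):
    """Build an Apache 2.2 access block: allow everyone, then deny each target."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for ban in bans:
        # ip_network() raises ValueError on a mistyped address or mask.
        net = ipaddress.ip_network(ban.target, strict=False)
        # Apache only recognises '#' comments on a line of their own,
        # so the reason goes above the directive it documents.
        lines.append(f"# {ban.added.isoformat()} {ban.reason}")
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"Deny from {target}")
    return "\n".join(lines) + "\n"

def stale(bans, today, max_age_days=90):
    """Return bans older than the review window, i.e. candidates for removal."""
    cutoff = today - timedelta(days=max_age_days)
    return [b for b in bans if b.added < cutoff]

def is_blocked(bans, client_ip):
    """Check whether a client address falls inside any banned target."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(b.target, strict=False) for b in bans)

if __name__ == "__main__":
    print(render_htaccess(SAMPLE_BANS))
    for ban in stale(SAMPLE_BANS, date(2009, 3, 1)):
        print("review:", ban.target, "-", ban.reason)
```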


mixedcouples

Many thanks.  I found a way to do it with cPanel... an IP Deny Manager.  I think that idiot may be gone at last!

susb


kopchev

I've run SMF since April 2007 and till November have had no bot registration. Since November 2008 lots of bots have tried to register and some of them - successfully. They use .ru or gmail accounts. I successfully solved this problem by setting the captcha difficulty level to maximum. Bots now cannot register.

Rozza1

I have solved the spambot problem but Google has detected malware on the site and is coming up with a warning when people try to access the forum.

How do I remove this malware?

Regards


Ross Warren
www.horrorwriters.net/forum

青山 素子

Check the report on Google's SafeBrowsing site: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.horrorwriters.net/forum

It seems someone managed to insert some code in your site, perhaps through some other software on your site, or via an old copy of SMF. You'll need to look through all the files you have and clean them up, or replace all the files on your site with clean copies.

Be aware that many attacks toss up shell scripts in many areas, so you need to either check all files or delete them all before restoring.

If you need additional help, start a new topic.

It seems you started a topic: [[Programs for removing malware]]. Help will continue there. Continued posts on your issue on this topic will be deleted.


orange

I've recently started getting lots of guest-posted spam ... is it possible in 1.1.7 to turn on the CAPTCHA when you make a post as a guest? The CAPTCHA is there when registering a new account but is it possible to add it to the posting screen for guests too?

青山 素子



3ps

Hi,

I am using the Joomla-SMF bridge. People register on the Joomla site and it automatically creates an SMF user. I have set an age restriction but I am still getting spam postings.

I want to try some of the suggestions mentioned at the start of this thread, but don't they all apply to SMF only? If my users register via Joomla then surely the SMF steps will be bypassed?

Any suggestions appreciated as I am thinking of closing my site as I can't keep up with clearing out the spam.


MrPhil

Quote from: 3ps on January 06, 2009, 08:22:41 AM
I have set an age restriction but I am still getting spam postings.

There's nothing magical about an age restriction. It's simply another question to answer, and if it's not in the spambot's canned response to the registration, the registration will fail. Once the spammer figures out what's being asked, the age restriction will not help at all.

"Are you human?" type anti-spam mods can choose from a variety of questions in different formats (fill-in text, radio button, checkbox, etc.) to confuse spambots, by not having a fixed number of input fields with fixed input types. Of course, spammers could counter with more sophisticated spambots that understand the prompts and data types wanted, and the arms race continues... or they can just hire a bunch of third world people to sit in front of a screen all day and register on forums.

societyofrobots

A spammer bot finally got through all my latest defenses.

I'm using reCAPTCHA for SMF 1.1.7. It was the typical bot account, with a random string for a password, and the email address had a .net.nz ending. The url traced to AU.

It didn't get through email validation however, but I'm shocked it got past reCAPTCHA. I honestly thought it would take one or two years before they beat it . . .

Any chance someone can make the Anti-Spam Verification Questions mod work with the reCAPTCHA mod?

青山 素子

Quote from: societyofrobots on January 14, 2009, 08:00:22 AM
It didn't get through email validation however, but I'm shocked it got past reCAPTCHA. I honestly thought it would take one or two years before they beat it . . .

More than likely, a real human did that part. There are services for spammers where one can pay for having people in rather poor countries solve verification images. It's not that common since it's still an extra expense on the spammer.


vmgamer

Wow...
the bot filling my forum with xxx posts

now I use anti spam verification question, and it works well

KirkhamsEbooks

Quote from: mouse92im on November 11, 2008, 10:13:07 PM
Adding an age restriction seems to have helped as well.  I haven't seen any new member requests since.

How do you add the age restriction?

Rick

ModelBoatMayhem


I've had another wave of attacks / registration attempts this week.
I've now created a ban trigger on @mail.ru
That's my firm opinion.... but what do I know?!

kat

Quote from: KirkhamsEbooks on January 23, 2009, 02:25:47 AM

How do you add the age restriction?

Rick

Admin>Registration>Settings, oddly enough.

I have a trigger ban on gmail, too.

Miller Time

I'd really hate to block legitimate gmail users, most of our group uses it as a primary.

On another note, I'd prefer to be able to perform a one-click ban of the entire RIPE network.

青山 素子

Quote from: Miller Time on January 23, 2009, 08:09:10 AM
On another note, I'd prefer to be able to perform a one-click ban of the entire RIPE network.

If you want to block all of Europe, you can certainly try. A quick query of their WHOIS info will give you this: RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA. As the text there says, those are all expressed in CIDR, not as /8 blocks. This makes a difference depending on what you are using to ban.

If you want to block everything outside North America, you'll also need to track down assignments to LACNIC, APNIC, and AfriNIC.

Of course, as assignments do sometimes vary and change quicker than db updates, you'll probably wind up blocking some of the visitors you want, but that's the risk you take when you start blocking whole regions.


KirkhamsEbooks

Quote from: Kat on January 23, 2009, 06:15:06 AM
Quote from: KirkhamsEbooks on January 23, 2009, 02:25:47 AM

How do you add the age restriction?

Rick

Admin>Registration>Settings, oddly enough.

I have a trigger ban on gmail, too.

I've considered blocking gmail, but a lot of people are using it thus that is where a lot of the spam comes from. I don't think it's just a gmail thing.

Rick

Miller Time

Quote from: Motoko-chan on January 23, 2009, 11:13:24 AM
Quote from: Miller Time on January 23, 2009, 08:09:10 AM
On another note, I'd prefer to be able to perform a one-click ban of the entire RIPE network.

If you want to block all of Europe, you can certainly try. A quick query of their WHOIS info will give you this: hxxp:www.db.ripe.net/whois?-rTroute-set%2BRS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA [nonactive]. As the text there says, those are all expressed in CIDR, not as /8 blocks. This makes a difference depending on what you are using to ban.

If you want to block everything outside North America, you'll also need to track down assignments to LACNIC, APNIC, and AfriNIC.

Of course, as assignments do sometimes vary and change quicker than db updates, you'll probably wind up blocking some of the visitors you want, but that's the risk you take when you start blocking whole regions.

Yeah, I've just started to put in ip bans using the first octet of any spammers registering from RIPE. For my forum it works fine since it's a local group, and 100% of the spammers are from RIPE while not one legitimate user is. Even on a low traffic forum we get 15-20 hits a day per IP range. Not an SMF issue of course   ;)
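An added example, not from any post in this thread: it measures how much of a first-octet (/8) ban falls outside the CIDR blocks actually listed for a registry, which is the over-blocking risk discussed above. The allocation list and visitor addresses are constructed sample values in private address space, not real RIPE data, and the code handles IPv4 only.

```python
import ipaddress

# Constructed sample values standing in for one registry's CIDR list.
SAMPLE_ALLOCATIONS = ["10.16.0.0/12", "10.64.0.0/10", "10.64.128.0/17", "172.16.0.0/13"]

def _parse(allocations):
    # Merge overlapping or nested blocks so no address is counted twice.
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in allocations))

def first_octet_bans(allocations):
    """Return the /8 networks a first-octet ban needs to cover every listed block."""
    slash8s = set()
    for net in _parse(allocations):
        if net.prefixlen >= 8:
            slash8s.add(net.supernet(new_prefix=8))
        else:  # a block wider than /8 spans several first octets
            slash8s.update(net.subnets(new_prefix=8))
    return sorted(slash8s)

def overblock_fraction(allocations):
    """Map each /8 to the share of its addresses that are NOT in the listed blocks."""
    nets = _parse(allocations)
    result = {}
    for slash8 in first_octet_bans(allocations):
        listed = 0
        for net in nets:
            if net.subnet_of(slash8):
                listed += net.num_addresses
            elif slash8.subnet_of(net):
                listed += slash8.num_addresses
        result[str(slash8)] = 1 - listed / slash8.num_addresses
    return result

def blocked_by(client_ip, allocations):
    """Return (blocked by exact CIDR list, blocked by first-octet bans)."""
    addr = ipaddress.ip_address(client_ip)
    by_cidr = any(addr in net for net in _parse(allocations))
    by_octet = any(addr in net for net in first_octet_bans(allocations))
    return by_cidr, by_octet

if __name__ == "__main__":
    for slash8, share in overblock_fraction(SAMPLE_ALLOCATIONS).items():
        print(f"{slash8}: {share:.1%} of banned addresses are outside the listed blocks")
    print(blocked_by("10.200.1.5", SAMPLE_ALLOCATIONS))
```

With the sample list, a visitor at 10.200.1.5 is outside every listed block yet still caught by the first-octet ban.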
