What Changes You Have Made to Prevent Spam? What Worked & What Didn't? POST UP!

Started by doctorbull, October 23, 2010, 03:12:07 PM


cpvr

Quote from: Gazmanafc on November 20, 2010, 11:20:18 AM
The only real spamming I get these days is sig spam, but I remedied that by requiring all users to have 1 post before they can edit their profiles. You'll be amazed at how many spammers I see trying to edit their profiles. :P

Once in a while I'll get a spam post or two, I just delete it, and possibly edit the post for another use. I once converted an entire Cutenews database of posts into my SMF data manually using old deleted posts. :P

How did you set it up so that they need to post before having a link in their signature?

Jerri Blank

Quote from: cpvr on February 09, 2011, 08:05:24 PM
How did you set it up so that they need to post before having a link in their signature?

I haven't done this, but you set up a post-count-based membergroup and give its members the ability to edit their own profiles.  You then remove that ability from the regular users group, I think.

Michael McNamara

I've had great success with StopForumSpam, it's already blocked 10,000+ registrations in the past 30 days since I installed it.

You can find the mod here; http://custom.simplemachines.org/mods/index.php?mod=1519

Previous to that I was getting 2-5 SPAM bot registrations a day even with reCAPTCHA installed.

Cheers!

aw06

Quote from: Michael McNamara on February 14, 2011, 11:54:02 PM
I've had great success with StopForumSpam, it's already blocked 10,000+ registrations in the past 30 days since I installed it.

You can find the mod here; http://custom.simplemachines.org/mods/index.php?mod=1519

Previous to that I was getting 2-5 SPAM bot registrations a day even with reCAPTCHA installed.

Cheers!

I had to remove this .. it works .. but it also blocks a lot of potential members that somehow their IP or username is in the SFS database, and there is no easy way for us as admins to amend the database...

I have basically eliminated 'Bots'; I only get about 2-5 HUMAN spammers per week, they don't post immediately so I get to them and zap the account rather quickly..

On my register page, I have some checks that for now only Humans can pass..

I recently added this and it's working well .. http://custom.simplemachines.org/mods/index.php?mod=2932

Arantor

Me personally, I use my own custom CAPTCHA mod (not publicly available) and a mod I wrote to make signatures and the website option in profiles into a custom permission (also not publicly available)

My main site is pretty quiet, but in that time I've had 3 spam posts total. A number of bots did sign up but the accounts haven't been used for anything.
No good deed goes unpunished / All helpful urges should be circumvented

I have something to say: it's better to burn out than to fade away. There can be only one.

krick

I tried multiple anti-spam mods over the first few years that my SMF forum has been active.  Every one, including reCAPTCHA, was quickly defeated by spam bots.

The only one that really made any difference was the Anti-Spam Verification Questions for SMF mod.  I use SMF 1.1.13.  I think that SMF 2.0 includes the verification question option as a built-in feature.

The hardest part about using verification questions is coming up with a question that is difficult for spammers to solve, yet easy for someone signing up for your forum.  I suggest that you avoid math questions.  Much of the spam on my site comes from Russia and/or China, so having a math question just makes it easier for someone who may not speak English.

On the SMF forum on my site, tankadin.com, I use the following question...

"Answer this question...   Tank + Paladin = ?"

...which I think is sufficiently obscure, yet most visitors to my site should know the answer.

owg

I've installed the following:

  • CrawlProtect
  • http:BL
  • Stop Forum Spam
  • Forum Firewall

I can highly recommend CrawlProtect, http:BL, and Stop Forum Spam.  CrawlProtect creates a .htaccess that monitors incoming traffic for suspicious activity, and denies access when requests like referral attacks, injections and more are caught and denied access.  http:BL is one of my favorites because it queries the Project Honey Pot anti-spam database, and compares the IP address requesting access to the db of known spammers.  An initial problem with http:BL that I encountered was an issue where I have a trusted member in South Africa who is dynamically issued IP addresses by SAIX (South Africa Internet Exchange) that have been listed in the Honey Pot database.  Fortunately, the mod author of http:BL was wise enough to create a check box to allow specific member groups within the forum to be excluded from the normal http:BL tests, so all was good - still protected from the bad IP addresses, yet my trusted members are still able to access the forum.

Stop Forum Spam is another potentially excellent mod, but their database is created by user submission, which unfortunately allows disgruntled people to abuse the system (or so I understand).  I'm still on the fence with this one, but I see many registration attempts that I check against the Honey Pot, SFS, and Botscout before I add the IP to the .htaccess file, so SFS is still in my favored list.

I initially thought Forum Firewall would be the solution to most of my problems, and in many instances it performed as I hoped - except for one.  Unfortunately during the testing period, some of my trusted senior members were accused of DOS attacks, but because I could adjust settings, I was able to allow those trusted users to pass through the firewall.  Even more unfortunate for me (because I otherwise really liked the Forum Firewall mod) was the fact that one of my global moderators was presented with the "403 - access denied" page because Forum Firewall had flagged (and denied) his corporate proxy IP address.  I am 100% confident that his IP address is good, but because there is no option in Forum Firewall to allow trusted members through, I cannot use the mod, but instead, just occasionally look at the activity logs and compare it to the effectiveness of my other security mods - so far, everything has been intercepted by the other mods.

What should be concerning to those using the Forum Firewall is the access denial of valid proxy IP members with no option to allow them through.  To those that have seen the attacks reduced significantly, or reduced to zero, thinking that it is the effectiveness of Forum Firewall, please be aware that you might be denying access to far more than the spammers - yes, Forum Firewall is presenting hackers with "403", but it is also possibly presenting the same "403" to some of your trusted members.

IMHO, the Forum Firewall has outstanding potential, and could potentially be a complement for many sites, but it is not acceptable that there is no option to account for your trusted members behind a corporate firewall.
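
How an http:BL lookup of the kind described in the post above is formed and decoded, with a member-group exemption like the check box the post mentions. This is an added example, not the mod's code; the access key, thresholds and group names are assumptions, and the DNS answer is passed in as a string so the block runs offline.

```python
import ipaddress

# Visitor-type bits carried in the fourth octet of an http:BL answer.
TYPE_BITS = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}

def httpbl_query_name(access_key, ip):
    """Build the DNS name to resolve: key, reversed IPv4 octets, zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.dnsbl.httpbl.org"

def parse_httpbl_answer(answer):
    """Decode the returned A record. None (NXDOMAIN) means the IP is not listed."""
    if answer is None:
        return None
    octets = [int(part) for part in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    _, days, threat, visitor_type = octets
    # visitor_type 0 is a known search engine, so no bits match and types is empty.
    types = [name for bit, name in TYPE_BITS.items() if visitor_type & bit]
    return {"days_since_seen": days, "threat": threat, "types": types}

def decide(answer, member_groups, exempt_groups, max_age_days=30, min_threat=25):
    """Return 'allow' or 'deny'. Thresholds and group names are assumptions."""
    if set(member_groups) & set(exempt_groups):
        return "allow"  # trusted groups skip the blocklist result entirely
    listing = parse_httpbl_answer(answer)
    if listing is None or not listing["types"]:
        return "allow"
    if listing["days_since_seen"] > max_age_days or listing["threat"] < min_threat:
        return "allow"  # stale or low-score listing, e.g. a recycled dynamic IP
    return "deny"
```

The age and threat cut-offs are what keep a recycled dynamic address from being treated like an active spam source; the group exemption covers the members those cut-offs still miss.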

butchs

Quote from: owg on February 19, 2011, 01:49:09 AM
What should be concerning to those using the Forum Firewall is the access denial of valid proxy IP members with no option to allow them through. 

You are killing me.  Yesterday, I asked you to provide me the ip address of the mod and you were unsure.  You should at least give the mod author enough time before you go off the deep end and bash his work.  I am very busy and only can program Saturday mornings.

For the past week I was working on a "Review Proxy List" check box that should solve the problem if he is using a proxy.  Finished it this morning.

Honestly, the problem is the proxy not the mod.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Jerri Blank

I have developed an unhealthy fascination with going to "Who's Online" to see what the scummies are up to.  I'd really love to find a way to block guests who are trying to hack into the forum by using other registered users' usernames as passwords.  I guess the bots/hackers figure some users will have their username and password the same.  (Of course, in SMF that's not allowed.)

Since they can't get in that way, I should just relax, I guess.  It's annoying, though.

busterone


Arantor

Quote from: Jerri Blank on February 19, 2011, 11:33:28 AM
I have developed an unhealthy fascination with going to "Who's Online" to see what the scummies are up to.  I'd really love to find a way to block guests who are trying to hack into the forum by using other registered users' usernames as passwords.

Actually, they haven't been. They've been stepping through a very large list. If you see a run of users being hit, then the same users being hit again (same users, same order, but in 'waves'), it means they tried the same password for each user the first time, then another password for each of the users the second time around and so on. As it happens, the list of passwords they're using is basically the most common 50+ or so passwords.

You might want to read http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115 where I posted a patch that has successfully kept out hundreds of such requests because of the very specific methodology of the attack.

EDIT: Ninja'd
No good deed goes unpunished / All helpful urges should be circumvented

I have something to say: it's better to burn out than to fade away. There can be only one.
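
The "waves" pattern described in the post above can be picked out of a failed-login log. This is an added example, not the patch linked in the post: the log format and sample lines are constructed, and grouping attempts by source IP is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of failed-login lines; the log format is an assumption.
SAMPLE_LOG = """\
2011-02-19 11:30:01 FAIL ip=198.51.100.23 user=alice
2011-02-19 11:30:02 FAIL ip=198.51.100.23 user=bob
2011-02-19 11:30:02 FAIL ip=203.0.113.50 user=erin
2011-02-19 11:30:03 FAIL ip=198.51.100.23 user=carol
2011-02-19 11:30:09 FAIL ip=203.0.113.50 user=erin
2011-02-19 11:41:01 FAIL ip=198.51.100.23 user=alice
2011-02-19 11:41:02 FAIL ip=198.51.100.23 user=bob
2011-02-19 11:41:03 FAIL ip=198.51.100.23 user=carol
"""
FAIL_RE = re.compile(r"FAIL ip=(\S+) user=(\S+)$")

def split_waves(usernames):
    """Cut an ordered list of targeted usernames into waves. A new wave
    starts when a name already tried in the current wave comes up again."""
    waves, current = [], []
    for name in usernames:
        if name in current:
            waves.append(tuple(current))
            current = []
        current.append(name)
    if current:
        waves.append(tuple(current))
    return waves

def find_spray_sources(log_text, min_users=3, min_waves=2):
    """Return {ip: (wave_count, users)} for sources that walk the same user
    list, in the same order, at least min_waves times in a row."""
    targets = defaultdict(list)
    for line in log_text.splitlines():
        match = FAIL_RE.search(line.strip())
        if match:
            targets[match.group(1)].append(match.group(2))
    flagged = {}
    for ip, names in targets.items():
        waves = split_waves(names)
        run, best, users = 1, 1, ()
        for prev, cur in zip(waves, waves[1:]):
            # A lone user retyping a password yields one-name waves: ignored.
            run = run + 1 if cur == prev and len(cur) >= min_users else 1
            if run > best:
                best, users = run, cur
        if best >= min_waves:
            flagged[ip] = (best, users)
    return flagged
```

On the sample, only 198.51.100.23 is flagged; the member at 203.0.113.50 who mistyped a password twice is not.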

butchs

For years there have been dictionaries created of common passwords and methods to break them.  Software of this nature is called crack.  Get a list of encrypted passwords, run it on your computer overnight and voilà.  Not that I know anything about it...

I watch my cpanel last 100 visitor log every now and then to see if there is a new trend.  My problem is that I have been sooo effective in stopping spam they do not visit my site that often.  I may need to branch out.   :o

owg

Quote from: butchs on February 18, 2011, 08:20:10 PM
Quote from: owg on February 18, 2011, 12:58:01 AM
Hi butchs, great mod!
I've been running FF for a few days in log mode, and just now turned it to block mode.  The log was full of mostly invalid IPs, and a few DOS reports (that were actually members).  Almost immediately one of my global moderators reported that he received the 403 error page - I asked his IP and it was not in the log, but there were lots of IPs in the 10.*.*.* ranges.  I assume that one of his is one of those, but if he is using a proxy, it is a legitimate corporate proxy.  I know very little about security, most of this is new to me.  Is there a way I can find the identity of the proxy, or is there a way to pass certain invalid IPs through?

One other thing - I see an invalid IP 127.0.0.1 in the log - sorry for my ignorance - do I need to worry about the localhost IP?
Thanks!

If you do not know his ip or when he was there how could I help you?  As I stated in earlier posts proxies can be compromised.

Well...  The mod only inspects traffic to your site so localhost should never be seen unless you have your server in your bedroom.  Traffic between SMF and the DB is not watched with this mod.

If you want invalid ips to pass then turn off the ip check.

My apologies butchs - I am not intending to diminish the quality nor benefit of your work, but was genuinely concerned that forum admins might be excluding valid members, ergo, my post in this topic.  While it is possible that I failed to interpret your response to my question correctly, I honestly did not get a sense that you were working on a solution when you replied that I should "turn off the IP check".  I applaud the fact that you have created a method to exclude the proxy IPs, however to be completely honest, I wish that you had communicated the fact that you were working on a solution rather than reply with the flippant response.  I realize that you and hundreds of other mod authors work selflessly, often without reward, and for our failure to communicate properly, I am sorry.

butchs

Communicate?  I should not have to.  We do this because it is supposed to be fun.  Take our time and enjoy the challenge.  Why else would some fool like me spend over a year creating a mod and then let others use it?  Making demands takes away the reason for people like me to author mods.

Robert.


DJ Omnimaga

-Installed Anti-Spam Verification Questions mod
-Installed the Stop Spammer one too
-Required 1 post to edit your member profile (so bots that don't post stop putting ads in their sig)
-Required 5 posts to send PMs (in case a bot signed up to mass-PM-advertise)
-I run a stop spammer scan every month or so, in case bot accounts slipped in before their IP/e-mail got added to the database.

I rarely ever get bots anymore. I would say one every 6 weeks will sneak in and post spam, but that's all. I even have CAPTCHA and e-mail/admin validation disabled completely.


krick

Quote from: DJ Omnimaga on February 21, 2011, 04:46:37 AM

-Required 1 post to edit your member profile (so bots that don't post stop putting ads in their sig)
-Required 5 posts to send PMs (in case a bot signed up to mass-PM-advertise)


What version of SMF are you running?
Where/how do you configure the options above?

Arantor

That can all be done with making post count groups and going to Admin > Permissions > Settings to enable permissions for post count groups.

WantSome

My forum is kind of new (less than a year old) and small (less than 80 members) but in the beginning I was getting about 10 spam accounts on average per week (some weeks none, some weeks fifty!) and they were obviously bots.

I use the CAPTCHA mod and the Anti-spam questions mod.  Both still allowed the occasional spammer through.

A few months ago I read a tip somewhere and added a question to the anti-spam questions mod.  "If you're human, leave this box blank".  The answer being, obviously, nothing.

Bots seem to want to fill something into these fields, so it's worked thus far - I can see when someone has tried to register and not gotten through those questions.  Two months and zero spammers.  My life is complete  :D

I expect bots will become smarter over time but this seems to work for me.

crash56

I administer three boards.  Two very small boards, and one moderate sized one. 

I had the following installed on all three boards, and was still being forced to contend with spammers getting through:

Stop Spammer
Are You Human?
Recaptcha

I also have a post-count based membergroup to prevent brand new, high-risk members from accessing profiles and e-mails, just in case they turn out to be e-mail harvesters.

Despite all those preventive layers, we were still getting spammers at the forums.  I finally decided that I could either chase them after they get in, or deal with it before they got in.  I set registration so it requires Admin Approval.  Overall, it has turned out to be less work than chasing the varmints after they manage to get in.
