Curious Spammer Observation

Started by Road Rash Jr., June 20, 2011, 10:47:07 AM

butchs

Quote from: oldrow on June 23, 2011, 03:47:21 PM
I have been able to keep a ton of spammers out of registering with several of the anti spam modifications provided.  My servers however seem to keep a HEAVY blow because of the spammers.  Any way to block them so they don't give me extra server load?

I had the same problem so I created the DOS prevention feature in Forum Firewall.  That was the last piece of the puzzle for me that dropped my bandwidth like a rock.  If you try that feature, make sure you test it for a few days and set up your robots text, google, yahoo and etc at their respective webmaster sites.

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

mem1988

Quote from: Krash. on June 20, 2011, 09:01:45 PM

Road Rash is correct.  2.0 appears to be selectively targeted by spammers.

right ... same happens to me...

I have been running SMF for years and never got spam... after the 2.0 Final installation I got a lot of spam....
My other 2.0 RC5 forum is fine, without spam...

oldrow

Quote from: butchs on June 23, 2011, 08:24:18 PM
Quote from: oldrow on June 23, 2011, 03:47:21 PM
I have been able to keep a ton of spammers out of registering with several of the anti spam modifications provided.  My servers however seem to keep a HEAVY blow because of the spammers.  Any way to block them so they don't give me extra server load?

I had the same problem so I created the DOS prevention feature in Forum Firewall.  That was the last piece of the puzzle for me that dropped my bandwidth like a rock.  If you try that feature, make sure you test it for a few days and set up your robots text, google, yahoo and etc at their respective webmaster sites.

Do you have a link to the info on that mod?  Is it easy to use and install?  I am not an expert in some of the complicated mods...


Aleksi "Lex" Kilpinen

#24
I know this issue has been discussed at length already, but to address some of RR's concerns specifically, and to make sure this topic is not "over looked" as he pointed out elsewhere...

Quote from: Road Rash on June 20, 2011, 10:47:07 AM
Is there something in the code that sends up a red flare, "Hey spammers here's a new install of SMF" that no one is aware of?
No, SMF has no such thing to my knowledge. Also, the code is open for everyone to inspect or have inspected by a professional if they wish. The only thing I can think of is that the spammers use a targeted search pattern involving version-specific characteristics of the installation.

Quote from: Road Rash on June 20, 2011, 11:11:27 AM
Well see that's the point you missed, none of my previous installs of SMF have had spammer problems. Now all of a sudden, when the previously untouched forum is upgraded, it's immediately hit.
All previous versions have seen similar trouble - as has all other forum software out there. That you have not come upon this before is probably just luck IMO. Did you use any mods or other tools in the previous version to stop spammers? Have you made sure they are still active and working after the upgrade? Did you have verification questions in place, were they active after the upgrade?
Sometimes upgrades can change some settings (returning them to their default states).

Quote from: Road Rash on June 20, 2011, 11:11:27 AM
As for inspecting the code, that is beyond my skill level.

Your reply though is disconcerting. Never before has someone reported a possible security problem and been told to find or fix it themselves.
Actually, as has been pointed out - spammers are not considered a security issue in themselves.
Also, we do always ask for specifics of an attack to identify the attack vector - that is, we expect the user to provide us with either a specific weakness - or genuine logs to show that a certain area of SMF has been used to gain access.
If we get either one, or enough support cases suggesting a real security issue, we take them very seriously.

Quote from: Road Rash on June 20, 2011, 09:47:58 PM
I just removed it and re-installed a fresh, SMF 2.0 Full Install and lo and behold within 30 minutes there were 43 spam hits.
All our forums are private, not for average traffic. You cannot register, pre qualified members are invited. Until installing SMF 2.0 final, for years our forums have remained under the spammers' radar, server security stops IP mining so they have no clue that we even exist, yet all of a sudden spam bots and human spammers are aware of our forums only when they are running SMF 2.0 final.
Again, spammers are not considered a security issue. If your forum is private, invite only, guest access disabled - then have these spammers registered on your site to post, or how do you identify the spammers exactly? I find this very strange that you say your forum is completely locked down, yet you have a spammer problem? My forum is completely open for registrations, and guest posting, and no trouble with the help of TOR blocker, HttpBL and Verification questions out of the box.

If you have logs, screenshots, or anything of the sort to prove there might be a problem in SMF 2.0 itself to cause or allow such behavior, that was not there in 2.0 RC5 - please do submit a security report: http://www.simplemachines.org/about/smf/security.php
Each and every security report we get, is taken seriously and investigated.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Road Rash Jr.

Hey Lex, thanks for the informative reply. On the surface and under normal forum situations where it is open to the public and crawlers I would agree, spammers are a bane.
However ------ our forums since RC1 through RC5 have been UNSEEN by spammers. No one can register as it is selectively private. Basically invisible to the internet. Again, no spammers, no hackers, no attacks, no crawlers.

Here's the curious bit ---- Install 2.0 final and it's hit immediately by spammers. Uninstall 2.0 final, reinstall RC5 and the spamming stops. Install 2.0 final, spamming starts again. Uninstall 2.0 and reinstall RC5 and spamming stops again. Like a light switch, turn it on, spammers are attracted like moths to a flame. Turn it off and they don't come at all.

At times there is such a flood of spammers running 2.0 final that it causes a denial of service. If that's not a security issue I'll rescind my comment but it sure is in my books.

So it begs the question, after using SMF for 2 years without spam, only to be immediately hit after installing 2.0 final, what about 2.0 is letting spammers know the moment it is being activated????????????????

Note these install tests were conducted over a period of days, weeks, on several servers with the same results.

We found a cure, did they?
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Suki

Please fill out a security form:  http://www.simplemachines.org/about/smf/security.php


Spammer bots do not know when you are using 2.0 or 2.0 RC5; they still attack your site no matter what version you are using. If the bots are targeting only 2.0, then it's only logical to assume that when you install RC5 the bots will not appear, since they are only looking for 2.0. They are still crawling your forum, it's just that they are looking for 2.0 instead of RC5; that's why every time you switch versions, bots only appear on 2.0.

Quote
At times there is such a flood of spammers running 2.0 final that it causes a denial of service. If that's not a security issue I'll rescind my comment but it sure is in my books.

Denial of service is not a security issue:

http://en.wikipedia.org/wiki/Denial-of-service_attack

Denial of service does not take advantage of a security hole or such; denial of service just means saturation of your server by, in many cases, legitimate traffic, since it comes from zombie PCs, causing your server to consume its resources and ultimately collapse.

Quote
Basically invisible to the internet.

It takes just one link for your forum to be found by spam bots; you cannot possibly control every user on your forum or what they do, the links they share, etc.
Disclaimer: unless otherwise stated, all my posts are personal and does not represent any views or opinions held by Simple Machines.

Road Rash Jr.

Quote from: Miss All Sunday on July 01, 2011, 12:13:48 PM
Please fill out a security form:  http://www.simplemachines.org/about/smf/security.php
Filed as many as you requested with exception of this one as they seem to be ignored anyway.

Quote
Spammer bots do not know when you are using 2.0 or 2.0 RC5; they still attack your site no matter what version you are using. If the bots are targeting only 2.0, then it's only logical to assume that when you install RC5 the bots will not appear, since they are only looking for 2.0. They are still crawling your forum, it's just that they are looking for 2.0 instead of RC5; that's why every time you switch versions, bots only appear on 2.0.
I reiterate cause you seem to ignore this point - However ------ our forums since RC1 through RC5 have been UNSEEN by spammers. No one can register as it is selectively private. Basically invisible to the internet. Again, no spammers, no hackers, no attacks, no crawlers.



Quote
At times there is such a flood of spammers running 2.0 final that it causes a denial of service. If that's not a security issue I'll rescind my comment but it sure is in my books.

Denial of service is not a security issue:

http://en.wikipedia.org/wiki/Denial-of-service_attack

Denial of service does not take advantage of a security hole or such; denial of service just means saturation of your server by, in many cases, legitimate traffic, since it comes from zombie PCs, causing your server to consume its resources and ultimately collapse.

Quote
Basically invisible to the internet.

Quote
It takes just one link for your forum to be found by spam bots; you cannot possibly control every user on your forum or what they do, the links they share, etc.

If attacks from whatever source cause 'denial of service' it is a security issue and denying it is closing your eyes to it.
There's more to our security than I am allowed to say, suffice it to say, you could not find it even if I gave you the IP address.
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Suki

Disclaimer: unless otherwise stated, all my posts are personal and does not represent any views or opinions held by Simple Machines.

Road Rash Jr.

quoted from above
Quote from: Miss All Sunday on Today at 12:13:48 PM
Please fill out a security form:  http://www.simplemachines.org/about/smf/security.php
Filed as many as you requested with exception of this one as they seem to be ignored anyway.
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Suki

Please fill out a security form:  http://www.simplemachines.org/about/smf/security.php


Do you realize you just received enormous attention from both team members and regular users, right?

Do you realize that you haven't yet sent any security form?

We can't ignore something that hasn't been sent to us yet...

Disclaimer: unless otherwise stated, all my posts are personal and does not represent any views or opinions held by Simple Machines.

oldrow

I am pretty sick of these SMF elites acting like there is nothing wrong with this new software.  1.x = no problems.  2.0 = my frigging site won't load and I am about to get kicked off of my shared server with no refund!!!

All of your babble nonsense means nothing, this release is screwed by bots and needs to be FIXED!

Illori

since not every forum has the issue, and no one has submitted a security report there is nothing the team can do until we know WHY and HOW this attack is happening.

LiroyvH

#33
Again;
Not only SMF is targeted by bot attacks. The bot attacks have NOTHING to do with SMF, the SMF source code or whatever. phpBB reported bot issues, Invision reported bot issues, etc. etc. etc.
ALL forum software out there has reported heavy bot attacks for a few months. And not just forum software... WordPress for example has known botters.

Of course SMF 2.0 can be heavier on the server. It has more functions, etc.
If your host can't cope with SMF 2.0 find one that can. If they don't know how to protect their server against high volume spambot attacks when they occur: leave them, they do not care about you. Or if you run your own server: Bloody well protect it instead of pushing the blame to SMF... There are tons of ways to stop or minimize attacks beyond modifying SMF. Get a firewall, no?

How do you think we're keeping SMF online with the insane amounts of attacks we are getting? You think your forum is under attack? Imagine the amount of traffic we get from spambots... ;) Do you still see us going down or showing high stress warnings? No, we fixed the issue server side to mitigate the attacks far before 2.0 was even released!
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Road Rash Jr.

Quote from: CoreISP on July 01, 2011, 12:59:13 PM
Again;
Not only SMF is targeted by bot attacks. The bot attacks have NOTHING to do with SMF, the SMF source code or whatever. phpBB reported bot issues, Invision reported bot issues, etc. etc. etc.
ALL forum software out there has reported heavy bot attacks for a few months. And not just forum software... WordPress for example has known botters.

Of course SMF 2.0 can be heavier on the server. It has more functions, etc.
If your host can't cope with SMF 2.0 find one that can. If they don't know how to protect their server against high volume spambot attacks when they occur: leave them, they do not care about you. Or if you run your own server: Bloody well protect it instead of pushing the blame to SMF... There are tons of ways to stop or minimize attacks beyond modifying SMF. Get a firewall, no?
Except in this case, the server/IP is invisible to the internet. Proprietary and better than your average firewall. Until 2.0 is activated.
I reiterate cause you seem to ignore this point - However ------ our forums since RC1 through RC5 have been UNSEEN by spammers. No one can register as it is selectively private. Basically invisible to the internet. Again, no spammers, no hackers, no attacks, no crawlers.
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Road Rash Jr.

Quote from: Illori on July 01, 2011, 12:54:23 PM
since not every forum has the issue, and no one has submitted a security report there is nothing the team can do until we know WHY and HOW this attack is happening.

How many times must a report be submitted?
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Illori

at least 1 time so that it can be recorded, but more than 1 time by other people will allow the developers to get a better idea of what is causing the attack

Aleksi "Lex" Kilpinen

I ask you again, as you didn't answer the last time - if no one can register, and no guest can post, how do you recognise the spammers exactly? What do you identify as a spammer? And can you verify where they are coming from, and what parts of SMF they are approaching exactly? Everything you can tell us makes it more possible for us to understand the reasons behind it, and so start fixing it - if there is something to fix. Without that, there really is not much we can do.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF
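
The kind of evidence asked for in the post above (where the requests come from, and which parts of SMF they hit) can be pulled from the web server's access log. The script below is an added example, not part of the original thread and not SMF code; it assumes the "combined" log format, the sample lines and addresses are constructed, and the 5-hits-in-60-seconds threshold is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic;
# the addresses come from the reserved documentation ranges).
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Jul/2011:12:00:01 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2011:12:00:02 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2011:12:00:03 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2011:12:00:04 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2011:12:00:05 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jul/2011:12:03:10 +0000] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jul/2011:12:09:44 +0000] "GET /forum/index.php?action=post;board=1.0 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
this line is truncated garbage and must be skipped
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" \d{3}')

def parse(log_text):
    """Yield (ip, timestamp, method, action) for every parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        # SMF separates query parameters with ';' as well as '&'.
        query = parse_qs(urlsplit(m["url"]).query.replace(";", "&"))
        action = query.get("action", ["(none)"])[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], action

def summarize(log_text, window_s=60, burst=5):
    """Return (hits per 'METHOD action', {ip: hits} for bursty clients)."""
    by_action = Counter()
    times = defaultdict(list)
    for ip, ts, method, action in parse(log_text):
        by_action[f"{method} {action}"] += 1
        times[ip].append(ts)
    noisy = {}
    for ip, stamps in times.items():
        stamps.sort()
        # Sliding window: is any run of `burst` hits inside window_s seconds?
        for i in range(len(stamps) - burst + 1):
            if (stamps[i + burst - 1] - stamps[i]).total_seconds() <= window_s:
                noisy[ip] = len(stamps)
                break
    return by_action, noisy

if __name__ == "__main__":
    actions, bursty = summarize(SAMPLE_LOG)
    for name, hits in actions.most_common():
        print(f"{hits:4d}  {name}")
    print("bursty clients:", bursty)
```

Running the same summary over logs taken under each installed version gives a like-for-like comparison to attach to a report.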

LiroyvH

Quote
Except in this case, the server/IP is invisible to the internet.

Err derp. Wat? How would spambots be able to visit your forum if it is unreachable on the net... They cannot. IPs and servers connected to the internet are never invisible unless you unplug them or block all traffic from the net.
Once connected to the internet they are visible... There are enough bots out there scanning millions of IPs per day searching whatever they find on there.

You keep ignoring multiple points:
1.) This is not related nor limited to SMF software and certainly not SMF 2.0. We were targeted far before the 2.0 release and so were others. See the topic in the announcement board. Next to that, all other forum software sees the same issues. Since recently, tons of spambots hit their forums. And again: even WordPress shows this issue. This is !!NOT!! related nor limited to SMF and/or its source!
2.) If you feel this is a security issue, report it in the proper way rather than complaining without taking proper action, even though this has been requested from you multiple times now. Can't believe people still take the effort to keep requesting you to do it as it seems fruitless.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Kindred

Quote from: oldrow on July 01, 2011, 12:52:28 PM
I am pretty sick of these SMF elites acting like there is nothing wrong with this new software.  1.x = no problems.  2.0 = my frigging site won't load and I am about to get kicked off of my shared server with no refund!!!

All of your babble nonsense means nothing, this release is screwed by bots and needs to be FIXED!


oldrow...   I might add: Your host seems to be an overseller who complains about your usage ALL THE TIME, since I just found a similar complaint regarding your site's resource usage dating back to 2009:
http://www.simplemachines.org/community/index.php?topic=352049.msg2393002#msg2393002

So, get a new host already!
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
