News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Spammers Registering even with Registration Disabled (reg'd not activated)

Started by Oscworth, November 16, 2012, 04:37:52 AM

Previous topic - Next topic

Gort

My forum has been suffering from a sudden influx of spambots over the last few days like the posters above mentioned. I have the Stop Spammer mod on the forum and admin approval, which stops them from actually fully registering, so I can just delete the ones flagged as spammers. Anyway, over the last few days, despite having questions set, a lot of the bots were getting through the Capcha and question to the attempt to register, which Stop Spammer blocked and I denied. Thing is, from a situation where I'd get one or two spambots a week, the last few days ended up with at least 50 (possibly 100, as another admin had also removed some), so a bit more work required for lazy me.

Well, I decided to look at my questions, increasing the questions needed to two and also managed to change them enough to stop the flood. A lot of my questions were a bit like, "What number is missing in this sequence: 4, 5, 7, 8, 9?", which I suppose a bot could easily work out, even though such questions worked fine in the past. Now all my questions are a bit more detailed and require a bit of thinking. Seems that this worked, as I haven't had a spambot for nearly 24 hours. So, for me, setting two questions and making them a bit more difficult seems to have worked... for now.

Oscworth

Quote from: tttonyyy on November 17, 2012, 10:54:05 AM
Fantastic - excellent news!  Activation after registration makes sense.  Much better than any bypass being discovered.

I'll re-enable the webserver's access to the file, but leave it disabled until they (hopefully) get bored.

One again thank you for taking the time to look at this - it is much appreciated by our group.

I gave access to ziycon on our forum so he could confirm the  httpbl was setup correct.  It is and has been blocking a lot of spammers.
Ziycon also came up with the conclusion that these bots were already registered. 
Last night I left registration turned off and got no new members but the httpbl did block 5 pages worth (150) bots. 

I personally still believe the bots weren't pre registered as my forum isn't that busy and I always keep it clear of spammers.  I receive email of every new reg and a custom mod posts a welcome post which I remove within the hour during the day and check first thing in the morning. 
The registering earlier and not activating is the logical explanation for making me believe they managed to register after it had been turned off.  I don't think any email is sent to admin until after the activation.  Or the httpbl is doing a great job, it certainly has been busy.

As soon as I turn registration on I start to get more members with admin approval so no way can I go back to email activation until things quieten down. 
For now I'm leaving the activation off....just to see if they manage to reg hoping they get bored trying.   I will report any findings & I also wont delete the accounts like I did before until they have been looked into.

A huge THANK YOU to ziycon for your time and expertise during the last few days.  Also thanks to the other admins who posted their experiences with the recent growth in bots.

Sim Racing,  nearly as good as the real thing but much safer & cheaper

emanuele

Yep, the email to the admin is sent only when the user activates the account.


Take a peek at what I'm doing! ;D




Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Krysia

I too have suddenly noticed an extreme influx of spamming on the forum I run. Baffling because we've had it set up for years without this kind of slamming, and then WHAM! Just over the course of 8 hours, my email box was flooded with 104 "new members" trying to join.

I've since installed the following mods (running SMF v 2.0.2):

  • httpBL
  • Redirect Banned Users
  • Stop Spammer
  • Anti-Spam Links
  • KeyCAPTCHA for SMF

I'm hoping this will do the trick. I'm also hoping that this is an issue that the future versions of SMF will take into consideration and incorporate into SMF automatically.

*Fingers crossed*!
:)
~Krysia



Gort

One thing I'd like is the ability to know which question was answered by a registered member if the question system is set up. It'd be useful to know which question failed to stop a bot from registering so that changes could be made to the offending question.

Oscworth

Quote from: Gort on November 17, 2012, 01:25:48 PM
One thing I'd like is the ability to know which question was answered by a registered member if the question system is set up. It'd be useful to know which question failed to stop a bot from registering so that changes could be made to the offending question.

Aren't all questions required to be answered during registration ?  I thought they had to all be answered correct.

Quote from: emanuele on November 17, 2012, 01:08:23 PM
Yep, the email to the admin is sent only when the user activates the account.

Thanks for confirming that.
Sim Racing,  nearly as good as the real thing but much safer & cheaper

xrunner

I had an influx myself starting yesterday, at least 30 spammers registering over the last few days. I tried a new verification question just for kicks. I kid you not - I've had ONE spammer try to register since simply adding this message. I have not added any other kind of anti-spam.


You can't post ANYTHING until an Admin approves your account based on spam databases and heuristic screening criteria - you will not be registered until this approval is complete - if you still wish to apply enter "notspammer" without the quotes in the box



Shambles

Quote from: Oscworth on November 17, 2012, 01:33:10 PM
Aren't all questions required to be answered during registration ?  I thought they had to all be answered correct.

You set up a list of questions and specify how many will appear during the registration - that's how many 'they' will have to answer :)

Gort

Quote from: Oscworth on November 17, 2012, 01:33:10 PM
Quote from: Gort on November 17, 2012, 01:25:48 PM
One thing I'd like is the ability to know which question was answered by a registered member if the question system is set up. It'd be useful to know which question failed to stop a bot from registering so that changes could be made to the offending question.

Aren't all questions required to be answered during registration ?  I thought they had to all be answered correct.

You set up several questions and you can set how many questions have to be answered by the one registering. The questions asked are chosen randomly from the list of questions you create. Currently, as far as I can make out, there is no way to know which random question was asked from the list of questions you have. If I knew which questions were answered, then I'd know which were weak enough to allow spambots to answer them, then change them accordingly.

Oscworth

I have only 2 questions both required.....I thought it took them in order.

I will add some more  Thanks!
Sim Racing,  nearly as good as the real thing but much safer & cheaper

Chalky

I have mine set to two questions out of a possible 7 (I keep adding more as I think them up) and although I see dozens of spam IPs trying to register every day in the Who's Online, in 5 months we have only had one spammer successfully register, and that one didn't get past admin approval.  I have Bad Behaviour installed but presently disabled as I don't see there's much point until they start getting past the verification questions ;)

tttonyyy

I suspect that some of the bots farm all the questions into a database, and at some point a human goes through the database manually answering the questions, which are then used by the bots to get into forums.

So perhaps the answer is just to change the questions when a sudden influx of registrations are seen, as your questions have probably been answered and are in a database somewhere.

I'm pretty sure this is what happened to our forum - I re-enabled registration, got a flood of new registrations with the existing questions, changed them to a new set of questions and so far (fingers crossed) it has all been quiet.

Damn crafty these spammers.

Shambles

The best advice I ever got, regarding questions, was to gear the answers such that they are forum-specific.

EG, on my car forum I ask the colour of the background wallpaper, the manufacturer producing the car we specialise in, a reverse spelling of the main marque we deal with and so on.

Oscworth

I have reopened registration too after having it turned off for a few days.  During that time httpbl blocked over 600 attempts from spammers.
Soon as registration was opened I got 1 new member/spammer but reg was set to admin approval.  Since then nothing 
I'm really happy that bombardment is over.

Thanks for sharing your tips on the security questions, I do plan on changing mine and adding a few more.
The idea of making them forum specific is a good idea especially as every time I go to add some I struggle to think of what to have  ;)
Sim Racing,  nearly as good as the real thing but much safer & cheaper

Storman™

QuoteThe best advice I ever got, regarding questions, was to gear the answers such that they are forum-specific.

EG, on my car forum I ask the colour of the background wallpaper, the manufacturer producing the car we specialise in, a reverse spelling of the main marque we deal with and so on.

I agree with  Shambles™, make your questions relevant to your forum so that possibly only people interested in the main subject matter would understand. Obviously not too complicated but many of these spammers originate from the far east/asia and won't understand the context. I've seen some really dumb answers which indicate that the person trying to register hasn't a clue. Also, seen lots of "human" registrations lately, again mainly from far east.

Also consider supplementing spam mods with something like Crawlprotect:

http://www.crawltrack.net/crawlprotect/

Its great at blocking:

-some code injection attempts
-some SQL injection attempts
-some visits coming from crawler known as "Badbots" (crawlers used by hackers)
-some website copier
-some shell command execution attempts
-known "bad" useragents.

;)

Advertisement: