Automated new accounts - hundreds of them...

Started by sulwen, June 28, 2013, 04:22:17 AM

sulwen

SMF version installed: 2.0.4

Mods:
1. RSS Feed Icon 1.1
2. Stop Spammer 2.3.7
3. Bot Buster 1.1
4. DisableTemplateEval
5. Delete Spam Posts 1.5
6. SMF 2.0.3 Update 1.0
7. SMF 2.0.4 Update 1.0
8. Fix for log spam due to failed attempt of quickmod2 exploit 0.1
9. Advanced Language Menu 2.2
10. Simple .htaccess Cache Mod 1.0

Problem:

I get hundreds of new accounts created per hour. At this point StopSpammer is just loading all of them into the approval list, so they can't do anything and I am just bulk deleting them, but it is extremely annoying and clearly points at some sort of vulnerability.

Does anyone have any ideas?


Kindred

Are you using the "questions" feature in SMF 2.0.x?

Stop Spammer is doing exactly what it is supposed to - it is flagging the potential/identified spammers.

If you want to actually STOP the spam registrations, then you need to add additional protections... like questions and bad behavior+httpBL
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

sulwen

Yes I know that StopSpammer is doing its job and brilliantly.

However... I am using questions. And I have email verification as well. This has nothing to do with a normal account creation process.

Isn't bad behavior+httpBL doubling StopSpammer's job a little bit?

And I'm sorry but I'd rather not share url on a public forum, when I've already given exact information about mods used. I hope you understand that TheDragon.

TheListener

Quote
And I'm sorry but I'd rather not share url on a public forum, when I've already given exact information about mods used. I hope you understand that TheDragon.

9 times out of 10 this is the only way we can offer help with a vast majority of problems.

Obviously we would (and have done previously) remove any links when requested to do so.

:)

The only security I have on my forum is bad behaviour plus two verification questions related to my forum's subject.


kat

How about trying this?

http://custom.simplemachines.org/mods/index.php?mod=2502

As an off-topic note, why do you have a "DisableTemplateEval" mod installed?

That's a standard feature of SMF v2. So, you really don't need that mod.


Kindred

bad behavior + httpBL uses bad behavior and project honeypot to exterminate spam registrations before they complete the registration process.

Quote from: sulwen on June 28, 2013, 10:07:02 AM
However... I am using questions. And I have email verification as well. This has nothing to do with a normal account creation process.

Then your questions are not good enough.
(email verification is simple for the bots to handle)
and you have provided no evidence to support your last statement... 
If stop spammer is catching them, then they are, indeed, going through the normal account creation process.

TheDragon

Quote
And I'm sorry but I'd rather not share url on a public forum, when I've already given exact information about mods used. I hope you understand that TheDragon.

sure = I can understand that part
but me = and the PROS here / can look at your register process and make suggestions

u can send us a PM if you want

ANYWAY

I am confused HOW you can get swamped with SPAMMERS ??
if you are REALLY blocking the registrations with email authentication/approval ????
like said above = if you ask verify question(s) = first = to stop bots
then examine the email request for approval

just my 2c




MrPhil

Take a look at your questions -- are they trivial? (2 + 2 = ?) Are they common knowledge? They should be something only familiar to your intended audience.

Make sure you have the number of questions displayed set to more than 0. It's common to leave it at the default and then no questions are asked. Have you tried signing up as a test?

sulwen

Let me answer all the questions in order:

K@: AFAIK Bad Behaviour is not needed; I'll explain later. As to the mod you've mentioned, my forum went through many versions and this is possibly a reminder of some old one. I'll remove it, thanks for pointing it out.

Kindred: TBH I have yet to see a system which can answer questions in my language, as it's not English and the questions aren't trivial. There is only one asking for the result of an equation, but the equation itself isn't trivial as the last part of it is explained in text.

TheDragon, I may not have made myself clear: nobody is spamming my forum, it's just registrations. I get emails that a new user has registered, that's the type of flood I see. StopSpammer is not allowing them to finish the registration simply because it recognizes the IP/email/username triplet as a spamming source. So not spam. That's why (this is to K@) I think Bad Behaviour isn't really needed.

MrPhil: I've already written about the triviality of my questions. CAPTCHA is in place at medium (my users couldn't read any harder) and one security question.

Thank you for all your suggestions. I'll look into it myself and if I find anything I'll let you know.

Kindred

Quote from: sulwen on June 28, 2013, 12:12:49 PM
K@: afaik Bad Behaviour is not needed I'll explain later.

Quote from: Kindred on June 28, 2013, 10:26:10 AM
bad behavior + httpBL uses bad behavior and project honeypot to exterminate spam registrations before they complete the registration process.

So... if spammers are getting through your registration process, even if they are flagged and caught by Stop Spammer, then, obviously, something more is needed.

I have Questions, Stop Forum Spam and Bad Behavior + httpBL.
I have no captcha (which is basically useless against spambots, at this time)
I get 1 or 2 spammers registered and flagged by SFS per month.
At the peak, I had bad behavior stopping 500+ hits to the registration system per day.

sulwen

Like I said: "nobody is spamming my forum, it's just registrations."

Account gets opened and flagged by Spam Stopper so it's inactive and it's not posting anything.


Kindred

You have, AGAIN, missed my point.

With my set up, very few of the spammers even REACH the "stop Spammer" flagged account stage
(none at all make it through to the board)

You complained that you were getting hundreds of accounts flagged as spammers.
install bad behavior+ httpBL and add a honeypot to your site...
this will stop 90% of the spammers before they even get into the registration process and get flagged
(because only spammers who COMPLETED the registration process have an account to BE flagged)

sulwen

Ok, I seem to have everything in order but still something is going through it.
Is it possible that due to the age of that forum (since early versions of 1.0.*) something went wrong with the code and there is a hole there?

I'm thinking I'll just install it clean and import db and then use the same setup as you're suggesting Kindred. Thanks.

Is there any information on how to do it without too much downtime, anywhere?

Kindred

if you are currently on 2.0.4, then you can just delete your directories and files
/Sources
/Themes
and all files in the root, with the exception of Settings.php (and Settings_back.php)
then - using the large upgrade archive, upload a clean set of files
then - using the clean archive of your custom theme, re-upload a clean set of your custom theme files into the correct subdirectory of Themes

*note: you may want to go into the database and truncate the smf_log_packages table
** note2: You may want to go into the database and find (and then clean out) the integration rows of the smf_settings table

by replacing the files, you have reset all of your FILES to the default installation
by doing the database things, you have removed all your MODS, making it a "clean" install for you to start with new mods.

Illori

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files

by uploading a fresh installed.list file in the packages folder it will make it look like all the packages are uninstalled.

Kindred

Illori...   not quite.
to do it properly, you need to truncate the log_packages table - and you have to remove the hooks

Illori

that is one way, but I have tested my way and it does mark the packages as uninstalled; given they don't have hooks, you can reinstall with no problems.

sulwen

No problem deleting files and truncating table.

Thank you ever so much for help! I'll be back soon with results.
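
The clean-reinstall steps Kindred describes above, as an added shell example that is not part of the thread or of SMF's own tooling: it moves the old code aside instead of deleting it, so it can still be compared with the clean archive, and prints the SQL for the two database notes for review. The function names and the backup table name are hypothetical; the `variable`/`value` columns and the `integrate_` prefix for hook rows are assumptions about the SMF 2.0 schema.

```shell
#!/bin/sh
# Added example, not SMF tooling. Function names are hypothetical.

# quarantine_smf_files FORUM_ROOT BACKUP_DIR
# Moves Sources/, Themes/ and every root-level file except the Settings
# files into a new BACKUP_DIR, printing each item moved. Dotfiles such as
# .htaccess and all other directories (attachments, avatars) stay in place.
quarantine_smf_files() {
    root=$1
    backup=$2
    [ -f "$root/Settings.php" ] || { echo "no Settings.php in $root" >&2; return 1; }
    mkdir "$backup" || return 1        # must not exist yet: never merge into old backups

    for dir in Sources Themes; do
        if [ -d "$root/$dir" ]; then
            mv "$root/$dir" "$backup/$dir" || return 1
            echo "$dir/"
        fi
    done

    for path in "$root"/*; do
        [ -f "$path" ] || continue     # root-level regular files only
        name=${path##*/}
        case $name in
            # Settings_back.php is the name used in the post; SMF ships Settings_bak.php
            Settings.php|Settings_bak.php|Settings_back.php) continue ;;
        esac
        mv "$path" "$backup/$name" || return 1
        echo "$name"
    done
}

# db_cleanup_sql [PREFIX]
# Prints SQL for the two database notes so it can be reviewed before being run.
# Assumes hook rows are the smf_settings rows whose variable starts with integrate_.
db_cleanup_sql() {
    prefix=${1:-smf_}
    cat <<EOF
CREATE TABLE ${prefix}settings_hooks_backup AS
  SELECT * FROM ${prefix}settings WHERE variable LIKE 'integrate\_%';
SELECT variable, value FROM ${prefix}settings WHERE variable LIKE 'integrate\_%';
DELETE FROM ${prefix}settings WHERE variable LIKE 'integrate\_%';
TRUNCATE TABLE ${prefix}log_packages;
EOF
}
```

Running `diff -r` between the backup directory and the unpacked clean archive afterwards shows which of the old files differed from the stock ones.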
