Lots of new members

[Alycat]

Over the last week or so I have been getting an increased number of new members, who register and post stupid questions ("so is this for account sum101?"). I have had about a dozen in the last 6 hours. I have changed registration to require admin approval.

Anyone else experienced this? Other than nuisance, what are they trying to achieve?

Is this something to worry about?

On SMF 2.0.9.

[littleblue]

I'm having the same problem, also on 2.0.9 - I changed registration settings to Admin Approval, but this morning one new member still managed to submit a post even though I had not approved them! I've just rejected 40 new registrations that happened over night and new ones are coming in as I type this. It's a nightmare!

I've also got three verification questions that new members need to answer during registration and there is NO way all these spammers are putting in the correct answers. What's going on there?

[timetraveller]

Me too. 26 overnight. Another 4 while I was logged on.
In theory they can't post until I've approved them and obviously I'm not approving them - I haven't had any get past the approval process fortunately.

I had the captcha setting on medium security and one question where the answer was in the question.
I've upped the captcha to high security and changed the question so the answer is not in it.
Waiting to see what happens.

[Colin]

Spam - my forum is flooded with spam, what can I do

[timetraveller]

So the captcha is effectively useless at the moment?

[littleblue]

I'll have to try some of the add-ons. The standard functionality definitely doesn't seem sufficient anymore with these new spammers/bots. It was all working well until a few weeks ago, and it's getting worse.

[CyprusGrump]

Same problem here...

I have three verification questions (all changed today), Captcha and Bad Behaviour...

But I've had new members signing up all morning.... 

[Steve]

So the captcha is effectively useless at the moment?

Yep. Waste of time these days.

[Douglas]

Just got a report that we're being deluged by spam signups, as well (Hogville and FF) from Turkey, Poland, Germany.

Check to see where your signups are originating, please?

EDIT Listing ranges that seem to be most common...
190.112.224/20 # Curacao
188.138.0.0/17 # Germany
180.36.128.0/17 # Japan
5.167.120.0/21 # Russia
178.137.64.0/18 # Ukraine

Second edit: I need to note two things about our anti-spam stop measures...

On FearlessFriday, since this is centered specifically around the State of Arkansas High School Prep Sports, you have to know something about Arkansas High Schools in order to answer one of the random questions on signup.

On Hogville, the same holds true except that it's centered around the University of Arkansas Razorbacks and the collegiate athletic conference they play in.

Due to the nature of these signups, it appears that these signups are figuring a way around these questions.

Fearless is running 2.0.8; Hogville is running a MUCH older version of 2.x (will be updating to the latest this off-season (after all the College Football Bowl and Playoff games are played).

As others have noted, this has only been within the past 48 hours or so that we've seen this increase.

[user1234]

Running version 2.0.9
For the last year or two I have required 5 of 6 questions to be answered for registration, that wound up netting about 2 or 3 people per week, showing up as "awaiting approval".
Visual verification set on "high".

Today we had 19 "awaiting approval" in just over the 9 hours between 1:05 and 10:19 AM, from Russia, to Latvia to France to etc..
Googling the IP addresses, they are all listed as chronic violators, on the "Stop Forum Spam" and/or "The Anti-hacker Alliance" sites.

Is there an explanation as to how spammers from all around, within a 9 hour period, are suddenly all be able to answer 5 of the registration questions?

Feels like the door has been broken down or the drawbridge dropped.
I changed a few of the questions a bit, and will report back if it continues.

[krick]

I'm seeing the same thing running 2.0.9.  I woke up this morning to dozens of new signups some posting spam, some posting nonsense questions.  Changing my verification questions seems to have no effect.  I wonder if someone has found a new exploit.

[vbgamer45]

Hmm I was going to say change verification questions/Add more to help.
I just did that on my site and seems to have helped.


Make sure you are setting the number of questions the they must answer equal to the number of questions you want displayed.

[Arantor]

First up, SMF is a high value target. It is worth the spammer bots' dev time to figure out how to beat the CAPTCHA. And as such, the CAPTCHA has been broken - even on high. If that is your only measure, it's broken.

Spammers are well known also to share the Q&A answers - once a human beats the questions, it's shared with the bot database. Changing questions regularly is, therefore, a good idea. As is setting more questions than you display at once, e.g. showing 3 questions from a pool of 10. Means they won't be able to get all the answers at once into the database.

[timetraveller]

Thanks for the responses.

Changing my question seems to have stopped them for the time being.
However, I'll get rid of the Captcha and put a bit more effort into the questions

[Arantor]

I'd also suggest looking at the wiki page previously mentioned, it offers some useful suggestions. There are a variety of anti spam mods available, and making your site further from the norm will certainly help.

As a very first line of defence, my Misc Anti Spam mod will help a little

[littleblue]

Changing questions regularly is, therefore, a good idea. As is setting more questions than you display at once, e.g. showing 3 questions from a pool of 10. Means they won't be able to get all the answers at once into the database.

I did that earlier today - before that, it was always the same three questions. Now it's 3 out of 10. At the moment, it seems to be working. Though it might just be a matter of time.

[tjbalon]

I was having this issue with my forum, installling Anti Spam:KeyCAPTCHA solved most of our problems. We used to have a queue of waiting for activation by the hundreds.

Currently 0 waiting, and no new spam accounts in 4 days.


Link to mod: http://custom.simplemachines.org/mods/index.php?mod=2839

[Arantor]

Yes but are you getting any real registrations? There were certainly issues with it at one time.

[user1234]

As is setting more questions than you display at once, e.g. showing 3 questions from a pool of 10. Means they won't be able to get all the answers at once into the database.

Could you explain where this "pool" of 10 is kept? Do you mean just in a personal notepad?

[Arantor]

Yes, that is how it works.

[user1234]

Yes, that is how it works.

That's funny. I just edited my post (not realizing you replied to it) after I logged out and checked my forum. I had 6 questions and require 5, but all 6 showed.
But then when I repeated the exercise and required 3, it only showed 3. I must have made a mistake.

Yes, checked it, must have made a counting mistake.
So I guess it would be best to have 20 or 30 Q&A on the list?

[Bruce the Shark]

hmm i had this issue some time ago when i first installed a test version of SMF on a dummy web site. They some how got in.
But now with a new domain name and more questions added to my captcha it all appears to be running smoothly.
I dont know how long i can keep them out but i suggest to add some more additional  numbers of new question before sign up.
Change them frequently as time goes by.
Also i think its best to add as many anti spam mods to your site as possible and get to learn them well.
It is interesting on how they get in.

[user1234]

are questions like.....

five plus three minus four equals

.....too simple?

[vbgamer45]

It can be one of the questions maybe better if you spell it out then numbers.

Generally i try to find something related to your community name.

[user1234]

If a question like.....

five plus three minus four plus two equals

.....is passable, it would be easy to make up 50 of them in a few minutes.
Otherwise, it is surprising how many questions come to mind, that have multiple or ambiguous answers!

[Arantor]

Bots can solve math questions. They can also search Google for some answers.

[Westwegoman]

I had the same issue last night. Almost 100 in a span of about 6 hours. My site and another fishing site were both hit. We both used anti-spam questions and they were both defeated. Changing the question has helped both of us, for now.

Found it kind of odd that they were able to all of a sudden bust down the door at about the same time. We have been using the same approach without any problems for several years.

[Alycat]

Thanks for all the replies guys, at least I now "we are not alone".

But why?

Are they planning to keep flooding, and then demand a ransom? Or do they hate SMF? What is their point?

[Arantor]

It's a low cost way for them to make money. Not by ransom but simply because there are people naive enough to click on the product links, pay them money - and the cost to running such a thing is negligible.

Spam has been an active issue for a number of years. It just so happens that you haven't seen it come through the floodgates like this.

[Alycat]

Thanks for the info. Mine is a small forum, usually only a new member every few weeks. I have changed the questions, required admin approval and now have closed registrations, at least for the time being. Maybe I am talking too soon, but it looks like mine is easing a little.

[Alycat]

Yes it seems to have eased off here. They were coming in every 1.5 to 2 minutes, now about 10 minutes. I notice as I type, in the Who's Online, there are two guests, normally they have been showing Viewing board index, or yesterday Registering for an account, one now shows Unknown Action ...

[Arantor]

'Unknown action' actually is usually a bad mod that didn't update the who's online list of actions.

[Alycat]

Didn't think I had any mods installed.

[Alycat]

All I can see under Admin-Package Manager-Installed Packages are:
1. SMF 1.1.20 / 2.0.9 Update 1.0 [ Uninstall ]
2. SMF 2.0.8 Update 1.0 [ Uninstall ]
3. SMF 2.0.7 Update 1.0 [ Uninstall ]
4. SMF 1.1.19 / 2.0.6 Update 1.0 [ Uninstall ]
5. SMF 2.0.5 Update 1.0 [ Uninstall ]
6. SMF 2.0.4 Update 1.0 [ Uninstall ]
7. SMF 2.0.3 Update 1.0

[Arantor]

Huh... well, that's the *usual* case but by no means the only reason it can happen.

All it means is that someone is going to index.php?action=something (where the something can be anything) and there isn't a matching entry in the who's online language storage, so it doesn't know what action the user is trying.

[Alycat]

ok, thanks, probably just a bot trying something ... just a bit jumpy here!

[Alycat]

Looks like they are now trying to guess passwords to log on ...

[Arantor]

Ahhhh, this is nothing new. In fact this strongly reminds of the behaviour we saw back in 2010, same deal: floods of spam, then floods of trying to brute force accounts.

[Sweetwater]

Been getting flooded as well.

Slowed it down initally by banning all .ru domains then added a stack of other countries that have nothing to do with what my forum is about, but a few are still getting through. Then added some more unique local questions. They had worked out my existing questions, so there's some new ones. See if that stops them.

[timetraveller]

It's a low cost way for them to make money. Not by ransom but simply because there are people naive enough to click on the product links, pay them money - and the cost to running such a thing is negligible.

I have new members set to post approval for the first five posts. Hopefully that's a secure way of stopping them from posting their dodgy links, if for some reason they slip through the member approval net.

[Kindred]

timetraveller.... it's much better to intercept and stop them before they even register in the first place.

[TheDragon]

we get lately 1-3 per week - and got 100 in 2 days / all got stuck at waiting admin approval / even before I read these other posts on the topic / this morning I bumped captcha from easy = to hardest, changed my Q&A from answer 2 of 3 to 3 of 5 (and redid the ones that were there) = got ZERO new registrations since

Question / for the 75 still in Que (the first 25 we allowed in a as read only (ie can not post)
so, I was thinking - JUST IN CASE - we have some real people in the mix - how about I send a reject letter to all - and say - if you are real human  just re-register ??
or something similar ??

and
please do not YELL at me
I share the following for the 'owners'
I still use 2.04 and had the same issues as those with 2.09
I have lots of hand edits to my site CSS and some php and do not want to lose it with upgrades

[Kindred]

TheDragon ---   applying patches using the package manager means you don't lose coding.   Don't be an idiot...  2.0.4 has KNOWN security issues.
But that is neither here not there for this spammer influx.

Captcha is useless -- actually, captcha, at this point, is worse than useless - it affects real, live users badly... and does nothing at all to even slow down spambots.

[TheDragon]

ok - will try a master back and patch away

[Douglas]

Everyone needs to follow Arantor's advice in Question #12. I'm actually surprised that I hadn't even considered that option.

I'm going to drive both FF and Hogville's questions to 20 with 3 required.

To further throw these spambots off... don't be afraid to use images. The questions can and will parse BBC code, so I am now incorporating that into the mix, as well.

::hangs head in shame:: I should've been more aware of communication between operators of spambots. Thanks, Arantor, for the nudge.

[Arantor]

The collaboration thing is nothing new but it's previously only been on a small scale. This new avalanche is, well, new. Not entirely unexpected, but most certainly not welcome.

And, anytime Douglas

[Gwenwyfar]

Everyone needs to follow Arantor's advice in Question #12. I'm actually surprised that I hadn't even considered that option.

I'm going to drive both FF and Hogville's questions to 20 with 3 required.

To further throw these spambots off... don't be afraid to use images. The questions can and will parse BBC code, so I am now incorporating that into the mix, as well.

::hangs head in shame:: I should've been more aware of communication between operators of spambots. Thanks, Arantor, for the nudge.

Interesting to know about the bbc, I thought it was just text. Could make some nice new questions out of that. Didn't have any problems with bots so far other than some huge lists of completely unreadable gibberish posted as visitors, like once a day until I realized I had left the captcha on. I disabled that, leaving just questions and its been fine every since, but always better to be prepared

(Don't quite get the point of those spammers I got though, what would they achieve when nothing they wrote is even readable? Just being a pain in the ass is not profitable, and if it was that, posting once a day is not a pain in the ass either. It was similar to this, but filling a huge post: "sfh dfg rtyh4rutwyi teghleriufw wertfhweui weduwhdu" )

[Sweetwater]

Been getting flooded as well.

Slowed it down initally by banning all .ru domains then added a stack of other countries that have nothing to do with what my forum is about, but a few are still getting through. Then added some more unique local questions. They had worked out my existing questions, so there's some new ones. See if that stops them.

New questions have them stumped for the time being, I also changed the order of them as it looks to consistently grab the same 5 questionsfrom the 10 available.

No new bots registered for 12 hours. 

Great tip on the BB code, will add that.

[wunderbunny]

I'd also suggest looking at the wiki page previously mentioned, it offers some useful suggestions. There are a variety of anti spam mods available, and making your site further from the norm will certainly help.

As a very first line of defence, my Misc Anti Spam mod will help a little

@Arantor, I've followed your advice.  Thank you.  It has been very helpful.

I installed Stop Forum Spam and the spambot registration stopped immediately.  I also copied the banned IP ranges to the .htaccess file (not sure if this is a good idea).  Then I re-wrote all my registration questions, installed your Misc Anti Spam mod and switched OFF Stop Forum Spam.  No spambot registrations.

For now, I disable registrations at night and re-enable them in the morning.  I will restore Stop Forum Spam because I'll never know when the spambots will update their database.

[user1234]

Yes, that is how it works.

Thank you Arantor. I increased my question list to 28, and still require 5 to be answered.
It is going on 3 days with no spam registrants whatsoever (or any others, which is normal).