
Spam Attack Potential DDOS Scared!

Started by newbieforumaster, July 28, 2017, 12:59:23 PM


newbieforumaster

Hi my site http://bathroomgraffitti.com has gotten a horrible spam attack. It was fine last night but 9 accounts from the same guy have been spamming with pharmaceuticals over and over again all morning in different languages. It got so bad I had to take the site offline and ban them.

But now the guest traffic is going through the roof. I contacted my host. But am I being hacked?

What do I do?

Thank you for your help :)

a10

Assuming it's automated bots, not human bots, and unless you see 1000s of guests every minute, you're probably not DDoS'ed etc. With a real DDoS your host would have killed your site access long ago :O)

How many registration questions do you use, how many are set active, what kind \ style of questions, how often do you change questions.

ftm, set your forum to admin approval for new members, and check every ip \ email against spam databases (example stopforumspam etc) before letting them through.

The above will be a good start towards getting some respite while planning\investigating the most suitable anti-spam measures to implement.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Sir Osis of Liver

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

newbieforumaster

It's fixed for now but how do I check for malicious code? I did a Sucuri site scan (http://bathroomgraffitti.com) and MALICIOUS code came up!

BUT it might have been confusing the "maintenance mode" feature as malware (because if I remember right the malicious code said something about maintenance mode and disabled warnings)

I checked again after clearing browser data and my site came CLEAN.

How do I triple check?

Thanks

Kindred

Spammers are not hackers... they don't insert malicious code

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

newbieforumaster

Could this be malicious code? I talked to my host and said it was not but I just want to check :)

(see photo)

Kindred

No, it is not, whatever program you are testing with is a piece of junk.

newbieforumaster

I was using Sucuri site scan. Are you saying Sucuri is flawed? :)

(No hard feelings just want to know for future reference :) )

Is there malware on my site? (The spam got so bad it was over 20 users posting over 50 messages over and over again! I had to shut the site down for a few hours.)

Illori

Quote from: newbieforumaster on July 28, 2017, 10:49:20 PM
I was using Sucuri site scan. Are you saying Sucuri is flawed? :)

that site is not even looking at the content of the files on your host from what i can see, as a result it cannot tell you if you have been hacked or not unless all the files are HTML which SMF is not.

best way to know if you have been hacked is to check the modify date on your files to see if any have been changed, do keep in mind this means that the hacker has gotten access to your FTP or cpanel credentials [or admin access to your forum].
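The modification-date check described in the post above, as an added example that is not part of the original thread. It goes one step further and also compares the live files with a clean copy of the same release, because a file's timestamp alone does not prove it is unchanged; the function names, paths and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths, file names and contents are constructed samples.

# Files under $1 with a modification time newer than reference file $2
# (pass $2 as an absolute path).
changed_since() {
    ( cd "$1" && find . -type f -newer "$2" | LC_ALL=C sort )
}

# Compare live tree $1 with a clean copy $2 of the same release by content,
# so a file with an old-looking timestamp is still reported.
diff_against_clean() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            echo "ADDED $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Build the sample under $1: clean tree, live copy, and a reference file
# stamped with the last time the site was known to be good.
build_sample() {
    mkdir -p "$1/clean/Sources" "$1/live"
    echo '<?php /* index */' > "$1/clean/index.php"
    echo '<?php /* load */' > "$1/clean/Sources/Load.php"
    cp -R "$1/clean/." "$1/live/"
    find "$1/live" -type f -exec touch -t 201707010000 {} +
    touch -t 201707270000 "$1/known_good"
    echo '/* edited after the reference time */' >> "$1/live/index.php"
    echo '<?php /* extra file */' > "$1/live/Sources/extra.php"
    touch -t 201706150000 "$1/live/Sources/extra.php"  # old timestamp
}

tmp=$(mktemp -d)
build_sample "$tmp"
echo "Newer than reference:";    changed_since "$tmp/live" "$tmp/known_good"
echo "Differs from clean copy:"; diff_against_clean "$tmp/live" "$tmp/clean"
rm -rf "$tmp"
```

On a real install, Settings.php and the attachments and cache directories will legitimately differ from a fresh package, so review the reported paths rather than treating every line as a compromise.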

a10

So...

Quote: How many registration questions do you use, how many are set active, what kind \ style of questions, how often do you change questions.

newbieforumaster

Quote from: a10 on July 29, 2017, 12:31:40 PM
So...

Quote: How many registration questions do you use, how many are set active, what kind \ style of questions, how often do you change questions.

Well when I look back I realized it was stupid. First I did instant registration (with captcha), but when spammers started abusing it I switched to email confirmation (with captcha). That is when the spam attack happened. I did not have any security questions at the time.

But now that spammers have abused the system I did admin approval and captcha and a security question.

Are there better malware scanners out there similar to Sucuri?

Thanks :)

Kindred

Your site was almost certainly not hacked and there is almost certainly no malware.

Spammers are not hackers.
Spammers post crap, hackers sneak in and add stuff to your site files.

Did you read the FAQ on preventing spammers?
You should have 10-20 good questions and ask 2 or 3 for each registration.

newbieforumaster

I checked my site again and it's clean HOWEVER! Now my site is getting exclusively spam traffic. My host and I blocked the IPs but the same spammers who used those IPs keep coming back.

At times it is over 40 spam users visiting my site. BUT luckily they can't register.

I heard getting spam traffic without spamming can hurt your rankings.

What do I do?

Thanks :)

Kindred

1- banning or blocking by IP address is basically pointless since every spammer/spambot can change IP in a heartbeat.
2- spam traffic without spam posts has no effect on Google rankings. EVERY site gets spam attempts -- so Google would be penalizing everyone... spam posts, however, WILL hurt your ranking.
3- if the spammers are no longer getting in/registering/posting, then just ignore them.

newbieforumaster

So you are saying just to ignore them? It is like over 40 spam guests and it is increasing every minute. It has been like this all day. It is also the exact same people. I blocked them and when they keep visiting they get the error message that they are banned.

The IPs are from Brazil, Mexico, Russia, Eastern Europe, and Southeast Asia. Should I try to block those regions with Cloudflare and other software?

(Would it be safe to post their IPs here to show you?)

Thank you very much for your help :)

Illori

Don't waste your time banning them, just keep them from registering and forget about them.

newbieforumaster

So my host and I blocked several countries' IPs completely (on the server). The spam traffic went down. However, I do not think I completely blocked the 9 spammers. (I blocked the IPs I believe but not their networks.) But since I blocked the countries of origin from the server is that sufficient? Or should I try to un-ban the members and re-ban them completely on the Simple Machines software? (If so how would I do it?)

Thank you :)

a10

Experimented with the massive IP ban route long ago, ended in chaos for members and admins (for example, IPs for different countries change \ get reallocated to some other country, needs constant monitoring\updates etc).

Using IPs to ban bots is useless in the long run and will one day turn into big problems for the day to day running of the forum.

As already recommended (do you read the posts here ?): add a dozen+ good questions, set 3 or 4 active, and...
*** forget all about automated botnets and their visits \ attempts to register ***

A very few human spammers may get through now and then, if the case, keep admin approval or\and add some automated look-up mod to a spam database.

newbieforumaster

I added security questions prior but my traffic was exclusively spam traffic. My site is fine for now but if I block countries' IPs how is that problematic? I understand it would block some legit users but other than that what would be the issue? (just want to know for future reference :) )

Thanks :)

Steve

Quote from: newbieforumaster on July 31, 2017, 07:40:39 PM
... if I block countries' IPs how is that problematic? I understand it would block some legit users ...

That's exactly why it's problematic.
DO NOT pm me for support!
