Spam problem
Asked Modified Viewed 78,863 times
asked
I've recently had literally thousands of spam messages posted as comments on my site. They have to have been generated by bots, no human could have posted so many messages.
The problem seems to be that the image validation code can be read by bots, is there any way to make it more challenging for them?
I've tried using email validation in the past, but that causes more problems than it solves. Many people who tried to register said they didn't receive the confirmation mail, and I suspect it's often ended up in people's spam bins without them noticing.
The problem seems to be that the image validation code can be read by bots, is there any way to make it more challenging for them?
I've tried using email validation in the past, but that causes more problems than it solves. Many people who tried to register said they didn't receive the confirmation mail, and I suspect it's often ended up in people's spam bins without them noticing.
Falk
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
The code is definitely random where i have tested it, i refreshed over 100 times, each code was unique. Maybe certain setups act differently, i dont know. I thinks its obvious we some sort of spam filter (wordpress use Askimet for example, which i have started considering). From what i've read, these bots can decipher validation images, no matter how complex. We will strive to resolve this issue i assure you.
moppentappers
- Junior Member, joined since
- Contributed 26 posts on the community forums.
- Started 4 threads in the forums
if a few guys just comment the change e-mail field we could see what e-mail adres is doing this
answered
moppentappers,
I already listed that information on the first page of this thread.
1. Name= Luis (with 4 numbers)
email= u72.15.530.luis@eemjbh.info
IP= 66.154.87.10
2. Name= Herman (with 4 numbers)
email= u74.17.152.herman@ovtdpupw.info
IP= 61.55.135.167
I sent emails to the above addresses at that time and they never came back to me undeliverable. I assume some server received those emails.
I have had my site set NOT TO ALLOW any members to change their email address once they register.
I already listed that information on the first page of this thread.
1. Name= Luis (with 4 numbers)
email= u72.15.530.luis@eemjbh.info
IP= 66.154.87.10
2. Name= Herman (with 4 numbers)
email= u74.17.152.herman@ovtdpupw.info
IP= 61.55.135.167
I sent emails to the above addresses at that time and they never came back to me undeliverable. I assume some server received those emails.
I have had my site set NOT TO ALLOW any members to change their email address once they register.
Falk
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
Quote
TammyK wrote:
On Monday I'll put a log on the registration form on my site.
Something to look at, why is it only spamming the comments? Once registered, it should be able to hit the forums just as hard, but it's only spamming the comments.
Yeah its odd how its only comments get spammed. The log sounds useful, keep us informed ;)
answered
First off, thanks to everyone for the great product.
A lot of email servers have a catch-all email account for email sent to addresses that don't exist. So, even if the emails used are fake, the server might be sending any email sent to these fake email to an account.
How did you do that? Is it an updated file and is it in the settings already? thank you
Quote
Joe Kriz wrote:
snip..
I sent emails to the above addresses at that time and they never came back to me undeliverable. I assume some server received those emails.
snip..
A lot of email servers have a catch-all email account for email sent to addresses that don't exist. So, even if the emails used are fake, the server might be sending any email sent to these fake email to an account.
Quote
Joe Kriz wrote:
snip..
I have had my site set NOT TO ALLOW any members to change their email address once they register.
snip..
How did you do that? Is it an updated file and is it in the settings already? thank you
answered
It's a never ending fight.
Take a view on all the spam mods that have been produced for phpBB2:
http://www.phpbb.com/community/viewto...p?t=427852
The spam bots do in fact crack the default validation image for phpBB2 and for the upcoming phpBB3 the spam bots are already starting to crack the validation image as well.
I think that what is needed is some kind of unique user customization for each specific PHPFusion installation in order to make it difficult to code a standard spam bot that just follow the stock PHPFusion sign up process.
Take a view on all the spam mods that have been produced for phpBB2:
http://www.phpbb.com/community/viewto...p?t=427852
The spam bots do in fact crack the default validation image for phpBB2 and for the upcoming phpBB3 the spam bots are already starting to crack the validation image as well.
I think that what is needed is some kind of unique user customization for each specific PHPFusion installation in order to make it difficult to code a standard spam bot that just follow the stock PHPFusion sign up process.
Falk
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
More useful information, it all helps ;)
answered
Quote
TammyK wrote:
Something to look at, why is it only spamming the comments? Once registered, it should be able to hit the forums just as hard, but it's only spamming the comments.
Probably because he just wants to show off. I would assume that if you are a hacker and you want to impress other imature people, you would just want to prove that you're in and do that a lot of places. Creating a big mess by also spamming the forum wouldn't be more impressive, just more destructive.
Maybe there such a thing as a semi-friendly hacker after all...;)
answered
Allright, allright... If you say so.... ;)
answered
Just a bit of food for thought.
I am in the position where this site is brand new so I can watch what happened a bit (haven't been hit since initial time about 2 weeks ago).
All news items were hit simultaneously. Is there a hole in the comment section that will allow to insert generated text into that area, whereas in the forums they are unable to get in. I agree that if they could, I am sure that they would use the forums as well.
Just my 2 cents.
I am in the position where this site is brand new so I can watch what happened a bit (haven't been hit since initial time about 2 weeks ago).
All news items were hit simultaneously. Is there a hole in the comment section that will allow to insert generated text into that area, whereas in the forums they are unable to get in. I agree that if they could, I am sure that they would use the forums as well.
Just my 2 cents.
answered
Well, I switched to activation by admin and I just saw a new attempt to get back into my site by these guys.:
:@
username:romaine10152
email:mailto:u101.18.116.romaine@flqsatko.info
ip addy:67.15.183.3
So, as long as they can't get pass me, I should be OK. Of course for those of you who have hundreds or more members, I feel for you. However, they follow the same pattern every time so far. So, it's easy to recognize them.
Hope a fix can be found soon.:|
Edit:
OK, it seems that they first try to add themselves as new members with a normal looking name. Then they add a new account that has a name followed by numbers which is the one they use to spam the comments. I caught the one above and almost allowed another new member that looked OK at first. However, after I googled the name, it came up on many forums. That's what gave it away. Also, I researched the IP address and the geo location and it made no sense for someone from across the world to want to join my little hometown website. So, it seems this one is another one of their attempts to get in too:
username:2n2kas
email:jahh@walla.com
IP addy:84.15.70.40
So, start looking at new members closely. They are using simple looking usernames too. By the way, subimp997 and irupeteq are another two names.
:@
username:romaine10152
email:mailto:u101.18.116.romaine@flqsatko.info
ip addy:67.15.183.3
So, as long as they can't get pass me, I should be OK. Of course for those of you who have hundreds or more members, I feel for you. However, they follow the same pattern every time so far. So, it's easy to recognize them.
Hope a fix can be found soon.:|
Edit:
OK, it seems that they first try to add themselves as new members with a normal looking name. Then they add a new account that has a name followed by numbers which is the one they use to spam the comments. I caught the one above and almost allowed another new member that looked OK at first. However, after I googled the name, it came up on many forums. That's what gave it away. Also, I researched the IP address and the geo location and it made no sense for someone from across the world to want to join my little hometown website. So, it seems this one is another one of their attempts to get in too:
username:2n2kas
email:jahh@walla.com
IP addy:84.15.70.40
So, start looking at new members closely. They are using simple looking usernames too. By the way, subimp997 and irupeteq are another two names.
Edited by joecrow on 27-03-2007 05:36,
answered
Quote
TammyK wrote:Quote
Yxos wrote:
Allright, allright... If you say so.... ;)
Well the ones who've done it to me in the past on my other project follow that pattern. :@
I've had it too. See
http://php-fusion.co.uk/forum/viewthr...d_id=16001
Probably it's not the same people who does the attacks in the above thread and the ones that cleverly manages to register as described in this thread.
I agree the its not very "friendly" to post porn links in the comments box, but the comments that I've seen are pretty clumsy, and the link doesnt work, so even he manages to put the link in the comments, its not very comvincing. Especialy if you put an English phrase on a 100% Danish (or other) site.
So, if you are so clever that you can get passed all the verification, why not put some more effort in making the comment look as if it was put by a person and not a machine.
Maybe a dumb, semi-friendly geek ?
answered
This is not a solution, but perhaps (at least) a temporary aid: store all original emails. If Joe registers with joe@blahblah.com, then that goes in the original email database field. Then the bot can change the email address, but the admin can look up the original email. Again, not a fix but it will give users who have turned admin activation on an idea about addresses to look out for. Otherwise, who do we know to be OK to validate?
Also, somehow ban @xxxx.info addresses. Admit it, how many users out there use .info? It may block some valid users but when attacking spam - or any other large problem - there are typically no perfect solutions.
Of course, the spammers will catch on to this and change tactics, but like the various security firms making antivirus software, its an ongoing battle. Face reality: if you have a web presence, security will always be an issue.
EDIT (MORE): Also, why not implement a type of email validation of comments, posts, etc. (hereby referred by just "posts"
. While this may present a problem (flooding) if the number gets large, perhaps it can be coupled with the implementation of a "trusted user" status. In other words, new users must have X number of validated/verified posts before they can post without such a measure. So, for instance, the admin can set the level at 20 posts before this measure is turned off. While this may inconvenience new users, if you make them aware that this is a step to protect them from inappropriate posts, they will put up with it if they are legit.
Of course, you'd need to limit the number of verification emails sent out for the posts so you don't flood the SMTP server, but this can be coded in.
Also, somehow ban @xxxx.info addresses. Admit it, how many users out there use .info? It may block some valid users but when attacking spam - or any other large problem - there are typically no perfect solutions.
Of course, the spammers will catch on to this and change tactics, but like the various security firms making antivirus software, its an ongoing battle. Face reality: if you have a web presence, security will always be an issue.
EDIT (MORE): Also, why not implement a type of email validation of comments, posts, etc. (hereby referred by just "posts"
. While this may present a problem (flooding) if the number gets large, perhaps it can be coupled with the implementation of a "trusted user" status. In other words, new users must have X number of validated/verified posts before they can post without such a measure. So, for instance, the admin can set the level at 20 posts before this measure is turned off. While this may inconvenience new users, if you make them aware that this is a step to protect them from inappropriate posts, they will put up with it if they are legit.Of course, you'd need to limit the number of verification emails sent out for the posts so you don't flood the SMTP server, but this can be coded in.
Edited by braajeri on 27-03-2007 14:49,
TammyK's solution doesn't work, guys like jason15413 registered few times and spammed on my site
please anyone do something its annoying:o:o:o
please anyone do something its annoying:o:o:o
answered
Quote
TammyK wrote:
I can find where they viewed the page to submit the comments. They're hitting each news item/article 3 times. It looks like they're maybe reading the news_cats.php and articles.php pages to generate a list of all news items and articles then posting a single comment to each one.
Mmm. That makes it a lot harder if they are doing it manually.
I was going through some tutorials on mysql (trying to learn how to set up a RDBMS) and I came up with this bit of code.
Code Download source
WHERE yourcolumn >= DATE_SUB(CURRENT_TIMESTAMP, INTERVAL 30 MINUTE)I believe it is used to select the records that have been entered into the database within a certain period of time. The code example is set at 30 minutes.
I do not know how to utilise it at the moment but I am sure that the gurus here will be able to apply it. Perhaps it is a way at least to be able to monitor the entries until a solution is found.
answered
I've switched to a different tactic, for those who currently do not use the bad word filter, get one of the posts made by spammer, then simply add the whole post to the bad words filter, as it is all one line it will pick it up as one entry.
Now the spammers get the message *** Blocked by Admin
instead of my site getting spammed to hell, leaving me plenty of time to block (Thus holding the username/email) and remove the spammed comments.
Now the spammers get the message *** Blocked by Admin
instead of my site getting spammed to hell, leaving me plenty of time to block (Thus holding the username/email) and remove the spammed comments.
answered
Here's an idea on captcha type protection, but could be potentially less readable by a bot. Run algorithm to generate a random number (4 or more digits). Then, display that number with pixel sized images rather than any type of text. In other words, the image would be 1x1 pixel, and several of the images would be displayed together to form an image of the number. This could also be randomized so that the number displayed would not be on one line but the first number could be higher than the next, the next on a mid level, etc. I don't have access to a graphics program to generate an example, but I think you can get my idea from the description. Since the correct number would be generated at runtime, it would be inaccessible by reading the rendered HTML.
answered
Name: bela10176
Email: u101.14.399.bela@cfcow.info
IP: 69.61.55.58
Not all news items this time.
Email: u101.14.399.bela@cfcow.info
IP: 69.61.55.58
Not all news items this time.
answered
Quote
joecrow wrote:
Edit:
OK, it seems that they first try to add themselves as new members with a normal looking name. Then they add a new account that has a name followed by numbers which is the one they use to spam the comments. I caught the one above and almost allowed another new member that looked OK at first. However, after I googled the name, it came up on many forums. That's what gave it away. Also, I researched the IP address and the geo location and it made no sense for someone from across the world to want to join my little hometown website. So, it seems this one is another one of their attempts to get in too:
username:2n2kas
email:jahh@walla.com
IP addy:84.15.70.40
So, start looking at new members closely. They are using simple looking usernames too. By the way, subimp997 and irupeteq are another two names.
I checked my site for members as written above after a few spam-bot attacks, and i found this user:
username: Lorder
email: jurox@walla.com
Ip add: 88.118.83.158
Can anyone confirm that these walla.com accounts has(or dont) something to do with the spambots?
Edit: This guy (Lorder) havn't made any spam on my website at all, just for the record :)
Edited by Lasse Jensen on 28-03-2007 02:11,
answered
Quote
Lasse Jensen wrote:
I checked my site for members as written above after a few spam-bot attacks, and i found this user:
username: Lorder
email: jurox@walla.com
Ip add: 88.118.83.158
Can anyone confirm that these walla.com accounts has(or dont) something to do with the spambots?
Edit: This guy (Lorder) havn't made any spam on my website at all, just for the record :)
I had already looked into this domain. It is owned by Teletel Communication Channels. However, it seems they use proxies that sometimes are in the states and other times in other parts of the world. I found this about them:
http://www.robtex.com/as/as13074.html
Now, look at the number of IP addresses they have: 2048
:| I hope that doesn't mean they have that many IP addresses at their disposal.
here's more info:
Registrant:
Teletel Communnication Channels
Iben Gavirol 166
Tel Aviv, 62032
IL
Domain Name: WALLA.COM
Administrative Contact , Technical Contact :
Teletel Communnication Channels
assi@walla.net.il
Iben Gavirol 166
Tel Aviv, 62032
IL
Phone: 97236010678
Record expires on 19-Dec-2006
Record created on 20-Dec-1995
Database last updated on 07-Mar-2005
Domain servers in listed order: Manage DNS
NS2.BEZEQINT.NET 192.115.106.11
DNS.TELETEL.CO.IL
NS3.BEZEQINT.NET 62.219.186.11
NS1.BEZEQINT.NET 192.115.106.10
Show underlying registry data for this record
Current Registrar: NETWORK SOLUTIONS, LLC.
IP Address: 192.118.82.148 (ARIN & RIPE IP search)
IP Location: IL(ISRAEL)
Record Type: Domain Name
Server Type: Apache 1
Lock Status: REGISTRAR-LOCK
Web Site Status: Active
DMOZ no listings
Y! Directory: see listings
Secure: No
E-commerce: No
Traffic Ranking: Not available
They provide free email accounts for spamming. Or they could be the ones doing the spamming. Who knows.
Category Forum
Official Core Support - 6Labels
None yet
Statistics
- Views 0 views
- Posts 169 posts
- Votes 0 votes
- Topic users 55 members
0 participants
Notifications
Track thread
You are not receiving notifications from this thread.
Related Questions