Recent problems with spambots

Everything about this website and its content. Here you will find update announcements or requests for feedback. Questions about layout, functionality, content, and your suggestions are welcome.
User avatar
Pierce89
60
Joined: 21 Oct 2009, 18:38

Re: Recent problems with spambots

Post

Greg Locock wrote:more like 24 hours

maybe its the ghost of White Blue
The posts weren't nearly annoying enough to be the ghost of WB.
“To be able to actually make something is awfully nice”
Bruce McLaren on building his first McLaren racecars, 1970

“I've got to be careful what I say, but possibly to probably Juan would have had a bigger go”
Sir Frank Williams after the 2003 Canadian GP, where Ralf hesitated to pass brother M. Schumacher

User avatar
Steven
Owner
Joined: 19 Aug 2002, 18:32
Location: Belgium

Re: Recent problems with spambots

Post

First of all, let me explain again what measures we have in place against spammers.

1. User is checked on ip, email, username on stopforumspam.com (blocking more than 25 regs each day). Some gets through because the user isn't listed there yet at the time he ends up on our forum. When checking manually later, it's present. Obviously the occasional pass is unavoidable, as someone obviously has to be the first.
2. User is required to anwer our anti-spam registration question. Catpchas were removed years ago as they proved to be even less effective that what we have now.
3. If passed, username and email are checked for our naughty words list and prevented reg if anything mathes
4. Each post for users with less than 10 approved posts is passed through our own spamfilter, checking for foreign characters, naughty words, lots of links, etc. When dubious, it's put on the modqueue for moderator approval first (often ending up with the user and his posts being deleted entirely
5. When a user changes his profile (sig, occupation, ....), all is checked again for spamwords. Matches will get the account permanently disabled (until the admin decides otherwise, however this has happened less than a handful of times). This also catches around 5 users each day before making their first post.

Also note that each time a post gets through, it's added to my spamtest list as I continuously adapt the spamfilter here.

I can tell you that we end up with approx 10 detected spamposts per day (that only the mods see), and unfortunately some gets through. It's important that you report them as soon as possible. We do our very best to kick them out as soon as possible.

wesley123
wesley123
204
Joined: 23 Feb 2008, 17:55

Re: Recent problems with spambots

Post

I see a lot of spambots who have a link in their signature, why not disable the signature and allow it on 20+ posts?
"Bite my shiny metal ass" - Bender

Greg Locock
Greg Locock
236
Joined: 30 Jun 2012, 00:48

Re: Recent problems with spambots

Post

Steven-thanks, how about farming out the first 10 posts from any new user to a randomly chosen contributor with say 50 points, for him to moderate? All we need to do is weed out the machine spam , mere idiocy will be dealt with as usual.

Roughly how many new members are there per week?

User avatar
Steven
Owner
Joined: 19 Aug 2002, 18:32
Location: Belgium

Re: Recent problems with spambots

Post

FYI, on 25 July we had 96 successful spamuser registrations
11 of those made a post before more of them got automatically locked upon setting profile or signature
1 of those posts got through the spamfilter

(We don't keep track of failed user registrations, such as those who fail to correctly answer the spamquestion or with usernames that include spamwords)

User avatar
Steven
Owner
Joined: 19 Aug 2002, 18:32
Location: Belgium

Re: Recent problems with spambots

Post

As some of you have been informed or found out themselves, recent spammers are often just copying text from a post earlier in the same thread, making it look like somewhat ontopic. The spammers sometimes add a link, and usually add a signature to their profile after making one or two posts. It also happens often that this is done in old threads (with the last post often several months ago).

If you see anything like that, please do report and don't bother replying. We're doing what we can to filter stuff out, but some of these spammers aren't known in the spam database yet, and with such posts are extremely hard to detect (it's not impossible of course...)

Apart from that, medical and other more obvious spam has been rather extreme in recent days, fortunately only one such post slipped through in the last 7 days.

User avatar
Tim.Wright
330
Joined: 13 Feb 2009, 06:29

Re: Recent problems with spambots

Post

Is is possible to setup a mechanism which deletes all of a user's posts (temporarily) if he is reported for spam? That would have solved some of the more recent issues we've had here.
Not the engineer at Force India

wesley123
wesley123
204
Joined: 23 Feb 2008, 17:55

Re: Recent problems with spambots

Post

Okay this is just ironic
"Bite my shiny metal ass" - Bender

User avatar
turbof1
Moderator
Joined: 19 Jul 2012, 21:36
Location: MountDoom CFD Matrix

Re: Recent problems with spambots

Post

Oh damn... .

One spambot slipped through the filter and made a staggering 100+ posts (that'll butthurt my finger removing all of those). It never made any advertising in its posts, but simply posts so much to have the link in its signature, which is the advertising, to show as much.

I'll ask Steven if we can keep members from using a link in the signature until they've made atleast a few posts. That way we can block such cases.

To be honest, even I am still a little bit confused whether this is a true spambot, or a real person who is a bit too chatty :? .

EDIT: I'll leave the brunt of the posts for now untouched, since Steven will need to see how this thing works in the first place, so that we can attempt to prevent this. They'll be removed however as soon as we have a solution planned out!
#AeroFrodo

George-Jung
George-Jung
18
Joined: 29 Apr 2014, 15:39

Re: Recent problems with spambots

Post

And we have a new one.. robbybobby.. =D>

User avatar
turbof1
Moderator
Joined: 19 Jul 2012, 21:36
Location: MountDoom CFD Matrix

Re: Recent problems with spambots

Post

I noticed. I'm going to get rid of this one's posts.

HOPEFULLY that'll be the last one. I'm going to sleep after this. I really do not want to wake up with a spambot apocalypse.
#AeroFrodo

User avatar
Phil
66
Joined: 25 Sep 2012, 16:22

Re: Recent problems with spambots

Post

Spambots are very predictable. In the most basic sense, they are simple scripts, executed on either malware infested systems or webservers and serve the sole purpous of finding forms on websites (<form name....></form>) and fill them out, either with the goal to insert malicous (javascripts) scripts or to add urls to infected sites. Sometimes, they just exist for the pure sake of a bit of fun by the creator to see his little 'work of art populate the internet and spread the love...err message'.

Anyway, the most simple spam bot will simply look for <form> tags and fill out any inputfield it can find. More complex spambots have algorityhms to detect what kind of inputfield require which data, for example email fields that usually have some form of validation to check the validy of an email address. Even more complex bots can handle basic forms of captchas too.

Which brings me to the next point;
The easiest way to create a spam bot (one that works) is to target a specific platform. Why? Because regardless if its a f1 website, or a forum on girls-talk, dating etc - the common ground is that the platform behind it is the same application / board or website software. That means that all inputfield are named precisely the same in the HTML code, which makes it easy for a spambot programmer to target that specific platform. They also have the same captcha protection as a common-ground, and if the programmer can crack one, he cracked them all. When you have this, you have a dedicated spam-bot.

Unfortunately for those using purchased or downloaded platforms such as phpBB or others is that people who use these types of boards have zero programming expertice and simply rely on the software vendors updates to secure themselves against these types of attacks. So it's essentially hard to solve, unless you do have a bit of programming experience and are not shy of altering the software itself to make it differ from the rest. But then you can forget about all these comfortable updates. ;)

Anyway, long point short - it's difficult to protect yourself against spam-bots if you are using generic software for your board or website. A easy example is Joomla, a CMS (content managment system) which allows many people to create complex websites through the use of the application. Easy and impressive, but they all suffer from the same security leaks. Hack one and the chance is you've hacked them all sort of speak. Same applies to forum software such as phpBB such as this one here.

Last point; How do you protect yourself from spam-bots?
There are a few techniques that work. Spam-bots are stupid - they are just a script by its creator that do what they were programmed for. If you add a hiddenfield - that is an inputfield that is within the html code but not visible through a browser because of its attribut (the property hidden through an external CSS attribut), a bot will likely still fill it out because it just assumes it's another field it can enter its rubbish into. If you then check upon submitting the form if that inputfield has data on it, simply discard it - it's likely originating from a bot. The other alternative is to use better captchas, but are a nuisance to legit board users.

How to solve it on this board? Make the registration step more difficult. For example; only allow new registrants to post on the site when they've been okayed by an administrator. Good because it avoids the crap being posted - but it wouldn't help with administrators having to do work and discard a list of new registrants that are all just bots.

Even better solution: if you have access to the php.ini file (essentially the php-config file), you can prepend a php-script to every page on this site - that checks every POST-Request-method (essentially, the request type that is used when a form is filled out and submitted) and do a bit of basic validation. If there is rubbish, simply throw an exit command to end the script and the data is never submitted into the database.

Easy as pie.
Not for nothing, Rosberg's Championship is the only thing that lends credibility to Hamilton's recent success. Otherwise, he'd just be the guy who's had the best car. — bhall II
#Team44 supporter

Richard
Richard
Moderator
Joined: 15 Apr 2009, 14:41
Location: UK

Re: Recent problems with spambots

Post

Phil wrote: If you add a hiddenfield - that is an inputfield that is within the html code but not visible through a browser because of its attribut (the property hidden through an external CSS attribut), a bot will likely still fill it out because it just assumes it's another field it can enter its rubbish into. If you then check upon submitting the form if that inputfield has data on it, simply discard it - it's likely originating from a bot.
This is a technique used by several "honey pot" traps and we subscribe to a database that compiles bots caught in those traps. However, the recent flurry of bots that have apeared here don't feature in that database. Maybe those bots have found a way to evade the honey pots, or perhaps the bots are actually humans?

I think the hidden field would be worth coding if Steven can do that, even if it filters a few spammers it'll save us hassle because we currently have to manually remove 5 to 10 bots a day. Most of them are caught in the approval queue by our naughty word spam filter, but 2 or 3 are evading the filters at the moment.

We currently ask questions in the registration form as a human detector, we could refresh those, or switch to a more sophisticated captcha?

The other thing is that these aren't bots from infected computers, they nearly all originate from IPs in Pakistan, India or Russia. I'd expect infected computers to come from a broader range of countries?

User avatar
Phil
66
Joined: 25 Sep 2012, 16:22

Re: Recent problems with spambots

Post

Richard,

The hiddenfield might work, but it means altering the phpBB php files which usually not good for maintainability. Which is why the php prepend option is good, because you can add a layer of logic outside the phpBB code. Can you check with your webhost if you can configure a prepend file?

The ip address does perhaps point to actual humans - but i cant imagine so eone taking the time to so with so little "reward". As a programmer myself, actually programming a spam-bot sounds more fun than spamming forums by hand. Given that phpBB has been around for nearly as long as the internet, i think it's just a bit more vulnerable. But i think solvable too. The question is only at how much expense in regards to maintainabilty.
Not for nothing, Rosberg's Championship is the only thing that lends credibility to Hamilton's recent success. Otherwise, he'd just be the guy who's had the best car. — bhall II
#Team44 supporter

wesley123
wesley123
204
Joined: 23 Feb 2008, 17:55

Re: Recent problems with spambots

Post

Richard wrote: The other thing is that these aren't bots from infected computers, they nearly all originate from IPs in Pakistan, India or Russia. I'd expect infected computers to come from a broader range of countries?
Not if it was a direct attack towards that area(see, Stuxnet for example.).

Also, who says they are infected? Believe it or not, there is good money in doing such bad, bad things on the internet. People pay a good amount of money to have Captcha's cracked, for example, there are lots of services in those areas of the globe where people just solve captchas all day.

But on the Captcha thing. I heard that Google was trying out a new form where it simply checks user action to determine if it's a bot or not, saw it implemented on Tumblr, but I'd doubt that would work if it's an actual human being making these spam accounts.

Never heard of the hiddenfield trick before, certainly an interesting one. It might work if that field refers to validating your e-mail(typing it a second time) without it actually being necessary. A spambot would fill it in as it needs to verify it's e-mail adress twice.
"Bite my shiny metal ass" - Bender