355 Spam posts in one evening (1.Viewing)

MapleDots

MapleDotsMapleDots is verified member.

MapleDots.ca
Community Guide
Joined
Nov 4, 2020
Topics
1,610
Posts
6,747
Likes
6,265
From
Waterloo, ON
Country flag
WordPress-Spam-Posts.jpg



Was horrified to see 355 spam posts caught in various stages of our spam filters.

All but three of them originated from India based ip addresses.

It's high time that India does something about this because it's out of control.

The only real answer I have for this is to ban IP's from India registering but that would affect legitimate users as well.

All part of running a public website I guess :eek:
 
Again, the spam hitting the contact form and registration form totaled in the hundreds last night and the night before. In both cases only one registration per night got through our security protocols.

That said, when I look at the logs there are thousands of hits from two country's that clog up all my stats and resources. I am currently at the end of my monthly uses and have to upgrade server resources at significant monthly expense.

I am first going to ip ban all activity from Russia to eliminate thousands of spam attempts.

Unfortunately this may impact about 5 active members from India and I will attempt to white list their IP's.

In the long run I will probably be adding additional countries to the ban list, but I don't see that being too problematic given we are highly specialized in .ca. I know we list other extensions too but that is mostly for the convenience of our members and not necessarily meant to attract users from other countries.

Looking at it from a usability side I think keeping our group small and tight, highly focused on .ca will make/keep the forum more conducive to it's users.
 
Last edited:
What I do is record failed recaptcha submissions into one logfile, and passed recaptcha submissions into another log file. That's done on the php/form side. Then I run a script to count up how many failures by IP, and from which countries. The script will blacklist IP addresses that pass whatever thresholds I set, using iptables. That'll make sure the server resources are not used as it just completely ignores those incoming connections. It's not unusual to find a single IP making thousands of attempts.

I have another version too for tracking IPs that are trying to log into my server - failed attempt gets your IP banned. But the ban is timestamped and released after a pre-defined time period.

There is probably software out there to do that too, but I first started doing it like 20 years ago, so I just stuck with rolling my own.
 
Yeah, I get you

I just puchased three pieces of software

One checks to see if you are a bot trying to sign up and it sends you in loops. It is 100% effective against bots for fake registrations.

The other one prevents you from logging in should your ip be logged on a list of nefarious ip addresses. Please note that now includes a lot of proxy services so if you are using a VPN you may not be able to login. That list gets updated daily and I can safelist a proxy.

The other place I get hundreds of spam is the yellow contact us link at the bottom of the page. It is required in case someone cannot login and reCaptcha has zero effect, the bots get right through. Again I now have custom software that sends the bots into loops.
 
MapleDots said:
Again I now have custom software that sends the bots into loops.
Click to expand...
If you have the option, just drop their IP at the firewall level so there are no resources sucked up on your end. Even blocked spammers may continue to try for months otherwise. It also wouldn't surprise me if the people that write software add-ons for spammers aren't the ones also doing the spamming... Cheap customer acquisition that way.
 
The problem with blocking ip's is you have to do it in batches because it's a never ending process. I get hundreds of hits from different Russian IP addresses daily and they are trying user /password combinations that have been compromised. It is done by a bot and I can ban ip addresses until the cows come home and never be on top of it.

I ended up banning all of Russia but I have just as big of a problem with India except I cant country ban it because there is a large domaining community in India.

So the way it's handle is the system recognizes its a bot and adds extra registration fields. When the bot then submits the system sees those fields filled out and knows it's a bot thus rejecting the registration. Real users who type slowly get recognized and those fields do not display allowing the registration to go through.

Same goes with the contact form and with login now. It's some pretty complex software changes to take care of that.

The only thing is real people, they can still be spammers but they can only register twice before the system flags them as a duplicate and we can shut them down.

I swear I've spent the last two days clearing out bogus accounts and spam posts, I had to do something and it's going to get interesting as I watch the logs tonight.




Here you can see the software at work (I only posted one ip address for the example)

Screenshot (18).png





That is just the contact form in the last 60 minutes, it does not get active until night time and then also the registration and login forms.
 
With a perl script, you can continuously follow a log file, so this script runs 24/7/365, and thus can keep running totals over any given time span of attempts by particular IPs, dropping them at the firewall level, then reopening them after a specified "timeout" period. If you're good with perl, its something you can startup at boot and never think about it again. And quite often you'll see the same spammers using multiple domains on the same c block so you can just "timeout" the whole c-block. But I usually only do that for the problem countries, i.e. china, russia, estonia, belarus, ukraine, etc... See the pattern of where all the cockroaches like to hide? In any case, if you like perl, its great. And more than anything, I like to know that it stops those cockroaches from using your system resources.
 
On average about 150 attempted registrations per night that are spam, the occasional one gets through, we are having to ban many VPN services so if you use a VPN you may have trouble accessing the board.

There is no solution because we have banned the offending countries. (Russia, India, Pakistan, Bangladesh) but they keep registering with generic email and different VPN's.

First 45 minutes of every morning is spent cleaning up and sorting through spam logs.

As of today we are joining the forum network that records all spam activity.


Screenshot (26).png



Any spammer posting...

ALL LINKS ARE ADDED TO THE SPAM DATABASE AND DISALLOWED, YOUR WORK IS FUTILE, YOU WILL BE DELETED EVERY DAY!!
 
Screenshot (27).png



Seconds after posting above the first one is caught in the moderation que


The Time Zone is a dead give away even though they are using a VPN

Will be writing a TIME Zone script to reject foreign time zones as well.

Scammers have to use a new

  • email address
  • vpn
  • time zone
  • not be listed on forum spam
  • etc
  • get deleted moments after posting

The futility of it all should eventually reduce the amount
 
Did you consider moving to an OAuth/social account based registration system?
That should take care of most spam.

The past two days, I have observed increased attacks on my websites.

We made two changes and it has been extremely effective so far.
1. Put all open forms including login and signup behind Cloudflare’s managed captcha challenge

2. Rate-limited form submissions from same IPs.

#1 was the most effective and simplest to deploy.
 
  • Like
Reactions: rlm
rath said:
We made two changes and it has been extremely effective so far.
1. Put all open forms including login and signup behind Cloudflare’s managed captcha challenge
Click to expand...

We have that already

The problem is labour is so cheap in India that the spammers are doing everything manually to bypass filters.

However you need a functioning email address to register and adding each one to the forum spam list NETWORK and sharing that list is key.
The have to register a new gmail account with every attempt and if it was ever used on another forum it gets caught.
 
I mentioned captcha-solving services in a separate thread. Long story short, I used a service called 2Captcha around a decade ago. I must've accidentally created a worker account because I'd receive emails advertising that they'd pay $2 per 1000 solutions. Checked today and it's dropped to $1 per 1000 solutions. If anything, it goes to show how many have gained internet access over the last decade.

Have you looked into SMS verification? I know the costs can be high.
 
mcm said:
Have you looked into SMS verification? I know the costs can be high.
Click to expand...

No different than email verification, they have hundreds of fake numbers and email accounts.

The StopForumSpam database seems to be catching 90% but I still have to go through and delete them daily.
 
Login or Register to reply

Sponsors who contribute to keep dn.ca free for everyone.

Sponsor
CanSpace
CIRA
FullHost
WHC
Donors (7)

Sponsors who contribute to keep dn.ca free.

Members who recently read this topic: 25

Back
Top Bottom