RC Attacker 09-10-2006, 11:19 AM This is crazy. Over the last 3 days I have gotten these weird (I think fake) accounts. They usually don't do the conformation e-mail and never fill any of the profile fields out. And have retarded e-mails.
Here...these people have joined in the last 3 days:
appletango
curlopt2007
Daleman1984
-----
disappointment2
disappointment2
disappointment2.........Yes! 3! of them....wtf, how???? the EXACT same names........
-----
fujitsusi
reliantrobin
Rob2007
south_harmon
Some of them have actually confirmed the e-mail thing. But what the f*ck are they? Why are they joining, it's so weird....
P.S. Hi Ohiosweetheart :D
Peggy 09-10-2006, 11:20 AM Hey there darlin'.
Looks like spammers to me. I've been hit with 'em too. I think we all are. Tomorrow nights' a full moon.
Go figure :rolleyes:
noppid 09-10-2006, 11:21 AM You have to be dillegent. There is a huge pack of spammers attacking forums. It's affecting all of us.
Keep adding the emails to the ban list. It will help.
RC Attacker 09-10-2006, 11:23 AM Okay thanks. My other forum (the one i just work at, not mine) was getting them too. But they had a custom profile field that said "Years of experience" and they would always put their user name there. Then we got the miserable users hack and it has slowed them down. I guess I'll start bannin'.
LILMO 09-11-2006, 09:24 AM wow......
RC Attacker 09-11-2006, 05:43 PM Yeah, I got 2 more after posting this. I'll use them to my advantage and make it look like my forum is big and worth joining. :D
Coder1 09-11-2006, 06:33 PM Hmmm. "appletango" just joined mine, too. Hasn't posted anything, though. Based on the signature though, which has "Black Hat SEO" links, he's a spammer. I pre-emptively perma-banned.
In fact, I have the same group. All the email addresses end with ".info". Watch out for "aptonline.info" and similar email addresses. Usernames from these domains have joined my forum, a couple have spammed - all have now been deleted.
aptonline.info
abilityonline.info
alertonline.info
brainyonline.info
burnacouplemore.com
highwellglobal.com
Under "User Banning" options, I would add all of those domains to your mask. And possibly every domain ending with ".info". Copy and paste this into the appropriate spot:
@aptonline.info @abilityonline.info @alertonline.info @brainyonline.info @burnacouplemore.com @highwellglobal.com @info
Hell³ 09-11-2006, 11:23 PM so... how this guys circumvent the captcha image?...
noppid 09-12-2006, 04:02 AM They can be humans. There seems to be a pack of spammers targeting forums.
We have to be on our toes.
Coder1 09-12-2006, 07:51 AM Do a web search for "appletango" for example. Pages and pages of "view profile" listings for that single username.
RC Attacker 09-12-2006, 05:51 PM That's crazy. i don't see why they would do it if they were real. And I don't have an image verification so that's how. Update: 3 more! :D They love me over here.
Peggy 09-12-2006, 06:43 PM lol...
minstrel 09-12-2006, 06:44 PM I don't either, unless they're kids who just want the notoriety. There are no signature links or URLs to benefit them. Makes no sense.
Coder1 09-12-2006, 07:48 PM But there ARE signature links, to insurance sites, SEO sites, etc.
dawnavon 09-12-2006, 09:31 PM Our board has been hit with them too..
their e-mails ended in @burnacouplemore.com
and their ip addresses were: 63.166.111.6
We got those users, plus a few others that never did post anything, but have the same ip address..
WoodiE55 09-13-2006, 05:33 AM Yeah, I got 2 more after posting this. I'll use them to my advantage and make it look like my forum is big and worth joining. :D
Umm your getting excited over the wrong type of members - there are plenty of ways of making your forum look busy and letting spammers join isn't one of them. I'd strongly suggest banning or deleting these users, because once they start posting on your forum you're not going to like what they have to say.
As for making your forum look busier - you've got a million and one forums, from the looks of it you've got more forums then threads. This needs to be the other way around, most of your forums don't even have posts in them. CONSOLIDATE your forums into 1-2 like forums then as your site really does get bigger add more forums when needed.
RC Attacker 09-13-2006, 11:53 AM I'm not letting them join, and I was kidding......
About 4 more, and one posted three times in the weirdest forums to be posting. I hate them.
Coder1 09-13-2006, 12:00 PM I think a neat mod would be to have a central email/ip address/username blacklist of known spammers. vBulletin would check against this list and reject any new member registrations that are on the list. For example, the username "ZionKyleigh" just joined my forum, and is an obvious spammer.
Another trend I've noticed is that email addresses that start with "Array@" are spammers. Array@netscape.com, Array@gmail.com, Array@yahoo.com, etc.
minstrel 09-13-2006, 02:09 PM Sort of like Akismet for WordPress - virtually no spam makes it through Akismet for my blog.
Peggy 09-13-2006, 04:08 PM I think a neat mod would be to have a central email/ip address/username blacklist of known spammers. vBulletin would check against this list and reject any new member registrations that are on the list. For example, the username "ZionKyleigh" just joined my forum, and is an obvious spammer.
Another trend I've noticed is that email addresses that start with "Array@" are spammers. Array@netscape.com, Array@gmail.com, Array@yahoo.com, etc.
yeah this would be great
Coder1 09-13-2006, 08:21 PM Hmm. A web-service. During user registration, a call is made to see if that email address and/or IP address is for a "known spammer". Admin settings determine what happens then (email, whatever).
Blacklist would be populated when a "trusted site" bans a user for spamming. Sites become trusted only after review and invitation. I think it would be very important to strive to keep our member list confidential, to prevent DOS attacks and thus potentially cripple user registrations.
I think this has a lot of potential. I'll play with it as yet another "when I have time" project. If anyone else wants to run with the idea, that's fine with me. I'm throwing it out there, but would like to stay involved if anyone runs with this.
adwade 09-14-2006, 06:53 PM I think a neat mod would be to have a central email/ip address/username blacklist of known spammers. vBulletin would check against this list and reject any new member registrations that are on the list. For example, the username "ZionKyleigh" just joined my forum, and is an obvious spammer.
Now THAT's smart thinking. An excellent idea!
Coder1 09-14-2006, 07:50 PM Working on it. Looking at the exisitng user registration code and how it works with the User Banning options. I think an "also check this list" option could be added, allowing you to enter a URL to a service that maintained email addresses of spammers.
minstrel 09-15-2006, 06:13 AM If you're serious about this, you might want to have a look at how Akismet (http://akismet.com/) does it for WordPress. This works extremely well and has a system where any post/comment manually marked as spam is added to the database for other people using the system.
If someone could adapt something like this for vBulletin, it would be awesome.
Coder1 09-15-2006, 08:21 AM I am serious, and I'm working on it. The key decision is methodology. I don't want a system that, if the central repository goes down, then everyone's user registration is broken. I think a cronjob that simply polls the blacklist (global ban list), and updates your local User Ban list, might be appropriate. Similarly, any additions you've made to your local ban list get added to the "global" blacklist.
minstrel 09-15-2006, 08:27 AM It doesn't have to break registration. What Akismet does is flag it as spam. The admin then has the option of reviewing those flagged as spam and deleting/banning or flagging it as "not spam" to update the registry.
Coder1 09-15-2006, 09:44 AM I'm not talking about messages, I'm talking about users, and more specifically, the email addresses/domains used by forum spammers.
vBulletin already has a "User Banning" system under vBulletin options, where you can enter email addresses and/or domains. When someone tries to register using a matching email address, they are rejected.
My idea is simply to "share" all of our entries. So when someone tries to join, they are checked against not just my "banned" email address list, but against the banned email address lists of all of us.
All participating sites would "synchronize" our blacklisted email addresses.
minstrel 09-15-2006, 03:54 PM I know that, tgreer. That's what Akismet does - visit the site. It flags IP addresses and email addresses (as well as content) in a database. To guard against false positives, it allows the users to un-blacklist.
RC Attacker 09-17-2006, 06:35 AM WTF? This guy DreaDLord some how deleted a bunch of our shouts. Then when I went to ban him, I see by banned list and everyone was off it.....
minstrel 09-17-2006, 07:13 AM Who is DreaDLord?
RC Attacker 09-17-2006, 07:22 AM One of these spam things I have.
minstrel 09-17-2006, 07:25 AM That's a little more than spam, isn't it? How did the member get permissions to delete things?
RC Attacker 09-17-2006, 07:33 AM I have no clue. He typed this in the shoutbox - <Font Color=red>selam</Font> and un-banned the other users like him, and for some reason made my forum title go back to saying "RC Forum"
minstrel 09-17-2006, 08:10 AM Assuming that your permissions were not set to allow it, it would seem he hacked your Admin password(s)? Probably a good idea to reset that.
minstrel 09-17-2006, 08:28 AM Add this to your .htaccess file:
Options -Indexes
php_flag register_globals 0
Help block probes like this (from my logs - unsuccessful):
[Mon Sep 11 07:13:43 2006] [error] [client 220.3.92.77] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "forum.psychlinks.ca"] [uri "/register.php?do=addmember"]
[Mon Sep 11 07:13:53 2006] [error] [client 220.3.92.77] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "forum.psychlinks.ca"] [uri "/register.php?do=addmember"]
[Mon Sep 11 07:14:06 2006] [error] [client 220.3.92.77] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "forum.psychlinks.ca"] [uri "/register.php?do=addmember"]
[Mon Sep 11 07:15:23 2006] [error] [client 220.3.92.77] mod_security: Access denied with code 403. Error reading request body, error code 70007: The timeout specified has expired [severity "EMERGENCY"] [hostname "forum.psychlinks.ca"] [uri "/register.php?do=addmember"]
Whois info:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
Or this:
[Mon Sep 11 07:30:12 2006] [error] [client 67.72.98.27] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "forum.psychlinks.ca"] [uri "/profile.php?do=updatepassword"]
[Mon Sep 11 09:08:19 2006] [error] [client 67.72.98.27] mod_security: Warning. Pattern match "([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "forum.psychlinks.ca"] [uri "/admincp/user.php?do=update"]
Whois:
OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US
Bottom line: Assume that someone somewhere will at any hour of any day be attempting to hack in to your website or forum.
dakar 09-17-2006, 03:41 PM We've been getting nailed pretty hard over the last week as well, my banlist is getting pretty large. I finally gave in and added a hack to stop anyone from posting a URL in a post unless they have >10 posts.
This centralized spammer system would be fantastic, I like the idea of it fetching a current list and such so that if the 'repository' goes down it doesn't break registration.
tgreer, I've been it some serious thought and the 'repository' really wouldn't be hard to setup/maintain, at least by my skills, however intergrating the vB side would likely get the better of me. But if you want a hand with the backend LMK.
|
|
