Kitz Forum
Announcements => Site Announcements => Topic started by: roseway on November 12, 2008, 11:17:27 AM
-
In recent days the forum has been subject to something of a storm of spammers joining and attempting to post messages. We deal with these nuisances immediately we see them, and delete any spam messages which get through the net. If you do come across one of these messages, please don't give them encouragement by clicking on any links which they include, and we would appreciate it if you advise the moderators in case it's something we haven't spotted.
Many thanks.
-
Will do Eric.
-
Happy to help Eric. :)
-
I've noticed a few, but they are dealt with so quickly :clap2: I haven't had chance to "report" them .... I'll continue to keep an eye out :)
-
An update on this, if anyone's interested in what's going on.
The forum's stance on SPAM has not changed.
- It will not be tolerated and it will be immediately removed upon identification.
- Accounts will be banned/deleted.
- All details of spammers are reported to the Stop Forum Spam (http://www.stopforumspam.com/) database.
The Problem
Over the past 24 hours we've seen a huge increase in spam attempts. Mods and Admin have deleted/removed/stopped no less than 20 new accounts that have got through the normal filters. Much of yesterday was spent adding new filters and measures.. and of course the alertness of the mods for the ones that slipped through.
Forum logs indicate that the preventative measures that we have in place have halted an additional 162 attempts in their tracks since yesterday.
Is it just this forum?
Today it has emerged that we are not the only ones, and many other technical forums are also experiencing what has been described elsewhere as a 'tidal wave' of forum spam attacks.
Much of the attacks have come from Russia/Latvia/Ukraine and as a first stage banning IP ranges + blocks from these regions appeared to be having some success. However, the bots are now getting cleverer and using open proxies on IP ranges 'closer to home' which is meaning more manual intervention from the Admin/Mods.
Apparently several other forums spent yesterday also IP Block banning, and the consensus is that they were playing cat and mouse trying to keep up with it.
Why it's Happening
It would appear a new version of XRumer (http://en.wikipedia.org/wiki/Xrumer) has recently been released. This program has the ability to automatically:
- Defeat Hotmail / Gmail's CAPTCHAs and create email addresses to be used to sign up for forums
- Defeat Forum CAPTCHAs and sign up a forum account
- Automatically post forum spam
- Ability to make use of open proxy servers to avoid detection by any anti-spam IP blocks that may be in place in the forums.
What happens next?
SMF (The makers of the software on which this forum runs) is alert to the problem.
Current suggestions are to mostly do what we have already been doing, and I will be looking around later today on installing some additional mods/hacks to see if these help.
SMF developers are also looking into this to see if they can assist and make an upgrade.. but at the moment this will take investigation into the spammers' methods and time to implement code for a new release.
SMF is open source, and suggestions have been made to see if any developers can make mods that would say check the stop forum spam database, but again this would need to be implemented by someone with the time and ability to do so.
-
Ooh er, time to batten down the hatches methinks.
-
:shoot: :spam:
-
Kitz, is there an option for new memberships to be approved manually by the admins... would create a bit extra work, but might be worth it.
-
> Kitz, is there an option for new memberships to be approved manually by the admins... would create a bit extra work, but might be worth it.
Another forum (using SMF) I belong to has just had to do this to prevent spammers getting through easily, so I guess the answer is yes it's possible.
-
> Kitz, is there an option for new memberships to be approved manually by the admins... would create a bit extra work, but might be worth it.
Yes there is an option, but we want to use that as a last resort, if at all. It would stop genuine posters from being able to sign up and post immediately, which would be terrible.
So whilst it's an option, it's not really practical.
-
I did consider that point Chris, but if push comes to shove...
-
Good luck people, will also keep an eye open for any.
I think sometimes because we don't see it, we just don't know what really goes on behind the scenes with running and maintaining forums, so people like myself can get or give advice to others.
Thanks to all of you.
-
OF, I have been an admin on forums in the past, and believe me there's a lot more goes on in the background than you'd ever imagine. It's a nightmare.
-
I'm not saying too much for obvious reasons, but I did implement something different at about 4pm. Still early days yet... but refusals are racking up.
Re Admin approval - it was something discussed last night. It's also something that SMF have suggested for smaller forums. We've decided it's probably best as a last resort due to it relies on Admin approval who may not always be around. (Chris has a new job which means that he now can't access from work) - so that leaves me mostly.. and since there's some family stuff going on right now, it means that some days I may not be around as much.
At least with the current situation there's normally a mod around before too long to sweep up any that get through, and/or ban before they even post.
Bearing in mind the amount we received* I think they do a damn good job, because AFAIK only 1 actually managed to get through and actually post before it was soon deleted.
So well done guys. Eric + Dave have been very much on the ball :thumbs:
* Now more than 200 refused attempts and/or bans placed or deleted
-
I realise you don't want to give too much away in an open discussion, but just as a matter of interest if I tried to sign up now would I be refused. I ask because I have a gmail email account, and I know some forums refuse these, in fact I have only been unable to register once with my email address, also I know my ISP allocates the dynamic address from a range that got inadvertently assigned to the Czech Republic before being reallocated to the UK, the VNU site always shows me as being in Czechoslovakia, I can assure you I am in chilly north Yorkshire.
-
My account is gmail, so seems it should not be a problem.
-
Don't worry ... gmail accounts can still be used for signup
-
Yorky,
You would not have to show your passport on here to sign up, just a Yorkshire bus pass will do! ;D
Googlemail, or webmail eg. Yahoo are fine.
Vot happens now izt zat ve fon you up unt check your aczent! :lol:
dave
-
You'd be fine Yorkie.
btw I can quite clearly see you are in the UK.
-
Careful Dave, I'm a proud Yorkshireman too.
-
TBH I have never seen spam on the site as you guys are always too quick for me :clap2:
I will keep my eyes open but it looks that Kitz may be onto something that she implemented earlier :)
-
> Careful Dave, I'm a proud Yorkshireman too.
Me too, Mike.
I still like to see the Tykes win!
dave
-
I never knew that Dave.
> I still like to see the Tykes win!
That's a sore point at the moment being a Doncaster Rovers fan.
-
I'm in Latvia tomorrow/Friday/Saturday - do you want me to smack a few heads or whip 'em into shape? :whip:
Colin
-
lol thanks for the offer Colin ;D
Actually.. I've been doing a bit of reading on the subject this eve and how this particular bot works. Even though it may appear to have been originating in Latvia, that this particular bot is simply making use of open proxies. One of the things I have noticed is that it sometimes 'moves' through countries as you block one country it will find another.... each time getting 'nearer' in the EU if you know what I mean* I guess the .ru and similar blocks are easier to find proxies so it goes through there first.
SMF forum advice is there's not much point IP blocking as it will only find another.... although I and others have found that it does help quite a bit. I'm currently bouncing off on average at least 10-15 an hour using this method, so it's at least keeping some of it at bay.
AFAIK this is the first time a bot has majorly been able to attack SMF big style, and previous bots tended to target other php forums. Looking at SMF's first reaction yesterday, I don't think even they believed quite what was going on at first, as SMF has always had one of the best php forum reputations for security and anti-bot measures.
I suppose it was only inevitable that as SMF became more popular because of just that reputation, it was a challenge for someone just waiting to happen. :'(
*one of the things I said to the mods yesterday before we knew the full scale of this attack was 'persistent little git'.
-
> Careful Dave, I'm a proud Yorkshireman too.
Well I'm a Sheffielder (that's a posh Yorkshireman) does that count. :D
-
As long as you were born within the traditional county boundaries of Yorkshire, it counts.
-
TD has just posted on forumites quiz saying he can't log on here, and is he banned because of his email address?????
Edit
He is using pop3 through virgin.net
-
Maybe we need a new emo:
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fimg.photobucket.com%2Falbums%2Fv250%2FFloydoid%2Fdiespam.gif&hash=15ec77b18b518b4e880b34268b1c63034a0592b0)
-
> TD has just posted
No TD's not banned - I've just checked his account, which would tell me, and also his email address is absolutely fine... as is his range of IPs which is in the UK anyhow.
>> he can't log on here
When you say can't log on.. how far can he get?
Does he get any error messages at all?
.. if he's been caught up in any way shape or form with this - he will get a very specific message!
-
> TD has just posted
Tell him he can join me in the NC. :-X
-
Just to clear up the bit about emails, Kitz hasn't implemented ANY bans on certain email addresses.
As I understand things, even if she did implement an email address ban, this would just affect new registrations only. All users who are already signed up, even if they were signed up with a newly 'banned' email address, would still be able to log in as normal.
-
Are disposable emails banned from registering (just curious)?
-
Apart from your ISP's original allocated email address, surely all others are classed as disposable?
Gmail, Hotmail, etc.
-
Hi
Must be effective and quick, never seen any spam, will keep a lookout. Thanks for all your efforts.
Jeff
-
> Kitz hasn't implemented ANY bans on certain email addresses.
Actually I have.. but it won't affect UK users.
-
Just to clarify....
Email blocking isn't what's keeping them at bay now, and every valid user should be perfectly fine.
It's now well over 24 hours since I made some changes and although the bot attempts are still continuing - touchwood none have got through. :fingers:
Obviously I'd be rather stupid if I said in the open forums just what measures I've implemented, and what I've allowed and what I haven't.
Suffice to say if you are human and you can read - you will know if you've been blocked through the anti-spam measures.
-
Things like this are a useful reminder of what a lot goes on in the background to keep this forum running smoothly. Thank you to all involved.
-
The Tsunami now appears to have reduced to a trickle.
Thanks, everyone for helping us with it and also for the compliments.
Cheers,
Admin and Mods. ;)
-
Good to hear Dave. :)
And well done to all those involved. :clap2:
-
> Good to hear Dave. :)
> And well done to all those involved. :clap2:
ditto :)
-
> I'm in Latvia tomorrow/Friday/Saturday - do you want me to smack a few heads or whip 'em into shape? :whip:
> Colin
I asked the whole population of Latvia, and they both said they don't know anything about it. :P :lol:
-
Well they wouldn't would they? :lol: :lol:
-
4 for more just arrived but removed within 5 minutes.
Good for you ppl.
-
Thanks Phil.
Just removed the posts and slapped a ban on her.
dave
-
Thanks.
Thought I would use this post as an alert knowing that "mods" would be alerted (possibly quicker)
-
ty guys.
As the mods already know - we seem to have 2 different types of spammers, the automated bot type.. and then there's those that are more 'humanoid' type spam.
Touch wood we seem to have arrested the bot type attack that started last month. The logs show that for the past couple of months there's been 146 pages (x15) of unsuccessful attempts. There will also be some which won't record to the log, so for the odd 1 or 2 to get through from the 'humanoids' ain't too bad, I suppose.. particularly when the mods are pretty quick with their dusters :)
-
Nice one guys. :)
Kitz sweeping up the spam.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fdl6.glitter-graphics.net%2Fpub%2F595%2F595426om7plh9hpc.gif&hash=f97558bed9924e38b9827b66affaf3baa3646d33) (http://www.glitter-graphics.com)
-
naw - credit goes to Eric and Dave for most of that - since they do most of the cleaning up.
That's why they get one of these to wear.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww.kitz.co.uk%2Ftemp%2Fmods_pinny.jpg&hash=dd90c5d4fe35d7d5976dbbf5541f82b801c62c6a)
-
I look nice in my pinny :lol:
-
I don't mind the pinny BUT I do draw the line at PINK Marigolds. :no:
dave
-
> I don't mind the pinny BUT I do draw the line at PINK Marigolds. :no:
> dave
:lol:
-
> I don't mind the pinny BUT I do draw the line at PINK Marigolds. :no:
> dave
Sorry dave - I was going to buy blue ones to match the pinny, but they were out of stock, so pink it had to be.
:D
-
> Nice one guys. :)
> Kitz sweeping up the spam.
> (https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fdl6.glitter-graphics.net%2Fpub%2F595%2F595426om7plh9hpc.gif&hash=f97558bed9924e38b9827b66affaf3baa3646d33) (http://www.glitter-graphics.com)
Kitz feeling pleased after the spam cleaning
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fimg.photobucket.com%2Falbums%2Fv250%2FFloydoid%2Felegant.gif&hash=809f1af3a7db6105d41a61b0a9323af916bbba51)
-
:D
-
My god that was a quick hairdo.
-
:lol:
-
Kitz and all the mods celebrating after a successful spam sweep.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fdl2.glitter-graphics.net%2Fpub%2F748%2F748162u3u8f79xza.gif&hash=b44352f0ba5f5a0c39ae98f6c8b504004ba7653e) (http://www.glitter-graphics.com)
-
Wonderful :lol:
-
awww cute.
The blonde with the purple collar in the middle is me :)
-
very nice too! ;D
-
Hmm seems spammers are getting hi-tek now 8) Shall Imagine™ warm up his advanced tracking tools ;) >:D
-
See, always said these mods were a load of pussycats.
(But nice ones though) :crazy:
-
I wonder how much bandwidth this will be consuming (and CPU usage)? Was there a spike when the bots started?
I am just thinking of the costs for you because I can already imagine it won't be the cheapest of sites to host. I suppose if it got too much of a resource hog you could put a firewall in front of the site and then any IPs your homebrew bot detectors find add to a 24h blocklist.
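As an added example that is not part of the original thread or of SMF's code: the layered registration screening discussed above (static IP range bans, a check against a spammer database such as Stop Forum Spam, and a 24h blocklist), in Python. The address ranges, the `reputation_lookup` callable, the threshold and all names are assumptions made for illustration, and the actual database query is not shown.

```python
import ipaddress
import time

# Constructed sample ranges (documentation address space), not the forum's real bans.
BANNED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
TEMP_BLOCK_SECONDS = 24 * 3600


class RegistrationScreen:
    """Stage 1: static range bans. Stage 2: 24h blocklist plus a reputation lookup."""

    def __init__(self, reputation_lookup, threshold=3, clock=time.time):
        # reputation_lookup is a hypothetical callable: IP string -> number of
        # spam reports (for example a wrapper around a spammer database).
        self.lookup = reputation_lookup
        self.threshold = threshold
        self.clock = clock
        self.temp_blocks = {}  # IP string -> expiry timestamp
        self.log = []          # stage 2 refusals only: (time, ip, reports)

    def check(self, ip_text):
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            return "refused: malformed address"
        key, now = str(ip), self.clock()
        # Stage 1: cheap range test, refused without logging.
        if any(ip in net for net in BANNED_RANGES):
            return "refused: banned range"
        # Stage 2a: honour an unexpired 24h block, drop an expired one.
        expiry = self.temp_blocks.get(key)
        if expiry is not None:
            if now < expiry:
                return "refused: temporary block"
            del self.temp_blocks[key]
        # Stage 2b: reputation lookup. Fail open so an unreachable database
        # does not stop genuine users from registering.
        try:
            reports = self.lookup(key)
        except Exception:
            return "allowed: lookup unavailable"
        if reports >= self.threshold:
            self.temp_blocks[key] = now + TEMP_BLOCK_SECONDS
            self.log.append((now, key, reports))
            return "refused: reported spammer"
        return "allowed"
```

The temporary block expires on its own, so an address that was an open proxy yesterday is not refused indefinitely.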
-
Hard to say really.
no to spiking though as regards to the 'all out attack' on forums the other week, then I could imagine there was a strong possibility that some servers could have come under CPU pressure and may have caused some slow downs.
I haven't noticed a spike in usage through it - the forum traffic is minor compared to the main site, so in the grand scheme of things it's not made any difference to bandwidth.
I also have a couple of lines of 'defence' some are logged - Those that are stopped at the first hurdle aren't, but I should imagine if I could be bothered to go through the traffic logs (which I'm not going to!) they will all originate from either Beijing or eastern bloc type countries. There's still some that are getting to stage 2 which are logged, as an indication there's been 16 of those in the past 12 hours which have been stopped and logged. I think you can gather from that, that I'm already using some pretty large IP blocks - which I maintain and add to myself.
-
Yeh I thought you would have had some already I was just curious as to whether these sort of attacks had any other impacts other than being annoying and time consuming.
-
>> being annoying and time consuming.
That's about the gist of it for me (and the mods).
I could imagine it would have larger impacts on smaller sites as regards to their bandwidth though :/