Spam bots defeat Recaptcha.


  • Dv_
    replied
    Another one...

    lmno820
    email : [email protected]
    IP : 59.173.226.84

    Leave a comment:


  • hbr
    replied
    I had a look at the serverlogs.

    One thing that is common to all bot registrations is that they are quite different from "normal" registrations.

    Here are two bot-registrations from the serverlogs:
    61.173.43.67 - - [23/May/2008:05:56:30 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17751 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
    61.173.43.67 - - [23/May/2008:05:56:31 +0200] "POST /register.php?do=register HTTP/1.1" 200 23960 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
    61.173.43.67 - - [23/May/2008:05:56:32 +0200] "GET /image.php?type=hv&hash=e04cd6d3adbcc6d2cf83f0b9caa47c56 HTTP/1.1" 200 14536 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
    61.173.43.67 - - [23/May/2008:05:57:28 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15480 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=register"
    61.173.43.67 - - [23/May/2008:06:42:23 +0200] "GET /register.php?a=act&u=10848&i=74842131 HTTP/1.1" 200 24245 "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
    and
    218.240.13.108 - - [23/May/2008:07:22:34 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17646 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
    218.240.13.108 - - [23/May/2008:07:22:37 +0200] "POST /register.php?do=register HTTP/1.1" 200 23855 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
    218.240.13.108 - - [23/May/2008:07:22:39 +0200] "GET /image.php?type=hv&hash=a6c3342ed881d2d11e9fa8890a5c6ca8 HTTP/1.1" 200 17554 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
    218.240.13.108 - - [23/May/2008:07:25:53 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15370 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=register"
    218.240.13.108 - - [23/May/2008:07:26:16 +0200] "GET /register.php?a=act&u=10849&i=7684469 HTTP/1.1" 200 24248 "Mozilla/4.0 (compatible; Windows XP 5.1; MSIE 6)" "-"
    218.240.13.108 - - [23/May/2008:16:45:12 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17646 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
    218.240.13.108 - - [23/May/2008:16:45:17 +0200] "POST /register.php?do=register HTTP/1.1" 200 23855 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
    218.240.13.108 - - [23/May/2008:16:45:25 +0200] "GET /image.php?type=hv&hash=7e2605968c62524a0e9614933758f977 HTTP/1.1" 200 11875 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=signup"
    218.240.13.108 - - [23/May/2008:16:45:33 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 24670 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/register.php?do=register"
    218.240.13.108 - - [23/May/2008:16:45:39 +0200] "GET /profile.php?do=editsignature HTTP/1.1" 200 26624 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de"
    218.240.13.108 - - [23/May/2008:16:45:49 +0200] "POST /profile.php?do=updatesignature HTTP/1.1" 200 26933 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://forum.computerbetrug.de/profile.php?do=editsignature"
    Please note that this is really everything they did from the server point of view. The remarkable thing is: there was not a single image loaded, no javascript, no nothing besides the scripts. The bots seem to get directly to the vb-scripts and register the bot-user.

    Probably they got a hook into that MD5 checksum/hash of the images (I guess this is an MD5 checksum). MD5 is quite outdated in some ways. I would propose to change to SHA1 for testing purposes. I am willing to join some tests.

    Jelsoft programmers, please have a look at this issue. I guess there is some trouble ahead that needs to be avoided...

    Leave a comment:
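The pattern described in the post above (a signup-to-addmember flow that touches only the scripts and never fetches a stylesheet, script file or static image) can be checked for mechanically. The following is an added example, not part of the original post or of vBulletin; the sample log lines, the asset paths and the 192.0.2.x addresses are constructed, and the log layout (user agent before referer) follows the lines quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample in the layout quoted in the post above.
# 192.0.2.10 behaves like the logged bots, 192.0.2.20 like a browser.
SAMPLE_LOG = '''\
192.0.2.10 - - [23/May/2008:05:56:30 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17751 "UA" "-"
192.0.2.10 - - [23/May/2008:05:56:31 +0200] "POST /register.php?do=register HTTP/1.1" 200 23960 "UA" "-"
192.0.2.10 - - [23/May/2008:05:56:32 +0200] "GET /image.php?type=hv&hash=0000 HTTP/1.1" 200 14536 "UA" "-"
192.0.2.20 - - [23/May/2008:05:56:40 +0200] "GET /register.php?do=signup HTTP/1.1" 200 17751 "UA" "-"
192.0.2.20 - - [23/May/2008:05:56:41 +0200] "GET /clientscript/global.js HTTP/1.1" 200 9000 "UA" "-"
192.0.2.20 - - [23/May/2008:05:56:41 +0200] "GET /images/logo.gif HTTP/1.1" 200 3000 "UA" "-"
192.0.2.10 - - [23/May/2008:05:57:28 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15480 "UA" "-"
192.0.2.20 - - [23/May/2008:05:58:10 +0200] "POST /register.php?do=addmember HTTP/1.1" 200 15480 "UA" "-"
'''

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ')
# Static assets only; image.php (the verification image) is a script, not an asset.
STATIC = re.compile(r'\.(?:css|js|gif|png|jpe?g|ico)(?:\?|$)', re.I)

def find_assetless_registrations(log_text):
    """Return one finding per addmember POST whose signup flow fetched no static asset."""
    flows, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        ip, ts, method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET" and path.startswith("/register.php?do=signup"):
            flows[ip] = {"start": when, "assets": 0}   # a new flow begins
        elif ip in flows and STATIC.search(path):
            flows[ip]["assets"] += 1                   # browser-like behaviour
        elif ip in flows and method == "POST" and path.startswith("/register.php?do=addmember"):
            flow = flows.pop(ip)
            if flow["assets"] == 0:
                seconds = (when - flow["start"]).total_seconds()
                findings.append({"ip": ip, "seconds": seconds})
    return findings

if __name__ == "__main__":
    for finding in find_assetless_registrations(SAMPLE_LOG):
        print(finding)
```

A browser with a warm cache or a text-only client also fetches no assets, so a finding is a reason to review the new account, not proof of automation. The check does not depend on timing, which matters because the logged flows took close to a minute or more.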


  • steven s
    replied
    Most of these have spammed my board also in the past two days.

    Leave a comment:


  • CarterMarkham
    replied
    Won't a large htaccess file slow down your site?

    Leave a comment:


  • joomlajon
    replied
    http://www.parkansky.com/china.htm
    http://www.blockacountry.com/

    I have also got a couple of China accounts, and I have a non-English forum.

    beijmanli [email protected]
    lovebeijgo [email protected]

    Leave a comment:


  • diettalk
    replied
    Originally posted by Suri.CMS
    How do you block a specific country?
    Can you please elaborate?
    You can try... http://ip.ludost.net/

    Leave a comment:


  • hbr
    replied
    Originally posted by Suri.CMS
    How do you block a specific country?
    Can you please elaborate?
    Just have a look at this:
    http://www.apnic.net/db/ranges.html

    Start with 58.17.*.* and 222.176. to 222.183.

    Leave a comment:
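The ranges named in the post above are written as a wildcard and as a prefix span, while an .htaccess rule is shorter and easier to audit in CIDR form. The following is an added example, not part of any post in this thread: it converts both notations, merges duplicate and overlapping entries (so an address listed twice, or already covered by a wider range, costs nothing), and emits Apache 2.2-style `Deny from` lines. The function names are hypothetical, and the entries 58.17.4.9 and 203.0.113.7 are constructed.

```python
import ipaddress

def pad_prefix(prefix, fill):
    """Complete a partial dotted prefix such as '222.176.' with `fill` octets."""
    octets = prefix.strip().strip(".").split(".")
    octets += [fill] * (4 - len(octets))
    return ipaddress.IPv4Address(".".join(octets))

def to_networks(entry):
    """Convert one entry (CIDR, single IP, wildcard, or 'a to b' span) to networks."""
    entry = entry.strip()
    if " to " in entry:                 # e.g. "222.176. to 222.183."
        low, high = entry.split(" to ")
    elif "*" in entry:                  # e.g. "58.17.*.*"
        low = high = entry.replace(".*", "")
    else:                               # plain address or CIDR block
        return [ipaddress.ip_network(entry, strict=False)]
    first, last = pad_prefix(low, "0"), pad_prefix(high, "255")
    return list(ipaddress.summarize_address_range(first, last))

def build_deny_rules(entries):
    """Return de-duplicated, minimal 'Deny from' lines for the given entries."""
    networks = []
    for entry in entries:
        networks.extend(to_networks(entry))
    # collapse_addresses drops duplicates and entries covered by a wider block
    return ["Deny from %s" % net for net in ipaddress.collapse_addresses(networks)]

# The first two entries are the ranges from the post; the rest are constructed.
ENTRIES = [
    "58.17.*.*",
    "222.176. to 222.183.",
    "58.17.4.9",        # already inside 58.17.*.*
    "58.17.*.*",        # listed twice
    "203.0.113.7",
]

if __name__ == "__main__":
    print("\n".join(build_deny_rules(ENTRIES)))
```

Five entries collapse to three rules here. On Apache 2.4 the equivalent directive is `Require not ip` followed by the same CIDR value.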


  • Suri.CMS
    replied
    I've blocked China in htaccess. That seems to do the trick.
    How do you block a specific country?
    Can you please elaborate?

    Leave a comment:


  • CarterMarkham
    replied
    I have disabled reCAPTCHA as it's very hard to read. I need to do something here. I'm going to check out IS Bot when I get home.

    Leave a comment:


  • CarterMarkham
    replied
    I have to ask, I have been making a list in vBulletin for blocked IPs, is it a problem if one gets listed twice? I can't go through the whole list and double check...

    Leave a comment:


  • Boosted Panda
    replied
    I would like to block all Chinese IPs, how would I do that? This spam is ridiculous, and more than that I hate WOW and all these spammers are those Chinese Farmers I always hear people at work babbling about.

    Leave a comment:


  • CarterMarkham
    replied
    I have these beji members successfully registering too. I also have a track visitors mod on my 3.7 forum and it shows new registrations, but they don't show up in the members list, and vBulletin says the username was not recognized, so ReCaptcha is doing its job for the most part except for these Chinese people...

    Leave a comment:


  • renep
    replied
    Originally posted by nibb
    I suppose another person with a non-English forum that has Q&A setting on can confirm this?
    Same here. [email protected] passed the Q&A on one of my Dutch forums.

    Leave a comment:


  • vord
    replied
    Seems to work on 3.7, though I'd imagine if a lot of people used it the bots would put a time delay in.

    I've blocked China in htaccess. That seems to do the trick.

    Leave a comment:


  • Chris-777
    replied
    ^ That's working on 3.7?

    Leave a comment:
