suggestion: pay extra attention to new members who do NOT post messages.

Thank you SARAH and SOCKWATER for any <form> tips. My HTML is good except that my <form> skills are nil. I am eager to experiment.

I also have a few suggestions to add to a previous strategy. It has been suggested by others to confine members with less than 1 post to a "New Member" forum.

• Perhaps the New Member forum should only allow New Threads, no replies. Spamborgs do not seem to be configured for New Threads.
• On the registration acceptance page, show active links that make it easy to start the New Thread, and encourage legitimate members clearly such as: "Just say Hi and your favorite sport, hobby, or TV show."
• Once a week, review all new memberships with 0 posts. These may be spamborgs. You may want to ban them. Or quarantine them with an 'upgrade' to an obscure membership level that only allows posting in the New Member forum.
• Spamborgs are not active immediately. The puppet master is building fake registrations. He returns days or weeks later to spam. Thus, any member who does NOT post a new message quickly is more likely a spamborg.
• I.e., this changes the emphasis to be more efficient for large forums. Moderators may not need to scrutinize New Member messages. Instead, just bundle away those new members who do not post anything.

(Note: I deleted a previous version of this message because it was over-complicated.)

Something I've discovered from looking at the logs: the Indian and Philippine spammers will usually visit a few pages before they head to register.php. There may be a referrer from a Google search for a certain subject. With the Chinese spamborgs, they land right on register.php?do=signup, with no referrer.

I still don't believe captcha or recaptcha was defeated. Having thousands of registrations may seem bot-like, but given a list of thousands of vBulletin-based oboards, it should be something a human can do in a few days.

They are bots or automated scripts that are somehow bypassing/solving the captcha. This is provable if you add some extra hidden form fields to the registration form, they will not be set by the bot meaning they are directly submitting POST data and not submitting from the registration page.

So I kind of found it weird that I was getting so many spammers but they were not posting anything - so I just had to ban them because their profile would link to porn or what not. I started thinking and found out the reason why they are only able to register. I have the force read a thread mod installed, so that members "must" read the rules (at least click to go to tat page) the bots are unable to click the link to go to the force read board and therefore are unable to post anything. This doesn't prevent them from registering (which I don't mind this forum is an education forum and will help me get into college and a higher member count doesn't look bad) but it does prevent them from doing any real damage to your forum.

Good idea. This may be better than my idea to 'quarantine' spamborgs to an invisible subforum.

SOCKWATER has evidence these are mainly robots. However it seems to me, they are simply assisted by humans who read the Image Verification. These humans do not show any sign of even understanding the English messages that they post.

Therefore, perhaps it is not even necessary to install a PHP hack. Perhaps the spamborgs can be defeated with a simple template modification. I.e., just change the ID and text of a form field for posting, or something. So long as each forum did this slightly differently, this might put an end to the spamborg phenomena. This might be standardized to work automatically with every Vbulletin as follows.

• Enable each Vbulletin owner to change the ID of the SUBMIT REPLY button, and instead of text for the button VALUE, use an image with a customized file name. (Perhaps also an invisible SUBMIT REPLY button that either does nothing, or that automatically bans the user. Along with a message that the ban can be lifted by sending a PM request.)
• Or a simple image verification required for each New Post.
• Or after using the SUBMIT REPLY button, a simple verification page appears with customized values.

Also likely to help: adding a simple question to the Image Verification at registration, as in the following hack:

Hi Skublum,

Where can I install this "force read a thread mod installed" module?

Thanks in advance!

I've just cleared out my IP ban list (but kept a copy of it here as a backup), and instead I'll be using a unique expression required userfield. I also executed an SQL query to pre-fill in the answer for my existing 700 members. I'll see how that goes. I'd like it to be something more specific, like a question for something that only people with a genuine interest in the community's topic matter, would actually know, but...

I'm not yet l33t enough to come up with an expression of exclusive/alternate answers of entire words/names, some of the possible answers being in unicode too. That whole hypothetical code makes my brain hurt. I'm just going to start with a simpler expression that should be enough to hold off the Chinese, especially if they're auto-filling custom fields with "array". This should stop them dead. I'm still a little worried about nonChinese spammers, but they shouldn't be by any means an epidemic.

The bots defeated me so I was wondering the reason with the no spam the bots started to decrease o.o

my spammers, which are mostly listed in this thread, are all inputting '1' into field3 (a custom user profile field)

I know about the nospam mod, but does anyone know of a way to filter out the spammers by what they enter into 'field3' at registration time?

I dont know if this one was already mentioned:

ereieoty

Email Address : [email protected]
Birthday : January 1, 1980
Referrer: N/A
IP Address: 211.158.21.152

another spammer I found

spammer name: sunrxpartner
IP: 61.17.186.147
email: [email protected]

I've search through google and found that on other sites as well.

I did a reverse ip lookup and I found:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1997-04-25
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2008-08-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Where can I find that mod?

I was getting a few a day and now I get this after I made some SEO changes.



So I guess my real question is, if VBulletin is failing. Why are WE, as end users, required to alter it in a manner so that it is not abused/circumvented?

Seems like the VB people should be trying to stay more on top of this instead of forcing forum admins to do it themselves. Since the flaw is in their software.

The SEO worked - look at how easy you are to find now!

We implemented a simple honeypot using

• new field with regex to check it is empty
• minor change to the registration fields template
• css to work on that minor change and hide the div.

I was really pleased that we could do all that without a plugin and using vB as cleanly as possible. The only criticism would be that the template change was required when it should or could have been out-of-the-box.

so far the honeypot is working.