Announcement

Collapse
No announcement yet.

Spam bots defeat Recaptcha.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • suggestion: pay extra attention to new members who do NOT post messages.

    Thank you SARAH and SOCKWATER for any <form> tips. My HTML is good except that my <form> skills are nil. I am eager to experiment.

    I also have a few suggestions to add to a previous strategy. It has been suggested by others to confine members with less than 1 post to a "New Member" forum.
    • Perhaps the New Member forum should only allow New Threads, no replies. Spamborgs do not seem to be configured for New Threads.
    • On the registration acceptance page, show active links that make it easy to start the New Thread, and encourage legitimate members clearly such as: "Just say Hi and your favorite sport, hobby, or TV show."
    • Once a week, review all new memberships with 0 posts. These may be spamborgs. You may want to ban them. Or quarantine them with an 'upgrade' to an obscure membership level that only allows posting in the New Member forum.
    • Spamborgs are not active immediately. The puppet master is building fake registrations. He returns days or weeks later to spam. Thus, any member who does NOT post a new message quickly is more likely a spamborg.
    • I.e., this changes the emphasis to be more efficient for large forums. Moderators may not need to scrutinize New Member messages. Instead, just bundle away those new members who do not post anything.

    (Note: I deleted a previous version of this message because it was over-complicated.)
    Last edited by Christophe_O; Thu 19 Jun '08, 3:08pm.
    sigpic Krystof
    Starnectar Free Forums

    Comment


    • Something I've discovered from looking at the logs: the Indian and Philippine spammers will usually visit a few pages before they head to register.php. There may be a referrer from a Google search for a certain subject. With the Chinese spamborgs, they land right on register.php?do=signup, with no referrer.

      I still don't believe captcha or recaptcha was defeated. Having thousands of registrations may seem bot-like, but given a list of thousands of vBulletin-based oboards, it should be something a human can do in a few days.
      Last edited by cyburbia; Fri 20 Jun '08, 3:02pm.
      Cyburbia Forums - a third place for urban planners
      http://www.cyburbia.org/forums

      Comment


      • Originally posted by cyburbia View Post
        With the Chinese spamborgs, they land right on register.php?do=signup, with no referrer.
        They are bots or automated scripts that are somehow bypassing/solving the captcha. This is provable if you add some extra hidden form fields to the registration form, they will not be set by the bot meaning they are directly submitting POST data and not submitting from the registration page.
        ~~~~~

        Comment


        • So I kind of found it weird that I was getting so many spammers but they were not posting anything - so I just had to ban them because their profile would link to porn or what not. I started thinking and found out the reason why they are only able to register. I have the force read a thread mod installed, so that members "must" read the rules (at least click to go to tat page) the bots are unable to click the link to go to the force read board and therefore are unable to post anything. This doesn't prevent them from registering (which I don't mind this forum is an education forum and will help me get into college and a higher member count doesn't look bad) but it does prevent them from doing any real damage to your forum.

          Comment


          • Originally posted by skublum View Post
            ...I have the force read a thread mod installed, so that members "must" read the rules (at least click to go to tat page) the bots are unable to click the link to go to the force read board and therefore are unable to post anything...
            Good idea. This may be better than my idea to 'quarantine' spamborgs to an invisible subforum.

            SOCKWATER has evidence these are mainly robots. However it seems to me, they are simply assisted by humans who read the Image Verification. These humans do not show any sign of even understanding the English messages that they post.

            Therefore, perhaps it is not even necessary to install a PHP hack. Perhaps the spamborgs can be defeated with a simple template modification. I.e., just change the ID and text of a form field for posting, or something. So long as each forum did this slightly differently, this might put an end to the spamborg phenomena. This might be standardized to work automatically with every Vbulletin as follows.
            • Enable each Vbulletin owner to change the ID of the SUBMIT REPLY button, and instead of text for the button VALUE, use an image with a customized file name. (Perhaps also an invisible SUBMIT REPLY button that either does nothing, or that automatically bans the user. Along with a message that the ban can be lifted by sending a PM request.)
            • Or a simple image verification required for each New Post.
            • Or after using the SUBMIT REPLY button, a simple verification page appears with customized values.


            Also likely to help: adding a simple question to the Image Verification at registration, as in the following hack:
            Originally posted by K4L
            If you are using vb3.7+ trying using NoSpam! for 3.7+
            http://www.vbulletin.org/forum/showt...55#post1548655
            Last edited by Christophe_O; Thu 26 Jun '08, 9:34am.
            sigpic Krystof
            Starnectar Free Forums

            Comment


            • Originally posted by skublum View Post
              So I kind of found it weird that I was getting so many spammers but they were not posting anything - so I just had to ban them because their profile would link to porn or what not. I started thinking and found out the reason why they are only able to register. I have the force read a thread mod installed, so that members "must" read the rules (at least click to go to tat page) the bots are unable to click the link to go to the force read board and therefore are unable to post anything. This doesn't prevent them from registering (which I don't mind this forum is an education forum and will help me get into college and a higher member count doesn't look bad) but it does prevent them from doing any real damage to your forum.
              Hi Skublum,

              Where can I install this "force read a thread mod installed" module?

              Thanks in advance!

              Comment


              • I've just cleared out my IP ban list (but kept a copy of it here as a backup), and instead I'll be using a unique expression required userfield. I also executed an SQL query to pre-fill in the answer for my existing 700 members. I'll see how that goes. I'd like it to be something more specific, like a question for something that only people with a genuine interest in the community's topic matter, would actually know, but...

                I'm not yet l33t enough to come up with an expression of exclusive/alternate answers of entire words/names, some of the possible answers being in unicode too. That whole hypothetical code makes my brain hurt. I'm just going to start with a simpler expression that should be enough to hold off the Chinese, especially if they're auto-filling custom fields with "array". This should stop them dead. I'm still a little worried about nonChinese spammers, but they shouldn't be by any means an epidemic.

                Comment


                • The bots defeated me so I was wondering the reason with the no spam the bots started to decrease o.o

                  Comment


                  • my spammers, which are mostly listed in this thread, are all inputting '1' into field3 (a custom user profile field)

                    I know about the nospam mod, but does anyone know of a way to filter out the spammers by what they enter into 'field3' at registration time?

                    Comment


                    • I dont know if this one was already mentioned:

                      ereieoty

                      Email Address : [email protected]
                      Birthday : January 1, 1980
                      Referrer: N/A
                      IP Address: 211.158.21.152

                      Comment


                      • another spammer I found

                        spammer name: sunrxpartner
                        IP: 61.17.186.147
                        email: [email protected]

                        I've search through google and found that on other sites as well.

                        I did a reverse ip lookup and I found:
                        OrgName: Asia Pacific Network Information Centre
                        OrgID: APNIC
                        Address: PO Box 2131
                        City: Milton
                        StateProv: QLD
                        PostalCode: 4064
                        Country: AU

                        ReferralServer: whois://whois.apnic.net

                        NetRange: 61.0.0.0 - 61.255.255.255
                        CIDR: 61.0.0.0/8
                        NetName: APNIC3
                        NetHandle: NET-61-0-0-0-1
                        Parent:
                        NetType: Allocated to APNIC
                        NameServer: NS1.APNIC.NET
                        NameServer: NS3.APNIC.NET
                        NameServer: NS4.APNIC.NET
                        NameServer: NS-SEC.RIPE.NET
                        NameServer: TINNIE.ARIN.NET
                        Comment: This IP address range is not registered in the ARIN database.
                        Comment: For details, refer to the APNIC Whois Database via
                        Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
                        Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
                        Comment: for the Asia Pacific region. APNIC does not operate networks
                        Comment: using this IP address range and is not able to investigate
                        Comment: spam or abuse reports relating to these addresses. For more
                        Comment: help, refer to http://www.apnic.net/info/faq/abuse
                        Comment:
                        RegDate: 1997-04-25
                        Updated: 2005-05-20

                        OrgTechHandle: AWC12-ARIN
                        OrgTechName: APNIC Whois Contact
                        OrgTechPhone: +61 7 3858 3188
                        OrgTechEmail: [email protected]

                        # ARIN WHOIS database, last updated 2008-08-10 19:10
                        # Enter ? for additional hints on searching ARIN's WHOIS database.

                        Comment


                        • Originally posted by skublum View Post
                          I have the force read a thread mod installed....
                          Where can I find that mod?

                          Comment


                          • Originally posted by FCRhino View Post
                            Where can I find that mod?
                            http://www.vbulletin.org/forum/showthread.php?t=172155
                            ~~~~~

                            Comment


                            • I was getting a few a day and now I get this after I made some SEO changes.



                              So I guess my real question is, if VBulletin is failing. Why are WE, as end users, required to alter it in a manner so that it is not abused/circumvented?

                              Seems like the VB people should be trying to stay more on top of this instead of forcing forum admins to do it themselves. Since the flaw is in their software.
                              Last edited by CtrlAltDel; Tue 7 Oct '08, 9:53pm.

                              Comment


                              • Originally posted by CtrlAltDel View Post
                                I was getting a few a day and now I get this after I made some SEO changes.
                                The SEO worked - look at how easy you are to find now!

                                We implemented a simple honeypot using
                                • new field with regex to check it is empty
                                • minor change to the registration fields template
                                • css to work on that minor change and hide the div.

                                I was really pleased that we could do all that without a plugin and using vB as cleanly as possible. The only criticism would be that the template change was required when it should or could have been out-of-the-box.

                                so far the honeypot is working.
                                Simple SEO

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...
                                X