Announcement

**briansol** · Wed 28 May '08, 2:54pm

looking at the logs, there's a 90% chance they aren't going to your site at all.... but rather running a simple CURL program they whipped up. it's pretty easy to make a curl script to do this. <100 lines a code, tops.

**mikesz** · Wed 28 May '08, 8:13pm

Actually, Briansol, I think you are right on with that one. I have been trapping the data entry for some time now and that is exactly what it looks like, either that or they have figure out how to do an injection but it does not appear to be using the standard vbulletin registration vehicle to me.

I have been avoiding these jerks for several months and just the other day, three of their attempts succeeded so I had to tweak my filter to trap them but its clear to me that they were not using the "standard" form spamming bot, maybe as you say, CURL is their vehicle now.

vBulletin need to find a zealot in their development organization to champion this cause like they do with ALL the other phantom XSS and CSRF they have supposedly fixed. THIS one is REAL and PRESENT and affecting thousands of vBulletin owners and operators every day.

I don't appreciate wasting MY time to try to hack a solution for this product deficiency frankly. I would prefer to use my skills for more creative and satisfying work.

regards, mikesz

**Dan B** · Wed 28 May '08, 8:37pm

I recently been hit by them as well ;(

I would hate to do manual verification

**kalam** · Wed 28 May '08, 8:42pm

I've been getting hit by one of these bots almost daily. They get passed the normal vBulletin registration and Enhanced Captcha Image Verification which makes me believe that they are using some other way to completely bypass all that as well.

I'm currently using Prevent Spam to put all posts into the post moderation cue for all post that contain links from members that have fewer than 10 posts. So far it has caught all the bots.

Only correlation that I've noticed is that they all put their birthdate as January 1st, 1980 and all have their time set to GMT + 8:00 (Beijing, Perth, Singapore, Hong Kong).

Hopefully the vBulletin development team will take a serious look into this matter and fix it.

**ampersand** · Thu 29 May '08, 6:53am

Im also hit by this ****

**CarterMarkham** · Thu 29 May '08, 10:28am

eh, I just edited the .htaccess file and banned ALL Chinese IP's. Problem solved, for the Chinese anyway.

**CarterMarkham** · Thu 29 May '08, 10:30am

hmm why dont we all mass email these guys and flood their account!?

**copiertalk** · Thu 29 May '08, 10:39pm

Originally posted by CarterMarkham View Post

eh, I just edited the .htaccess file and banned ALL Chinese IP's. Problem solved, for the Chinese anyway.

KevinFlys

They are pretty easy to spot when they join. The almost immediately edit the signature. I just made it so people that that user group can not edit their signature.

**thebigman87** · Fri 30 May '08, 1:56am

Originally posted by CarterMarkham View Post

eh, I just edited the .htaccess file and banned ALL Chinese IP's. Problem solved, for the Chinese anyway.

It's not a path I'd personally go down, I mean China is a very fast developing country and with a Population of 1 Billion its not one to be blocked by outsiders (their Government can do that for them :P).

I know you probably don't see any reason for a Chinese lad joining but I suppose depending on your site it helps to have as many views from different areas in the world. btw My Site is a Registered Only forum for Members, so I am quite surprised to be hit by it, because I only have 1 entry on google. Which I think summarises the scale of the problem.

Before I continue to babble any longer, my solution will be to use Prevent Spam so new members who post links are placed in a moderation queue. Although it's not the external links I'm particularly worried about it's the nuisance it causes to me and members using the site.

**kalam** · Fri 30 May '08, 7:29am

Well, today I was hit by 4 different bots at once: joef88112, baadman25, kevin7901, and loveumaryii. Luckily, none of their posts actually appeared on the forum because of Prevent Spam. I modified it further to only stop posts with links from users with no posts. Since the bots posts are placed into moderation cue, they are not counted towards their post count. This problem appears to be getting worse and blocking all of China is not an option for me.

**Scalemotorcars** · Fri 30 May '08, 8:00am

Thanks for posting the list. I know someone is working on a Spam hack at VB.org but its far from finished. Anyone know of a master list that can be copy/pasted into my banning section? Thanks again. Daniel

**Wayne Luke** · Fri 30 May '08, 8:06am

Originally posted by Scalemotorcars View Post

Anyone know of a master list that can be copy/pasted into my banning section?

http://www.projecthoneypot.org/top_comment_spammers.php

Of course any true spammer is just going to start spoofing their IP address or lease a zombie workstation in another country.

**Scalemotorcars** · Fri 30 May '08, 8:08am

Thanks Wayne. That was quick. Site is currently down but Ill check back soon.

**Wayne Luke** · Fri 30 May '08, 8:09am

Originally posted by Scalemotorcars View Post

Thanks Wayne. That was quick. Site is currently down but Ill check back soon.

I think they are currently being DDOSed by spammers... It happens quite a lot there if you can imagine. The site works but it is slow right now.

**Scalemotorcars** · Fri 30 May '08, 8:52am

Go figure them doing that.

Just glad someone is keeping track of all this to make it easier on the rest of us. Thanks again for the link.

Announcement

Spam bots defeat Recaptcha.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment