Announcement

Collapse
No announcement yet.

Spammers Getting Around Image Verification

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • pank
    replied
    Originally posted by wutthehell View Post
    Seriously.... I don't have "AdminCP -> User Profile Fields -> Add New User Profile Field
    " in my AdminCP. I am using 3.7.1. What am i missing here????

    I have had to turn off new regs as well.... seems like a pretty big exploit?
    AdminCP -> User Profile Fields -> Add New User Profile Field

    Profile Field Type: Single-Line Text Field
    <<Continue>>

    Use the following information when creating the Profile Field:
    Title: Can you spell?
    (Note: Adjust the title to the question you want to ask)
    Description: Enter the first character of the word "Monkey"
    (Note: Adjust the question. Don't use this example as it would be quickly picked up by bot registrations)
    Default Value: B
    (Note: anything but a valid answer)
    Field Required: No, but display at registration
    Field Editable by User: Only at registration
    Private Field: Yes
    Field Searchable on Members List: No
    Show on Members List: No
    Regular Expression: ^[mM]$
    (Note: this expression would only allow a 'm' or 'M' as valid answers, adjust to your needs)
    I just set it up and it appears to be working fine???

    Leave a comment:


  • ravenstarr
    replied
    Originally posted by Steve Machol View Post
    Post #2.
    Thanks for the info. Steve. I have had everything you mentioned in place except for moderating new posts and the recaptcha service. I am now moderating new posts because of the 30 or so spammers my forum got today. They were all from @gmail.com. I have never had this many register at one time.

    Leave a comment:


  • wutthehell
    replied
    Seriously.... I don't have "AdminCP -> User Profile Fields -> Add New User Profile Field
    " in my AdminCP. I am using 3.7.1. What am i missing here????

    I have had to turn off new regs as well.... seems like a pretty big exploit?
    AdminCP -> User Profile Fields -> Add New User Profile Field

    Profile Field Type: Single-Line Text Field
    <<Continue>>

    Use the following information when creating the Profile Field:
    Title: Can you spell?
    (Note: Adjust the title to the question you want to ask)
    Description: Enter the first character of the word "Monkey"
    (Note: Adjust the question. Don't use this example as it would be quickly picked up by bot registrations)
    Default Value: B
    (Note: anything but a valid answer)
    Field Required: No, but display at registration
    Field Editable by User: Only at registration
    Private Field: Yes
    Field Searchable on Members List: No
    Show on Members List: No
    Regular Expression: ^[mM]$
    (Note: this expression would only allow a 'm' or 'M' as valid answers, adjust to your needs)

    Leave a comment:


  • mknapik
    replied
    Originally posted by khosk View Post
    I have checked my logs, the spambot isn't even checking the captcha. It calls register.php with a parameter of s and some long hex string then calls index.php with a parameter of s and you can see the rest. No image.php is ever called, so the spambot is bypassing the check.

    the first two parameters are getting cut off when I post.

    register.php s = 062e492e20f2647ed111199cd81519a9
    index.php s = 29407f6d587142b54a2129a1a679a85b

    PHP Code:


    84.19.188.30 
    - - [01/Oct/2008:18:38:44 -0400"GET /forum/register.php? HTTP/1.0" 200 18156 "http://volkovtrio.com/sound/pre/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
    84.19.188.30 - - [01/Oct/2008:18:38:48 -0400"GET /forum/index.php? HTTP/1.0" 200 45797 "http://www.erisaboard.com/index.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
    84.19.188.30 - - [01/Oct/2008:18:39:01 -0400"GET /forum/register.php HTTP/1.0" 200 17854 "http://www.erisaboard.com/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
    84.19.188.30 - - [01/Oct/2008:18:39:02 -0400"POST /forum/register.php?do=register HTTP/1.0" 200 23413 "http://www.erisaboard.com/forum/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
    84.19.188.30 - - [01/Oct/2008:18:39:05 -0400"POST /forum/register.php?do=addmember HTTP/1.0" 200 23907 "http://www.erisaboard.com/forum/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01" 
    Is this bypassing reCaptcha as well?

    Leave a comment:


  • yogesh
    replied
    I am using 3.6.11 with no spam and they manged to break past nospam as well! These are definetly bots, which never used to get past nospam and imagevarification. Another interesting twist came when I traced two ips which belong to servers is US and one of them to an imageshack server (check your logs for ips begining with 70.) though that one didn't made it past the registration page, it kind of makes me believe that it might be a handy work of distributed spam network, being carried out through a trojan or a virus, installed on computers/servers.

    Leave a comment:


  • pank
    replied
    Same BS here. Here is a list of new banning options I added as of today (I actually totally disabled gmail and hotmail for now since 98% of the spammers used those emails as well as .ru emails)

    Emails:
    @gmail.com @hjklghjkl.co.cc rambler.ru @xmail.net mymail-in.net @e-mail.org @web-sex.tv @mail.ru @intim-shluhi.ru @viagrabe.com @sina.com

    IP's:
    93.81.*
    92.243.*
    82.7.*
    78.157.*
    67.212.*
    87.118.*
    94.50.*
    93.81.*
    200.63.*

    I know this is somewhat drastic but at this point I had no choice. I probable deleted around 300 accounts today.

    Tip: Do a search for new accounts registered today/yesterday.
    If they use a gmail I just deleted them. But click on their profile and look for suspicious sigs, websites, etc...

    Hopefully this helps. And note: I am using all of the current spam settings. The only thing I do not have (but am adding right now) is the extra registration question...

    Leave a comment:


  • GSXR
    replied
    Originally posted by Wayne Luke View Post
    Was your question: What is 2 + 2?

    You need to ask decent questions.
    Yes, we also got smashed yesterday too.

    The question stopped them, no point putting a question that can be Googled.

    Leave a comment:


  • HobbiesPR
    replied
    Awaiting Moderation

    I have turned ON new registration moderation, over 60 spam users today. I have deleted some users but this is a screenshot of the remaining. Lots using gmail.com now.
    Attached Files

    Leave a comment:


  • OS,
    replied
    Spam is on the rise now... just yesterday and today we have been getting an influx of over 30 spam registrations from russia.... and the email they register with always resolves to gmail or some other free email service.

    We have email verification and they seem to also verify their email accounts some how and spam...

    Leave a comment:


  • Lt. Dan
    replied
    Originally posted by Photics View Post
    This seems like such a silly thing and a huge waste of time.

    Early this morning, after I figured out what was going on, the new posts were set to automatically be placed into moderation. The messages and the spam accounts were deleted. These spam messages didn't make me want to buy any viagra or visit any porn sites.
    Yes it is a huge waste of time... for a human. That's why they have bots spewing this mindless BS.

    I really wish there were some laws with teeth to throw these people in jail.

    Leave a comment:


  • Lt. Dan
    replied
    Originally posted by HobbiesPR View Post
    Lots of the registrations I have seen today, under the user info: Biography: Man

    Registering from different locations but using the same entry in the Biography.
    When you see 'Man' in any profile field, its always a bot. Before 3.7.x I used to get those all the time.

    I enabled all checkboxes on the image verification settings (random shapes was the only one I had turned off) and the registrations stopped immediately.

    Maybe they only had a partial crack on the image verification.
    Last edited by Lt. Dan; Wed 1 Oct '08, 6:33pm.

    Leave a comment:


  • mooncreek
    replied
    I was getting them all day, changed from image verification to extra question and it stopped.

    Leave a comment:


  • Wayne Luke
    replied
    Originally posted by Photics View Post
    I implemented the extra question. It didn't seem to work for me. HA!
    Was your question: What is 2 + 2?

    You need to ask decent questions.

    Though like I said in a different thread, I am using Recaptcha on different sites and haven't had a single spam registration. One site is just sitting wide open (not even using the latest version) and uses recaptcha for human verification with no issues today.

    Leave a comment:


  • Photics
    replied
    I implemented the extra question. It didn't seem to work for me. HA!

    Leave a comment:


  • wutthehell
    replied
    Our site has been hit bad as well. However I am having an issue implenting the extra question during verification. I am using 3.7.1 and I don't have a "User Profile Fields"....

    I have had to turn off new regs as well.... seems like a pretty big exploit?
    AdminCP -> User Profile Fields -> Add New User Profile Field

    Profile Field Type: Single-Line Text Field
    <<Continue>>

    Use the following information when creating the Profile Field:
    Title: Can you spell?
    (Note: Adjust the title to the question you want to ask)
    Description: Enter the first character of the word "Monkey"
    (Note: Adjust the question. Don't use this example as it would be quickly picked up by bot registrations)
    Default Value: B
    (Note: anything but a valid answer)
    Field Required: No, but display at registration
    Field Editable by User: Only at registration
    Private Field: Yes
    Field Searchable on Members List: No
    Show on Members List: No
    Regular Expression: ^[mM]$
    (Note: this expression would only allow a 'm' or 'M' as valid answers, adjust to your needs)

    Oh Yeah... heres my list of banned IPs...
    190.11.1*
    78.157.1*
    200.63.4*
    85.12.2*
    87.118.1*
    79.143.1*
    204.246.1*
    136.226.2*
    93.92.2*
    91.66.2*
    85.12.2*
    89.18.1*
    94.75.1*
    92.112.1*
    221.12.1*
    195.149.*
    93.80.*
    87.226.*
    89.208.*
    92.243.*
    77.121.*

    Leave a comment:

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X