08/20/2012 - Attack of the Bots

Discussion in 'Site Security & Legal Issues' started by PWO, Aug 21, 2012.

  1. PWO

    PWO Enthusiast

    Yesterday was an interesting day. After never really having a problem with spam bots before, I had over 30 plus spam threads created throughout yesterday and last night. Not sure exactly why it's happening all of a sudden. Has anyone experienced the same thing? Anyone else get attacked yesterday? Anything I could do? Today was been fine...so far.
  2. Morganna

    Morganna Mistress of Mayhem

    There's been a mass influx of spammers since around Saturday - a LOT of xenforo-based sites were targeted, but I don't imagine they were the only ones to suffer.

    Best line of defense is Q&A sets that aren't simple mathematics, stopforumspan plugins, and lots of vigilance :)
  3. PWO

    PWO Enthusiast

    What Q & A do you use? I've used the 1 + 2 = ? question and the bots get past that. I also had reCAPTCHA and that didn't seem to work out real well yesterday.
  4. Morganna

    Morganna Mistress of Mayhem

    heh heh heh... my questions are currently:-

    There are 10 spammers in a room. I set them all on fire and they die in agony. How many spammers are left?

    There are 10 spammers waiting to be shot. I have six bullets. How many spammers have to wait until I've reloaded

    There are 5 spammers. I stab one in the eye with a rusty fork, how many are left to disfigure?

    There are fifteen spammers locked in a room. One is infected by zombies. How many victims does it have remaining?

    There are five spammers camping. 1 has its throat ripped out by a werewolf. How many are now crapping themselves waiting to die?

    Yes, i have a problem with spammers :D
    • Like Like x 1
  5. whocky

    whocky Adherent


    hahaha all these are brilliant, they would amuse any would-be members lol
  6. RhyssaFireheart

    RhyssaFireheart Enthusiast

    Heh, I should change our Q&A questions to something like that. Right now, I have it set up with the "The number is 3+4 and the letter is the one after M" type of questions and the sheer amount of spam we've gotten recently has really gone up. It seems to go in waves since things were pretty quiet earlier this summer.
  7. Morganna

    Morganna Mistress of Mayhem

    Feel free to use them, I will be regularly adding or changing them dependent on my mood of the moment ;D
  8. R0binHood

    R0binHood Aspirant

    I love this :D

    So have many non XF admins been under attack recently too?
  9. SarisIsop

    SarisIsop Uncomfortable

    Change monthly, I use some related to my forum so you would have to know a bit about the content.

    I don't think bots can see colour so something like:

    What is the main colour scheme of this forum?

    What is the border colour of this forum?
  10. dethfire

    dethfire Fan

    bots are easy to block, it's the human spammers that are tricky
  11. It's my understanding that bots don't see things rendered by css or pictures outside the registration form. So asking about background pictures or style-sheet rendered colors or header pictures should work quite well. I know one forum that's state specific and most of their antispam questions relate to the map-based logo they use. Not a single bot has gotten through in ages and very few hubots.

    Another good anti-bot measure, the old-fashioned honeypot - a registration field that looks legit but has to stay empty and is hidden through css. Mine catches at least a hundred attempts a day on each of my forums.
  12. RhyssaFireheart

    RhyssaFireheart Enthusiast

    Finally got around to updating our verification questions and I based them off AzhriaLilu's.

    I only have 4 questions atm, I should probably add a few more.
  13. salem

    salem Adherent

    Only thing about adding more questions would be that you won't
    know which ones are failing .
  14. RhyssaFireheart

    RhyssaFireheart Enthusiast

    I don't know which ones fail now as it is. I just know that they work for a while and then we get an uptick in new spambot registration. And the amusing instances of banned idiots who can't figure out the questions so they can post on the private forum for info. That can be hilarious, tbh.
  15. echo_off

    echo_off Life is an illusion...

    the Q & A plugin for MyBB tells you how many people get it correct and how many get it wrong, if one is only wrong answers and no correct answers change it, and it's even, with no spammers. then you know it's a good question, if they are all correct answers, make a harder question.
  16. RhyssaFireheart

    RhyssaFireheart Enthusiast

    Ah, not sure if there is anything like that for vB and even if there was, I have no ability to install a mod like that anyways.
  17. Esprit

    Esprit Participant

    Although it can be tedious, I manually activate all new members to my forum. I've noticed a HUGE increase in bogus applications from the Russian Federation lately.
  18. Cyburbia

    Cyburbia Fan

    My site experienced a massive increase in human spammers at the start of September. It used to be where one or two would make it through the site's defenses every day or so. Now, it's several a day. It's not the usual "Axis of Human Spam" (India, Pakistan, Sri Lanka, Bangladesh, Vietnam, China, Philippines) either. I'm now seeing a lot from Poland, Bulgaria, Romania, Indonesia, Bosnia, Spain, Greece, Morocco, Turkey, the Baltic states ... pretty much, any country hit hard by the Euro crisis or where there's a lot of babushka-covered old ladies wandering around. I added a bunch of countries to the country moderation plugin list. Every morning, there's five or six new users in the moderated user list.

    I found the vast majority of human spammers register between midnight and 9:00 AM Eastern time (USA). I'd love to see a vBulletin/IPS plugin that disables registration for certain times of the day.

    I'm now seeing a lot of US- and Netherlands-based proxies for human spammers, I look at the IP for all new users, and if resolves to a Web host, I get out the banhammer. There's also the usual tells of Indian spam; salon name usernames ("henrygeorge", "johnrobert12", etc), locations in "newyerk", "londin" and "united State", etc. I assume the proxies are in place because an increasing number are resting to country blocking, or banning those with Indian IPs as soon as they're discovered.

    Bots are also hitting the site hard, but SFS, non-math Q&A, and email/keyword blacklists stop them. To reduce the load on the server -- yes, they're hitting it that hard -- I installed ConfigServer and now drop all packets from the following countries.

    Belarus BY
    China CN
    Moldova MD
    Pakistan PK
    Philippines PH
    Pakistan PK
    Russia RU
    Ukraine UA
    Vietnam VN
    Last edited: Oct 4, 2012
  19. Zylantex

    Zylantex Adherent

    You will have to rethink that question.

    You haven't specified that ammunition capacity of the weapon you are using.

    Is it a single shot, five shot, six shot or an automatic which could contain any number of shots depending on the magazine capacity?

    Also there is a distinction between loading a gun and reloading a gun.

    Add to that you only have six bullets...

    I could go on but you get the idea. You have to be precise. :lildevil:
  20. RhyssaFireheart

    RhyssaFireheart Enthusiast

    Not if I don't want the spammers to ever get through. :lildevil:

    Actually, like Cyburbia said, spambots for September have been crazy. I finally resorted to turning registration moderation on which means I (or the other admin if he's around) have to approve each new account. It's honestly not that big an issue because the bots are beyond obvious anymore. I have seen a rise in previously banned accounts logging in, presumably to check if they can do anything on the site. One day, if I'm bored enough, maybe I'll just delete all spam accounts with no posts.
Draft saved Draft deleted