miniBB Support Forums

Nasty surprise for Christmas - automated or manual spam?

Author marsbar
Associated Member
#1 | Posted: 26 Dec 2010 06:40 | Edited by: marsbar 
Hi Paul and everyone,

It's finally happened: between Christmas Eve and Christmas Day, my hitherto spam-free miniBB-powered forum was hit hard by spam. :-(

Over 400 new threads--different topic names but same content packed with hyperlinks--had been posted consecutively, before the spammer was stopped.

Server logs reveal over 3,000 requests from IP 66.23.235.114, in a 12-hour period. Deleting all the messages in the pre-moderation queue was a manual affair--not fun!

I have put in an order for the official CAPTCHA plugin. It is hoped installing the plugin will help reduce automated spam and maybe even slow down manual spam.

I am of two minds about whether the spam attack was automated or not--maybe it was part manual and part automated: human to register and confirm registration; machine to do the posting.

Perhaps someone would not mind taking a look below, at a small sample of the pertinent server log entries (29 lines covering not quite 5 minutes of the spammer's activities, starting from the time of signing up), and tell me what he/she thinks.

Thanks and cheers -
marsbar

--
Log entries (just the first 29 out of 3000+ entries):

66.23.235.114 - - [24/Dec/2010:17:41:21 -0800] "GET /forums/index.php?action=registernew HTTP/1.1" 200 19301 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:41:21 -0800] "POST /forums/index.php? HTTP/1.1" 200 5542 "http://domain/forums/index.php?action=registernew" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:40 -0800] "GET /forums/index.php HTTP/1.1" 200 22793 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20424 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19893 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19893 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:41 -0800] "GET /forums/index.php?action=vtopic&forum=1 HTTP/1.1" 200 27763 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:42 -0800] "GET /forums/index.php?action=vtopic&forum=1 HTTP/1.1" 200 27763 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:40 -0800] "GET /forums/index.php HTTP/1.1" 200 22890 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20375 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19844 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19844 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:41 -0800] "GET /forums/index.php?action=vtopic&forum=10 HTTP/1.1" 200 24422 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:42 -0800] "GET /forums/index.php?action=vtopic&forum=10 HTTP/1.1" 200 24422 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=10" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:40 -0800] "GET /forums/index.php HTTP/1.1" 200 22826 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20395 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19864 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19864 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:41 -0800] "GET /forums/index.php?action=vtopic&forum=5 HTTP/1.1" 200 24384 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:42 -0800] "GET /forums/index.php?action=vtopic&forum=5 HTTP/1.1" 200 24384 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=5" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:39 -0800] "GET /forums/index.php HTTP/1.1" 200 22789 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:39 -0800] "POST /forums/index.php? HTTP/1.1" 302 20378 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:40 -0800] "GET /forums/index.php HTTP/1.1" 200 19847 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19847 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:41 -0800] "GET /forums/index.php?action=vtopic&forum=15 HTTP/1.1" 200 23738 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:42 -0800] "GET /forums/index.php?action=vtopic&forum=15 HTTP/1.1" 200 23738 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
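
One way to test the "automated or manual?" question against a log like the one above is to measure how regular the gaps between POST requests are. The following is an added example, not part of the original post and not miniBB code; the function names and the two thresholds (`min_posts`, `max_jitter`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample: the POST entries from the log above with the user agent
# shortened to "UA", plus three invented requests from 198.51.100.20 at a human pace.
SAMPLE_LOG = """\
66.23.235.114 - - [24/Dec/2010:17:42:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20424 "http://domain/forums/index.php?action=loginfrm" "UA"
66.23.235.114 - - [24/Dec/2010:17:42:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=1" "UA"
66.23.235.114 - - [24/Dec/2010:17:43:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20375 "http://domain/forums/index.php?action=loginfrm" "UA"
66.23.235.114 - - [24/Dec/2010:17:43:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=10" "UA"
66.23.235.114 - - [24/Dec/2010:17:44:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20395 "http://domain/forums/index.php?action=loginfrm" "UA"
66.23.235.114 - - [24/Dec/2010:17:44:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=5" "UA"
66.23.235.114 - - [24/Dec/2010:17:45:39 -0800] "POST /forums/index.php? HTTP/1.1" 302 20378 "http://domain/forums/index.php?action=loginfrm" "UA"
198.51.100.20 - - [24/Dec/2010:17:40:05 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=2" "UA"
198.51.100.20 - - [24/Dec/2010:17:47:52 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=2" "UA"
198.51.100.20 - - [24/Dec/2010:18:03:11 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=2" "UA"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')
ACTION_RE = re.compile(r'[?&]action=(\w+)')

def post_times(log_text):
    """Map (ip, form action named in the Referer) -> sorted POST timestamps."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        action = ACTION_RE.search(m["referer"])
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        groups[(m["ip"], action.group(1) if action else "-")].append(when)
    return {key: sorted(times) for key, times in groups.items()}

def fixed_cadence(log_text, min_posts=3, max_jitter=2.0):
    """Return {(ip, action): mean gap in seconds} for clockwork-regular POST series."""
    flagged = {}
    for key, times in post_times(log_text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A person typing posts shows gaps that vary by minutes; a script on a
        # timer shows gaps whose standard deviation is a second or two at most.
        if len(times) >= min_posts and pstdev(gaps) <= max_jitter:
            flagged[key] = round(sum(gaps) / len(gaps), 1)
    return flagged
```

On this sample, both the login POSTs and the topic POSTs from 66.23.235.114 repeat every 60 seconds to within a second, while the second client is not flagged.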

Author tom322
Registered
#2 | Posted: 26 Dec 2010 11:40 
These days captcha on the forum is a must; I wouldn't start a serious forum (or even a contact form) without it. The premium one is very good.

I tend to think it's manual spam - because the IP at each post attempt is the same. Most auto spam generates a different IP each time.

And it's not a coincidence it happened during the holidays; spammers think websites don't have any administration during that time. Watch for New Year's Eve too.

Author marsbar
Associated Member
#3 | Posted: 26 Dec 2010 15:21 
Hi tom322,

tom322:
[CAPTCHA plugin] The premium one is very good.

That is good to know! I ordered a copy yesterday; I hope to be granted access to the script soon.

tom322:
I tend to think it's manual spam - because the IP at each post attempt is the same. Most auto spam generates a different IP each time.

I see! But ... 12 hours of continuous activity? Amazing.

tom322:
And it's not a coincidence it happened during the holidays; spammers think websites don't have any administration during that time. Watch for New Year's Eve too.

Oh the scumbags think of everything, don't they! My colleagues and I will remain extra vigilant over the holiday season.

Thanks, tom322, for your helpful advice.
All the best -
marsbar

Author Paul
Lead Developer
#4 | Posted: 27 Dec 2010 04:33 | Edited by: Paul 
Our board was spammed a bit too these days.

If you don't have the Captcha enabled for members posting, it's quite possible to register manually and then program a script which will work in an automated way.

So enable Captcha also for members who did less than X posts (defined in settings), to prevent this issue.

If you have some other ways to prevent it, let us know.

Author marsbar
Associated Member
#5 | Posted: 27 Dec 2010 05:53 
Many thanks for your advice, Paul; I'll get busy to get CAPTCHA set up!

The sheer volume of messages left by the spammer last weekend caused quite a headache for those clearing the pre-moderation queue. The moderator who did most of the hard work provided me with some feedback on the pre-moderation plugin, which I will email you for your consideration.

Cheers -
marsbar

Author Paul
Lead Developer
#6 | Posted: 27 Dec 2010 09:40 
I suppose the issue is not related to the Premoderation queue or add-on, or the software itself. It's about the server's security - if there is a mass of bulk POST data coming from the same IP within a few hours, the server SHOULD react to it internally. If it doesn't react, it's possible to flood it using any other software, not just miniBB. As far as I know, most of the latest Apache versions have this kind of flood protection.

I've got your suggestions. We should prevent the posting of the message itself, not build the premoderation queue some tricky way - it won't help. One of the solutions is to allow certain members (let's say new members) to not post more than X messages per day from the same IP.

tom322:
Most auto spam generates a different IP each time.

I wouldn't agree with that - a unique IP address is a rarity nowadays. Even if spammers may use different IP addresses, they would go for such a move only having a highly profitable task known. Without making money, rotating IPs makes no sense.

And I think in this case there was just a "simple crime" involved - somebody INTENTIONALLY had a purpose to flood the forum, if it lasted for a few hours.

Author marsbar
Associated Member
#7 | Posted: 28 Dec 2010 07:13 | Edited by: marsbar 
Thank you, Paul, for your prompt and helpful reply.

Paul:
I suppose the issue is not related to the Premoderation queue or add-on, or the software itself. It's about the server's security - if there is a mass of bulk POST data coming from the same IP within a few hours, the server SHOULD react to it internally.

I have reported the abuse to my web host. Instead of being alarmed, tech support's reply was simply to block the offender's IP. !!!! *O crystal ball, please tell me what IP I need to ban to prevent the next attack!*

Paul:
I've got your suggestions. We should prevent the posting of the message itself, not build the premoderation queue some tricky way - it won't help.

You are right: we ought to concentrate on finding ways to prevent the message queue from being flooded in the first place.

Paul:
One of the solutions is to allow certain members (let's say new members) to not post more than X messages per day from the same IP.

Yes, my colleagues and I have been thinking along similar lines:
allow only x messages per day per ID (EVERY registered member, including the pre-moderated) - admin and moderators are exempt from the rule.

Which would make better sense and be more effective in getting the desired result? And would either rule be easy to implement - preferably without touching the core?

Cheers -
mb

Author kuopassa
Registered
#8 | Posted: 28 Dec 2010 10:57 | Edited by: kuopassa 
I would use CAPTCHA and .htaccess together to block unwanted messages. In the Perishable Press blog there's a series of "Blacklists" which are created to block spammers etc.

Author Paul
Lead Developer
#9 | Posted: 3 Jan 2011 06:21 
marsbar:
please tell me what IP I need to ban to prevent the next attack!

Modern hosts are too *dumb* to provide you more human replies, because mostly they are built by automated solutions and machines ;-)

Blacklists won't help a lot, either. Specifically, "valid" sites are often listed in blacklists. As far as I know, minibb.com is listed in many blacklists for no reason - maybe just because of competitors' requests.

Yes, it's possible to build, at the add-on level, a limitation of posts per day from a certain IP. I see you have continued in a similar thread, so let's bring our discussion over there.
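
The two limits discussed in this thread (X messages per day from the same IP for new members, and x messages per day per member ID with admins and moderators exempt) can be compared side by side. The following Python model is an added example, not miniBB code and not from any participant; `PostLimiter`, `simulate_flood`, the thresholds and the IP address 203.0.113.9 are assumptions made for illustration.

```python
from collections import defaultdict, deque

DAY = 24 * 60 * 60  # window length in seconds

class PostLimiter:
    """Sliding 24-hour post limits; all thresholds are illustrative assumptions."""

    def __init__(self, per_member=10, per_ip_new=5, new_member_posts=20):
        self.per_member = per_member              # x posts/day per member ID
        self.per_ip_new = per_ip_new              # X posts/day per IP, new members
        self.new_member_posts = new_member_posts  # fewer total posts => "new"
        self._by_member = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    @staticmethod
    def _recent(window, now):
        while window and now - window[0] >= DAY:  # drop entries older than 24 h
            window.popleft()
        return len(window)

    def allow(self, member_id, ip, role, total_posts, now):
        """Decide before the message is stored, so the queue never sees it."""
        if role in ("admin", "moderator"):        # exempt, as proposed in post #7
            return True
        member, addr = self._by_member[member_id], self._by_ip[ip]
        is_new = total_posts < self.new_member_posts
        if self._recent(member, now) >= self.per_member:
            return False
        if is_new and self._recent(addr, now) >= self.per_ip_new:
            return False
        member.append(now)
        if is_new:
            addr.append(now)
        return True

def simulate_flood(limiter, accounts=1, minutes=720, ip="203.0.113.9"):
    """Constructed replay: one attempt per minute for 12 h, rotating accounts."""
    totals = defaultdict(int)
    for n in range(minutes):
        member = f"spam{n % accounts}"
        if limiter.allow(member, ip, "member", totals[member], n * 60):
            totals[member] += 1
    return sum(totals.values())
```

With these assumed thresholds, a per-ID limit alone lets three accounts on one IP store 30 messages in the replay, while adding the per-IP limit for new members holds the total at 5 regardless of how many accounts are registered.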

This topic is closed. New replies are not allowed.
 