WANTED (Not)

Dippy

Moderator
Here are the most recent Spammers:-

ZXY888 60.186.24.85 Chinanet-zj Hangzhou Node Network, Beijing, China
jojolucky 125.120.9.61 Chinanet-zj Hangzhou Node Network, Beijing, China
weiwei 221.221.173.20 Cncgroup Beijing Province Network, Beijing, China
goldlizou 125.71.133.167 Chinanet Sichuan Province Network, Beijing, China
jklm689 59.173.224.214 Chinanet Hubei Province Network, Wuhan, Hubei, China

Can anyone notice anything they all have in common?
 

demonicpicaxeguy

Senior Member
hmm... they are all from china...? none of them have the letter A in their names
they are all a product of some kind of forum posting bot (google the names)
 

Rickharris

Senior Member
Here are the most recent Spammers:-

ZXY888 60.186.24.85 Chinanet-zj Hangzhou Node Network, Beijing, China
jojolucky 125.120.9.61 Chinanet-zj Hangzhou Node Network, Beijing, China
weiwei 221.221.173.20 Cncgroup Beijing Province Network, Beijing, China
goldlizou 125.71.133.167 Chinanet Sichuan Province Network, Beijing, China
jklm689 59.173.224.214 Chinanet Hubei Province Network, Wuhan, Hubei, China

Can anyone notice anything they all have in common?
I don't actually know any of them although they seem to know me - or at least they keep emailing me!

You see what happens when you educate people? They just go off the rails.
 

Mycroft2152

Senior Member
I don't actually know any of them although they seem to know me - or at least they keep emailing me!
Rick,

Sounds like your computer was hacked and your address book copied. Now you're on a list that gets sold to different spammers.

Good Luck

"and this little piggie went wei wei weir all the way home!" :eek:
 

hippy

Technical Support
Staff member
The worse part about spammers is that they keep coming back and it seems they don't care that their postings are deleted and if their user names are barred they will simply choose another. That doesn't mean that they cannot be dealt with fairly effectively ...

I don't know how vBulletin works, but if I were running an open forum I'd allow moderators to flag usernames as spammers, keep allowing them in, and then auto-delete their posts a few minutes later.

Alternatively it may be possible to create web pages which simply delete everything posted by a spammer when launched. If so, all Rev-Ed would need to do is schedule those to run every so often. I'll look into that.

It's not perfect but would minimise vandalism and the amount of chasing down which currently has to be done manually.

Added : It is possible to create a web page which auto-deletes posts, but the post numbers have to be known and it seems it needs to be run from the right referring page, so something Rev-Ed would need to do.
 

Dippy

Moderator
It's a shame something can't be done during registration using IP address or reverse DNS.
Trouble is there is always a way around, but if things were made a bit more difficult during registration then it may put some off.

Whilst some may moan about blanket IP address bans, we also have to look at the genuine versus spam ratio.

Ultimately it's impossible to get it 100%.

I mean to say we couldn't ban hippy if he mentioned his Anne Summers catalogue only once in a while.
 

Rickharris

Senior Member
Fortunately I have changed ISP so the worst email address is dead and I generally use google mail that is excellent at screening spam.

Still I do wonder how they knew so much about my physical size/abilities!!! So much for always keeping the light off.
 

hippy

Technical Support
Staff member
I've just deleted another ten postings from our most prolific spammer wei wei, that's 43 from that one alone, others haven't gone above 20 but it all adds up.

I've refined my thoughts on auto-deletion. With a Spammer flag, only show spam posts to spammers, don't show them to non-spammers and don't allow those posts to appear in New Posts. That way spammers waste their time without affecting anyone, and it's more likely to keep them honey-trapped and using their user names because they think they are being effective when they are not. The annoyance then is reduced to new spammers who come along, but once caught they are shunted off as well.

I'd also add registration delays for sign-ups from the region and artificial delays for each posting from spammers and people with less than ten or so posts.

You cannot beat them but you can make their lives more difficult and their actions ineffective. Maybe Rev-Ed / we need to talk to the people at vBulletin to provide what's needed because the situation is getting worse and will continue to deteriorate.

Added : Having just tried some auto-spamming of the forum, we should think ourselves lucky we're only being hit by amateurs !
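
The spammer-flag scheme hippy describes in the post above, as an added example that is not part of the thread and is not vBulletin code: visibility is decided at read time, so one moderator flag hides every past and future post from that account. The class and function names and the two delay values are assumptions made for illustration.

```python
from dataclasses import dataclass

NEW_MEMBER_POSTS = 10   # "less than ten or so posts" in the post above
NEW_MEMBER_DELAY = 60   # seconds; assumed value
SPAMMER_DELAY = 300     # seconds; assumed value


@dataclass
class User:
    name: str
    post_count: int = 0
    is_spammer: bool = False   # set by a moderator, never shown to the user


@dataclass
class Post:
    post_id: int
    author: User
    thread_id: int
    body: str


def can_see(viewer, post):
    """Flagged users' posts are shown only to flagged users (viewer None = guest)."""
    if not post.author.is_spammer:
        return True
    return viewer is not None and viewer.is_spammer


def thread_view(posts, thread_id, viewer):
    """Posts of one thread as this viewer sees them, in posting order."""
    return [p for p in posts if p.thread_id == thread_id and can_see(viewer, p)]


def new_posts(posts):
    """New Posts listing, newest first; never carries a flagged user's post."""
    return [p for p in reversed(posts) if not p.author.is_spammer]


def posting_delay(user):
    """Seconds a submitted post is held before it is accepted and acknowledged."""
    if user.is_spammer:
        return SPAMMER_DELAY
    if user.post_count < NEW_MEMBER_POSTS:
        return NEW_MEMBER_DELAY
    return 0


def demo():
    # Constructed sample data: one regular member, one account a moderator flags.
    member = User("regular_member", post_count=250)
    spam = User("example_spammer", post_count=3)
    posts = [
        Post(1, member, 7, "How do I wire this sensor?"),
        Post(2, spam, 7, "cheap watches http://spam.example/"),
        Post(3, member, 7, "Solved, thanks."),
    ]
    before = [p.post_id for p in thread_view(posts, 7, member)]
    spam.is_spammer = True   # one moderator action, no per-post deletion
    after = [p.post_id for p in thread_view(posts, 7, member)]
    own = [p.post_id for p in thread_view(posts, 7, spam)]
    listing = [p.post_id for p in new_posts(posts)]
    return before, after, own, listing


if __name__ == "__main__":
    print(demo())
```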
 
?

--

Guest
Deleted. Point proven I think.
 
Last edited by a moderator:

Tutor

New Member
Have you tried Vbulletin.org? They have something that prevents spammers adding links (for, say, the first five posts); most robots just give up if they can't add a link.
 

Dominic B

New Member
My experience has been that a combination of email verification, visual confirmation and a non-standard required field in registration has stopped all bots. Unfortunately this is on phpBB3, not vbulletin so whether something similar could be done here I don't know and the forum was smaller, so probably wasn't targeted so much.

The best way I've found is to make something non-standard but compulsory. For example, "What Are You?" with two options, "I am a human" and "I am an evil bot" with "I am an evil bot" being both default and equivalent to a null value. That way it's something the bot's not expecting and not been programmed to deal with, therefore can't do it.
 

hippy

Technical Support
Staff member
I think the spammers we are getting are real people ( if spammers can ever be called that ) rather than bots, and not technically competent ones. Thus it's another social engineering challenge as well as a technical one. The best option, given they won't go away ( they probably get a desperately needed grain of rice for every hit they generate ), is to keep them bogged down in tar pits while they're here.

Keeping them trapped in their own personalised Matrix appeals to my sense of justice and fair play.
 

Dominic B

New Member
I'd be surprised, if I recall correctly, the links were directly to a website which means they aren't getting paid per click. (which is highly unlikely).

I am aware that people are being employed instead of bots to crack CAPTCHAs on Google Mail, Yahoo! Mail or Live Mail accounts. But I doubt there is much benefit from employing people to do so on this forum.

If there is though, then indeed there's not much more that can be done though. But I doubt human spamming will be occurring here.
 

Dippy

Moderator
"Keeping them trapped in their own personalised Matrix appeals to my sense of justice."
- same here, but how?

"..keep them bogged down in tar pits while they're here."
- lovely, sounds wonderful, but how? What tar pits? Are you going to keep them talking while I sneak round and let their tyres down?

They don't care whether they get rude responses, no responses are deleted. Probably brings a smile that they've got a response.
One or two of the spammers slipped in their link within a forum-related question so I suspect a human of some description, as you say, on a dollar a day.
Maybe more if some suckers respond.

Just ban any registrations from China for a couple of months.
 

medvampire

New Member
I have helped admins on vBulletin before and there are ways to stop this but I will not post them here. Spam is a problem on many boards. The last one I worked on was spammed within days of going online. It's a part of having a forum.:mad: I hate to see the board here getting hit. I have lurked here for weeks finding the answers I need and many times before I even had the question.:rolleyes:
Later
Steve
 

hippy

Technical Support
Staff member
"Keeping them trapped in their own personalised Matrix appeals to my sense of justice."
- same here, but how?

"..keep them bogged down in tar pits while they're here."
- lovely, sounds wonderful, but how? What tar pits? Are you going to keep them talking while I sneak round and let their tyres down?
That's my earlier idea - when they login they get one web site we get another, all their vandalism occurs in their sandboxed matrix, everyone else carries on blissfully unaware that's even going on. When a spammer does pop their head into the real world, we cosh them, next thing they wake up in the matrix unaware it's different, carry on thinking they are still working on a live system doing things we can see. They're happy, we're happy.

The tar pit nature is as you describe; "keep them talking". While they're faffing about in their sandbox going nowhere fast ( especially if there's a forced delay for their posts to be accepted and acknowledged ) they are tied up here limiting damage elsewhere. Maybe not held up a lot but it's better than nothing.

There is a pattern forming which indicates there is some automated spamming at work ( similar to what I experimented with and using the same tricks ), most notably that spam keeps getting added to the same threads. That suggests they've got the hook for a set of post ID's ( those &p= items in the URL ) and then have an automated post thread script. That multiple spammer identities are hitting the same threads suggests they are simply passing those links along. The process is probably manually sign-up, login, capture some post ID's, add to the auto-spamming database. That's what I did but all manually.

If something isn't done I expect the amount of spam will start to increase.

Banning Chinese sign-ups might work but it would take me seconds to get round that and avoid having a DNS track-back which went to my originating location.
 

hippy

Technical Support
Staff member
I have helped admins on vBulletin before and there are ways to stop this but I will not post them here.
Your help could prove very useful here, especially with practical experience. I suppose the first question is, can vBulletin be configured to prevent the type of spam attacks we're getting largely automatically without making real users jump through hoops ?

Whatever ultimately happens is in the hands of Rev-Ed, us mods can only delete and comment on the situation.

PS : Thanks to everyone who hasn't taken the bait and simply ignored the spam. Hopefully most of it gets erased pretty quickly so not too much of it should get seen.
 

medvampire

New Member
Without knowing a few things it's hard to answer.
I am on rotation this weekend and stuck at the lab. I will pm you with some questions when I get out of rotation and back to the house.
Steve
 

Dippy

Moderator
Lordy, lordy, and there I was thinking that it was only accountants and lawyers that were real-life blood-suckers :)

Surely, this really is down to Technical/Admin to communicate with VBulletin on a way forward. If the Forum authors can't do anything about it then I can't see how anyone can - even with the best wills/brains in the world.

I've seen Spam on all the Forums I use, both VBulletin and PHP. I would guess mostly human not bots. Let's face it, even with simple cut'n'paste it only takes a few minutes.

I agree banning IPs would merely delay the inevitable but anything to make things harder may put off one or two light-weight opportunists and (a question) are Chinese users allowed (by their Government) to fiddle via 'foreign' providers. I would have thought that if they could have done then they would have done by now.

Perhaps a combination of Reverse DNSing and hippy's suggestion: if certain IP Geographical* users register then they get a spoof Forum and post into oblivion thinking they have posted OK. An automatic system would be perfectly happy that it has been successful. And therefore the human perp would think all was well and not bother with any cunning IP rerouting. (Or was that hippy's suggestion in entirety? He keeps on about Social Engineering and matrices that it reminds me so much of business meetings that I fall asleep, sorry :)).

Is it possible, I really haven't looked, for Moderators/Technical/Admin to delete users and all their posts with a simple click-or-2?

*e.g. China and any non-specific geographical locations.
 

westaust55

Moderator
It's a shame something can't be done during registration using IP address or reverse DNS.
Trouble is there is always a way around, but if things were made a bit more difficult during registration then it may put some off.
Locking members to an IP address might curtail access for myself and some others significantly. Being fairly mobile in work and social life, I regularly access this forum not only home but occasionally work and also each weekend from friends' homes.
 

slurp

Senior Member
Do you have a ban list of IP and email addresses?

I found I didn't have too many block bans but a few were useful where there was a pattern from any particular block. Similarly the 'bots often have common parts to the email domain.

Until ISPs start taking action we'll only be slowing and delaying these people :(

regards
colin
 

Dippy

Moderator
"Locking members to an IP address might curtail access for myself and some others significantly. "

- I wasn't suggesting that. I was suggesting, tentatively, that IP addresses, when reverse DNSed, can be located Geographically. If they have certain regions associated with them then life should be made harder. So, maybe if you went to Beijing and tried to post (likely?) then it might be tricky, but wasn't it Mr Spock who said "The needs of the many outweigh the needs of the few"?

Of course it's ultimately impossible. And no-one has a solution or they would be millionaires.
 

medvampire

New Member
medvampire, Dr_Acula here. Good to hear from you. You must be my long lost cousin!
I remember reading somewhere you are a med doc. I am a med and histo tech. So I guess we could be blood brothers.:D Doc, you a GP? I am a generalist.

There are ways to curb the spam but not stop it. The ranking system is one way to help slow it.
I have used Hippy's honey pot idea on Linux servers but most spammers/hackers have gotten wise and have ways around it.
To really stop the spam would degrade the user access. Security versus user is the real question.
The sysadmin would have to make any real changes on a server level in Apache as well as VB unless he sets up some mod panels that would allow mods to make changes on the fly but that opens up more issues.
I think that time as a member as well as post count should be used to control posting links and attachments. That would also encourage new users to search the forum for answers before asking questions. Most questions have already been discussed if a person really looks for them.
You may also want to look at minimum post size to stop the "me too" posts to boost post count.
Signatures also need to be looked at to prevent outside linking to spam as well. I have no problem linking to personal sites but ads need to be evaluated for relevant content.
I have listed a few of the more popular ways of slowing forum spam but there are other ways that can be used.
Later
Steve
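
An added example (not from the thread and not vBulletin's own code) of the link controls medvampire lists above, together with the first-posts link block Tutor mentioned earlier: links in posts and signatures are refused until an account has both enough counted posts and enough membership time, and posts below a minimum size do not raise the count. All names, and every threshold other than Tutor's five posts, are assumptions.

```python
import re
from dataclasses import dataclass

MIN_POSTS_FOR_LINKS = 5    # "the first five posts", as mentioned earlier in the thread
MIN_DAYS_FOR_LINKS = 14    # assumed value
MIN_COUNTED_LENGTH = 40    # assumed: shorter posts do not raise the post count

# BBCode link/image tags, explicit URLs, and bare www. hosts.
LINK_RE = re.compile(r"\[url\b|\[img\b|https?://|\bwww\.[a-z0-9-]+\.[a-z]{2,}", re.I)


@dataclass
class Member:
    name: str
    joined: float            # epoch seconds
    counted_posts: int = 0


def has_link(text):
    return bool(LINK_RE.search(text))


def links_allowed(member, now):
    """Both conditions must hold: post count alone can be farmed quickly."""
    age_days = (now - member.joined) / 86400
    return (member.counted_posts >= MIN_POSTS_FOR_LINKS
            and age_days >= MIN_DAYS_FOR_LINKS)


def submit(member, body, signature, now):
    """Return (accepted, reason); an accepted post of sufficient size is counted."""
    if not links_allowed(member, now):
        if has_link(body):
            return False, "links in posts need more posts and membership time"
        if has_link(signature):
            return False, "links in signatures need more posts and membership time"
    if len(body.strip()) >= MIN_COUNTED_LENGTH:
        member.counted_posts += 1
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a day-old account tries to pad its count, then link.
    now = 1_700_000_000.0
    newbie = Member("example_newbie", joined=now - 86400)
    for _ in range(6):
        submit(newbie, "me too", "", now)
    print(newbie.counted_posts)
    print(submit(newbie, "see [URL=http://spam.example/]here[/URL] for cheap deals", "", now))
```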
 

Dippy

Moderator
And of course, welcome to our newest Spammer:-
Pereftiyo 222.183.123.204 Chinanet Chongqing Province Network, Beijing, China
 

hippy

Technical Support
Staff member
@ medvampire : We've been lucky and don't see any 'me too' postings nor abuse of signatures and attachments so, for now anyway, it's really just this group of Chinese spammers that need to be dealt with.

Banning the specific IP addresses and the entire Chinese region soon after if that doesn't work would be the first step while longer term solutions are found.
 

moxhamj

New Member
medvampire, I am a GP. And yes, Dippy, sucking blood is the game! Usually the first 4 patients every morning are there for blood tests. I then send the specimens off to medvampire. To look at. Or whatever he does with them...

Just to double check, I believe on this forum the large number of posts by the likes of hippy and Dippy entitles the poster to the title of "Supreme Ruler of the Universe", and also the somewhat less inspiring title of "Moderator". And with this title comes the responsibility of cleaning up all the rubbish posts that we see occasionally but then disappear soon after. Is this right? And if so, how many rubbish posts per week is this forum getting?
 

hippy

Technical Support
Staff member
Without checking the weekly rate, I do know wei wei has posted 48 spams in total, three others combined are responsible for about the same amount. For mods, quantity isn't that much of a problem as all posts from a user can be deleted in just a few clicks, but each individual spammer has to have their posts deleted separately.

It's more inconvenience and nuisance. I feel I've had to delete spam at least once every day for the past couple of weeks and sometimes two or three times a day. I don't mind flagging up spammers with the system dealing with their posts from then on but having to repeatedly keep deleting posts from the same users day after day is just tedious and it's precisely the task computers are good at.

I'd best email Rev-Ed because it is entirely possible that mods are doing such a good job of keeping the spam out of sight that even they may not appreciate the growing scale of the problem. It would be a bit unfair to say they weren't doing all they could if they didn't know anything needed doing !
 

Dippy

Moderator
That's a good idea hippy.

I'm lazy, so I usually just select the user and then "all threads by x" and then do a select-all and delete. I just wish I could do the same to their Server. It would work in a 70s SF film.

medvampire is asleep now... it's daytime.
 

hippy

Technical Support
Staff member
Another three culled, and this time links to hard core sex so not of any use at all to techno-geeks :)
 

Dippy

Moderator
Oh, old tonilovekelly 60.171.255.143 Chinanet Anhui Province Network,Beijing, China.

Well, me old Chinas, I think it's about time technical/VBulletin got their heads together.
 

medvampire

New Member
medvampire is asleep now... it's daytime.
Yea, it's afternoon and I just woke :eek:

The sysadmin has not given the mods the ability to ban users or IP ??
If that is the case I understand the frustration... Kinda like trying to get a beer at an Alcoholics Anonymous meeting:D
Later
Steve
 

Dippy

Moderator
"Kinda like trying to get a beer at an Alcoholics Anonymous meeting"
- I sell it outside the meeting hall from the boot (trunk) of my car.

I can't speak for hippy who has been 'at it' for longer than me, but my moderator status is only to 'referee' and delete naughty thing status. I am not employed by Rev-Ed. And I don't really have an Uncle Myk.
 

hippy

Technical Support
Staff member
I'm just a humble user in real life as well and until recently moderation has been cleaning up small messes and stains where people have posted to wrong forums and such like, basically just keeping the place tidy rather than running or controlling anything. Rev-Ed ( "Technical" ) wield the big stick if things flare up ( they rarely do ), I might point them to an issue which may need their attention but I stay out of that process. Only for obvious spammers will I delete posts.

I'm never sure how successful banning usernames or their IP addresses is but wouldn't discount it ( I don't have that power ) although I'd expect them to come back with a different identity just creating never ending work, hence why I think it's better to keep them with the same identity but not causing any interference to others.
 

hippy

Technical Support
Staff member
Under User CP link at the top there's an option to show how many posts have been deleted by mods, between us ...

299 in total ( presumably since the new forum started )
203 in the last month
71 in the last two days

Definitely escalating out of control.
 

medvampire

New Member
I hate to see the mods' time wasted chasing spam. Between the mods and a few others most of the tech questions are taken care of. I have read hippy's site and Dippy's insights as well as mutated doc projects it very helpful gadgets around the house and really hate to see the mods doing mundane tasks like this. Hippy you ask what good does blocking the spammer do? I had the same problem in a pool forum and I found giving the mods more access cut the spam by around 70% as well as helped the sysadmin reduce bandwidth.
But like I said there are ways to cut the spam but you need access to the server as well as the php and mysql that runs the board.
The extended mod panel is a mod to the VB and has to be added to by the sysadmin due to the needed changes in the php code. The Apache directives can also help reduce the spam as well by filtering out proxy servers and IPs from geo locations.
But as you said RevEd will have to make the changes on their level while you mods plug away.
Later
Steve
 