winnerdk

Forum User
Full Member
Registered: 04/24/05
Posts: 339
Help!

Apparently hackers have cracked and can now defeat the protection previously provided by CAPTCHA. As a result my website is now getting inundated with spam user submissions. Does anyone have any suggestions on how I might be able to respond?

Don
www.panama-guide.com

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Yeah, I've been struggling with the same problem on several sites over the last few days.

We knew this day would come. Ultimately, we need a new version of the CAPTCHA plugin that creates different images. Until then, here are some tips and observations:

- most (but not all) of the accounts use hotmail.com or outlook.com email addresses, so I've added those to the list of domains not to allow for registration: Users and Submissions > User Submissions > Automatic Disallow Domains (in the Configuration)

- block IP addresses that signed up the users; many of them will try more than once

- while you're at it, block requests that have "Bork-edition" in the user agent string (this was a fun - legit - version of Opera 7 that nobody really uses any more, but spambots often use that user agent string)

- On a German-language site that I'm running, all the users fail to log in after registration. My guess is that they can't parse the confirmation email. Changing the text of that email may also help (untested).

- The accounts are created for profile spam only, from what I can tell. So banning users (instead of deleting them) and using the two Spam-X modules attached to this issue may also help (they auto-ban users that try to post spammy URLs in their profiles).

HTH. I feel your pain ...

bye, Dirk

winnerdk

Forum User
Full Member
Registered: 04/24/05
Posts: 339
- most (but not all) of the accounts use hotmail.com or outlook.com email addresses, so I've added those to the list of domains not to allow for registration: Users and Submissions > User Submissions > Automatic Disallow Domains (in the Configuration)
The problem is I also have valid users who use these types of accounts.

- block IP addresses that signed up the users; many of them will try more than once
That's what I've been doing this morning. I see from the CAPTCHA log that most of the attempts are coming from places like Romania, Ukraine, Thailand, etc. And, I have practically no valid users from those countries, so I don't have any problem at all using the IP Deny Manager to simply block all traffic from those countries. However, sometimes the attempts are coming from individual IP's in the US or other countries where most of my traffic comes from. In those cases, I've been surgically blocking just the offending IP's.

- On a German-language site that I'm running, all the users fail to log in after registration. My guess is that they can't parse the confirmation email. Changing the text of that email may also help (untested).
On my site the new users get stopped at the registration phase, because I have the configuration set so that all new users require approval.

- The accounts are created for profile spam only, from what I can tell. So banning users (instead of deleting them) and using the two Spam-X modules attached to this issue may also help (they auto-ban users that try to post spammy URLs in their profiles).
Interesting. What's the difference between deleting and banning a bogus user account created in this manner? How or why would it be better to ban them, instead of deleting them?

New (related) question. Is there a log, or is there a way to monitor all of the incoming traffic to the website? Or does that have to come from the server level? It would be nice if I could simply look at all of the traffic, and pick off the individual IP addresses that are creating these bogus spam users.

Thanks for your help.

Don

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
The point of banning a user instead of deleting them is to keep the URL they're spamming for (in their profile) and then use the above-mentioned Spam-X modules to automatically ban other users that try to spam for the same URL. We've seen that sort of profile spam in the past here on geeklog.net, where apparently human visitors created accounts to spam for the same sites over and over again. I even got hold of a PDF that had detailed steps how to do that ... That's when I wrote those 2 modules.

If you don't see that sort of spamming happening on your site, then you can just as well delete the accounts.


You should have access to the webserver's logfile, in one form or another. Check with your hosting provider. That's where you can best see the raw traffic that's happening, including IP addresses and user agent strings.

bye, Dirk
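Added example (not part of the thread, and not the code of Geeklog's Spam-X modules): the "ban instead of delete" logic Dirk describes, as a small profile filter. The blocklist is seeded from the profiles of users who were banned, so a new account advertising the same host is caught even when the URL is written differently (capitals, `www.`, a port, a trailing dot or comma). Sample profiles are constructed; the `.example` hosts and the class name are assumptions.

```python
import re
from urllib.parse import urlsplit

# Matches http/https URLs in free text; trailing punctuation is stripped later.
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
TRAILING_PUNCT = '.,;:!?)'


def canonical_host(url):
    """Reduce a URL to a comparable host: lowercase, no port, no trailing dot, no leading 'www.'."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # e.g. a malformed IPv6 literal in the netloc
        return ""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def hosts_in(text):
    """All canonical hosts advertised in a piece of profile text."""
    hosts = {canonical_host(u.rstrip(TRAILING_PUNCT)) for u in URL_RE.findall(text)}
    hosts.discard("")
    return hosts


class ProfileSpamFilter:
    """Blocklist of spamvertised hosts, seeded from the profiles of already-banned users."""

    def __init__(self, banned_profiles=()):
        self.blocked = set()
        for profile in banned_profiles:
            self.ban(profile)

    def ban(self, profile_text):
        """Banning (rather than deleting) keeps the profile, so its hosts feed the blocklist."""
        self.blocked |= hosts_in(profile_text)

    def check(self, profile_text):
        """Hosts in a new profile that match the blocklist; an empty set means nothing to act on."""
        return hosts_in(profile_text) & self.blocked


# Constructed sample data, not taken from any real site.
BANNED_PROFILES = ["Great deals at http://www.cheap-pills.example/offer!"]

if __name__ == "__main__":
    f = ProfileSpamFilter(BANNED_PROFILES)
    print(f.check("homepage: HTTP://Cheap-Pills.EXAMPLE/?ref=2"))   # {'cheap-pills.example'}
    print(f.check("http://www.example.org/"))                         # set()
```

Matching on the canonical host rather than the full URL is the point: spammers vary paths and tracking parameters freely, the domain they are paid to promote much less so. The obvious gap is a spammer who rotates domains, which is where the IP and user-agent blocking from earlier in the thread still earns its keep.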

winnerdk

Forum User
Full Member
Registered: 04/24/05
Posts: 339
You should have access to the webserver's logfile, in one form or another. Check with your hosting provider. That's where you can best see the raw traffic that's happening, including IP addresses and user agent strings.
Yeah, that's what I'm doing right now. I'm currently in a sort of back and forth war with the spammer. They create a new spam user, I block that IP string, they shift to something else. I'm getting the upper hand...

And I'm just going to be deleting the bogus users, because they never get to the point of being valid users posting Spam URL's - I catch and kill them before they get that far.

Don
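Added example, not from the thread or from Geeklog: a triage script over an Apache "combined" access log that applies the two heuristics from Dirk's first post (the "Bork-edition" user-agent string, and IPs that repeatedly submit the registration form) and emits the corresponding `.htaccess` deny rules, which is the manual log-watching Don describes, automated. The log lines are constructed (documentation-range addresses) and the assumption that Geeklog's registration form POSTs back to `/users.php` is mine; the page only shows the `users.php?mode=new` form URL.

```python
import re
from collections import Counter

# Apache "combined" LogFormat. Real logs may carry extra fields (vhost, %D ...),
# so lines that do not match are skipped rather than raising.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SIGNUP_PATH = "/users.php"        # assumption: the registration form POSTs back to users.php
BAD_UA_MARKER = "bork-edition"    # the user-agent fragment Dirk's post says to block


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_signup(rec):
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == SIGNUP_PATH


def triage(log_text, max_signups=2):
    """IPs worth blocking: those using the bad user agent, and those posting the sign-up form repeatedly."""
    bork_ips, signups = set(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if BAD_UA_MARKER in rec["ua"].lower():
            bork_ips.add(rec["ip"])
        if is_signup(rec):
            signups[rec["ip"]] += 1
    repeat_ips = {ip for ip, n in signups.items() if n >= max_signups}
    return {"bork_ips": bork_ips, "signups": signups, "deny": sorted(bork_ips | repeat_ips)}


def htaccess_rules(ips, ua_marker="Bork-edition"):
    """Apache 2.2 mod_setenvif / mod_authz_host rules. Apache 2.4 uses 'Require not ip' and 'Require not env' instead."""
    lines = [
        f'SetEnvIfNoCase User-Agent "{ua_marker}" bad_bot',
        "Order Allow,Deny",
        "Allow from all",
        "Deny from env=bad_bot",
    ]
    lines += [f"Deny from {ip}" for ip in ips]
    return "\n".join(lines) + "\n"


# Constructed sample lines, not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2014:10:01:02 +0100] "GET /users.php?mode=new HTTP/1.1" 200 5120 "-" "Opera/7.23 (Windows NT 5.0; U) [en] (Bork-edition)"
203.0.113.7 - - [20/Jan/2014:10:01:05 +0100] "POST /users.php HTTP/1.1" 302 0 "http://example.org/users.php?mode=new" "Opera/7.23 (Windows NT 5.0; U) [en] (Bork-edition)"
198.51.100.24 - - [20/Jan/2014:10:02:11 +0100] "POST /users.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
198.51.100.24 - - [20/Jan/2014:10:02:40 +0100] "POST /users.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
198.51.100.24 - - [20/Jan/2014:10:03:15 +0100] "POST /users.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
192.0.2.55 - - [20/Jan/2014:10:05:00 +0100] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
192.0.2.55 - - [20/Jan/2014:10:05:30 +0100] "POST /users.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
this line is not in combined format
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(htaccess_rules(result["deny"]))
```

Run it against a real log with `triage(open("access_log").read())`. The threshold is deliberately low because a legitimate visitor almost never submits the registration form more than once; the single-POST visitor from 192.0.2.55 stays unblocked. Whole-country blocking, as Don does through the IP Deny Manager, is a separate decision the script does not make for you.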


remy

Forum User
Full Member
Registered: 06/09/03
Posts: 162
I've seen the same traffic since a week or two. Not so much, but worrying.
There were also invalid attempts to download, which is maybe an omen.
I do see quite a lot of traffic trying to register, and obviously, only a few break through.
After banning the user-agent and the domains Dirk mentioned, the traffic nearly vanished.

I'm using captcha for any input on the website, unless logged in. And I am using the admission queue. So, when they come back to confirm the registration, a captcha fires again. This brings me to the suggestion to add a timeout to the confirmation of registration.
When the timeout expires, the account is silently deleted (or banned, or suspended).
Add to the rule that they must come back with the same IP?
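Added example, not from the thread or from Geeklog: remy's two suggestions as a small pending-registration store. An unconfirmed account is silently dropped once its window closes, a confirmation link works only once, and the confirming request can optionally be required to come from the registering IP. Token format, method names and the default window are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Pending:
    username: str
    ip: str
    created: float


class RegistrationQueue:
    """Holds accounts between sign-up and e-mail confirmation.

    Unconfirmed entries are dropped once ttl_seconds have passed, and (optionally)
    the confirming request must come from the IP that registered.
    """

    def __init__(self, ttl_seconds=3600, bind_ip=True):
        self.ttl = ttl_seconds
        self.bind_ip = bind_ip
        self._pending = {}          # confirmation token -> Pending

    def start(self, username, ip, now=None):
        """Create the unconfirmed account; the returned token goes into the confirmation e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)   # unguessable, so the link cannot be forged
        self._pending[token] = Pending(username, ip, now)
        return token

    def purge(self, now=None):
        """Silently delete entries whose confirmation window has closed; returns how many."""
        now = time.time() if now is None else now
        expired = [t for t, p in self._pending.items() if now - p.created > self.ttl]
        for t in expired:
            del self._pending[t]
        return len(expired)

    def confirm(self, token, ip, now=None):
        """Outcome of a confirmation click: 'ok', 'expired', 'ip-mismatch' or 'unknown'."""
        now = time.time() if now is None else now
        p = self._pending.get(token)
        if p is None:
            return "unknown"
        if now - p.created > self.ttl:
            del self._pending[token]
            return "expired"
        if self.bind_ip and ip != p.ip:
            return "ip-mismatch"       # entry stays pending until it times out
        del self._pending[token]       # one-shot: a replayed link is now 'unknown'
        return "ok"

    def pending_count(self):
        return len(self._pending)
```

The timeout is the part with real value: it bounds how long a half-registered spam account lingers. The same-IP rule is weaker than it looks. A bot that registers and reads the mailbox from one machine passes it, while a legitimate user on a mobile carrier or behind a large NAT may not, so treat `bind_ip=True` as something to measure against your own users before leaving it on.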


Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1470
Yeah, this started happening for me 2 days ago as well. I got over 100 new users in 10 hours yesterday. I enabled the user submission queue which unfortunately disables OAuth logins.

Today I actually disabled registrations altogether until I can figure something out.

I also have CAPTCHA enabled for non logged in users.

Do you think there is a security hole in the captcha program or are they just able to machine read the images?
One of the Geeklog Core Developers.

winnerdk

Forum User
Full Member
Registered: 04/24/05
Posts: 339
There was a bunch of articles published going back to October 2013 in which a company had supposedly figured out a way to read or crack Captcha. Now, that has gotten out to the hacker community, and they are using it to spread spam.

I've been focusing on blocking the offending IP addresses. Most of them are in Asia or Eastern Europe, and almost none of my legitimate traffic comes from Romania (for instance) so I have no problem blocking the whole damn country...

It started off for me as a fire with 100's of submissions. Throughout the day today I've reduced it to a trickle. I'm still bailing out the boat and plugging holes. Now I'm watching the real time traffic via SSH and the Apache logs, looking to catch and ban the IP's while they are doing the deed. Shhhhhh, be berry berry quiet - I'm huntin' wabbits.

Bottom line = CAPTCHA is toast.

Don

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1470
Simple CAPTCHA images can be read already. That is why they have gotten complex over time with lines, changing the orientation of the letter and faded letters. It is not a surprise that the captcha images we use with Geeklog eventually have been figured out by a computer.

The captcha plugin does allow for automatically generated captchas and you can also add in new static captcha image sets. Has anyone tried changing to a new static image set or played around with the auto-generated ones by changing the backgrounds and fonts?


New ideas for the Captcha plugin would be adding security questions (that are in an image format) that are hard for a computer to figure out but easy for a human.

Something like:

What color is a banana?
What is 2+3-1

One of the Geeklog Core Developers.
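Added example, not part of the thread or of the Geeklog captcha plugin: the question-based check proposed above, implemented so that the answer never reaches the client. The form gets only the question and an opaque token; the token is an HMAC over a nonce, an expiry and the expected answer, so it cannot be forged or edited, it expires, and it is accepted once. The block also shows the other side, a few lines of parsing that answer "What is 2+3-1" without even `eval()`, which is the caveat a practitioner would want before relying on arithmetic questions. The secret, token format and time window are assumptions; the two questions are Laugh's.

```python
import hashlib
import hmac
import re
import secrets
import time

SECRET = b"replace-with-a-long-random-server-secret"   # hypothetical; keep it out of source in practice
TTL_SECONDS = 300

# Laugh's two examples; a real deployment would need a far larger, rotating bank.
QUESTIONS = [
    ("What color is a banana?", "yellow"),
    ("What is 2+3-1?", "4"),
]

_used_nonces = set()   # spent tokens; in production bound this by expiry (e.g. a cache with TTL)


def _norm(answer):
    return answer.strip().lower()


def _tag(nonce, expires, answer):
    msg = f"{nonce}|{expires}|{_norm(answer)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(question_index=None, now=None):
    """Return (question, token). Only these two go to the client; the answer stays server-side,
    bound into the token's HMAC, so a tampered or fabricated token fails verification."""
    now = int(time.time()) if now is None else int(now)
    if question_index is None:
        question_index = secrets.randbelow(len(QUESTIONS))
    question, answer = QUESTIONS[question_index]
    nonce = secrets.token_hex(8)
    expires = now + TTL_SECONDS
    return question, f"{nonce}.{expires}.{_tag(nonce, expires, answer)}"


def verify(token, submitted, now=None):
    """True only for the right answer, inside the time window, and once per token."""
    now = int(time.time()) if now is None else int(now)
    try:
        nonce, expires_s, tag = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires or nonce in _used_nonces:
        return False
    expected = _tag(nonce, expires, submitted)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    _used_nonces.add(nonce)
    return True


# The other side: what a spambot does with the arithmetic variant.
_ARITH = re.compile(r"what is\s*([\d+\- ]+)", re.IGNORECASE)


def bot_solve(question):
    """Parse 'What is a+b-c' and evaluate left to right; returns None for non-arithmetic questions."""
    m = _ARITH.search(question)
    if not m:
        return None
    tokens = re.findall(r"\d+|[+-]", m.group(1))
    total = int(tokens[0])
    for op, val in zip(tokens[1::2], tokens[2::2]):
        total = total + int(val) if op == "+" else total - int(val)
    return str(total)
```

Two consequences follow from the design. A fixed question bank is a lookup table once a spammer has seen it, and an arithmetic question is solved by `bot_solve` in constant time, so what this scheme actually buys is protection against the dumbest bots and against token tampering, not against anyone targeting the site specifically. The HMAC, expiry and one-shot nonce are the parts worth keeping whatever the challenge content is.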

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1470
There is a lot of captcha ideas here:

http://stackoverflow.com/questions/8472/practical-non-image-based-captcha-approaches


One of the Geeklog Core Developers.

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1470
I had to lock down the forum last night as it got about 75 spam posts in 2 hours (with captcha enabled).

Ben said in the mailing list that he is working on a fix for the captcha plugin.
One of the Geeklog Core Developers.

remy

Forum User
Full Member
Registered: 06/09/03
Posts: 162
I found the traffic is back again.
And I see a problem with gl when the plugin is protected by requiring to be logged in.
For instance, the forum replies on an anonymous post that you should register. Very Good.
However, directly after that, the login form is auto displayed with captcha and such.

Well, if the traffic only seeks forum spam, that action is an invitation to try being registered.
I suspect that these spambots fill the form and respond.

In Apache logs I find endless loops of requests to home, forum, create topic, users, captcha, create topic, users, etc. etc.
Some requests do not seem to await an answer.
Also, most tries do refresh the captcha first before entering data.

Hope this helps.

note: I see only traffic; few spam registrations and no spam posts.

ironmax

Anonymous
Well isn't this just dandy! Luckily I am not having this issue. I think its because I have been using ZBBLOCK for a few years now. Sure, there has been some adjustments along the way but it is worth it. Reconsider setting it up. It is very configurable and you can customize the signatures for detection. If your users are as loyal to your site as they should be, they'll notify you if they cannot browse your site.

Michael

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
I am testing a very simple protection, so maybe it will not be very solid. Instead of submitting a string in the form, users need to clear an input.

Beta is available in Downloads here

Ben
I'm available to customise your themes or plugins for your Geeklog CMS

mystral-kk

Site Admin
Admin
Registered: 03/19/06
Posts: 100

Hi all, I have uploaded reCAPTCHA plugin to geeklog.net.

This is based on Ben's CAPTCHA plugin (thanks Ben!), using reCAPTCHA service. You have to sign up and get API keys at https://www.google.com/recaptcha/admin/create to use this plugin. I hope this will help you.


-- mystral-kk, "Every cloud has a silver lining."

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Thank you for the reCaptcha plugin. I got 2 questions:

- How to enable the reCaptcha on a custom registration page?
- Is it possible to move the reCaptcha from the top to the bottom of the form?

Ben
I'm available to customise your themes or plugins for your Geeklog CMS

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
New beta for captcha plugin is available in Downloads. I do not see new spam.

Ben
I'm available to customise your themes or plugins for your Geeklog CMS

winnerdk

Forum User
Full Member
Registered: 04/24/05
Posts: 339
Question guys. When someone on my website clicks on "Sign Up As A New User" they are taken to this link:

http://www.panama-guide.com/users.php?mode=new

On that page there is a three sentence paragraph of text which currently says: "Register with Panama Guide! Creating a user account will give you all the benefits of Panama Guide membership and it will allow you to post comments and submit items as yourself. If you don't have an account, you will only be able to post anonymously. Please note that your email address will never be publicly displayed on this site."

Where is that text located within the Geeklog program? I want to modify the text to say something along the lines of "CAPTCHA has been cracked and as a result this website is now being flooded with bogus spam user account requests. In order to have your account approved you must first be a paid subscriber, and secondly you must notify me via email to don@panama-guide.com that you are creating your account. If you create a user account without first notifying me, it will simply be deleted along with the 100 or so bogus spam accounts I have to clear out every day..."

You get the picture. What file has that text?

Don
www.panama-guide.com

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1470
You will find the text in the language files of Geeklog. If you are using English it would then be either english_utf-8.php or English.php depending if your site is utf-8 or not. All text from Geeklog is found in these language files. Plugins have their own separate language files.
One of the Geeklog Core Developers.

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1470
THANKS mystral-kk I just got it installed now on my main site.

Ben I am also trying on another site the CAPTCHA plugin using the GD library instead of static images. I have also downloaded some other fonts and background images so that the images are generated differently. I want to see if this will make a difference. Using the GD library takes a bit more processing power than the static set but you get more unique images.

Ironmax. Thanks for letting us know that ZBBlock seems to block the attacks. I have used ZBBlock before and while I find it a little too aggressive it does work well with Geeklog and the owner does keep it updated to help against new spam bots and bad IP neighbourhoods.


One of the Geeklog Core Developers.
