Geeklog Forums

Hi,

I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.

4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net

This is how I solved the problem on my site. I just deny certain emails in COM_isEmail. So my change is in lib-common and affects all email validation in geeklog.

http://www.geeklog.net/forum/viewtopic.php?forum=3&showtopic=68531

We had the same problem on geeklog.net on Thursday night and the short-term fix I chose was to block the entire IP ranges the bots were coming from:

205.252.0.0 - 205.252.255.255
206.161.0.0 - 206.161.255.255
209.8.0.0 - 209.9.255.255

bye, Dirk

Looks like I'm not alone

I've been wondering whether adding a validation during registration process would prevent form bots registration. I mean adding a picture with random characters that you need to enter to the field.
This is like a common thing around the net now.

Just a thought,

Robert

---

Geeklog Polish Support Team

As much as I dislike CAPTCHAs, they would probably have helped in this case There's an implementation for Geeklog in the downloads section if you want to try it out (I haven't yet).

Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit. Now that throwaway email addresses - and even throwaway domains - are common, I guess it's time to rethink and re-evaluate that approach.

bye, Dirk

Me neither especially as it requires something like GD library or something similar.



Exactly and I believe that it works as I got several spammers registered with the site however never logged in. Maybe I'm missing something but how is it possible for a bot to spam as a registered user? Even if they register with a site they have to validate before logging in. Are they so clever these days?

Robert

---

Geeklog Polish Support Team

I've also had this on two of my sites. To help slow this down and give me some level of control over who registers, I've set:



in config.php

That'll buy me some time until some other mechanism for confirming users is put in. I do like the graphic scrambeld text idea. Many sites use that to make sure there's a warm body on the other end...

This is exactly what happened, though. The bot registered with the site and came back a minute later and logged in (and started spamming right away). It has obviously been written to wait for the email, read it and use the password to log in.

In a way, I guess, that's sort of a compliment: Geeklog is popular enough that it's worth going through the trouble of writing such a bot.

Actually, if it reads the email automatically, that would be another option to stop it (or at least make its author's life a little harder): Change the text and layout of the password email. Either by changing the language file or by using the built-it welcome email hack.

bye, Dirk

I've been getting hit by these exact same people for two weeks now. I've been able to control their comment posts because they always use the same domains and they always use ".:." between their URLs. But they are racking up the fake user accounts.

All of their IP addresses are coming from btnaccess.com so I sent an email to their abuse address: abuse@btnaccess.com

I'm waiting to hear back from them. If you check the IP address of the folks linking to the above URLs, and find they are coming from blocks on btnaccess.com, please report them ASAP so we can temporarily stop these *censored*ers.

Thanks,
Lex

Could the bots now be using gawab.com email addresses? I say this because a couple of weeks ago, I had switched from automatic user registrations to me having to manually approve new users because of the bot spam coming from the domains previously mentioned in this thread. But in the last few days, I have found an unusual amount of new users using email domains of gawab.com... Whereas over a year running Geeklog, and over 535 users, there haven't been any, and now within the last few days, there had to be a dozen new users with gawab.com addresses... makes me wonder if they are real or not.

Anyone else notice this?

Cheers,
Louis

Sort of glad to hear that it's not just me....

My new friends are punting cheap drugs spam with user names such as:
buy_ci***s
Order phen****n
cheap a*****x 200
(starred out to keep Geeklogs spam filters calm)


and email domains:
bfr.net
msn.com
myrx.com
octelera.com
etc

I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....


phpBB : Critical Error

Could not delete user 275 from phpBB groups table

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

DELETE FROM phpbb_groups WHERE group_id =

Line : 360
File : functions.inc

Not being the best at understanding such can anyone please give me some pointers to get on top of this.

Thanks.

Oh and they've also been spamming my Chatterblock. Industrious critters...

Can't help you with phpBB problems, but if you're on Geeklog 1.4.0, you could also ban those users and keep their accounts. Unless those are really throwaway addresses, it would also have the added benefit of preventing those addresses from being reused.

bye, Dirk

Looking at upgrading to 1.4 (currently 1.3.11sr2). The snag is I have phpBB and Gallery2 currently integrated and working and ,the truth be told, am scared of messing the whole thing up.

This could be the reason to make the leap though.

Thanks.

I would comment not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:

1. setting "custom_registration" in config.php to true (line 246)

2. making sure that your template includes ../custom/memberdetail.thtml

3. enhancing the "custom_usercheck" function in lib-custom.php to:

I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:

1. setting "custom_registration" in config.php to true (line 246)

2. making sure that your template includes ../custom/memberdetail.thtml

3. enhancing the "custom_usercheck" function in lib-custom.php to (starts on line 326):

same here.. I've deleted about 60 of these today, by hand.

I just integrated & tested the custom login stuff mentioned... Here's hopin it works.

I've had to enable spam-x filters and have to make the custom registration changes listed above.

My GL site is currently being attacked every day by these same guys posting dozens of spam-comments. Spam-X seems to be doing the trick for now - or until such time as they change their ad content.

I've had to manually delete over a hundred automatically created users with no end in sight. There's no point banning these users - they just create more and more and more.

Personally this is going to force the GL registration system to include some sort of protection against this abuse.

My GL site has been running for over three years now (I'm a big fan of GL and the work you guys do) and I like to think it's fairly visible in the search engines. This problem is only going to get worse, unless the present registration system gets tweaked.

Just my 5c.

I added "http" to my spamx log and no longer get any spam at all. Users can't post links but not a single user has complained yet and it's been months since I made the change.

Thanks, this really saved my day. Implemented and tested it in about 20 minutes. Saved me a few hours i guess, if I had to come up with something like this myself.
In about three days, one of my sites got over 100 new users - I knew something was not right.

As a very late follow-up: I just noticed that something from 209.8.40.26 is still trying to register automatically here on geeklog.net.

Now, if you do a ping on all those domain names that ByteEnable posted at the beginning of this thread, you'll notice that they are all hosted on IP addresses in the 209.8.22.* range. And the entire 209.8.* address range belongs to a "Beyond The Network America, Inc.". According to www.btnaccess.com, they are a hosting company, so it's one of their customers spamming.

I heartly recommend blocking that entire address range. If they are a hosting company, you won't see any regular visitors coming from that address range anyway.

bye, Dirk