Author |
Message |
webservant
Worker


Joined: Feb 26, 2006
Posts: 206
Location: Springfield, MA
|
Posted:
Sat Mar 24, 2012 5:35 am |
|
I upgraded our production site to RN 2.5 this week.
All is well, and I like the changes - kudos to the diligent workers!
Over the past two days, I've seen almost two dozen registrations.
While I should be thrilled, the pattern is abnormal.
Additionally, all the users have email from hotmail.com.
I'm not seeing any spam in the comments or posts in forums.
Just lots of user registrations.
Is this legitimate or am I dealing with a script kiddie? |
_________________ Awaiting His Shout
Webservant - GraciousCall.org
Romans 8:28-39 |
|
|
 |
webservant

|
Posted:
Sat Mar 24, 2012 5:37 am |
|
BTW - I installed nukeSPAM yesterday.
I tested it successfully on an entry from the spam forums.
It has not caught anything. |
|
|
|
 |
nuken
RavenNuke(tm) Development Team

Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina
|
Posted:
Sat Mar 24, 2012 7:17 am |
|
Check the ip addresses and email on Project Honeypot and see if they match known spammers. |
|
|
 |
fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Sat Mar 24, 2012 8:28 am |
|
You might also want to look at the patterns in IP tracking. If you look by users and then look at the anonymous user you can see the pattern they are taking when they register. Or look at some of the new users and see what their pattern of use is. Were they trying to post when they were still anonymous? Do you have Captcha enabled for new registrations ... if so they must be entering that successfully. I have noticed quite a few bots trying to register but they all get rejected by the captcha. You can see that happening right in IP tracking. |
|
|
|
 |
webservant

|
Posted:
Sat Mar 24, 2012 10:12 am |
|
CAPTCHA is enabled on the second page of user registration.
So, how are they getting through because there are only three IPs involved?
Here is the data:
I'll check honeypot, but my concern is how to detect / stop this. |
|
|
|
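An added example, not part of the original thread: one way to surface the pattern described above (a burst of sign-ups from a few neighbouring addresses, all on one mail domain) from an exported registration list. The row layout, the function names and the sample rows are assumptions made for illustration; the rows are constructed and use documentation address ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (time, username, IP, email). The addresses are
# documentation ranges and the domains are placeholders, not data from the thread.
SAMPLE = [
    ("2012-03-22 09:01", "user_a", "192.0.2.170", "qwzxkvbn@freemail.example"),
    ("2012-03-22 09:40", "user_b", "192.0.2.247", "plmoknij@freemail.example"),
    ("2012-03-22 11:15", "user_c", "192.0.2.170", "ytrewqas@freemail.example"),
    ("2012-03-22 13:05", "user_d", "198.51.100.86", "mnbvcxzl@freemail.example"),
    ("2012-03-23 08:30", "user_e", "192.0.2.247", "hgfdsapo@freemail.example"),
    ("2012-03-23 10:00", "longtime_reader", "203.0.113.9", "pat@church.example"),
    ("2012-03-29 10:00", "user_f", "198.51.100.86", "zxcvbnmq@freemail.example"),
]

def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its enclosing network so neighbours group together."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_bursts(rows, window_hours=48, min_accounts=3):
    """Return {(network, email_domain): [usernames]} for every cluster that reaches
    min_accounts sign-ups inside a sliding window of window_hours."""
    window = timedelta(hours=window_hours)
    groups = defaultdict(list)
    for stamp, user, ip, email in rows:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        domain = email.rsplit("@", 1)[-1].lower()
        groups[(network_of(ip), domain)].append((when, user))
    flagged = {}
    for key, events in groups.items():
        events.sort()
        start, hit = 0, set()
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most window_hours.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_accounts:
                hit.update(user for _, user in events[start:end + 1])
        if hit:
            flagged[key] = sorted(hit)
    return flagged

if __name__ == "__main__":
    for (net, domain), users in find_bursts(SAMPLE).items():
        print(f"hold for review: {net} @{domain} -> {', '.join(users)}")
```

Accounts in a flagged cluster are candidates for manual approval or for a lookup against a reputation service before activation; a single sign-up from an unrelated network is left alone.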
 |
fkelly

|
Posted:
Sat Mar 24, 2012 12:12 pm |
|
You can ban the IPs easily enough with NS or even directly in htaccess.
If you have automatic approval on, even with email activation, then any spammer who comes to the site in person and has a real email can get registered. I require approval of new registrations by an administrator. I look at their locations and other factors before deciding whether to approve them. |
|
|
|
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Sun Mar 25, 2012 8:23 am |
|
A little research on this:
Amazon Mechanical Turk (http://ws.amazon.com/mturk) and other sites pay pennies for people to do "data entry" (read: comment spam). They do this by posting forum and comment spam, but also by entering signatures with spam links (typically to sites for casinos, performance enhancing drugs, etc.).
Sometimes, they even go so far as to create an account, post some meaningless forum reply, then, later return to "update" their signature with spam links. They might do this just with the signature.
nukeSPAM will stop a lot of it, but with IP spoofing, cheap domains and endless free email accounts, it isn't possible to block 100%. All of the things fkelly mentioned are good approaches to keep in your toolbox, and Guardian suggested a mod to notify administrators when someone changes their signature, which I think is an excellent idea for yet another tool... Tools like Akismet (which is built into Disqus, which is now integrated with RavenNuke New / Tricked Out News) which analyze the content could also be valuable and effective means for blocking spam. If we could have a generic class / tool for integrating Akismet into Forums and modules with comments...yet another argument for a class-based comment system. |
_________________ I search, therefore I exist... |
|
|
 |
webservant

|
Posted:
Sun Mar 25, 2012 12:36 pm |
|
Thank you - all of you. These are all excellent suggestions. I did implement nukeSPAM and added CA Honeypot. There is an uncomfortable amount of information flowing into/through the site. I'll look more for Guardian's suggested mod, and keep you posted.
The flow of users seemed to stop when both of these modules came into play, but I'll keep you posted. |
|
|
|
 |
|