Author |
Message |
Susann
Moderator

Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Sun Aug 19, 2007 3:39 pm |
|
Many different factors are the reason for spam in nuke sites in module comments, reviews, weblinks or within the forums.
After 3 years online I have asked myself several times why it is possible to receive no spam while other sites with actual patches are spammed through news comments, reviews and weblinks.
There is no ultimate answer but I guess it has something to do with the nuke version, the cache in search engines, hide links, disallow signatures, running a guestbook or not, allow submit news or not, show the memberlist to all or only for admins and of course much more like ban of known spam IPs via CIDR.
I never had to delete any spam entries in my database. The only "accident" I ever had in the last years was a self-created page with a contact form (worked like a honey pot) and one automatic spam entry within the forum from a script kiddie who couldn't run this without being logged in as a registered member.
But reading an article about "XRumer" I believe those times of peace are definitely over because it's so easy to send mass spam with this tool.
And the most used captchas aren't any barricade.  |
|
|
|
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Sun Aug 19, 2007 6:03 pm |
|
I've seen this on some sites - including those where people register to post comment spam! Ridiculous...
I've seen a lot of pointless feedback spam, too. In addition to adding captcha (which may not solve all the problems - I saw one spammer get the form with 1 IP address, then post his spam with another milliseconds later), I put in validations to see if fields were longer than they should be in the forms and to check for HTML in fields that should not contain it (even the textarea fields in most feedback forms don't need HTML!). They can still send pointless feedback if they respond to the error messages, but at least it won't contain lots of stupid links... |
_________________ I search, therefore I exist... |
|
|
 |
Susann

|
Posted:
Mon Aug 20, 2007 6:23 am |
|
|
|
 |
slackervaara
Worker


Joined: Aug 26, 2007
Posts: 236
|
Posted:
Wed Sep 19, 2007 8:45 pm |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Thu Sep 20, 2007 7:56 am |
|
Sorry, but if I cannot review the code (because it is encrypted), I won't be using it... and, no, $499 to get the source is not an option. The internet is too anonymous, so to just trust blindly is not my thing... |
|
|
 |
kguske

|
Posted:
Thu Sep 20, 2007 8:24 pm |
|
Susann, not sure if it works with the RN captcha, but I think the point is that we need better tools / techniques for monitoring / preventing / and removing spam. An approach I've used is to put more logic in the form validation. For example, fields that shouldn't contain HTML, but have it, cause errors. Maybe a function that limits the number of links in a text area would be useful. Sure, that wouldn't stop it, but it would certainly force the spammers to take more time and resources to get the same impact.
It's almost like locking a door. Yes, if someone wants to get in badly enough they can. But if the next house has an open door... |
|
|
|
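The validation kguske describes in his two posts above (length limits, no HTML where none is needed, a cap on links per text area), as an added example that is not code from the thread or from RavenNuke. The field names, limits and sample submissions are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example (PHP 7+). Field names and limits are hypothetical.
const FIELD_RULES = [
    'name'    => ['max_len' => 60,   'max_links' => 0],
    'email'   => ['max_len' => 254,  'max_links' => 0],
    'comment' => ['max_len' => 2000, 'max_links' => 2],
];

// Count things that look like links: URL schemes and bare "www." hosts.
// The lookbehind stops "http://www.example.com" from counting twice.
function count_links(string $text): int
{
    return (int) preg_match_all('~(?:https?|ftp)://|(?<![/.\w])www\.~i', $text);
}

// Anything that looks like the start of a tag, comment or PHP/XML block.
// Deliberately strict: "a<b" is rejected as well.
function looks_like_html(string $text): bool
{
    return preg_match('~<\s*[a-z/!?]~i', $text) === 1;
}

// Returns [field => error]; an empty array means the submission passed.
function validate_submission(array $input): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {            // e.g. comment[]=x from a script
            $errors[$field] = 'invalid type';
            continue;
        }
        if (strlen($value) > $rule['max_len']) {   // length in bytes
            $errors[$field] = 'too long';
        } elseif (looks_like_html($value)) {
            $errors[$field] = 'HTML is not allowed';
        } elseif (count_links($value) > $rule['max_links']) {
            $errors[$field] = 'too many links';
        }
    }
    return $errors;
}

// Constructed sample submissions.
$samples = [
    'plain feedback' => ['name' => 'Pat', 'email' => 'pat@example.org',
                         'comment' => 'Nice site, see www.example.org for my notes.'],
    'html in name'   => ['name' => '<a href="http://spam.example">x</a>',
                         'email' => 'a@example.org', 'comment' => 'hi'],
    'link flood'     => ['name' => 'Bot', 'email' => 'b@example.org',
                         'comment' => 'http://a.example http://www.b.example [url=www.c.example]c[/url]'],
    'array field'    => ['name' => 'Bot', 'email' => 'b@example.org',
                         'comment' => ['x']],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', json_encode(validate_submission($post)), "\n";
}
```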
 |
Susann

|
Posted:
Fri Sep 21, 2007 8:06 am |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Fri Sep 21, 2007 10:36 am |
|
Yea I've seen the demo video for XRumer. Really does show how even CAPTCHAs aren't a cure-all. Haven't been able to acquire a copy of the software to look at yet. |
|
|
 |
montego

|
Posted:
Sat Sep 22, 2007 7:22 am |
|
Just watched the video... Sickening... |
|
|
|
 |
Susann

|
Posted:
Sat Sep 22, 2007 7:41 am |
|
Evaders, I'll send you the download link as soon as I have located one. Still no luck. |
|
|
|
 |
fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Sat Sep 22, 2007 3:28 pm |
|
All the more reason we need some form of Approve Membership.
I've spent considerable time looking at Bob Marion's wonderful tool, IP tracking. There is a definite pattern to these attempts. They try creating a user id but they can't get by the CAPTCHA. (Although the link posted earlier in the thread indicates this software may be able to). Then they try posting in forums. Since they don't have an id they can't. What we almost need is some sort of "pattern recognition" in Sentinel that recognizes the Forum spamming patterns. I'm not sure banning IPs really buys us much ... there's a mention in the link that it includes links to proxies to get IP addresses, so we aren't dealing with real IPs that belong to someone and they will always be able to get another IP to use. |
|
|
|
 |
Susann

|
Posted:
Sun Sep 23, 2007 12:14 pm |
|
fkelly wrote: | All the more reason we need some form of Approve Membership. |
I personally believe that spammers are always one step ahead and an Approve Membership module wouldn't be the general solution.
For example, there are many options for filtering in WordPress before a comment is published, e.g. a function that limits the allowed number of links in comments is also there. Similar options within the administration of RavenNuke would be great and a step in the right direction, I think. |
|
|
|
 |
fkelly

|
Posted:
Sun Sep 23, 2007 2:10 pm |
|
I don't think there is a one size fits all solution. Some sites don't allow users who have free email accounts to sign up for instance. I can't do that, too many of my "real" users have them. On a large site such as Raven's the admins might not have the time to look at each new user individually. Too much overhead. On my site I can and would. I'd even email them personally and make them respond with something halfway intelligent about why they want to join the site before they got approved. Foolproof no, but I'd guess it would stop 99% of my spam. Actually (knock on wood) I haven't had any since the new captcha.
Speaking of which, here is a typical pattern for an attempted spam attack that I see in NS IP tracking:
Quote: | /rn/modules.php?name=Forums&file=posting&mode=newtopic&f=12
/rn/index.php
/rn/forumsbackend.php
/rn/modules.php?name=Forums&file=posting&mode=newtopic&f=12
/rn/modules.php?name=Your_Account&username=pasiterri&gfx_check=&op=login
/rn/modules.php?name=Your_Account&stop=1
/rn/modules.php?name=Forums&file=posting&mode=newtopic&f=12
/rn/modules.php?name=Your_Account&username=pasiterri&user_email=pasiterri@uk2.net&op=new user
/rn/modules.php?name=Forums&file=viewforum&f=12
/rn/modules.php?name=Your_Account&op=new_user
/rn/modules.php?name=Forums |
I'll leave the miscreant's email right there. You notice that when the gfx_check comes up they can't respond. I've seen others respond with something that doesn't match and of course they get rejected.
I have run NS with a hack in it that basically says, if the user is anonymous and they do this:
/rn/modules.php?name=Forums&file=posting&mode=newtopic&f=12
ban 'em. This works but the email address is from the UK and the IP is from the USA so I suspect they are using a proxy and can come back with another IP. On the other hand I think these spam programs are probably trying a thousand sites a day and if they don't crack into yours they just move on to another one. |
|
|
|
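The anonymous-posting pattern fkelly describes, turned into a per-IP score over tracked requests. This is an added example, not NukeSentinel code or part of the post; the record layout, IP addresses, threshold and the second signal (a login with an empty gfx_check) are assumptions built from the quoted request list.

```php
<?php
// Added example (PHP 7+). Record layout, IPs and threshold are assumptions.
const ANON_USER_ID = 1;  // anonymous user id in RavenNuke, per this thread
const FLAG_SCORE   = 3;  // assumed: suspicious hits per IP before flagging

// Score one tracked request: 1 if it matches a spam-bot signal, else 0.
function score_hit(array $hit): int
{
    $query = parse_url($hit['uri'], PHP_URL_QUERY);
    if ($hit['user_id'] !== ANON_USER_ID || !is_string($query)) {
        return 0;
    }
    parse_str($query, $q);
    $name = $q['name'] ?? '';
    // Signal 1: anonymous request for the new-topic form.
    if ($name === 'Forums' && ($q['file'] ?? '') === 'posting'
        && ($q['mode'] ?? '') === 'newtopic') {
        return 1;
    }
    // Signal 2: login attempt that leaves the captcha answer empty.
    if ($name === 'Your_Account' && ($q['op'] ?? '') === 'login'
        && ($q['gfx_check'] ?? null) === '') {
        return 1;
    }
    return 0;
}

// Returns the IPs whose summed score reaches the threshold.
function flag_ips(array $hits, int $threshold = FLAG_SCORE): array
{
    $scores = [];
    foreach ($hits as $hit) {
        $scores[$hit['ip']] = ($scores[$hit['ip']] ?? 0) + score_hit($hit);
    }
    $flagged = array_filter($scores, function (int $s) use ($threshold) {
        return $s >= $threshold;
    });
    return array_keys($flagged);
}

// Constructed tracking records (documentation IP ranges, made-up user ids).
$post = '/rn/modules.php?name=Forums&file=posting&mode=newtopic&f=12';
$hits = [
    ['ip' => '203.0.113.7',  'user_id' => 1,  'uri' => $post],
    ['ip' => '203.0.113.7',  'user_id' => 1,  'uri' => '/rn/index.php'],
    ['ip' => '203.0.113.7',  'user_id' => 1,  'uri' => $post],
    ['ip' => '203.0.113.7',  'user_id' => 1,
     'uri' => '/rn/modules.php?name=Your_Account&username=exampleuser&gfx_check=&op=login'],
    ['ip' => '203.0.113.7',  'user_id' => 1,  'uri' => $post],
    ['ip' => '198.51.100.9', 'user_id' => 1,  'uri' => $post],   // one curious guest
    ['ip' => '192.0.2.44',   'user_id' => 42, 'uri' => $post],   // registered member
];
echo implode("\n", flag_ips($hits)), "\n";
```

Because the addresses are often proxies, as the post notes, a flagged IP is a short-lived signal rather than a stable identity.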
 |
bodzio
New Member


Joined: Sep 30, 2007
Posts: 2
|
Posted:
Sun Sep 30, 2007 2:54 am |
|
fkelly wrote: |
I have run NS with a hack in it that basically says, if the user is anonymous and they do this:
/rn/modules.php?name=Forums&file=posting&mode=newtopic&f=12
ban 'em. This works but the email address is from the UK and the IP is from the USA so I suspect they are using a proxy and can come back with another IP. On the other hand I think these spam programs are probably trying a thousand sites a day and if they don't crack into yours they just move on to another one. |
I've gone through hell with these morons. Gallery was a major exploit that infected an entire ISP server (I moved to another one after that). Spam via guestbook, weblink submission, comments is also a major pain. Banning IP addresses works partially, but ...
And here is MY idea.
My assumptions are -
- there is a limited number of proxy servers available in the world, so how about building a server that would hold a list of all proxy servers (IP addresses) and distributing their IP info via an RSS-type mechanism?
- each site that identified a new spammer would have an RSS-type interface that would list the newest blocked address. The IP information exchange could be arranged bidirectionally between webmasters following the "you-scratch-my-back-I'll-scratch-yours" rule.
- The database could be cached locally and updated on a regular basis
- any "new" IP address would trigger the behaviour validation routine (described in the post above). If the automated routine recognizes a spam it automatically submits the new "winner" to the central database and it updates a local cache, any other entry gets posted.
- Webmaster could manually flag entry as spam and trigger a manual submission of a "winner" to the central repository.
I can venture to bet that this variation of black-list database would very quickly get rid of the problem on a mass scale.
OH... as a "thank you" note, each spam could invoke 10 emails from every attacked site to the ISP hosting the offending post (proxy) and to botmaster.ru folks. They DO need to feel the pain and know how much we appreciate all that money that they make on us.
These Ruskies are so "smart", but I believe that their ISP (located here in the US, in Oregon) would not be happy to be attacked by millions of emails daily with "Thank you emails" for hosting such a "great" vendor.
Oh, since these "posts" do qualify as spam, the modules could submit them to their ISP and appropriate spam databases for appropriate follow ups. If an ISP hosts people like botmaster.ru, their entire subnet should be blacklisted for email traffic. This could give them some additional push to kick out the evil XRumer folks.
What do you think? I would be willing to put such a module on my web sites. |
|
|
|
 |
Susann

|
Posted:
Sun Sep 30, 2007 4:09 am |
|
Your idea sounds interesting: fight back with "Thank you emails". I know it works when you flood an email account of little dirty spammers, but I don't believe it works in general because spammers and some registrars/hosters so often work hand in hand.
Sure, I would also put such a module on my sites, and I'm willing to test an admin module http:BL for Nuke to join Project Honey Pot with all my Nuke sites to make the future of the web a bit better.
But I know all these actions are only very little steps and not the general solution against spam and cybercrime. |
|
|
|
 |
evaders99

|
Posted:
Sun Sep 30, 2007 7:03 pm |
|
Sadly proxy servers come up and down every day. There are many block lists already out there, just isn't any particular one that is really effective. Servers are compromised hourly and allow further spamming. And as Susann said, many hosts work with spammers for a cut of their profits. |
|
|
|
 |
fkelly

|
Posted:
Mon Oct 01, 2007 12:34 pm |
|
Just to relate a recent experience. I have a test site for Ravennuke. It's just test data and I can rebuild it quickly so I'm pretty free to experiment there. So I changed forums to allow anonymous posting. It took them about 3 days to find it but pretty soon I had Britney Spears and Angelina Jolie postings. I checked one out. It was a link to what promised to be pornographic videos of Angelina though the thumbnails were pretty fuzzy. Well, click on one of those and you get a "you need to load an update to Directx file xxxxx , click here to download and install it". Needless to say I shut that thing down pretty quickly and ran a complete virus scan. Interesting psychology they use. That exe file you would load probably turns your PC into a zombie that they can use to post on other sites. Not that I'm going to find out.
Which raises in my mind an interesting question. Should we "fix" forums to not allow anonymous posting at all? Or at the very least make it so you have to bypass a couple of strong warnings to do so? I just went into my test site and verified that if you create a new forum anonymous posting is "off". But it is all too easy for someone to use the "public" choice in the "simple mode" of setting up a forum and wind up turning anonymous posting on as a result. And while you can say "an admin should be responsible for his/her own actions" ... at the same time giving spammers a place to post links to sites that can tempt users to download viruses is probably not something we want to encourage. |
|
|
|
 |
Susann

|
Posted:
Mon Oct 01, 2007 1:44 pm |
|
It's known that it's a high risk to allow anonymous posting and also that they are building the greatest botnets with 1.7 million infected machines. I have also received emails with links to such sites.
It's like a major offensive.
But some forums need the option of anonymous posting at the beginning to push their sites. We should not change this. More warnings wouldn't be a bad idea, I think. |
|
|
|
 |
slackervaara

|
Posted:
Tue Oct 02, 2007 10:39 pm |
|
Since August 7 I have allowed guests to post in my forum and I have not had a single spam posting in that time. This is probably due to Advanced Textual Confirmation (bbantispam), where upon the first posting one has to answer a question like "Are you human?" correctly. Earlier, when I allowed guests to post, I always had problems with spam and it could be hundreds a day. Bbantispam is easy to install, and if you write the install code in config.php, spamming everywhere in PHP-Nuke should be stopped, claims the author. |
|
|
|
 |
Susann

|
Posted:
Wed Oct 03, 2007 4:26 am |
|
|
|
 |
TAd
Worker


Joined: Oct 11, 2004
Posts: 127
Location: Oregon, USA
|
Posted:
Thu Oct 04, 2007 5:46 am |
|
I am getting spammed hard, from multiple IPs, I mean lots of them! I contacted Raven offline via ICQ, awaiting Authorization. I cannot stop them :/
Captcha is not working, they are all using the same line...
Updated RN and NS 2-3 weeks ago after I got my site backup. NS had old SQL until yesterday when I updated it. Tonight they were going crazy :/ I have lines they input and will pass them along off forum. I have 1 Question, Is Anonymous User ID -1 ? There was a strange bit of code that an individual or bot, typed in through Your_Account as well. Like Your_Account -stop
Something like :
Code:/nuke/modules.php?name=Your_Account&stop=1
|
At this point I am not sure if my upgrade is bad, or they are exploiting holes they have found... I am sorry I am jumping around a lot, it has been a long night. I will try to gather facts and info and present them in a different post.
Best regards,
Thomas |
|
|
|
 |
fkelly

|
Posted:
Thu Oct 04, 2007 7:07 am |
|
Are the spam posts getting into your forums? If so, I would guess you may have inadvertently opened a forum up to the public. Go into Forums administration, permissions and look at each Forum. Go to advanced mode on each forum in the drop down box and make sure that it says reg for everything except view and read.
The anonymous user is userid #1. The code you are seeing is normal, hackers will be trying to post all the time. They do this on all sites but if you have your forums set up right they can't post. Right now there is no way within Sentinel to ban anyone who attempts to post as anonymous but the post will be rejected and they will be redirected to the login screen. |
|
|
|
 |
Susann

|
Posted:
Thu Oct 04, 2007 10:24 am |
|
TAd
The nuke_users table uses -1 for Anonymous in older versions of Nuke, but in RavenNuke it's 1.
Did you upgrade from an old version of Nuke?
Make sure you have 1 in the table.
Also make sure that there are no old files on your server.
Besides this, you can always ban via CIDR directly in .htaccess. This worked well for me in the past when I used an older version of Sentinel and PHPNuke.
They never had a real chance to add comment spam. I have banned 50 % of my visitors at the end. |
|
|
|
 |
bodzio

|
Posted:
Thu Oct 04, 2007 5:32 pm |
|
Since last of my posts, I had yet another experience.
95% of the problems are caused by scripts. Scripts, by nature, are VERY fast in posting, so ... how about measuring the time spent on typing a comment, submitted news, guestbook entries. No human will go over a certain rate of typing. So, if one could take into consideration an average Joe-the-geek's typing skills and compare them to an actual entry, it could be assumed whether an entry was created by a robot or a human.
Any "fast" entry would be rejected or subject to some kind of black-listing.
As far as infected machines, I would still argue that it would be beneficial to contact any responsible (for the subnet) ISP with a message that his network has a "problem" child, and if they don't want to be black listed or be a subject of a collective (naturally massively automated) campaign, they better do something about it. Forcing ISPs to make their users practice "safe" computing could be accomplished.
Cheers.. |
|
|
|
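bodzio's time-to-submit check, as an added example that is not part of the post or of RavenNuke: the form carries a signed issue time, and the handler rejects submissions that come back faster than a person could type. The secret, thresholds and function names are assumptions; binding the token to the client IP also covers the case kguske describes earlier, where the form is fetched from one address and posted from another.

```php
<?php
// Added example (PHP 7.1+). Secret, limits and names are hypothetical.
const FORM_SECRET   = 'replace-with-a-long-random-server-side-secret'; // placeholder
const MIN_FILL_SECS = 5;     // assumed lower bound for a human to fill the form
const MAX_AGE_SECS  = 3600;  // forms older than this are rejected too

// Called when the form is rendered; put the result in a hidden field.
function issue_form_token(string $clientIp, ?int $now = null): string
{
    $issued = $now ?? time();
    $mac = hash_hmac('sha256', $issued . '|' . $clientIp, FORM_SECRET);
    return $issued . '.' . $mac;
}

// Called when the form is submitted. Returns 'ok' or the reason for rejection.
function check_form_token(string $token, string $clientIp, ?int $now = null): string
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    $issued   = (int) $parts[0];
    $expected = hash_hmac('sha256', $issued . '|' . $clientIp, FORM_SECRET);
    if (!hash_equals($expected, $parts[1])) {
        return 'bad-signature';   // edited timestamp, or form fetched from another IP
    }
    $elapsed = $now - $issued;
    if ($elapsed < MIN_FILL_SECS) {
        return 'too-fast';
    }
    if ($elapsed > MAX_AGE_SECS) {
        return 'expired';
    }
    return 'ok';
}

// Constructed demonstration with fixed clock values and documentation IPs.
$t0    = 1190000000;
$token = issue_form_token('203.0.113.7', $t0);
$cases = [
    'posted after 1 s'        => check_form_token($token, '203.0.113.7', $t0 + 1),
    'posted after 30 s'       => check_form_token($token, '203.0.113.7', $t0 + 30),
    'posted from another IP'  => check_form_token($token, '198.51.100.9', $t0 + 30),
    'timestamp moved back'    => check_form_token(($t0 - 60) . substr($token, 10), '203.0.113.7', $t0 + 1),
    'posted after two hours'  => check_form_token($token, '203.0.113.7', $t0 + 7200),
];
foreach ($cases as $label => $result) {
    echo $label, ': ', $result, "\n";
}
```

Binding to the IP will also reject real users whose address changes between loading and submitting the form, and a valid token can be replayed until it expires unless used tokens are recorded.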
 |
TAd

|
Posted:
Fri Oct 05, 2007 5:39 am |
|
fkelly wrote: | Are the spam posts getting into your forums? If so, I would guess you may have inadvertently opened a forum up to the public. Go into Forums administration, permissions and look at each Forum. Go to advanced mode on each forum in the drop down box and make sure that it says reg for everything except view and read.
The anonymous user is userid #1. The code you are seeing is normal, hackers will be trying to post all the time. They do this on all sites but if you have your forums set up right they can't post. Right now there is no way within Sentinel to ban anyone who attempts to post as anonymous but the post will be rejected and they will be redirected to the login screen. |
fkelly,
I started to respond last night, however I stopped and tended to my website. The forums I have are set all to Reg only. The comment spam was in reviews. I had been attempting to take certain parts of the code they were using in the URL's and place them into Nuke Sentinel, under the category: String Blocker Settings. It does not seem to work, but I am still looking into it. (I was misinterpreting what String Blocker usage was for).
I deleted a review as there was NO physical way of keeping up with them (bots), they posted hundreds in a minute or so. The "delete" (when logged in as admin) in many of the modules is insufficient for "Mass" editing. There is no limit to how many comments can be made by a user/IP. (Note, I am removing the "post Anonymous" in comments section of the review. It allows registered users to post, well, anonymously! I will re-add it later.)
When I deleted the review. And created a new one as a test. Boom there were already spam (older dates), then boom, here came the new ones! (my guess is database error in recent upgrade) as all review comments should be linked to a review id. So that told me I needed some downtime to check my db.
Susann, in a later post, confirmed that something is amiss, with her comment
Quote: | TAd
The nuke_users table uses -1 for Anonymous in older versions of Nuke, but in RavenNuke it's 1.
Did you upgrade from an old version of Nuke?
Make sure you have 1 in the table. |
Thank you Susann!!! (fixed!) And yes I did upgrade from an outdated RN, I am going to run a file compare for the DB as I have found a few discrepancies thus far. I will check the forums for a suggestion on a program for performing the compare.
In phpMyAdmin, I removed all comments for reviews, removed all reviews. And then did testing, seems that they are synced now.
I could type so much more, but I am thinking of writing an article instead! One of the most difficult things is to explain what is going on, before you have a full grasp of the "entire" situation. Which I did not when I first posted as it was just not new spammers, and not just old ones, not just any one thing, but instead a lot of different things.
Thank you all! |
|
|
|
 |
|