The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
09-23-2007, 03:10 PM
|
|||
|
|||
Trying to learn about spammers and bots - some interesting results!
I have been very busy with a couple projects and work the past few months and I have one vbulletin forum that is not very active that I had not checked in on for about 2-months (big mistake but I am going to make the most of it).
During the 2-3 month period my site but have been included onto every spam bot posting list as I had in the order of 2000 NEW MEMBERS (by far mostly bots) and about 10,000 new posts and threads (porn, drugs, a real mess!). So, I got an e-mail from a visitor/member making me aware of the problem and the past week I have been locking the site down to keep the bots out. To do this I have added the following hacks that have been posted here at vBulletin.org: NOSPAM Is Bot IPNoRegister SpamBuster Prevent Spam Posts Timezone block (suggested in this thread) Now, when I added these various tools to the site I still had problems with bots getting onto the site. I learned that the bots automatically come to my site to register and post their spam BUT there is a human component that allows these bots to "learn" from their experience. Specifically, in my logs I could see where the bots would get rejected (because they could not answer the NoSpam question. The bots would take a few seconds to be rejected and sometimes I would see a slower pinging of the registration page were I assume a person making a list of questions and answers that were programed into the bots. After this, the bots were able to get onto the site and corectly answer the NoSPam question. At this point the Spambuster and Prevent Spam Posts worked together to self moderate the spam. Now, to supplement these three tools, I then took the problem e-mail domains and ip addresses and added them to the vbulletin blocking mechanism as well as my own IPNoRegister hack. Now, in order for me to understand how this was happening I also rewrote parts of the hacks above and included a little code that logs all registration attempts. Over the past 2-weeks I have not had a single post get posted in my site that I did not want and as near as I can tell I have not impacted members I wanted. In the following two posts I will share two of my logs. Note that I have removed some registration info for cases were the person was a real member but you can see that in the logs! I hope this info helps someone that has also been infested with these dambed bots learn something that can be used to keep them out! 
|
|
#2
09-23-2007, 03:15 PM
|
|||
|
|||
|
Here is the site log that had the biggest problems:
This is the order that these are posted: Quote:
|
|
#4
09-23-2007, 04:20 PM
|
|||
|
|||
|
I really don't know how I can give that out as I rewrote the hacks above to combine what I needed to get this done. Most of the code I use is not mine...
I will see if there is a way that I can rewrite it so that the code is in a seperate plugin and product so that I can release it without the other hacks included.
|
|
#5
09-23-2007, 04:26 PM
|
|||
|
|||
|
Thanks, You wizards are great. I'm pretty much a noobie, but reading and learning fast. I've always thought that you can't know too much. I just installed isBot, it looks like a winner.
|
|
#6
09-23-2007, 04:31 PM
|
||||
|
||||
|
Filter posts and new threads through Akismet
Spam Decimator These are the only two I use, no spam post ever make it to the public. No need to add more then whats needed and bog your site down 
|
|
#7
09-25-2007, 04:57 PM
|
|||
|
|||
|
The nospam hack with 2 different questions worked for me. Now I wish there was some way to make new registrants make a post. I'm not sure if the emai to confirm registration is being filtered out as spam
|
|
#8
09-25-2007, 05:16 PM
|
|||
|
|||
|
https://vborg.vbsupport.ru/showthread.php?t=141554
This hack eliminated the bots entirely on 2 forums for me, its simple and works flawlessly, I even have captcha and email verification turned off  not sure why it hasnt caught on, only shows 31 installs
|
|
#9
09-26-2007, 12:13 AM
|
|||
|
|||
|
Quote:
Thanks, I have noticed a trend there too and I will add that one as well Over the past week I have been logging the log-ins for my SPAM TRAP website as the only thing going on there is these dambed bots trying to register then they try to log in and post their spam. In the process of logging this I have learned something new that may be VERY useful (not that I have worked out how to use this yet). My log file captures the following: DATELINE | DATE TIME | IP ADDRESS | IP HOST USERNAME | PASSWORD | PASSWORD MD5 | PASSWORD MD5 UTF | Cookie Now, what is VERY intersting is that if a NORMAL user logs in (with an error as that is where I am logging these bots) my logs show the following! Quote:
Here is a copy of the logs (I tried to edit the offensive stuff) of the attempts to log in... NOTE - THIS IS LESS THEN 24-HRS (What Was Prevented Today) Quote:
Note: In the above post I had to edit out a LOT of attempts to get that down to the point that it fit in a post (What you see above is ONE THIRD of what my log has as almost all of these attempts above were tried three times!!!).... NOW, I learned in this process that these BOTS register on as many forums as they can with these same usernames and passwords! If your site has bot problems, try searching for some of these members and if you have them, try the password and it may well work! I certainly am not posting this so that people can log in using these bot usernames or passwords to cause problems and this is a VERY SMALL sample of what I have logged over the past several days. Just the same, I was able to google a few of these names and find these bot accounts on other forums (beyond my own) and I was able to log in using the username and password. For those sites that got a PM to the ADMIN saying, "I am a BOT, BAN me or I will be back" sorry for the intrusion, I was just trying to understand the problem. I was the one that sent you the PMs (at least if it was before now). Now, what I would like to figure out is how we can add a check in the login page to see if the password is being submitted as plain text (not-hidden). In my experience, all of the bots have been submitting the password as plain text BUT the PASSWORD MD5 UTF looks to be sent as hidden text. I can not explain this, but the trend is absolute? If this is a mistake posting all of these... please feel free to edit the post above or send me a PM and I will edit it when I am online... These are ALL login attempts from bots! I am posting with the hope we can learn how to fix this problem... --------------- Added at 21:48 --------------- OK, Now, in case I have not made it clear why I feel that what I am sharing has the potential to be significant... I did a google search (at random) for one of the usernames from my logs. Note that this is a BOT and the password is posted above... When you search for this username in google I get OVER 25,000 HITS!!! http://www.google.com/search?hl=en&s...an&btnG=Search Now, this account is the same bot on at least some of these as I just checked about five sites with the password from my logs and I was able to get in!!! Now, if these bots are creating acounts, and god help us if we don't detect them in time, and if they were to mass attack our sites they could really mess up a larger website and community. Sorry to be standing on my soapbox but that google link points out why I am trying to get more interest in what I am trying to look at as their are programers on here that are far more skilled then I am and I would love to get more people interested in what we can do about this problem.... --------------- Added at 22:25 --------------- OK, I have hacked my code that logs registration attempts to also log the timezone. I will post the results in a say or two after I get some data... I will also try to recode my script so and post it so that if sites want a way to monitor the registration or log-in attempts on their site that they can. Note, you can never see user passwords (they are hidden) but bots are very obvious because they seem to NEVER be hidden! Cheers! p.s. I have also uploaded my latest Registration LOG file for everyone... Mind you, I have been working on this for about 3-weeks and these bots keep comming!
|
|
#10
11-10-2007, 11:39 PM
|
||||
|
||||
|
thanks quarterbore, for all the trouble your going through and sharing the results. wish i could help you out. i had a whole slew of hacks installed on a vb3.6.4. nothing stopped them until i upgraded to 3.6.8. after that, the only spammer hack i installed was the inhanced captcha images hack, and it stopped them dead in thier tracks. i wonder how long it will take for the bot programmers to find a way around that one.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 03:01 PM.