XF 1.1 My Forum's Getting Lots Of Spam

System0

Active member
edit by jake - I just posted a resource that consolidates all of the information from this thread into one guide:
http://xenforo.com/community/resources/dealing-with-forum-spam.980/


I've never had any problems with spam before but when I checked my forum today I saw lots of spam threads. Some were in Russian though many were in English.

I checked some users and they had fully validated their account using Gmail. The spam is undoubtedly automated though.

Some users have signed up using the domain andasio.com.

At the moment I am getting a new thread every few minutes and the IP addresses are all different so there doesn't seem to be any way to stop it.

(note: I haven't installed any new add ons or mods in a while so I don't think that's the issue)

I used to have this problem with vBulletin though this is the first time I've ever had a problem with XenForo. It's kind of taken me by surprise to be honest.

Any idea how this is happening and how I can stop it?

Thanks,
Kevin
 
Looks like my forum is on that list!

I've installed XenUtiles and followed other tips posted.

Have had 2000 attempts since Sunday (started on the weekend), a few got past today which meant 1000+ spam messages!

A few had Amazon AWS IP addresses!
 
Cleaning up the spammers a while ago. Most recent one had IP from Kazakhstan...couldn't help but laugh.

A lot of them get to register despite the three anti-spam checks in XenUtilities but only one posted so far. It was complete gibberish. I don't get why it is worth their while to post gibberish. Surely no one is paying them to post this stuff. What is the point?
 
If you have XenUtiles: ACP > Tools > Registration Log

Thanks!

I switched challenge questions over the weekend but had left registration turned off.

I installed XenUtiles and the country blocker in the three smaller forums that had been hit and turned registration back on about 2 a.m. Basically these are very special-purpose forums with membership counts in the negligible to small (< 50) range. This afternoon I dealt with 4 spam registrations that made it through, and there is one questionable one that passed all tests, but I'm keeping an eye on "her".

The number of registration attempts in the first 18 hours in these three forums that see almost zero activity other than an occasional surfer via Google or Bing: 120, 200, 294.

In my two larger forums (typically 40-100+ users) registration is still turned off but there are areas where non-registered users can post. These are protected only by the challenge questions and country blocker. I only had to deal with 2 spam posts today, down from 10-20 (don't know exactly how many the other mods deleted) yesterday.

Since I last tweaked the challenge questions, no spam users or spam unregistered posts have made it through.

My experience thus pretty much mirrors what others have been doing: XenUtiles + blocking major national spam sources (CN/IN/RU/UA) + challenge questions, and keep tweaking the challenge questions.

My use of the country blocker (Deny/Moderate Country): Russia, Ukraine, India, China are banned. I have no use for them. The country lists provided with the add-on are way out of date, so the first thing to do is to download & update new zone files. These are still outdated, but not nearly as badly outdated.

I then created two virtual countries -- ZY & ZZ - that I also block.

ZY is for zones that I discover are missing from the CN/IN/RU/UA zone files, and IP blocks in other countries where I decide to ban the entire block of addresses.

ZZ is for individual IP addresses in countries (e.g. the U.S. & Western Europe) where I don't want to cut a wide swath by banning entire IP blocks. ZZ also contains the IP addresses of 300+ anon proxies that I know about, and new proxies that aren't otherwise banned are added here, e.g. proxies in Sweden & the U.S. that were used successfully end up in ZZ.
 
I personally block YAHOO (yahoo, rocket mail, ymail)

You'd be surprised at how many spammers that stops. But more importantly, Yahoo is completely unreliable for e-mail delivery. I had a user point that out to me. Signed up for a few Yahoo accounts and waited for my e-mail confirmation to my site. Some came and some came really, really, really later than expected... i.e. between 3 days to 4 months. 2 others never came at all.


*@rocketmail.*
*@rocketmail.*.*
*@yahoo.*
*@yahoo.*.*
*@ymail.*
*@ymail.*.*

I have just added to my add-on "Stop Spam Here" a feature, "Point Check System", that I call Risk Indicator. With this feature, you can set points for: email domain, username and IP.

In your case, if you see that email from Yahoo is higher risk than others, you could set a higher point value for this domain (such as: yahoo.com=>50). The same goes for IPs: if you see that IPs from Russia are higher risk than others, you could set IPs from this country with a point value (e.g. 20.45.14.0/24=>30).

So users from Russia using Yahoo mail would get 80 points, and you could configure how this score is processed with the options: Block, Discourage, Moderate, Allow.

I think this would help you rather than blocking whole IPs or email domains.
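
Added example, not part of the thread and not the Stop Spam Here add-on's code: a minimal point-based registration scorer in the spirit of the scheme described above, using the two values quoted in the post (yahoo.com=>50, 20.45.14.0/24=>30). The other table entries, the function names and the thresholds that map a score to Block / Discourage / Moderate / Allow are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# yahoo.com=>50 and 20.45.14.0/24=>30 are the values quoted in the post;
# every other entry and all thresholds are constructed for illustration.
EMAIL_POINTS = {"*@yahoo.com": 50, "*@ymail.*": 50}
USERNAME_POINTS = {"*http*": 40, "*www.*": 40}
IP_POINTS = {"20.45.14.0/24": 30}
# Assumed cut-offs, checked highest first (score >= cut-off picks the action).
THRESHOLDS = [(80, "block"), (50, "discourage"), (30, "moderate")]


def _pattern_points(value, table):
    """Highest points among wildcard patterns matching value (0 if none)."""
    return max((p for pat, p in table.items() if fnmatchcase(value, pat)), default=0)


def _ip_points(ip_text):
    """Highest points among CIDR rules containing the address."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return 0  # unparsable address: no IP points, other signals still count
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must hit the IPv4 rules too.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return max((p for cidr, p in IP_POINTS.items()
                if addr in ipaddress.ip_network(cidr)), default=0)


def score_registration(email, username, ip_text):
    """Sum the per-signal points for one registration attempt."""
    return (_pattern_points(email.strip().lower(), EMAIL_POINTS)
            + _pattern_points(username.strip().lower(), USERNAME_POINTS)
            + _ip_points(ip_text))


def decide(score):
    """Map a total score to Block / Discourage / Moderate / Allow."""
    for cutoff, action in THRESHOLDS:
        if score >= cutoff:
            return action
    return "allow"


if __name__ == "__main__":
    # Constructed sample registrations.
    for reg in [("bob@yahoo.com", "bob", "20.45.14.77"),
                ("alice@example.org", "alice", "192.0.2.10")]:
        s = score_registration(*reg)
        print(reg, s, decide(s))
```

Taking the highest match per signal rather than summing every matching rule keeps overlapping patterns from double-counting the same evidence.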
 