XF 1.1 My Forum's Getting Lots Of Spam

System0

Active member
edit by jake - I just posted a resource that consolidates all of the information from this thread into one guide:
http://xenforo.com/community/resources/dealing-with-forum-spam.980/


I've never had any problems with spam before but when I checked my forum today I saw lots of spam threads. Some were in Russian though many were in English.

I checked some users and they had fully validated their account using Gmail. The spam is undoubtedly automated though.

Some users have signed up using the domain andasio.com.

At the moment I am getting a new thread every few minutes and the IP addresses are all different, so there doesn't seem to be any way to stop it.

(note: I haven't installed any new add ons or mods in a while so I don't think that's the issue)

I used to have this problem with vBulletin though this is the first time I've ever had a problem with XenForo. It's kind of taken me by surprise to be honest.

Any idea how this is happening and how I can stop it?

Thanks,
Kevin
 
I installed CustomImgCaptcha a few hours ago but spam registrations are still coming through. This is starting to get frustrating. Do you know how to check to see whether Facebook registrations are causing this?

Is FoolBotHoneyPot the best solution available?
 
These are popular:
XenUtiles: http://xenforo.com/community/resources/8wayrun-com-xenutiles-tools.104/
&
Stop Spam Here: http://xenforo.com/community/resources/sonnb-stop-spam-here.845/

These deal with known bots (using the StopForumSpam or other databases of known bots).

A full list of spam plugins and prevention techniques is listed here:
http://xenforo.com/community/resources/dealing-with-forum-spam.980/


But I would first check your server access logs to figure out where they are coming from.

If they are getting through CustomImgCaptcha and you have your own custom image set, it is incredibly unlikely that they would have solved your custom image (it's like asking a bot to draw an original Van Gogh-like painting; the technology for image recognition of un-encountered objects isn't there yet, they need to train on something to solve it, and you can't train on custom images since every solution will be different)... CustomImgCaptcha is a very long way from being solved.

I have a strong suspicion you have a leak in your system allowing bots through, and since I have seen a few recent bots use FaceBook (and FaceBook registration is an easy way to bypass many of the bot prevention mechanisms)... I have reason to believe it might be this.
Do you also use any custom bridges (for instance, single sign-on for Wordpress / Media Wiki)? If so, the leak could be there; you need to know how they are getting in first.

On my system I can look at the Access Logs on my server via FTP, they are located here:

[screenshot: access logs via FTP]

or via CPANEL:

[screenshot: access logs via cPanel]

Once you have the logs open (I would open them with Notepad++, since some editors can crash when opening large text files), search through the logs for the IP address, then find the point at which the bot registered... where did they do this?

If you do find that they are targeting FaceBook, I have now added a free resource to include any CAPTCHA mechanism you use, to be applied to FaceBook registrations: (http://xenforo.com/community/resources/facebookregcaptcha.1222/)

I'm biased with FoolBotHoneyPot so you will need to ask other users that have installed it, but it will only stop bots from registering via the registration page.
 
Thanks again for your help. Both Stop Spam Here and FoolBotHoneyPot look really good. I'd be happy to buy both if that's what's needed - can they be used together?

I downloaded the access logs. I checked the IP addresses of a few spam registration members which I have banned and their IP addresses on the logs. I'm not sure I can make sense of the logs though. For example, the IP of one banned member was 176.61.140.11. The logs seem to suggest that login/login and register/register was accessed.
 
can they be used together

I'm not sure

Any mechanism that checks a database, if it checks it on registration, it will need to know what parameters to send...
The point of FoolBotHoneyPot is that no one knows what the parameter names are (most bots think they need to fill the fields named "email/name/password etc"), but these are all honey pot traps that are hidden (a user will not fill these but a bot will). It will also use a custom template (so you will need to re-add any customisations you use on your registration page)

I couldn't tell you if they work well together, but I can give you a refund if you find they don't (or just send you a free copy to try with your existing method).

But honestly, a bot will not get through CustomImgCaptcha (which can be used with any other system)....
Can you look at the logs for CustomImgCaptcha (ACP >> Tools >> CustomImgCaptcha logs) and then find the IP address of the bot
If it is not there, the suspect "bot" has not registered via the registration page, if it is there it will tell you what parameters it sent.

register/register was accessed.

Is this the same for all bots that you suspect of getting through, and is it the taekwondo forum?
If so, you do have multiple possibilities where bots might be finding a weak point, but you would not see forums.com/register/register on the logs, you would see:


1) Twitter Auth, goes via: forums.com/register/twitter?..etc
2) Google Auth, goes via: forums.com/register/google?...etc
3) FaceBook Auth, goes via: forums.com/register/facebook?...etc
4) I noticed you mention wordpress a lot, do you allow sign on to the forum through a bridge somewhere, even if you think it is hidden and inactive?

So you know what they look like in the logs, I just attempted all 3 registration types on your forum, so you should see these together for the IP address 86.182.64.87 approximately 20 mins ago (I made them all error, so that I didn't register)

The down side of making registration easy for humans is that you might also make it too easy for bots (anyone can have a Twitter account and use that to easily sign up on multiple forums... this would also be easy to automate, avoiding any bot registration traps)

  • Can you send the full line from the logs for the known bot at the point of registration (to see if there are any parameters it also sends)...
  • Are you certain this is a bot (sometimes bot users manually sign up to see what they need to do to bypass any bot prevention techniques that are similar to yours)
  • Do you also have the time + date of registration for the "suspect bot"
  • What time did you install CustomImgCaptcha?
It would be good if you could send me a few examples, or a big chunk of your logs from when you think they registered after the point of CustomImgCaptcha (Honestly... I like trying to figure out how smart these bots are, and always want to stay one step ahead, so I don't mind looking through the logs)... Although, I would make sure there is nothing personal in them first.
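The log check described above, as an added example (not code from the thread or from any of the add-ons mentioned): given access log lines in the common "combined" format, it pulls out every hit on the XenForo registration routes named in this thread and reports which route each client IP used, so a banned member's IP can be matched to the normal form route or to one of the social-login routes that registration-page traps never see. The log lines, IP addresses and user agents are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log line (assumption: the host logs in that format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Registration routes named in the thread: the normal form plus the
# social-login routes that most registration-page bot traps never see.
ROUTES = {
    "/register/register": "form",
    "/register/facebook": "facebook",
    "/register/twitter": "twitter",
    "/register/google": "google",
}

def classify(path):
    """Return the registration route a request path hits, or None."""
    base = path.split("?", 1)[0].rstrip("/")
    # endswith() so a forum installed under a subdirectory (e.g. /forums) still matches.
    for route, name in ROUTES.items():
        if base.endswith(route):
            return name
    return None

def registration_events(lines):
    """Group registration hits by client IP: {ip: [(ts, route, method, status), ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and (route := classify(m["path"])):
            events[m["ip"]].append((m["ts"], route, m["method"], int(m["status"])))
    return dict(events)

def routes_used(events, suspect_ips):
    """For each banned IP, the sorted set of registration routes it touched."""
    return {ip: sorted({e[1] for e in events.get(ip, [])}) for ip in suspect_ips}

# Constructed sample lines (RFC 5737 addresses); not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2013:10:01:12 +0000] "GET /register/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Feb/2013:10:01:40 +0000] "POST /register/register HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Feb/2013:10:02:03 +0000] "GET /register/facebook?reg=1 HTTP/1.1" 302 0 "-" "python-requests/1.1"',
    '198.51.100.7 - - [05/Feb/2013:10:02:05 +0000] "GET /register/facebook?code=abc HTTP/1.1" 303 0 "-" "python-requests/1.1"',
    '203.0.113.5 - - [05/Feb/2013:10:03:00 +0000] "GET /threads/hello.1/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ev = registration_events(SAMPLE_LOG)
    for ip, routes in routes_used(ev, ["198.51.100.7", "192.0.2.10", "203.0.113.5"]).items():
        print(ip, "->", routes or "no registration hit (check other routes/bridges)")
```

An IP that is banned but shows no registration hit at all is the interesting case: it came in through a route this list does not cover, such as a bridge.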
 
Since adding CustomImgCaptcha yesterday, there are 9 logs for it. All seem to be legitimate members. A few put no answer and then an incorrect one but got it right on the second attempt. This suggests it's working well. I don't have any WordPress bridge installed in my forums (I'm not a fan of bridges in general).

I just checked Account Spam Finder and I can't see any new spam members registered since last night. Yesterday I was actively checking the latest member to sign up and then banning them if they were a spammer. This suggests that there are no more spammers registering.

I'm unsure as yet. Do you mind if I wait getting back to you on this? I can keep checking my records sporadically today. If no more spammers sign up within the next 24 hours, it's safe to say CustomImgCaptcha is working. Then the next step would be to go through and ban as many spammers as I can find :)
 
Sure... I'm surprised you have any humans fail it, but if you do, you can always add their "strange" answers to the answer list (making it easier for humans):
ACP >> Options >> CustomImgCaptcha

By default, it doesn't log all the bot attempts, because there are often just too many, it only logs the bots that actually attempt the CAPTCHA (by sending the field, even if it is blank). If you want to log all of the bot attempts you can turn this on by selecting:

Log all CAPTCHA events (including passed attempts)

Phew, you had me doubting CustomImgCaptcha for a second... if they figure out how to solve that, then Skynet isn't far off ;)

Once the image is customised and unique, the only way to solve it would be with image recognition, identify the potential reference object in focus, identify the image text and solve the two together... AI isn't there yet, but OCR/ANNs can solve simple text when a training set is available (this is why all common CAPTCHAs now fail, and Custom Image CAPTCHAs are near impossible unless they are basic text images)

Sure, get back to me, I'm keen to know if you've seen them coming through any other registration route.

I think your next step should also involve a second bot prevention mechanism that also works, one can complement the other (that way, when one fails, you don't have a flood of bots)...
but then I'm super paranoid about that sort of thing.


I would keep an eye on FaceBook/Google/Twitter sign ups, these are all areas that I would target if I was botting and aren't covered by most bot prevention plug-ins (and I've already seen some sneak through using this path).
 
As much as I love XenForo, and I do, their release schedule has been terrible at best. I appreciate it's difficult for them just now with the court case etc.

Do you expect honeypot to conflict with 1.2 - or is this too hard to predict?
 
I've held off doing anything related to StopForumSpam since this is going into 1.2, there is no point in designing something that is going into core, and IMO it's all you really need for known bots.

So, as soon as 1.2 is released I'll update FoolBotHoneyPot if needed, since I too would like to use the core anti-spam functionality, so it will definitely work with core, if not immediately... then very soon after the release of 1.2.

I'm fairly confident that CustomImgCaptcha will work with all plug-ins and all later versions of XenForo without updates needed (but it's impossible to know that for certain)

Don't worry, I will be around for quite a while, I'm currently starting one of my larger existing projects making use of XenForo (this is the main reason I'm designing plug-ins for security & bot issues)
 
Yeah so far so good. No spam registrations today.

I signed up to your forum. I tried to purchase three licenses for forumbothoneypot but it wouldn't let me change the quantity from 1. Will you need to set up a custom order? Alternatively, if you send me your paypal email I can send the money directly via PayPal.
 
Good to hear,

If you buy 1 license via the forum, it will give you access to download the plug-in (I would install that and try it first)
Then additional payments can be sent to the email address I sent to you via conversation / PM
 
Hello everyone. Forgive my intrusion but I am very new to all this spam stuff. I purchased a license back in Feb. 2012. I just tested a few ideas for the forum and had a few friends sign up so I could test it out. I eventually removed the forum from public view from my site (the link to my forum page was disabled from within my website) but I didn't disable the forum completely from within the Admin control panel. Wow, was that a huge mistake....

I didn't pay attention to it because I was trying to slowly create an identity for my site before I fully launch the forum. When I signed back in, I noticed over 400 new users posting spam. Now there are over 43,000 spam messages and links all over my forum. I mass-banned them all but now I want to know how to delete all of the posts. I wouldn't mind deleting all the threads and starting from scratch because I never launched the forum to the public, yet.

Does anyone have any ideas or any queries that I can run to mass delete posts from these spammers?

Any help will be greatly appreciated. Thanks in advance.

Sincerely,
the forum noob, err...
Lefty

Oh, and BTW- I managed to ban myself during my "mass-banning" and now I can't lift the ban because it keeps giving me a "can't find user" error. I also can't delete my account because it says I can't delete myself. Yeah, I know *noob*
lol
 
Hey Lefty,

If the forum hasn't been launched, I would advise backing up the design and any modifications you made and then re-installing XenForo again. You can then launch your forum again with the correct settings...and more importantly, zero spam.

Kevin
 
That sounds easy. How do I do that? I had the Xenforo team install it for me. Should I contact them? I can do it myself, I'll search for some instructionals on here. Thanks System 0, this gives me hope. =)
 