XF 1.1 My Forum's Getting Lots Of Spam

System0

Active member
edit by jake - I just posted a resource that consolidates all of the information from this thread into one guide:
http://xenforo.com/community/resources/dealing-with-forum-spam.980/


I've never had any problems with spam before but when I checked my forum today I saw lots of spam threads. Some were in Russian though many were in English.

I checked some users and they had fully validated their account using Gmail. The spam is undoubtedly automated though.

Some users have signed up using the domain andasio.com.

At the moment I am getting a new thread every few minutes and the IP addresses are all different so there doesn't seem to be any way to stop it.

(note: I haven't installed any new add-ons or mods in a while so I don't think that's the issue)

I used to have this problem with vBulletin though this is the first time I've ever had a problem with XenForo. It's kind of taken me by surprise to be honest.

Any idea how this is happening and how I can stop it?

Thanks,
Kevin
 
Oh really? Again, how do they obtain my tiny little nothing website with a whole 21 users signed up to it when I don't even really advertise heavily? What do they hope to gain from attacking my site?

I have all the guest stuff disabled so my users have no clue this is even going on. It's just a rather annoying thing to have to go delete about 100 sign ups a day who are still pending email confirmation.

Is there any way to automate the delete process if a user is not email confirmed after 24 hours so I can basically ignore all this? I got better things to do with my time than deal with garbage like this. I'd just as soon let them continue to sign up and just leave them in the database but I do have a limit and I'd rather not wait till I have 100,000 users in my database to have to go through and delete them then. The deleting process is really annoying since there doesn't appear to be a way to mass delete the users from the database without manually deleting them from the MySQL database...:\ At least leave me in the user list instead of throwing me back to the main menu...

They likely got it via Google searches. I didn't advertise my client's test forum and it's on there.

One thing I'm noticing is that they haven't identified where my client's forum has gone since I moved it.
 
  • They are able to solve or guess many Q&A questions. Definitely some calculations like (2+2=4) but even questions like "Is fire hot or cold?" If your question is answerable with a number, they simply try all numbers.

According to what I read, the new Xrumer allows users to share info about challenge question successes, so when one gets an answer right it sounds like it goes into a central database for all Xrumer users.
 
According to what I read, the new Xrumer allows users to share info about challenge question successes, so when one gets an answer right it sounds like it goes into a central database for all Xrumer users.
Interesting.
I guessed earlier that must be happening.
It would be nice to be able to check which Q&As are working and which are not.
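
One way to check which Q&A questions still hold up, as an added example that is not part of the original thread and not XenForo code. It assumes you log each registration attempt as (question id, answered correctly, flagged), where "flagged" means the attempt's IP or e-mail was listed by a blocklist lookup or the account was later removed with the spam cleaner; that log format, the question ids and the thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed sample questions: id -> (text, accepted answers)
QUESTIONS = {
    1: ("What is 2 + 2?", ["4"]),
    2: ("Is fire hot or cold?", ["hot"]),
    3: ("Which word comes second in our site name?", ["harbor"]),
}

# Constructed sample log: (question_id, answered_correctly, flagged_as_spam)
ATTEMPTS = (
    [(1, True, True)] * 5 + [(1, False, True)]
    + [(2, True, True)] * 4 + [(2, False, True)] * 2
    + [(3, False, True)] * 6
    + [(1, True, False), (2, True, False), (3, True, False)]
)


def is_numeric_answer(answers):
    """True if any accepted answer is a plain integer, so it can be enumerated."""
    return any(a.strip().lstrip("-").isdigit() for a in answers)


def audit_questions(questions, attempts, max_pass_rate=0.2, min_attempts=5):
    """Return {question_id: [reasons to retire the question]}."""
    flagged_total = defaultdict(int)
    flagged_passed = defaultdict(int)
    for qid, correct, flagged in attempts:
        if flagged:
            flagged_total[qid] += 1
            flagged_passed[qid] += int(correct)

    report = {}
    for qid, (_text, answers) in questions.items():
        reasons = []
        if is_numeric_answer(answers):
            reasons.append("numeric answer can be enumerated")
        total = flagged_total[qid]
        # Only judge a question once enough flagged attempts have been seen.
        if total >= min_attempts:
            rate = flagged_passed[qid] / total
            if rate > max_pass_rate:
                reasons.append(f"{rate:.0%} of flagged attempts passed")
        report[qid] = reasons
    return report


if __name__ == "__main__":
    for qid, reasons in audit_questions(QUESTIONS, ATTEMPTS).items():
        print(qid, "RETIRE" if reasons else "keep", reasons)
```
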
 
According to what I read, the new Xrumer allows users to share info about challenge question successes, so when one gets an answer right it sounds like it goes into a central database for all Xrumer users.
I'm rotating my questions now so hopefully that should reduce it. I'm also not using standard idiot proof questions like "what is 2 + 2" anymore. If they're too stupid to figure out what the message means then they probably shouldn't be on the site anyway IMO. If the bots start figuring it out before the users then really I'm gonna pull the plug and request a refund on the software. $140 software should not have this security gap IMO. I'd expect this from free software but not professional software. That's why I got it in the first place. I wanted something better. If the Google captcha has been compromised let's get a new one pushed out to the users that's better or provide some instructions on how to install a custom one please.
 
Just reporting in to confirm what everyone else is already saying, seems spam is hitting XF boards pretty hard now. I've definitely been clicking 'spam cleaner' far more often recently. Using XenUtilities and all 3 APIs. 969 caught by botscout so far (no idea what the average a day is, but so far for 8/22 it's caught 40, and I'm sure this # will be much higher by the end of the day). Forgot my pass for the other 2 services, so currently awaiting an e-mail to reset it. Interested in what the stats are for them.

I have XenUtilities installed -- where do I find these stats?
 
Posted this spam management suggestion in the small tweaks forum, but thought it might bear repeating here.

The main crux (for those who don't feel like clicking because you've been doing too much of that lately in your efforts to clean up spam):

Would love to have an option that allows me to enter a list of words/phrases, very similar to the censored words list, and when a word/phrase on the list is encountered within a post that post would automatically be sent to the moderation queue for review. This would allow for an added layer of spam management based on post content.

Admittedly, this wouldn't be an all-encompassing solution, but it would be an alternative to manually approving new registrations.
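
The watch-list idea suggested above, sketched as an added example that is not part of the original post and not XenForo code. The watch list, function names and the "moderate"/"publish" labels are hypothetical; the sample phrases are constructed.

```python
import re
import unicodedata

# Constructed sample watch list, in the spirit of the censored-words list.
WATCH_LIST = ["cheap watches", "payday loan", "pills"]

# Zero-width characters that NFKC leaves in place and that can split a word.
_ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def normalise(text):
    """Fold compatibility forms (e.g. full-width letters) and case, and
    drop zero-width characters, so look-alike spellings compare equal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return _ZERO_WIDTH.sub("", text)


def compile_watch_list(phrases):
    """Build one regex per phrase: whole words only, any run of
    whitespace or punctuation allowed between the words of a phrase."""
    compiled = []
    for phrase in phrases:
        words = [re.escape(w) for w in normalise(phrase).split()]
        if not words:
            continue  # ignore empty entries in the list
        pattern = r"(?<!\w)" + r"[\W_]+".join(words) + r"(?!\w)"
        compiled.append((phrase, re.compile(pattern)))
    return compiled


def moderation_decision(post_text, compiled):
    """Return ("moderate", hits) if any watched phrase occurs, else
    ("publish", []). A hit only queues the post for human review."""
    text = normalise(post_text)
    hits = [phrase for phrase, rx in compiled if rx.search(text)]
    return ("moderate" if hits else "publish", hits)


if __name__ == "__main__":
    rules = compile_watch_list(WATCH_LIST)
    for post in ("Nobody spills coffee here", "Need a PAYDAY   loan fast?"):
        print(moderation_decision(post, rules), "<-", post)
```

Matching on whole words keeps "spills" from tripping the "pills" entry, which matters because every false hit lands in the moderation queue.
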
 
Assuming that number is correct and all are licensed owners...
If, let's say, on average each license cost $120, then that is $1,007,280
Anyone still want to donate to the XenForo legal fund?
Not particularly, but since each one is actually $140 now, your numbers are low. Never mind the fact that some may have renewed over the past year or two as well. What I do see is $1,007,280 worth of pissed off customers that want this fixed.
 
Thought this might be interesting to others:

Edit User: XRumerTest

  • IP Addresses
IP owner info (Whois)
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=80.82.66.234?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
OriginAS:
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2009-03-25
Ref: http://whois.arin.net/rest/net/NET-80-0-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: hostmaster@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

I found this guy in my user list. See if anyone else sees him on the same IP or similar. It's not a class C IP like the others.
 