• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Same Spam, New tricks.

ShadyX

Well-known member
#1
We have been hit with all the usual types of spam since our forum opened. Fake Sig Spam, Mass link spam, PM spam etc; But it seems these spammers have learned a new trick.

Over the last few days I have noticed a handful of odd looking posts that have invisible images in them that display as broken images for a few seconds then go under the radar, I clicked the edit button to see what was wrong with the image and to clean it up and guess what I found in there:



There is obviously something odd happening here, The image link you see redirects through a PHP script then displays a transparent image to avoid detection.

They are posted by the usual culprits with wacky usernames and posts with broken English.

This is either a new way to get spam backlinks or something malicious, Has anybody seen this before? If so a little insight to what they are up to would be great :)
 

ShadyX

Well-known member
#3
I just took a look at my cookies and found 3 from that website:

63338550.1754899242.1326247861.1326247861.1326247861.1
63338550.1.10.1326247861
63338550.1326247861.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

I'm not sure what they mean though..
 

Brandon Sheley

Well-known member
#4
I just took a look at my cookies and found 3 from that website:

63338550.1754899242.1326247861.1326247861.1326247861.1
63338550.1.10.1326247861
63338550.1326247861.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

I'm not sure what they mean though..
It might mean someone is trying to snag some affiliate sales from the site without the owner catching on.
http://en.wikipedia.org/wiki/Cookie_stuffing
It happen to me a few years ago.
Does a .php file usually interact with the img tag?
 

Anthony Parsons

Well-known member
#10
This is why I really love http://xenforo.com/community/resources/splendidpoint-com-antispam-prevent-links-and-emails.106/ which just stops all this. I jack it up to a decent number... screw new members wanting to post links. Spammers don't even bother, they just go hit the next site. They can't post anywhere with that mod. I also remove the URL field from profiles... another deterrent.

I only have around 30 new registrations daily... very rarely do we get spam with Jaxel Utiles mod, the above linked mod and auto remove zero poster accounts mod. Barely see spammers nowadays.

None of my staff have ever come across this one though... just ran a DB search to check myself... nothing in post content.

Interesting how tricky they're getting.
 

CTXMedia

Formerly CyclingTribe
#11
I've had quite a few of these recently. The duplicate account mod flags them for me, and my members are excellent spam spotters (which helps) - but is there any way to limit the IMG BBcode so it only works on image file extensions?

Cheers,
Shaun :D
 
#12
I've had quite a few of these recently. The duplicate account mod flags them for me, and my members are excellent spam spotters (which helps) - but is there any way to limit the IMG BBcode so it only works on image file extensions?

Cheers,
Shaun :D
That wouldn't necessarily be enough. A clever server admin can simply set up .png/.jpg/.gif extensions to go through PHP, or redirect via .htaccess to the PHP file to do the heavy lifting.

I wonder how feasible it would be to have a server perform an HTTP peek at any image being posted, and block the post if it is a redirect or 1x1 transparent gif.
 

cmeinck

Well-known member
#14
This is why I really love http://xenforo.com/community/resources/splendidpoint-com-antispam-prevent-links-and-emails.106/ which just stops all this. I jack it up to a decent number... screw new members wanting to post links. Spammers don't even bother, they just go hit the next site. They can't post anywhere with that mod. I also remove the URL field from profiles... another deterrent.

I only have around 30 new registrations daily... very rarely do we get spam with Jaxel Utiles mod, the above linked mod and auto remove zero poster accounts mod. Barely see spammers nowadays.

None of my staff have ever come across this one though... just ran a DB search to check myself... nothing in post content.

Interesting how tricky they're getting.
Will this prevent the ability to post image links from external sites. In other words, does this block the 1x1 image spammers?
 

mrGTB

Well-known member
#15
We have been hit with all the usual types of spam since our forum opened. Fake Sig Spam, Mass link spam, PM spam etc; But it seems these spammers have learned a new trick.

Over the last few days I have noticed a handful of odd looking posts that have invisible images in them that display as broken images for a few seconds then go under the radar, I clicked the edit button to see what was wrong with the image and to clean it up and guess what I found in there:



There is obviously something odd happening here, The image link you see redirects through a PHP script then displays a transparent image to avoid detection.

They are posted by the usual culprits with wacky usernames and posts with broken English.

This is either a new way to get spam backlinks or something malicious, Has anybody seen this before? If so a little insight to what they are up to would be great :)
Not good when people resort to doing that on your forum, not good at all. Hard to see what you can do about it also bar blocking IMG tags from being used completely, I know a few vBulletin forums in the past disabled the use of IMG because of that nasty little spamming trick hard to spot. Have you got any plans to try and stop it?