Spam Account mod?

Mods etc.

Moderator: Integra Moderator

PostAuthor: jwernerny » Thu Sep 14, 2006 1:17 pm

Does anyone know of an IM mod that can be used to help get rid of "Spam Accounts"? It would be nice to be able to spot spam accounts automatically and flag them in the "Inactive User" screen.

There are a couple of ways I think spam accounts can be detected.
- number of forums they joined (> 200?)
- central reporting spot (like the e-mail blacklists)

Any thoughts or suggestions?

- John

BTW: Here is a long explanation of what I call a Spam Account. I posted it after deleting about 40 of them from one of my forums. It uses a real world account name that you might even have on your own forum now.

In my previous post, I used the term "Spam Account." A Spam Account is what I call an account that is solely created to allow someone to post spam messages on a forum.

Here is one example: "rich_oston". A quick Google Search for the user name turns up over 22,000 sites. Either there are a lot of rich_oston's out there, this guy is really busy, or there is something else going on.

A look through the search results reveals this guy is quite a polyglot. I count at least 5 different language sites. His interests also seem to stretch from snow tires to weddings to electronics to ... well just about everything and anything that has a forum.

It is also quite obvious that he is very busy on the internet. I counted over 100 forums that he has joined in just the past week.

Let's look at what he has posted. He must sure have some great thoughts.

Author: rich_oston (217.196.166.---)
Date: 09-06-06 17:45

Hey!

I was just blindly clicking the links and found this website.
sourcing

AugustaM Sourcing will solve your procurement problems with quick and professional service and extremely competitive pricing and quality
Just imagine - a few millions items database

Bye-bye


Hi

It was a real problem for me to find some rare parts until i found this website.
sourcing

AugustaM Sourcing will solve your procurement problems with quick and professional service and extremely competitive pricing and quality
Just imagine - a few millions items database

Cheers


Hey!

It was a real problem for me to find some rare parts until i found this website.
excess inventory

AugustaM Sourcing will solve your procurement problems with quick and professional service and extremely competitive pricing and quality
Just imagine - a few millions items database

Chao


It sure looks like rich_oston is just a spam source, or in my words, a "Spam Account."
jwernerny
Members
Posts: 87
Joined: Wed Apr 12, 2006 3:58 am
Location: Fairport, NY

Re: Spam Account mod?

PostAuthor: Helter » Thu Sep 14, 2006 5:25 pm

you must have disabled the profilcp images for registration. That is what they are there for.
Always use Protection
Please do not PM for support
Helter
Administrator
Posts: 4168
Joined: Sat Mar 11, 2006 3:46 pm
Location: Seattle Wa
IntegraMOD version: IM 3

PostAuthor: jwernerny » Fri Sep 15, 2006 3:53 am

Nope, the profilcp images are still there. (see http://www.snowtire.info/forum/profile. ... efer&mod=0)

That means they are either doing them by hand (which seems unlikely, because of the speed they hit so many sites), or that they have found a way around them. Maybe it is time to look at my logs again....

- John

Re: Spam Account mod?

PostAuthor: jwernerny » Fri Sep 15, 2006 4:44 am

Okay, I did some more research and found some interesting things.

1. All of the bogus users have no security question.

2. From my logs, it looks like they are doing an end-around insertion

Code:
211.191.97.246 - - [15/Sep/2006] "GET /forum/profile.php?mode=register&agreed=true HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
211.191.97.246 - - [15/Sep/2006:00:05:06 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "http://snowtire.info/forum/profile.php?mode=register&agreed=true" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


I think this issue really needs to be moved into a bug. Since it is a "hack" against IM, I will log this also in the Security forum.
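
One way to search a whole access log for the pattern in the excerpt above: POSTs to the registration script from clients that never requested the visual confirmation image. This is an added example, not part of the original post or of IntegraMOD; the `mode=confirm` marker for the image request is an assumption to adjust to your install, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the excerpt in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

REGISTER_PATH = "/forum/profile.php"  # path taken from the post's log excerpt
CONFIRM_MARKER = "mode=confirm"       # ASSUMPTION: query string of the CAPTCHA image request

# Constructed sample lines (not from the original post); documentation-range IPs.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Sep/2006:00:05:01 -0400] "GET /forum/profile.php?mode=register&agreed=true HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Sep/2006:00:05:02 -0400] "GET /forum/profile.php?mode=confirm&id=ab12 HTTP/1.1" 200 1480 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Sep/2006:00:06:10 -0400] "POST /forum/profile.php HTTP/1.1" 200 5300 "-" "Mozilla/4.0"
203.0.113.9 - - [15/Sep/2006:00:05:05 -0400] "GET /forum/profile.php?mode=register&agreed=true HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.9 - - [15/Sep/2006:00:05:06 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
192.0.2.44 - - [15/Sep/2006:00:07:00 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
not a log line
"""

def find_suspect_registrations(log_text):
    """Return {ip: [timestamps]} for POSTs to the profile script made by
    clients that had not requested the confirmation image beforehand."""
    saw_confirm = set()
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path, _, query = m["url"].partition("?")
        if path != REGISTER_PATH:
            continue
        if m["method"] == "GET" and CONFIRM_MARKER in query:
            saw_confirm.add(m["ip"])
        elif m["method"] == "POST" and m["ip"] not in saw_confirm:
            suspects[m["ip"]].append(m["ts"])
    return dict(suspects)

if __name__ == "__main__":
    for ip, times in find_suspect_registrations(SAMPLE_LOG).items():
        print(ip, "POSTed profile.php without fetching the confirmation image:", times)
```

Members editing their profile also POST to profile.php, so treat a hit as a lead to cross-check against newly created accounts rather than as proof.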

Re: Spam Account mod?

PostAuthor: Dragonsys » Wed Sep 20, 2006 5:52 am

sounds like a type of SQL injection.

Have you updated to the latest patch release of 2.0.21 and installed the latest Security Fixes?

patches - http://integramod.com/forum/dload.php?a ... &cat_id=29

Security Fixes - http://integramod.com/forum/viewtopic.php?p=14453
Last edited by Dragonsys on Wed Sep 20, 2006 5:55 am, edited 1 time in total.
Dragonsys
Sr Integra Member
Posts: 326
Joined: Mon Apr 10, 2006 6:45 am
Location: Springtown, TX

PostAuthor: jwernerny » Wed Sep 20, 2006 5:55 am

I have the latest security fixes installed, but I don't have 2.0.21 in there yet, just 2.0.20. I have been waiting for IM 141.

I may try putting 2.0.21 in tonight and see if it solves anything.

PostAuthor: Dioncecht » Sat Sep 23, 2006 12:28 pm

I have .21 and the patches and am getting the same issue. The account names are starting to get quite colorful too. Already offended one of my members...
'We keep moving forward, opening new doors, and doing new things, because we're curious and curiosity keeps leading us down new paths.' - Walt Disney
The RPG Headquarters. The RPG capitol of the net!
Dioncecht
Sr Integra Member
Posts: 244
Joined: Sun Apr 09, 2006 4:23 pm

Re: Spam Account mod?

PostAuthor: Helter » Sat Sep 23, 2006 1:33 pm

try this...looks like an easy install
It is called, Visual Confirmation on Posting
Attachment: VC.zip (14.62 KiB)

Re: Spam Account mod?

PostAuthor: Dioncecht » Sun Sep 24, 2006 4:22 pm

"This modification integrates the phpBB visual confirmation system with posting to require newly registered members to enter a code before their post is entered in your database."

None of them actually post anything, they just create accounts which display in the Newest Members area.

Re: Spam Account mod?

PostAuthor: Helter » Sun Sep 24, 2006 4:41 pm

so are they registering via sql injection to bypass the profilcp images?

you could set registration to Admin Approval to see if they get past that

PostAuthor: jwernerny » Tue Sep 26, 2006 3:31 am

On my site, I still get a message to approve them, but no one else sees them.

The bypass they are using also seems to bypass the security question.

For the other people who are having this problem -- did you previously have a plain phpBB site? I did, and I keep wondering if there is some old file hanging around that they are using.

- John

PostAuthor: Dioncecht » Tue Sep 26, 2006 5:16 am

jwernerny wrote:
> On my site, I still get a message to approve them, but no one else sees them.
>
> The bypass they are using also seems to bypass the security question.
>
> For the other people who are having this problem -- did you previously have a plain phpBB site? I did, and I keep wondering if there is some old file hanging around that they are using.
>
> - John

Nope.. I did a fresh install of IM 1.4.0

PostAuthor: ZacFields » Tue Nov 28, 2006 10:32 pm

i had to bring this topic back up.

I'm having a horrible problem with spammers on my forum. Like 5-10 spammers join the site every day and about 3-4 of them post some junk spam crap on the forums.

I have the visual code thing enabled on the forum. I'm not sure if these are real people or if they're getting around it somewhere. If it were an SQL injection, wouldn't PHPBB Security catch that?

Also, does anyone have any suggestions? My forums are based locally in the US so I have banned the email providers of the people (all from foreign email providers like mail.ru and web.de) and I think that will stop about half of them, but the other half I am clueless about...and why is it that I've been targeted with this?

Zac
ZacFields
Sr Integra Member
Posts: 426
Joined: Wed May 24, 2006 10:14 pm

PostAuthor: ZacFields » Tue Nov 28, 2006 10:33 pm

Also, wasn't there talk once about creating a public blacklist of spammers and hackers' IP addresses? I think this would be an effective way of preventing a lot of this.

Zac

PostAuthor: jwernerny » Wed Nov 29, 2006 5:34 am

ZacFields wrote:
> I have the visual code thing enabled on the forum. I'm not sure if these are real people or if they're getting around it somewhere. If it were an SQL injection, wouldn't PHPBB Security catch that?

Take a look at your Users database. (You can do this through phpmyadmin in the Admin / General section. It is called phpbb_users.) If you find registered users without a security question, and you have required that they have one (this is the default), then it is probably an SQL injection. The checks for these fields are pretty well hard coded in the user profile code.

> Also, does anyone have any suggestions? My forums are based locally in the US so I have banned the email providers of the people (all from foreign email providers like mail.ru and web.de) and I think that will stop about half of them, but the other half I am clueless about...and why is it that I've been targeted with this?
>
> Zac

You were most likely targeted because they have triggered off of phpBB or Integramod on your pages.

My steps to help with this are band-aids, but here they are.
- turn on admin approval for registration
- turn on approval for all open forums
- when a new user is created, check for the security question. If it isn't there, delete the user (you could try banning instead)
- when in doubt, I run the new user's name through a Google search. If I get a lot of hits from other forums (like > 1000), I get really suspicious.