New Spam

Matt_K · by **Matt_K** » 2018-12-20 11:56 a.m.

Looks like someone figured out our questions. I think everyone here has access to ban. If you see a 'topic request' and it's spam, go ahead and ban the IP address, not just the username. I'll investigate other methods of authentication now that we're up and running when I get home from CA but in the meantime, I suspect it'll be mildly annoying for a few days (~4-5 posts per day).

BGuttman · by **BGuttman** » 2018-12-20 1:48 p.m.

I've dumped 4 already today. One was porn. One was an ad for a phone jammer. Two were in Russian and I have no idea what they were about.

I didn't know I had banning priviledges. I'll have to investigate that.

Matt_K · by **Matt_K** » 2018-12-20 2:15 p.m.

[quote="BGuttman"]I've dumped 4 already today. One was porn. One was an ad for a phone jammer. Two were in Russian and I have no idea what they were about.

I didn't know I had banning priviledges. I'll have to investigate that.[/quote]

If you don't, I'll add you to the banning list

Neo_Bri · by **Neo_Bri** » 2018-12-20 4:44 p.m.

Well - how was the porn?

BGuttman · by **BGuttman** » 2018-12-20 9:17 p.m.

[quote="Neo Bri"]Well - how was the porn?[/quote]

I didn't watch it. It tried to download some malware on my computer and my anti-virus program blocked it.

Doug_Elliott · by **Doug_Elliott** » 2018-12-21 1:13 a.m.

A porn one just came in from DerrickLem and I banned the username. Hope I did that right.

I see there's a choice to ban the IP address but I couldn't figure out if I should do one or the other.

Neo_Bri · by **Neo_Bri** » 2018-12-21 5:08 p.m.

[quote="Doug Elliott"]A porn one just came in from DerrickLem and I banned the username. Hope I did that right.

I see there's a choice to ban the IP address but I couldn't figure out if I should do one or the other.[/quote]

Ban the IP and maybe delete the user, too?

Matt_K · by **Matt_K** » 2018-12-21 10:38 p.m.

It's not immediately evident. When you go to the ban menu, it takes you first to ban user. There should be text somewhere on the page that says, 'Ban by IP'. If you do that, they won't be able to log in at all from any of their accounts that might come from there.

I'm finally back home now. I have some clients I need to do some work for this weekend but I'm going to try to finish that up and then get to shoring up this spam problem. There is a fairly active phpBB community and I believe some of them have came up with other methods of dealing with the spam just a matter of figuring out what is the best fit an dimplementing.

BGuttman · by **BGuttman** » 2018-12-27 5:35 p.m.

I didn't find the "Ban by IP" option and I've just been banning by name.

They are coming pretty thick and fast. You will see if you check the Moderator Log. I think my fingerprints are on a lot -- probably because I'm the guy with the time.

I hope you can find a way to eliminate these miscreants.

Doug_Elliott · by **Doug_Elliott** » 2018-12-30 3:01 a.m.

Banned another username, BlackMissster.

I still don't know how to do both the username and the IP address, or whether you want that done or would rather keep track of them.

Doug_Elliott · by **Doug_Elliott** » 2018-12-30 7:07 a.m.

Another one came through but I disapproved the post and now I don't know where it went.

Matt_K · by **Matt_K** » 2018-12-30 10:01 a.m.

Tell you what, for the time being, just go ahead and report it and I'll get a ping where I can take care of all of them at once. (Using the "!" icon at the top of the post). Nobody else will see them anyway since these users have to have two approved posts anyway.

Neo_Bri · by **Neo_Bri** » 2018-12-30 10:18 p.m.

How about we change the registration process to keep things at bay? Or am I missing something?

Matt_K · by **Matt_K** » 2018-12-30 10:32 p.m.

[quote="Neo Bri"]How about we change the registration process to keep things at bay? Or am I missing something?[/quote]

We could do that. Probably changin up the questions would solve the problem for some length of time at the very least. Recommendations? I can swap them out pretty easily if I'm recalling correctly. Just have to change a text file on the server.

Neo_Bri · by **Neo_Bri** » 2018-12-31 12:04 a.m.

Do we have a Captcha?

Also, questions - not sure. No real suggestions.

Matt_K · by **Matt_K** » 2018-12-31 12:31 a.m.

[quote="Neo Bri"]Do we have a Captcha?

Also, questions - not sure. No real suggestions.[/quote]

The captchas, if I recall, were very weak but I can look into it. I have a client who is keeping me quite busy for the next few days. Just got your text will try to get back first thing. Just finished debugging something for like 4 hours... misunderstood documentation thinking something would execute once every minute... but in fact was executing on the first of every hour...

BGuttman · by **BGuttman** » 2018-12-31 9:05 a.m.

Just dealt with 15 posts from same person asking about some law software. Banned the name. Couldn't find the IP to add to the IP address list.

Matt_K · by **Matt_K** » 2018-12-31 10:06 a.m.

Does your ban screen look like this? If you'll noticed on the top left there are three categories:

Ban Usernames

Ban IPs

Ban Emails

The emails they use are obviously throwaways so I'm not worried about them. They can't re-register another user to the e-mail address. If you ban the IP you can hit back and then ban the user. But you don't need to wrory abou tit, if you report it, I'll mop it up. Taking a quick look to se if there's anything I can do with relatively little effort to make it a little difficult for the bots to get in

BGuttman · by **BGuttman** » 2018-12-31 10:40 a.m.

I have the Ban IP's, but I need to know the IP in advance. I can't find the IP in the post.

I don't know if I can report a post awaiting approval, and I don't want to approve any of these.

Matt_K · by **Matt_K** » 2018-12-31 10:47 a.m.

[quote="BGuttman"]I have the Ban IP's, but I need to know the IP in advance. I can't find the IP in the post.

I don't know if I can report a post awaiting approval, and I don't want to approve any of these.[/quote]

Ooh valid point. Don't do anything the next time around, I'll take care of it and figure out what the procedure should be.

As far as IP banning, the IP *should* be autopopulated when you go there (as is the username).

I just enabled another question (what position is low e natural in) so that should keep *some* of the bots at bay for the time being.

Matt_K · by **Matt_K** » 2018-12-31 10:53 a.m.

Okay I have an idea. Yes, leave the next one blank. I can write a script very easily that will act as a 'honeypot'. In other words, it will allow someone to register with the wrong answer. I can have the bot check for the wrong answer and then autoban them every few minutes. The current one should keep them at bay for possibly a few weeks but possibly not long at all, afterall, they just have to come up with the number 7.

Matt_K · by **Matt_K** » 2019-01-01 10:29 a.m.

Phew! That didn't last long. I have a lot of data to work with now though, fortunately it only is cluttering on our end, nobody else can see it. What I'll do is add a honeypot now... basically if they answer it right, it'll let them register and then if they make a post, I'll auto-ban the IP address, email, and username. For now, keep the spam posts. I'll collect them so that I can do analysis on them before deleting them.

BGuttman · by **BGuttman** » 2019-01-01 11:48 a.m.

Good luck. Seems to be 3 spammers and they have been at it since about 10 AM GMT. I noticed 3 new entries while I was looking for real entries.

I can't see the IP of the posters. I hope you can.

BGuttman · by **BGuttman** » 2019-01-01 1:10 p.m.

We got a new one. This one is posting in Russian.

We're up to 123 spam posts, most from the three names (are they 'bots, too?). Let me know if you want me to cull some of the herd.

How's your 'bot working?

BGuttman · by **BGuttman** » 2019-01-01 1:16 p.m.

Looks like you got the Russki.

BGuttman · by **BGuttman** » 2019-01-01 1:34 p.m.

Rough pattern analysis:

The three spammers/spammerbots are posting every 12 minutes or so in a specific order. I really think these are bots since they are so mechanical.

RidgeKi first, then BrantMiz about 2 minutes later, then GalenMl about 3 minutes later.

Matt_K · by **Matt_K** » 2019-01-01 1:44 p.m.

Yeah, almost done. I dont' know PHP and it looks like ther eisn't a function built in so I mad a post on the phpbb suppot forum seeing if there's a way to do it without me coming up with a method of altering the db. You generally want to do everything through the php API they provide if possible. In the meantime, I have the data I need, so I'm going to mop it up here in a second. I have the rest of my bot built so I can identify spammers. Once I have the php I need, it'll take a few minutes and we won't have to worry about it.

Matt_K · by **Matt_K** » 2019-01-01 1:54 p.m.

There, that should take care of all of those posts. I have some other stuff to do but while I'm waiting to hear back from phpbb support, I'll take care of the spam unless anyone feels like they want to take it on. It only takes me a minute to delete everything so if I dont' hear back today I'll prune the spammers once a day. I suspect I'll have something in place by the end of the week.

BGuttman · by **BGuttman** » 2019-01-01 2:17 p.m.

I hupe you didn't have to do a "select and delete". Marking 125 of them is still a major PITA (take it from someone wo's already been down that path).

Good luck finding the tool you need. And thanks for removing the clutter,

Matt_K · by **Matt_K** » 2019-01-01 4:25 p.m.

[quote="BGuttman"]I hupe you didn't have to do a "select and delete". Marking 125 of them is still a major PITA (take it from someone wo's already been down that path).

Good luck finding the tool you need. And thanks for removing the clutter,[/quote]

The site admn actually has an entirely different control panel and I can auto delete all posts when I permaban a user so it only takes a few seconds but it is a little tedious to get into the panel and spell out their names, thus doing it once a day isn't a big deal but doing it every time someone posts something spammy isn't worth it!

I'm collecting all of the subjects and spam texts in a separate table before I delete them. That way, eventually it'll get to the point where I can ban users and possibly make it easier to register for the site because 'll have enough examples of spam for an algorithm to detect if something is legit or not!

Neo_Bri · by **Neo_Bri** » 2019-01-01 11:13 p.m.

Thanks for working on this, guys. We'll need to get a permanent solution set up so we don't have to do the tedious work going on now.

bubbachet · by **bubbachet** » 2019-01-02 10:21 a.m.

The Captchas we used initially were "too hard" for a lot of legitimate users, so we switched to the questions.

We could just use new questions, or install the new Google Picture Captcha plugin.

BGuttman · by **BGuttman** » 2019-01-02 8:25 p.m.

There's another new one. Two posts offering an essay-writing service. I'm leaving him for you, Matt.

Doug_Elliott · by **Doug_Elliott** » 2019-01-02 8:32 p.m.

I think it's somebody practicing their hacking skills.

BGuttman · by **BGuttman** » 2019-01-02 9:42 p.m.

How about the Russian one who just appeared?

Matt_K · by **Matt_K** » 2019-01-03 12:03 a.m.

Apparently phpBB forums in general are getting hit really hard at the moment. Things that previously worked to keep bots at bay seem to be less effective. I was pointed n the right direction on the support forum for the functions that ban IPs and delete posts so I'll do something similar to when I inserted all of those TBF archives except in reverse. In the mean time, I zapped the two of those and all of their posts.

BGuttman · by **BGuttman** » 2019-01-03 5:16 a.m.

Found another one. I managed to report it so you can find it easily. Or do you want us to go back to zapping and deleting?

BGuttman · by **BGuttman** » 2019-01-05 6:32 p.m.

Looks like we got a new one. 3 names, posting about 3 minutes apart, every 12 minutes.

I wonder if they all have the same IP address.

BGuttman · by **BGuttman** » 2019-01-05 6:38 p.m.

They were posting every 2 minutes per cycle of 3. I banned all 3 names to stop the flow, but left the posts for you to evaluate.

Neo_Bri · by **Neo_Bri** » 2019-01-05 7:45 p.m.

Yes, it's pretty out of control. What's our best solution? There are 38 approvals waiting currently (all spam, I imagine).

Matt_K · by **Matt_K** » 2019-01-05 9:08 p.m.

I was almost done with my anti-bot bot today but I had a hardware failure that I've been trying to cleanup. I'm going to try to finish it tonight

BGuttman · by **BGuttman** » 2019-01-06 3:29 p.m.

Got another one (three?). They had just started. Banned the names, left the posts.

Matt_K · by **Matt_K** » 2019-01-06 3:32 p.m.

[quote="BGuttman"]Got another one (three?). They had just started. Banned the names, left the posts.[/quote]

Perfect! I just saw them, working on deleting the posts programmatically now that I'm back up and running again.

Matt_K · by **Matt_K** » 2019-01-06 3:44 p.m.

Also, looks like these might not be bots, but actual people in some instances too:

https://trombonechat.com/viewtopic.php?p=74826#p74826

That's close enough to something that resembles a real post. Its not though. Be sure to give extra scrutiny when you approve posts!

Matt_K · by **Matt_K** » 2019-01-06 8:12 p.m.

Bot is finished. It runs once a minute and checks for users who failed the "honeypot". So that means that if they make 5 posts without any being approved and they didn't enter some variation of "4th" for what position D natural is in... all of their posts get deleted and the IP, EMail, and Username get permabanned.

We also have an override such that if any of the admins or moderators report a post as "SPAMBOT" it also performs that operation. The method to do this is, instead of "disallowing" the post, you hit the "!" button at the top of a post. Then select the reason is "SPAMBOT". If a "normal" user does this, nothing happens other than we are notified of it. But if we do it, as I mentioned, it'll nuke the user so with great power comes great responsibility for the 6 of us!

However, there's one small kink that I didn't quite get worked out but I didn't have enough users I wanted to ban to test with. So it might not work tomorrow but all you should do, if you choose to do so, is report it with the "!" button in the fashion I described. I need to have the bot handle one from start to finish to make sure all of the functions work.

BGuttman · by **BGuttman** » 2019-01-06 9:59 p.m.

Your "honeypot" question may have a flaw for Brass Band trombonists. Their D natural is in 6th position (or 3rd position). Also, D natural is in 1st as well as 4th (at least the ones above the bass clef) for the rest of us.

Still, let's see how this works.

Matt_K · by **Matt_K** » 2019-01-06 10:43 p.m.

[quote="BGuttman"]Your "honeypot" question may have a flaw for Brass Band trombonists. Their D natural is in 6th position (or 3rd position). Also, D natural is in 1st as well as 4th (at least the ones above the bass clef) for the rest of us.

Still, let's see how this works.[/quote]

Hopefully Brass Band people don't have an inherent propensity to spam :biggrin:

The answers so far have been quite humorous. I labeled the field something like "repeat email address" so a bot sees that and thinks it needs to put the e-mail address in a second time. It also puts a default value of "<EMAIL email="email@domain.com">email@domain.com</EMAIL>" and almost 100% of the spammers have either the default value or the exact same email as their email address. One of the bots may be a person because they put "11th" as that was the number that I put in the example. (E.g. I said something to the effect of: "What position is D flat in blah blah blah... (Please include the "st" or "nd" such that if the correct answer is 11, then one would put '11th'".)

Doug_Elliott · by **Doug_Elliott** » 2019-01-07 1:06 a.m.

The st, nd, rd, or th is standard in the US but not in Europe. You might want to change that part.

Matt_K · by **Matt_K** » 2019-01-10 9:41 p.m.

Well, right now they'd have to both answer wrong and then spam >5 times without first having two approved. Although the answers that people are putting for it are... quite interesting. I'll change it so that if they have an "@" symbol followed by something that looks like a domain .

Also for what it's worth, good job on that last one Bruce. They weren't even on the site for 10 minutes before they were banned. I have to figure out a way to make it so that the deleted posts don't show up in my "Show unread" feed. Might have to have it flush the cache a few times a day or somethign.

BGuttman · by **BGuttman** » 2019-01-22 4:13 p.m.

Quick note:

When you choose to disallow a post, the automatic reason is SPAMBOT, which triggers the 'bot to ban the user.

Make sure you don't disallow a duplicate post without changing the SPAMBOT. You could eject a legitimate member.

Matt, can we add a reason "Duplicate Post" without referencing TTF archive?

Matt_K · by **Matt_K** » 2019-01-22 5:08 p.m.

[quote="BGuttman"]Quick note:

When you choose to disallow a post, the automatic reason is SPAMBOT, which triggers the 'bot to ban the user.

Make sure you don't disallow a duplicate post without changing the SPAMBOT. You could eject a legitimate member.

Matt, can we add a reason "Duplicate Post" without referencing TTF archive?[/quote]

It will only delete people if they have <2 approved posts and they answer the honeypot question incorrectly so even if you accidentally report spambot it won't do anything to that user. I can make something more robust in a couple weeks. We can also add that as a reason as well. We've actually never had anyone report any of the archive pages so we might jjust consider converting them to general problems.

Quick Links

Instruments

Marketplace

New Spam