Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.5.x
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Sat Feb 24, 2007 6:48 pm

JoAnne - Sorry for not updating this thread earlier.
Evaders - FYI
Here is what I have found so far based on communications with others who are experiencing the same thing.

These registrations seem to have been done by humans. I say that for the following reasons:
1. I can find no evidence that the new CAPTCHA system in RN 2.10 has been bypassed
2. the fact they are using valid email addresses
3. the accounts are not activated at the same time the registration takes place

The IP addresses are different - the IP for when the registration takes place and the IP used to 'activate' the accounts are consistently different BUT the IP addresses which are used to do the 'activation' seem to be in the same range, which leads me to believe that there may be a number of individuals doing the registrations but the same person (or a very small number of people from the same location) is doing the 'activations'.

The reason we are not seeing anything in Nuke Sentinel's Tracked User log is because these accounts are actually dormant (I think Montego found ONE account that has actually been used). So they are registering for an account, someone is clicking the link in the activation email BUT then they never actually log into their account - so Sentinel is only tracking them when they click the activation link but because they never actually log in, it is not associated with their username.
If you search your raw data logs for each of the suspect usernames, you will probably find 99% of them are from the same IP.

So far I think we have identified only around a dozen different email addresses even though they sign up for more than one account using the same email domain.

If you add these to the forum ban control in the email banning area, this should stop 99% of it.

*@*loan*.com
*@*payday*.com
*@*finance*.com
*@*linkmanager*.com
*@*cashadvance*.com
 
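The pattern described in the post above (registration and activation from different IPs, activation IPs clustered in one range, accounts never logged into, email domains matching the wildcard list) can be checked mechanically. The following is an added example, not code from the thread or from NukeSentinel; the record layout, the /24 range size, the cluster threshold and all sample rows are assumptions made for illustration.

```python
import fnmatch
import ipaddress
from collections import Counter

# Wildcard patterns quoted from the post above.
BAN_PATTERNS = ["*@*loan*.com", "*@*payday*.com", "*@*finance*.com",
                "*@*linkmanager*.com", "*@*cashadvance*.com"]

# Constructed sample rows: (username, email, registration IP, activation IP, logins).
# IPs are from the RFC 5737 documentation ranges; names and domains are made up.
ACCOUNTS = [
    ("user_a", "a@quickloan-sample.com", "198.51.100.7", "203.0.113.20", 0),
    ("user_b", "b@payday-sample.com", "192.0.2.44", "203.0.113.87", 0),
    ("user_c", "c@myfinance-sample.com", "198.51.100.91", "203.0.113.140", 0),
    ("user_d", "d@example.org", "192.0.2.10", "198.51.100.33", 0),
    ("user_e", "e@example.net", "192.0.2.50", "198.51.100.60", 4),
    ("user_f", "f@example.org", "192.0.2.77", "192.0.2.77", 0),
]

def email_banned(email):
    """True if the address matches one of the '*' wildcard ban patterns."""
    return any(fnmatch.fnmatchcase(email.lower(), p) for p in BAN_PATTERNS)

def activation_range(ip, prefix=24):
    """Network containing the activation IP (the /24 size is an assumption)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def flag_accounts(accounts, min_cluster=3):
    """Return {username: [reasons]} for dormant accounts matching the pattern."""
    # Dormant: activated from a different IP than registration, never logged in.
    dormant = [a for a in accounts if a[2] != a[3] and a[4] == 0]
    clusters = Counter(activation_range(a[3]) for a in dormant)
    flagged = {}
    for user, email, _reg_ip, act_ip, _logins in dormant:
        reasons = ["activated from a different IP, never logged in"]
        net = activation_range(act_ip)
        if clusters[net] >= min_cluster:
            reasons.append(f"activation range {net} shared by {clusters[net]} accounts")
        if email_banned(email):
            reasons.append("email matches a ban pattern")
        flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_accounts(ACCOUNTS).items():
        print(user, "->", "; ".join(reasons))
```

Substring wildcards such as `*@*loan*.com` also match unrelated domains that merely contain the word (a constructed `sloane-sample.com` would be banned), so review matches before deleting accounts.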
JoAnne
Worker



Joined: Oct 18, 2005
Posts: 127
Location: NYC

Posted: Sat Feb 24, 2007 7:18 pm

Thank you Guardian2003


But why do you suppose they are doing this if they are not leaving spam?


JoAnne
 
Guardian2003







Posted: Sat Feb 24, 2007 7:26 pm

I'm pretty sure they will start spamming eventually.

I have just had 5 more register within the last hour but because they are not logging into their accounts the forum ban control isn't doing the job, so I would suggest adding those I posted above to Sentinel's string blocker instead.
 
CodyG
Life Cycles Becoming CPU Cycles



Joined: Jan 02, 2003
Posts: 714
Location: Vancouver Island

Posted: Sun Feb 25, 2007 9:04 am

I had this problem a couple of weeks ago, on a site I don't check every day.... there were about 25 of these user accounts, all with impossible usernames like: HnVRpHPpIy, bXGbYNMsqn, etc. No spam or anything, just filling up the user table and member list with garbage. I've deleted all those accounts, banned the IPs, and they seem to have gone away. But, I am going to implement my infamous custom registration form for this site (as soon as the bod approves). No one gets registered automatically. Everything comes through me via email first. I know this isn't a solution for many nukers, but because most of my sites are for persons in my local community, people with real names, it works for me.

Another solution I've dreamed of is an email copy of the registration sent to admin at the time of registration. At least this would give me a heads up on fishy registrations and notify me of new legit registrations sooner than I might come across them on-site.

_________________
"We want to see if life is ubiquitous." D.Goldin 
Guardian2003







Posted: Sun Feb 25, 2007 9:31 am

Yes it would be nice to get a copy of the registration email so webmasters have a heads-up.

It's times like this that CNBYA has definite advantages!!
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Sun Feb 25, 2007 5:50 pm

Thought that I would also confirm the same. Guardian and I are seeing the exact same thing. From what I can tell, it's like Technocrat said, they are going straight to the "finish". I traced them down to they use one IP for the "finish" and then between 10 - 50 minutes later, the activation link comes in from a completely different IP and in many cases, from somewhere completely on the other side of the world.

Guardian and I are testing out a change being done on the RavenNuke side with a new captcha, so we'll see in the coming days if that stops them. If so, then we'll have to figure out how they are doing it in regular nuke. I looked briefly at the code, and I see the gfx_check in the "finish" in PHP-Nuke, but with that weak captcha, it is very possible that they have the right code.

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
moniek
New Member



Joined: Feb 26, 2007
Posts: 1

Posted: Mon Feb 26, 2007 2:06 am

I also have the same problem with people that are registering with those mail addresses and weird names. I noticed it on a couple of my websites. I tried several things to stop it:
ban certain IP ranges, email addresses and names. I even made sure that "account-new_user.html" linked back to index when people are trying to register, but that didn't help at all, so to me it also looks like they use some kind of script or tag to create the accounts.
 
technocrat
Life Cycles Becoming CPU Cycles



Joined: Jul 07, 2005
Posts: 511

Posted: Mon Feb 26, 2007 10:20 am

See I know what I am talking about....sometimes ROTFL

_________________
Nuke-Evolution
phpBB-Evolution / phpBB-Evolution Blog 
t_henson
Regular



Joined: Feb 02, 2007
Posts: 65
Location: Cincinnati, Ohio

Posted: Wed Mar 14, 2007 2:22 am

Guardian, I'm trying to add the emails below to my forum ban control, but it's not accepting them. How did you get them added?

*@*loan*.com
*@*payday*.com
*@*finance*.com
*@*linkmanager*.com
*@*cashadvance*.com
 
wiz
Involved



Joined: Oct 09, 2006
Posts: 413
Location: UK

Posted: Sun Mar 18, 2007 6:06 pm

Add them as a string and only add the domain, i.e. everything 'after' the @.
 
spasticdonkey
RavenNuke(tm) Development Team



Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

Posted: Tue Mar 27, 2007 10:50 pm

Image

like my CAPTCHA ? lol
 
montego







Posted: Wed Mar 28, 2007 6:45 am

ROTFL killing me worship

Way too much time on your hands! LOL.
 
All times are GMT - 6 Hours
 