Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x
Author Message
webservant
Worker
Worker



Joined: Feb 26, 2006
Posts: 206
Location: Springfield, MA

PostPosted: Sat Mar 24, 2012 5:35 am Reply with quote

I upgraded our production site to RN 2.5 this week.
All is well, and I like the changes - kudos to the diligent workers!

Wave

Over the past two days, I've seen almost two dozen registrations.
While I should be thrilled, the pattern is abnormal.
Additionally, all the users have email from hotmail.com

I'm not seeing any spam in the comments or posts in forums.
Just lots of user registrations.
Is this legitimate or am I dealing with a script kitty?

_________________
Awaiting His Shout
Webservant - GraciousCall.org
Romans 8:28-39 
View user's profile Send private message Visit poster's website AIM Address
webservant







PostPosted: Sat Mar 24, 2012 5:37 am Reply with quote

BTW - I installed nukeSPAM yesterday.

I tested it successfully on an entry from the spam forums.
It has not caught anything.
 
nuken
RavenNuke(tm) Development Team



Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Sat Mar 24, 2012 7:17 am Reply with quote

Check the ip addresses and email on Project Honeypot and see if they match known spammers.

_________________
Tricked Out News 
View user's profile Send private message Send e-mail Visit poster's website
fkelly
Former Moderator in Good Standing



Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sat Mar 24, 2012 8:28 am Reply with quote

You might also want to look at the patterns in IP tracking. If you look by users and then look at the anonymous user you can see the pattern they are taking when they register. Or look at some of the new users and see what their pattern of use is. Were they trying to post when they were still anonymous? Do you have Captcha enabled for new registrations ... if so they must be entering that successfully. I have noticed quite a few bots trying to register but they all get rejected by the captcha. You can see that happening right in IP tracking.
 
View user's profile Send private message Visit poster's website
webservant







PostPosted: Sat Mar 24, 2012 10:12 am Reply with quote

CAPCHA is enabled on the second page of user registration.
So, how are they getting through because there are only three IPs involved?

Here is the data:

Quote:
avilalj 46.229.224.170 avilalj Theresia Avila banojdigaelfesriede@hotmail.com
wellscb 46.229.224.170 wellscb Stephine Wells fluqoramulernary@hotmail.com
gilbertte 128.204.196.86 gilbertte Rey Gilbert swbyinneyxebodonita@hotmail.com
beltranih 46.229.224.170 beltranih Matthew Beltran yjkorilqiemapierre@hotmail.com
tracyda 46.229.224.170 tracyda Tracy Cuevas armaneqvudinuwaraney@hotmail.com
darellya 128.204.196.86 darellya Darell Bowers doreyqttahemowbburee@hotmail.com
beanmm 46.229.224.170 beanmm Filomena Bean abrykeilumqiarita@hotmail.com
royro 128.204.196.86 royro Freeman Roy jalisacvupehaywmpagne@hotmail.com
vHumbertoLyonss 46.229.224.247 vHumbertoLyonss Humberto Lyons pillowyxbrituxntoey@hotmail.com
phebesi 46.229.224.247 phebesi Phebe Miller ombesevandoefria@hotmail.com
eMarioOlivero 128.204.196.86 eMarioOlivero Mario Oliver otrsuuthluoglu@hotmail.com
arroyosj 46.229.224.247 arroyosj Harold Arroyo jegonnilamonetyhte@hotmail.com
stewartpw 128.204.196.86 stewartpw Rico Stewart hlyoinristonpura@hotmail.com
ranahl 46.229.224.247 ranahl Rana Gardner mcvadaniviecdaddie@hotmail.com
sMarinaOlivero 128.204.196.146 sMarinaOlivero Marina Oliver sheorrkarihedujge@hotmail.com
fosterlu 46.229.224.247 fosterlu Craig Foster ehkeefnyattaeayxdy@hotmail.com


I'll check honeypot, but my concern is how to detect / stop this.
 
fkelly







PostPosted: Sat Mar 24, 2012 12:12 pm Reply with quote

You can ban the IP's easily enough with NS or even directly in htaccess.

If you have automatic approval on, even with email activation, then any spammer who comes to the site in person and has a real email can get registered. I require approval of new registrations by an administrator. I look at their locations and other factors before deciding whether to approve them.
 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6404

PostPosted: Sun Mar 25, 2012 8:23 am Reply with quote

A little research on this:

Amazon Mechanical Turk (http://ws.amazon.com/mturk) and other sites pay pennies for people to do "data entry" (read: comment spam). They do this by posting forum and comment spam, but also be entering signatures with spam links (typically to sites for casinos, performance enhancing drugs, etc.).

Some times, they even go so far as to create an account, post some meaningless forum reply, then, later return to "update" their signature with spam links. They might do this just with the signature.

nukeSPAM will stop a lot of it, but with IP spoofing, cheap domains and endless free email accounts, it isn't possible to block 100%. All of the things fkelly mentioned are good approaches to keep in your toolbox, and Guardian suggested a mod to notify administrators when someone changes their signature, which I think is an excellent idea for yet another tool... Tools like Akismet (which is built into Disqus, which is now integrated with RavenNuke New / Tricked Out News) which analyze the content could also be valuable and effective means for blocking spam. If we could have a generic class / tool for integrating Akismet into Forums and modules with comments...yet another argument for a class-based comment system.

_________________
I google, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
View user's profile Send private message
webservant







PostPosted: Sun Mar 25, 2012 12:36 pm Reply with quote

Thank you - all of you. These are all excellent suggestions. I did implement nukeSPAM and added CA Honeypot. There an uncomfortable amount of information flowing into/through the site. I'll look more for Guardian's suggested mod, and keep you posted.

The flow of users seemed to stopped when both of these modules came into play, but I'll keep you posted.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©