Forum Under SPAM attack

[milandro]

I understand it is a temporary situation which will be corrected at some stage but this shows, eloquently, that this forum has low defenses against spam attacks.

 

I just hope that the passwords and other member’s data are kept under a better watch.

 

Of course it is Sunday, and no one is on permanent watch 24-7  but if this situation should happen again (it is not the first time but this is the most serious time) I am sure that people will go elsewhere

 

Currently one has to wade through over 9 pages of spam.

[FX Admin]

All spammer and their posts should be deleted now, we have still some entries in the cache for the news feed - but these should be gone in a few minutes.

 

Of course we are running measures against spammers but my first ToDo on Monday will be to check if all systems are up-to-date.

 

Andreas

[milandro]

thank you, it is very nasty, I am sure, for you to deal with this, but it rises questions of trusting the system for us too.

 

It’s not only visually disturbing but it means that the doors were not as locked as one would have hoped they were.

 

Thank you for your quick response.

[FX Admin]

First of all:

I understand your concerns and I see it as my duty to explain - hoping this can help to trust the forum.

 

There is a fundamental difference between the registration and posting process and the access to the user data:

 

The registration to the forum MUST be open - we want new members and we welcome everyone.

Spammers use this open door and start pestering us after they got in.

 

Of course we take measures to keep such people out but this is eternal game of Hare and Tortoise (in German it's Hase und Igel).

We manage to keep 99% out but when 1% get through they use this gap until we close it.

 

Your personal data is a completely different thing: These are not meant to be open (like the registration process) thus they are much more save.

 

Andreas

 

PS.: We are not alone with this problem...

http://www.fujix-forum.com

[milandro]

I understand that you are facing a difficult task.

 

I wasn’t suggesting that you are alone in this, but you understand that whether the vault is closed somewhere else, seeing that the door was broken in doesn’t look good from where I am sitting.

[FX Admin]

You can compare it to a bank.

 

Yes, the door is open. But only the front door to leave in our customers.

Nasty guys like spammers mix with the customers and are not always easy to identify.

They get into the customer area (=forum) and start spreading their spam.

 

The vault of a bank (= our databases) is a completely different issue: By definition not meant to open to the public and so much easier to protect.

 

Andreas

[milandro]

I understand that but perhaps I am not succeeding in communicating that, despite what is or what is not, it creates a perception problem. That is more damaging that the real damage they could provide.

[FX Admin]

Sorry.

No, message accepted, fully understood and accepted that such an attack leaves bad taste.

 

My priorities right now:

 

#1 Fight spammers (just deleted another one)

 

#2 Take measures to keep them out more reliably (will happen today - sunny Sunday outside, sigh...)

 

#3 Explain to users what's happening.

 

Andreas

[milandro]

...and here we go again, second attack today. 

 

Just started. 

 

I am on a saxophone forum for 8 years and I’ve never witnessed anything like this. Thanks for the good work that you do but these people seem to have found a way around. 

[Trenton Talbot]

Andreas, are these all freshly registered accounts? If so, you may want to:

 

1. Go on temporary lockdown (turn off registration).

2. Impose a waiting period, when newly registered account cannot post for a week.

3. Set up a photography specific registration captcha. A lot of captcha plugins let you set up your own question/response pairs, so you can do something like "Initially the aperture was set at f/5.6, we opened it one full stop. What's the aperture value now?"

 

#3 is important because this particular bot seems to be human assisted.

[FX Admin]

Thanks Trenton,

 

will do so for tonight (#1).

 

#3 is a little bit to difficult for some of us

 

Andreas

[Trenton Talbot]

#3 is a little bit to difficult for some of us

Oh well, no ignorance captcha then. But at least you can employ some captcha that checks for not just human traits, but lucidity as well. Like "What's the first word in the forum name?" 

[FX Admin]

I agree that this may help against some dumber spammers.

 

But in this case this was a well distributed and Turing-tested human driven attack.

Access came from a wide range of IP addresses with a wide variety of email addresses.

 

I'll disable registration for tonight and will implement more measures tomorrow.

 

Andreas

[FX Admin]

For the time being we control all new registrations.

 

Still some spammers getting through the first line of defense...

 

Andreas

[CRAusmus]

This is not an unusual thing for forums to get spammers.  In all the forums I've been on, I've never had any issues with spammers getting any of my personal information.  And other than locking the doors and not letting new members in, I know of no way for Andreas to prevent such a thing from happening.

 

Just relax.  This is a safe environment Andreas has created for us.

[FX Admin]

Right now a bigger spammer campaign is running - I had attacks (or call it better floods) in 3 of my 5 communities over the last 24 hours.

And I saw it in some other communities too.

 

Andreas

[milandro]

I have been a member for 8 years on sax on the web, spam has been always a very occasional occurrence and we haven’t had much of that at all never seen anything like what we saw here, ever.

 

Another and less pleasant occurrence was caused by people trying to log in with members identity. The system there blocks that IP after 5 wrong attempts. We suspect some wrong doing but haven’t been able to avoid that.

 

Also another problem arose when Tapatalk, which, without the knowledge of the forum owner, got hold of the email addresses of the members and sent the members ( most of whom never used tapatalk) an email which appeared to come from the forum.

 

There are many aspects to security. Relaxing is certainly a good but not necessarily always the best strategy.

 

Better safe than sorry.

[cug]

The system there blocks that IP after 5 wrong attempts.

 

Not a good approach. IP addresses are easy to spoof, easy to obtain different ones, and not a reliable measure at all. It's very likely that you are annoying your real users a lot more than the actual spammers. 

 

Second: even if the whole database of this forum was put in clear on the internet - if you feel less secure due to that, it would be better for you to approach forums more critically: use different passwords everywhere, potentially use different email addresses and/or usernames, be careful with other private information. 

 

And one forum not having seen spam intrusion while another one does isn't indicative to the first applying better measures, it's just as likely that it hasn't been attacked the same way or attacked at all. 

 

Overall, security of a basically public community is a balancing act. You want as many people in as possible but you don't want the wrong ones in. It's cheap today to pay a real person to create accounts in as many forums as possible. There is a whole service industry around spam and it's an arms race between the spammers and the admins of communities. If security and openness get out of balance you end up with systems like the TSA or the Patriot Act. Not something I'd want on public discussion forums.

[milandro]

I wasn’t trying to measure who projects the content of his bladder the furthest.

 

All I ever said is be careful. I was the one who alerted publicly the management about the first and second attack.

 

No good deed goes unpunished, obviously.

[Trenton Talbot]

Not a good approach. IP addresses are easy to spoof, easy to obtain different ones, and not a reliable measure at all. It's very likely that you are annoying your real users a lot more than the actual spammers. 

 

If you cannot remember your own password 5 times in a row, your potential contribution to the forum content seems to be moot. Blocking or throttling offending IP addresses is a very efficient way of fighting bots. At least when it comes to forum spam bots.

 

Right now a bigger spammer campaign is running - I had attacks (or call it better floods) in 3 of my 5 communities over the last 24 hours.

And I saw it in some other communities too.

 

Looks like a championship to me. Check your htaccess and a sitemap file, make sure they are authentic. 

[FX Admin]

If you cannot remember your own password 5 times in a row, your potential contribution to the forum content seems to be moot. Blocking or throttling offending IP addresses is a very efficient way of fighting bots. At least when it comes to forum spam bots.

Banning IP addresses may cause collateral damage.

Spammers don't use single dedicated addresses but come from big IP pools belonging to access providers.

If we ban these adresses or bigger ranges chances are that I ban innocent members.

And the spammers jump to the next address...

In this case we had about 20 spam acccounts with 20 different IP addresses coming from 5 different access providers.

 

Looks like a championship to me. Check your htaccess and a sitemap file, make sure they are authentic.

Sorry?

 

All I ever said is be careful. I was the one who alerted publicly the management about the first and second attack.

You are right - and thanks a lot for taking care.

 

No good deed goes unpunished, obviously.

If you refer to me:

When I explain what happened and what measures we take this is not meant as criticism.

And the discussion (and my 12 year forum admin experience) show that it's always a balancing act...

 

Andreas

[Trenton Talbot]

Sorry?

 

In a sitemap file look for changefreq parameters. There must be a reason why these bots attacked mostly the General forum. If changefreq for General in your sitemap file has lesser timing than any other subforum, it could mean that your site has been indeed hacked and used as a racetrack for the championship (yes, hackers do have sporting events).

 

Same with htaccess: if you haven't changed it in a while, dig out an old backup and compare it to the current version.

[FX Admin]

Thanks for the explanation!

Still learning new stuff...

 

These issues don't apply here: No changefreq parameter given, same priority for all forums, htaccess very short and manually crafted by me

 

Andreas

[cug]

If you cannot remember your own password 5 times in a row, your potential contribution to the forum content seems to be moot. Blocking or throttling offending IP addresses is a very efficient way of fighting bots. At least when it comes to forum spam bots.

 

IP addresses come from pools, a lot of networks don't give fixed IP addresses to their users but recycle them rather quickly. You block IP addresses you block all the people getting that IP in the future. 

 

IP address banning is only a short term measure and needs to be removed after a short time or you cause co-lateral damage. 

 

And there are many, many people who can't remember their passwords. I find it rather disgusting how you judge that, but that's just my personal view - having dealt with customer service for products that are used by hundreds of millions of people ...

[Trenton Talbot]

IP address banning is only a short term measure and needs to be removed after a short time or you cause co-lateral damage. 

 

And there are many, many people who can't remember their passwords. I find it rather disgusting how you judge that, but that's just my personal view - having dealt with customer service for products that are used by hundreds of millions of people ...

 

What kind of idiot bans an IP from dynamic pool permanently? Stop projecting. Oh, and speaking of how I judge that… As someone who had root access to various networks from mid-90s, I've seen user's search histories. Now, that is disgusting indeed.