
Forum Under SPAM attack


milandro


I understand it is a temporary situation which will be corrected at some stage but this shows, eloquently, that this forum has low defenses against spam attacks.

 

I just hope that the passwords and other members' data are kept under a better watch.

 

Of course it is Sunday, and no one is on permanent watch 24/7, but if this situation should happen again (it is not the first time, but this is the most serious one) I am sure that people will go elsewhere.

 

Currently one has to wade through over 9 pages of spam.


All spammers and their posts should be deleted now; we still have some entries in the cache for the news feed, but these should be gone in a few minutes.

 

Of course we are running measures against spammers but my first ToDo on Monday will be to check if all systems are up-to-date.

 

Andreas


First of all:

I understand your concerns and I see it as my duty to explain, hoping this can help you trust the forum.

 

There is a fundamental difference between the registration and posting process and the access to the user data:

 

The registration to the forum MUST be open - we want new members and we welcome everyone.

Spammers use this open door and start pestering us after they got in.

 

Of course we take measures to keep such people out, but this is an eternal game of Hare and Tortoise (in German it's Hase und Igel).

We manage to keep 99% out, but when the 1% get through they use this gap until we close it.

 

Your personal data is a completely different thing: it is not meant to be open (unlike the registration process), thus it is much safer.

 

Andreas

 

PS.: We are not alone with this problem...

http://www.fujix-forum.com


You can compare it to a bank.

 

Yes, the door is open. But only the front door, to let in our customers.

Nasty guys like spammers mix with the customers and are not always easy to identify.

They get into the customer area (=forum) and start spreading their spam.

 

The vault of a bank (= our databases) is a completely different issue: by definition it is not meant to be open to the public, and so it is much easier to protect.

 

Andreas


Andreas, are these all freshly registered accounts? If so, you may want to:

 

1. Go on temporary lockdown (turn off registration).

2. Impose a waiting period, during which newly registered accounts cannot post for a week.

3. Set up a photography specific registration captcha. A lot of captcha plugins let you set up your own question/response pairs, so you can do something like "Initially the aperture was set at f/5.6, we opened it one full stop. What's the aperture value now?"

 

#3 is important because this particular bot seems to be human assisted.
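The two measures above (a one-week posting hold for new accounts and a photography-specific question captcha) as an added example, not code from this forum's software. It assumes the standard full-stop aperture sequence and a hypothetical clock value passed in by the caller.

```python
import random
import time

# Standard full-stop aperture sequence (each step halves the light).
FULL_STOPS = [1.0, 1.4, 2.0, 2.8, 4.0, 5.6, 8.0, 11.0, 16.0, 22.0]

NEWCOMER_HOLD_SECONDS = 7 * 24 * 3600  # the one-week waiting period


def aperture_answer(start: float, stops: int) -> float:
    """f-number after opening (stops > 0) or closing (stops < 0) by whole stops.
    Opening one full stop moves one entry down the sequence: f/5.6 -> f/4."""
    i = FULL_STOPS.index(start)
    j = i - stops
    if not 0 <= j < len(FULL_STOPS):
        raise ValueError("aperture out of range")
    return FULL_STOPS[j]


def make_challenge(rng=random):
    """Generate (question, expected_answer); values are redrawn until the answer stays on the scale."""
    while True:
        start = rng.choice(FULL_STOPS)
        stops = rng.choice([-2, -1, 1, 2])
        try:
            answer = aperture_answer(start, stops)
        except ValueError:
            continue
        verb = "opened" if stops > 0 else "closed"
        question = (f"Initially the aperture was set at f/{start:g}, we {verb} it by "
                    f"{abs(stops)} full stop(s). What's the aperture value now?")
        return question, answer


def check_answer(given: str, expected: float) -> bool:
    """Accept 'f/4', 'f4', '4' or '4.0'; small tolerance because f/1.4 etc. are rounded values."""
    s = given.strip().lower().replace("f/", "").replace("f", "")
    try:
        return abs(float(s) - expected) < 0.05
    except ValueError:
        return False


def may_post(registered_at: float, now: float) -> bool:
    """Newly registered accounts are held for one week before their first post is accepted."""
    return now - registered_at >= NEWCOMER_HOLD_SECONDS
```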


I agree that this may help against some dumber spammers.

 

But in this case this was a well distributed and Turing-tested human driven attack.

Access came from a wide range of IP addresses with a wide variety of email addresses.

 

I'll disable registration for tonight and will implement more measures tomorrow.

 

Andreas


This is not an unusual thing for forums to get spammers.  In all the forums I've been on, I've never had any issues with spammers getting any of my personal information.  And other than locking the doors and not letting new members in, I know of no way for Andreas to prevent such a thing from happening.

 

Just relax.  This is a safe environment Andreas has created for us.


I have been a member for 8 years on Sax on the Web; spam has always been a very occasional occurrence there, we haven't had much of it at all, and I have never seen anything like what we saw here, ever.

 

Another and less pleasant occurrence was caused by people trying to log in with members' identities. The system there blocks that IP after 5 wrong attempts. We suspect some wrongdoing but haven't been able to avoid that.

 

Another problem arose when Tapatalk, without the knowledge of the forum owner, got hold of the email addresses of the members and sent the members (most of whom never used Tapatalk) an email which appeared to come from the forum.

 

There are many aspects to security. Relaxing is certainly a good strategy, but not necessarily always the best one.

 

Better safe than sorry.


The system there blocks that IP after 5 wrong attempts.

 

Not a good approach. IP addresses are easy to spoof, easy to obtain different ones, and not a reliable measure at all. It's very likely that you are annoying your real users a lot more than the actual spammers. 

 

Second: even if the whole database of this forum were put in the clear on the internet, if you feel less secure because of that, it would be better for you to approach forums more critically: use different passwords everywhere, potentially use different email addresses and/or usernames, and be careful with other private information.

 

And one forum not having seen a spam intrusion while another one does isn't indicative of the first applying better measures; it's just as likely that it hasn't been attacked the same way, or attacked at all.

 

Overall, security of a basically public community is a balancing act. You want as many people in as possible but you don't want the wrong ones in. It's cheap today to pay a real person to create accounts in as many forums as possible. There is a whole service industry around spam and it's an arms race between the spammers and the admins of communities. If security and openness get out of balance you end up with systems like the TSA or the Patriot Act. Not something I'd want on public discussion forums.


Not a good approach. IP addresses are easy to spoof, easy to obtain different ones, and not a reliable measure at all. It's very likely that you are annoying your real users a lot more than the actual spammers. 

 

If you cannot remember your own password 5 times in a row, your potential contribution to the forum content seems to be moot. Blocking or throttling offending IP addresses is a very efficient way of fighting bots. At least when it comes to forum spam bots.

 

Right now a bigger spammer campaign is running - I had attacks (or call it better floods) in 3 of my 5 communities over the last 24 hours.

And I saw it in some other communities too.

 

Looks like a championship to me. Check your htaccess and your sitemap file, and make sure they are authentic.


If you cannot remember your own password 5 times in a row, your potential contribution to the forum content seems to be moot. Blocking or throttling offending IP addresses is a very efficient way of fighting bots. At least when it comes to forum spam bots.

Banning IP addresses may cause collateral damage.

Spammers don't use single dedicated addresses but come from big IP pools belonging to access providers.

If we ban these addresses or bigger ranges, chances are that I ban innocent members.

And the spammers jump to the next address...

In this case we had about 20 spam accounts with 20 different IP addresses coming from 5 different access providers.

 

Looks like a championship to me. Check your htaccess and your sitemap file, and make sure they are authentic.

Sorry?

 

All I ever said is be careful. I was the one who publicly alerted the management about the first and second attack.

You are right - and thanks a lot for taking care.

 

No good deed goes unpunished, obviously.

If you refer to me:

When I explain what happened and what measures we take this is not meant as criticism.

And the discussion (and my 12 year forum admin experience) show that it's always a balancing act...

 

Andreas


Sorry?

 

In a sitemap file look for the changefreq parameters. There must be a reason why these bots attacked mostly the General forum. If the changefreq for General in your sitemap file is shorter than for any other subforum, it could mean that your site has indeed been hacked and used as a racetrack for the championship (yes, hackers do have sporting events).

 

Same with htaccess: if you haven't changed it in a while, dig out an old backup and compare it to the current version.
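The two checks suggested in this reply (a changefreq outlier in the sitemap, and the live .htaccess compared against an old backup) as an added example; this is not code from the forum software, and the sitemap and .htaccess contents below are constructed samples with placeholder hostnames.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample sitemap: one subforum is set apart from all the others.
SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://forum.example/forum/general/</loc><changefreq>always</changefreq></url>
  <url><loc>https://forum.example/forum/lenses/</loc><changefreq>daily</changefreq></url>
  <url><loc>https://forum.example/forum/bodies/</loc><changefreq>daily</changefreq></url>
  <url><loc>https://forum.example/forum/offtopic/</loc><changefreq>weekly</changefreq></url>
</urlset>"""

# Constructed .htaccess pair: the live copy gained a rule the backup never had.
HTACCESS_BACKUP = "RewriteEngine On\nRewriteRule ^old$ /new [R=301]\n"
HTACCESS_CURRENT = HTACCESS_BACKUP + "RewriteRule ^general/ https://placeholder.invalid/ [R=302]\n"

# The sitemap protocol's changefreq values, most frequent first.
FREQ_RANK = {"always": 0, "hourly": 1, "daily": 2, "weekly": 3,
             "monthly": 4, "yearly": 5, "never": 6}
NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}


def changefreq_outliers(xml_text: str) -> list:
    """Return the single URL whose changefreq is strictly more frequent than every
    other entry's (the suspicious pattern the reply describes), else an empty list."""
    root = ET.fromstring(xml_text)
    ranks = {}
    for url in root.findall("sm:url", NS):
        loc = url.findtext("sm:loc", default="", namespaces=NS).strip()
        cf = url.findtext("sm:changefreq", default="never", namespaces=NS)
        ranks[loc] = FREQ_RANK.get(cf.strip().lower(), 6)
    if len(ranks) < 2:
        return []
    best = min(ranks.values())
    winners = [u for u, r in ranks.items() if r == best]
    return winners if len(winners) == 1 else []


def htaccess_diff(backup: str, current: str) -> list:
    """Unified diff of the backed-up .htaccess against the live one; empty means identical,
    and any '+' line is a rule that appeared since the backup was taken."""
    if backup == current:
        return []
    return list(difflib.unified_diff(backup.splitlines(), current.splitlines(),
                                     "htaccess.backup", "htaccess.current", lineterm=""))
```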


If you cannot remember your own password 5 times in a row, your potential contribution to the forum content seems to be moot. Blocking or throttling offending IP addresses is a very efficient way of fighting bots. At least when it comes to forum spam bots.

 

IP addresses come from pools; a lot of networks don't give fixed IP addresses to their users but recycle them rather quickly. If you block IP addresses, you block all the people getting that IP in the future.

 

IP address banning is only a short-term measure and needs to be removed after a short time, or you cause collateral damage.

 

And there are many, many people who can't remember their passwords. I find it rather disgusting how you judge that, but that's just my personal view - having dealt with customer service for products that are used by hundreds of millions of people ...
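The middle ground the last few replies argue about (count failures in a sliding window, block for a limited time so a recycled dynamic IP is not punished forever, and key on the account as well so a distributed campaign across many IPs still trips a counter) as an added example; it is not the forum's own login code, and the clock is injected so the expiry can be exercised with a fake time.

```python
import time
from collections import defaultdict, deque

WINDOW = 15 * 60          # only failures within the last 15 minutes count
MAX_FAILURES = 5          # the "5 wrong attempts" discussed in the thread
BLOCK_SECONDS = 10 * 60   # a block expires by itself instead of living forever


class LoginThrottle:
    """Sliding-window failed-login counter with self-expiring blocks, kept per source IP
    and per account so the two are judged independently."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> time at which the block lapses

    def _prune(self, key, t):
        q = self.failures[key]
        while q and t - q[0] > WINDOW:
            q.popleft()

    def is_blocked(self, key) -> bool:
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if self.now() >= until:        # expired: forget the key entirely
            del self.blocked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key) -> bool:
        """Register one failed attempt; True when this one tipped the key into a block."""
        t = self.now()
        self._prune(key, t)
        self.failures[key].append(t)
        if len(self.failures[key]) >= MAX_FAILURES:
            self.blocked_until[key] = t + BLOCK_SECONDS
            return True
        return False

    def allow(self, ip: str, user: str) -> bool:
        """One IP hammering many accounts, or many IPs hammering one account, each trip a counter."""
        return not (self.is_blocked("ip:" + ip) or self.is_blocked("user:" + user))

    def failed(self, ip: str, user: str):
        self.record_failure("ip:" + ip)
        self.record_failure("user:" + user)
```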


IP address banning is only a short-term measure and needs to be removed after a short time, or you cause collateral damage.

 

And there are many, many people who can't remember their passwords. I find it rather disgusting how you judge that, but that's just my personal view - having dealt with customer service for products that are used by hundreds of millions of people ...

 

What kind of idiot bans an IP from a dynamic pool permanently? Stop projecting. Oh, and speaking of how I judge that... As someone who has had root access to various networks since the mid-90s, I've seen users' search histories. Now, that is disgusting indeed.

