Posted: Tue Feb 22, 2005 2:11 am
by RebirthSephiroth
Yes, this is getting very annoying. Although I don't want to disable guest posting, is there an "official" mod being worked on or something to be done about this?

Also, does it really cause havoc, as I read in one user's post where he lost 1000s of posts and some mods, and index?

Posted: Tue Feb 22, 2005 2:21 am
by Jaheira
Yes it truly is getting very annoying. I've deleted 5 topics of that in the past 15 mins. One I cannot get to due to me not being a mod of that specific forum. Hopefully something can be done about it.

Arrest pepotamo now!

Posted: Tue Feb 22, 2005 5:11 am
by filmscheduling
Pepotamo1985 has apparently hit about 30k sites, according to my last Google search for the name.

Using the word ban/substitution feature can be helpful. You can do a couple of simple substitutions to make the text of his posts harmless. Ban usernames *anonymous* and of course *pepotamo*. He has also posted as "Bill Gates 666".

He has left an email address of pepotamo@tierramedia.org, located in Madrid, Spain. It's probably a red herring, maybe an ISP he doesn't like. As another person noted, Pep has linked his spam to a website in Seville, Spain. He has also linked to a website in Uruguay but most of his activity appears to link to Spain. His links have contained track codes in the URL such as "ctg8febero". So it doesn't take Sherlock Holmes to figure out he speaks Spanish and possibly lives in Spain. The websites he's linking to probably know who he is personally, just my guess.


tierramedia.org
Registrant State/Province:Spain
Registrant Postal Code:18004
Registrant Country:ES
Registrant Phone:+34.636962814
Admin Name:Antonio Javier Garcia Martinez
Admin Organization:TierraMedia.org
Admin Street1:C/Maria Barrientos 4 B, 1-1
Admin City:Madrid
Admin State/Province:Spain
Admin Postal Code:28021
Admin Country:ES
Admin Phone:+34.636962814
Name Server:NS1.TIERRAMEDIA.ORG
Name Server:WWW.SUCUNZA.NET

He has linked to dirtylesbo.com, obviously to make money on referrals:
Domain Name: DIRTYLESBO.COM

Administrative Contact:
Caetano, Martin hosting@liveinteractive.net
Scottsdale, AZ 85251 US 9015064

BUT according to their web page, the offices of liveinteractive.net are apparently based in Uruguay:

Phones:
+ 598 (2) 900 12 95
+ 598 (2) 901 50 64
Montevideo, Uruguay

If Mr. Caetano of liveinteractive.net is paying pepo then that might be illegal. Maybe a PHPBB user in Uruguay can contact that company.. in person! :roll:

Pepotamo is also linking to mcounter.com/lesbian. Mcounter.com is registered with Necostek, another company in Spain:
Necostek
Amador Cubino (acubino@necostek.com)
avd de parayas n2 5izda
Maliano ES Tel. +34.625792586

Here is the reg data for mcounter.com:

Registrant:
Perico Tropovel Sanbernardo
Perico Tropovel Sanbernardo (pericotropovel@gmail.com)
st marc thonin
Ainxous null,23443 US Tel. +555.6548885554

"pepotamo" could be "perico sanberardo". "pepotamo" sounds like a playful nickname. He has entered bogus data for the registration record.. I wonder what Mr. Cubino thinks of this.

Thoughts anyone? What are the spam laws in Spain? Anybody in Spain been hit by pepotamo? I want pepotamo to fix 30k boards for community service..

Posted: Tue Feb 22, 2005 8:16 am
by wg_mithrandir
Hi guys!

Are the exploits this spambot uses addressed in the 2.0.12 release?

bye, mith

Posted: Tue Feb 22, 2005 11:37 am
by Johan_C
Hi !

Sorry for my poor English :)

For registration, try this

in includes/usercp_register.php

find all occurrences of agreed and rename agreed by another var name...

I did this modification on my forum.... let's see if this works...

cu ;)

Posted: Tue Feb 22, 2005 11:50 am
by noth
Pepotamo has hit 2 of my popular forums

I have tried banning him under IP numbers

next day he just uses another IP - this is a real threat to all phpBB2 forums

Posted: Tue Feb 22, 2005 1:27 pm
by NeoThermic
wg_mithrandir wrote: Hi guys!

Are the exploits this spambot uses addressed in the 2.0.12 release?

bye, mith


This spambot isn't exploiting anything bar forums that allow guests to post. This is a sad result of trusting people on the web. You'll note in this topic there are ways around it, including visual confirmation for guests to post, which should solve this.

NeoThermic

Posted: Tue Feb 22, 2005 4:44 pm
by filmscheduling
I think Pepotamo1985 is:

Perico Tropovel Sanbernardo
Perico Tropovel Sanbernardo (pericotropovel@gmail.com)
st marc thonin
Ainxous null,23443 US Tel. +555.6548885554

According to reg data for mcounter.com

"pepotamo" sounds like a playful nickname.

Posted: Tue Feb 22, 2005 5:32 pm
by mikeyman2005
Kanuck wrote: Then either you don't have 2.0.11 or you haven't enabled visual confirmation in the administration panel.

What would really fix all this though, is visual confirmation for guest posting...


Well I do have 2.0.11 and it hasn't been modified but I can't see the Visual Confirmation option in my config panel. Where should it be? How can I activate it?

Posted: Tue Feb 22, 2005 7:49 pm
by PaulHB
NeoThermic wrote: This spambot isn't exploiting anything bar forums that allow guests to post.

I must sadly tell you this is not the case.

I got hit today, and my boards do not allow guest posts. I checked the permissions on the forum that the post went to - guests can read, only registered users can post.

As previously mentioned in this thread it's not that difficult to teach a bot to respond to a verification e-mail. Of course it does mean a valid (if not stolen) e-mail address is needed, so banning that will work until a new address is put in.

Looks like I will have to start using visual confirmation. :evil:

<>< Paul

Posted: Tue Feb 22, 2005 7:55 pm
by PaulHB
mikeyman2005 wrote: Well I do have 2.0.11 and it hasn't been modified but I can't see the Visual Confirmation option in my config panel. Where should it be? How can I activate it?

Go to the admin panel. On the left side click on "Configuration". Eighth item down in the configuration panel is "Enable Visual Confirmation" - set it to yes, submit, and test.

<>< Paul

Posted: Tue Feb 22, 2005 11:07 pm
by The_Systech
One thing that I've done, though it's not the cleanest solution and I'm not recommending it to anyone else... I didn't want to completely disable guest posts, but from reading through my server logs, and judging from the comments here, it's fairly likely the guy is using a script of some kind. With the server logs, the only entries from the IPs of the "poster" are directly to posting.php, one get, one post per message added.

So to make it at least slightly more difficult to do, I added a referer check to the top of posting.php. The theory being that no legitimate user should hit posting.php before hitting at least one other page on the site first.
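
The access-log pattern described in the post above (clients whose only requests go straight to posting.php), as an added detection example that is not part of the original post. The Apache combined log format, the sample lines, and the function name `posting_only_clients` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2005:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Feb/2005:10:00:09 +0000] "GET /viewforum.php?f=2 HTTP/1.1" 200 7300 "http://forum.example/index.php" "Mozilla/5.0"
192.0.2.10 - - [22/Feb/2005:10:00:30 +0000] "GET /posting.php?mode=newtopic&f=2 HTTP/1.1" 200 6100 "http://forum.example/viewforum.php?f=2" "Mozilla/5.0"
192.0.2.10 - - [22/Feb/2005:10:01:40 +0000] "POST /posting.php HTTP/1.1" 200 2100 "http://forum.example/posting.php?mode=newtopic&f=2" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2005:10:02:00 +0000] "GET /posting.php?mode=newtopic&f=2 HTTP/1.0" 200 6100 "-" "-"
198.51.100.7 - - [22/Feb/2005:10:02:01 +0000] "POST /posting.php HTTP/1.0" 200 2100 "-" "-"
203.0.113.5 - - [22/Feb/2005:10:03:00 +0000] "GET /viewtopic.php?t=9 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def posting_only_clients(log_text, target="/posting.php"):
    """Return {ip: stats} for clients that POSTed to `target` without ever
    requesting any other page; stats also count POSTs sent with no Referer."""
    seen = defaultdict(lambda: {"posts": 0, "other_pages": 0, "no_referer_posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        stats = seen[m["ip"]]
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path != target:
            stats["other_pages"] += 1
        elif m["method"] == "POST":
            stats["posts"] += 1
            if m["referer"] in (None, "", "-"):
                stats["no_referer_posts"] += 1
    # A browsing user reaches the posting form via index/viewforum pages first.
    return {ip: s for ip, s in seen.items()
            if s["posts"] > 0 and s["other_pages"] == 0}

if __name__ == "__main__":
    for ip, s in posting_only_clients(SAMPLE_LOG).items():
        print(ip, s)
```

The Referer header is supplied by the client, so the missing-referer count is a triage signal for reviewing posts rather than proof of automation.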

Posted: Wed Feb 23, 2005 12:01 am
by tamaraisbraun
Meep! This is happening to my site as well! I was lucky enough to have noticed the posts just as they were posted so no one else saw them. The only sub forums affected were ones I was too lazy to make registered only. But I fixed that mistake and I also banned their name from being registered as well as changed it so all new members have to go through me. There are currently 12 people on my site and I wonder if it's all the bot that's spamming. [I was about to get excited that people visit it! LOL]

Posted: Wed Feb 23, 2005 12:16 am
by Einstein
PaulHB wrote: As previously mentioned in this thread it's not that difficult to teach a bot to respond to a verification e-mail. Of course it does mean a valid (if not stolen) e-mail address is needed, so banning that will work until a new address is put in.

I experienced that today ... a bot did register but didn't send any messages. It's time for visual confirmation.

Posted: Wed Feb 23, 2005 1:11 am
by Einstein
This is really getting serious guys. With the latest information this script can both register itself and send guest posts. Without visual confirmation and somehow modified or disabled guest posting, you aren't safe.

Google now finds 47 900 hits ... and it's increasing. That's a huge number.