hammered by newly registered members

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
adrian-smith31
Registered User
Posts: 13
Joined: Tue Jun 12, 2012 9:52 pm

Re: hammered by newly registered members

Post by adrian-smith31 »

My spam registrations have stopped but the server CPU usage is consistently over 75%, so much so that my host has placed limitations on the resources allocated to my site.
I did some investigation and it's caused by the site being hammered by bots from multiple IP addresses at the same time. All are failing to post / register but it is affecting the server performance.

Blocking a couple of bots in my .htaccess file seems to have reduced it by 50% although CPU usage is still currently higher than normal as I still have around 3 guests trying to register / post at any one time. It was much higher before I blocked the below bots.

AhrefsBot/4.0
Baiduspider/2.0
[ Code removed due to it being potentially read by spammers]

The first example is a bot that scans and downloads all pages from your site for the purposes of them being analysed for loopholes, password cracking etc. which can then be sold on to others. For a large forum this can affect the speed of the website dramatically when being scanned. This is how I think they managed to crack the passwords in the first place, by analysing the site offline. The second is a genuine Chinese bot but due to it constantly trying to post I guess it is being used by spammers.

Hope this may help someone.
Last edited by adrian-smith31 on Sat Nov 17, 2012 12:21 pm, edited 1 time in total.
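
The kind of investigation described in the post above, as an added example that is not part of the original post: it reads Apache "combined" access-log lines and counts hits on phpBB 3.0's registration and posting pages per /24 network and per user agent. The sample log lines, the ExampleBot user agent, the /24 grouping and the threshold are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import IPv4Network

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Nov/2012:10:00:01 +0000] "GET /ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.77 - - [17/Nov/2012:10:00:02 +0000] "POST /ucp.php?mode=register HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.77 - - [17/Nov/2012:10:00:03 +0000] "POST /posting.php?mode=post&f=2 HTTP/1.1" 403 900 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.5 - - [17/Nov/2012:10:00:04 +0000] "GET /viewtopic.php?f=2&t=9 HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
198.51.100.5 - - [17/Nov/2012:10:00:09 +0000] "POST /ucp.php?mode=register HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# phpBB 3.0 registration and posting entry points (board may sit in a subdirectory)
TARGET_RE = re.compile(r'/(?:ucp\.php\?(?:.*&)?mode=register|posting\.php)')

def summarize(log_text, threshold=2):
    """Count register/post hits per /24 and per user agent; flag busy /24s."""
    by_net, by_ua, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it, do not crash
            continue
        if not TARGET_RE.search(m["path"]):
            continue              # ordinary page view, not register/post
        try:
            net = IPv4Network(m["ip"] + "/24", strict=False)
        except ValueError:        # IPv6 address or hostname: out of scope here
            skipped += 1
            continue
        by_net[str(net)] += 1
        by_ua[m["ua"]] += 1
    flagged = sorted(n for n, c in by_net.items() if c >= threshold)
    return {"by_net": by_net, "by_ua": by_ua, "flagged": flagged, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("flagged /24s:", report["flagged"])
    for ua, hits in report["by_ua"].most_common():
        print(hits, ua)
```

A flagged /24 is only a lead for review: the same range can contain proxies or real visitors, so check the user agents and timing before blocking anything.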
HGN
Former Team Member
Posts: 4706
Joined: Wed Dec 03, 2008 1:53 pm
Location: The Netherlands
Name: Alfred
Contact:

Re: hammered by newly registered members

Post by HGN »

faulksie47 wrote: Is it not possible to block all access to our website / forum to the specific country IPs? It would free the site of the resources they are using as well :-) which they still are! Mostly RU and CN country codes.

My particular forum would be of no interest to some countries, nor do we need to attract members from the countries the spam bots seem to be mostly using?
You could block access for IP ranges to your site, through .htaccess. Configuring .htaccess is outside the scope of this board.
It is better not to add large numbers of IP addresses to the ban list of the phpBB board, because that will decrease the performance.
J_M
Registered User
Posts: 269
Joined: Wed Jul 20, 2005 12:26 pm

Re: hammered by newly registered members

Post by J_M »

were sites hit that required the activation by Admin? or just those that required activation by email?

I see that Xrumer can identify whether a site requires email activation... does it not bother if it requires activation by Admin?

thanks
J_M
Registered User
Posts: 269
Joined: Wed Jul 20, 2005 12:26 pm

Re: hammered by newly registered members

Post by J_M »

I typically ban by email/username/IP for any spammer, but if the spammer/bot is using a proxy am I creating a problem? Or, would a proxy that is used always be illegitimate?

thanks
wmtipton
Registered User
Posts: 564
Joined: Thu Apr 26, 2007 8:16 pm
Contact:

Re: hammered by newly registered members

Post by wmtipton »

Just a note for anyone who is interested.
I changed my Q&A last night to ask about something a bot couldn't figure out, such as "what is the color of the dress of the second figure in the banner above?".
Seems to have worked like a charm. I was getting about 10-20 spammers signing up per half hour, sometimes a LOT more than that, and this morning I didn't have a single one get through after changing all of the questions on all of the forums I run.

The one forum has a rose in the background, so I changed the question to just ask what kind of plant is in the background (one word).
Obviously a real spammer could figure it out but if these dirtbags want to put their physical eyes on EVERY forum out there to have to spam us, let them spend every day of their lives spamming a couple hundred boards. :roll:
J_M
Registered User
Posts: 269
Joined: Wed Jul 20, 2005 12:26 pm

Re: hammered by newly registered members

Post by J_M »

let them spend every day of their lives spamming a couple hundred boards.
I'm afraid that may be the case:

http://www.omg-facts.com/Business/Spamm ... 04?c_val=3

It's entirely possible that the lack of hits for all of us that have changed the question is simply because they haven't found them yet and not because the questions have gotten better.
Funkycowie
Registered User
Posts: 17
Joined: Tue Mar 24, 2009 9:02 pm

Re: hammered by newly registered members

Post by Funkycowie »

I think I got one come through by using 'Sortables'. I'm keeping an eye on their activity, but it's taken a few hours since I installed and opened registration on my site before this happened. They might be genuine.

I like the picture Q&A idea.
KevC
Support Team Member
Posts: 70000
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: hammered by newly registered members

Post by KevC »

J_M wrote:were sites hit that required the activation by Admin? or just those that required activation by email?

I see that Xrumer can identify whether a site requires email activation... does it not bother if it requires activation by Admin?

thanks
You can't tell that until you hit submit.
A couple of boards I help out on that required admin activation also got hit. I woke up Friday morning to find 70 emails in my inbox :)
J_M wrote: I typically ban by email/username/IP for any spammer, but if the spammer/bot is using a proxy am I creating a problem? Or, would a proxy that is used always be illegitimate?

thanks
All that's doing is making your ban table enormous. Sooner or later your ban list will grind to a halt. I rarely, if ever, see them using the same info twice. I just delete the account. That's it. IP banning isn't much use. As you say they often use proxies and that could potentially be an address used by a real user.
J_M
Registered User
Posts: 269
Joined: Wed Jul 20, 2005 12:26 pm

Re: hammered by newly registered members

Post by J_M »

thanks Kevin,

I guess I should take a look at my ban list and see if it's already too big.

The info I found on Xrumer mentioned:

ACTIVATION – activation by E-mail required.

http://xrumerschool.com/category/xrumer

the author mentioned E-mail but it must be ALL activation.
Schwpz
Registered User
Posts: 335
Joined: Wed May 07, 2003 1:33 pm
Location: Planet Zot
Contact:

Re: hammered by newly registered members

Post by Schwpz »

I had a spam post too on my forum asking about where to download X rum er before the spam wave hit it. I wish I hadn't deleted it, or I could have shared the details (time, IP, account name, etc.) =/
Last edited by Schwpz on Sat Nov 17, 2012 4:54 pm, edited 1 time in total.
pat538
Registered User
Posts: 140
Joined: Tue Nov 25, 2003 12:27 am
Location: Evans City pa
Contact:

Re: hammered by newly registered members

Post by pat538 »

I am also getting hundreds of spam the last couple of days.

From what I have found, most are from Ukraine, the Russian Federation, France, China and Israel.

I was thinking of finding all the IPs from those countries
and putting that range of IPs in the "IPDENY MANAGER" of the cPanel.

The way I understand this is that it blocks them from even seeing my message board.

Would this slow down my site?

would like some thoughts on this idea.

pat
J_M
Registered User
Posts: 269
Joined: Wed Jul 20, 2005 12:26 pm

Re: hammered by newly registered members

Post by J_M »

Schwpz wrote:I had a spam post too on my forum asking about where to download Xr
unfortunately we are probably giving them the publicity that they wanted
durangod
Registered User
Posts: 709
Joined: Tue Nov 03, 2009 1:26 pm
Name: Dave

Re: hammered by newly registered members

Post by durangod »

Same situation here; it seems to have happened all of a sudden, as if someone found an exploit. So I did change to admin approve till I figure out what to do. At first I also changed my questions to much harder ones but that does not stop them.

I have also started banning the IP from the cPanel as well, and if I get two from the same group of IP numbers then I ban xxx. the whole sequence of IP instead of xxx.xxx.xxx (I never do all four, just three groups).

I'm not sure there is anything else we can do but maybe create another special required field somehow.
John P
Registered User
Posts: 1237
Joined: Mon Jan 21, 2008 3:55 pm
Location: Netherlands
Name: John
Contact:

Re: hammered by newly registered members

Post by John P »

Don't think so, on one of our boards we changed the question "How many wheels have a car" to one more because there aren't 4 wheels in a car and the spam stopped immediately.
Logging the answers gives only 3 or 4
stevemaury
Support Team Member
Posts: 51399
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: hammered by newly registered members

Post by stevemaury »

perpetualjon wrote:Count me in too. I got slammed last night on my forum 3.0.10. So I took a chance and updated to 3.0.11 with no change. I've also gone ahead and disabled registration. I've been using a simple QA for several years now with no problems... Definitely looks like somehow there is a bypass of the entire registration process... Hope this gets fixed soon!!
There is no "bypass" of the registration system. But, once again, without links such comments are meaningless.