Spam attack!

#21
About a week ago I installed a plugin into my weblog in an effort to deal with the overwhelming amount of spam that I am getting buried in. This plugin (little piece of software really) checks all incoming traffic on my blog against 2 of these websites that track IP addresses known for spamming. When a known spambot/spammer lands on my site, the connection is automatically terminated. This means that legitimate people should (in theory) be the only ones using the pages, thus getting faster page loads.

During the first week what I've seen is that during a 24 hour period, this plugin is blocking approximately 750 to 800 spambots on my site. That's just crazy!
The IP address identifies only the server, which many users share. You could be blocking lots of legitimate visitors.
 

Helen

Content Expert Saxophones
Staff member
Administrator
#22
The IP address identifies only the server, which many users share. You could be blocking lots of legitimate visitors.
It tests these IP addresses against known spammers, and also has default thresholds that are also adjustable. Pete could probably explain it better, because I believe we use a similar service on this forum.
 

pete

Brassica Oleracea
Staff member
Administrator
#23
Oh, I just ban everyone. I'm really quite antisocial.

I think you're talking about second-level domains, Al. IP addresses are not necessarily for just specific servers, but for specific machines. True, most services (dial-up, DSL, satellite, cable, etc.) use DHCP (i.e. your IP address will change, within a certain range, after a while), but if someone's hitting you HARD with the spam, sometimes just banning the username isn't enough.

On rare occasions, I've had to ban entire subnets, which could mean banning 256 or more users (depending on what segment I'm starting with) or an entire second-level domain, but that's rare.

Ultimately, the idea behind IP banning is to make life more difficult for spammers and trolls. It's definitely not a cure-all, because if you banned my IP address, I could get another one in a couple minutes. Ban my username AND IP, it'll take me a few more minutes. Ban my entire subnet and username, still more, etc.

FWIW, if you're a known spammer and your IP is 1.2.3.4 (using IPv4, of course), chances are that if I ban 1.2.3.4, I'm not going to ever ban a legitimate user. If I ban 1.2.3.x, there's a greater chance, but doubtful, as most spammers seem to use the same subnets (so I've just banned 256 potential baddies). 1.2.x.x is much more risky and 1.x.x.x may cut me off from teh werld!!!111one

In any event, the service that Helen mentions isn't quite what we have here on the WF. Service #1 (Akismenet or something like that) checks the content of any post against a list of spam-target words and throws the post into "Moderated" where no one can see it, if the service is tripped. Service #2 is me and our Admins: we manually check the IP address, username and/or e-mail address of any new user against lists of known spammer details (Google will pop up hundreds of these services) and if they match, we ban the user and leave a message that says, "Known spambot username, IP address or e-mail address. Questions? Contact me at thesaxinfo@gmail.com." Additionally, I do implement most of the security tweaks mentioned on the vBulletin websites.
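
The trade-off described in post #23, as an added example that is not part of the original post: a ban is widened to a whole /24 only when several distinct spam sources share it and no known legitimate visitor sits in it. The sample addresses, the `min_sources` cut-off and the function names are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the forum's logs). 1.2.3.x is the
# post's own example range; the rest are documentation addresses.
SPAM_IPS = ["1.2.3.4", "1.2.3.9", "1.2.3.77",
            "198.51.100.7", "198.51.100.8", "198.51.100.9",
            "203.0.113.5"]
LEGIT_IPS = ["198.51.100.200", "192.0.2.10"]


def blast_radius(ip, prefixes=(32, 24, 16, 8)):
    """Addresses covered when the ban on `ip` is widened to each prefix."""
    return {p: ipaddress.ip_network(f"{ip}/{p}", strict=False).num_addresses
            for p in prefixes}


def propose_bans(spam_ips, legit_ips, min_sources=3, prefix=24):
    """Ban a whole subnet only where several distinct spam sources share it
    and no known legitimate visitor does; otherwise ban single addresses."""
    legit = {ipaddress.ip_address(ip) for ip in legit_ips}
    by_subnet = defaultdict(set)
    for ip in spam_ips:
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_subnet[subnet].add(ipaddress.ip_address(ip))
    bans = []
    for subnet, sources in by_subnet.items():
        collateral = any(addr in subnet for addr in legit)
        if len(sources) >= min_sources and not collateral:
            bans.append(subnet)
        else:
            # Too few sources, or a real visitor nearby: stay at /32.
            bans.extend(ipaddress.ip_network(f"{a}/32") for a in sources)
    return [str(n) for n in sorted(bans)]


if __name__ == "__main__":
    print(blast_radius("1.2.3.4"))
    print(propose_bans(SPAM_IPS, LEGIT_IPS))
```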
 

Helen

Content Expert Saxophones
Staff member
Administrator
#24
In case anyone is interested, the 2 websites that all the incoming traffic on my site is checked against are: Stop Forum Spam & Project Honey Pot. When an incoming visitor is determined to be a spammer, it triggers a message that looks like this:

Spam IP: 212.235.107.70
Accessing: /blog/?cat=173

Checked at Stop Forum Spam
Information
Last Seen: 2009-12-09 09:31:55
Frequency: 54
Call took: 0.221323
Threshold (3) reached. Connection terminated

Checked at Project Honey Pot
Information
Days since last activity: 91
Type: Suspicious & Comment Spammer
Score: 20
Call took: 0.018961
Just this morning I got an email from Project Honey Pot that some of you might find interesting.

Dear Helen:

On Wednesday, December 9, 2009 at 06:20 (GMT), Project Honey Pot achieved a milestone: receiving its 1 billionth spam message. The billionth message was a United States Internal Revenue Service phishing scam sent to an email address that had been harvested more than two years ago. More than just a single spam email, the billionth message represents the collective work of you and tens of thousands of other web and email administrators like you in more than 170 countries around the world. Together we have built Project Honey Pot into the largest community tracking online fraud and abuse.

To celebrate this milestone, we sifted through five years of data to learn more about spam and the spammers who send it. As a small token of thanks for your help, we wanted to share some of our more interesting preliminary findings. Click the following link for the Full Report:

http://www.projecthoneypot.org/1_billionth_spam_message_stats.php

Highlights include:

- Monday is the busiest day of the week for email spam, Saturday is the
quietest
- 12:00 (GMT) is the busiest hour of the day for spam, 23:00 (GMT) is the
quietest
- Malicious bots have increased at a compound annual growth rate (CAGR) of
378% since Project Honey Pot started
- Over the last five years, you'd have been 9 times more likely to get a
phishing message for Chase Bank than Bank of America, however Facebook is
rapidly becoming the most phished organization online
- Finland has some of the best computer security in the world, China some
of the worst
- It takes the average spammer 2 and a half weeks from when they first
harvest your email address to when they send you your first spam message,
but that's twice as fast as they were five years ago
- Every time your email address is harvested from a website, you can expect
to receive more than 850 spam messages
- Spammers take holidays too: spam volumes drop nearly 21% on Christmas Day
and 32% on New Year's Day
- And much more.....

We have published it under the Creative Commons Attribution license, so don't hesitate to share anything you find interesting. In the end, we couldn't have gathered this data without you.

Thank you for all your help over the last five years. Here's to wishing you happy holidays and a relatively spam-free New Year.

Sincerely,
The Project Honey Pot Team
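
The two checks behind the block message in post #24, as an added example that is not part of the original post or the plugin's own code. It assumes the plugin queries Project Honey Pot through its http:BL DNS service, whose answer packs days since last activity, threat score and visitor type into one IPv4 address, and that the Stop Forum Spam threshold is compared against the Frequency field. The access key, the `min_score` and `max_age_days` defaults and the sample answers are constructed placeholders.

```python
# Visitor type bits in the last octet of an http:BL answer (0 = search engine).
VISITOR_TYPES = {1: "Suspicious", 2: "Harvester", 4: "Comment Spammer"}

# Constructed answer matching the values shown in the post:
# 91 days since last activity, score 20, Suspicious & Comment Spammer.
SAMPLE_ANSWER = "127.91.20.5"


def httpbl_query_name(access_key, ip):
    """DNS name to resolve: access key, then the IPv4 octets reversed."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return f"{access_key}.{reversed_ip}.dnsbl.httpbl.org"


def decode_httpbl(answer):
    """Decode an http:BL A record of the form 127.<days>.<score>.<type bits>."""
    first, days, score, bits = (int(octet) for octet in answer.split("."))
    if first != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    if bits == 0:  # search engine: the other octets are not days/score
        return {"days": None, "score": 0, "types": ["Search Engine"]}
    types = [name for bit, name in VISITOR_TYPES.items() if bits & bit]
    return {"days": days, "score": score, "types": types}


def decide(sfs_frequency, httpbl_answer, sfs_threshold=3,
           min_score=25, max_age_days=30):
    """Return (block, reasons). httpbl_answer is None for an unlisted IP."""
    reasons = []
    if sfs_frequency >= sfs_threshold:
        reasons.append(f"Stop Forum Spam frequency {sfs_frequency}")
    if httpbl_answer is not None:
        info = decode_httpbl(httpbl_answer)
        # A stale or low-score listing alone should not lock out whoever
        # holds the address today.
        recent = info["days"] is not None and info["days"] <= max_age_days
        if recent and info["score"] >= min_score:
            reasons.append(f"Project Honey Pot score {info['score']}")
    return bool(reasons), reasons


if __name__ == "__main__":
    print(httpbl_query_name("youraccesskey", "212.235.107.70"))
    print(decode_httpbl(SAMPLE_ANSWER))
    print(decide(54, SAMPLE_ANSWER))
```

With these assumed defaults the visitor in the post is blocked on the Stop Forum Spam frequency alone; the 91-day-old Project Honey Pot listing would not have triggered a block by itself.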
 
#26
Spam attack

I just got an online pharmacy type spam message in my PM inbox from bevaageta. You are welcome to check my inbox for verification. I have added bevaageta to my ignore list.
 

Steve

Clarinet CE/Moderator
Staff member
CE/Moderator
#27
I just got an online pharmacy type spam message in my PM inbox from bevaageta. You are welcome to check my inbox for verification. I have added bevaageta to my ignore list.
he/she/it was banned :-D

I got it too .. figured he/she/it sent it to probably everyone.
 

Steve

Clarinet CE/Moderator
Staff member
CE/Moderator
#32
<raises hand>
It's fascinating that all this cumbersome spamming work still seems to pay off. :emoji_astonished:
I think the number put out there was about 50% of new members are actually these spambots. You'll see signature lines like "Clean White Teeth" or other worse things in the postings.

Management is well aware and are working on solutions. They're just sleeping right now. lol :-D
 

tictactux

Distinguished Member
Distinguished Member
#33
I think the number put out there was about 50% of new members are actually these spambots. You'll see signature lines like "Clean White Teeth" or other worse things in the postings.

Management is well aware and are working on solutions. They're just sleeping right now. lol :-D
Yeah, maybe things like captchas after every post are necessary. Which somehow contradicts barrier-free computing, unfortunately.
 

Carl H.

Distinguished Member
Distinguished Member
#34
Yeah, maybe things like captchas after every post are necessary. Which somehow contradicts barrier-free computing, unfortunately.
In my experience, about 30% of the time those things are indecipherable. I'll take the random spam over those things any day!
 

pete

Brassica Oleracea
Staff member
Administrator
#35
I think the number put out there was about 50% of new members are actually these spambots. You'll see signature lines like "Clean White Teeth" or other worse things in the postings.

Management is well aware and are working on solutions. They're just sleeping right now. lol :-D
More like "drugged senseless". Not exactly sleeping, but it's hard to tell the difference.
 
#36
I just deleted a spam message about pharmaceuticals from my PM inbox. That's the first time I'd seen that.
 

pete

Brassica Oleracea
Staff member
Administrator
#37

Ed

Founder
Staff member
Administrator
#38
I agree it is frustrating and we keep employing the best available methods from the forum software but the bots are getting more complex as time goes on.
 

Carl H.

Distinguished Member
Distinguished Member
#39
I agree it is frustrating and we keep employing the best available methods from the forum software but the bots are getting more complex as time goes on.
Maybe if they had to supply the name and model of an instrument, to be approved by (??) to sign up and post? Hard for a computer to expect that one.
 

pete

Brassica Oleracea
Staff member
Administrator
#40
Take me, for instance. I've been posting online for 12 or so years, created a couple successful websites and even helped run a few forums. No one has yet realized that I'm a bot.
 