By Rhino on

So I was minding my own bees and getting a cup of joe, when I return to my keyboard I see hundreds of users being created (each one triggering an email to me) and all of them are from 95.132.37.166. Each user page was then filled with links, keywords and porn images. I was a little slow moving in trying to stop them (having to take a call about work), and the pages just kept coming.

Troll module allows me to see the user with IP 95.132.37.166 - but I still have to click "block this user" on each one, I can't just radiobutton my way down the row. Very ow carpal tunnel. I wish I could mass-block every user with that IP with one click.

For some reason the SPAM module, where I had checked "users" doesn't actually check for spam on users anymore on Drupal6 (in this incarnation it has before so I'm sure that will be fixed). I had spam module blocking user signups before in d5 and that worked OK, only four or so real people being blocked.

But seeing as I just had so many of these, I'm open to a more general discussion on battling spambots of this type. I've found that Mollum and Spam moduels piss my real users off to no end as they are constantly caught in the spamtrap and yet it never seems to prevent attacks like these (mollum was not on today). What do you do?

(in the end I simply iptables -I INPUT -s 95.132.37.166 -j DROP to this guy - but not everyone has this option)

Categories: Drupal 6.x

Comments

sada.lala’s picture

sada.lala commented

Can you check your site at unmaskparasites.com ?
Please read this http://drupal.org/node/454692 and post any feedback if you see something similar in your site.

Rhino’s picture

Rhino commented

Sure thing. I just saw that there's new upgrades for Drupal that I need to attend to as well (in case that had anything to do with this mornings flood)*

Umasked gave me a clean record: not currently listed as suspicious, all external links (like to technorati etc) are safe.

* update, the only thing out of date today was the Troll module. :) Funny.

johnious’s picture

johnious commented

Perhaps the CAPTCHA module could assist you in that. If (I guess so) there is a form that users create accounts, CAPTCHA can provide some level of identification amongst bots and humans. There are also statistics in the module settings as what was blocked.

Hope the above helps

Rhino’s picture

Rhino commented

I'll turn the captcha back on again (like the other spam protectors, it honestly didn't seem to help much)

It's interesting to note that this guy had images prepared for Drupal site. He links whereufrombb.com/drupal.jpg as image and drupal.html on the same domain as homepage (Don't look, it's just a porn-banner)

johnious’s picture

johnious commented

Even if this is not a hard and fast rule, when forms with a CAPTCHA challenge are submitted, in most of the cases are due to humans instead of bots. Ergo, you could possibly determine whether the "attacker" is human or bot.

Rhino’s picture

Rhino commented

Ah, I had forgotten to turn on email verify module, which is also one of those good little traps to prevent bots from wreaking havoc. http://drupal.org/project/email_verify

Rhino’s picture

Rhino commented

Anyone else have other suggestions or fresh ideas on how to protect against user signup spam?

Since this morning I've enabled the email check, and a math Captcha on user signups, and I do have the "spam" module running, but even an upgrade on that one did not allow me to filter new user accounts for spam.
I'm still getting a new user signup (total spam user with links in their bio leading to russian blogspot adsense scraper blogs, and various Paris Hilton Sex Tape sellers) roughly every ten minutes all day long. I'm getting carpal tunnel deleting them all. Since they never actually get a chance to log in, their IP does not stick to the Troll module which I also have enabled.

Any other fun modules I can use to help stave off this flood of spam? Anyone else feeling the spam today in particular?

gmasky’s picture

gmasky commented

Have you tried the bad behavior module http://drupal.org/project/badbehavior?

Also setup captcha to use image captcha instead of math captcha

cliff’s picture

cliff
he/him
commented

At the bottom of the badbahavior module page, there's a note that says it hasn't been supported since May 13, 2009—not very long to us humans, but perhaps eons in the world of spambots.

I would guess that doesn't necessarily mean not to use it, just not to rely on it exclusively. Right?

– Cliff

arleym’s picture

arleym commented

I am getting the exact same issue, though it's on a site I made a year ago. It hurts to learn about this today. There are currently 1700ish users. Some are real. Ug. Thanks for your suggestions. I guess I'll install all the modules you have... and get spammed anyways. Sigh.

lionheart8’s picture

lionheart8 commented

Have you tried mollom?
I had spam submissions especially in the Guestbook for a while, which I had set not to require registration/log in & kept getting entries there, mostly from Russia & drugs sellers.
I disabled Guestbook entries for anonymous users, but in spite of image capture, managed to get a bot registration or so.
I was advised to use the random option of captcha and in addition installed the mollom module (this apparently does not protect the Guestbook, at least the last time I checked), & the BlockAnonymousLinks module.
Just about every form is checked by one or the other.
Since then, it is now a couple of months since I last received a spam entry.

Rhino’s picture

Rhino commented

Sorry to hear that. Here's all the things that I am doing right now, hope it helps you.

Spam module (with fix - check the latest threads on it, there are some patches)
Email verification check.
Captcha (Now, ASCII Captcha) - gmasky has a point there on using anything but math captcha.
One radio button that a new user must check to prove that they are human - add this in the profile fields.
False account (if one spammer signs up as several innocent looking users I can see it pretty fast)
Advanced User - delete all the bad guys in one fell swoop.
Troll module (to see IP# if spammers do get in and comment)

Regarding Mollum: I did use it for a while but it gave false positives for comments made on the site from legit users and then still let spam through, so I gave up on it pretty fast. It worked perfectly for a couple of weeks, or so I thought, but then legit users emailed complaints to me about their comments getting lost and I can't have that happening it ticks them off. I would still use it if it allowed for comments to be saved so that I could "unlock" false positives.

Oh, and I haven't used BadBehaviour in eons. It simply doesn't work these days.

gmasky’s picture

gmasky commented

I have robots trying to login and create accounts. I could tackle the create accounts via image captch. However captcha in the login block was cumbersome. So I was left with robots trying to log in all the time and failing, on the face of it not harmful but consuming bandwidth. By default only registered users can post comments on our site.

I first tried Bad Behavior, which worked perfectly on our site, all the robot logins stopped. The one downside was it banned even legitimate users. I then removed bad behavior and installed the mollom module. It worked fine but there were sparodic incidents of robots trying/failing to login. After mollom worked for a few days suddenly OG notifications stopped going out and we have become addicted to OG notifications. I am not sure if mollom was directly responsible for this. Even after I uninstalled mollom OG notifications refused to work. I got over that by upgrading to OG 5.x.8.0 and using the messaging-notifications framework which gives me fantastic functionality for OG as well as other content types.

publetariat’s picture

publetariat commented

I'm running drupal 6.10 and I'm not using Organic Groups (I assume this is what the "OG" in the above post refers to). I was also having problems with 'bot registrations and spam comments on my site, and decided to try Mollom---which was created by the same guy who created drupal, so it's got that working for it.

I've been very happy with Mollom on both my drupal sites, and haven't had a single instance of 'bot registration or spam commenting since installing it.

gnassar’s picture

gnassar commented

Just a note: the dev version of Spam from today should now be usable without patches from the issue threads. Might want to give that a shot.

Rhino’s picture

Rhino commented

I have reinstated the Spam module and all of the above (word captcha instead of Figlet captcha these days though since the figlet, much as I like it, came out funny looking in my new theme).

I'm still getting at least one spammer a day, however, and some of them have the gall to post passages from the bible/random word strings which the Spam module and the captcha seem powerless to prevent. I will have to revert to "moderator approval" on all new accounts.

ferrangil’s picture

ferrangil commented

Hello!
We started having problems with users who fill their profile bio with links to random sites (acne, pills, seo sites, ... not too much porn in fact).
I had an easy math captcha, which I changed to an image one, and also I've been using Mollom. They can always register, and it looks like they are REAL people sitting on a computer. With woopra, I saw some are using FF, others IE8, IE7, Chrome...
I also added spamicide (http://drupal.org/project/spamicide) on the registration form (use firebug and comment the display:none to see the field that must be empty to continue with registration). As they doesn't seem to be bots, they doesn't see the field as you and I do with our browser.

I created a simple PHP page to find, list and remove all users which have just a link in the biography field, but I also need to quickly check they are not good contributors which also have an URL in the bio.

I have 2 problems. 1. They are registering into the site. 2. They are adding links to other sites.

An example of the links they post (that's my site, check the links below the username)
http://ibc.lynxeds.com/users/kdolph828
http://ibc.lynxeds.com/users/amykate
http://ibc.lynxeds.com/users/karmawellness
and a couple of screenshots of woopra user/bot behaviours:
http://ibc.lynxeds.com/spammer1.jpg
http://ibc.lynxeds.com/spammer2.jpg

Any help will be highly appreciated!

Rhino’s picture

Rhino commented

Seems I have the same problem (humans hopping past the bot-traps creating link-filled profile pages). Ideas for preventing this in dragging our sites name/googlerank down include;
1) Noindex on all new user pages links (making us less attractive). I do want real users who participate in the community to reap the google-juice benifits of having their homepages linked though.
2) NO READ on new user pages, that is only administrators can see fresh user pages until they actually participate in the community by commenting or similar.

Not sure how to implement either yet. Just throwing it out there.

ferrangil’s picture

ferrangil commented

I have a new idea that might be useful for some sites. In our site, users can upload videos, and then they become contributors.
Users that are not contributors really doesn't need to have a "users page", as they don't have the videos to be listed there.

That allows me to set the bio field (where they type all the links) only available to the role contributor. Not the real solution, but it might help a bit.

How is it possible that some people "works" by spamming other sites?? They also answer the captcha wrong sometimes, it's quite funny to see... India and Pakistan are the top active countries. Also a bit from Singapoore, but much less...

mauryg’s picture

mauryg commented

If you still think that CAPTCHA is an effective solution just remember: your site and 999 others can be hacked for $2.00. Just check out this link:

http://www.decaptcher.com/client/

When you think about this it is almost INhuman. They are using HUMAN reading and response to the captcha. How many captcha's an hour do you think you could read and enter? At 4 seconds per entry you would do 900 per hour, IF you could maintain that response without going blind. And they are charging $2 per THOUSAND? What are they paying the slaves?

Well, with the average household income in some countries sitting at less than $30.00 / week, if they spent about 16 hours a week doing that, they would be earning the national average income (over say the weekend). Not bad really.

Welcome to the global economy

ferrangil’s picture

ferrangil commented

My problem is not gone, but at least there are no links to spam sites. The problem is that I have a lot of registered users, and many of them are "bad" users probably. They are just registered, nothing else (but from woopra I saw they just directly browse to /user/register and then to edit the account to try to add some URL's to the malicious sites). As they can't, they just leave the site.

What about checking the previous URL's of each anonymous user and, if he hasn't visited at least one page from family/*, species/* or video/*, they can't see the register form. They might then (as they are real humans), go to the home page and make a few random click (probably going into a video/* page ) so if they check the register page again, they will succeed. But, at least, some might not even register.

No one of our real users go to the register page before watching a species or video page, so for the major part this is not going to affect it's normal registering process.

Just imagine I want to launch a new feature on the site (or a discount or whatever) and want to email all users... Lots of those emails from the spammers users are not going to be working, but some might... and I would prefer not to send discounts to spammers!! ;)

hokuspokus’s picture

hokuspokus commented

subscribing

ferrangil’s picture

ferrangil commented

More information for this. I saw a guy (using woopra) coming from the following site: onestopseo.wordpress.com/ (removed the http as I don't want to promote that site at all!!)
The guy from the blog suggests to create accounts and posts links to your sites. And he thinks he knows a lot about SEO!!! Holy crap...

Well, just check if your site is there too, and write to the guy and let him know he's stupid at least...

jboukes’s picture

jboukes commented

...as of yesterday I pushed up a new module for review, 'Country Ban', which can be used to set a country to "read only". If a country is set to "read only", they may only view your website, but may not create any user accounts or access any previously created accounts.

The IP you listed is from the Ukraine. If you use this module, just set 'Ukraine' to read only, and you should never have this problem again.

http://drupal.org/node/693196

ferrangil’s picture

ferrangil commented

... but on our site wen can't ban a whole country from contributing into the site, specially active countries like India. There are too many birds there, and too many good users as well as bad ones. But I'll keep watching your module, it could be useful for specific situations, or ban a country during a few days when the activity of adding spam is higher...

iva2k’s picture

iva2k commented

subscribing

--
iva2k

sneakerr’s picture

sneakerr commented

I do not know if there is any but I think one of the solutions could maybe be a User per IP. Each IP can have only one user account attached to it. Else blok user. There are similar modules I think
Check it out

helloadorable’s picture

helloadorable commented

My understanding about this is that if a bunch of users, for example, from the same college are participating on your site they might all have the same IP address.

iva2k’s picture

iva2k commented

I got my sites flooded by spambot user registrations (200-300 a day). I rolled up my sleeves and created BOTCHA module to solve spam problem. Works like a charm on my sites. It works side by side with CAPTCHA and MOLLOM and adds very strong filter that spambots cannot pass. CAPTCHA and reCAPTCHA have been cracked and spambots solve them on first pass these days. I should mention that without CAPTCHA, BOTCHA currently would only protect user registration form, as I did not have time to write big UI to select and configure which forms to protect, so BOTCHA just checks if CAPTCHA is added to the form and if it is, BOTCHA will protect the form as well.

--
iva2k

dg@drupal’s picture

dg@drupal commented

Hi iva2k,
I am not able use BOTCHA.
When I activate it, New user registration tab does not show any text box. Did you face problem like this?

AlanT’s picture

AlanT commented

I've found the BOTCHA module to be one of the best measures I've yet tried to combat the spam problem.

Unfortunately, it doesn't work when there are actual humans involved, but it certainly helps.

This, in combination with the Riddler CAPCHA module (with riddles like "What number is missing in this series: 51, 52, 53, 55, 56?") seems to completely eliminate the bots.

- Alan Tutt

Exceptional Personal Development for Exceptional People
http://www.PowerKeysPub.com

fehin’s picture

fehin commented

BOTCHA is also working great for me. I had over 100 spambots registering per week and in over a week of using BOTCHA now, I haven't seen anyone new spambot user. It blocked everything. Thank you for the great module.