I've set up honeypot module on http://spam-drupal.redesign.devdrupal.org.
I've given the "bypass honeypot" permission to all users that have more than just "auth user".
I've been able to create a test account and log in, but my connection is bad and I can't do more tests atm.
Ideally, somebody would try some spam tool on it...
Comments
Comment #1
WorldFallz commented:
Is this in lieu of #1694494: Install Mollom on Drupal.org?
I've been meaning to try this module out-- I'll see if I can find a spambot tool to aim at it.
Comment #3
killes@www.drop.org commented:
The other issue seems stuck, and since I got a number of complaints during Drupalcon I thought to deploy something rapidly as long as it doesn't break stuff.
Comment #4
killes@www.drop.org commented:
Since nothing beats real data I've deployed it on d.o for testing. We always get a lot of spammers on the weekend, let's see if this helps.
Comment #5
silverwing commented:
thank you
Comment #6
WorldFallz commented:
one streaming spammer got through: http://drupal.org/user/2280232
Comment #7
killes@www.drop.org commented:
I also blocked two Vietnamese spammers and deleted 500 nodes. There are no log entries about successful honeypot blocks so far.
Comment #8
WorldFallz commented:
just got rid of 3 streaming spammers >-0
Comment #9
killes@www.drop.org commented:
I had a shoe spammer earlier today.
Comment #10
silverwing commented:
I just had 8 (or so) streaming spammers.
Comment #11
killes@www.drop.org commented:
I think we can safely conclude that this isn't the solution that we are looking for.
Comment #12
WorldFallz commented:
yeah, I was thinking the same thing. The two most common spammers we have and it didn't stop them.
Comment #13
killes@www.drop.org commented:
I've made some changes:
1) I hacked the module to _not_ protect the search forms.
2) I made a config change to protect _all_ forms, this will now also include profile forms.
3) I increased the time based protection to 10 seconds (from 5s).
Comment #14
killes@www.drop.org commented:
I had to exempt a couple more forms. Adding the profile forms explicitly would have been better.
However, we now get blocked submissions of the user registration forms and also the profile forms.
Comment #15
silverwing commented:
Hopefully we can make the case to use this on the user register forms on our subsites.
ie http://drupal.org/admin/reports/event/638238794
Comment #16
killes@www.drop.org commented:
Yeah, they are sneaking in through the backdoor.
I've now changed the config back to only protect selected forms and implemented support for profile module. Still works.
Comment #17
killes@www.drop.org commented:
select count(*) as count, variables from watchdog where type = 'honeypot' and message like 'Blocked%' group by variables ;
We have now
159 user register failures submission of a value in the honeypot field
228 user register submission of the form in less than minimum required time
10 user_profile_form (time limit)
And this is in only a short amount of time....
Comment #18
WorldFallz commented:
wow--- nice work killes!
Comment #19
killes@www.drop.org commented:
Some IPs to go with the above:
Comment #20
killes@www.drop.org commented:
So, we've had our first spam from Vietnam, how did we fare?
Not too bad: we've blocked about 50 forum form submissions, most of them by spammers that were then later blocked.
We've also blocked about 20 comment form submissions, sadly all of them by legitimate users. Clearly, we need to work on the exemption part.
There were also 10 profile form submissions from profile spammers. I blocked those that weren't already.
I think there are 2 things to do:
1) define criteria by which existing users should be given a "spam exempt" role, write a script and do that.
2) define a personal time limit. Ie after you fail to submit a form in time, you'll need to take more time for the next form. This could not use core's flood mechanism, as it is IP based, but it can be modelled after it. It should expire over time.
We also blocked nearly 5000(!) registration attempts.
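Item 2 in the comment above (a per-user time limit that grows after each failed submission and expires over time), combined with the point made further down the thread that the limit should be recalculated at validation, can be sketched as follows. This is an added example in Python, not the Honeypot module's code or the patch discussed in this thread; the class name, the 10-second penalty step, the one-hour expiry and the HMAC-signed timestamp token are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret (placeholder)


class TimeTrap:
    """Per-user minimum fill time that grows with recent failures and decays."""

    def __init__(self, base=15, step=10, ttl=3600, clock=time.time):
        # base=15 is the setting reached in the thread; step and ttl are assumed.
        self.base, self.step, self.ttl, self.clock = base, step, ttl, clock
        self.failures = {}  # uid -> timestamps of blocked submissions

    def limit_for(self, uid):
        """Current limit in seconds; failures older than ttl no longer count."""
        cutoff = self.clock() - self.ttl
        kept = [t for t in self.failures.get(uid, []) if t > cutoff]
        self.failures[uid] = kept
        return self.base + self.step * len(kept)

    def _sign(self, uid, ts):
        return hmac.new(SECRET, f"{uid}:{ts}".encode(), hashlib.sha256).hexdigest()

    def issue_token(self, uid):
        """Called when the form is built; the token goes into a hidden field."""
        ts = int(self.clock())
        return f"{ts}:{self._sign(uid, ts)}"

    def _fail(self, uid, reason):
        self.failures.setdefault(uid, []).append(self.clock())
        return False, reason

    def validate(self, uid, token, honeypot_value="", bypass=False):
        """Return (accepted, reason). State is keyed on uid, not on IP."""
        if bypass:  # e.g. holders of the "bypass honeypot" permission
            return True, "bypass"
        ts_text, _, mac = token.partition(":")
        valid = ts_text.isascii() and ts_text.isdigit() and hmac.compare_digest(
            mac.encode(), self._sign(uid, int(ts_text)).encode())
        if not valid:  # a client-edited timestamp counts as a failure
            return self._fail(uid, "invalid token")
        if honeypot_value:
            return self._fail(uid, "honeypot field filled")
        # Recalculate the limit now, not when the form was built, so failures
        # recorded in between (forms opened in parallel) raise the bar.
        required = self.limit_for(uid)
        if self.clock() - int(ts_text) < required:
            return self._fail(uid, f"submitted in under {required}s")
        return True, "ok"


def parallel_burst():
    """Constructed scenario: two forms built together, then submitted."""
    now = [1000.0]
    trap = TimeTrap(clock=lambda: now[0])
    tokens = [trap.issue_token(42), trap.issue_token(42)]
    now[0] += 5
    first = trap.validate(42, tokens[0])   # too fast against the 15 s base
    now[0] += 11
    second = trap.validate(42, tokens[1])  # 16 s elapsed, but the limit is now 25 s
    return first, second
```

The second form would have passed a limit fixed at build time; it is rejected only because the limit is recomputed when the submission is validated.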
Comment #21
greggles commented:
Well that's pretty amazing news... we'll want to get this on g.d.o in a similar configuration. Is your patch in the queue somewhere?
Regarding a script and a role to let people bypass it - http://drupal.org/node/1694494#comment-6433194
Comment #22
killes@www.drop.org commented:
I think there's a problem with how the module works: the time trap is not recalculated on validation. IMO it should be.
I've fixed that.
I've also added the mechanism as described above.
This is now active on d.o.
Comment #23
killes@www.drop.org commented:
One user was so kind to submit 6 failed attempts, so it seems to be working.
Comment #24
killes@www.drop.org commented:
now using flood to "help" with new user account requests from particular IPs.
Added a "Not a spammer" role on d.o
Comment #25
killes@www.drop.org commented:
I am slowly adding people to the "not a spammer" role. Takes a while as the script doesn't run very fast.
Comment #26
killes@www.drop.org commented:
Added the bypass permission to the role. I've resolved to use some SQL for adding users to it and added about 70k people to the role.
Comment #27
killes@www.drop.org commented:
Blocked form submissions from a sunglasses spammer. He still managed to get 10 comments in, though.
+---------+------------+
| uid | timestamp |
+---------+------------+
| 2283604 | 1346807341 |
| 2283604 | 1346807352 |
| 2283604 | 1346807367 |
| 2283604 | 1346807386 |
| 2283604 | 1346807388 |
| 2283604 | 1346807391 |
| 2283604 | 1346807394 |
| 2283604 | 1346807397 |
| 2283604 | 1346807401 |
| 2283604 | 1346807404 |
| 2283604 | 1346807426 |
| 2283604 | 1346807459 |
| 2283604 | 1346807471 |
| 2283604 | 1346807474 |
| 2283604 | 1346807537 |
| 2283604 | 1346807562 |
| 2283604 | 1346807565 |
| 2283604 | 1346807568 |
| 2283604 | 1346807572 |
| 2283604 | 1346807774 |
+---------+------------+
Comment #28
geerlingguy commented:
I'm happy to accept all the changes in the D6 Honeypot patch from killes; I've tweaked the install/uninstall and some interface text/comments, but it should be functionally equivalent of what killes submitted in his patch at #1774150: Various improvements.
Please check out my updated patch in #1774150-6: Various improvements and let me know if you're happy with it. I'll commit it to the D6 branch and create a new release of both D6 and D7 branches once we get the patch forward-ported.
Comment #29
Heine commented:
http://drupal.org/user/2285802 and http://drupal.org/user/2285794 got through. Blocked & deleted.
Comment #30
killes@www.drop.org commented:
@geerlingguy: thanks, will look in a second!
@Heine: Both users have had some forum forms intercepted, one 2 and one 12. Not sure this is satisfying...
Now that many if not all contributors have the bypass role, we could increase the basic time limit somewhat.
Comment #31
killes@www.drop.org commented:
The watchdog logs of failed profile form submissions are great to spot failed profile spammers and block them before they come back (not sure they would).
Many of these actually create accounts on g.d.o so I'll request that the module be installed there as well.
Comment #32
Heine commented:
I've deleted 96 posts by http://drupal.org/user/2286092
Comment #33
killes@www.drop.org commented:
4 times in the pot :(
I'll increase the setting to 15s.
Comment #34
killes@www.drop.org commented:
15 seems good:
https://drupal.org/user/2274220/
fell into the pot 473 times.
Comment #35
killes@www.drop.org commented:
https://drupal.org/user/2286676
managed to sneak in 9 forum posts but fell into the trap 7 times.
Comment #36
killes@www.drop.org commented:
https://drupal.org/user/2286684 from Vietnam fell once into the trap but managed to get 23 nodes in.
Comment #37
WorldFallz commented:
more streaming spam: http://drupal.org/user/2286652 (14 nodes deleted)
Comment #38
killes@www.drop.org commented:
http://drupal.org/user/2286652 was careful enough to not fall into the trap.
Comment #39
killes@www.drop.org commented:
Last night, I caught a spammer from Vietnam in the act after he fell once into the trap and posted two forum topics.
Comment #40
WorldFallz commented:
i'm so over these jackasses, what a waste of life force... more Vietnam spam (17 posts):
https://drupal.org/user/2287086
Comment #41
geerlingguy commented:
That is true dedication. I just wish the Vietnam poster(s) were devoted to something more positive. Sheesh.
Comment #42
killes@www.drop.org commented:
#1775990: Add hook for time delay additions let's see who's more dedicated.
Comment #43
killes@www.drop.org commented:
Also, can somebody save a sample of streaming spam for me? I almost never see those.
Comment #44
killes@www.drop.org commented:
I've developed a small module that implements above hook, maybe somebody would like to create a test user on http://spam-drupal.redesign.devdrupal.org/ and spam a bit?
Comment #45
killes@www.drop.org commented:
#1776878: Allow toggling of roles (6.x backport) was filed to help with adding people to the "not a spammer" role.
Comment #46
killes@www.drop.org commented:
the small module is actually live now and I am eagerly waiting for some spammers....
Comment #47
killes@www.drop.org commented:
Apparently, there was a holiday in Vietnam, but silverwing got me some spammers from China. I've used their input to fine-tune my script.
I was able to reconstruct what some of them are doing, and one reason why the script isn't as successful is that they work in parallel, i.e. when creating forms, the forms are all created at the same time and then submitted at the same time. Waiting a couple of seconds isn't that much of a problem then. We could add a counter that counts the created forms for a user, but I am not sure this would work well.
I've instead made changes that should really increase the time limit in case somebody uses spammy terms.
Comment #48
WorldFallz commented:
more from Vietnam: http://drupal.org/user/2288228
Comment #49
killes@www.drop.org commented:
It is in principle working, but I had a stupid bug in my code so the action did not get triggered. The bug is fixed now.
Comment #50
Heine commented:
http://drupal.org/user/2288416 is a sport stream spammer.
Comment #51
killes@www.drop.org commented:
Great, did you block him early on? He only managed to get a single post in. He also scored 95 + 15 seconds extra time. :)
He also found the right place to post in. :p
Comment #52
killes@www.drop.org commented:
https://drupal.org/user/2288482 tried to spam a bit but gave up after the time limit increased to 264492 seconds.
Based on the country I think it was intended to be streaming spam.
Comment #53
geerlingguy commented:
lol, I guess he didn't want to have to wait three days to post something :P
Comment #54
killes@www.drop.org commented:
the youths of today, no persistence...
(there's a cronjob that ensures that you don't really need to wait 3 days if you clean up your post)
Comment #55
killes@www.drop.org commented:
Another user fell into the trap but still managed to post a node (unpublished). Something is probably wrong with my logic.
Here are the relevant watchdog entries:
mysql> select type, referer, location, from_unixtime(timestamp), concat('https://drupal.org/user/', uid), message, variables from watchdog where uid = 2288542 order by wid asc ;
+----------+-----------------------------------------+-----------------------------------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| type | referer | location | from_unixtime(timestamp) | concat('https://drupal.org/user/', uid) | message | variables |
+----------+-----------------------------------------+-----------------------------------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| user | http://drupal.org/user?destination=home | http://drupal.org/user?destination=home | 2012-09-07 18:56:10 | https://drupal.org/user/2288542 | Session opened for %name. | a:1:{s:5:"%name";s:12:"hazirpola789";} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:57:08 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:224;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:57:20 | https://drupal.org/user/2288542 | Blocked submission of %form due to @cause. | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:57:20 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:238;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:58:52 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:238;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:59:04 | https://drupal.org/user/2288542 | Blocked submission of %form due to @cause. | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:59:04 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:308;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 19:02:01 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:308;} |
| content | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 19:02:13 | https://drupal.org/user/2288542 | @type: added %title. | a:2:{s:5:"@type";s:5:"forum";s:6:"%title";s:98:" WatcH>>>))) Brazil vs South Africa Live streaming Online International Friendly match HD Tv On Pc";} |
| user | http://drupal.org/node/1778308 | http://drupal.org/logout | 2012-09-07 19:02:36 | https://drupal.org/user/2288542 | Session closed for %name. | a:1:{s:5:"%name";s:12:"hazirpola789";} |
+----------+-----------------------------------------+-----------------------------------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
Anybody got an idea?
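The `variables` column in the rows above is PHP-serialized, so reading the log means decoding it first. The following is an added example in Python (not part of the thread or of the module): it decodes that format and flags accounts whose content was created shortly after a honeypot block, the pattern shown in the table above. The sample rows, uids, timestamps and titles are constructed, and the function names and the 600-second window are assumptions.

```python
def php_unserialize(data: bytes):
    """Decode the subset seen in watchdog.variables: arrays, strings, ints."""
    def parse(pos):
        kind = data[pos:pos + 1]
        if kind == b"i":                       # i:<int>;
            end = data.index(b";", pos)
            return int(data[pos + 2:end]), end + 1
        if kind in (b"s", b"a"):               # s:<bytes>:"...";  a:<count>:{...}
            colon = data.index(b":", pos + 2)
            size, start = int(data[pos + 2:colon]), colon + 2
            if kind == b"s":                   # length is in bytes, not characters
                return data[start:start + size].decode("utf-8"), start + size + 2
            out, pos = {}, start
            for _ in range(size):
                key, pos = parse(pos)
                out[key], pos = parse(pos)
            return out, pos + 1                # skip the closing brace
        raise ValueError(f"unsupported type at offset {pos}")
    return parse(0)[0]


def render(message, variables):
    """Substitute the %name/@name placeholders into the stored message."""
    for key, value in php_unserialize(variables.encode()).items():
        message = message.replace(key, str(value))
    return message


def posted_after_block(rows, window=600):
    """Return (uid, rendered content message, seconds since the last block)."""
    last_block, hits = {}, []
    for kind, ts, uid, message, variables in sorted(rows, key=lambda r: r[1]):
        if kind == "honeypot" and message.startswith("Blocked"):
            last_block[uid] = ts
        elif kind == "content" and ts - last_block.get(uid, -window - 1) <= window:
            hits.append((uid, render(message, variables), ts - last_block[uid]))
    return hits


# Constructed rows: (type, timestamp, uid, message, variables).
BLOCK_VARS = ('a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";'
              's:57:"submission of the form in less than minimum required time";}')
ROWS = [
    ("honeypot", 1012, 1001, "Blocked submission of %form due to @cause.", BLOCK_VARS),
    ("honeypot", 1104, 1001, "Blocked submission of %form due to @cause.", BLOCK_VARS),
    ("content", 1293, 1001, "@type: added %title.",
     'a:2:{s:5:"@type";s:5:"forum";s:6:"%title";s:22:"Constructed spam title";}'),
    ("content", 1300, 1002, "@type: added %title.",
     'a:2:{s:5:"@type";s:5:"forum";s:6:"%title";s:13:"Release notes";}'),
]

if __name__ == "__main__":
    for hit in posted_after_block(ROWS):
        print(hit)
```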
Comment #56
killes@www.drop.org commented:
That's how it is supposed to look like (reversed). No spam came through.
Comment #57
killes@www.drop.org commented:
https://drupal.org/user/2288572 also wasn't keen on waiting.
Comment #58
killes@www.drop.org commented:
Works also with spam from Vietnam
Note how he logged out and in again to make it go away.
Comment #59
killes@www.drop.org commented:
So, how was the night?
I've been blocking some stuck spammers, but from the activity log I see there was some content removed. I am not sure if that was due to spam or for other reasons. I'd like to request that spam until further notice not be deleted, but unpublished so that I can do a post-mortem.
Comment #60
killes@www.drop.org commented:
a rugby streaming spammer got through with 1 post before blocked. Tuned the list a bit more.
Comment #61
klonos commented:
...yeah :/
#482312: Proposal: unpublish rather than delete content
Comment #62
killes@www.drop.org commented:
Another one was able to post one post since he simply waited a long time (14 minutes) and the cronjob had reset his stats in the meantime.
Comment #63
killes@www.drop.org commented:
This one gave up after noticing that the node that his alter ego managed to create was unpublished:
Comment #64
killes@www.drop.org commented:
My impression is that they have pretty much given up. There was one attempt on spam from Vietnam last night.
Comment #65
killes@www.drop.org commented:
A handbag spammer managed to get one in by simply waiting the prescribed amount of time. Lost interest afterwards.
Comment #66
geerlingguy commented:
I was wondering how things have been going, and also if the current 6.x dev release of honeypot is adequate, or if there are other things you'd like me to try to fix up before focusing on a few things in D7 more.
Comment #67
killes@www.drop.org commented:
Depends who you ask I guess: /I/ think it works great for being such a simple solution. The spammers probably beg to differ...
I don't think we need further changes to the D6 version, but having a D7 version would be really nice.
Comment #68
geerlingguy commented:
Sounds good. I'll work on porting the rest of the patches and testing tonight. Hopefully I'll be able to push out 6.x-1.13 and 7.x-1.13 tonight!
[Edit: Just posted 7.x-1.13 and 6.x-1.13.]
Comment #69
WorldFallz commented:
Streaming spammer sneaked in: http://drupal.org/user/2298104 (left the node unpublished).
I've been mostly afk (pretty much readonly from a small mobile device) for over a week, but it definitely seems like this simple solution has made a BIG diff!
kudos to geerlingguy for getting the module updated so quickly!
Comment #70
Heine commented:
http://drupal.org/user/2297340 as well, left the node unpublished.
It's much better now, even if some sneak through, they do not completely take over the tracker.
Comment #71
WorldFallz commented:
my first porn spam block: http://drupal.org/user/2303464 (left the node unpublished).
Comment #72
mgifford commented:
This is great news! Thanks @geerlingguy!
Comment #73
WorldFallz commented:
now we're down to kitchen spam!
http://drupal.org/user/2309024/admin-nodes
Comment #74
WorldFallz commented:
latest multi spammer: http://drupal.org/user/2324278/admin-comments
Comment #75
killes@www.drop.org commented:
Thanks, I added some chars to the blocklist.