I've set up honeypot module on http://spam-drupal.redesign.devdrupal.org.

I've given the "bypass honeypot" permission to all users that have more than just "auth user".

I've been able to create a test account and log in, but my connection is bad and I can't do more tests atm.

Ideally, somebody would try some spam tool on it...

Comments

WorldFallz’s picture

Is this in lieu of #1694494: Install Mollom on Drupal.org?

I've been meaning to try this module out-- I'll see if I can find a spambot tool to aim at it.

killes@www.drop.org’s picture

The other issue seems stuck, and since I got a number of complaints during Drupalcon I thought to deploy something rapidly as long as it doesn't break stuff.

killes@www.drop.org’s picture

Since nothing beats real data I've deployed it on d.o for testing. we always get a lot of spammers on the weekend, let's see if this helps.

silverwing’s picture

thank you

WorldFallz’s picture

one streaming spammer got through: http://drupal.org/user/2280232

killes@www.drop.org’s picture

I also blocked two vietnamese spammers and deleted 500 nodes. There a no log entries about successful honeypot blocks so far.

WorldFallz’s picture

just got rid of 3 streaming spammers >-0

killes@www.drop.org’s picture

I had a shoe spammer earlier today.

silverwing’s picture

I Just had 8 (or so) streaming spammers.

killes@www.drop.org’s picture

I think we can safely conclude that this isn't the solution that we are looking for.

WorldFallz’s picture

yeah, I was thinking the same thing. The two most common spammers we have and it didn't stop them.

killes@www.drop.org’s picture

I've made some changes:

1) I hacked the module to _not_ protect the search forms.

2) I made a config change to protect _all_ forms, this will now also include profile forms.

3) I increased the time based protection to 10 seconds (from 5s).

killes@www.drop.org’s picture

I had to exempt a couple more forms. Adding the profile forms explicitly would have been better.

However, we now get blocked submissions of the user registration forms and also the profile forms.

silverwing’s picture

Hopefully we can make the case to use this on the user register forms on our subsites.
ie http://drupal.org/admin/reports/event/638238794

killes@www.drop.org’s picture

Yeah, they are sneaking in through the backdoor.

I've now changed the config back to only protect selected forms and implemented support for profile module. Still works.

killes@www.drop.org’s picture

select count(*) as count, variables from watchdog where type = 'honeypot' and message like 'Blocked%' group by variables ;

We have now

159 user register failures submission of a value in the honeypot field
228 user register submission of the form in less than minimum required time
10 user_profile_form (time limit)

And this is in only a short amount of time....

WorldFallz’s picture

wow--- nice work killes!

killes@www.drop.org’s picture

Some IPs to go with the above:

count | IP
| 6 | 37.113.8.183 |
| 6 | 178.137.84.222 |
| 6 | 27.159.202.56 |
| 6 | 60.188.110.109 |
| 6 | 199.15.234.72 |
| 6 | 27.159.209.200 |
| 6 | 173.254.219.91 |
| 7 | 198.143.175.242 |
| 7 | 199.15.234.134 |
| 8 | 27.159.239.112 |
| 8 | 46.118.119.14 |
| 10 | 95.69.193.232 |
| 10 | 87.98.185.219 |
| 10 | 5.165.192.128 |
| 10 | 173.254.219.75 |
| 12 | 188.143.232.242 |
| 13 | 178.137.167.109 |
| 14 | 79.179.206.138 |
| 14 | 61.147.99.104 |
| 15 | 94.142.128.140 |
| 18 | 46.118.127.75 |
| 34 | 110.85.83.165 |
+-------+-----------------+

killes@www.drop.org’s picture

So, we've had our first spam from vietnam, how did we fare?

Not too bad: we've blocked about 50 forum form submissions, most of them by spammers that were then later blocked.

We've also blocked about 20 comment form submissions, sadly all of them by legitimate users. Clearly, we need to work on the exemption part.

There were also 10 profile form submisions from profile spammers. I blocked those that weren't already.

I think there are 2 things to do:

1) define criteria by which existing users should be given a "spam exempt" role, write a script and do that.

2) define a personal time limit. Ie after you fail to submit a form in time, you'll need to take more time for the next form. This could not use core's flood mechanism, as it is IP based, but it can be modelled after it. It should expire over time.

We also blocked nearly 5000(!) registration attempts.

greggles’s picture

Well that's pretty amazing news...we'll want to get this on g.d.o in a similar configuration. Is your patch in the queue somewhere?

Regarding a script and a role to let people bypass it - http://drupal.org/node/1694494#comment-6433194

killes@www.drop.org’s picture

I think there's a problem with how the module works: the time trap is not recalculated on validation. IMO it should be.

I've fixed that.

I've also added the mechanism as described above.

This is now active on d.o.

killes@www.drop.org’s picture

One user was so kind to submit 6 failed attempts, so it seems to be working.

killes@www.drop.org’s picture

now using flood to "help" with new user account requests from particular IPs.

Added a "Not a spammer" role on d.o

killes@www.drop.org’s picture

I am slowly adding people to the "not a spammer" role. Takes a while as the script doesn't run very fast.

killes@www.drop.org’s picture

Added the bypass permission to the role. I've resolved to use some SQL for adding users to it and added aout 70k people to the role.

killes@www.drop.org’s picture

Blocked form submissions from a sunglasses spammer. He still managed to get 10 comments in, though.

+---------+------------+
| uid | timestamp |
+---------+------------+
| 2283604 | 1346807341 |
| 2283604 | 1346807352 |
| 2283604 | 1346807367 |
| 2283604 | 1346807386 |
| 2283604 | 1346807388 |
| 2283604 | 1346807391 |
| 2283604 | 1346807394 |
| 2283604 | 1346807397 |
| 2283604 | 1346807401 |
| 2283604 | 1346807404 |
| 2283604 | 1346807426 |
| 2283604 | 1346807459 |
| 2283604 | 1346807471 |
| 2283604 | 1346807474 |
| 2283604 | 1346807537 |
| 2283604 | 1346807562 |
| 2283604 | 1346807565 |
| 2283604 | 1346807568 |
| 2283604 | 1346807572 |
| 2283604 | 1346807774 |
+---------+------------+

geerlingguy’s picture

I'm happy to accept all the changes in the D6 Honeypot patch from killes; I've tweaked the install/uninstall and some interface text/comments, but it should be functionally equivalent of what killes submitted in his patch at #1774150: Various improvements.

Please check out my updated patch in #1774150-6: Various improvements and let me know if you're happy with it. I'll commit it to the D6 branch and create a new release of both D6 and D7 branches once we get the patch forward-ported.

Heine’s picture

killes@www.drop.org’s picture

@geerlingguy: thanks, will look in a second!

@Heine: Both users have had some forum forms intercepted, one 2 and one 12. Not sure this is satisfying...

Now that many if not all contributors have the bypass role, we could increase the basic time limit somewhat.

killes@www.drop.org’s picture

The watchdog logs of failed profile form submissions are great to spot failed profile spammers and block them before they come back (not sure they would).

Many of these actually create accounts on g.d.o so I'll request that the module be installed there as well.

Heine’s picture

I've deleted 96 posts by http://drupal.org/user/2286092

killes@www.drop.org’s picture

4 times in the pot :(

I'll increase the setting to 15s.

killes@www.drop.org’s picture

15 seems good:

https://drupal.org/user/2274220/

fell into the pot 473 times.

killes@www.drop.org’s picture

https://drupal.org/user/2286676

managed to sneak in 9 forum post but fell into the trap 7 times.

killes@www.drop.org’s picture

Title: Test honeypot module on http://spam-drupal.redesign.devdrupal.org » Test honeypot module on http://drupal.org

https://drupal.org/user/2286684 from Vietnam fell one into the trap but managed to get 23 nodes in.

WorldFallz’s picture

more streaming spam: http://drupal.org/user/2286652 (14 nodes deleted)

killes@www.drop.org’s picture

http://drupal.org/user/2286652 was careful enough to not fall into the trap.

killes@www.drop.org’s picture

last night, I caught a spammer from vietnam in the act after he fell once into the trap and posted two forum topics.

WorldFallz’s picture

i'm so over these jackasses, what a waste of life force... more vietname spam (17 posts):

https://drupal.org/user/2287086

geerlingguy’s picture

That is true dedication. I just which the vietnam poster(s) were devoted to something more positive. Sheesh.

killes@www.drop.org’s picture

#1775990: Add hook for time delay additions let's see who's more dedicated.

killes@www.drop.org’s picture

Also, can somebody save a sample of streaming spam for me? I almost never see those.

killes@www.drop.org’s picture

I've developed a small module that implements above hook, maybe somebody would like to create a test user on http://spam-drupal.redesign.devdrupal.org/ and spam a bit?

killes@www.drop.org’s picture

#1776878: Allow toggling of roles (6.x backport) was filed to help with adding people to the "not a spammer" role.

killes@www.drop.org’s picture

the small module is actually live now and I am eagerly waiting for some spammers....

killes@www.drop.org’s picture

Apparently, there was a holiday in Vietnam, but silverwing got me some spammers from China. I've used their input to fine-tune my script.

I was able to reconstruct what some of them are doing, and one reason why the script isn't as successfull is that they work in parallel, ie when creating forms, the forms are all created at the same time and then submitted at the same time. Waiting a couple of seconds isn't that much of a problem then. We could add a counter that counts the created forms for a user, but I am not sure this would work well.

I've instead made changes that should really increase the time limit in case somebody uses spammy terms.

WorldFallz’s picture

killes@www.drop.org’s picture

It is in principle working, but I had a stupid bug in my code so the action did not get triggered. The bug is fixed now.

Heine’s picture

http://drupal.org/user/2288416 is a sport stream spammer.

killes@www.drop.org’s picture

Great, did you block him early on? He only managed to get a single post in. He also scored 95 + 15 seconds extra time. :)

He also found the right place to post in. :p

killes@www.drop.org’s picture

https://drupal.org/user/2288482 tried to spam a bit but gave up after the time limit increased to 264492 seconds.

Based on the country I think it was intended to be streaming spam.

geerlingguy’s picture

lol, I guess he didn't want to have to wait three days to post something :P

killes@www.drop.org’s picture

the youths of today, no persistence...

(there's a cronjob that ensures that you don't really need to wait 3 days if you clean up your post)

killes@www.drop.org’s picture

Another user fell into the trap but still managed to post a node (unpublished). Something is probably wrong with my logic.

Here are the relevant watchdog entries:


mysql> select type, referer, location, from_unixtime(timestamp), concat('https://drupal.org/user/', uid), message, variables from watchdog where uid = 2288542 order by wid asc ;
+----------+-----------------------------------------+-----------------------------------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| type | referer | location | from_unixtime(timestamp) | concat('https://drupal.org/user/', uid) | message | variables |
+----------+-----------------------------------------+-----------------------------------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| user | http://drupal.org/user?destination=home | http://drupal.org/user?destination=home | 2012-09-07 18:56:10 | https://drupal.org/user/2288542 | Session opened for %name. | a:1:{s:5:"%name";s:12:"hazirpola789";} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:57:08 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:224;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:57:20 | https://drupal.org/user/2288542 | Blocked submission of %form due to @cause. | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:57:20 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:238;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:58:52 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:238;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:59:04 | https://drupal.org/user/2288542 | Blocked submission of %form due to @cause. | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 18:59:04 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:308;} |
| honeypot | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 19:02:01 | https://drupal.org/user/2288542 | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:12:"hazirpola789";s:4:"%uid";s:7:"2288542";s:6:"%count";i:6;s:5:"%time";i:308;} |
| content | http://drupal.org/node/add/forum/0 | http://drupal.org/node/add/forum/0 | 2012-09-07 19:02:13 | https://drupal.org/user/2288542 | @type: added %title. | a:2:{s:5:"@type";s:5:"forum";s:6:"%title";s:98:" WatcH>>>))) Brazil vs South Africa Live streaming Online International Friendly match HD Tv On Pc";} |
| user | http://drupal.org/node/1778308 | http://drupal.org/logout | 2012-09-07 19:02:36 | https://drupal.org/user/2288542 | Session closed for %name. | a:1:{s:5:"%name";s:12:"hazirpola789";} |
+----------+-----------------------------------------+-----------------------------------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

Anybody got an idea?

killes@www.drop.org’s picture

That's how it is supposed to look like (reversed). No spam came through.

+----------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| honeypot | 2012-09-07 19:58:40      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:2282;}                      | 
| honeypot | 2012-09-07 19:58:40      | https://drupal.org/user/2288564         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-07 19:58:28      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:966;}                       | 
| honeypot | 2012-09-07 19:51:10      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:966;}                       | 
| honeypot | 2012-09-07 19:51:10      | https://drupal.org/user/2288564         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-07 19:50:58      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:490;}                       | 
| honeypot | 2012-09-07 19:49:39      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:490;}                       | 
| honeypot | 2012-09-07 19:49:39      | https://drupal.org/user/2288564         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-07 19:49:27      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:308;}                       | 
| honeypot | 2012-09-07 19:48:15      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:308;}                       | 
| honeypot | 2012-09-07 19:48:15      | https://drupal.org/user/2288564         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-07 19:48:03      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:238;}                       | 
| honeypot | 2012-09-07 19:47:36      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:238;}                       | 
| honeypot | 2012-09-07 19:47:36      | https://drupal.org/user/2288564         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-07 19:47:24      | https://drupal.org/user/2288564         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:10:"rakibhasan";s:4:"%uid";s:7:"2288564";s:6:"%count";i:6;s:5:"%time";i:224;}                       | 
| user     | 2012-09-07 19:46:13      | https://drupal.org/user/2288564         | Session opened for %name.                                             | a:1:{s:5:"%name";s:10:"rakibhasan";}                                                                                    | 
+----------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+

killes@www.drop.org’s picture

https://drupal.org/user/2288572 also wasn't keen on waiting.

killes@www.drop.org’s picture

Works also with spam from vietnam

Note how he logged out and in again to make it go away.

+----------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| type     | from_unixtime(timestamp) | concat('https://drupal.org/user/', uid) | message                                                               | variables                                                                                                               |
+----------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| honeypot | 2012-09-08 00:18:53      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:17;s:5:"%time";i:1260;}                           | 
| honeypot | 2012-09-08 00:18:53      | https://drupal.org/user/2288644         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-08 00:18:19      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:17;s:5:"%time";i:792;}                            | 
| honeypot | 2012-09-08 00:15:24      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:15;s:5:"%time";i:704;}                            | 
| honeypot | 2012-09-08 00:15:24      | https://drupal.org/user/2288644         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-08 00:14:54      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:15;s:5:"%time";i:544;}                            | 
| user     | 2012-09-08 00:12:37      | https://drupal.org/user/2288644         | Session opened for %name.                                             | a:1:{s:5:"%name";s:5:"sudfy";}                                                                                          | 
| honeypot | 2012-09-08 00:07:47      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:12;s:5:"%time";i:910;}                            | 
| honeypot | 2012-09-08 00:07:47      | https://drupal.org/user/2288644         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-08 00:07:23      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:12;s:5:"%time";i:572;}                            | 
| honeypot | 2012-09-08 00:02:26      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:15;s:5:"%time";i:704;}                            | 
| honeypot | 2012-09-08 00:02:26      | https://drupal.org/user/2288644         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-08 00:01:56      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:15;s:5:"%time";i:704;}                            | 
| honeypot | 2012-09-08 00:01:25      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:15;s:5:"%time";i:704;}                            | 
| honeypot | 2012-09-08 00:01:25      | https://drupal.org/user/2288644         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-08 00:00:55      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:15;s:5:"%time";i:544;}                            | 
| user     | 2012-09-07 23:59:26      | https://drupal.org/user/2288644         | Session opened for %name.                                             | a:1:{s:5:"%name";s:5:"sudfy";}                                                                                          | 
| honeypot | 2012-09-07 23:54:55      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:17;s:5:"%time";i:612;}                            | 
| honeypot | 2012-09-07 23:54:55      | https://drupal.org/user/2288644         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot | 2012-09-07 23:54:21      | https://drupal.org/user/2288644         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:5:"sudfy";s:4:"%uid";s:7:"2288644";s:6:"%count";i:17;s:5:"%time";i:576;}                            | 
| user     | 2012-09-07 23:53:08      | https://drupal.org/user/2288644         | Session opened for %name.                                             | a:1:{s:5:"%name";s:5:"sudfy";}                                                                                          | 
+----------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
killes@www.drop.org’s picture

So, how was the night?

I've been blocking some stuck spammers, but from the activity log I see there was some content removed. I am not sure if that was due to sam or for other reasons. I'd like to request that spam until further notice not be deleted,but unpublished so that I can do a post-mortem.

killes@www.drop.org’s picture

a rugby streaming spammer got through with 1 post before blocked. Tuned the list a bit more.

klonos’s picture

killes@www.drop.org’s picture

Another one was able to post one post since he simply waited a long time (14 minutes) and the cronjob had reset his stats in the meantime.

killes@www.drop.org’s picture

This one gave up after noticing that the node that his alter ego managed to create was unpublished:

+---------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| type          | from_unixtime(timestamp) | concat('https://drupal.org/user/', uid) | message                                                               | variables                                                                                                               |
+---------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| access denied | 2012-09-08 10:18:11      | https://drupal.org/user/2288998         | node/1778688                                                          | N;                                                                                                                      | 
| honeypot      | 2012-09-08 10:16:52      | https://drupal.org/user/2288998         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:8:"masfzaas";s:4:"%uid";s:7:"2288998";s:6:"%count";i:18;s:5:"%time";i:836;}                         | 
| honeypot      | 2012-09-08 10:16:52      | https://drupal.org/user/2288998         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot      | 2012-09-08 10:16:16      | https://drupal.org/user/2288998         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:8:"masfzaas";s:4:"%uid";s:7:"2288998";s:6:"%count";i:18;s:5:"%time";i:646;}                         | 
| honeypot      | 2012-09-08 10:14:36      | https://drupal.org/user/2288998         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:8:"masfzaas";s:4:"%uid";s:7:"2288998";s:6:"%count";i:18;s:5:"%time";i:646;}                         | 
| honeypot      | 2012-09-08 10:14:36      | https://drupal.org/user/2288998         | Blocked submission of %form due to @cause.                            | a:2:{s:5:"%form";s:15:"forum_node_form";s:6:"@cause";s:57:"submission of the form in less than minimum required time";} | 
| honeypot      | 2012-09-08 10:14:00      | https://drupal.org/user/2288998         | Spammer %uname (%uid) earned %count spam points and %time extra time. | a:4:{s:6:"%uname";s:8:"masfzaas";s:4:"%uid";s:7:"2288998";s:6:"%count";i:18;s:5:"%time";i:608;}                         | 
| user          | 2012-09-08 10:12:10      | https://drupal.org/user/2288998         | Session opened for %name.                                             | a:1:{s:5:"%name";s:8:"masfzaas";}                                                                                       | 
+---------------+--------------------------+-----------------------------------------+-----------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
killes@www.drop.org’s picture

My impression is that they have pretty much given up. There was one attempt on spam from vietnam last night.

killes@www.drop.org’s picture

A handbag spammer managed to get one in by simply wainting the prescribed amount of time. Lost interest afterwards.

geerlingguy’s picture

I was wondering how things have been going, and also if the current 6.x dev release of honeypot is adequate, or if there are other things you'd like me to try to fix up before focusing on a few things in D7 more.

killes@www.drop.org’s picture

Depends who you ask I guess: /I/ think it works great for being such a simple solution. The spammers probably beg to differ...

I don't think we need further changes to the D6 version, but hafing a D7 version would be really nice.

geerlingguy’s picture

Sounds good. I'll work on porting the rest of the patches and testing tonight. Hopefully I'll be able to push out 6.x-1.13 and 7.x-1.13 tonight!

[Edit: Just posted 7.x-1.13 and 6.x-1.13.]

WorldFallz’s picture

Streaming spammer sneaked in: http://drupal.org/user/2298104 (left the node unpublished).

I've been mostly afk (pretty much readonly from a small mobile device) for over a week, but it definitely seems like this simple solution has made a BIG diff!

kudos to geerlingguy for getting the module updated so quickly!

Heine’s picture

http://drupal.org/user/2297340 as well, left the node unpublished.

It's much better now, even if some sneak through, they do not completely take over the tracker.

WorldFallz’s picture

my first porn spam block: http://drupal.org/user/2303464 (left the node unpublished).

mgifford’s picture

This is great news! Thanks @geerlingguy!

WorldFallz’s picture

now we're down to kitchen spam!

http://drupal.org/user/2309024/admin-nodes

WorldFallz’s picture

killes@www.drop.org’s picture

Status: Active » Fixed

Thanks, I added some chars to the blocklist.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.