Some appears to be posting beyond the current time limits. I've blocked the user and unpublished the nodes so killes can take a look.

user: https://drupal.org/user/2822079
nodes: https://drupal.org/user/2822079/admin-nodes

Some are only 1 min apart....

Comments

nevets’s picture

Based on the contents I would add that they have been persistent over the last several days using different accounts

WorldFallz’s picture

yeah... i suspected it might have been the same poster, but someone deleted the other posts before I could unpublish them.

Heine’s picture

Sorry, I deleted a bunch and blocked the associated accounts this morning.

Possible problems:

- The timelimit is a hidden field and can be set by the bot.
- A successful form submission is not counted towards a penalty or flood.

nevets’s picture

A couple more, I blocked the users, unpublished the content.

https://drupal.org/user/2822885
https://drupal.org/user/2822877

WorldFallz’s picture

nevets’s picture

And another: https://drupal.org/user/2823463, they sure seem determined.

killes@www.drop.org’s picture

bypassing our spam protection is easy if your content doesn't match the blocklist. I've added some terms.

Jaypan’s picture

Maybe try adding the phone number they keep publishing as one of the terms. It appears to be consistent through the spam.

dddave’s picture

I've left one of those phone-number spams to check: https://drupal.org/user/2824079/admin-nodes

killes@www.drop.org’s picture

added strings

WorldFallz’s picture

these guys are persistent, and now it seems love is the topic of the day: https://drupal.org/user/2828731/admin-nodes

Jaypan’s picture

Then we should ban love!

...oh wait :)

WorldFallz’s picture

now it's both love and black magic-- one might suggest two sides of the same coin ;-)

https://drupal.org/user/2829053/admin-nodes

killes@www.drop.org’s picture

The issue is that these buggers simply wait half an hour before submitting the form, it seems...

I'll add some more strings.

Jaypan’s picture

I'm thinking 'vashikaran' or 'vashikaran specialist' should be blocked. And maybe anything with '+91'.

dddave’s picture

dddave’s picture

silverwing’s picture

WorldFallz’s picture

These jackasses are getting on my last nerve, another: https://drupal.org/user/2831209/admin-nodes

Jaypan’s picture

They're certainly persistent. Are they posting from multiple IPs?

killes@www.drop.org’s picture

I've studied the logs a bit and I think they are exploiting the fact that the temporary spam count gets reset after each cron run.

I've added more strings, but I guess we should start to modify code instead, they already get between 100 and 1000 extra seconds.

dman’s picture

So I guess this is the discussion/gripe thread about this months Indian spammers.
I've arbitrarily deleted and blocked a few hundred posts recently. Some with issue reports, many without.

killes@www.drop.org’s picture

I've now doubled the expiration threshold.

silverwing’s picture

WorldFallz’s picture

This is one of the more egregious incursions.... Like 17 spams: https://drupal.org/user/2834857/admin-nodes

dddave’s picture

I've blocked and unpublished the nodes of said user #2210245: Spam Report btw

killes@www.drop.org’s picture

hmm, that is a strang one. he did collect points (lots of them) but was able to submit the form anyway.

I guess we need to set up a test site and see if we can reproduce this.

silverwing’s picture

WorldFallz’s picture

Yowza... this one has almost 30 .... Sme within the same minute.

https://drupal.org/user/2845367/admin-nodes

WorldFallz’s picture

Issue tags: +Qqqqqqqqqqqqqqqqq

And another similar one ..... 20+ posts, many less than a minute apart.

WorldFallz’s picture

And another one, non-indian, with posts every minute:

https://drupal.org/user/2846647/admin-nodes

dddave’s picture

Issue tags: -Qqqqqqqqqqqqqqqqq

Another massive short-time flooding without "not a spammer" role: https://drupal.org/user/2860961/admin-nodes

and: https://drupal.org/user/2859519/admin-nodes

lizzjoy’s picture

And another https://drupal.org/user/2860081/admin-nodes
Should I delete these nodes as per usual? I only unpublished because it appears to be the same person/s we are dealing with in this issue.

dddave’s picture

Leave them unpublished in case killes can analyse them.

killes@www.drop.org’s picture

my analysis is that somebody needs to set up a dev site and try to replicate this, possibly they are using several tabs at once.

We may need to change honeypot.module to track points in the session, it may not do that atm.

dddave’s picture

Sounds like something we can discuss in the community tools group WorldFallz?

dddave’s picture

Can somebody check if this user https://drupal.org/user/2865031 and all the other aghorinathXYZ user already blocked share the same IP?

dman’s picture

The Indian black magic (+ marriage counsellors/love potions/horoscopes) idiots are still adding accounts and posts.

Over the last few days I've hit maybe a dozen accounts with between 6-20 posts each, usually all within an hour per batch.
Not been bothering to report or record, but I can hang on to the next few bunches and just 'unpublish' them if we are still looking for patterns to forensically identify them...
Otherwise I'll just keep deleting them ad-hoc...

WorldFallz’s picture

Title: defeating our spam protection? » defeating our spam protection -- serious incursion
Priority: Normal » Major

Ok, this one was a serious incursion. 107 posts in the course of a couple of minutes. However, the most concerning thing, is many of them show exactly the same time (in minutes) -- some have as many as a dozen posts showing the same minute:

https://drupal.org/user/2871767/admin-nodes

dman’s picture

Still around. Blocked and *unpublished* this time.
https://drupal.org/user/2872541/admin-nodes

Are these showing phone number that should be getting blocked? Or is this new?

dman’s picture

WorldFallz’s picture

At least those last 3 links were just a couple of posts with variable minutes between them. The link I posted bothered me greatly because it was over 100 in a very short period of time, many with the same minute as time. Hopefully killes got to take a look before they were deleted.

WorldFallz’s picture

Title: defeating our spam protection -- serious incursion » defeating our spam protection -- serious incursion x 2

And another major one (120 nodes)from April 17, 2014 - 04:44 to April 17, 2014 - 06:21, many of them timestamped with the same minute:

https://drupal.org/user/2872703/admin-nodes

blocked and unpublished for review by killes.

WorldFallz’s picture

apparently these asshats have nothing better to do: https://drupal.org/user/2873039/admin-nodes

silverwing’s picture

https://drupal.org/user/2872135/admin-nodes unpublished (not many since they were caught in the act.)

silverwing’s picture

WorldFallz’s picture

and another one with 97 entries: https://drupal.org/user/2873491/admin-nodes

nevets’s picture

Here is one with a 159 entries, https://drupal.org/user/2875403
Blocked the user, unpublished the spam.

I also don't report all such spam I find, most days it seems like I catch maybe half a dozen less prolific posters.

nevets’s picture

And another with 103, https://drupal.org/user/2874793/admin-nodes

User block, content unpublished.

dddave’s picture

Somebody up for the mission killes supposed in #35?

Ayesh’s picture

Came here after reporting a node in same pattern. Post-installation forum is flooded with those.

I thought there is a posting frequency block or something for new users. Those spam posts are new accounts and given the frequency, I think it's easy to spot them. Are the filters disabled now or something?

If there is a need of an extra hand, I am available (to unpublished them, etc).

nevets’s picture

Here is a proficient one, https://drupal.org/user/2879217/admin-nodes, 172 posts is less than 4 hours.

nevets’s picture

And another one with 55 posts in less than 7 hours, https://drupal.org/user/2879981.

Wouldn't it be possible to throttle how many post a user can make in an hour (maybe related to how long they have been a Drupal.org user)

nevets’s picture

Here is one with 150 in less than 4 hours, https://drupal.org/user/2880825/admin-nodes

nevets’s picture

These are becoming really annoying, I seem to spend 30+ minutes each day cleaning up after them.

Here is another one with 169 posts in just over 4 hours, https://drupal.org/user/2881591.

Note I am only reporting the proficient ones here.

WorldFallz’s picture

there's definitely something different going on. I keep removing spammers with the typical 4-5 posts a few minutes apart. But the recent ones with 100+ posts all timestamped with the same minute or within minutes have obviously found a loophole somewhere. I just tested using different browsers, and was not able to bypass the form submission waiting period so they must be doing something else.

dddave’s picture

WorldFallz’s picture

This is really frustrating. I just wasted time deleting another handful of these ass wipes. I seem to remember that there's a module that unpublishes posts/comments with certain words-- i just can't find it atm. If we can block/unpublish nodes and comments with "vashikaran" and "VASHIKARAN", "baba" and "BABA" and "Black Magic", "black magic", and "BLACK MAGIC", which is common to almost all of them and likely has no legitimate use on drupal.org, that would go a long way. Do we use any form of form submit rejection when posts have certain words?

Alternatively, it might be time to look into another form of spam protection.

dddave’s picture

I understood #7 that we already have a (obviously ineffective) blocklist containing most of those words.

WorldFallz’s picture

duh. my bad. we do have a block list. So if these terms on are there, there's hack to get around it which we should close down. If not, then we need to add them. Is there any way more maintainers can view and maybe edit the block list? Or is it something outside of the admin ui?

killes@www.drop.org’s picture

The list is not available in the UI.

I've previously checked that the people who do these spams get allocated spam points for their spam - the list is not the problem.

The issue seems to be that there's a way around the form submit protection that the honeypot module provides.

We need a test site to try to emulate and understand it.

nevets’s picture

And we have a new winner, 321 posts in just over four hours: https://drupal.org/user/2884353

dman’s picture

dman’s picture

I've been silently stamping out half a dozen accounts x a handful of these Indian posts pretty much each evening - is there any benefit in retaining/unpublishing them for analysis still? I think we all know what they look like by now, but if blacklisting the phone number is ineffective ... what *would* be effective?

dman’s picture

Still clearing this out each evening here. Was over a dozen last night, each with between 2 and 8 Voodoo ads.
Also a small number of new players with Markov text, not sure if they are a new pattern yet.
Surely that Phone number should just be blacklisted? They all include it and it's the real trigger..

Failing that, I'll start a Kickstarter to find a local Mumbai hitman that can trace that number and sort something out a bit more permanently...

silverwing’s picture

Thinking we need to revisit spam.module as the current method isn't just ineffective, it's infuriating.

dddave’s picture

Is there the possibility to sprint on this issue in Austin? (I am not there btw) This is a huge drag for all webmasters.

nevets’s picture

I just spent about 1/2 an hour cleaning up more of these.

WorldFallz’s picture

Yeah, it's really infuriating. They probably take over the forums and the recent posts pages just long enough to get some google juice out of it. I've tried unsuccessfully several times to bypass the form time limit and I can't figure it out (though my black hat skills are non existent, lol).

I just got a dev site spun up for the community tools team that we could probably use for testing but my guess is it will need someone who understands the backend of this stuff pretty well to figure it out.

As for other spam protections, I'm not sure what else would be effective. Mollom, besides not being open source, has been roundly criticized in its performance on groups.drupal.org. Don't think that's an option.

What about something old school simple-- 'unpublish posts with these words' type of thing? Optionally we could add a flag or field so that we could queue them up for review with a view somewhere as well.

dman’s picture

Killed another 200 posts over 20 accounts, plus acknowledged and closed another 5 spam reports from the public that noticed them... And am doing similar every night. This is my available 'Drupal' time that I had allocated to D8 patching and testing...

WHY DON'T WE AT LEAST HAVE A BLACKLIST FOR THE PHONE NUMBER THAT IS IN EVERY POST?
Our time is worth more than this...

dddave’s picture

I thought we had had (eg #10) but somehow this doesn't help.

killes@www.drop.org’s picture

Assigned: Unassigned » killes@www.drop.org

The number is blacklisted for quite some time (at least since March) as are other parts of their recurring messages.

These people also do collect the appropriate number of spam points from their use of these terms which are translated into seconds (over 500) that they should not be able to post anything.

The problem is that this latter part does not work for them for some reason. I haven't had time to figure out why and nobody else has had either.

The issue seems to be that the spam points are not permanently stored.

I've looked a bit at the code now and also checked some values in the database.

I think that if you manage to post a lot of content at once, the module isn't used as intended. Ie the honeypot_user table is not yet populated from the other when the content is posted. They may be taking advantage of some small amount of replication delay.

Essentially, you open 20 tabs and then submit them at once.

Oh, and I found that the module only scans the titles not the bodies. Who wrote that piece of crap?...

I've pushed a proposed fix.

dman’s picture

Thanks for the progress update Gerhard. Sorry to keep prodding like I did but ... needed to keep this on the radar. :-}

WorldFallz’s picture

Essentially, you open 20 tabs and then submit them at once.

I did try to do that myself-- i was denied due to the time restriction every time. I even tried with different browsers and was till denied.

Oh, and I found that the module only scans the titles not the bodies. Who wrote that piece of crap?...

which module? That's something I can at least submit a patch for if your proposed fix didn't already.

killes@www.drop.org’s picture

The "who wrote it" was a snarky comment on my own lousy work. ;)

I've pushed the fix to git and I hope Neil can it deploy it later today.

killes@www.drop.org’s picture

The changes have been deployed as of May 15th, 11:03:47 PM.

Did it do any good?

dddave’s picture

Sure looks like it. Less spam and those spammers have only one or two posts.

killes@www.drop.org’s picture

Let's hope that their ineffectiveness will make them go away.

dman’s picture

Feels like it - I've not seen the same pattern from the Voodoo boys for a week!

dman’s picture

Speak too soon.
Looks like a new phone number?
https://drupal.org/user/2902677

Unpublished but retained for inspection
at https://drupal.org/user/2902677/track

dddave’s picture

Could we add "payday" to the forbidden words? https://drupal.org/node/2267745#new is btw something special. That's dedication...

killes@www.drop.org’s picture

@dman: somebody else deleted the content...

@ddave: "payday" was added a long time ago. I added "installment".

@all: I am sorry that my oversight caused so much work.

WorldFallz’s picture

@killes - you have NOTHING to apologize for. This is all the fault of the aßhat spammers destroying the internet. THANK YOU for contributing your expertise and fixing the module!

And definitely seems to have helped-- i've only had to remove 1 single spam post today so far!

We can leave this open a day or 2 more, but if no major incursions reappear, we can close it!

silverwing’s picture

@killes - thank you.

dman’s picture

We've been MUCH MUCH better this week, yay.

Still, I see the same poster. Not successfullyflooding, but still trying the same tricks.

I've blocked and unpublished https://drupal.org/user/2904853/admin-nodes for inspection, but if someone else has nuked it before it can be inspected, the title was
$@$#Love Marriage vashikaran specilist%%% +91-9915467377*****
And the body was

1. Advice for HEALTH PROBLEMS.
2 Advice for LOVE LIFE.
3. Consultation for CHILD.
4. Advice for FAMILY PROBLEMS.
5 Advice for .PROMOTION IN JOB.
6 Advice for.DOMESTIC CONTROVERSY.
7 Advice for.LOVE.
8.FOREIGN TRAVELING.
9.DREAM PROBLEMS.
10. Advice for BUSINESS LOSSES.
11. Advice on Disturbed love life

(I lost further forensic powers like account IP or user email inspection during the D7 upgrade of roles and things)

I got this one at only one post from a 30-minute account. The last set we missed was 6 posts from a < 60 minute account.

... and does trying to post the report blacklist me ... ? lets find out!

killes@www.drop.org’s picture

If people are willing to wait the prescribed (and displayed) time, they can post anything.

And trusted users do not get bothered by the blocklist at all.

I am counting that these people will get tired of posting as did the fridge repairmen from Thailand...

silverwing’s picture

This black magic spammer got a few through minutes apart - don't know if some of the phrases/words used are blacklisted:
https://drupal.org/user/2908699/admin-nodes (unpublished)

killes@www.drop.org’s picture

Something still needs improvement, he got 12 spam points and still got through despite the counter is at over an hour...

WorldFallz’s picture

Here's another with 5 posts about a min apart....

https://drupal.org/user/2909861/admin-nodes

dddave’s picture

WorldFallz’s picture

I just posted a new issue for a similar spammer: #2308403: more spam training. Not sure if we should keep these in one issue (sort of makes sense), or create new ones.

killes@www.drop.org’s picture

Thanks, I've added a few terms.

mlhess’s picture

Status: Active » Closed (outdated)

Closing this as it is 3 years old.