Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Some appears to be posting beyond the current time limits. I've blocked the user and unpublished the nodes so killes can take a look.
user: https://drupal.org/user/2822079
nodes: https://drupal.org/user/2822079/admin-nodes
Some are only 1 min apart....
Comments
Comment #1
nevets CreditAttribution: nevets commentedBased on the contents I would add that they have been persistent over the last several days using different accounts
Comment #2
WorldFallz CreditAttribution: WorldFallz commentedyeah... i suspected it might have been the same poster, but someone deleted the other posts before I could unpublish them.
Comment #3
Heine CreditAttribution: Heine commentedSorry, I deleted a bunch and blocked the associated accounts this morning.
Possible problems:
- The timelimit is a hidden field and can be set by the bot.
- A successful form submission is not counted towards a penalty or flood.
Comment #4
nevets CreditAttribution: nevets commentedA couple more, I blocked the users, unpublished the content.
https://drupal.org/user/2822885
https://drupal.org/user/2822877
Comment #5
WorldFallz CreditAttribution: WorldFallz commentedand another: https://drupal.org/user/2822851/admin-nodes
Comment #6
nevets CreditAttribution: nevets commentedAnd another: https://drupal.org/user/2823463, they sure seem determined.
Comment #7
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedbypassing our spam protection is easy if your content doesn't match the blocklist. I've added some terms.
Comment #8
Jaypan CreditAttribution: Jaypan commentedMaybe try adding the phone number they keep publishing as one of the terms. It appears to be consistent through the spam.
Comment #9
dddave CreditAttribution: dddave commentedI've left one of those phone-number spams to check: https://drupal.org/user/2824079/admin-nodes
Comment #10
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedadded strings
Comment #11
WorldFallz CreditAttribution: WorldFallz commentedthese guys are persistent, and now it seems love is the topic of the day: https://drupal.org/user/2828731/admin-nodes
Comment #12
Jaypan CreditAttribution: Jaypan commentedThen we should ban love!
...oh wait :)
Comment #13
WorldFallz CreditAttribution: WorldFallz commentednow it's both love and black magic-- one might suggest two sides of the same coin ;-)
https://drupal.org/user/2829053/admin-nodes
Comment #14
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThe issue is that these buggers simply wait half an hour before submitting the form, it seems...
I'll add some more strings.
Comment #15
Jaypan CreditAttribution: Jaypan commentedI'm thinking 'vashikaran' or 'vashikaran specialist' should be blocked. And maybe anything with '+91'.
Comment #16
dddave CreditAttribution: dddave commentedhttps://drupal.org/user/2830309/admin-nodes
Massive: https://drupal.org/user/2829967/admin-nodes
Comment #17
dddave CreditAttribution: dddave commentedAdd vashikaran to the list: #2206129: Moderation report for https://drupal.org/node/2205951
Comment #18
silverwing CreditAttribution: silverwing commentedand some more...
https://drupal.org/user/2831133/admin-nodes
https://drupal.org/user/2831123/admin-nodes
https://drupal.org/user/2831073/admin-nodes
Comment #19
WorldFallz CreditAttribution: WorldFallz commentedThese jackasses are getting on my last nerve, another: https://drupal.org/user/2831209/admin-nodes
Comment #20
Jaypan CreditAttribution: Jaypan commentedThey're certainly persistent. Are they posting from multiple IPs?
Comment #21
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedI've studied the logs a bit and I think they are exploiting the fact that the temporary spam count gets reset after each cron run.
I've added more strings, but I guess we should start to modify code instead, they already get between 100 and 1000 extra seconds.
Comment #22
dman CreditAttribution: dman commentedSo I guess this is the discussion/gripe thread about this months Indian spammers.
I've arbitrarily deleted and blocked a few hundred posts recently. Some with issue reports, many without.
Comment #23
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedI've now doubled the expiration threshold.
Comment #24
silverwing CreditAttribution: silverwing commented...and...
https://drupal.org/user/2833035/admin-nodes
Comment #25
WorldFallz CreditAttribution: WorldFallz commentedThis is one of the more egregious incursions.... Like 17 spams: https://drupal.org/user/2834857/admin-nodes
Comment #26
dddave CreditAttribution: dddave commentedI've blocked and unpublished the nodes of said user #2210245: Spam Report btw
Comment #27
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedhmm, that is a strang one. he did collect points (lots of them) but was able to submit the form anyway.
I guess we need to set up a test site and see if we can reproduce this.
Comment #28
silverwing CreditAttribution: silverwing commentedTen more posts: https://drupal.org/user/2840837/admin-nodes
Comment #29
WorldFallz CreditAttribution: WorldFallz commentedYowza... this one has almost 30 .... Sme within the same minute.
https://drupal.org/user/2845367/admin-nodes
Comment #30
WorldFallz CreditAttribution: WorldFallz commentedAnd another similar one ..... 20+ posts, many less than a minute apart.
Comment #31
WorldFallz CreditAttribution: WorldFallz commentedAnd another one, non-indian, with posts every minute:
https://drupal.org/user/2846647/admin-nodes
Comment #32
dddave CreditAttribution: dddave commentedAnother massive short-time flooding without "not a spammer" role: https://drupal.org/user/2860961/admin-nodes
and: https://drupal.org/user/2859519/admin-nodes
Comment #33
lizzjoyAnd another https://drupal.org/user/2860081/admin-nodes
Should I delete these nodes as per usual? I only unpublished because it appears to be the same person/s we are dealing with in this issue.
Comment #34
dddave CreditAttribution: dddave commentedLeave them unpublished in case killes can analyse them.
Comment #35
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedmy analysis is that somebody needs to set up a dev site and try to replicate this, possibly they are using several tabs at once.
We may need to change honeypot.module to track points in the session, it may not do that atm.
Comment #36
dddave CreditAttribution: dddave commentedSounds like something we can discuss in the community tools group WorldFallz?
Comment #37
dddave CreditAttribution: dddave commentedCan somebody check if this user https://drupal.org/user/2865031 and all the other aghorinathXYZ user already blocked share the same IP?
Comment #38
dman CreditAttribution: dman commentedThe Indian black magic (+ marriage counsellors/love potions/horoscopes) idiots are still adding accounts and posts.
Over the last few days I've hit maybe a dozen accounts with between 6-20 posts each, usually all within an hour per batch.
Not been bothering to report or record, but I can hang on to the next few bunches and just 'unpublish' them if we are still looking for patterns to forensically identify them...
Otherwise I'll just keep deleting them ad-hoc...
Comment #39
WorldFallz CreditAttribution: WorldFallz commentedOk, this one was a serious incursion. 107 posts in the course of a couple of minutes. However, the most concerning thing, is many of them show exactly the same time (in minutes) -- some have as many as a dozen posts showing the same minute:
https://drupal.org/user/2871767/admin-nodes
Comment #40
dman CreditAttribution: dman commentedStill around. Blocked and *unpublished* this time.
https://drupal.org/user/2872541/admin-nodes
Are these showing phone number that should be getting blocked? Or is this new?
Comment #41
dman CreditAttribution: dman commentedOngoing.
Blocked and unpublished
https://drupal.org/user/2872635/admin-nodes
https://drupal.org/user/2872647/admin-nodes
Comment #42
WorldFallz CreditAttribution: WorldFallz commentedAt least those last 3 links were just a couple of posts with variable minutes between them. The link I posted bothered me greatly because it was over 100 in a very short period of time, many with the same minute as time. Hopefully killes got to take a look before they were deleted.
Comment #43
WorldFallz CreditAttribution: WorldFallz commentedAnd another major one (120 nodes)from April 17, 2014 - 04:44 to April 17, 2014 - 06:21, many of them timestamped with the same minute:
https://drupal.org/user/2872703/admin-nodes
blocked and unpublished for review by killes.
Comment #44
WorldFallz CreditAttribution: WorldFallz commentedapparently these asshats have nothing better to do: https://drupal.org/user/2873039/admin-nodes
Comment #45
silverwing CreditAttribution: silverwing commentedhttps://drupal.org/user/2872135/admin-nodes unpublished (not many since they were caught in the act.)
Comment #46
silverwing CreditAttribution: silverwing commentedhttps://drupal.org/user/2873743/admin-nodes
Comment #47
WorldFallz CreditAttribution: WorldFallz commentedand another one with 97 entries: https://drupal.org/user/2873491/admin-nodes
Comment #48
nevets CreditAttribution: nevets commentedHere is one with a 159 entries, https://drupal.org/user/2875403
Blocked the user, unpublished the spam.
I also don't report all such spam I find, most days it seems like I catch maybe half a dozen less prolific posters.
Comment #49
nevets CreditAttribution: nevets commentedAnd another with 103, https://drupal.org/user/2874793/admin-nodes
User block, content unpublished.
Comment #50
dddave CreditAttribution: dddave commentedSomebody up for the mission killes supposed in #35?
Comment #51
Ayesh CreditAttribution: Ayesh commentedCame here after reporting a node in same pattern. Post-installation forum is flooded with those.
I thought there is a posting frequency block or something for new users. Those spam posts are new accounts and given the frequency, I think it's easy to spot them. Are the filters disabled now or something?
If there is a need of an extra hand, I am available (to unpublished them, etc).
Comment #52
nevets CreditAttribution: nevets commentedHere is a proficient one, https://drupal.org/user/2879217/admin-nodes, 172 posts is less than 4 hours.
Comment #53
nevets CreditAttribution: nevets commentedAnd another one with 55 posts in less than 7 hours, https://drupal.org/user/2879981.
Wouldn't it be possible to throttle how many post a user can make in an hour (maybe related to how long they have been a Drupal.org user)
Comment #54
nevets CreditAttribution: nevets commentedHere is one with 150 in less than 4 hours, https://drupal.org/user/2880825/admin-nodes
Comment #55
nevets CreditAttribution: nevets commentedThese are becoming really annoying, I seem to spend 30+ minutes each day cleaning up after them.
Here is another one with 169 posts in just over 4 hours, https://drupal.org/user/2881591.
Note I am only reporting the proficient ones here.
Comment #56
WorldFallz CreditAttribution: WorldFallz commentedthere's definitely something different going on. I keep removing spammers with the typical 4-5 posts a few minutes apart. But the recent ones with 100+ posts all timestamped with the same minute or within minutes have obviously found a loophole somewhere. I just tested using different browsers, and was not able to bypass the form submission waiting period so they must be doing something else.
Comment #57
dddave CreditAttribution: dddave commentedhttps://drupal.org/user/2882539/admin-nodes
196 posts
Comment #58
WorldFallz CreditAttribution: WorldFallz commentedThis is really frustrating. I just wasted time deleting another handful of these ass wipes. I seem to remember that there's a module that unpublishes posts/comments with certain words-- i just can't find it atm. If we can block/unpublish nodes and comments with "vashikaran" and "VASHIKARAN", "baba" and "BABA" and "Black Magic", "black magic", and "BLACK MAGIC", which is common to almost all of them and likely has no legitimate use on drupal.org, that would go a long way. Do we use any form of form submit rejection when posts have certain words?
Alternatively, it might be time to look into another form of spam protection.
Comment #59
dddave CreditAttribution: dddave commentedI understood #7 that we already have a (obviously ineffective) blocklist containing most of those words.
Comment #60
WorldFallz CreditAttribution: WorldFallz commentedduh. my bad. we do have a block list. So if these terms on are there, there's hack to get around it which we should close down. If not, then we need to add them. Is there any way more maintainers can view and maybe edit the block list? Or is it something outside of the admin ui?
Comment #61
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThe list is not available in the UI.
I've previously checked that the people who do these spams get allocated spam points for their spam - the list is not the problem.
The issue seems to be that there's a way around the form submit protection that the honeypot module provides.
We need a test site to try to emulate and understand it.
Comment #62
nevets CreditAttribution: nevets commentedAnd we have a new winner, 321 posts in just over four hours: https://drupal.org/user/2884353
Comment #63
dman CreditAttribution: dman commentedNow they are moving into handbook vandalism
https://drupal.org/press
https://drupal.org/node/222548/revisions/view/2439350/7202347
This is tricky to weed out because of #1146518: Create view of revisions created by a user (for spam tracking)
Comment #64
dman CreditAttribution: dman commentedI've been silently stamping out half a dozen accounts x a handful of these Indian posts pretty much each evening - is there any benefit in retaining/unpublishing them for analysis still? I think we all know what they look like by now, but if blacklisting the phone number is ineffective ... what *would* be effective?
Comment #65
dman CreditAttribution: dman commentedStill clearing this out each evening here. Was over a dozen last night, each with between 2 and 8 Voodoo ads.
Also a small number of new players with Markov text, not sure if they are a new pattern yet.
Surely that Phone number should just be blacklisted? They all include it and it's the real trigger..
Failing that, I'll start a Kickstarter to find a local Mumbai hitman that can trace that number and sort something out a bit more permanently...
Comment #66
silverwing CreditAttribution: silverwing commentedThinking we need to revisit spam.module as the current method isn't just ineffective, it's infuriating.
Comment #67
dddave CreditAttribution: dddave commentedIs there the possibility to sprint on this issue in Austin? (I am not there btw) This is a huge drag for all webmasters.
Comment #68
nevets CreditAttribution: nevets commentedI just spent about 1/2 an hour cleaning up more of these.
Comment #69
WorldFallz CreditAttribution: WorldFallz commentedYeah, it's really infuriating. They probably take over the forums and the recent posts pages just long enough to get some google juice out of it. I've tried unsuccessfully several times to bypass the form time limit and I can't figure it out (though my black hat skills are non existent, lol).
I just got a dev site spun up for the community tools team that we could probably use for testing but my guess is it will need someone who understands the backend of this stuff pretty well to figure it out.
As for other spam protections, I'm not sure what else would be effective. Mollom, besides not being open source, has been roundly criticized in its performance on groups.drupal.org. Don't think that's an option.
What about something old school simple-- 'unpublish posts with these words' type of thing? Optionally we could add a flag or field so that we could queue them up for review with a view somewhere as well.
Comment #70
dman CreditAttribution: dman commentedKilled another 200 posts over 20 accounts, plus acknowledged and closed another 5 spam reports from the public that noticed them... And am doing similar every night. This is my available 'Drupal' time that I had allocated to D8 patching and testing...
WHY DON'T WE AT LEAST HAVE A BLACKLIST FOR THE PHONE NUMBER THAT IS IN EVERY POST?
Our time is worth more than this...
Comment #71
dddave CreditAttribution: dddave commentedI thought we had had (eg #10) but somehow this doesn't help.
Comment #72
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThe number is blacklisted for quite some time (at least since March) as are other parts of their recurring messages.
These people also do collect the appropriate number of spam points from their use of these terms which are translated into seconds (over 500) that they should not be able to post anything.
The problem is that this latter part does not work for them for some reason. I haven't had time to figure out why and nobody else has had either.
The issue seems to be that the spam points are not permanently stored.
I've looked a bit at the code now and also checked some values in the database.
I think that if you manage to post a lot of content at once, the module isn't used as intended. Ie the honeypot_user table is not yet populated from the other when the content is posted. They may be taking advantage of some small amount of replication delay.
Essentially, you open 20 tabs and then submit them at once.
Oh, and I found that the module only scans the titles not the bodies. Who wrote that piece of crap?...
I've pushed a proposed fix.
Comment #73
dman CreditAttribution: dman commentedThanks for the progress update Gerhard. Sorry to keep prodding like I did but ... needed to keep this on the radar. :-}
Comment #74
WorldFallz CreditAttribution: WorldFallz commentedI did try to do that myself-- i was denied due to the time restriction every time. I even tried with different browsers and was till denied.
which module? That's something I can at least submit a patch for if your proposed fix didn't already.
Comment #75
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThe "who wrote it" was a snarky comment on my own lousy work. ;)
I've pushed the fix to git and I hope Neil can it deploy it later today.
Comment #76
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThe changes have been deployed as of May 15th, 11:03:47 PM.
Did it do any good?
Comment #77
dddave CreditAttribution: dddave commentedSure looks like it. Less spam and those spammers have only one or two posts.
Comment #78
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedLet's hope that their ineffectiveness will make them go away.
Comment #79
dman CreditAttribution: dman commentedFeels like it - I've not seen the same pattern from the Voodoo boys for a week!
Comment #80
dman CreditAttribution: dman commentedSpeak too soon.
Looks like a new phone number?
https://drupal.org/user/2902677
Unpublished but retained for inspection
at https://drupal.org/user/2902677/track
Comment #81
dddave CreditAttribution: dddave commentedCould we add "payday" to the forbidden words? https://drupal.org/node/2267745#new is btw something special. That's dedication...
Comment #82
killes@www.drop.org CreditAttribution: killes@www.drop.org commented@dman: somebody else deleted the content...
@ddave: "payday" was added a long time ago. I added "installment".
@all: I am sorry that my oversight caused so much work.
Comment #83
WorldFallz CreditAttribution: WorldFallz commented@killes - you have NOTHING to apologize for. This is all the fault of the aßhat spammers destroying the internet. THANK YOU for contributing your expertise and fixing the module!
And definitely seems to have helped-- i've only had to remove 1 single spam post today so far!
We can leave this open a day or 2 more, but if no major incursions reappear, we can close it!
Comment #84
silverwing CreditAttribution: silverwing commented@killes - thank you.
Comment #85
dman CreditAttribution: dman commentedWe've been MUCH MUCH better this week, yay.
Still, I see the same poster. Not successfullyflooding, but still trying the same tricks.
I've blocked and unpublished https://drupal.org/user/2904853/admin-nodes for inspection, but if someone else has nuked it before it can be inspected, the title was
$@$#Love Marriage vashikaran specilist%%% +91-9915467377*****
And the body was
(I lost further forensic powers like account IP or user email inspection during the D7 upgrade of roles and things)
I got this one at only one post from a 30-minute account. The last set we missed was 6 posts from a < 60 minute account.
... and does trying to post the report blacklist me ... ? lets find out!
Comment #86
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedIf people are willing to wait the prescribed (and displayed) time, they can post anything.
And trusted users do not get bothered by the blocklist at all.
I am counting that these people will get tired of posting as did the fridge repairmen from Thailand...
Comment #87
silverwing CreditAttribution: silverwing commentedThis black magic spammer got a few through minutes apart - don't know if some of the phrases/words used are blacklisted:
https://drupal.org/user/2908699/admin-nodes (unpublished)
Comment #88
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedSomething still needs improvement, he got 12 spam points and still got through despite the counter is at over an hour...
Comment #89
WorldFallz CreditAttribution: WorldFallz commentedHere's another with 5 posts about a min apart....
https://drupal.org/user/2909861/admin-nodes
Comment #90
dddave CreditAttribution: dddave commentedso this atrocity happened: https://www.drupal.org/user/2958571/admin-nodes
Comment #91
WorldFallz CreditAttribution: WorldFallz commentedI just posted a new issue for a similar spammer: #2308403: more spam training. Not sure if we should keep these in one issue (sort of makes sense), or create new ones.
Comment #92
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThanks, I've added a few terms.
Comment #93
mlhess CreditAttribution: mlhess as a volunteer commentedClosing this as it is 3 years old.