bbAntiSpam: Discuss how to stop web spam

The forum is retired.

Andres
Guest





Posted: Fri May 18, 2007 1:44 am    Post subject: Textual Confirmation working, but spambots still spamming  

Hi again Oleg,

I have your mod installed in several of my phpBB forums and, for the most part, it's working great. However, I have one forum located at www.UnitedComplaints.com that has started receiving spambots all of a sudden. You can view the memberlist and see that the last 4 to join, are spambots that joined within the last 24 hours.

I've tested the Textual Confirmation and it works, so they must be getting through a different way. I've attempted to change the TC question but that didn't work. I've now had to set Admin user activation to keep them from spamming the forum, but it is very inconvenient.

Could you please have a look at my forum and see how the spambots are getting through? None of my other 6 forums seem to have this problem.

Big thanks,
Andres
Ares



Joined: 28 Mar 2007
Posts: 24

Posted: Fri May 18, 2007 2:39 am    Post subject:  

andres,

if you have an OLD copy of phpBB running somewhere else, that uses the same database as your current one, the bots will CONTINUE to spam you from there.

That happened to me. I had 2 phpBB forums on different sites running off of the same database, one of the sites was secured with TC, and the other wasn't. I couldn't figure out how the bots were getting through, until I realized the bots were still spamming my OLD, unsecured phpBB forum.
admin
Site Admin


Joined: 18 Apr 2006
Posts: 805
Location: Saint-Petersburg, Russia

Posted: Fri May 18, 2007 3:26 am    Post subject:  

Hi Andres,

thanks for reporting.

There are few reports that spambots pass Textual Confirmation. However, details are unclear. I don't think the problem is in code. Most likely, the bots are assisted by cheap human work.

I'm trying to identify the source of the problem. Would you mind installing a sniffer, which will record all the data of the registering users? I hope a pair of days will be enough.
_________________
Oleg Parashchenko, bbAntiSpam
Do you love our tools? Please sponsor further development!
Guest






Posted: Fri May 18, 2007 12:29 pm    Post subject:  

Hi guys, thanks for your prompt replies, as usual.

Ares, all phpBB forums on the same webserver are secured with TC and this is the ONLY forum experiencing this problem.

Oleg, no problem, where do I get the "sniffer" and how do I install it?

Cheers,
Andres
Andres
Guest





Posted: Sat May 19, 2007 12:41 am    Post subject:  

Hi guys,

Just following up.

Now the last 9 registrations have been spambots, something is definitely not right.

Thanks!
Andres
admin
Site Admin


Joined: 18 Apr 2006
Posts: 805
Location: Saint-Petersburg, Russia

Posted: Sat May 19, 2007 3:46 am    Post subject:  

Spammers seem to have released a new version of spambots, which is able to answer yes/no and arithmetical questions. I'm trying to investigate if it is so. I need some assistance.

* On the server, in the folder "includes", create a file named "tcsniff.php".

* Change "tcsniff.php" file permissions. Allow write access to everyone.

* Backup the old file "includes/functions_tc.php"

* Download the archive http://bbantispam.com/sniff_functions_tc.zip.

* Unpack the file "functions_tc.php" from the archive and upload it on the server.

* Try to register on the forum and check that the file "tcsniff.php" is updated.

Let it work for a pair of days. Then send me (to <olepar gmail com>) the file "tcsniff.php".

Or, better, send me the file also as soon as possible, after a few successful spam registrations.
_________________
Oleg Parashchenko, bbAntiSpam
Ares



Joined: 28 Mar 2007
Posts: 24

Posted: Sat May 19, 2007 4:05 am    Post subject:  

Quote:
Spammers seem to have released a new version of spambots, which is able to answer yes/no and arithmetical questions.

on his United Airlines forum, there only seems to be ONE TC question on the registration page: "what is 2 + 3?"

why don't you try Algebra questions: "If A=42 and B=3, what is A + B?". try some word/color/image questions, as well.

Oleg - it's also possible to capture the user's mouse movements on the reg. page and submit that info along with the normal registration info. As far as determining human or bot...
gb
Guest





Posted: Sat May 19, 2007 10:04 am    Post subject:  

I have been using TC very happily on my forums, but a short while ago suddenly noticed spammers signing up again, and contacted Oleg about it.

One thing I did was look at the questions again, and noticed that I had left "are you human?" in - and guessed that it's not much trouble for a spambot to have a 50/50 chance of getting things like that correct.
I have now removed all Yes/No questions from the list, and have instead put in very simple ones to do with the subject of the forum, as anybody signing up will be able to answer them.
For example if it was a forum about sports cars a question might be "write the word Ferrari"... "write the word Jaguar"... or something that simple.

This seems to have worked and the spammers have completely dropped off again. I can imagine they will think of a way round that sometime, but for now it's good!

And thanks again Oleg - TC has been a lifesaver for me!

Cheers
Gareth
Andres
Guest





Posted: Sun May 20, 2007 2:06 am    Post subject:  

Oleg, I'll give that a shot and send it to you in a few days. Thanks!

Ares, I changed to arithmetic only after I noticed they were getting through my original question ("what color is the sky?"), so I don't think the arithmetic is the problem.

Gb, I don't have any YES/NO questions, so there are only 2 possibilities here: 1) they are manually getting through (e.g. human spammer) or 2) there is a loophole somewhere in that specific forum and they are exploiting it and getting through.

Let's see what the sniffer reveals...

Thanks guys!
Andres
admin
Site Admin


Joined: 18 Apr 2006
Posts: 805
Location: Saint-Petersburg, Russia

Posted: Mon May 21, 2007 2:23 am    Post subject:  

There is also the third variant: captcha sweatshops (services to decipher CAPTCHAs using low-paid human labour) added support of Textual Confirmation. However, I don't see why they need it. It should be unprofitable, as described here: http://bbantispam.com/atc/, the last section "Why the protection works now and why it will work in the future".
_________________
Oleg Parashchenko, bbAntiSpam
Andres
Guest





Posted: Tue May 22, 2007 3:48 am    Post subject: Spambots are spreading to my other forums now...  

The spambots have spread to my other forums now, so I'm starting to think this might be related to what Ares originally said:

Ares wrote:
andres,

if you have an OLD copy of phpBB running somewhere else, that uses the same database as your current one, the bots will CONTINUE to spam you from there.

That happened to me. I had 2 phpBB forums on different sites running off of the same database, one of the sites was secured with TC, and the other wasn't. I couldn't figure out how the bots were getting through, until I realized the bots were still spamming my OLD, unsecured phpBB forum.


I've installed the Sniffer in the UnitedComplaints.com forum and will install it in a few of the other ones to be more thorough.

I'll report back in a few days.

Andres
Ares



Joined: 28 Mar 2007
Posts: 24

Posted: Wed May 23, 2007 1:51 am    Post subject:  

actually, that wouldn't make a lot of sense (that they're spreading to your other forums now, too?). if it was a matter of some old, leftover directory that the bots are attacking you from, it should only be a problem with 1 forum, not a problem that spreads.

it still looks like you're using just one question for each one of your TC installations, you should really use more than one.

- add more questions - for all we know, the bots have realized there's just 1 question on your forum(s), and are entering a hard-coded answer each time

- change the default "Answer the Textual Confirmation question to prove you are not a spambot." to something more generic: maybe something like "Answer the security question" - in other words, don't let the bots know they're dealing with TC.

- Oleg - in the TC "blocked attempt" emails that get sent to us, in the future, can the incorrect answer (or lack thereof) the user has entered, be included in the info that is submitted? that way we can easily tell if the bots are at least *trying* to bypass TC.
Ares



Joined: 28 Mar 2007
Posts: 24

Posted: Wed May 23, 2007 2:02 am    Post subject:  

WOAH NELLY. It looks like 1 of my older, less-used boards has picked up andre's problem, as well.

i have an old board with several simple questions (sky/grass/human), and starting May 20, 2007, I started getting 2-3 spam registrations per day, just like andres.

I'm going to change the questions to more complex ones, I'll let you know if that helps.

I would guess, that the spammers either have the human CAPTCHA sweatshops, or, have hard-coded the capability of answering the really simple (sky/grass/human) questions.

edit:
Over the past few months, I "evangelized" to other phpBB admins, and they got TC installed on their forums. One of these forums is a GAMING community, and inherently they're able to ask "smarter" questions, that bots would be very hard pressed to just know - "what game is our clan best known for?", etc.

Those of us with commercial interests in maintaining our phpBB installations can't ask as advanced questions - gaming clans can ask some really neat questions of their users, while andre certainly couldn't be able to do the same with his users.

Similarly, while I can have Star Trek TC questions on my own personal board, it just wouldn't be appropriate to have those same questions on a phpBB board that I administrate for a client of mine.

both my personal phpBB board, and the GAMING clan's phpBB board I just described, both have not received any successful spam registrations.
Ares



Joined: 28 Mar 2007
Posts: 24

Posted: Thu May 24, 2007 3:32 pm    Post subject:  

I believe I've identified the problem.

The bots are apparently smart enough to solve the "sky/grass/human" type of questions, and apparently, questions that are extremely simple arithmetic.

I recently changed the questions on my old board to more complicated, site-specific questions, and 100% of the bots were stopped. Also, on the other websites I've "evangelized" into using TC, the ones who have complex, site-specific questions, have NOT been suffering from successful spam bot registrations. yet.
Centurion



Joined: 25 May 2007
Posts: 5
Location: Poland

Posted: Fri May 25, 2007 9:23 am    Post subject:  

admin wrote:
There are few reports that spambots pass Textual Confirmation. However, details are unclear. I don't think the problem is in code. Most likely, the bots are assisted by cheap human work.


Seems that you're right, here's some log:

Code:
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => buyviagra
new_password => buyviagra
password_confirm => buyviagra
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer =>
new_password =>
password_confirm =>
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => buyviagra
new_password => buyviagra
password_confirm => buyviagra
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => eiffel
new_password => buyviagra
password_confirm => buyviagra
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => http://drugspill.com/product_viagra.htm
new_password => http://drugspill.com/product_viagra.htm
password_confirm => http://drugspill.com/product_viagra.htm
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer =>
new_password =>
password_confirm =>
website =>
location => dictionary_.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => google
email => 7zg44e@i.com
tc_answer =>
new_password => google
password_confirm => google
website =>
location => bb/word8/dictionary.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => google
email => 7zg44e@i.com
tc_answer => Paris
new_password => 111111
password_confirm => 111111
website =>
location => word8/dictionary.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => google
email => 7zg44e@i.com
tc_answer =>
new_password =>
password_confirm =>
website =>
location => word8/dictionary.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11


I've got 2 TC questions and finally this bot got registered by typing the correct one "Paris"
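
Added example (not part of the original post and not bbAntiSpam's code): a Python script that parses a dump in the "key => value" format shown above and flags addresses that submit several different Textual Confirmation answers, the guessing pattern visible in this log. The sample records, placeholder addresses and the `max_distinct` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the sniffer's format; placeholder addresses, fields trimmed.
SAMPLE_LOG = """\
================================================
username => buyviagra
tc_answer => buyviagra
remote_addr => 203.0.113.7
================================================
username => buyviagra
tc_answer =>
remote_addr => 203.0.113.7
================================================
username => buyviagra
tc_answer => eiffel
remote_addr => 203.0.113.7
================================================
username => google
tc_answer => Paris
remote_addr => 203.0.113.7
================================================
username => alice
tc_answer => Paris
remote_addr => 192.0.2.10
"""

def parse_records(text):
    """Split the dump on '=====' separator lines; return one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("====="):
            if current:
                records.append(current)
            current = {}
        elif "=>" in line:
            key, _, value = line.partition("=>")
            current[key.strip()] = value.strip()  # "tc_answer =>" yields ""
    if current:
        records.append(current)
    return records

def guessing_sources(records, max_distinct=2):
    """Map each address that tried more than max_distinct answers to those answers."""
    answers = defaultdict(set)
    for rec in records:
        if rec.get("tc_answer"):  # blank submissions are not guesses
            answers[rec.get("remote_addr", "unknown")].add(rec["tc_answer"].lower())
    return {ip: sorted(a) for ip, a in answers.items() if len(a) > max_distinct}
```

An address that appears in the result is cycling through candidate answers, so a forum with only one or two questions will eventually be passed from that address; a single correct answer from another address is not flagged.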
