Author |
Message |
Andres Guest
|
Posted: Fri May 18, 2007 1:44 am Post subject: Textual Confirmation working, but spambots still spamming |
|
|
Hi again Oleg,
I have your mod installed in several of my phpBB forums and, for the most part, it's working great. However, I have one forum located at www.UnitedComplaints.com that has started receiving spambots all of a sudden. You can view the memberlist and see that the last 4 to join, are spambots that joined within the last 24 hours.
I've tested the Textual Confirmation and it works, so they must be getting through a different way. I've attempted to change the TC question but that didn't work. I've now had to set Admin user activation to keep them from spamming the forum, but it is very inconvenient.
Could you please have a look at my forum and see how the spambots are getting through? None of my other 6 forums seem to have this problem.
Big thanks,
Andres |
|
|
Ares
Joined: 28 Mar 2007 Posts: 24
|
Posted: Fri May 18, 2007 2:39 am Post subject: |
|
|
andres,
if you have an OLD copy of phpBB running somewhere else, that uses the same database as your current one, the bots will CONTINUE to spam you from there.
That happened to me. I had 2 phpBB forums on different sites running off of the same database, one of the sites was secured with TC, and the other wasn't. I couldn't figure out how the bots were getting through, untill I realized the bots were still spamming my OLD, unsecured phpBB forum |
|
|
admin Site Admin
Joined: 18 Apr 2006 Posts: 805 Location: Saint-Petersburg, Russia
|
Posted: Fri May 18, 2007 3:26 am Post subject: |
|
|
Hi Andres,
thanks for reporting.
There are few reports that spambots pass Textual Confirmation. However, details are unclear. I don't think the problem is in code. Most likely, the bots are assited by cheap human work.
I'm trying to identify the source of the problem. Would you mind installing a sniffer, which will record all the data of the registering users? I hope a pair of days will be enough. _________________ Oleg Parashchenko, bbAntiSpam
Do you love our tools? Please sponsor further development! |
|
|
Guest
|
Posted: Fri May 18, 2007 12:29 pm Post subject: |
|
|
Hi guys, thanks for your prompt replies, as usual.
Ares, all phpBB forums on the same webserver are secured with TC and this is the ONLY forum experiencing this problem.
Oleg, no problem, where do I get the "sniffer" and how do I install it?
Cheers,
Andres |
|
|
Andres Guest
|
Posted: Sat May 19, 2007 12:41 am Post subject: |
|
|
Hi guys,
Just following up.
Now the last 9 registrations have been spambots, something is definitely not right.
Thanks!
Andres |
|
|
admin Site Admin
Joined: 18 Apr 2006 Posts: 805 Location: Saint-Petersburg, Russia
|
Posted: Sat May 19, 2007 3:46 am Post subject: |
|
|
Spammers seem released a new version of spambots, which able to answer yes/no and arithmetical questions. I'm trying to investigate if it is so. I need some assistance.
* On the server, in the folder "includes", create a file named "tcsniff.php".
* Change "tcsniff.php" file permissions. Allow write access to everyone.
* Backup the old file "includes/functions_tc.php"
* Download the archive http://bbantispam.com/sniff_functions_tc.zip.
* Unpack the file "functions_tc.php" from the archive and upload it on the server.
* Try to register on the forum and check that the file "tcsniff.php" is updated.
Let it work for a pair of days. Than send me (to <olepar gmail com>) the file "tcsniff.php".
Or, better, send me the file also as soon as possible, after a few successful spam registrations. _________________ Oleg Parashchenko, bbAntiSpam
Do you love our tools? Please sponsor further development! |
|
|
Ares
Joined: 28 Mar 2007 Posts: 24
|
Posted: Sat May 19, 2007 4:05 am Post subject: |
|
|
Quote: | Spammers seem released a new version of spambots, which able to answer yes/no and arithmetical questions. |
on his United Airlines forum, there only seems to be ONE TC question on the registration page: "what is 2 + 3?"
why don't you try Algebra questions: "If A=42 and B=3, what is A + B?". try some word/color/image questions, as well.
Oleg - it's also possible to capture the user's mouse movements on the reg. page and submit that info along with the normal registration info. As far as determining human or bot... |
|
|
gb Guest
|
Posted: Sat May 19, 2007 10:04 am Post subject: |
|
|
I have been using TC very happily on my forums, but a short while suddenly noticed spammers signing up again, and contacted Oleg about it.
One thing I did was look at the questions again, and noticed that I had left "are you human?" in - and guessed that it's not much trouble for a spambot to have a 50/50 chance of getting things like that correct.
I have now removed all Yes/No questions from the list, and have instead put in very simple ones to do with the subject of the forum, as anybody signing up will be able to answer them.
For example if it was a forum about sports cars a question might be "write the word Ferrari"... "write the word Jaguar"... or something that simple.
This seems to have worked and the spammers have completely dropped off again. I can imagine they will think of a way round that sometime, but for now it's good!
And thanks again Oleg - TC has been a lifesaver for me!
Cheers
Gareth |
|
|
Andres Guest
|
Posted: Sun May 20, 2007 2:06 am Post subject: |
|
|
Oleg, I'll give that a shot and send it to you in a few days. Thanks!
Ares, I changed to arithmetic only after I noticed they were getting through my original question ("what color is the sky?"), so I don't think the arithmetic is the problem.
Gb, I don't have any YES/NO questions, so there are only 2 possibilities here: 1) they are manually getting through (e.g. human spammer) or 2) there is a loophole somewhere in that specific forum and they are exploiting it and getting through.
Let's see what the sniffer reveals...
Thanks guys!
Andres |
|
|
admin Site Admin
Joined: 18 Apr 2006 Posts: 805 Location: Saint-Petersburg, Russia
|
Posted: Mon May 21, 2007 2:23 am Post subject: |
|
|
There is also the third variant: captcha sweatshops (services to deciper CAPTCHAs using low-paid human labour) added support of Textual Confirmation. However, I don't see why they need it. It should be unprofitable, as described here: http://bbantispam.com/atc/, the last section "Why the protection works now and why it will work in the future". _________________ Oleg Parashchenko, bbAntiSpam
Do you love our tools? Please sponsor further development! |
|
|
Andres Guest
|
Posted: Tue May 22, 2007 3:48 am Post subject: Spambots are spreading to my other forums now... |
|
|
The spambots have spread to my other forums now, so I'm starting to think this might be related to what Ares originally said:
Ares wrote: | andres,
if you have an OLD copy of phpBB running somewhere else, that uses the same database as your current one, the bots will CONTINUE to spam you from there.
That happened to me. I had 2 phpBB forums on different sites running off of the same database, one of the sites was secured with TC, and the other wasn't. I couldn't figure out how the bots were getting through, untill I realized the bots were still spamming my OLD, unsecured phpBB forum |
I've installed the Sniffer in the UnitedComplaints.com forum and will install it in a few of the other ones to be more thorough.
I'll report back in a few days.
Andres |
|
|
Ares
Joined: 28 Mar 2007 Posts: 24
|
Posted: Wed May 23, 2007 1:51 am Post subject: |
|
|
actually, that wouldn't make alot of sense (that they're spreading to your other forums now, too?). if it was a matter of some old, leftover directory that the bots are attacking you from, it should only be a problem with 1 forum, not a problem that spreads.
it still looks like you're using just one question for each one of your TC installations, you should really use more than one.
- add more questions - for all we know, the bots have realized there's just 1 question on your forum(s), and are entering a hard-coded answer each time
- change the default "Answer the Textual Confirmation question to prove you are not a spambot." to something more generic: maybe something like "Answer the security question" - in other words, don't let the bots know they're dealing with TC.
- Oleg - in the TC "blocked attempt" emails that get sent to us, in the future, can the incorrect answer (or lack thereof) the user has entered, be included in the info that is submitted? that way we can easily tell if the bots are at least *trying* to bypass TC. |
|
|
Ares
Joined: 28 Mar 2007 Posts: 24
|
Posted: Wed May 23, 2007 2:02 am Post subject: |
|
|
WOAH NELLY. It looks like 1 of my older, less-used boards has picked up andre's problem, as well.
i have an old board with several simple questions (sky/grass/human), and starting May 20, 2007, I started getting 2-3 spam registrations per day, just like andres.
I'm going to change the questions to more complex ones, I'll let you know if that helps.
I would guess, that the spammers either have the human CAPTCHA sweatshops, or, have hard-coded the capability of answering the really simple (sky/grass/human) questions.
edit:
Over the past few months, I "evangelized" to other phpBB admins, and they got TC installed on their forums. One of these forums is a GAMING community, and inherently they're able to ask "smarter" questions, that bots would be very hard pressed to just know - "what game is our clan best known for?", etc.
Those of us with commercial interests in maintaining our phpBB installations can't ask as advanced questions - gaming clans can ask some really neat questions of their users, while andre certainly couldn't be able to do the same with his users.
Similarly, while I can have Star Trek TC questions on my own personal board, it just wouldn't be appropriate to have those same questions on a phpBB board that I administrate for a client of mine.
both my personal phpBB board, and the GAMING clan's phpBB board I just described, both have not recieved any successful spam registrations. |
|
|
Ares
Joined: 28 Mar 2007 Posts: 24
|
Posted: Thu May 24, 2007 3:32 pm Post subject: |
|
|
I believe I've identified the problem.
The bots are apparently smart enough to solve the "sky/grass/human" type of questions, and apparently, questions that are extremely simple arithmetic.
I recently changed the questions on my old board to more complicated, site-specific questions, and the 100% of the bots were stopped. Also, on the other websites I've "evangelized" into using TC, the ones who have complex, site-specific questions, have NOT been suffering from successful spam bot registrations. yet. |
|
|
Centurion
Joined: 25 May 2007 Posts: 5 Location: Poland
|
Posted: Fri May 25, 2007 9:23 am Post subject: |
|
|
admin wrote: | There are few reports that spambots pass Textual Confirmation. However, details are unclear. I don't think the problem is in code. Most likely, the bots are assited by cheap human work. |
Seems that you're right, here's some log:
Code: | ================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => buyviagra
new_password => buyviagra
password_confirm => buyviagra
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer =>
new_password =>
password_confirm =>
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => buyviagra
new_password => buyviagra
password_confirm => buyviagra
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => eiffel
new_password => buyviagra
password_confirm => buyviagra
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer => http://drugspill.com/product_viagra.htm
new_password => http://drugspill.com/product_viagra.htm
password_confirm => http://drugspill.com/product_viagra.htm
website =>
location =>
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => buyviagra
email => 7zg44e@i.com
tc_answer =>
new_password =>
password_confirm =>
website =>
location => dictionary_.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => google
email => 7zg44e@i.com
tc_answer =>
new_password => google
password_confirm => google
website =>
location => bb/word8/dictionary.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => google
email => 7zg44e@i.com
tc_answer => Paris
new_password => 111111
password_confirm => 111111
website =>
location => word8/dictionary.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11
================================================
username => google
email => 7zg44e@i.com
tc_answer =>
new_password =>
password_confirm =>
website =>
location => word8/dictionary.txt
b_day => 0
b_md => 0
b_year => 0
remote_addr => 75.126.163.11 |
I've got 2 TC questions and finally this bot got registered by typing the correct one "Paris" |
|
|
Ok.