IP2.3.6 spambots


Guest rbiss

Posted

In all likelihood, it is being done by a human registering to do the reCAPTCHA, then plugging his registration info into his PM spamming script. A new KB article was posted today with some tips to stop this from occurring and to clean up afterwards:

https://www.invisionpower.com/index.php?appcomponent=core&module=customer_area&section=kb&do=viewarticle&id=380

Posted

In all likelihood, it is being done by a human registering to do the reCAPTCHA, then plugging his registration info into his PM spamming script. A new KB article was posted today with some tips to stop this from occurring and to clean up afterwards:



https://www.invision...warticle&id=380



That makes sense. Thanks for the link.
Posted

In all likelihood, it is being done by a human registering to do the reCAPTCHA, then plugging his registration info into his PM spamming script. A new KB article was posted today with some tips to stop this from occurring and to clean up afterwards:






Could be, but how does that explain the hundreds of registrations from the same user across several IPB forums in a matter of hours?
Posted

It does seem on forums I run that if user email validation is on, then this person goes through the emails to get them enabled.

If the software lists loads of sites that then requires someone to do the captcha part, it can easily be done on hundreds of websites.

But if he has to use recaptcha per PM then they will give up.

I liked the idea of certain groups get re-captcha, say new users or normal members, but then if you subscribe to the forum this feature is turned off.

  • Management
Posted

We are getting this as well. All members received a PM today, and even though this sender is new and a member of our "Newbie" group, where PMs cannot be sent until they have 12 messages, they were still able to send PMs.




If you think this is the case, please send in a support ticket and we'll investigate. I've reviewed the code in IPB 2.3.6 and I can't see how anyone can bypass the group setting.
Posted

In all likelihood, it is being done by a human registering to do the reCAPTCHA, then plugging his registration info into his PM spamming script.




That's correct, we spoke with the guys at reCaptcha and are in agreement that this is the case.
Posted

Yup, am using it but they are getting past it. Here's one name that registered. Did a google search to find many IP sites it has registered at.



http://www.google.com/search?sourceid=navclient&ie=UTF-8&rlz=1T4GGLJ_enCA310CA310&q=mignulikz






This AHOLE sent over 7 THOUSAND PM's on one of my websites in about 15 minutes. I checked. There is NO FLOOD CONTROL to stop this. My server loads went to 35 (luckily the server bent but did not break). I had to run out of a meeting (thank god my blackberry got dozens of bounced emails from invalid old emails on some accounts). I noticed the loads and put two and two together. I IP banned him and restarted EXIM to be safe. I also wiped the contents of all his PM's (which linked to some Russian website).

IPB: PLEASE add flood control (like you did for email) for the PM box asap on the 2.x branch! This is very important as an exploit is clearly out there if someone can send 7k PM's in 15-20 minutes.
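The flood control requested above, as an added example that is not IPB code: a per-sender sliding-window limiter that would have capped the burst described in this post. The limits, the class name and the simulation helper are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed limits for the example: at most MAX_PMS private messages
# per sender within any WINDOW_SECONDS sliding window.
MAX_PMS = 20
WINDOW_SECONDS = 900  # 15 minutes


class PmFloodControl:
    """Per-sender sliding-window rate limiter (hypothetical helper, not IPB code)."""

    def __init__(self, max_pms=MAX_PMS, window=WINDOW_SECONDS):
        self.max_pms = max_pms
        self.window = window
        # sender id -> timestamps of sends still inside the window
        self._sent = defaultdict(deque)

    def allow(self, sender_id, now=None):
        """Return True and record the send if the sender is under the limit,
        otherwise False (the PM should be rejected and the event logged)."""
        now = time.time() if now is None else now
        q = self._sent[sender_id]
        # Expire timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_pms:
            return False
        q.append(now)
        return True


def simulate_burst(limiter, sender_id, count, start=0.0, interval=0.1):
    """Attempt `count` sends spaced `interval` seconds apart; return how many got through."""
    return sum(limiter.allow(sender_id, start + i * interval) for i in range(count))
```

Rejections are a useful detection signal in their own right: a sender hitting the cap within seconds of registering is worth an automatic flag for review.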
Posted

as for the suggestion in the IPB article:



To prevent PM spam, you may want to disable the default members group from being able to send PMs and set members to be automatically promoted to a group that does have permission after 10 or so posts. If you need assistance with that, send in a support ticket and a technician will be happy to assist you.



I do not agree. Yes this may work, but as the system works now the new member has NO WAY of knowing why their PM is not working and WHEN it will start working. There is no "welcome PM" built into the system to tell people these things or an elegant "error" message to explain it. Adding this to the welcome/registration email is pointless. No one reads those other than to click the confirmation link.

PLEASE add flood control. Thank you :)
Posted

I do not agree. Yes this may work, but as the system works now the new member has NO WAY of knowing why their PM is not working and WHEN it will start working. There is no "welcome PM" built into the system to tell people these things or an elegant "error" message to explain it. Adding this to the welcome/registration email is pointless. No one reads those other than to click the confirmation link.



Spot on mate.. needs that welcome PM

getting so many emails from members asking why they cannot use it.

But not only that, the spammer is posting a few crappy posts to get that upgraded group.

So I have now set my registrations to Admin validation and am checking their custom fields, as spammers use crappy words.
Posted

Could be, but how does that explain the hundreds of registrations from the same user across several IPB forums in a matter of hours?



I can register at lots of different sites in a matter of hours, all I'd need is a list of sites to register at. Google can provide me with a quick list of those sites if I just search for something like "Powered by Invision Power Board".
Posted

Hmm, he has been doing this quite a lot, like what Fast Lane posted:

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rlz=1T4GGLJ_enCA310CA310&q=mignulikz

over 4000 profiles and all IPB

wonder how much misery this guy has caused for webmasters and members

Posted

as for the suggestion in the IPB article:





I do not agree. Yes this may work, but as the system works now the new member has NO WAY of knowing why their PM is not working and WHEN it will start working. There is no "welcome PM" built into the system to tell people these things or an elegant "error" message to explain it. Adding this to the welcome/registration email is pointless. No one reads those other than to click the confirmation link.



PLEASE add flood control. Thank you :)




We know it's not ideal - but it is a temporary solution until we work out something better :)
Posted

http://www.stopforumspam.com




SFS is a really useful resource. If someone built a module for IPB that downloaded CSV from SFS every day and updated the ban filters, it'd be great. Naturally, they'd have to have verification of the IPs/etc to make it effective and not strike false-positives, but given the combination of human/bot spamming recently it's awfully difficult to keep up manually.
Posted

I can register at lots of different sites in a matter of hours, all I'd need is a list of sites to register at. Google can provide me with a quick list of those sites if I just search for something like "Powered by Invision Power Board".




But that would require the time to pull up a list of IPB sites via a search engine, figure out what kind of Captcha these sites are using, invest time in bypassing each captcha, and successfully registering each account, then checking email to activate said account if the board requires email validation.

As the person said below you, an estimate of at least 4000 IPB communities were hit; however, it is still unclear how many of those communities were using Recaptcha and are updated to IPB 2.3.6. If it can hit hundreds or over a thousand communities within a matter of hours, then it's likely the work of an automated script/automated registration.

What I would do is review a list of IPB websites that are using IPB 2.3.6 with Recaptcha that this member/bot has registered at to see how close together the registrations are. If there are 100 registrations at 100 different websites within a matter of minutes, then it is likely the result of a bot.

I just had a bot a few days back that was able to get past Recaptcha and complete its registration, then proceeded to post a spam thread. Granted the spam issue is nowhere near as bad as with IPB 2.3.5, that isn't to say that some bots aren't able to get past Recaptcha.
Posted

SFS is a really useful resource. If someone built a module for IPB that downloaded CSV from SFS every day and updated the ban filters, it'd be great. Naturally, they'd have to have verification of the IPs/etc to make it effective and not strike false-positives, but given the combination of human/bot spamming recently it's awfully difficult to keep up manually.



My concern with a system like that would be the same sort of problem people ran into when they would enter in the huge search engine spider list into their settings. This caused PHP errors due to the volume of data being stored in the field. If it's just email addresses that would be entered into the ban filters, that would be fine as that's not cached. But IP addresses are stored in the cache and loaded with every page. So having too big of a cache could cause the PHP errors mentioned above, and just loading a large cache on every page load is going to cause more resource usage.
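The SFS-fed check suggested two posts up, written to respect the cache concern in this reply, as an added example (not an IPB module or SFS's own code): the daily dump is parsed into an in-memory index and consulted at registration time only, so nothing is pushed into the cached ban filters, and a report-count threshold guards against the false positives mentioned. The CSV column layout and the threshold are assumptions for this example.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of a daily dump (ip, report count, last seen).
# The exact SFS column layout is an assumption for this example.
SAMPLE_CSV = """ip,frequency,lastseen
203.0.113.5,37,2009-05-01 10:22:00
198.51.100.9,1,2009-04-30 08:00:00
192.0.2.44,12,2009-05-01 11:05:00
not-an-ip,99,2009-05-01 12:00:00
"""


def load_reports(text):
    """Parse the dump into {ip: report_count}; malformed rows are skipped
    rather than aborting the whole import."""
    reports = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            reports[str(ip)] = int(row["frequency"])
        except (ValueError, KeyError):
            continue
    return reports


def registration_verdict(reports, ip, min_reports=5):
    """Decide at registration time: 'block' only when the IP has at least
    min_reports reports, 'review' for a single or low count (send to the
    admin validation queue), 'allow' when unknown. Called per registration,
    so the list never touches the cached ban filters."""
    count = reports.get(ip, 0)
    if count >= min_reports:
        return "block"
    if count > 0:
        return "review"
    return "allow"
```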
Posted

But that would require the time to pull up a list of IPB sites via a search engine, figure out what kind of Captcha these sites are using, invest time in bypassing each captcha, and successfully registering each account, then checking email to activate said account if the board requires email validation.



As the person said below you, an estimate of at least 4000 IPB communities were hit; however, it is still unclear how many of those communities were using Recaptcha and are updated to IPB 2.3.6. If it can hit hundreds or over a thousand communities within a matter of hours, then it's likely the work of an automated script/automated registration.



What I would do is review a list of IPB websites that are using IPB 2.3.6 with Recaptcha that this member/bot has registered at to see how close together the registrations are. If there are 100 registrations at 100 different websites within a matter of minutes, then it is likely the result of a bot.



I just had a bot a few days back that was able to get past Recaptcha and complete its registration, then proceeded to post a spam thread. Granted the spam issue is nowhere near as bad as with IPB 2.3.5, that isn't to say that some bots aren't able to get past Recaptcha.



Until you have some sort of evidence that it was a bot that cracked reCAPTCHA, you should always assume it was a person. No one yet has any proof that reCAPTCHA has been cracked. Just because you have reCAPTCHA on and someone registered that posted spam does not mean that a bot cracked reCAPTCHA. Spammers/hackers hire humans to beat CAPTCHA codes for them. That is almost certainly what happened in your case.

You don't need to search out these sites, my reference to Googling for a term was just one way to find a list of IPB sites. Spammer/hackers already have such lists. It's no big effort on their part to write a script that will ping each site on their list and check the registration form code to see what kind of CAPTCHA they have.

I'm as concerned with security as you are, but it does no one any good to make assumptions about what happened without the proper evidence.
Posted

My IPB 2.3.6 site hasn't been hit yet, and a number of 1.3 and 2.1.7 boards I'm a member of didn't get hit either, so we're clear for the minute.

EDIT: I've also blocked that username from registering, the one yous were mentioning earlier, that might help a bit.

Posted

Until you have some sort of evidence that it was a bot that cracked reCAPTCHA, you should always assume it was a person. No one yet has any proof that reCAPTCHA has been cracked. Just because you have reCAPTCHA on and someone registered that posted spam does not mean that a bot cracked reCAPTCHA. Spammers/hackers hire humans to beat CAPTCHA codes for them. That is almost certainly what happened in your case.



You don't need to search out these sites, my reference to Googling for a term was just one way to find a list of IPB sites. Spammer/hackers already have such lists. It's no big effort on their part to write a script that will ping each site on their list and check the registration form code to see what kind of CAPTCHA they have.



I'm as concerned with security as you are, but it does no one any good to make assumptions about what happened without the proper evidence.




I never said it was fully cracked, I said that while it's good at combating nearly all automated registrations, there are some more advanced bot scripts that can get past it.

There's no more evidence than what I posted, and from what I've been reviewing it follows the exact patterns of an automated script. I urge this to be looked into further; nothing is foolproof. ;)
Posted

From the information we have, it's a human (or more specifically, a group of people) that perform the registration, and then a script likely takes over from there.

There are programs that have people on standby in a queue. A user would use the program to load the site, the captcha that is displayed is fed back through the program to a service, and then a human waiting in a queue would answer the captcha, and finally the program takes back over. These people that answer the captchas get paid something like .01 per captcha they break, but when a program is feeding them as fast as they can answer them, it's worthwhile for them to bother in some countries where one penny is a lot. ;)

We have communicated with reCAPTCHA, and once again, there is no evidence that reCAPTCHA itself has been broken. If it HAD been broken, reCAPTCHA would be responsible for updating it of course - we have no control over the actual reCAPTCHA output, and I am sure they would be doing so asap with so many sites on the internet using their services.

Hang tight people. We're not ignoring the issue.
