
Spammer got through via US proxy


Recommended Posts

Posted

So, I had the first spammer attack in about a year today.

From what I've researched, it looks like the email was identified in an SFS database, but the IP resolved to a proxy located in the US.

The IPS spam system did not block this user and they were able to get in and post a bunch of spam in the forums.

Banning and cleanup was done promptly.

First, any idea why this email that was in SFS wasn't trapped by IPS's spam filters?

Second, how can I improve my spam filtering to prevent this type of thing?

My site is US based, so I've blacklisted non-US IP blocks to a large degree and of course the "bad" bots/spiders.

But when someone jumps through a US based proxy, how do I catch that?

Or is it best to just deal with it on a case by case basis and blacklist the proxy IP?

Obviously it's possible for this scenario to occur again, even if IPS caught this particular email address, if they used an arbitrary one, it wouldn't.

Any recommendations?

Posted

I may be way off base but I think this would be a case by case issue.

I suppose you could get a list of proxies and block them all, but that would be a large endeavor and may hurt normal users.

Perhaps for new members, hold their posts in the mod queue until approved a few times (I think the default is set to 5 in the ACP, could be wrong), so when a new member posts you can see if it's a spammer before the post actually goes through.

Posted

Hmmm, this is an interesting case as I'm watching the user try to access the site from various IPs within the US and one from China.

The account is banned and I have a .htaccess blacklist on their registering IP, but this is the list of IPs that user has used thus far.

I'd imagine trying to keep blacklisting every IP they use will be futile.

 
[ 12.237.189.71 ]
United States
AT&T Services, Inc. / ATT

[ 184.61.254.116 ]
Leesburg, United States
h184-61-254-116.cntral.dsl.dynamic.tds.net
TDS TELECOM / NETBLK-TDSNET-BLK

[ 198.255.223.170 ]
United States
cpe-198-255-223-170.buffalo.res.rr.com
Time Warner Cable Internet LLC / RRNY

[ 50.167.32.111 ]
United States
c-50-167-32-111.hsd1.ga.comcast.net
Comcast Cable Communications Holdings, Inc / CCCH3-4

[ 50.186.112.32 ]
United States
c-50-186-112-32.hsd1.ut.comcast.net
Comcast Cable Communications Holdings, Inc / CCCH3-4

[ 60.247.27.119 ]
Beijing, China
119.27.247.60.static.bjtelecom.net
China Digital Kingdom Technology Co.,Ltd. / MAINT-CNNIC-AP / CDKNet

[ 68.194.77.49 ]
Crompond, United States
ool-44c24d31.dyn.optonline.net
Optimum Online / OOL-CPE-OSNGNY-68-194-72-0-21

[ 70.181.130.214 ]
Encinitas, United States
ip70-181-130-214.sd.sd.cox.net
Cox Communications Inc. / NETBLK-SD-RDC-70-181-128-0

[ 71.183.79.46 ]
Mount Vernon, United States
static-71-183-79-46.nycmny.fios.verizon.net
Verizon Online LLC / VIS-BLOCK

[ 71.45.149.45 ]
Bessemer, United States
71-45-149-45.res.bhn.net
BRIGHT HOUSE NETWORKS, LLC / MTA-5
 

And even further, I just noticed in the ACP, when I list the user's IPs... it was originally a list of 10 IPs and is now down to 3 IPs?

Any insight on how that occurs?

I wouldn't think that list would decrease, only increase.
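An added example, not part of the post above: a short Python script that parses the pasted list and classifies each address by the naming of its reverse DNS. The "residential" tokens are a heuristic chosen for this example, not an authoritative list, and the data is the post's own transcribed text rather than a live lookup. It shows that most of these addresses are dynamic consumer-ISP assignments across nine different carriers, which is why blacklisting them one at a time (or by /24) mostly hits other customers of those ISPs.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the IP / location / rDNS / organisation list pasted in
# the post above, transcribed verbatim. Nothing here is resolved live.
POSTED_LIST = """
[ 12.237.189.71 ]
United States
AT&T Services, Inc. / ATT

[ 184.61.254.116 ]
Leesburg, United States
h184-61-254-116.cntral.dsl.dynamic.tds.net
TDS TELECOM / NETBLK-TDSNET-BLK

[ 198.255.223.170 ]
United States
cpe-198-255-223-170.buffalo.res.rr.com
Time Warner Cable Internet LLC / RRNY

[ 50.167.32.111 ]
United States
c-50-167-32-111.hsd1.ga.comcast.net
Comcast Cable Communications Holdings, Inc / CCCH3-4

[ 50.186.112.32 ]
United States
c-50-186-112-32.hsd1.ut.comcast.net
Comcast Cable Communications Holdings, Inc / CCCH3-4

[ 60.247.27.119 ]
Beijing, China
119.27.247.60.static.bjtelecom.net
China Digital Kingdom Technology Co.,Ltd. / MAINT-CNNIC-AP / CDKNet

[ 68.194.77.49 ]
Crompond, United States
ool-44c24d31.dyn.optonline.net
Optimum Online / OOL-CPE-OSNGNY-68-194-72-0-21

[ 70.181.130.214 ]
Encinitas, United States
ip70-181-130-214.sd.sd.cox.net
Cox Communications Inc. / NETBLK-SD-RDC-70-181-128-0

[ 71.183.79.46 ]
Mount Vernon, United States
static-71-183-79-46.nycmny.fios.verizon.net
Verizon Online LLC / VIS-BLOCK

[ 71.45.149.45 ]
Bessemer, United States
71-45-149-45.res.bhn.net
BRIGHT HOUSE NETWORKS, LLC / MTA-5
"""

# Heuristic labels that consumer ISPs commonly put in PTR records (assumption).
RESIDENTIAL_TOKENS = {"dsl", "dynamic", "dyn", "res", "cpe", "hsd1", "ool",
                      "fios", "cable", "pool", "dhcp", "ppp"}


def parse_posted_list(text):
    """Turn the pasted blocks into records: ip, country, rdns (or None), org."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = re.match(r"\[\s*([\d.]+)\s*\]", lines[0])
        if not m:
            continue
        records.append({
            "ip": ipaddress.ip_address(m.group(1)),
            "country": lines[1].split(",")[-1].strip(),
            "rdns": lines[2] if len(lines) >= 4 else None,  # 3-line block = no PTR
            "org": lines[-1].split(" / ")[0],
        })
    return records


def classify(rec):
    """Rough class from PTR naming: residential, static, unclassified, no-rdns."""
    if not rec["rdns"]:
        return "no-rdns"
    tokens = set(re.split(r"[^a-z0-9]+", rec["rdns"].lower()))
    if tokens & RESIDENTIAL_TOKENS:
        return "residential"
    if "static" in tokens:
        return "static"
    return "unclassified"


def summarize(records):
    return {
        "total": len(records),
        "by_class": Counter(classify(r) for r in records),
        "distinct_orgs": len({r["org"] for r in records}),
        "distinct_24s": len({ipaddress.ip_network(f"{r['ip']}/24", strict=False)
                             for r in records}),
        "non_us": sum(1 for r in records if r["country"] != "United States"),
    }


if __name__ == "__main__":
    for rec in parse_posted_list(POSTED_LIST):
        print(f"{str(rec['ip']):16} {classify(rec):13} {rec['org']}")
    print(summarize(parse_posted_list(POSTED_LIST)))
```

Seven of the ten addresses carry consumer-ISP PTR naming and all ten sit in different /24s, so an IP blacklist here is a list of other people's home connections; the same rotation pattern is what makes the new-member moderation queue suggested in this thread a better fit than address blocking.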

Posted

Seems to me you could spend all day blocking each proxy he tries and never actually stop him.

I would expect using the new user moderation queue would be the way to go.

Posted

Yeah that's definitely an option too at least until that user/bot gets bored of trying to spam.

Any idea why the user's IP list in the IPS ACP would change (decrease)?

Posted

I guess the IP list cleans up over time? It's quasi-realtime. It's back up to 5 IPs now.

I think he's just hitting the account login from a bunch of different IPs, but the account is banned so there isn't anything he can do.

I plan on just deleting the account, but am trying to gather as much info as I can first to feel out how/what the person/bot is doing.

Posted

Yeah, IIRC it defaults to 15 minutes.

System Settings -> Advanced -> CPU Savings and Optimization

Cut off for active user display [in minutes]

Posted

Well, this is the list of IP addresses used by a given member in the Member Management Tools of the ACP.

Unless that list is coupled to that active user display (in minutes) somehow.

Posted

As IPS has noted in their blog entries, the StopForumSpam database response is considered when weighting what code is returned for a member, but it isn't a sole deciding factor.

Check and see how the member was flagged by the Spam Service, ACP > Stats and Logs > Logs > Spam Service Logs. If they were a Code 2 or 3, then you can probably adjust your settings there and catch him.

If it's a REAL person trying to get in, the ONLY real way to stop them is to require admin validation of new accounts or control new members with auto-promote. New members can be mod-queued until they get X admin-approved posts or something. Then they are automatically upgraded to a full member account that isn't mod-queued.

Question and Answer won't really do you any good as they will just Google for the answer.

Most spam tools are designed to stop bots from registering on your community.
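An added example to illustrate the weighting idea in the post above. This is a sketch written for this page, not IPS's code: the weights, thresholds, the meaning given to codes 1/2/3 (allow / moderate / block), and the StopForumSpam-style lookup values are all assumptions. Only the shape of the lookup dictionaries (per-field `appears` / `frequency` / `confidence`) follows the SFS JSON API. It shows why a confident e-mail hit combined with a clean US IP can land at code 1 under a weight-based policy, and two ways to tune the policy so the same case is at least moderated.

```python
from dataclasses import dataclass, field

# Constructed SFS-style lookups (values invented for this example).
EMAIL_ONLY_HIT = {                      # the case in this thread: known e-mail, clean US IP
    "email": {"appears": 1, "frequency": 37, "confidence": 99.2},
    "ip": {"appears": 0, "frequency": 0},
    "username": {"appears": 0, "frequency": 0},
}
EMAIL_AND_IP_HIT = {                    # e-mail and IP both listed
    "email": {"appears": 1, "frequency": 37, "confidence": 99.2},
    "ip": {"appears": 1, "frequency": 12, "confidence": 91.0},
    "username": {"appears": 0, "frequency": 0},
}
CLEAN = {
    "email": {"appears": 0, "frequency": 0},
    "ip": {"appears": 0, "frequency": 0},
    "username": {"appears": 0, "frequency": 0},
}

ALLOW, MODERATE, BLOCK = 1, 2, 3        # assumed code meanings, not IPS's definitions


@dataclass
class Policy:
    # Relative weight of each SFS field in the score (assumption).
    weights: dict = field(default_factory=lambda: {"email": 0.5, "ip": 0.4, "username": 0.1})
    moderate_at: float = 0.6            # score at which content goes to the mod queue
    block_at: float = 0.8               # score at which registration is refused
    # Floor applied when the e-mail alone is a confident hit, regardless of IP.
    email_hit_floor: int = ALLOW
    email_floor_confidence: float = 90.0


def weighted_score(lookup, weights):
    """Sum weight * confidence for every field SFS says 'appears'."""
    total = 0.0
    for key, w in weights.items():
        entry = lookup.get(key) or {}
        if entry.get("appears"):
            total += w * float(entry.get("confidence", 0.0)) / 100.0
    return round(total, 3)


def classify(lookup, policy):
    """Map a lookup to ALLOW / MODERATE / BLOCK under the given policy."""
    score = weighted_score(lookup, policy.weights)
    if score >= policy.block_at:
        code = BLOCK
    elif score >= policy.moderate_at:
        code = MODERATE
    else:
        code = ALLOW
    # A confident e-mail hit should not be washed out by a clean IP: apply the floor.
    email = lookup.get("email") or {}
    if email.get("appears") and float(email.get("confidence", 0.0)) >= policy.email_floor_confidence:
        code = max(code, policy.email_hit_floor)
    return code


def demo():
    default = Policy()
    floor_policy = Policy(email_hit_floor=MODERATE)                     # tuning 1
    reweighted = Policy(weights={"email": 0.7, "ip": 0.2, "username": 0.1})  # tuning 2
    return {
        "email_only/default": classify(EMAIL_ONLY_HIT, default),
        "email+ip/default": classify(EMAIL_AND_IP_HIT, default),
        "clean/default": classify(CLEAN, default),
        "email_only/floor": classify(EMAIL_ONLY_HIT, floor_policy),
        "email_only/reweighted": classify(EMAIL_ONLY_HIT, reweighted),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:24} -> code {code}")
```

With the default weights the e-mail-only case scores 0.496 and is allowed (code 1), which matches what the original poster saw in the Spam Service Logs; adding the IP hit pushes it to 0.86 and a block. Either raising the e-mail weight or setting a moderation floor on confident e-mail hits turns the thread's case into code 2, so the account still registers but its first posts wait in the queue.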

Posted

Thanks Aiwa.

They were coded as a 1, so not much I can do there.

I'll just have to address it on a case-by-case basis and implement what both of you recommended if needed (if it becomes a larger-scale issue).

Thanks for the feedback guys!

Posted

The only spam our forums get is real human spam; the mods generally kill it dead.

We block all dodgy countries in the firewalls, use promote new member after 10 posts, and restrict new members from PMs, links, etc.

Compared to the vB we used to use, we now have around 1 spammer every 3 months, if that.

I think the URL block add-on that we use is by nena dice; other than that it's all straight IPB stuff.

Posted

Cool, thanks for the additional insight on how you do it! :)

I honestly haven't had much of an issue once I blacklisted the spamming countries (unrelated to my niche) and bad bots/spiders via htaccess.

This is the first one that's crept through, and I likewise suspect some human had to at least set up the account before the spamming began.

It's certainly bearable if it only happens once a year and gets knocked down in a short period of time :)
