Clover13, Posted April 1, 2014: So, I had the first spammer attack in about a year today. From what I've researched, it looks like the email was identified in a SFS database, but the IP resolved to a proxy located in the US. The IPS spam system did not block this user and they were able to get in and post a bunch of spam in the forums. Banning and cleanup was done promptly. First, any idea why this email that was in SFS wasn't trapped by IPS's spam filters? Second, how can I improve my spam filtering to prevent this type of thing? My site is US based, so I've blacklisted non-US IP blocks to a large degree and of course the "bad" bots/spiders. But when someone jumps through a US based proxy, how do I catch that? Or is it best to just deal with it on a case by case basis and blacklist the proxy IP? Obviously it's possible for this scenario to occur again; even if IPS caught this particular email address, if they used an arbitrary one, it wouldn't. Any recommendations?
Dmacleo, Posted April 1, 2014: I may be way off base but I think this would be a case by case issue. Suppose you could get a list of proxies and block them all, but that would be a large endeavor and may hurt normal users. Perhaps for new members hold their posts in the mod queue until approved for a few times (I think the default is set to 5 in the ACP, could be wrong), so when a new member posts you can see if it's a spammer before the post actually goes through.
Clover13 (Author), Posted April 1, 2014: Hmmm, this is an interesting case as I'm watching the user try to access the site from various IPs within the US and one from China. The account is banned and I have an .htaccess blacklist on their registering IP, but this is a list of IPs that user has used thus far. I'd imagine trying to keep blacklisting every IP they use will be futile. And even further I just noticed in the ACP, when I list the user's IPs... it was originally a list of 10 IPs and is now down to 3 IPs? Any insight on how that occurs? I wouldn't think that list would decrease, only increase.
Dmacleo, Posted April 1, 2014: Seems to me you could spend all day blocking each proxy he tries and never actually stop him. I would expect using the new user moderation queue would be the way to go.
Clover13 (Author), Posted April 1, 2014: Yeah, that's definitely an option too, at least until that user/bot gets bored of trying to spam. Any idea why the user's IP list in the IPS ACP would change (decrease)?
Dmacleo, Posted April 1, 2014: No idea really, maybe it's just due to the timings you set?
Clover13 (Author), Posted April 1, 2014: I guess the IP list cleans up over time? It's quasi-realtime. It's back up to 5 IPs now. I think he's just hitting the account login from a bunch of different IPs, but the account is banned so there isn't anything he can do. I plan on just deleting the account, but am trying to gather as much info as I can first to feel out how/what the person/bot is doing.
Dmacleo, Posted April 1, 2014: Yeah, iirc it defaults to 15 minutes. System Settings > Advanced > CPU Savings and Optimization > "Cut off for active user display [in minutes]".
Clover13 (Author), Posted April 1, 2014: Well, this is the list of IP addresses used by a given member in the Member Management Tools of the ACP. Unless that list is coupled to that active user display (in minutes) somehow.
Aiwa, Posted April 1, 2014: As IPS has noted in their blog entries, the StopForumSpam database response is considered when weighting what code is returned for a member, but it isn't a sole deciding factor. Check and see how the member was flagged by the Spam Service: ACP > Stats and Logs > Logs > Spam Service Logs. If they were a Code 2 or 3, then you can probably adjust your settings there and catch him. If it's a REAL person trying to get in, the ONLY real way to stop them is to require admin validation of new accounts or control new members with auto-promote. New members can be mod-queued until they get X admin approved posts or something. Then they are automatically upgraded to a full member account that isn't mod queued. Question and Answer won't really do you any good as they will just Google for the answer. Most spam tools are designed to stop bots from registering on your community.
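The thread's core point is that a StopForumSpam hit on the email did not by itself block the registration, because the IP (a US proxy) looked clean. As an added illustration, not IPS's code or its actual weighting, here is a small policy function that reads constructed lookup results in the shape of the public StopForumSpam JSON API and decides between allow, moderation queue and block; the thresholds and the "IP-only hit means queue, never block" rule are assumptions chosen to avoid punishing real users on shared or dynamic addresses.

```python
"""Added example: weigh StopForumSpam-style email and IP results into a
registration decision. Not code from IPS or from this thread; thresholds
and policy are assumptions for illustration."""
import json

# Constructed samples in the shape of the public StopForumSpam JSON API
# (per-item fields: appears, frequency, confidence). Not real lookups.
SFS_EMAIL_HIT_IP_CLEAN = json.dumps({
    "success": 1,
    "email": {"appears": 1, "frequency": 14, "confidence": 88.2},
    "ip": {"appears": 0, "frequency": 0},
})
SFS_ALL_CLEAN = json.dumps({
    "success": 1,
    "email": {"appears": 0, "frequency": 0},
    "ip": {"appears": 0, "frequency": 0},
})
SFS_IP_ONLY = json.dumps({
    "success": 1,
    "email": {"appears": 0, "frequency": 0},
    "ip": {"appears": 1, "frequency": 2, "confidence": 10.5},
})


def decide(sfs_json: str, block_conf: float = 75.0) -> str:
    """Return 'block', 'queue' (hold posts for moderation) or 'allow'.

    An email address reused across forums is the strongest signal, so a
    high-confidence email hit blocks outright. An IP hit alone only queues:
    the address may be a proxy, a shared NAT or a dynamic residential IP
    that a legitimate user inherited. A failed lookup also queues rather
    than silently trusting the registration.
    """
    data = json.loads(sfs_json)
    if not data.get("success"):
        return "queue"  # lookup failed or rate-limited: fall back to moderation
    email = data.get("email", {})
    ip = data.get("ip", {})
    email_conf = float(email.get("confidence", 0)) if email.get("appears") else 0.0
    if email_conf >= block_conf:
        return "block"
    if email.get("appears") or ip.get("appears"):
        return "queue"  # weaker or IP-only evidence: moderate, don't auto-ban
    return "allow"
```

With these samples the email-only case blocks, the IP-only case goes to the moderation queue, and the clean case is allowed.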
Clover13 (Author), Posted April 1, 2014: Thanks Aiwa. They were coded as a 1, so not much I can do there. I'll just have to address it on a case by case basis and implement what both of you recommended if needed (if it becomes a larger scale issue). Thanks for the feedback guys!
IveLeft..., Posted April 4, 2014: The only spam our forums get is real human spam; the mods generally kill it dead. We block all dodgy countries in the firewalls, use promote new member after 10 posts, and restrict new members from PMs, links, etc. Compared to the vB we used to use, we now have around 1 spammer every 3 months, if that. I think the URL block add-on that we use is by nena dice; other than that it's all straight IPB stuff.
Clover13 (Author), Posted April 4, 2014: Cool, thanks for the additional insight on how you do it! :) I honestly haven't had much of an issue once I blacklisted the spamming countries (unrelated to my niche) and bad bots/spiders via htaccess. This is the first one that's crept through, and I likewise suspect some human had to at least set up the account before the spamming began. It's certainly bearable if it only happens once a year and gets knocked down in a short period of time :)