Jump to content

spam

greek_parea
 Share

Recommended Posts

AlexJ Veteran

AlexJ

Posted
Posted
2 hours ago, Arthmoor said:

They tend to have IP addresses associated with registration from the same part of the world.

This is why you ban ASN. Banning CIDR's will do no good and eventually it will take toll on CPU consumption on your server. However, if you do ban IP address, make sure to block at PREROUTING / RAW so it's quick and fast. 

  • Replies 72
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Malwarebytes Forums
Malwarebytes Forums

You don't have to send them a password reset request. Also, they have not seemed to take the time to change the email address associated with the account so if you did change the password, I don't thi

Mark H
Mark H

Just a note for the time being... One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall. This

AlexJ
AlexJ

For those using Cloudflare (CF), very simple solution. Do managed challenge for this ASN's. CF firewall is extremely fast.  This IP ASN: AS56380 - Normally all this spam bots use VPN/Proxy or dat

Posted Images

Claudia999 Proficient

Claudia999

Posted
Posted
13 hours ago, Hackbart said:

We used this in the past for filtering bad words or fixing misspelling. I have no idea why, but it does not seem to work anymore. I added these filters and monitored our board, and the posts just popped up without moderator approval.

I added word filters on monday and they worked. But previously added filter of IP didn't work.

Dll Experienced

Dll

Posted
Posted (edited)

 

On 1/17/2023 at 7:18 PM, Mark H said:

Just a note for the time being...

One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall.

This would be the range to block for that service provider, in CIDR format:

109.107.160.0/19

which blocks 109.107.160.0 through 109.107.191.255

And for that spammer in Iraq... that provider has a huge range of IP's, from 37.236.0.0 to 37.239.255.255 so I personally blocked a fairly small range for them which encompasses the one IP that spammer used:

37.239.8.1/24

(Note: I've added these on my own server already, and it appears I got to it before my sites were hit.)

More blocks can be added as you notice them, but try to keep the ranges small. Blocking a too-large range can cause server issues under the right (wrong?) circumstances.

I'm kinda surprised that this doesn't appear to have been actioned on the Invision cloud - as we had a spammer within the russian range above get through onto a user account this morning?

Edited by Dll
Thomas Hop Collaborator

Thomas Hop

Posted
Posted

Gary send me to this topic. We also have the problem since this week. 

We where thinking that a Google Captcha on Login maybe would solve te problem. Bot can't automatically login then (or maybe less). But is this possible in Invision?

AlexJ Veteran

AlexJ

Posted
Posted
6 hours ago, Thomas Hop said:

We where thinking that a Google Captcha on Login maybe would solve te problem. Bot can't automatically login then (or maybe less). But is this possible in Invision?

That would be hard because Google Login in itself is direct auth - you are good to go. Only 3 options:

1. Word/URL filter based moderation

2. IPTable

3. If you have cloudflare - ASN bans. 

 

PurpleSparkles Apprentice

PurpleSparkles

Posted
Posted
23 hours ago, Randy Calvert said:



I would be more inclined to believe it was a data breach elsewhere if it was long term member accounts that had historically been active and participating on your site suddenly spamming. But an account that was registered and never used that surfaces months later does not scream external data breach. 

In our case we had two long term members who post daily and their account was compromised and started spamming two days ago; same IP and quotes from above... 

Randy Calvert Grand Master

Randy Calvert

Posted
Posted
1 minute ago, PurpleSparkles said:

In our case we had two long term members who post daily and their account was compromised and started spamming two days ago; same IP and quotes from above... 

Yes, in that case...  it was most likely the user using the same password across multiple sites where another site had a data breach.  

AlexJ Veteran

AlexJ

Posted
Posted (edited)
10 hours ago, Unleashed2k said:

I am curious if anyone came up with a SQL query that is easy that can reset all user passwords not logged in since 2021?

Sometimes people don't have access to their email and password is stored in browser for many folks. U should avoid doing that. It will cause pain for a lot of members. 

  

4 hours ago, Randy Calvert said:

Yes, in that case...  it was most likely the user using the same password across multiple sites where another site had a data breach.  

+1 OR I see brute force attempts on week password from this IP's. I noticed that for 2 user accounts on our forums. When I asked them they had very week password, even though IPS default is moderate i believe. So we changed after 3 attempts account gets locked for 12 hrs. 

 

Edited by AlexJ
Unleashed2k Apprentice

Unleashed2k

Posted
Posted

I've already reset the old user passwords but now I have a new problem. It's sending out 50k+ email notifications and my IP got blacklisted for spam. How ironic... Ugh. Is there anyway to cancel/clear that queue? I've already tried clearing my exim queue but it seems that ipboard is still bulk sending these messages. 

wegorz23 Community Regular

wegorz23

Posted
Posted
55 minutes ago, Unleashed2k said:

I've already reset the old user passwords but now I have a new problem. It's sending out 50k+ email notifications and my IP got blacklisted for spam. How ironic... Ugh. Is there anyway to cancel/clear that queue? I've already tried clearing my exim queue but it seems that ipboard is still bulk sending these messages. 

We also think about that but have like 92 000 members. 🙂 

About 3 days left we did not match new problems and filtering and ip ban work just fine.

Good luck everyone 

wegorz23 Community Regular

wegorz23

Posted
Posted

In last 4 days we also received many of failed registers in our forum. 

Spam defense score 4 auto ban that users and we also have that a lot in past days. 

( User registered. Spam Defense checked and returned score 4 - account banned. )

Only today banned ip:

31.173.82.121
37.46.115.44
37.46.115.51
37.139.53.90
45.87.104.125
84.239.40.254
142.54.173.138
145.255.9.153
152.58.123.243
176.124.205.34
176.59.56.243
178.176.76.117
178.176.79.62
185.245.85.231
208.110.81.170
212.129.45.48

90% of that is from russian federation ....


Feel free to add that to ur filter or firewall. 

 

 

 

  • 2 weeks later...
PurpleSparkles Apprentice

PurpleSparkles

Posted
Posted
On 1/19/2023 at 8:26 PM, Randy Calvert said:

Yes, in that case...  it was most likely the user using the same password across multiple sites where another site had a data breach.  

Which site had a data breach? I've been curious trying to track it.

Randy Calvert Grand Master

Randy Calvert

Posted
Posted (edited)

There were over 5000 KNOWN data breaches that occurred in 2022 alone.  Some of the bigger ones last year include:

https://www.usnews.com/360-reviews/privacy/recent-data-breaches

If you're interested in more high level trends in data breaches, check out the annual Verizon Data Breach Investigation Report (DBIR).  

https://www.verizon.com/business/resources/reports/dbir/

Edited by Randy Calvert
  • 2 weeks later...
wegorz23 Community Regular

wegorz23

Posted
Posted

Can some one have solution on that problem ??

We block every day about 5-15 accounts + that spammers where spam defence (4) ban them automaticly. 

185.107.56.156
106.202.182.218
122.173.29.26
103.163.224.42
103.83.145.119
188.126.94.239
122.162.145.40
180.151.26.60
103.163.224.42
119.82.83.120
103.163.224.42
163.198.212.180
188.126.94.246
156.146.55.162
78.24.201.101
156.146.55.159
46.166.182.57
196.196.53.25
185.245.85.231
196.196.53.126
196.196.53.45
109.248.205.130
102.129.143.42
103.50.150.230
46.0.43.66

102.129.143.84
223.178.212.206
122.180.178.0
119.82.83.120
178.249.212.242
182.71.79.227
152.57.80.169
173.239.254.53
37.214.47.29
94.233.240.239
176.125.230.144
180.151.19.51
27.57.72.158
103.47.73.122
119.82.83.120
176.125.230.137
122.161.52.50
119.82.83.120
95.142.120.10
103.83.69.129
176.125.230.143
194.5.53.70
46.8.29.86
160.202.37.39
51.83.213.191

207.244.71.84
122.161.69.140
103.122.169.138
122.161.69.140
103.137.85.130
103.81.215.60
49.36.181.207
103.47.73.122
119.73.96.2
103.81.215.60
185.107.56.157
163.5.123.58
85.221.154.231
103.69.244.168
138.199.59.160
94.254.229.22
163.5.123.44
181.214.173.47
154.6.130.2
31.173.86.73
216.24.216.27
185.246.208.146
194.5.53.23
178.175.132.165
181.214.173.190

 

Thats from last 3 days.

Arthmoor Enthusiast

Arthmoor

Posted
Posted

Better yet - get IPS to implement this:

There should be no good reason to have to spend additional money at the price the IPS package sells for. Especially when a solid working anti-spam system exists that's easily implemented into the package.

Randy Calvert Grand Master

Randy Calvert

Posted
Posted
33 minutes ago, Arthmoor said:

Better yet - get IPS to implement this:

There should be no good reason to have to spend additional money at the price the IPS package sells for. Especially when a solid working anti-spam system exists that's easily implemented into the package.

Given this is not a feature today...  if you want it considered, post it in the Feature Suggestion forum.  Otherwise it will be lost in a sea of support requests.  🙂 

Arthmoor Enthusiast

Arthmoor

Posted
Posted

I did, hence why I linked it here. Maybe more interest in the suggestion will help nudge it along. Besides, I think I made it pretty clear what I was linking when I said "get IPS to implement this".

 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...