AlexJ Posted January 19, 2023

2 hours ago, Arthmoor said:
> They tend to have IP addresses associated with registration from the same part of the world.

This is why you ban ASN. Banning CIDRs will do no good and eventually it will take a toll on CPU consumption on your server. However, if you do ban an IP address, make sure to block at PREROUTING / RAW so it's quick and fast.

Claudia999 Posted January 19, 2023

13 hours ago, Hackbart said:
> We used this in the past for filtering bad words or fixing misspelling. I have no idea why, but it does not seem to work anymore. I added these filters and monitored our board, and the posts just popped up without moderator approval.

I added word filters on Monday and they worked. But the previously added IP filter didn't work.

Dll Posted January 19, 2023

On 1/17/2023 at 7:18 PM, Mark H said:
> Just a note for the time being... One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall. This would be the range to block for that service provider, in CIDR format:
> 109.107.160.0/19
> which blocks 109.107.160.0 through 109.107.191.255
> And for that spammer in Iraq... that provider has a huge range of IPs, from 37.236.0.0 to 37.239.255.255, so I personally blocked a fairly small range for them which encompasses the one IP that spammer used:
> 37.239.8.1/24
> (Note: I've added these on my own server already, and it appears I got to it before my sites were hit.) More blocks can be added as you notice them, but try to keep the ranges small. Blocking a too-large range can cause server issues under the right (wrong?) circumstances.

I'm kinda surprised that this doesn't appear to have been actioned on the Invision cloud - as we had a spammer within the Russian range above get through onto a user account this morning?

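
An added example, not code posted by anyone in this thread: it takes the two CIDRs quoted in Mark H's note, shows what each one actually covers, and turns them into one ipset plus a single rule in the raw table's PREROUTING chain, the placement AlexJ describes above. The set name `forum_spam`, the /16 breadth limit and the IPv4-only handling are assumptions of this sketch.

```python
import ipaddress

# CIDRs exactly as quoted in Mark H's note; the second carries host bits (.1 on a /24).
QUOTED_CIDRS = ["109.107.160.0/19", "37.239.8.1/24"]
MIN_PREFIX = 16  # assumed local policy: refuse anything broader than a /16


def normalise(cidr, min_prefix=MIN_PREFIX):
    """Parse a CIDR, clear stray host bits, and reject over-broad ranges."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    if net.prefixlen < min_prefix:
        raise ValueError(f"{net} is broader than /{min_prefix}, refusing to block")
    return net


def covered_range(cidr):
    """First and last address a CIDR covers, as strings."""
    net = normalise(cidr)
    return str(net.network_address), str(net.broadcast_address)


def is_blocked(ip, cidrs):
    """True if the address falls inside any of the (normalised) CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in normalise(c) for c in cidrs)


def build_ruleset(cidrs, set_name="forum_spam"):
    """Return (lines for `ipset restore`, the single iptables rule using the set)."""
    nets = ipaddress.collapse_addresses(normalise(c) for c in cidrs)
    restore = [f"create {set_name} hash:net family inet"]
    restore += [f"add {set_name} {net}" for net in nets]
    # One set lookup in raw/PREROUTING, before connection tracking sees the packet.
    rule = f"iptables -t raw -I PREROUTING -m set --match-set {set_name} src -j DROP"
    return restore, rule


if __name__ == "__main__":
    restore, rule = build_ruleset(QUOTED_CIDRS)
    print("\n".join(restore))  # pipe into: ipset -exist restore
    print(rule)                # run once, after the set exists
```

With the /16 limit in place, the provider's whole 37.236.0.0 to 37.239.255.255 allocation (a /14) is rejected, while the quoted /19 and /24 are accepted and the /24 is written out as 37.239.8.0/24.
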
Thomas Hop Posted January 19, 2023

Gary sent me to this topic. We have also had this problem since this week. We were thinking that a Google Captcha on login maybe would solve the problem. Bots can't automatically log in then (or maybe less). But is this possible in Invision?

AlexJ Posted January 19, 2023

6 hours ago, Thomas Hop said:
> We were thinking that a Google Captcha on login maybe would solve the problem. Bots can't automatically log in then (or maybe less). But is this possible in Invision?

That would be hard because Google Login in itself is direct auth - you are good to go. Only 3 options:
1. Word/URL filter based moderation
2. IPTable
3. If you have Cloudflare - ASN bans.

Unleashed2k Posted January 19, 2023

I am curious if anyone came up with a SQL query that is easy that can reset all user passwords not logged in since 2021?

Dll Posted January 19, 2023

You don't need an SQL query, there's a tool on the members page in the ACP to do it.

Mark H Posted January 19, 2023

As mentioned above, this can be done. ACP -> Members page, upper right. On the next page will be filters you can choose to e.g. select ranges by date.

PurpleSparkles Posted January 20, 2023

23 hours ago, Randy Calvert said:
> I would be more inclined to believe it was a data breach elsewhere if it was long term member accounts that had historically been active and participating on your site suddenly spamming. But an account that was registered and never used that surfaces months later does not scream external data breach.

In our case we had two long term members who post daily and their account was compromised and started spamming two days ago; same IP and quotes from above...

Randy Calvert Posted January 20, 2023

1 minute ago, PurpleSparkles said:
> In our case we had two long term members who post daily and their account was compromised and started spamming two days ago; same IP and quotes from above...

Yes, in that case... it was most likely the user using the same password across multiple sites where another site had a data breach.

AlexJ Posted January 20, 2023

10 hours ago, Unleashed2k said:
> I am curious if anyone came up with a SQL query that is easy that can reset all user passwords not logged in since 2021?

Sometimes people don't have access to their email, and the password is stored in the browser for many folks. You should avoid doing that. It will cause pain for a lot of members.

4 hours ago, Randy Calvert said:
> Yes, in that case... it was most likely the user using the same password across multiple sites where another site had a data breach.

+1 OR I see brute force attempts on weak passwords from these IPs. I noticed that for 2 user accounts on our forums. When I asked them, they had a very weak password, even though the IPS default is moderate, I believe. So we changed it so that after 3 attempts the account gets locked for 12 hrs.

Unleashed2k Posted January 20, 2023

I've already reset the old user passwords but now I have a new problem. It's sending out 50k+ email notifications and my IP got blacklisted for spam. How ironic... Ugh. Is there any way to cancel/clear that queue? I've already tried clearing my exim queue but it seems that ipboard is still bulk sending these messages.

wegorz23 Posted January 20, 2023

55 minutes ago, Unleashed2k said:
> I've already reset the old user passwords but now I have a new problem. It's sending out 50k+ email notifications and my IP got blacklisted for spam. How ironic... Ugh. Is there any way to cancel/clear that queue? I've already tried clearing my exim queue but it seems that ipboard is still bulk sending these messages.

We also think about that but have like 92 000 members. 🙂 About 3 days left we did not match new problems and filtering and IP ban work just fine. Good luck everyone

wegorz23 Posted January 20, 2023

In last 4 days we also received many of failed registers in our forum. Spam defense score 4 auto ban that users and we also have that a lot in past days. ( User registered. Spam Defense checked and returned score 4 - account banned. ) Only today banned ip:

90% of that is from russian federation .... Feel free to add that to ur filter or firewall.

PurpleSparkles Posted January 28, 2023

On 1/19/2023 at 8:26 PM, Randy Calvert said:
> Yes, in that case... it was most likely the user using the same password across multiple sites where another site had a data breach.

Which site had a data breach? I've been curious trying to track it.

Randy Calvert Posted January 28, 2023

There were over 5000 KNOWN data breaches that occurred in 2022 alone. Some of the bigger ones last year include: https://www.usnews.com/360-reviews/privacy/recent-data-breaches

If you're interested in more high level trends in data breaches, check out the annual Verizon Data Breach Investigation Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/

SeNioR- Posted January 28, 2023

Also check user emails at https://haveibeenpwned.com/

wegorz23 Posted February 6, 2023

Can some one have solution on that problem ?? We block every day about 5-15 accounts + that spammers where spam defence (4) ban them automaticly.

Thats from last 3 days.

Randy Calvert Posted February 6, 2023

Use the CleanTalk app. The best 8 bucks you can spend.

Arthmoor Posted February 6, 2023

Better yet - get IPS to implement this:

There should be no good reason to have to spend additional money at the price the IPS package sells for. Especially when a solid working anti-spam system exists that's easily implemented into the package.

Randy Calvert Posted February 6, 2023

33 minutes ago, Arthmoor said:
> Better yet - get IPS to implement this: There should be no good reason to have to spend additional money at the price the IPS package sells for. Especially when a solid working anti-spam system exists that's easily implemented into the package.

Given this is not a feature today... if you want it considered, post it in the Feature Suggestion forum. Otherwise it will be lost in a sea of support requests. 🙂

Arthmoor Posted February 7, 2023

I did, hence why I linked it here. Maybe more interest in the suggestion will help nudge it along. Besides, I think I made it pretty clear what I was linking when I said "get IPS to implement this".