Dunno if any of you have seen this yet and if so, then laugh me off, if not, please view:



Please view where it says Man under Biography, I've had 10 or more accounts today that do that, with Coppa on, and now I've turned on unique emails again, so we'll see how it goes, but I've never seen this before so just letting you all know.

Peace,

LCF

P.S. Also the ICQ number or whatever is always a random number.

Be advised, different countries as well, not just RU for Russia or India, but also Netherlands:

The Dutch IP is from a well-known data centre in Holland. Contact them and describe what is happening from that box. I am sure they will be more than happy to help you :)

I don't know for sure whether it's human or a bot obviously but there are multiple IP's from mulitple countries, so it's either a human behind an IP Mask or Proxy. Or it's a bot.

It's so formulaic making me think that it's a bot.

The s/n's are strange and don't make sense, the links they have used in there profiles have been a couple of porn sites and then just other sites that make no sense like this link:

http://sjydeadult-furry-art-galleriessjyde.00freehost.com

I don't see the art galleries, blah blah part of that link making any sense.

The ICQ numbers always have the same number of digits and they are always numerical.

Finally the biography is always the same:

Man

Interests they put there s/n

Location is always a country Russia, India, Mexico, etc.

and Occupation is always there s/n again.

Here's another link they posted on there website line:

http://www.rapharmacy.com/item.php?id=5106

There are quite a few threads both on here and on vb.org about this recent bot/spam attack on forums.

There are quite a few threads both on here and on vb.org about this recent bot/spam attack on forums.

Has anyone come up with any solutions as of yet?

Some of them have to be real, while others seem to be bots. I found one was a site called keyweb and they are all about online e-market stuff when I found there website. I thought about complaining but I'd like to see if there is a pattern anywhere.

The recent accounts have been strange names and no info, many users who are not validating there email addresses and now I'm getting one's who are making there user name almost an advertisement.

Like someone using:

TRAMADOL ONLINE CHEAP

as an s/n.

Are you serious?

This is getting a bit ridiculous. But something tells me some of them are real because how could they verify the email address which one did hours later today if they were a bot?

Lastly what do you think is better deleting there accounts or permabanning them, or permaban by IP? Because since I used the COPPA thing now with age, I'm also using age cookie, so shouldn't that cookie know if I ban them that they can't make another account until they are unbanned or clear cookies because my site knows who they are???

http://www.vbulletin.com/forum/showthread.php?t=275800

That should help you. I'm hoping 3.7.4 has a stronger verification system.

I'm sure I'll not come up with the miracle fix to this or anything but I'm just throwing out a thought here, and let me know what you think.

I read what Steve has wrote and my thought is what if the QA options was not only random but flash operated? Meaning flash coding?

The reason why I ask this is because the damn crawl bots from google or most places I've heard cannot read flash coding ( for example SWF files or videos ) and therefore if the bots can't read them, and the questions are random and ever changing, the bots would never be able to register.

Even if I'm wrong about the flash using a system that has 100 different questions pre-programmed in 3.7 will disrupt the bots unless a human wastes hours trying to find the answer to every question and then codes a bot to actually attack a forum that way.

Any thoughts on this anyone?

( ps if not flash/random what about the question being in an iframe, uncrawlable content? )

Why do I feel like I'm fighting Agent Smith here? lolz

Your last line indicates you're still getting bot flooded?
If that's the case, do you run 3.7.3 PL1, and do you use reCAPTCHA or the Q+A option from the HV library?

I got 200 bots in less than a week.

Your last line indicates you're still getting bot flooded?
If that's the case, do you run 3.7.3 PL1, and do you use reCAPTCHA or the Q+A option from the HV library?

A) Floris you would know what version I use, unless you don't have that account information on me, which I doubt. So no, I don't use 3.7.3 PL 1. We didn't upgrade because of the difficulty in changing all the modified templates. It would be a great help if when we changed templates the changed text we did was a different color of text than the default template text. So we could always know what changes we've done.

B) I don't believe we have reCAPTCHA on our version 3.6.8 PL 2.

C) I don't know if we can incorporate the QA Option in our version, if we can apply it, we can do that. But if it's for 3.7 then no, we can't use that.

1 - I am not going to click on every customer account to see their latest download and see what they downloaded, to assume they have. A user can download 3.7.3 pl1, but choose not to upgrade. I would give bad support if I start assuming things. It is a simple question to ask and answer - so we have the facts and can give correct support.

2 - 3.6 has had spam bot captcha breaking in the past, and we recommend to upgrade to 3.7.3 PL1.

3 - see 2.

I received this message in one of the spam messages today.
Perhaps this might help us get some insight in what is going on with the spammers:
Carolem



Demya.com - Forum Post Spammers or Legit Promotion Service?

Promote Your Message on Forums Worldwide

Watch Online Video Demonstration
http://www.youtube.com/watch?v=wALJl6fZ5tY

The Price List:
90,000 Unique Forum Posts: $75
150,000 Unique Forum Posts: $120

** Note: We can post on forums that are specifically relative to your website, products and/or services. This is the most advanced method to penetrating online established communities to promote your website, product and/or services.

Our services not only assists it gaining relative web traffic, but it also immediately improves your search engine rankings. This post was published by automated means!

Feel free to contact me directly via ICQ: 162456288

I flagged the YouTube video for abuse. It probably won't be on YouTube much longer.

What i got from the video is that if you name one of your forum like GENERAL DISCUSSIONS then it will make a post there but if you name it something different then it won't make a post.

This reminds me of when i used PHPBB the bots where only posting in one of my forums because the name was generic and that was in the SUPPORT forum.

1 - I am not going to click on every customer account to see their latest download and see what they downloaded, to assume they have. A user can download 3.7.3 pl1, but choose not to upgrade. I would give bad support if I start assuming things. It is a simple question to ask and answer - so we have the facts and can give correct support.

2 - 3.6 has had spam bot captcha breaking in the past, and we recommend to upgrade to 3.7.3 PL1.

3 - see 2.

Then the question has been asked and answered for your recommendation and there is no support for us.

WE CANNOT UPGRADE TO 3.7 OR ANY FUTURE VERSION OF VBULLETIN!

I turned on Moderate New Members but will have a unique code made for new registrations in the future such as the ideas I listed above.

I wonder what makes a forum a particular target....there must be some sort of pattern.

I'd just like this question answered assuming I didn't have moderate new members on:


Lastly what do you think is better deleting there accounts or permabanning them, or permaban by IP? Because since I used the COPPA thing now with age, I'm also using age cookie, so shouldn't that cookie know if I ban them that they can't make another account until they are unbanned or clear cookies because my site knows who they are???

Ok seriously I just had a member join with moderate new members on and they are not listed on my members to moderate.

What maintenance function do I have to run in order to reset the system so that it knows that I have to moderate members?

I'm not being flooded but its as if I have no control over my admin cp in vBulletin anymore, I might as well pass out my damn password.

Jeez

Why would you not have access to your admincp anymore? Sounds like a separate issue aside from the bots connecting.

3.6 is outdated, and 3.7 is the latest stable branch. We strongly recommend to upgrade so known bugs are fixed, and better tools are available to you.

Another thought is rather than moderating new members is to just moderate their first posting.

Why would you not have access to your admincp anymore? Sounds like a separate issue aside from the bots connecting.

3.6 is outdated, and 3.7 is the latest stable branch. We strongly recommend to upgrade so known bugs are fixed, and better tools are available to you.

Nowhere in my statement did I say I did not have access to my admin CP anymore.

I stated that it's as if it's not doing what it's supposed to. I thought that Moderate New Members made it so they couldn't post until I approved there registration, and after I turned it on, someone registered a few hours later and did not appear in the "members to moderate" usergroup. It's as if they automatically were moderated and allowed to post.

We are unable to upgrade to 3.7, I've said that 3 times now.

If you can't upgrade to 3.7 use the nospam plugin from vborg, and carrie's recently released plugin that detects spikes.


I have no control over my admin cp in vBulletin anymore I don't see how this is relevant. what "no control" don't you have?

Another thought is rather than moderating new members is to just moderate their first posting.

The spam (including links to boost search engine ratings) can reside in the profile. There is not necessarily any need for them to post anything further.

I don't see how this is relevant. what "no control" don't you have?

NVM on this, I think I understand how it works.

They register and until they go and verify there email address they can't change there profile information, which they still can't until I moderate them and allow them.

I seen the same Tramadol one again come through but it did go to moderated usergroup.

The only thing I want to make sure is that they don't appear in my memberlist or can't edit there profile or biography lines until I moderate there membership. Otherwise moderating there membership is completely useless as they will still make an account with there profile info.

I'll check the addon's at .org and see if there is anything we can do. If everything has been cracked though, we'll have to get something custom coded.

I was mistaken thinking it wasn't working because no one showed up in moderated usergroup, but that's because many of them aren't or can't verify there email address.

This question still remains unanswered:


Lastly what do you think is better deleting there accounts or permabanning them, or permaban by IP? Because since I used the COPPA thing now with age, I'm also using age cookie, so shouldn't that cookie know if I ban them that they can't make another account until they are unbanned or clear cookies because my site knows who they are???

http://www.vbulletin.com/forum/showthread.php?t=275800

That should help you. I'm hoping 3.7.4 has a stronger verification system.

This approach (adding registration question) stopped them. I had one board w/ 30 spammers registering last week. No further registrations, although they still appear to be trying.

After the 2nd spammer register in another board, I added the reg. ? in my other 3 boards this weekend.

No further problems!

... at least not yet :(

I don't see what the fuss is about to be honest, I've only seen one spam bot in the last four weeks or so. Although I will suggest banning this IP address:

121.230.20.1

Or just any from China.

I got 200 bots in less than 4 days.. :(

Since I added a custom form field question to the registration page (while still using reCaptcha) I've had zero bots.

7 pieces in two days...hmmm...a bit higher than usual.

If it amuses you, I found the TOS of the source of spambot attacks. The software TOS.


Registering in site botmaster.net and purchasing the software described in this site I commit myself to use it solely for personal needs and bar from proposing to the third persons. I acknowledge that this rule violation will entail serious consequences for me. I do not consider the software described in this site illegal. The author does not bear the responsibility for my application of this software.[/endtos]

If it amuses you, I found the TOS of the source of spambot attacks. The software TOS.

[/endtos]
Those ToS are pretty much worthless and wouldn't stand up in court, even if they were in regards to a legal product. It doesn't outline what exactly it considers "personal", "needs" or what "serious consequences" are.

It also doesn't matter what the reader regards as illegal or not, that is up to the court to find.

Also, the wording and structure is horrible. It's a grammarian's nightmare.

Also, the wording and structure is horrible. It's a grammarian's nightmare.

That's Google Translate for you. Can't seem to find a tear to shed though. I mean it is the site of the company selling the spam bot that is attacking your sites.

Also, the wording and structure is horrible. It's a grammarian's nightmare.

What did you expect? Them to major in grammar? Sorry. That won't happen. :) It's sorta sad that the spam bots have better grammar than the creators.

Remember kiddez. Grammarz r impant 4 u posts. Otherwise no 1 cn understood u. Grammarz is vry impotent 4 terms of srivce. K?

I got 200 bots in less than 4 days.. :(


That's bad!

How comes some people like you are being very hit so much, while others are not?

That's bad!

How comes some people like you are being very hit so much, while others are not?


Google perhaps? I guess it hits the most relevant sites first.

I have no control over my admin cp in vBulletin anymore
I don't see how this is relevant. what "no control" don't you have?

That isn't what he said, Floris. He said this:

... its as if I have no control over my admin cp in vBulletin anymore...
The bold part, its as if, means it is similar to or just like he has no control. It's a colloquialism. He still has control, it just doesn't SEEM like it sometimes.

Jim

Got one of these today, after changing to Q&A from captcha images. My forum is not even mainstream, strange.

I've had a couple over the past few days... first time ever since I switched to vB a year ago! I have custom questions at signup too, and email verify.

I have noticed 2 things about my SPAM signups... their birthdays are January 1st 1980 and their timezone is set to GMT +8.

I'd love the ability, one day, to have more banning/registration denying options. My board is far from mainstream... a high school alumni site in fact for one specific high school. I'd love to ban registrations based on a certain timezone being entered, or even a certain birthdate. That would kill every spam registration i've had so far... unless of course it's not a bot!

Well I'm having a psychotic paranoid attack now. What if the bots are crawling this forum for boards to attack? I began posting again 2 days ago, and this bot now appeared! :eek:

Anyway, I'll live :) heh (if they don't manage to deface my site that is)

Well I'm having a psychotic paranoid attack now. What if the bots are crawling this forum for boards to attack? I began posting again 2 days ago, and this bot now appeared! :eek:

Anyway, I'll live :) heh (if they don't manage to deface my site that is)

My test/development forum is available to the public since it has its own license and one day I'll actually develop the site. The only place its linked to is at www.vBulletin.org (http://www.vBulletin.org) in a single post. I have had 2 (maybe 3) bot registrations but no spam...

Why? I moderate new users and only approve those that I wish to. Though the site will probably be wiped clean again today and have vBulletin 3.8.0 Beta 1, Blog 2.0 beta 3 and Project Tools 2.0 installed. Will probably install the Bot Detector and Keyword Spam Rating addons and remove new user moderation and captcha from registering to see how it does. Currently it uses Recaptcha and has a required field which is a selection menu during registration.

Well I'm having a psychotic paranoid attack now. What if the bots are crawling this forum for boards to attack? I began posting again 2 days ago, and this bot now appeared! :eek:

Anyway, I'll live :) heh (if they don't manage to deface my site that is)

I don't think they're finding them here. I have 4 vBulletin boards.

* The only one linked from here had two spam bots registered, no evidence of any continuing effort
* The board with the the most (30+ spam) bots registered before I implemented the extra registration question, is not linked from vbulletin.com, and they are continuing to try. Almost ever time I look at the user list, someone has been in register.php in the last 15 mins.
* Two other boards (neither linked from here) haven't been hit at all.

I am now receiving spam in my forum email after this bot.

Well I got tired of it and turned off my registrations. I don't know how you can tell Wayne, whether it's a user or a bot, unless you start memorizing IP's or banning IP's.

My only guesses is emails or usernames that don't make sense at all, or emails that clearly indicate a website. Obviously duplicate IP's is a given but still it's like you never really know who to moderate.

So then after a few days I turned it back on and 24 hours later I had 9 users to moderate, and it looked like 7 of them were for sure bots, and the other 2 I couldn't tell.

I don't know how you can tell Wayne, whether it's a user or a bot, unless you start memorizing IP's or banning IP's.

Don't need to memorize or ban IP addresses.

If it is from a problematic email domain, they aren't allowed to register. There is a list around here somewhere.

The current bot, uses gmail email addresses because it has been broken as well. If the user has a gmail email address and does not exist as a user on one of several key sites listed on the registration form, then they are deleted.

If by chance a bot does get through, I use a mod to rate posts by specific keywords. If they score about a certain threshold they are automatically moderated. If they score above a higher threshold they are rejected.

I have a second addon that uses heuristics to determine if there is an outbreak of spam on the site and like the beginning of any epidemic it innoculates the site.

Finally, the site will use the Spam Management tools to check the post with Akismet to see if it is spam or not. Just incase the previous measures fail to catch it.

If you read my posts however, I am of the mind that restricting registrations isn't exactly the best way to move forward. Trapping spam and preventing it from becoming public is. This would be similar to how email clients work today. They don't prevent people from contact you for the most part but they will look at the messages and move those marked as spam to another location out of your site. In my opinion filtering like this is a proper proactive response to the situation. Banning users and IP addresses only works reactively and is a battle any webmaster will ultimately lose.

If it is from a problematic email domain, they aren't allowed to register. There is a list around here somewhere.

The current bot, uses gmail email addresses because it has been broken as well. If the user has a gmail email address and does not exist as a user on one of several key sites listed on the registration form, then they are deleted.

If by chance a bot does get through, I use a mod to rate posts by specific keywords. If they score about a certain threshold they are automatically moderated. If they score above a higher threshold they are rejected.

I have a second addon that uses heuristics to determine if there is an outbreak of spam on the site and like the beginning of any epidemic it innoculates the site.

Finally, the site will use the Spam Management tools to check the post with Akismet to see if it is spam or not. Just incase the previous measures fail to catch it.

1) I'd love to know where that list is.

2) Both gmail and hotmail have been broken, but I know some of my friends for example use gmail, so how does that determine alone, that they are bots and not real people?

As far as a user on several key sites, how would you determine that?

3) I would imagine a mod that looks for excessive links in sigs or posts would be a nice red flag system.

4) I have no idea what Heuristics is.

5) When did vB get Akismet, I only know of Wordpress having that.

1) I'd love to know where that list is. Stickied at the top of this forum.

2) Both gmail and hotmail have been broken, but I know some of my friends for example use gmail, so how does that determine alone, that they are bots and not real people?Do your friends usually register with names like Jiuwqero? A little common sense and logical reasoning can go a long way in weeding improper registrations out.

As far as a user on several key sites, how would you determine that?They are required to enter the site where they found the link to the site. I check to see if the user name exists on that site. If they do then they get approved. If they do not, then they get deleted.

3) I would imagine a mod that looks for excessive links in sigs or posts would be a nice red flag system. I don't check for links. It weighs by the keywords of the post. If a post has a single link and hundreds of cellphone brandnames it is still spam but if you allow a single link it would be approved. Keywords are a much better indicator of spam than links will ever be. Users are not allowed signatures until they have 10 valid posts.


4) I have no idea what Heuristics is.
Dictionary helps here. http://dictionary.reference.com/browse/heuristics


5) When did vB get Akismet, I only know of Wordpress having that. Its a standard feature of vBulletin 3.7.X but I know that you can never upgrade due to your current installation.

I've never heard that word Heuristics used in my 29 years of life, so yeah, a bit taken off guard.

The usernames are sometimes obvious but not if they are from other countries or non-american or english speaking, because then they could be spanish or something else legitimate.

I don't want to moderate members really, but I do have 2 choices, it seems like a dedicated bot program is doing this, or meaning it's one type that is mimicking itself. What I did was turn off allow "edit profile", which in turn doesn't tell me which one is real and which one is the bot pattern.

So my two choices are turn on Moderate Members and allow them to edit profile so I can see which one's are the bot and delete them. The only nasty thing is that I'd have to view each one of there user pages in the ACP and getting 10 a day is annoying.

The other option is to delete the profile field for member websites and just let them join, since that is where they are posting there advertising links. We don't allow signatures until 30 posts, and the other thing is, these bots never post, only one human did saying

SPAM FOREVER!!!
spam.com

I was like whatever. But if I delete the website field and just allow my users to post there links in there sigs naturally after 30 posts, then I probably can eliminate the problem.

Since I also delete all users every 3 months that have 0 posts. If anyone knows of the Prune command to do that or query or whatever I can run, that would be great since I've only in the past been able to delete them one by one.

The Akismet thing is on vb.org but it's not an issue at the moment for me since the spam bots aren't posting, they are only creating accounts with a profile and a URL link.

I have no idea what you meant by this:


They are required to enter the site where they found the link to the site. I check to see if the user name exists on that site. If they do then they get approved. If they do not, then they get deleted.Unless that is specific to your site that they have to enter a profile field of what site they found us from. If they enter something like google.com, through a search they ran, I don't see how you can distinguish between bot and normal member.

Pretty Intense article on Bot Attacks found here:

http://www.wired.com/wired/archive/14.11/botnet.html?pg=2&topic=botnet&topic_set=

Since I also delete all users every 3 months that have 0 posts. If anyone knows of the Prune command to do that or query or whatever I can run, that would be great since I've only in the past been able to delete them one by one.
I already told you how to do that and you even wrote in the thread this morning that you were gonna bookmark that thread.

I am sorry but if you are unwilling to make changes then I can not say anything else but that these problems will not go away.

Users using 3.7.3 PL1 or newer with reCAPTCHA and/or Q+A setup, report back that the abuse has stopped. The nospam addon that adds Q+A to 3.6, has resolved it for 3.6 users too.

I already told you how to do that and you even wrote in the thread this morning that you were gonna bookmark that thread.

That question was for users awaiting email verification, not 0 post users, I mean 0 post users regardless of usergroup.


I am sorry but if you are unwilling to make changes then I can not say anything else but that these problems will not go away.

Users using 3.7.3 PL1 or newer with reCAPTCHA and/or Q+A setup, report back that the abuse has stopped. The nospam addon that adds Q+A to 3.6, has resolved it for 3.6 users too.

I didn't even ask you to speak again,

can't and unwilling are 2 different things.

Wake up.

Ok, since you can't converse with me on a normal level you are now ignored. Good luck fixing your issue. I hope you resolve it.

Ok, since you can't converse with me on a normal level you are now ignored. Good luck fixing your issue. I hope you resolve it.

Ok ignore me, I'm fine with that. I wasn't even talking to you in my last 5 posts.

Don't worry we will.

Once again, no professionalism from a vb employee.

Actually I just had one of these bots that change profile fields to weird stuff after going to Q&A, just a heads up.

If you can't upgrade to 3.7 use the nospam plugin from vborg, and carrie's recently released plugin that detects spikes.

I did fine the no spam plug in, but I didn't find a detect spike plug in after 4 searches and member name search.

---------------------------------------------

On a side note they are using a bunch of servers:

internetserviceteam.com ---- this is all i found on them, the who is goes nowhere http://www.forumpostersunion.com/showthread.php?t=3041

broadbandcorbina.ru

ubiquityservers.com

keyweb.de

I did fine the no spam plug in, but I didn't find a detect spike plug in after 4 searches and member name search.

From her profile: SpamBot Detector: An alert algorithm designed to detect and act on ... (http://www.vbulletin.org/forum/showthread.php?t=192812)

Dunno if any of you have seen this yet


Where is your style from mate ? Very neat :D

From her profile: SpamBot Detector: An alert algorithm designed to detect and act on ... (http://www.vbulletin.org/forum/showthread.php?t=192812)

Thanks I couldn't tell which carrie they were talking about.


Where is your style from mate ? Very neat :D

It's custom, we made it ourselves.

Genesis
- WOL Avatars 30 x 30 pixels in left column
- Palatino Linotype Font
- Category Headers and Buttons are a grunge effect graphic
- Buttons use Georgia Font
- PNG Icons for everything except ava's/buttons
- We use the Country Flag Hack on WOL and use Animated Flags to show the countries
- Banner for style is called Nova Convergence by our website artist: http://alexiuss.deviantart.com/ he deleted it from his gallery though
- PNG Forum Icons for all the main page or forum index sections, not subforums.

-----------------------------------------------

Back on topic I submitted an abuse ticket to ubiquity.com after contacting them via phone, they said they are going to look into the IP address since it was one of there's.

I have stopped my SPAM issues so far. They were just starting up for me, and it was gaining momentum daily it seemed. Using an htaccess file to block most of Asia, especially China. Also, since my Site is real name based, adding in a Regular Expression for the username helped a lot!

Don't worry we will.

Once again, no professionalism from a vb employee.
Grow up you goose.

Hmm blocking Asia from my forum could be nice. Is there a sticky somewhere teaching how?

Grow up you goose.

Quit being a fanboy defender of there lack of professionalism, you and I have both seen this a thousand times.

K thanx bye

lol I have more infractions than you have posts, big fella.

kthnxbai.

If we are going to start attacking eachother, .. thread closed.