Spam bots defeat Recaptcha.

  • guppy
    New Member
    • Aug 2007
    • 4
    • 3.6.x

    I've spent a while today reading the threads here on spam handling over the last couple of months. Thank you for having so much in one place, it's helped get my mind straight.

    Captchas and email verification are fine for rejecting spambots. A lot of people are still reacting to spambots so it's as well to have those tools available.

    Spamborgs aren't stopped by Captchas and email verification. I don't care whether they're inconvenienced, my sole need is to stop them. The only thing that'll stop them is a mature blacklist fed by honeytraps, just the way email spam was handled at that stage in its development (with user reports taking the place of the honeytraps - I think we can automate rather better now).

    In the absence of a mature blacklist module I'm going to put new users on moderation and only take them off after I've been presented with a sensible post in a meaningful context. I'm not prepared to expose my users to spam and that's the cost to the newbies. I can recognize a spam account from the way it's named and configured and the email address it uses and the IP origin but I'm not prepared to put that many hours into fighting them, I need to batch filter new users onto my site and moderating new users will do that.

    Here's the internal memo I just sent about the problem:
    There's no adequate module for vBulletin yet.

    I might look at the code and decide whether there's a sensible single place to put a two-line patch to query the honeypot.org database. If you want to leave the release level as it is until the new year I'll do it with what's there. If it's in your mind to get current then I'll leave it a while. Have you a preference? I may well not be able to put a patch in place anyway. At the point where I have the new user email registration returned, before switching it off "waiting for confirmation", I can http a query for the confirmation IP address and the registration IP address and if either of them give a positive I can change the new status to banned instead. Maybe that's five lines. To whatever extent the honeypot database is accurate it provides a solution. I'd definitely dry-run all the existing hand-banned accounts against it first to see that they and I agree.
    Last edited by guppy; Sun 12 Oct '08, 6:29am.

    Comment
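The registration-time check and the dry run against hand-banned accounts described in the post above, as an added example that is not part of the original post or of vBulletin. The lookup function is injected because the thread does not specify the blacklist service's query interface; `LISTED`, `ACCOUNTS` and the status names are constructed for illustration.

```python
# Added example: blacklist check at e-mail confirmation, plus a dry run that
# compares the blacklist with manual bans. All data below is constructed.
from collections import Counter

BANNED, MODERATED, HOLD = "banned", "awaiting_moderation", "hold_for_review"

def decide_status(reg_ip, confirm_ip, is_listed):
    """Status for a user who has just confirmed their e-mail address."""
    try:
        hit = any(is_listed(ip) for ip in (reg_ip, confirm_ip))
    except OSError:
        # Lookup unreachable: neither ban nor approve on missing data.
        return HOLD
    return BANNED if hit else MODERATED

def dry_run(accounts, is_listed):
    """Tally how far the blacklist agrees with existing manual decisions."""
    tally = Counter()
    for acct in accounts:
        verdict = decide_status(acct["reg_ip"], acct["confirm_ip"], is_listed)
        if verdict == HOLD:
            tally["lookup_failed"] += 1
        elif acct["hand_banned"]:
            tally["agree_ban" if verdict == BANNED else "missed_by_list"] += 1
        else:
            tally["false_positive" if verdict == BANNED else "agree_ok"] += 1
    return dict(tally)

# Constructed stand-in for the blacklist (documentation address ranges).
LISTED = {"192.0.2.10", "198.51.100.7"}

def sample_lookup(ip):
    return ip in LISTED

# Constructed accounts: three hand-banned, two known-good.
ACCOUNTS = [
    {"reg_ip": "192.0.2.10", "confirm_ip": "192.0.2.10", "hand_banned": True},
    {"reg_ip": "203.0.113.5", "confirm_ip": "198.51.100.7", "hand_banned": True},
    {"reg_ip": "203.0.113.9", "confirm_ip": "203.0.113.9", "hand_banned": True},
    {"reg_ip": "203.0.113.20", "confirm_ip": "203.0.113.21", "hand_banned": False},
    {"reg_ip": "198.51.100.7", "confirm_ip": "203.0.113.30", "hand_banned": False},
]

if __name__ == "__main__":
    print(dry_run(ACCOUNTS, sample_lookup))
```

The `missed_by_list` and `false_positive` counts are the numbers to look at before letting the list ban anyone automatically.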

    • jebs49
      New Member
      • Mar 2008
      • 20
      • 3.6.x

      Same Problem, No Solutions

      Originally posted by sullivanmar
      I am getting hit on my site too. I do have a few questions I'm hoping some can help with.

      I had not previously set up moderation on new registrations. But as a result of all of this, I turned this on a few days ago. I am now getting 8-10 moderation requests a day that I'm able to do a mass delete on using the moderation page.

      However, somehow I am also still getting 6-7 actual registrations a day that seem to be bypassing the moderation step. Can someone explain how this might be possible?

      Also, once they have registered, is there a way to do a mass delete of these invalid registrations? The method I use now is to search for Users/New Registrations. But this method requires me to select each user one at a time, select delete, confirm delete, research new registrations, and start the cycle again. Is there a faster way?

      Thanks
      SullivanMar,

      I am having the very same problem. I spent most of the day yesterday reworking and updating my forum to fix this. I thought I had fixed it because I did a test registration myself and I was sent to the moderation queue. This morning my mailbox was filled with more spam registrations that were not sent to the moderation queue. They got through and are shown as registered users. I have no idea how that is possible.

      This is really frustrating. I don't have the time to constantly be fighting these international idiots. I still don't know what they are actually getting out of this game.

      FT

      Comment

      • sullivanmar
        Member
        • Jan 2005
        • 41

        Originally posted by TGRS
        Hello. I might be able to help you, but I want to make sure that I understand you first.


        --I have never seen anything like this, and I want to understand this more. When you say that they 'bypass' the moderation step; in other words, you are getting new user signups that go directly from the registration form, into the 'Registered Users' usergroup, without any intervention from you, is that correct? Please explain. I know of a way that this might be possible, but I just want to make sure that you are not overlooking something first.


        --Ok, but here's the thing: if you turned moderation on for newly registered users, that also means that both the good and bad guys (so to speak) will need to be moderated; therefore, you are going to have to examine each one to make sure you are not rejecting a legitimate user registration. Are you following what I am saying?
        Well, I will need to check more closely if this continues to happen. I seem to be getting new registrations in two classes,
        • Ones that show up as needing moderation in the CP. I can delete them using the delete radio button.
        • But once I've done this I still have a batch that I can find by doing user/search for new registrations. These are still in "Waiting email confirmation" so they haven't been able to post to my site. But I don't understand why I'm getting both classes. I'm pretty sure the usernames in each are different but I'll check again.
        I am prepared to check the registrations closely. In my case, our board is a fairly small community and I can usually tell if one is legit or not. If in doubt, I send an email to check.

        I may not see this again as I've since installed ReCaptcha.

        Comment

        • TGRS
          New Member
          • Sep 2004
          • 29

          Originally posted by sullivanmar
          But once I've done this I still have a batch that I can find by doing user/search for new registrations. These are still in "Waiting email confirmation" so they haven't been able to post to my site. But I don't understand why I'm getting both classes.
          --You're getting both because the ones inside the "waiting email confirmation" usergroup have not yet authenticated their email address; that's why they're still in there. The ones that are inside the "awaiting moderation" usergroup are the ones that have authenticated their email address, and are now waiting on you to approve (or moderate). Both of the above scenarios are perfectly legitimate, in that you will sometimes get users (bad and good users) that fail to authenticate their email address. This has nothing whatsoever to do with the original issue that you reported, regarding the bypassing of moderation. As you gain more experience running discussion boards, you will begin to understand this concept better.

          Comment

          • sullivanmar
            Member
            • Jan 2005
            • 41

            Originally posted by TGRS
            As you gain more experience running discussion boards, you will begin to understand this concept better.
            Thanks. That explains it fine. I just hadn't thought of it that way. As I said, the community on my board is small and registrations are (were?) normally only a handful a month.

            The better news is that both types seem to have stopped since implementing ReCaptcha.

            Thanks for the help.

            Comment

            • aussiefooty
              Senior Member
              • Nov 2008
              • 1902
              • 6.0.X

              Probably best to get rid of the free emails just to stop the spambots/pornbots from joining up.
              Aussiefootyforums

              New Site New forum
              Come and talk sports all day long


              Comment

              • killerkitten
                New Member
                • Mar 2009
                • 3

                Very interesting thread, if 2 months old - has any progress been made on this issue by anyone?

                Comment

                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73981

                  Originally posted by killerkitten
                  Very interesting thread, if 2 months old - has any progress been made on this issue by anyone?
                  Personally, I have not seen any spam bots defeat ReCaptcha. There was a period when their algorithm was broken and it let any two words through. I believe they have fixed this. However since ReCaptcha is a third-party service, any concerns about the quality of their service should be directed to their website.

                  With vBulletin, there are other ways to defeat spambots that have been incorporated into the software besides Captcha and Turing algorithms. These are your best bet to completely reduce spam. See:
                  How to Reduce Spam and Registration Bots

                  There are also a number of addons at www.vbulletin.org designed to try and combat spam and bot registration ranging from keyword density algorithms to detecting bot activity via load times and other automated behavior.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API

                  Comment

                  • dtg-forums
                    Member
                    • Jan 2007
                    • 45
                    • 3.6.x

                    HELP: IP BLOCKING (And Block List)

                    Originally posted by cyburbia
                    Be careful about banning a short octet in APNIC IP space. The majority of Chinese IP blocks will fill an entire short octet, but you may find cases where xxx.xxx.[0-127].xxx is in China, and xxx.xxx.[128-255].xxx is in Australia, New Zealand, or some other country. In this case, there's no easy way to block through vBulletin; you've got to do it in .htaccess with either CIDR blocks or regular expressions.
                    So, what does this mean?

                    Here is a list of my blocked IP addresses -- ALL of which:
                    * Posted more than TWO spams
                    * Were checked by SamSpade.org
                    * Proven to be in China, or some other country with no business in my forum
                    * added to the list
                    * user deleted, along with all his posts

                    However, one listed as BLOCKED on this list got back in this morning.

                    Are any of these in the octet mentioned in quote above?????


                    Comment
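An added example (not from the thread and not vBulletin code) of why the split-octet case in the quote above needs CIDR: it expands a wildcard ban entry into the CIDR blocks it actually covers and counts what falls outside the range that was meant. It assumes an entry is matched as a plain text prefix of the dotted-quad address with an optional trailing `*`; the `10.20` entries and the `/17` are constructed values.

```python
# Added example. Assumption: a ban entry is matched as a plain text prefix of
# the dotted-quad address, with an optional trailing "*".
import ipaddress

def prefix_to_cidrs(entry):
    """Expand a textual ban entry such as '10.20*' into the CIDR blocks it covers."""
    text = entry.strip().rstrip("*")
    *done, partial = text.split(".")
    ok = all(o.isdigit() and int(o) < 256 for o in done)
    # Every value of the next octet whose decimal text starts with the fragment.
    values = [v for v in range(256) if str(v).startswith(partial)]
    if len(done) > 3 or not ok or not values:
        raise ValueError(f"not an IPv4 prefix: {entry!r}")
    bits = 8 * (len(done) + 1)
    zeros = ["0"] * (3 - len(done))
    nets = [ipaddress.ip_network(".".join(done + [str(v)] + zeros) + f"/{bits}")
            for v in values]
    return list(ipaddress.collapse_addresses(nets))

def covers(entry, ip):
    """True if the ban entry would match this address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefix_to_cidrs(entry))

def overblock(entry, intended_cidr):
    """Addresses the entry bans that lie outside the range you meant to ban."""
    intended = ipaddress.ip_network(intended_cidr)
    total = inside = 0
    for net in prefix_to_cidrs(entry):
        total += net.num_addresses
        if net.subnet_of(intended):
            inside += net.num_addresses
        elif intended.subnet_of(net):
            inside += intended.num_addresses
    return total - inside

if __name__ == "__main__":
    # Constructed case: only the lower half of 10.20.x.x (a /17) should be banned.
    for entry in ("10.20.", "10.20*"):
        blocks = ", ".join(str(n) for n in prefix_to_cidrs(entry))
        print(entry, "->", blocks, "| outside /17:", overblock(entry, "10.20.0.0/17"))
```

Under that assumption, `10.20.` still takes in the upper half of the octet, and `10.20*` additionally matches `10.200` through `10.209`; only a CIDR rule expresses the `/17` exactly.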

                    • JPnyc
                      Senior Member
                      • Jan 2005
                      • 205

                      Just block all the countries in Asia. Problem solved. If your forum is anything like ours, you get no legitimate traffic from that region anyway, or at least not enough to worry about.

                      Comment
