Author Topic: Protecting the board from spammer and malware ASSSholes  (Read 170 times)

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 22324
  • Gorn Classic, user of Gornix
Protecting the board from spammer and malware ASSSholes
« on: January 16, 2018, 12:13:18 pm »
This afternoon this individual joined the site:



The IP address of this new person resolves to the University of California Office of the President: http://ucop.edu/

But what was very strange was that the "Guest" (not-logged-in) visitor count escalated around that time to over 80. That is extraordinary and there's no reason for it. This is a small unpopular site.

...Except that  there were dozens of visitors visiting one single post on this forum. There were maybe 4 or 5 posts each of which had many "visitors" landing on those pages.  And I kept seeing "Attempting to register" statuses.

It was too much of a coincidence for me.

I deleted the account of this "Sumprit" asshole with the Hotmail address. Who is probably a marbled mouthed SE Asian spammer.  I'm assuming that Sumprit was scoping the board out in preparation for spamming or an attack and that he was responsible or tied to the invasion of bots. 

I then located a plugin for SMF that lets me throttle the number of unregistered guests. I set the limit to 10 guests. It will still let search engines in.

It makes me angry how many utter jerkoffs there are on the internet. We dont' even have anything worth stealing here, and someone wants to rip us off anyway.  >:(
« Last Edit: January 16, 2018, 01:01:36 pm by Blockchain Gorn »
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

benali72

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2718
Re: Protecting the board from spammer and malware ASSSholes
« Reply #1 on: January 19, 2018, 09:09:37 pm »
Man, that's really bizarre!  But I guess there's an awful lot of bizarre behavior on the web....

JoFrance

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2395
Re: Protecting the board from spammer and malware ASSSholes
« Reply #2 on: January 20, 2018, 04:09:28 pm »
That's really unusual.  It almost sounds like an attempted DOS attack.  What post were they visiting? 

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 22324
  • Gorn Classic, user of Gornix
Re: Protecting the board from spammer and malware ASSSholes
« Reply #3 on: January 20, 2018, 05:01:29 pm »
SMF's view for admins shows a list of all users, members and visitors, and some indication of what each one is doing at the present time. That is what I was watching.

There were many (at least a couple dozen or more) visiting some older post from one of the public sections. I'm guessing that someone wrote a bot that scraped search engines for some links inside this site, which would be these posts, and the bot was poorly written and drew attention to itself by allowing many instances of accessing exactly the same post. I was observing some of the visitors attempting registration.

There is just no valid reason there should be almost a hundred accessors of this site at one time.
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 22324
  • Gorn Classic, user of Gornix
Re: Protecting the board from spammer and malware ASSSholes
« Reply #4 on: January 21, 2018, 08:44:01 am »
Let me be clearer about what I saw and how simple it is to recognize spammers when they come in like this.

And, the details don't matter so that's why I am only saying it was "a few posts", not which ones. It's random, just the spammer's choice of URLs to come in through.

First of all, we only get a completed user registration resulting in a new member about once a month. That's the screenshot at the top of this thread. And it's an Indian name (strike 1, a BIG one). Plus a Hotmail address (nobody legitimate uses Hotmail anymore.) Plus an IP address that resolves to .edu, which is very unlikely to be legitimate. Put together I had no trust in this profile's user.

I have much more trust when: the name is not foreign sounding; the email is some ISPs or is Gmail or Yahoo; and when the IP address resolves to a residential internet provider and has words like "cable" or "fios" embedded in it.

Not rocket science, obviously.   

The board has this list I can view and most of you can't.



This list was standing at 89 - and spanned multiple pages - when I noticed. And this was maybe 1/2 hour after the Indian guy registered.

The number-of-visitors throttle plugin isn't perfect. This list has 18 total guests and it's supposed to be limited to 10.

What I see when I launch a private browsing session (not logged in) and visit as a guest now is this screen - the guest quota is filled and therefore it doesn't show me any posts or page indexes. Any registered user can still log in and see everything, however.



Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.

JoFrance

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 2395
Re: Protecting the board from spammer and malware ASSSholes
« Reply #5 on: January 21, 2018, 03:40:49 pm »
It looks like bots trying to see where they can get in.  I always saw this kind of thing when I oversaw networks.  It was 24/7, looking for a chink in the armor.  Bastards.