The Era Of Big Spam Is Over.

[lazytown]

renaming register.php no longer works

First, thank you for posting this and trying to help. I have everything suggested installed with all the hostnames/agents set up correctly. It is working (mostly), but we need to be aware of something important. Several of the suggestions are good, but they are not foolproof and some are not helping anymore.

"Rename register.php by BOP5" is now completely useless and a waste of time to implement. Perhaps once it worked, but spam software (xrumer, etc) must now just be looking at the register link to figure out the URL, so the filename really doesn't matter anymore. I renamed register to completely random numbers/letters, two separate times, and all settings are correct. I did not use the word "register" or any words in the name. Within 30 minutes, the spambots are filling out forms on the new register filename. I know they are getting past the rename plugin trick because I'm getting PMs with them being blocked by the hostname plugin (which does work quite nicely). How long before the spammers get past that one, or just use different hostnames and we have to start updating that regularly? This is definitely not foolproof because the main block (renaming register.php) is no longer useful. The timer is also not stopping most of them, and I don't want to increase it much beyond 26 seconds or so.

Obviously spam software will continue to get smarter, so we need to have some humility instead of proclaiming, with hubris, that the era of big spam is over and posting that on all the other vbulletin.org anti-spam mods.

I have stopforumspam (through the glowhost plugin) running as an additional layer of protection. I wish there was an updated stopforumspam plugin that used their new "confidence" data and worked a little better, but no one seems to want to take that on. For now, it is still a very useful tool to add to what you have listed.

 

[Max Taxable]

First, thank you for posting this and trying to help. I have everything suggested installed with all the hostnames/agents set up correctly. It is working (mostly), but we need to be aware of something important. Several of the suggestions are good, but they are not foolproof and some are not helping anymore.

"Rename register.php by BOP5" is now completely useless and a waste of time to implement. Perhaps once it worked, but spam software (xrumer, etc) must now just be looking at the register link to figure out the URL, so the filename really doesn't matter anymore. I renamed register to completely random numbers/letters, two separate times, and all settings are correct. I did not use the word "register" or any words in the name. Within 30 minutes, the spambots are filling out forms on the new register filename. I know they are getting past the rename plugin trick because I'm getting PMs with them being blocked by the hostname plugin (which does work quite nicely). How long before the spammers get past that one, or just use different hostnames and we have to start updating that regularly? This is definitely not foolproof because the main block (renaming register.php) is no longer useful. The timer is also not stopping most of them, and I don't want to increase it much beyond 26 seconds or so.

Obviously spam software will continue to get smarter, so we need to have some humility instead of proclaiming, with hubris, that the era of big spam is over and posting that on all the other vbulletin.org anti-spam mods.

I have stopforumspam (through the glowhost plugin) running as an additional layer of protection. I wish there was an updated stopforumspam plugin that used their new "confidence" data and worked a little better, but no one seems to want to take that on. For now, it is still a very useful tool to add to what you have listed.

There was never any claim it is foolproof. Nothing ever is.

Yes we need to always be updating the lists for the two mods that use them. Comes with the territory.

The era of big spam IS indeed over. Spam is not ended, it is greatly minimized. But we DO believe it can be completely stopped on vBulletin installations because we have done it on several sites that had serious spam problems.

You are having issues we haven't seen. Please provide a link to your site for further study. PM it to me if you don't want it posted on open board.

 

[Max Taxable]

By the way it is also possible that if you are heavily modded, you could have some conflicts that are interfering with the anti-spam plugins. It's not at all uncommon. Especially if you have one suddenly stop working, that was working for you before.

 

[lazytown]

The rename register.php is working as it should, I've tested it, it's just the spambots are smarter than this method now. I know I could easily program around it. I still think it's a mistake to say anything regarding spam is "over." It's just delayed for a while until enough forums start using it and then the spammers feel the need to up the ante. They are one by one getting past each protection method.. First the rename register, and now the timer. Both are already defeated. If they can defeate almost every human detection method (captcha, questions, etc), spoofing IPs, they can defeat all the other methods too. The battle rages on, nothing is "over" and if you think it is, one day, when enough boards adopt these anti-spam measures, we're all going to get hit at once with a ton of spam. So we need to stay vigilant and always several steps ahead. I, for one, think the "stopforumspam" database is still quite useful as another layer.

 

[Max Taxable]

The rename register.php is working as it should, I've tested it, it's just the spambots are smarter than this method now. I know I could easily program around it. I still think it's a mistake to say anything regarding spam is "over." It's just delayed for a while until enough forums start using it and then the spammers feel the need to up the ante. They are one by one getting past each protection method.. First the rename register, and now the timer. Both are already defeated. If they can defeate almost every human detection method (captcha, questions, etc), spoofing IPs, they can defeat all the other methods too. The battle rages on, nothing is "over" and if you think it is, one day, when enough boards adopt these anti-spam measures, we're all going to get hit at once with a ton of spam. So we need to stay vigilant and always several steps ahead. I, for one, think the "stopforumspam" database is still quite useful as another layer.

The timer is defeated. Really? I haven't seen that. You're aware it's not intended to stop human spammers, right? Just autospam.

Link to your site? What you're describing isn't happening anywhere else on any site I've secured. And that counts some BIG boards that had BIG spam troubles.

If you don't like us saying "The era of big spam is over" that's fine. This isn't something we just hatched one day, this is years and years of making it so.

Don Meredith: "It ain't braggin' when you can DO it."

If you want some help please provide a link to the site in question.

 

[Max Taxable]

Note: We need to remove "tor" from the list on PHUAR list.

 

[lazytown]

The timer is defeated. Really? I haven't seen that. You're aware it's not intended to stop human spammers, right? Just autospam.

Link to your site? What you're describing isn't happening anywhere else on any site I've secured. And that counts some BIG boards that had BIG spam troubles.

If you don't like us saying "The era of big spam is over" that's fine. This isn't something we just hatched one day, this is years and years of making it so.

Don Meredith: "It ain't braggin' when you can DO it."

If you want some help please provide a link to the site in question.

Don't get me wrong, I'm happy for the software and links provided, together they are catching almost all of them. The point is they are getting past some barriers easily compared to a year ago.

The timer is defeated by simply setting your spam software to register after let's say 30 seconds after hitting the form. That's all it takes. They can't actually register faster than the timer allows. Maybe 60% are stopped by the time and 40% by hostname. The point is that they are getting by 2 of the layers (I have 4 or 5 layers). And as I mentioned, renaming register.php isn't stopping them at all. I'm sure you've noticed this if you have logging turned on.

 

[Max Taxable]

Don't get me wrong, I'm happy for the software and links provided, together they are catching almost all of them. The point is they are getting past some barriers easily compared to a year ago.

Hey Man I completely understand your frustration. Spam O Matic stopped working for you for some odd reason and now you're getting spammed again. I totally get it - I have been at this spam and botnet fighting stuff for fifteen years now.

The timer is defeated by simply setting your spam software to register after let's say 30 seconds after hitting the form. That's all it takes. They can't actually register faster than the timer allows. Maybe 60% are stopped by the time and 40% by hostname. The point is that they are getting by 2 of the layers (I have 4 or 5 layers). And as I mentioned, renaming register.php isn't stopping them at all. I'm sure you've noticed this if you have logging turned on.

They won't ever do that, because it costs time. Imagine a million botnet zombie computers out there on a botnet, each one now has a added 30 seconds per site it hits. Greatly reducing the number of sites it can hit per hour, per day, and so on. There is also NO way the page load times can be predicted. There's no way to predict what the timer settings are for every site. So now this number becomes what, 60 seconds?

I own a paid license for the XRumer program and have it installed, and not only is there NO time adjustment on it, it also does not tell you of registration failures, much less the reason.

The thing you seem to be dismissing is, the several boards we have secured, that get NO spam at all. None.

The timer is not designed to stop the human spammer. It is also dependent on page load times. So that if a autospammer is using a really bad proxy with lots of hops, such as tor for example, load times are affected. This is why the timer setting being shortened merely helps the spammers.

The hostname blocker - ADD the hostname of spammers who get through, to the list. The lists aren't be-all-end-all they require constant addition. Post your additions here and we will add them to the lists available for download.

No one I am aware of is having any issues at all with rename register. The couple of folks who came here and had issues with it, we fixed.

We're cooking up a all-in one anti-spam mod which also takes care of the occasional human spammer that does get through, in a way that will blow your mind. Stay tuned.

And again, please PM me the link to your site.

 

[O.N.]

Hi Guy's been using the system for a couple of days I have had a couple of spammers join up i have a couple of questions.

1. in the Prevent Hostname or Useragent from Registering section i have added the Hostnames from the word doc however on the word doc there was nothing for the Useragents.....where do i get them from?

2. in the Spambot Stopper Options i noticed you guys said to hide the count down time....i cant see any option to do this i have my timer set to 35 seconds and i can see it counting down. Also in this section the only options i have selected are Minimum Elapsed Time,Show 'No Permission' page if filled out too quickly ,Force Wait for Minimum Time...should i be doing anything else here?

 

[Max Taxable]

Hi Guy's been using the system for a couple of days I have had a couple of spammers join up i have a couple of questions.

1. in the Prevent Hostname or Useragent from Registering section i have added the Hostnames from the word doc however on the word doc there was nothing for the Useragents.....where do i get them from?

You can either add the list of user agents we provide with the download, or just ignore this section of "prevent hostname" because user agents are covered in the "ban Spiders" Mod.

2. in the Spambot Stopper Options i noticed you guys said to hide the count down time....i cant see any option to do this i have my timer set to 35 seconds and i can see it counting down. Also in this section the only options i have selected are Minimum Elapsed Time,Show 'No Permission' page if filled out too quickly ,Force Wait for Minimum Time...should i be doing anything else here?

That's the 'Force Wait for Minimum Time' setting and I recommend 'no' for this. Also, for the "Action" setting, 'Action to take when the registration form is filled out too quickly,' I recommend 'Stealth (show 'Registration Complete' message but don't create user).' You don't need or want any "gotcha" messages.

I have had a couple of spammers join up

You should post their IP and User Agent strings here for adding to the appropriate lists.

 

[O.N.]

Can you pm me the list for the Useragents to block i've looked and looked and i dont have it only have the Hostnames.

As for User Agent strings how do i find out that info....all i normally do is add their IP address to my blocked IP list.....thats very long because for several years i literally let people in manually and checked every IP address 1 by 1....lol i had no idea about how to block spam.

 

[Max Taxable]

Can you pm me the list for the Useragents to block i've looked and looked and i dont have it only have the Hostnames.

Both lists are in the download link provided in the OP.

As for User Agent strings how do i find out that info....all i normally do is add their IP address to my blocked IP list.....thats very long because for several years i literally let people in manually and checked every IP address 1 by 1....lol i had no idea about how to block spam.

I do this: Always show User Agent string in Who's Online v4.2.0 and up - vBulletin.org Forum

 

[O.N.]

Both lists are in the download link provided in the OP.

I do this: Always show User Agent string in Who's Online v4.2.0 and up - vBulletin.org Forum

ahhh now i see, i have a webmaster and he has the vbulletin access not me, so i'll have to get him to do it as im not a member, i can only get the downloads from here.

EDIT: actually looks like I am a member just did a password request see if i can find it now.

 

[O.N.]

logged in but it says "You are currently showing up as unlicensed"

any chance you can pm it to me so i can do it now....either that or i will get my webmaster to do it when he is free tomorrow.

 

[Max Taxable]

It's just a simple template edit, not a mod. Here it is:

You want to see User Agent strings in WOL, for lots of reasons but I primarily use it to collect information on bad spiders and bots for adding to ban lists for same. You also want to order what you see in WOL, by most recent hit time. This is easy.

In the Navigation Manager, just change the Target URL from:

online.php{session.sessionurl_q}

To:

online.php?ua=1&order=desc&sort=time&pp=40&page=1{session.sessionurl_q}

Now when you click on "Who's Online," you get the full picture without having to mess with settings in WOL.

This changes nothing for anyone not permissioned to see IP addresses - they still won't see them or the UA they will get just the regular, same WOL page they always have. Except now the entries will be ordered by most recent to top, of course.

And.... That's it. Enjoy.


Have your 'webmaster' add your email address to his member's area and then add it to your vBorg account, and you will show as licensed.

 

[O.N.]

ok so for instance this guy is a spammer on there right now what should i do with this info:

88.80.20.220
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safar


here is another one:

37.59.132.136
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safar

 

[Max Taxable]

Ya look up the IP address here: http://whatismyipaddress.com/ip/88.80.20.220 and from that you usually get a hostname.... To add to the list. For this one it is:

cust.prq.se

How do you know these are spammers? They got registered and spammed you? The second one should not have been able to register since OVH is on the blocked hostname list.

Make sure that Mod is set to do its own IP checks, in the options.

From the user agents posted, looks like the same device being used, same OS and same version of the browser. I don't recommend blocking Chrome though.

 

[O.N.]

Ya look up the IP address here: http://whatismyipaddress.com/ip/88.80.20.220 and from that you usually get a hostname.... To add to the list. For this one it is:

cust.prq.se

How do you know these are spammers? They got registered and spammed you? The second one should not have been able to register since OVH is on the blocked hostname list.

Make sure that Mod is set to do its own IP checks, in the options.

From the user agents posted, looks like the same device being used, same OS and same version of the browser. I don't recommend blocking Chrome though.

I knew they were spammers because i could randomly see what they were looking at i then google search their IP address it usually gets a hit for stop forum spam and then i know they are a spammer. If i need to look deeper i do a who is and see what country they are from, usually india etc, since our forum is Australian based we block almost everyone from anywhere else except normal places like USA, UK etc.

 

[O.N.]

Make sure that Mod is set to do its own IP checks, in the options.

so you are saying in this section "Prevent Hostname or Useragent from Registering" i should enable "Do WHOIS"?

Just spoke to my webmaster about the useragents list he said: the user agent list was added in the ban spiders mod so essentially we don't need to do anything.

 

[Max Taxable]

so you are saying in this section "Prevent Hostname or Useragent from Registering" i should enable "Do WHOIS"?

Yes.

Just spoke to my webmaster about the useragents list he said: the user agent list was added in the ban spiders mod so essentially we don't need to do anything.

Keep in mind the difference - "Ban Spiders" does just that, blocks anything on the list and redirects it, or whatever you have it set to do. "Prevent Hostname" only blocks the registration page for those on that list. Those on that list can still browse the site. They just, can't register.