
Spammers, all of a sudden?

I've been using Vanilla Forums for about 5 months now, and I haven't had any problems with spammers till about 2 weeks ago. All of a sudden they popped up, and every couple of days they'll just spam like crazy and take over the "recent discussion" page.

Has anyone else had this problem? And how would I stop it?


Comments

  • Linc Detroit Admin

    Use the Akismet & Stop Forum Spam addons, and lower the thresholds for the latter in its settings. If some still get thru, try the Approval registration method.

  • Hi, same problem here.
    They register with a yahoo/hotmail address and with a username like LETTERnickname : Gjordan, Lnicky...
    Even with the Security Check at the registration.

  • peregrine MVP
    edited May 2014

    In addition to what linc said....

    try the Approval registration method.

    and check the reason for joining to stop suspicious applicants.

    in vanilla 2.1 you can also use captcha and approval.

    or
    http://vanillaforums.org/addon/botstopapproval-plugin

    or
    http://vanillaforums.org/addon/botstopapproval

    to filter and delete Applicants use this plugin
    http://vanillaforums.org/addon/cleanser-plugin or the BulkEditor plugin

    to filter and restrict login attempts, use the
    http://vanillaforums.org/addon/registrationrestrictlogger-plugin

    to filter capabilities of an applicant
    remove permission in that role for viewing activity and profile.

    http://vanillaforums.org/discussion/24785/poll-which-registration-method-and-plugins-do-you-use-to-deter-spammers-and-their-efficacy

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc Detroit Admin
    edited May 2014

    Make sure you have "Require users to confirm their email addresses" checked under registration and that your Unconfirmed role (or whatever yours is set to be right below that) is set to not have any 'Add' permissions.

    If they have to confirm their email address, you can keep cranking the Stop Forum Spam settings lower until it stops. My Stop Forum Spam thresholds are typically 3, 5, 15, 20.

  • Seraf New
    edited May 2014

    My problem isn't the spam itself. I have a lot of bots who register but don't confirm their mail.
    I have the captcha enabled on Vanilla 2.1.
    I use social login too (Facebook + Twitter + OpenID) (Google doesn't work :() but many of the bots seem to register with a Yahoo address.
    Sometimes, one of the bots is a member, so he has confirmed the mail, but it's rare.

    Seems a bit weird to have to install a plugin to prevent bots from registering.

    Any clue ? I didn't have any bot until the upgrade to 2.1

    If it can help, here's the log :
    69.12.67.230 - - [18/May/2014:06:16:37 +0000] "GET /index.php?p=/entry/register&Target=discussions HTTP/1.1" 200 3468 "http://forum.lisa-project.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    69.12.67.230 - - [18/May/2014:06:16:39 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3595 "http://forum.lisa-project.net/index.php?p=/entry/register&Target=discussions" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    94.23.156.152 - - [18/May/2014:06:16:40 +0000] "GET /index.php?p=/entry/register HTTP/1.1" 200 3464 "http://forum.lisa-project.net/index.php?p=/entry/register" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    94.23.156.152 - - [18/May/2014:06:16:40 +0000] "GET /index.php?p=/entry/register&Target=entry%2Fregister HTTP/1.1" 200 3468 "http://forum.lisa-project.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    94.23.156.152 - - [18/May/2014:06:16:42 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3589 "http://forum.lisa-project.net/index.php?p=/entry/register&Target=entry%2Fregister" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    69.12.67.230 - - [18/May/2014:06:16:43 +0000] "GET /index.php?p=/entry/register HTTP/1.1" 200 3464 "http://forum.lisa-project.net/index.php?p=/entry/register" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    69.12.67.230 - - [18/May/2014:06:16:43 +0000] "GET /index.php?p=/entry/register&Target=entry%2Fregister HTTP/1.1" 200 3468 "http://forum.lisa-project.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    69.12.67.230 - - [18/May/2014:06:16:46 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3595 "http://forum.lisa-project.net/index.php?p=/entry/register&Target=entry%2Fregister" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    173.0.60.208 - - [18/May/2014:06:16:47 +0000] "GET /index.php?p=/entry/register HTTP/1.0" 200 11620 "http://forum.lisa-project.net/index.php?p=/entry/register" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    173.0.60.208 - - [18/May/2014:06:16:48 +0000] "GET /index.php?p=/entry/register&Target=entry%2Fregister HTTP/1.0" 200 11651 "http://forum.lisa-project.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
    173.0.60.208 - - [18/May/2014:06:16:56 +0000] "POST /index.php?p=/entry/register HTTP/1.0" 200 11843 "http://forum.lisa-project.net/index.php?p=/entry/register&Target=entry%2Fregister" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"

    Cheerz
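
In the log Seraf posted, every client submits the registration form two to eight seconds after fetching it. The following is an added example (not code from any poster or from Vanilla) that flags that pattern in a combined-format access log; the 10-second threshold, the function names and the sample lines are assumptions made here.

```python
import re
from datetime import datetime

# Combined-log-format prefix: client IP, timestamp, method, path.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
REGISTER = "p=/entry/register"  # registration route as it appears in the thread's log

# Constructed sample lines (documentation IP ranges, shortened referrer and user agent).
SAMPLE = [
    '192.0.2.10 - - [18/May/2014:06:16:37 +0000] "GET /index.php?p=/entry/register HTTP/1.1" 200 3468 "-" "UA"',
    '192.0.2.10 - - [18/May/2014:06:16:39 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3595 "-" "UA"',
    '192.0.2.10 - - [18/May/2014:06:16:40 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3595 "-" "UA"',
    '198.51.100.7 - - [18/May/2014:06:20:00 +0000] "GET /index.php?p=/entry/register HTTP/1.1" 200 3464 "-" "UA"',
    '198.51.100.7 - - [18/May/2014:06:20:48 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3589 "-" "UA"',
    '203.0.113.5 - - [18/May/2014:06:21:00 +0000] "POST /index.php?p=/entry/register HTTP/1.1" 200 3595 "-" "UA"',
    '198.51.100.7 - - [18/May/2014:06:22:00 +0000] "GET /index.php?p=/discussions HTTP/1.1" 200 9000 "-" "UA"',
]


def parse(line):
    """Return (ip, timestamp, method, path) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def fast_submitters(lines, min_fill_seconds=10):
    """Map client IP -> list of delays (seconds) between the form last being
    served to that IP and a registration POST, for delays under the threshold.
    A delay of None means the POST arrived without the form ever being served."""
    last_served, flagged = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None or REGISTER not in rec[3]:
            continue
        ip, ts, method, _ = rec
        if method == "POST":
            seen = last_served.get(ip)
            delay = (ts - seen).total_seconds() if seen is not None else None
            if delay is None or delay < min_fill_seconds:
                flagged.setdefault(ip, []).append(delay)
        # A GET serves the form; a POST response re-renders it on validation errors.
        if method in ("GET", "POST"):
            last_served[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, delays in fast_submitters(SAMPLE).items():
        print(ip, delays)
```

Treat the output as a review list rather than a verdict: several people behind one NAT address or a browser autofill can also produce short delays.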

  • peregrine MVP
    edited May 2014

    seraf said:
    Any clue ? I didn't have any bot until the upgrade to 2.1

    what is your goal?

    do you not like the approval process of registration?
    do you want to stop people from registering with yahoo e-mail addresses?
    do you want to stop people from those ip addresses?
    do you not like plugins?
    are you married to captcha?
    how are you differentiating from a bot automating registration vs. a person registering?

    what is the reason for joining from most of the spammers?

    you seem like you don't want to have a specific question during registration asked specifically for your forum? as used in the botstop plugins.

    or are you just posting a beef about vanilla not having options in the core?

    you need to ask yourself and answer these questions? and then specifically state what you want to do with specifics.

    do you feel that installing vanilla 2.1 caused bots to be attracted to your site, or is it a merely a coincidence and a spurious correlation.

    and then state specifically what you want to do, there have already been several discussions and plugins dealing with registrants, if you don't want to use them because they are plugins, that is your decision.

    is the goal to use captcha or to block spam applicants. which is more important to you?

    http://vanillaforums.org/discussion/24785/poll-which-registration-method-and-plugins-do-you-use-to-deter-spammers-and-their-efficacy

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @peregrine‌ I wasn't complaining about Vanilla ...
    About my forum, it's just a fact : I ran the 2.0.18 during more than one month without any bot, and since I upgraded to 2.1, I have 1 or 2 bots who register per day. Sometimes they are confirmed members, and sometimes unconfirmed. When they confirm, they spam on discussions.

    I thought the captcha used in the registration form was strong enough to stop bots. That's why I posted my message above, to know if someone else has the same problem.
    I think spam/security is a very important feature and should be merged in the core, that's why I was asking if a plugin was needed.

    So I will need to add a question for bots.

    Thanks for answers anyway

  • Double check the permissions. They can get corrupted, especially if people import rather than upgrade.

    grep is your friend.

  • peregrine MVP
    edited May 2014

    @Seraf said:
    peregrine‌ I wasn't complaining about Vanilla ...
    About my forum, it's just a fact : I ran the 2.0.18 during more than one month without any bot, and since I upgraded to 2.1, I have 1 or 2 bots who register per day. Sometimes they are confirmed members, and sometimes unconfirmed. When they confirm, they spam on discussions.

    I thought the captcha used in the registration form was strong enough to stop bots. That's why I posted my message above, to know if someone else has the same problem.
    I think spam/security is a very important feature and should be merged in the core, that's why I was asking if a plugin was needed.

    So I will need to add a question for bots.

    Thanks for answers anyway

    for preventing applicant registration of bots

    A lot of people have been happy with the botstop (botstop approval) that have a specific question that is a bit tough.

    and the registration restrict logger can help as well.

    I know some folks do this with great success.

    they don't use confirm e-mail registration or captcha.

    they use botstop approval and registration restrict logger with approval registration.

    If you use approval registration:
    as far as humans who want to register, some people look at the reason for joining, if the email or reason for joining is questionable. They send out a personal e-mail. If they don't get a reasonable response in a day or so they don't approve the applicant.

    it all depends where you want to spend your time (personal approval of applicants so to speak) or deleting spammers.

    I have never used or looked at the plugins below. but some people like them as well.
    As far as spammers, spamming your forum discussions. I think the akismet and stop forum spam help there).

    You will note this forum as well as spammers, so it happens.

    I don't think there is one size fits all. You apply what you need depending on your problem.

    Everybody has a different approach to solving things.

    Just my gut feeling - there would not be so many downloads of the cleanser plugin - if few people had spammers, so it is a fact of life as you know.

    Miscreants will attempt to break into sites, launch DOS attacks, and spam things so they become unusable.
    or try to register as admin or root and try to break into your forum or wordpress or anything you've got.

    you can also stop spamming of applicants by restricting what applicants are allowed to do on activity page, wall, etc.


    also.

    What type of spam do unconfirmed email members create on your forum???

    if they create any spam (aside from the act of registering), then you can tighten up permissions. or if you ported as x00 says - you may have introduced some problems.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlinder Papillon-Sauvage MVP

    I think BotStop and BotStop approval are the best specially if you make the question hard enough to have to google the answer.

    It is great for Bots and Bot-People (those who spam like Bots).

    Have not had any spam since I started using it.

  • Hi, I am no longer a Vanilla user, so I hope you won't mind my coming into this discussion. I have been a member of this forum for 8 years and I used to be active back then. I had a small Vanilla forum for many years, as part of a larger website. It wasn't used much, just providing visitors with the opportunity to make a comment.

    After about 6 years of satisfactory use, I was suddenly hit with spammers by the literal hundred. I cranked up my spam protection, but that left me with hundreds of applications to deal with each week, for very little genuine traffic. But I didn't want to crank up the barriers to joining too much, for it wasn't a long term community (where that isn't a barrier) but just a way to allow visitors to comment. In the end, I found it all too much work and I closed the forum. For I had an alternative.

    I also had a Wordpress blog integrated into the web site, and Wordpress has a killer anti-spam app called "WP Captcha Free", which works (as much as I understand it, which isn't much) by identifying bots by their behaviour that is different to humans - the time they take to write a response, the IP address they come from, etc. It seems to work perfectly. So I simply set up some comment pages as part of the Wordpress segment, and I have spam free comments without any vetting on my part. After two years, it really does seem to be "set and forget".

    I have asked before whether the same approach would work for Vanilla, and I'm not sure if it won't, or just that no-one has tried it yet.

    I would like to use Vanilla again one day, but I'll need to resolve this spam problem. I can't tell from the discussion here if my problem has been solved, or hasn't. Is Botstop the answer to what I want (i.e. does it do similar to WP Captcha Free?) or does it still require a lot of maintenance to delete identified spammers? I'm not sure if Akismet is the answer either. I think it would make things so much easier if the documentation could include some explanation of the anti-spam add-ons and what is considered best anti-spam practice. I realise this is a voluntary forum and community, and anything like this requires goodwill and time as well as knowledge. So it's just a suggestion.

    Thanks for the opportunity to express this view.

  • peregrine MVP
    edited May 2014

    as far as I can see captcha-free has nothing to do with applicants or approval, it deals with comments.

    correct me if I am wrong.

    I feel there is no need to express what I already expressed in terms of what plugins I found effective for each spam problem, since I have stated it before. Best thing for anyone to do is try the suggestions and report back, and then attempt to follow counter suggestions based on issues. Some people find the solutions effective, some people don't want to do things a certain way, to each his own - problems as well as solutions.

    Many of the issues are the belief that captcha is infallible, some people may not want approval registration, and some people haven't set up their permissions effectively.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlinder Papillon-Sauvage MVP

    yes and I use a similar plugin to botstop in WP and works very well. I get 2 spam a year.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    @ercatli‌

    It may not all be in one place, but there are a high number of threads relating to Spam, with differing suggestions as to what works.

    On our forum, using BotStop (with Approval modification) with Registration Restrict Logger has stopped virtually all spam applicants.

    I (and others) have posted this quite a few times.

    For those who complain about spam, who haven't tried this combination, well, what can you say?

  • Hi everyone, thanks for responses.

    1. I don't understand enough to know whether the difference between applications and comments, but I would have thought allowing open forum posts would have been the same as blog comments. (I would prefer to have open posting rather than applications and joining because I want to use the Vanilla forum more or less as a place for occasional comments.)

    2. My problem with understanding the various comments on spam and anti-spam add-ons is that I just don't know enough. That is partly because I don't visit this forum so much these days, but I think I would have found it difficult even when I was more regular. I will look further at Botstop + RRL, as you suggest whu606, but my "problem" is that I no longer have a forum to try it on. My questions are trying to help me see if I think there is enough certainty about anti-spam that it is worthwhile to set up a new forum now.

    Thanks again, I will continue to look and see.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    @ercatli‌

    All I can say is:

    Botstop unmodified was doing a great job, and then suddenly we got a slew of spambot applicants.

    Taking advice on here, and thanks to the efforts and generosity of @peregrine, using the modified Botstop and RRL, they are pretty much history.

    I can't assure you that you would have the same experience, but I also can't really see why you wouldn't.

  • OK thanks for your reassurance.

  • shumoo New
    edited May 2014

    I'm late to the discussion here so you may have already chosen a solution.

    I found that I had only 2 types of bots on my site. The first would get to the confirm email screen with captcha and would fail to confirm their email address. The 2nd would confirm their email address but have obvious text in their "why do you want to join us" field.

    Here's what I did to basically negate all maintenance needed to deal with spammers.

    1. Turn on Confirm email
    2. Turn on Approvals
    3. Enable Captcha
    4. Write a backend query to identify all users in the confirm email role who have not confirmed their email within X hours (I use 24 for a small site). Add ban records for those email addresses and delete the users from the user table. Message me for more details on this if you're interested.
    5. Install and enable BotStopApproval - this addon asks a human question of your choice (2 choices actually but only 1 is posed to the user) and a basic word/arithmetic question. You need approvals turned on to use this.
    6. Enabled approvals for a new Vanilla Role I created and added veteran/trusted users to it.

    Like I said earlier, it's a fairly private site with only about 3k views a day. This may not be a scalable solution but I don't have to touch a thing anymore whereas before I was spending at least an hour a day managing spam/users. I spend maybe an hour every 2 months now reviewing applications for membership which all appear to be people and not bots.
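
Step 4 of shumoo's list is described but not shown. The following is an added sketch of that clean-up job, not shumoo's query and not Vanilla's schema: SQLite stands in for the forum database, and the `user` and `ban` tables, their columns and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical, simplified tables; map them onto your forum's real schema.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL,
                   confirmed INTEGER NOT NULL, date_inserted TEXT NOT NULL);
CREATE TABLE ban (ban_type TEXT NOT NULL, ban_value TEXT NOT NULL,
                  UNIQUE (ban_type, ban_value));
"""


def purge_unconfirmed(conn, now, max_age_hours=24):
    """Ban the e-mail address of, then delete, every user who is still
    unconfirmed max_age_hours after registering. Returns the purged addresses."""
    cutoff = (now - timedelta(hours=max_age_hours)).isoformat()
    with conn:  # one transaction: a failure rolls back both the bans and the deletes
        rows = conn.execute(
            "SELECT user_id, email FROM user "
            "WHERE confirmed = 0 AND date_inserted < ? ORDER BY user_id",
            (cutoff,),
        ).fetchall()
        # Write the ban first so the address cannot re-register between steps.
        conn.executemany(
            "INSERT OR IGNORE INTO ban (ban_type, ban_value) VALUES ('Email', ?)",
            [(email,) for _, email in rows],
        )
        conn.executemany(
            "DELETE FROM user WHERE user_id = ?", [(uid,) for uid, _ in rows]
        )
    return [email for _, email in rows]


def demo():
    """Run the purge over three constructed users and return what changed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    now = datetime(2014, 5, 20, 12, 0, tzinfo=timezone.utc)
    users = [  # constructed sample rows
        (1, "old-unconfirmed@example.com", 0, now - timedelta(hours=30)),
        (2, "new-unconfirmed@example.com", 0, now - timedelta(hours=2)),
        (3, "old-confirmed@example.com", 1, now - timedelta(hours=300)),
    ]
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?)",
        [(u, e, c, d.isoformat()) for u, e, c, d in users],
    )
    purged = purge_unconfirmed(conn, now)
    remaining = [r[0] for r in conn.execute("SELECT email FROM user ORDER BY user_id")]
    bans = [r[0] for r in conn.execute("SELECT ban_value FROM ban")]
    return purged, remaining, bans


if __name__ == "__main__":
    print(demo())
```

The timestamp comparison relies on every `date_inserted` value being stored in the same ISO 8601 form and time zone; a native datetime column removes that constraint.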

  • peregrine MVP
    edited May 2014

    @shumoo
    I'm glad you are using the BotStopApproval and it works for you.
    you said you were using BotStopApproval plugin which I wrote. I've been trying to get feedback if it works with captcha enabled and for what version of vanilla. I also have written registrationrestrictlogger. Would you be interested in testing a few options with me? So I might add more options. I am unable to test things with captcha and various email configs on my localhost. That is why I am asking and wondering if you want to test a few things. If so, pm me please. And if you do use botstopapproval plugin, can you add some feedback under the plugin, there as to what configuration you are using, and works for you. (e.g. approval or captcha) and the config settings in config.php related to registration you are using (not the botstop questions :)).

    The good thing about registration restrict logger is it will keep the number of applicants to a minimum if you use it properly and won't bloat your user table with deleted users, and if you delete users from the users table you would probably want to optimize your user table frequently since a large number of deletions may impact it (I seemed to have read that deleting large number of records can cause issues if you don't optimize, but I can't prove it).

    I may be able to improve some things with a conscientious and alert tester.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • x00 MVP
    edited May 2014

    This probably warrants a discussion on its own, but I'd happily develop a comprehensive anti-bot plugin with a nice interface, if people fork up the money.

    As far as bot registration goes, there are broadly three games in town:

    1. The numbers game (put the maths on your side)
    2. The unfamiliarity game, be obscure, different, variable.
    3. The taxing game, make multiple registrations more expensive in terms of resources and time.

    I exclude white/black list as these are not general solutions, but additional measures and as central spam checking which is beyond registration.

    The only true non-human tests are those that do the first; however, many captchas just don't play the numbers game very well, and people don't know the difference, so consequently they can be cracked by brute force alone.

    Contrary to popular belief, reCAPTCHA does actually, in general, play the numbers game quite well. But being popular means there is more effort toward finding weaknesses and exploits.

    I really like this idea

    http://research.microsoft.com/en-us/um/redmond/projects/asirra/

    Which plays the numbers game really well (and provides a good explanation).

    A good way to stop bot registrations is to use a combination of 1 with 2 and or 3.

    Asking some randomized question that only your core audience would know. Being a moving target can help and relates to 3 as well as 2.

    An example of 3 would be SMS based registration. It is not impossible but more taxing to set up many mobile numbers, where the bot would need to get the confirmation code.

    No offense to BotStop but it doesn't do 1, and doesn't play 2 sufficiently well and is not 3. It is pure chance that the spammers haven't caught up.

    grep is your friend.
