Jan 2013 forum updates/maintenance log & SPAMMER BOT actions


TOPIC merged w/ topic in general forums.

Got several email notifications from members alarmed by the recent spammer bot invasion and am looking into helping.

The issue is the ease with which a bot can register, become an instant member, and immediately start posting spam!

I don't have access to the required board systems to make those kinds of changes.
(Admin > System > System settings). So Greg will have to set this up or will have to get in touch w/ him. I can't temp turn off registration nor change the current question atm.

... to be continued. Post comments/suggestions

EDIT:
LindaS just informed me that she doesn't appear to have the ability to flag a user as a spammer. This auto bans/auto deletes the member's account and ALL content which is a quick and easy way to fight spam bots. But I also don't seem to have permissions to update/modify Member groups as well. So will have to hold up on that as well.

Link to comment
Share on other sites

To everyone on this site. We are being deluged with spam postings. I have been deleting them for an hour and they come as fast as I can delete them. Warning the IP address is Russian and if you click on any link it will be a virus. The worst kind of virus and very hard to get rid of. It is a key reading virus that will be able to see every keystroke you make. Passwords, bank statements. Do not take a peek for any reason. Our spam blocker has completely broken down and I can't sit here all day. Steve the message you left about these spammers in the news section asks for suggestions but no replies are possible in that posting. Please correct it so people can give you some ideas about how to stop this.

Linda S

Link to comment
Share on other sites

It would be a good idea to look at the recent status updates and don't click on any names that look fishy.

Link to comment
Share on other sites

Warning the IP address is Russian and if you click on any link it will be a virus.

This isn't the first time you have had to deal with virii on your site. It happens consistently. Passing virii to your users is irresponsible.

The Cure:

1. Shut your site down now.

2. Cease and desist doing business with GoDaddy.com.

3. Cease and desist using IP.Board Forum Software. They are totally incompetent with regards to internet security. This is actually THEIR problem to begin with.

If any of the above tough love solutions are not doable due to cost or labor considerations see #1.

Again. Passing virii to your users is irresponsible.

Link to comment
Share on other sites

This is not my site. I am just the babysitter. The most I can do is warn you and put the offenders in temporary detention. Hopefully the owners will find a solution to the problem. This site is a great resource and has tons of information and if a new home is necessary I'm sure it will take time. In the meantime just don't click on the obviously suspicious links and everything will be fine. We are in luck. Their English sucks so they are easy to pick out.

Linda S

Link to comment
Share on other sites

We gotta do something about this bot issue asap before it gets any worse. We can expect 100+ new registered users a day here soon. Gotta turn off registration completely right now and come up w/ a new process.

I talked w/ some buddies and they all agreed that image captcha is near worthless these days. Spam bots are only getting better at filling in registration forms and reading images. A strong security question that is unique (*read below for an idea) seems to be the only method.

Our current question with the key words "president" and answer "Obama" is pretty poor. Was something to come up with at the moment as our previous arithmetic question was compromised. Integer answer is a poor string. But "Obama" is a poor string as well.

Here's the best route:

*Security question:

Place a slogan w/ a unique word in the banner. The banner is an image. There are no text characters etc to read. And unlike image captcha, it is not displayed on the registration page (which is key). Bots are only scanning images on the registration page for captcha NOT outside the page. This makes it easy for the users to "find" the answer as it will be in the banner clear as day. Bots will have no clue.

EDIT:

Here's a website (A programming site nonetheless) that uses this banner concept.

Check it out, try and register there!

http://board.phpbuilder.com/index.php

Here's their logo/banner:

post-385-0-89201300-1357842002_thumb.jpg

And here's their security question:

Q: Fill in the blank, from the forum logo:

PHP

" _______ sharing knowledge since 1999"

And their answer "php developers" is a complex string containing spaces etc. No bot will brute force that.

We need to come up w/ something simple like that as well.

Toyota Motorhomes

"Sharing knowledge since XXXX"

Q: Fill in the blank according to our site logo:

Toyota Motorhomes

"Sharing knowledge _______"

Answer:

"since XXXX"

Link to comment
Share on other sites

http://toyotamotorho...view=getnewpost

This would solve this issue once and for all. Please read and offer feedback/comments if you get a free moment.

I don't have access to the boards as needed. I only have semi-admin permissions, but have started a conversation w/ Greg, Linda, Derek, and John and hopefully Greg will respond here soon. All this can be taken care of pretty easily.

Link to comment
Share on other sites

So do you guys think it might be a bad idea to send them a message in Russian? I'm getting so tired of this I feel like I need to take out my aggression somewhere. Deleted like 100 posts and topics today. Oh and it would not be a nice message at all. I can swear with the best of them and easy to translate on google.

Linda S

Link to comment
Share on other sites

I must have deleted 40 of his posts in a little over an hour.
Deleted like 100 posts and topics today
All of us members really appreciate your efforts! Thnx.... But I'm afraid it's a lost cause at this point. You'll soon be overwhelmed as this will only be compounded as more and more bots get through. You are no match for a computer that can process millions and millions of instructions 24 hours a day, 7 days a week. You'll lose, and it's not worth it to even try at this point.

Cheesy Analogy: :)

We need to fix the hole in the fence, kick out all the dogs that are using our backyard as a bathroom, and then go about cleaning up the mess they've already left. Otherwise, we'll just be cleaning up after the same dogs forever.

I will call Greg tonight (in a few hours) Let him get a chance to get home and eat dinner.

This will be taken care as soon as I get a hold of him. All these bots will be gone and no new ones will get through the new registration system proposed.

Link to comment
Share on other sites

Thnx John. Tho don't spend too much time on the issue. You guys shouldn't have to be doing this.

Steve the message you left about these spammers in the news section asks for suggestions but no replies are possible in that posting. Please correct it so people can give you some ideas about how to stop this
Just now reading this. Ok will look into. Might have enough access to be able to fix that right now.

Edit:

That forum's permissions have now been updated. Did have access to that. Now members can reply to topics there, but can't create/start new topics. Probably what Greg had planned, but just missed/forgot to add reply permission.

Also, I just left a message w/ Greg's cell

7:30 pm our time.

Link to comment
Share on other sites

Here is an update for everyone.

bajadulce accidentally deleted all of us (users) from the site last night. So presently the site is offline. I have not been able to restore the paths to any of the images for the gallery or profiles. I am working with Invision Power Services on getting everything straight. Once things are back in order I and Invision will address the spammer problems.

Link to comment
Share on other sites

In Steve's defense he had spent hours deleting and banning all the spammers who had crashed our site and it was late and he just hit the wrong key. Big mistake but I'm sure everything will be fine soon. Thanks Greg

Linda S

He gets a free "I made a mistake" pass today 'cause it's his birthday.

Link to comment
Share on other sites

I lay no blame, sorry if it came across that way. It happens and I have a few notches on my belt from similar accidents. Anyhow Invision seems to have dropped me from the Q. I will rattle their cage again. The topper today was shortly after getting Steve's message my main PC gave the blue screen of death. It's still dead with no recovery in sight. I then had to scramble off to work and find small slivers of time to figure out what was up. The users have been restored, not sure why the paths to all the images have gone bonkers. And Happy B-Day Steve. Don't worry it will all work out. Thank you everyone for helping with the site. My time is limited for the weekend as my wife's purse got stolen last weekend and we are still dealing with that. I am working presently from an 11 inch laptop screen until I get my main PC back alive.

Link to comment
Share on other sites

OK here is an update. Invision and myself have done a thorough search of the files on the server. It appears that deleting the users also deleted the images. I will ask godaddy if they can restore the boards folder to whatever point in time they have. Any backups I will have are on my PC that will not boot.

Link to comment
Share on other sites

Yep.. It was one of those OH CRAP moments to be sure!

The sad part of all this is that I had spent a good chunk of time doing a slew of maintenance and was for the most part DONE for the evening.

if interested:

* temp Halted registration.

* Banned about 300+ members that had been flagged as spammers by either the 3 moderators or myself over the course of the past 6+ months

* banned/flagged as many spammers as I could find out of the Jan5-Jan11 pool of registrants. Something like 100+ new registrants during this short time period. Almost ALL being spambots that are now "restored"... need to send them packing.

* updated a few forums so that the permissions were correct (i.e. nobody could respond in News, donations, and a few other missing permissions)

* created a "moderator group" that had global power rather than just assigning to "forum" duty. i.e. now they could actually BAN spammers and/or flag members as spammers.

* threw together a quick banner updated from the ancient "artwork contest" we had a few years ago. One of the submissions had a funny slogan that was used as "something" for now.

* turned registration back on w/ an updated security question related to this banner and the silly slogan.

* merged a couple of the forums @ bottom of list together to possibly help organization. The News and Forum help being brought together as 1 for example.

And everything was set! The hole was fixed. The majority of the bots were chased out and had been deleted (had been extra careful w/ my filters and the delete button). We were good to go...

And then just as was about to exit, saw what was clearly a bot that I had missed. Rather than just flag it as a spammer or let the new moderator group test drive their new permissions, I decided to just purge him as I had done earlier that night. It was late, I was tired, and the prune filters weren't what I thought they were... BOOM! And I had no backup of the gallery folder nor the avatar folder. I had played w/ fire 1 too many times w/o a backup and lost... and now it was time to go to bed dejected... It was then, that I realized it was 1:30 AM and just happened to be Jan11th, my birthday. :)

The main issue right now is getting all those new registered users from Jan5-Jan11th (registration is off right now) flagged as spammers asap. Maybe only a handful of that group is legit and is pretty obvious. So that would be the first order of business again.

EDIT/UPDATE:

I'm going to head back into the ADMIN panel and try to take care of some of this stuff I mentioned above. Just as an example, take a look at this ONE page. There are nearly 5 pages just like this one = representing members joining between Jan5-11th. I've circled a single member that is legit.

post-385-0-55967900-1358056798_thumb.png

The PINK represents members that have been flagged by you moderators as spammers. The rest have an open invitation to post crap all they want. So this time rather than delete these guys and risk screwing up, am simply going to quarantine them to the banned group as per Greg's suggestion (we can deal w/ them another time if needed). You moderators will be able to do the same @ the forum level here soon as well.

IF a legit member who signed up during this short interval gets "banned" I apologize. I am looking out for obvious usernames/email addresses, but likely I will mistake an unusual member name as a bot.

Link to comment
Share on other sites
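An added example, not part of the original post and not IP.Board code: the quarantine-instead-of-delete approach described above, with a dry-run preview, a cap on how many accounts one filter may touch, and an undo path. The table names, group ids and member rows are assumptions constructed for illustration.

```python
import sqlite3

MEMBERS, BANNED = 3, 5  # hypothetical group ids, not IP.Board's real ones

def sample_db():
    """In-memory member table with constructed rows (not real forum data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT,
                              joined TEXT, group_id INTEGER);
        CREATE TABLE quarantine_log (member_id INTEGER, old_group INTEGER);
    """)
    rows = [
        (1, "longtime_owner", "2009-06-02", MEMBERS),
        (2, "rally_regular",  "2011-03-15", MEMBERS),
        (3, "bot_account_a",  "2013-01-06", MEMBERS),
        (4, "bot_account_b",  "2013-01-08", MEMBERS),
        (5, "new_legit_user", "2013-01-09", MEMBERS),  # the one real signup
        (6, "bot_account_c",  "2013-01-10", MEMBERS),
    ]
    db.executemany("INSERT INTO members VALUES (?,?,?,?)", rows)
    db.commit()
    return db

def candidates(db, start, end, keep_ids=()):
    """Regular members who joined in [start, end], minus a reviewed allowlist."""
    keep = set(keep_ids)
    cur = db.execute(
        "SELECT id, name FROM members "
        "WHERE joined BETWEEN ? AND ? AND group_id = ? ORDER BY id",
        (start, end, MEMBERS))
    return [(i, n) for i, n in cur if i not in keep]

def quarantine(db, start, end, keep_ids=(), max_expected=10, dry_run=True):
    """Move matching members to the banned group; never deletes a row."""
    hits = candidates(db, start, end, keep_ids)
    if len(hits) > max_expected:
        # A filter that matches far more than expected is the failure mode
        # to catch before anything is written.
        raise ValueError(f"filter matched {len(hits)} members, "
                         f"expected at most {max_expected}; refusing")
    if dry_run:
        return hits  # preview only, database untouched
    with db:  # one transaction: commit on success, roll back on error
        for member_id, _ in hits:
            db.execute("INSERT INTO quarantine_log VALUES (?, ?)",
                       (member_id, MEMBERS))
            db.execute("UPDATE members SET group_id = ? WHERE id = ?",
                       (BANNED, member_id))
    return hits

def restore(db, member_id):
    """Undo a quarantine for a member who turns out to be legitimate."""
    row = db.execute("SELECT old_group FROM quarantine_log WHERE member_id = ?",
                     (member_id,)).fetchone()
    if row is None:
        return False
    with db:
        db.execute("UPDATE members SET group_id = ? WHERE id = ?",
                   (row[0], member_id))
        db.execute("DELETE FROM quarantine_log WHERE member_id = ?",
                   (member_id,))
    return True
```

Because the write path only changes a group id and logs the previous one, a mistaken match costs one `restore` call rather than a restore from backup.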

The aforementioned maintenance items have been taken care of again and hope the boards see a dramatic reduction in spam bots.

As you can see, the banner w/ the silly slogan has been reuploaded. The artwork as well as the slogan are from this ancient thread. Nothing is set in stone, but it is something. The registration answer is contained in that slogan and thus makes up a complex and unique string.

Please don't hesitate to offer a better slogan or upload artwork you'd like to consider for that matter. :)

Registration is still OFF atm. The banner is displayed on the registration page and would like to change that, but I'm too tired and don't want to screw something up. Tho I doubt bots could string those words together even if it was right in front of their face. Bots are definitely scanning images on the registration page tho and why test them!

Link to comment
Share on other sites

I love the slogan "Moving at the speed of Parked" Fits perfectly :-)

Thanks for all your work. this is a valuable resource and would hate to see anything happen to it.

John Mc

88 Dolphin 4 Auto

Link to comment
Share on other sites

Here is an update. There are over 7000 directories in the uploads folder. Still trying to get the upload dir restored. It's so big that it keeps timing out and stalling. GoDaddy has no way to directly restore it. I can through the history archives. As it looks I will have to go through each dir to restore. So that said unfortunately the logo change Steve has done might and probably has gotten overwritten. So be patient until I get this done.

I am also trying to get my main PC back working. It changed the partition letters of the boot drive. The C drive is now D and of course it will not boot.

I am working on the board using a small laptop, with tons of disruptions from outside sources.

Link to comment
Share on other sites

Looks the same, but "they" are all gone.

Link to comment
Share on other sites

I was apprehensive about the registration page displaying the banner (should not be seen on registration page), but would need access to the .php files on the server to do anything about that. That prob is overkill tho. I see only 2 members have registered since the new banner password system in the last 4 days as opposed to 35+ daily new bots that were pouring into the forums! Need to keep monitoring tho, as there are no other steps in the process of becoming a member.

There are a few things still "broken" on the site, and some things that might be improved on, but overall seems to be good.

For instance, would be nice if instead of the facebook sidemenu portal wasting valuable sidebar real estate, a menu that automatically displayed any new thread in the Rally forum (sort of a news portal) would be a nice feature and a way to get a little more attention/heads up for the advertised event.

A sidebar feature that displayed the 5 most recent posts in all the forums would be useful as well. The current "status" update window/bar is somewhat annoying as ppl aren't using it as intended. Rather replace it w/ the aforementioned idea. Has anyone noticed that I axed the "Calendar"? :glare:

Link to comment
Share on other sites

one thing that i've noticed is i don't seem to be actually signing out. it acts like i have but when i got to the link to sign in it doesn't ask me to sign in and at the top right my choice is to sign out instead of sign in and i can access everything without signing in as such. i will try changing my password then come here again and see what happens. anyone else having the same experience?

Link to comment
Share on other sites

Randy, log out then immediately try to log in and check to see if the little box "remember me" is checked or not @ the login page.

dunno. Cookies might not have been working properly before and now are w/ the IPB update.

Link to comment
Share on other sites

one thing that i've noticed is i don't seem to be actually signing out. it acts like i have but when i got to the link to sign in it doesn't ask me to sign in and at the top right my choice is to sign out instead of sign in and i can access everything without signing in as such. i will try changing my password then come here again and see what happens. anyone else having the same experience?

Check to see if your browser is entering your user name and password for you. Mine does.

I was apprehensive about the registration page displaying the banner (should not be seen on registration page), but would need access to the .php files on the server to do anything about that. That prob is overkill tho. I see only 2 members have registered since the new banner password system in the last 4 days as opposed to 35+ daily new bots that were pouring into the forums! Need to keep monitoring tho, as there are no other steps in the process of becoming a member.

There are a few things still "broken" on the site, and some things that might be improved on, but overall seems to be good.

For instance, would be nice if instead of the facebook sidemenu portal wasting valuable sidebar real estate, a menu that automatically displayed any new thread in the Rally forum (sort of a news portal) would be a nice feature and a way to get a little more attention/heads up for the advertised event.

A sidebar feature that displayed the 5 most recent posts in all the forums would be useful as well. The current "status" update window/bar is somewhat annoying as ppl aren't using it as intended. Rather replace it w/ the aforementioned idea. Has anyone noticed that I axed the "Calendar"? :glare:

I am OK with turning all that stuff off. No one used the calendar. As far as the status it just seems that it was being used to ask questions.

Link to comment
Share on other sites

Looks good w/o that facebook and status update menu.

Will have to upload a picture of what was referring to about building a "recently updated Toy Rally" block for the sidemenu where the calendar, facebook, and status update used to live.

post-385-0-90119100-1358983627_thumb.jpg

@ Logo/Banner.

I like yours as well :)

the logo from the art contest is still there (on the IP.Board skin which is no longer the "default" one. You could just right-click "save picture as" and then add it to the "default" one. Personally I like the IP.Board skin slightly over the "blue" default one just because it is lighter overall. Tho the rich blue is nice too and it all just comes down to individual tastes).

post-385-0-88867900-1358983598_thumb.jpg

Looks like you have a few experimental skins you were goofing with (Crazy & Dark) that are pretty wild. Might be a bit confusing if some member happens to switch to one of those by accident (those skins have their own logos as well btw none of which contain the "slogan"). Maybe you might want to disable those and leave permissions just for yourself if want to continue to work on them. They look like something you were just goofing around with and didn't mean to have available to members/guests?

post-385-0-06909000-1358983647_thumb.jpg

I don't seem to have permission to do anything template/skin related other than change logos. So I can't disable any of those skins nor make the "IPB" one the default.

Look & Feel > Template > Skins or something like that.

Also Linda mentioned that spammers/banned members were still being able to update their "status". I tried to look at "manage groups" to check the permissions on that, but don't seem to have access to that anymore.

I haven't logged on as a "guest" nor as a "member test" account, but banned members should be hidden from the member list as well as members not being able to look at those profiles of banned members (esp banned members who are still able to update their "status" w/ malicious links etc).

@ SPAM CONTROL:

Looks like the bots are totally stumped as there have been only 7 new registered since the banner/question update. And all of those look like legit members who've managed to answer the security question and find the answer they needed.

... Go 49'ers. :)

Link to comment
Share on other sites

thank you all for a lot of hard work. i too am having a problem signing out it says i am but when i get back on it always says i am still signed in

Link to comment
Share on other sites
