Spam User Signups at AGD and elsewhere

[Guard Dog]

AGD and some of my other forums (vbulletin) are getting hit with tons of user signups lately. Thanks to Jeff, my user moderator, none of the spammers are getting through to us.

Yesterday he notified me that there were about 300 signups. Today looks like it is going to beat that record. It gives him a little extra work to do! If you are a user who is valid and has been rejected, please send us an email... some WILL fall through the cracks, but it keeps AGD clean.

 

[Daera]

We've also been getting them from xrumor I think. It looks like our new spam sign-ups are mostly coming from Russia.

Spam of any kind is ICK!

 

[Perc]

I'm sure you (and Jeff) know about stopforumspam.com? They have a large database of spammers that many people contribute to.

Here are some mods made for various forums using the db: Stop Forum Spam - Contributions

I'm using the mod for SMF on my (non gambling) forum and so far it has stopped most without me having to do much at all. I just take a quick look at the list of flagged members awaiting approval, select all (because so far they've all been correctly flagged as spammers), and reject their registration.

 

[Bonus Paradise]

We have banned many spammers the last few days.
Never had that many. Was already wondering what is going on now.

We had them with all kind of IP's, and many using a proxy.
I am thankfurl for stopforumspam.com!


If I not find a suspect new member on stopforumspam I google the e-mail and usernames, many times you get results which are enough proof to ban.

 

[darmac]

Same here over 400 in spammers alone but only 1 posted?

 

[Bonus Paradise]

Same here over 400 in spammers alone but only 1 posted?

Did you check their profiles, do you have members open to view for guests?
I notice lately many signature spammers on forums,
I suggest everyone to either make the member list not public
(Don't do that if you have all member profile pages already indexed in google, you might loose to many pages at once . but if your start a forum, then you should think about this 1st - want your members public or not? ),
or find a way to not allow them adding a signature or homepage link to their profile.
There are Mods to not allow them adding links unless they have xx posts and such.

I am not allowing them to add links under 15 posts, and guess what..... some are really still doing the job and make their 15 posts, LOL

 

[Simmo!]

If its of any use, one thing I did on my old vb forum was to put a bit of PHP code in the header of the registration page to check the referal was from another page on my domain and if not it simply showed a blank page (with no clue as to why it was blank!). It didn't get rid of all the manual spammers but it killed the bot signups and those coming in to the registration page from an outside link overnight.

 

[darmac]

I have a bot for spammers, these are manuel, seems to have started after I was doing SEO with the forum link. BP I will check on that, and thnx for the info Simmo too

 

[Daera]

Did you check their profiles, do you have members open to view for guests?
I notice lately many signature spammers on forums,
I suggest everyone to either make the member list not public
(Don't do that if you have all member profile pages already indexed in google, you might loose to many pages at once . but if your start a forum, then you should think about this 1st - want your members public or not? ),
or find a way to not allow them adding a signature or homepage link to their profile.
There are Mods to not allow them adding links unless they have xx posts and such.

I am not allowing them to add links under 15 posts, and guess what..... some are really still doing the job and make their 15 posts, LOL

I also don't allow guests to view member profile pages. I use that mod that let's you set how many posts members have to have before posting links, and other things. Most spammers don't get posts out with links that don't have to first be moderated by us, but some of the clever ones do.

I don't need to Google or have to check stopforumspam to know who's bad news. Their profile tells me, since I think they're registered automatically with bots/xrumer. Here's part of one that just registered.

State or Providence : california
Country : diamondguy
Gaming I'm interested in. : Slots
Attn: AOL Users : 123456
How did you find us? Please be specific. : XRGXGX

All of the crap that's causing us headaches look similiar to that. The state and country are usually goofy. They either say the same thing for both state and country, or something goofy like this one did, putting their user name next to country. That line about Attn: Aol Users should have been left alone, but these guys change it to 123456, pretty much everytime. And the last line, sometimes just says "google" but the registrations this last few days have the goofy capital letters. We had a whole slew register just today, that all have the same in their profiles as this one.

One of the new registrations today made their user name "XRumerTest". So I guess it is xrumer they're using.

For now, new users need to be moderated because they're coming in to fast to try and just catch them one by one.

Hey Simmo, I like what you said you did with the PHP code in the header. Unfortunately, I don't know PHP at all. Anything that helps keep them from even registering would be helpful. I don't suppose you have that code at your fingertips and would be willing to share, do you?

 

[Guard Dog]

Just an FYI - check 'visitor messages'. vBulletin seems to have left that part a bit open by default and many register just to post in this little used section of vB to drop links.

Yes, we use stopforumspam along with a google search for each user registered. takes some time, but it is worth it to stay clean.

 

[darmac]

I checked, guests cannot view members profile

 

[Simmo!]

Hey Simmo, I like what you said you did with the PHP code in the header. Unfortunately, I don't know PHP at all. Anything that helps keep them from even registering would be helpful. I don't suppose you have that code at your fingertips and would be willing to share, do you?

Here you go. This code goes right at the top of the vBulletin "register.php" script (back up your old one first just in case).

One change to make first: the number 25 on the first line is the length (number of characters) of http://www.somedomain.com (you will change www.somedomain.com to your domain obviously so the 25 will change too). That HAS to be exactly right:

<?php
//Check its a link from within the site (stop direct bots)
if (substr($_SERVER['HTTP_REFERER'],0,25) != "http://www.somedomain.com") {
	//Now check its not a click from an activation email
	if ($_GET['a'] != "act" && $_GET['a'] != "ver") {
		echo "<html><head><title>Register</title><META NAME=\"ROBOTS\" CONTENT=\"NOINDEX\"></head><body></body></html>";
		exit;
		}
	}
	
//Check standard fields for "123456" string (spammers use it)
foreach ($_POST as $p) {
	if (strpos($p,"123456") !== false) {
		exit;
		}
	}
	
//Check userfields for "123456" string (spammers use it)
foreach ($_POST['userfield'] as $key => $p) {
	if (strpos($p,"123456") !== false) {
		exit;
		}
	}

It's been a couple of years since I used it so someone needs to check it doesn't bomb if you are clicking from an activation email after a registration.

Note the two "123456" checks too - I found a lot of spammers/bots used this string to fill in fields so if it finds it it shows the blank page too. Up to you if you keep that or not.

Hope it's useful.

Cheers

Simmo!

 

[Webzcas]

Andy, do a search for the isbot modification on vbulletin.org. I use this on my politics forum and Bryan also uses something similar on Casinomeister.

It allows you set a designated time for users to complete the registration process at a forum. If for example the registration is completed in 10 seconds or under, the registration gets denied.

If like on Casinomeister there is a lot of info that has to be completed on signing up, you could easily set it to 30 seconds.

This modification stops 95% of the bots signing up. The majority take less than 2 seconds to complete the signup process.

If you can't find the exact modification, let me know and I'll check my politics forum to see what it is actually called.

 

[lots0]

I don't use vb and I havent seen any increase in spam sign-ups.
So it makes me think that someone may have found a new exploit in vb.

Along with a capcha I use a hidden bate field in the registration page. People can't see it, but the bots can and the bots think they need to fill it out, an easy way to spot the spammer.

 

[Daera]

Thank you VERY VERY much Simmo and Webzcas!! Your info. is very helpful.

I installed isbot first, because it looked a bit simpler for an idiot like me to get to work. And almost immediately I got 2 emails like this:

Sent: Saturday, January 08, 2011 11:08 PM
Subject: User Blocked from Registering


The following user name with email address was blocked by the Is Bot mod: faurburgy - rcjnym@ultrastartv.com (3 seconds transpired

Looks like isbot is working!

Now I'm going to add your code Simmo.

I can't tell you how happy it made me to see a couple of them blocked from registering right away.. yeah!

Thank you very much you two!

 

[Bonus Paradise]

I not have spam bots, the spammers I get are human.
Have 3 to 10 a day, last days. Before I had this amount in a week.

It does not cost me to much time to check these few out daily,
still it bothers me.

Using Enhanced Image Captcha - Vbulletin.org, think it stops many bots

 

[Simmo!]

Now I'm going to add your code Simmo.

Make sure you test the registration process afterwards and the confirmation link in the email Daera - its been a while since I used it

@Bonus Paradise: you may still find many of them are coming in from a link in some black-hat software or list or something, in which case the referal checking code can't do any harm to try

 

[Guard Dog]

Obviously we are not the only ones hit lately There is a big (getting bigger) thread at vBulletin about this:

vBulletin Community Forum

I have already set up something that will hopefully stop the trend of spam registrations. I'm sure Jeff will be happy for that!

 

[Guard Dog]

Looks like it is working. No spammer registrations since install and over 50 blocked. Nice.

 

[Daera]

Looks like it is working. No spammer registrations since install and over 50 blocked. Nice.

Looks like what is working? I'm confused. What are you using? Isbot?