SPAMBOTS - how can we stop them - read FIRST post.

Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
Forum rules
Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
Locked
hundrambit
Registered User
Posts: 1
Joined: Sun Feb 08, 2009 6:43 am

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by hundrambit »

I looked in Apaches access.log to see what exactly those bots are doing, and see following sequence all the time.

This first GET request always appears in an attempt, every time, I have not seen single attempt without this request (what does the bot finds out in this request?);

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:43:55 +0100] "GET /posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17 HTTP/1.0" 200 53751 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
About 15 reply attempts are made directly after (I include only first 3 of them);

1;

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:44:06 +0100] "GET /ucp.php?mode=confirm&id=b18ce156deecfd6a345b75920d10b1ba&type=3&sid=a1e30c2fc0acf5fb7e06d246fd142797 HTTP/1.0" 200 4884 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:44:14 +0100] "POST /posting.php?mode=reply&f=40&sid=a1e30c2fc0acf5fb7e06d246fd142797&t=86 HTTP/1.0" 200 53598 "http://forum.xx.info/posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
2;

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:44:20 +0100] "GET /ucp.php?mode=confirm&id=9006fed82fb7d9940884d6fb550609f0&type=3 HTTP/1.0" 200 5386 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:44:28 +0100] "POST /posting.php?mode=reply&f=40&sid=a1e30c2fc0acf5fb7e06d246fd142797&t=86 HTTP/1.0" 200 53598 "http://forum.xx.info/posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
3;

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:44:33 +0100] "GET /ucp.php?mode=confirm&id=d7ca691f51333bf436879e585e68e315&type=3 HTTP/1.0" 200 5501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"

Code: Select all

xx.113.16.66 - - [02/Feb/2009:08:44:41 +0100] "POST /posting.php?mode=reply&f=40&sid=a1e30c2fc0acf5fb7e06d246fd142797&t=86 HTTP/1.0" 200 53598 "http://forum.xx.info/posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
The bot does not succeed most of the time, he succeeds only ~3 replies out of 15.

Maybe this will be useful for someone who actually understands what is happening under this procedure. For now I had to close all the forums for "registered only" (version 3.0.4). :(
NoDeity
Registered User
Posts: 22
Joined: Wed Sep 22, 2004 7:16 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by NoDeity »

The install file says it was designed for 3.0.2. I don't know whether it would work on 3.0.1 but I probably wouldn't do it myself.
e-lemon-ator
Registered User
Posts: 15
Joined: Fri Feb 06, 2009 2:24 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by e-lemon-ator »

"I used to be indecisive, but now I'm not too sure!" ;) - Thanks 'No Deity' for your help.
NoDeity
Registered User
Posts: 22
Joined: Wed Sep 22, 2004 7:16 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by NoDeity »

You're welcome. Hope it helps.
User avatar
Denio
Registered User
Posts: 4
Joined: Sun Feb 08, 2009 11:36 am

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by Denio »

Hi everyone!

I've just updated to PHPBB 3.0.4. I have some bots registered to my board.. amazing how much time people spend to make others go mad.. :?

I have loads of problems and hopefully some of you can help me. After I updated my BB some of the admin pages looks strange :D I mean if I want to change the captcha parameters I get stuck every time. I submit the page with the changes and a white blank page appears, thats all.. Anyway, I couldn't find that stuff where I set that admins need to approve the newly registered users first posts. Under Board Configuration / Post setting I have "Limit editing time" but the variable some of you have mentioned. Confusing..

I find it pretty hard to install a mod and I use special templates and styles. Subsilver and prosilver are not my taste :)

Since I disabled posting for unregistered users, I'd only need that "first post approval" thing.. Last, but not least: automatic sign-in does not work so all of the users need to login every time they visit my site. In the admin page it is enabled. This is my first post here and it was nice to see that I recieved a letter with an activation link to submit my registration. I guess that is also a mod.. Hopefully there will be a fixed version.
User avatar
James N
Posts: 143
Joined: Thu Jun 29, 2006 7:35 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by James N »

Denio wrote:Since I disabled posting for unregistered users, I'd only need that "first post approval" thing..
ACP>post settings>enable queued posts
Denio wrote: Last, but not least: automatic sign-in does not work so all of the users need to login every time they visit my site. In the admin page it is enabled.
Check your cookie settings Knowledge Base - Fixing incorrect cookie settings
Denio wrote:This is my first post here and it was nice to see that I recieved a letter with an activation link to submit my registration. I guess that is also a mod.. Hopefully there will be a fixed version.
ACP>user registration settings>user
User avatar
Denio
Registered User
Posts: 4
Joined: Sun Feb 08, 2009 11:36 am

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by Denio »

James N wrote:
Denio wrote:Since I disabled posting for unregistered users, I'd only need that "first post approval" thing..
ACP>post settings>enable queued posts
Denio wrote: Last, but not least: automatic sign-in does not work so all of the users need to login every time they visit my site. In the admin page it is enabled.
Check your cookie settings Knowledge Base - Fixing incorrect cookie settings
Denio wrote:This is my first post here and it was nice to see that I recieved a letter with an activation link to submit my registration. I guess that is also a mod.. Hopefully there will be a fixed version.
ACP>user registration settings>user
Thank you so much. Probably I have something going wrong in my ACP modul.. there is NO "enable queued posts" or such.. I found cookie settings :) Hopefully it will now be ok. "ACP>user registration settings>user" - nothing there..

Can it be happen that my ACP is not updated?
FirstTracks
Registered User
Posts: 10
Joined: Wed Feb 04, 2009 8:45 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by FirstTracks »

FYI I installed the AntiBotQuestion mod linked from the first post in this thread yesterday, and since then...nothin'!! It may also help that the answer to the question is obtained by the user by looking at a JPG file that contains the answer. Until the CAPTCHA is fixed, this works for me.
User avatar
James N
Posts: 143
Joined: Thu Jun 29, 2006 7:35 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by James N »

Denio wrote:
Thank you so much. Probably I have something going wrong in my ACP modul.. there is NO "enable queued posts" or such.. I found cookie settings :) Hopefully it will now be ok. "ACP>user registration settings>user" - nothing there..

Can it be happen that my ACP is not updated?
Please fill out the Support Request Template.
e-lemon-ator
Registered User
Posts: 15
Joined: Fri Feb 06, 2009 2:24 pm

Re: SPAMBOTS - how can we stop them - read FIRST post.

Post by e-lemon-ator »

Nearly fell for this one that was emailed to me. I am always getting emails from forum members forgetting their usernames so nearly fell for it. The email was from postmaster@thetwohs.plus.com (let the bots gather his email) - http://www.thetwohs.plus.com looks like it is parked.
have changed my e-mail to john@the twohs.plus.com and cannot remember my password or user name as I have not used the forum for some time. can you help please? .
I expect this is a result of email file that was hacked. Sorry if this is posted in the wrong place - It's spam.
Locked