Regular visitors will no doubt notice that the main part of this site, which is the wiki, was down for the past week. I would like to sincerely apologize and explain what happened.

What Happened?

Last week, I opted to upgrade my FreeBSD 8.2 server to CentOS 6. I needed to do this for a few reasons. Due to work pressures, I don’t have a tremendous amount of time to keep up with the recent spate of FreeBSD vulnerabilities and patches (keeping in mind most of them are in third-party components like OpenSSL). The other big reason is that cPanel has sunset support for FreeBSD, and I could see signs of the lack of support starting to show.

My datacenter installed CentOS on a new drive. I’m not a big Linux guy, but I can be dangerous. After the installation, I had a lot of problems restoring functionality to some sites I host for others. I spent a long, long time debugging those problems. I made a brief check to ensure that my own sites were operating normally. Unfortunately, I checked the forum and the blog, but not the actual main site. I moved on to installing the Config Server Firewall and grappling with a spate of email issues, including a deluge of spam, since my SpamAssassin customizations hadn’t carried over.

What’s Next?

Well, being one to try to make lemonade out of lemons, I decided to use this “opportunity” to kick-start a migration I had been thinking about for a while. Many years ago, I moved to PMWiki with the idea that the site could be somewhat community driven. What happened instead is that primarily only spammers were interested in making wiki contributions, PMWiki became a bit of a bear for me to keep updated, and the content became stale.

Over the past few years, I have really grown to love WordPress. I’ve made a number of personal sites, and sites for friends and organizations I help out, using WordPress. So, today formally launches the migration of the wiki over to WordPress. There are a lot of details yet to work out, but I am confident it’ll work out.

In the meantime, all of the old content is still available on the wiki site. I fully intend to take the migration opportunity to update the tools and to seek out new tools and other sources of information about logging and log management.

Again, my apologies for any inconvenience while the site was down.

Spam Attack Update

In a previous post, I described a spam attack the syslog forum was under. The attack intensified pretty dramatically after that post. This time, though, it was a focused attack by a bot-net registering dozens of accounts per hour. I had read that the CAPTCHA system in SMF, even at the highest setting, had been programmatically defeated and registration bot scripts that can decipher the CAPTCHAs are readily available, so I installed the reCAPTCHA package, which has worked well on other sites. Interestingly, the rate of bot-originated spam registrations increased after switching to reCAPTCHA. It would seem that reCAPTCHA is also broken. I found an anti-bot registration puzzle package on the SMF mod site and gave it a shot this morning.

Since installing the puzzle package I have not had a single spam registration. It’s only been a few hours since implementing it, but that has saved me from deleting about a hundred accounts. As I watch the web logs, I can see the bots still diligently trying to create accounts, but they are very fortunately not being successful.

I am concerned for a few reasons:

  • I am probably pissing off the owner of a bot-net, which could end up with my site being DDoS’d. Hopefully, he will instead lose interest and pick on another site.
  • The anti-bot puzzle package uses colors as one of its tests. This makes the site inaccessible for those who are blind or color blind. Hopefully this is a manageable problem, because reloading the registration page will likely present a different question that can be answered by the visually impaired.
  • I suspect that this new obstacle is only going to be effective temporarily, until the scripts can be updated to handle the puzzles. If a script can be made to decipher CAPTCHAs, one can certainly be made to break the relatively trivial anti-bot puzzles.

Other interesting observations:

The bot-net was not simply executing scripts. The spam wave appeared to be controlled by a scripted interface to normal browsers running on owned PCs. All of the hosts reported being either IE 6 or IE 7, running on various versions of Windows and reporting different toolbar plugins, leading me to believe that it was indeed actual browsers being scripted. Another indication is that the bots were also viewing AdSense ads on the forum site, which incremented the viewed-ad count (sadly, that didn’t result in any extra income). Most of the hosts were using generic ISP IP addresses from all over the world.
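The observations above (registration attempts arriving from many unrelated ISP addresses, all claiming to be IE 6 or IE 7 with assorted toolbar strings) are exactly the kind of pattern that can be pulled out of the web server’s access log rather than eyeballed. The script below is an added example, not code from this site or from SMF: it parses Apache combined-format log lines, keeps only POSTs to the registration handler, and reports attempts per hour, distinct source addresses, distinct user-agent strings and the IE version breakdown. The registration path `/forum/index.php?action=register2`, the per-hour threshold of 5, and the log lines themselves are all constructed assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format. The registration handler path below is an
# assumption for this example; it is not taken from the forum's real layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REGISTER_PATH = "/forum/index.php?action=register2"  # assumed endpoint
BURST_THRESHOLD = 5  # assumed: registration POSTs per hour worth a closer look

# Constructed sample traffic (not real log data): a burst of IE 6 / IE 7
# registration POSTs from unrelated addresses, mixed with ordinary browsing.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Mar/2012:10:01:07 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.3)"
203.0.113.5 - - [12/Mar/2012:10:04:52 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts)"
192.0.2.77 - - [12/Mar/2012:10:09:13 +0000] "GET /forum/index.php?board=3.0 HTTP/1.1" 200 18233 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
198.51.100.88 - - [12/Mar/2012:10:12:40 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; AskTB5.6)"
203.0.113.140 - - [12/Mar/2012:10:20:03 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; YPC 3.2.0)"
198.51.100.9 - - [12/Mar/2012:10:31:58 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6.5)"
192.0.2.201 - - [12/Mar/2012:10:44:21 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.61 - - [12/Mar/2012:11:02:10 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4120 "http://example.org/forum/index.php?action=register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.4)"
192.0.2.15 - - [12/Mar/2012:11:15:33 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def registration_attempts(log_text):
    """Return only the parsed records that are POSTs to the registration handler."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records
            if r and r["method"] == "POST" and r["path"] == REGISTER_PATH]


def attempts_per_hour(attempts):
    """Count registration POSTs per calendar hour (key: 'YYYY-MM-DD HH')."""
    return Counter(r["time"].strftime("%Y-%m-%d %H") for r in attempts)


def ie_version(ua):
    """Reduce a user-agent string to 'IE <major>' or 'other'."""
    m = re.search(r"MSIE (\d+)\.\d", ua)
    return f"IE {m.group(1)}" if m else "other"


def summarize(log_text, threshold=BURST_THRESHOLD):
    """Summarize registration traffic the way a moderator would want to see it."""
    attempts = registration_attempts(log_text)
    hourly = attempts_per_hour(attempts)
    return {
        "attempts": len(attempts),
        "distinct_ips": len({r["ip"] for r in attempts}),
        "distinct_user_agents": len({r["ua"] for r in attempts}),
        "browsers": Counter(ie_version(r["ua"]) for r in attempts),
        # Hours whose registration rate reaches the threshold
        "burst_hours": sorted(h for h, n in hourly.items() if n >= threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real access log by reading the file into `summarize()`; the interesting signals are a burst hour combined with a distinct-IP count close to the attempt count (no single address to block) and a user-agent mix that is almost entirely one or two old browser versions, which is what distinguishes the scripted-browser wave described above from normal sign-ups.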

Forum Spammers Abound

I have managed the site for over a decade now and I have seen a lot of spammers. Fighting the spam battle used to be pretty straightforward on this low-volume forum running the Simple Machines software. When a forum only gets a few posts a week, it’s pretty easy to pick out the spam. For a while, the spammers were hell-bent on submitting cleverly written posts with a signature that included a link to the site they were spamming. I like to think of this period in forum spamming as “fitting in”. They didn’t contribute to the conversation, but it wasn’t obnoxious, either. My read is that the spammer hoped the comment would be ignored by moderators. Legit people making real contributions to the forum were and are welcome to include a link in the signature, but everyone else got banned.

“Fitting in” morphed into a much more blatant kind of spam I call the “dump and run”. In the “dump and run”, the spammer submits a post that is generally quite long, in the form of a short story or informational paragraph about the topic of the site being spammed. Key words in the post are linked back to the site being promoted. Clearly these posts don’t fit the context of nearly any forum, and so are going to stick out as spam everywhere. Here are my theories on this type of spam:

