In a previous post, I described a spam attack the syslog forum was under. The attack intensified pretty dramatically after that post. This time, though, it was a focused attack by a bot-net registering dozens of accounts per hour. I had read that the CAPTCHA system in SMF, even at the highest setting, had been programmatically defeated and registration bot scripts that can decipher the CAPTCHAs are readily available, so I installed the reCAPTCHA package, which has worked well on other sites. Interestingly, the rate of bot-originated spam registrations increased after switching to reCAPTCHA. It would seem that reCAPTCHA is also broken. I found an anti-bot registration puzzle package on the SMF mod site and gave it a shot this morning.
Since installing the puzzle package I have not had a single spam registration. It’s only been a few hours since implementing it, but that has saved me from deleting about a hundred accounts. As I watch the web logs, I can see the bots still diligently trying to create accounts, but they are very fortunately not being successful.
I am concerned for a few reasons:
- I am probably pissing off the owner of a bot-net, which could end up with my site being DDOS’d. Hopefully, he will instead lose interest and pick on another site.
- The anti-bot puzzle package uses colors as one of its tests. This makes the site inaccessible for those who are blind or color blind. Hopefully this is a manageable problem because reloading the registration page will likely present them with a different question that can be answered by the visually impaired.
- I suspect that this new obstacle is only going to be effective temporarily, until the scripts can be updated to handle the puzzles. If a script can be made to decipher CAPTCHAs, one can certainly be made to break the relatively trivial anti-bot puzzles.
Other interesting observations:
The bot-net was not simply executing scripts. The spam wave appeared to be controlled by a scripted interface to normal browsers running on owned PCs. All of the hosts reported being either IE 6 or IE 7, running on various versions of Windows and reporting different tool-bar plugins, leading me to believe that it was indeed actual browsers being scripted. Another indication is that the bots were also viewing Adsense ads on the forum site, which incremented the viewed ad count (sadly, that didn’t result in any extra income). Most of the hosts were using generic ISP IP addresses from all over the world.
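One way to quantify what the web logs described above show, as an added example that is not part of the original post: it tallies registration requests per hour, the distinct source IPs behind them, and the browser versions they claim. The log lines are constructed, and the `action=register` URL marker for SMF and both thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format lines; IPs are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Mar/2010:09:01:12 -0500] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.40 - - [12/Mar/2010:09:03:55 -0500] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4810 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.91 - - [12/Mar/2010:09:17:30 -0500] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [12/Mar/2010:09:20:02 -0500] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4810 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.15 - - [12/Mar/2010:09:41:09 -0500] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
192.0.2.15 - - [12/Mar/2010:10:05:44 -0500] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
MSIE_RE = re.compile(r'MSIE (\d+)\.')

# Assumption: the forum's registration URLs contain "action=register".
def summarize(log_text, marker="action=register"):
    """Per hour: registration requests, distinct source IPs, claimed browsers."""
    hours = defaultdict(lambda: {"requests": 0, "ips": set(), "browsers": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or marker not in m["url"]:
            continue  # unparseable line, or not a registration request
        bucket = hours[f'{m["day"]} {m["hour"]}']
        bucket["requests"] += 1
        bucket["ips"].add(m["ip"])
        ie = MSIE_RE.search(m["ua"])
        bucket["browsers"]["IE " + ie.group(1) if ie else "other"] += 1
    return dict(hours)

# Thresholds are illustrative and sized for the sample; tune to normal traffic.
def distributed_hours(summary, min_requests=4, min_ips=3):
    """Hours whose registration traffic is both heavy and spread over many IPs."""
    return sorted(h for h, b in summary.items()
                  if b["requests"] >= min_requests and len(b["ips"]) >= min_ips)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for hour in distributed_hours(s):
        b = s[hour]
        print(hour, b["requests"], len(b["ips"]), dict(b["browsers"]))
```

On a low-volume forum, an hour with many registration requests spread across many addresses that all claim old IE versions matches the pattern described above; a single visitor registering once does not cross either threshold.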
I have managed the syslog.org site for over a decade now and I have seen a lot of spammers. Fighting the spam battle used to be pretty straightforward on this low volume forum running the Simple Machines software. When a forum only gets a few posts a week, it’s pretty easy to pick out the spam. For a while, the spammers were hell-bent on submitting cleverly written posts with a signature that included a link to the site they were spamming. I like to think of this period in forum spamming as “fitting in”. They didn’t contribute to the conversation, but it wasn’t obnoxious, either. My read is that the spammer hoped the comment would be ignored by moderators. Legit people making real contributions to the forum were and are welcome to include a link in the signature, but everyone else got banned.
“Fitting in” morphed into a much more blatant kind of spam I call the “dump and run”. In the “dump and run”, the spammer submits a post that is generally quite long in the form of a short story or informational paragraph about the topic of the site being spammed. Key words in the post are linked back to the site being promoted. Clearly these posts don’t fit the context of nearly any forum, and so are going to stick out as spam everywhere. Here are my theories on this type of spam: