View Full Version : Spammers!!!



WhereRWe?
01-07-2011, 12:08 PM
Most of you probably haven't noticed, but in the last week we've been getting bombed with spammers joining GCM.org - 15-20 per day. At first I thought it was just because I've been trying to delete them and block their IP addresses as fast as I could, and was making them mad.

But I started checking, and it is not just us - many other forums are getting hit as well. Here's a discussion (http://www.stopforumspam.com/forum/viewtopic.php?id=2098).

I'd say 90% of the spam is coming from ISP's in Russia and the former Soviet republics. Why? BTSOOM! :D:D

So - if you see a "new user" listed, and they suddenly disappear, I got them! LOL!

Ekidokai
01-07-2011, 12:32 PM
You're doing a great job. I have not seen any of them.

I do wonder how they know about my shortcomings? Can you do anything about that?

WhereRWe?
01-07-2011, 02:23 PM
I do wonder how they know about my shortcomings? Can you do anything about that?

I could suggest the name of a urologist... ;);)

EMSDanel
01-07-2011, 05:24 PM
Ooooooh.......good one:D

brdad
01-07-2011, 10:09 PM
Sometimes we forget what goes on behind the scenes. Bruce does do 99.9932187234% of the new membership approvals and deletion of spammers in the process, as well as sending out welcoming emails to the new members.

Kudos to Bruce for doing all that!

JustKev
01-07-2011, 10:25 PM
Sometimes we forget what goes on behind the scenes. Bruce does do 99.9932187234% of the new membership approvals and deletion of spammers in the process, as well as sending out welcoming emails to the new members.

Kudos to Bruce for doing all that!

Many, many kudos.

NativeMainer
01-08-2011, 12:46 AM
Yeah, I'll add my thanks here as well. I haven't seen a darned thing.

dufzor
01-08-2011, 01:28 AM
I have not seen a thing. Thanks to all the behind the scenes people!

WhereRWe?
01-08-2011, 08:17 AM
Fourteen more spammers had joined up when I logged on this morning. LOL!

Ekidokai
01-08-2011, 03:07 PM
14 more spammers. That's incredible. Do they really think that anyone will pay any attention to any of their crap? Except the growth cream.

WhereRWe?
01-08-2011, 04:56 PM
14 more spammers. That's incredible. Do they really think that anyone will pay any attention to any of their crap? Except the growth cream.

We're up to 22 for the day so far. What bothers me is that they're starting to use US based ISP's, which makes it very difficult to block email originating from those ISP's - we don't want to block REAL geocachers from logging on.

We had a case recently where one of our well-known members was blocked from the site because they changed ISP's - to one that was blocked a long time ago before we really knew what we were doing. LOL!

WhereRWe?
01-08-2011, 07:14 PM
Here is a profile of the typical spammer we've been getting lately:

There is a new user, LuChenVahn at Geocaching Maine

To view their profile, go here:

http://www.geocachingmaine.org/forum/member.php?u=2547

Email Address : vasilisaandreeva20.10@gmail.com
Birthday : August 9, 1981
Referrer: N/A
IP Address: 94.181.176.2

First Name : QQQOU
Last Name : LuChenVahn
Location : USA
Postbit Template Selection : Horizontal Postbit

If you check the IP address at "WhoIs (http://www.whatismyip.com/tools/ip-whois-lookup.asp)", you'll see that this person is logging on from a Russian ISP:

role: Network Operation Center CJSC ER-Telecom Company Penza branch
address: ZAO Elektrosvyaz-Penza
address: Kalyaeva st. 7A
address: 440600 Penza
address: Russian Federation
phone: +7 8412 260342
fax-no: +7 8412 520803
e-mail: [Email Removed]
admin-c: UON5-RIPE
tech-c: STLK1-RIPE
tech-c: ZPM2-RIPE
nic-hdl: ETHD2-RIPE
notify: [Email Removed]
changed: [Email Removed] 20070126
source: RIPE
mnt-by: MNT-ERTHOLDING

And if you check the "Stop Forum Spam (http://www.stopforumspam.com/search/?q=LuChenVahn)" website, you'll see that this "user" has been busy lately.

But it's fun trying to keep them out! LOL!

cano
01-09-2011, 10:26 AM
The reCaptcha this forum is using is vulnerable to cracking. You should use a different CAPTCHA. Also, you should add one field asking for a geocaching profile URL, and implement various negative captchas.
The vast majority of spammers could be filtered out at this point.
Next, implement a behavioral analysis of what users do when they register. The rest of the spammers could be filtered out here.

dubord207
01-09-2011, 03:39 PM
That's just what I was thinking cano, that and sending the spammers an internet virus that sets their computers on fire!:D



The reCaptcha this forum is using is vulnerable to cracking. You should use a different CAPTCHA. Also, you should add one field asking for a geocaching profile URL, and implement various negative captchas.
The vast majority of spammers could be filtered out at this point.
Next, implement a behavioral analysis of what users do when they register. The rest of the spammers could be filtered out here.

WhereRWe?
01-09-2011, 05:10 PM
That's just what I was thinking cano, that and sending the spammers an internet virus that sets their computers on fire!:D

These are obviously bots that are joining from "zombie" computers - owners that let their computers get taken over by spambots.

Ekidokai
01-09-2011, 05:27 PM
That's just what I was thinking cano, that and sending the spammers an internet virus that sets their computers on fire!:D

What fire? Where?

Electrocution works much better. Really gets their attention.

WhereRWe?
01-09-2011, 06:21 PM
The reCaptcha this forum is using is vulnerable to cracking. You should use a different CAPTCHA. Also, you should add one field asking for a geocaching profile URL, and implement various negative captchas.
The vast majority of spammers could be filtered out at this point.
Next, implement a behavioral analysis of what users do when they register. The rest of the spammers could be filtered out here.

I think Rick changed this today - I see that the verification process is now "question and answer" (not reCaptcha), and some of the questions (14-7=?, for example) were added today. :D:D

attroll
01-10-2011, 12:05 AM
The process was not just a CAPTCHA issue. We also had someone that manually screens all the new applicants that register on the site and approves them. Somehow this user got past the approver.

Yes I did change the verification process to see if that will help any.

WhereRWe?
01-10-2011, 08:20 AM
Somehow this user got past the approver.


Sheesh! Not! This person had posted that PM before I even got up that morning. Note my first comment (http://www.geocachingmaine.org/forum/showthread.php?t=5025) on the issue, which was in response to email received from a member about an "inappropriate post". I don't know why he was able to post a PM BEFORE he was validated, but he won't post again. LOL!

(Only 14 "new members" this morning. We're doing better. LOL!)

brdad
01-10-2011, 08:22 AM
We did have an issue where people were able to PM (but not post) before being approved, but I thought we had fixed that.

WhereRWe?
01-10-2011, 08:52 AM
We did have an issue where people were able to PM (but not post) before being approved, but I thought we had fixed that.

I looked, but I could not find anything to allow or deny sending a PM. That was the first thing on my mind yesterday - how could he send a PM without being validated? :confused::confused:

attroll
01-10-2011, 09:54 AM
I don't understand that either right now because people can not post PM's until they are registered users.

brdad
01-10-2011, 03:54 PM
(COPPA) Users Awaiting Moderation
Unregistered / Not Logged In
Users Awaiting Email Confirmation

All have Maximum Stored Messages: 50

This does not seem right to me, as it states "If you set this to 0 users from this usergroup will not be able to use private messaging."

It seems this might be our issue, but I'd rather get verification, Rick.

WhereRWe?
01-10-2011, 04:31 PM
(COPPA) Users Awaiting Moderation
Unregistered / Not Logged In
Users Awaiting Email Confirmation

All have Maximum Stored Messages: 50

This does not seem right to me, as it states "If you set this to 0 users from this usergroup will not be able to use private messaging."

It seems this might be our issue, but I'd rather get verification, Rick.

Sheesh! Took me a while to find this, but I agree with you Brdad. Changing this should solve that problem, but I'll leave it to Rick to change the parameters...

attroll
01-11-2011, 10:43 AM
(COPPA) Users Awaiting Moderation
Unregistered / Not Logged In
Users Awaiting Email Confirmation

All have Maximum Stored Messages: 50

This does not seem right to me, as it states "If you set this to 0 users from this usergroup will not be able to use private messaging."

It seems this might be our issue, but I'd rather get verification, Rick.
This is storage for messages sent to them. It has nothing to do with sending messages. If you have a user in moderation or any other of this status then you may want to send them a PM telling them why. If it is set to "0" then they will not get the message.

These three groups have the option to send PM set to off. So they should not be able to send a PM. I will have to create another account and have Bruce not approve it and see if I will be able to send a PM. I am busy right now and getting ready to head out. I will do it later. If one of you two want to try it, you're more than welcome.

brdad
01-11-2011, 05:10 PM
Unapproved member brspammerdad may have sent you two PMs. They appeared to send fine, but when he looked in his PM outbox, it was empty.

WhereRWe?
01-11-2011, 05:27 PM
Unapproved member brspammerdad may have sent you two PMs. They appeared to send fine, but when he looked in his PM outbox, it was empty.

I didn't get any PM's from "him". And I checked - his IP address does not show up in the StopForumSpam (http://www.stopforumspam.com/) database, and his ISP is Verizon, so I'll probably just go ahead and approve him. LOL!

brdad
01-11-2011, 07:52 PM
I changed the "Users Awaiting Email Confirmation" group to 0 and brspammerdad cannot send any PMs, in fact the option is removed from all menus.

There is still an issue with email confirmation, brspammerdad never got an email from the site. He did, however, misspell his email address on the first try. :rolleyes::(:rolleyes:

EDIT: email corrected, email came quickly. lol

brdad
01-11-2011, 08:12 PM
Once I confirmed email, I was once again able to send PMs without being approved. Setting the Max to 0 again hid the PM menu altogether.

I think we'll have to leave these set to 0 until we upgrade, Rick.

I set the unregistered/Not Logged in to 0 as well, even though I tried and cannot send PMs when not logged in.

attroll
01-12-2011, 03:18 PM
Sounds good to me Dave. Thank you.

WhereRWe?
02-17-2011, 09:34 AM
I just got rid of another spammer, but I was intrigued by the IP he was logging in from - 205.202.120.216:

OrgName: State of Nebraska / Office of the CIO
OrgId: STATE-19
Address: 501 South 14th street
City: Lincoln
StateProv: NE
PostalCode: 68508-2711
Country: US

Here's the information he logged in with:

There is a new user, troubonnoma at Geocaching Maine
Email Address : n.e.p.obed.im.i.v.o.l.peb.ni.se.a@gmail.com
Birthday : February 9, 1967
Referrer: N/A
IP Address: 205.202.120.216
First Name : QCCCOCQCQ
Last Name : troubonnoma
Location : Tajikistan

:D:D

brdad
02-17-2011, 03:45 PM
The IP address 205.202.120.216 definitely belongs to State of Nebraska / Office of the CIO.

Did you ban the IP?
Did you send them an email to let them know?

WhereRWe?
02-17-2011, 04:37 PM
Did you ban the IP?
Did you send them an email to let them know?

Yes.
No.

That IP has been a source of spam (http://www.stopforumspam.com) for at least a year, with 142 entries at stopforumspam.com since Jan 2010. They probably don't care...

:D:D

fins2right
02-21-2011, 09:35 AM
Question? What program do you use to get addresses off the I.P. numbers? Or is that part of the website setup?

WhereRWe?
02-21-2011, 01:03 PM
Question? What program do you use to get addresses off the I.P. numbers? Or is that part of the website setup?

Go to a website that will do a "Whois (http://www.whatismyip.com/tools/ip-whois-lookup.asp)" lookup. For example, if you click on the hyperlink, the site will show a number in a box - your IP address. Click on "Whois Lookup" and it will tell you about your ISP. Or you can substitute another IP address - of a new member of GCM.org for example - to see where he logged in from.

I get a notification when someone joins GCM.org, which includes email address, user name and IP address. I check them out before I validate them on GCM.org. If they're an obvious spammer, I delete the user and block the IP address from the website (which I now do a little more carefully since I recently blocked part of Roadrunner.com. LOL!)

:D:D
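
The pre-approval check described in this thread, as an added example (not code from the forum or its software): it parses a new-user notification in the layout quoted above and lists reasons to hold the account, reporting how many addresses a range block covers so an over-broad block is visible. The lists, the dot threshold and all sample data are constructed assumptions.

```python
import ipaddress
import re

# Constructed notification in the layout quoted in the thread (not a real user).
SAMPLE = """There is a new user, exampleuser at Geocaching Maine
Email Address : e.x.a.m.p.l.e.u.s.e.r@example.com
Birthday : February 9, 1967
Referrer: N/A
IP Address: 203.0.113.57
First Name : QCCCOCQCQ
Last Name : exampleuser
Location : Tajikistan
"""

# Hypothetical moderator-maintained lists, using documentation address ranges.
REPORTED_IPS = {"203.0.113.57"}     # single addresses with prior spam reports
BLOCKED_NETS = ["198.51.100.0/24"]  # whole ranges: these can catch real members
DOT_LIMIT = 5                       # assumed threshold for a dotted local part


def parse_notification(text):
    """Turn 'Key : value' and 'Key: value' lines into a dict with lowercase keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?)\s*:\s*(.+)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def triage(fields):
    """Return the reasons, if any, to hold a registration for manual review."""
    reasons = []
    ip = ipaddress.ip_address(fields["ip address"])
    if str(ip) in REPORTED_IPS:
        reasons.append("ip previously reported")
    for net in BLOCKED_NETS:
        network = ipaddress.ip_network(net)
        if ip in network:
            reasons.append(f"ip inside blocked range {network} ({network.num_addresses} addresses)")
    local = fields["email address"].split("@", 1)[0]
    if local.count(".") >= DOT_LIMIT:
        reasons.append("heavily dotted email local part")
    return reasons


if __name__ == "__main__":
    print(triage(parse_notification(SAMPLE)))
```
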