I am sorry to say that DaniWeb is once again under concerted attack by Chinese and Russian spammers. The admin and moderator teams have been working around the clock these last 48 hours to delete spam postings and remove the offending accounts, and will continue to do so until the attackers have been defeated.

However, we are only human and some spam may slip through unnoticed - which is where you come in. Can we please ask the DaniWeb community to be extra vigilant at the moment and use the flag bad post facility to report any postings which are spam so that we can then deal with the accounts in question.

All spam accounts are being banned on the spot, no warnings will be given during this period of sustained attack.

Rashakil Fol commented: Just adding some reputation spam too. +0

I'm sorry that this site is also experiencing this garbage...

Seems like almost EVERY SITE I'M ON gets this and it's sad :(

The best thing you can do, happygeek, is put ALL NEW USERS ON MODERATION, meaning nothing they post is visible to anyone but the staff group.. (After a few messages and staff sees they are OK, they add them to the reg member group)

On a couple of other sites I'm on they do this (some VBB, some other)


Good luck my friend :)

That would be impractical as all moderators are volunteers and already devote a huge amount of their free time to keeping the community running smoothly. Throw in having to actively approve everyone who wants to post here, manually, one by one, would be a step too far when there are 100+ new members joining every day. Perhaps the other sites you mention either have fewer new members to deal with or are moderated by paid staff?

I don't know to be honest buddy.......

But seeing you don't have a lot of staff maybe it would be too much to deal with :(

On the other hand IT MAY BE WORTH NEW MEMBERS WAITING A FEW DAYS TO BE APPROVED.. (Ya gotta think of it that way my friend.... If they are a GOOD MEMBER they won't mind waiting)

Don't think I'd wait. :(

If you are after help with a coding problem and it is urgent you won't wait, you will go try find the answer elsewhere.

They need help for their homework or project and waiting a few days is a good thing? How long would you wait when you need help with a problem? I'd expect everyone would just go somewhere else.

Ya I'm sorry guys,

I'm just thinking about the site and how we can stop the spam......

Have you tried blocking all IPs from Russia David?? (Block them @ the server so if they enter www.daniweb.com/forums into their address bar NOTHING LOADS)

I think we are missing the main point here. It's not so much about banning users but rather validating users. And what do most websites use these days? To my knowledge captcha fields and random questions. So perhaps for users who have made less than 60 posts, they need to fill out a captcha field each time they make a post or create a new topic. But after they have made 60 posts then the captcha disappears. I think that would make more sense. :)

> And what do most websites use these days?

OpenID providers which pretty much brings down the possibility of mass registrations since the spammers would now be up against OpenID providers for spamming rather than Daniweb itself.

> Have you tried blocking all IPs from Russia David??

That was brought up as an option, but I suspect Dani doesn't want to risk losing legitimate members from an IP range in the name of spam defense.

> And what do most websites use these days? To my knowledge captcha fields and random questions.

Daniweb has both those on registration as well.

> So perhaps for users who have made less than 60 posts, they need to fill out a captcha field each time they make a post or create a new topic.

Yeah, no, that's punishing everyone for the misdeeds of a minority. Though there are regular registration practices that Daniweb doesn't do, which I feel are a primary reason for why these attacks are so painful. Sadly, Dani doesn't seem to agree.

Are the spams in Russian and Chinese (language)? I reported a couple of French and Russian spams a few days ago. Perhaps identifying Cyrillic or Chinese characters on post submission could stop the post in its tracks?

Or at least they could be flagged as dodgy - "Post waiting for moderation" or similar. Although, that would probably make life just as awkward for mods. Or there again, perhaps not. Do these concerted attacks last for long periods? Do spammers get p'd off after a certain time? Or do they keep on going until they kill the site? Seems a bit silly to me if they do - like a pathogen killing its host.

What about disabling or automatically snipping links in noob posts? Or prevent the insertion of a url in the edit box. OK, it doesn't stop the spam post, but it may stop the usefulness to the spammer. If they care that is.
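
The two suggestions in the post above (hold posts that are mostly Cyrillic or Chinese text for moderation, and snip links from new members' posts), sketched as an added example that is not part of the original post or DaniWeb's code. The post-count cutoff, the ratio, and all names are assumptions.

```javascript
// Added example: thresholds and field names are assumptions, not DaniWeb settings.
const NEW_MEMBER_POSTS = 5;   // assumed cutoff below which an account counts as new
const SCRIPT_RATIO = 0.5;     // assumed share of Cyrillic/Han letters that triggers a hold
const LINK_RE = /(?:https?:\/\/|www\.)[^\s<>"']+/gi;
const FLAGGED_SCRIPT_RE = /[\p{Script=Cyrillic}\p{Script=Han}]/gu;
const LETTER_RE = /\p{L}/gu;

function screenPost(post) {
  // Established members are not screened at all.
  if (post.authorPostCount >= NEW_MEMBER_POSTS) {
    return { action: 'publish', body: post.body, reasons: [] };
  }
  const reasons = [];
  const links = post.body.match(LINK_RE) || [];
  if (links.length > 0) reasons.push('links snipped');

  // Measure the script mix on the text without URLs, counting letters only,
  // so one quoted foreign word in an English question does not trigger a hold.
  const text = post.body.replace(LINK_RE, '');
  const letters = (text.match(LETTER_RE) || []).length;
  const flagged = (text.match(FLAGGED_SCRIPT_RE) || []).length;
  const hold = letters > 0 && flagged / letters >= SCRIPT_RATIO;
  if (hold) reasons.push('mostly Cyrillic/Han text');

  return {
    action: hold ? 'hold' : 'publish',   // 'hold' = "Post waiting for moderation"
    body: post.body.replace(LINK_RE, '[link removed]'),
    reasons,
  };
}

// Constructed sample posts, not taken from the forum.
const samples = [
  { authorPostCount: 0, body: 'Купить дешево http://spam.example/x' },
  { authorPostCount: 0, body: 'My loop prints "привет" wrong, see www.example.org/code' },
  { authorPostCount: 200, body: 'Смотрите http://example.org' },
];
for (const s of samples) console.log(screenPost(s));
```

Holding rather than rejecting keeps a legitimate Russian- or Chinese-speaking newcomer from being silently dropped; a moderator still makes the final call.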

Language varies, patterns are spotted in such things as IP grouping, registration details, username etc and that helps us eliminate pools of spambot created accounts.

This particular attack, which we have beaten from the perspective of stopping new registrations but are still fighting with regards to clearing up spam (I estimate there are a couple of hundred accounts yet to post) has lasted over a week now. I would say 7-10 days from start to finish of the main attack phase is pretty average, but the drip effect continues long after.

Ya I know bud....

Scammers are the scum of the internet... I WOULD HAVE THE MOST SPAMMERS COME FROM THE USA!

I am glad it's calmed down a little, I'm sorry you ever had to deal with this :(

What are you yelling about? That statement makes no sense at all! I thought you were a native English speaker.

captcha has long ago been cracked and is no longer reliable. At most it provides a very minor speedbump to amateurs, but it can do nothing to stop these concerted attacks.

Indeed the only way to do it is to require posts to be pre-approved by moderators, which is simply not an option for high volume sites like Daniweb (though a system of community moderation, where people with say 1000 posts and at least 2 years' membership can see such posts and get an "approve" button could possibly work to at least get the bulk approved).

Switching to openID for account management might be an option, but merging existing accounts will be a major pain (and openID isn't perfect by far, I've several times lost accounts there when they once again did something to their systems, and unable to either recreate them with the same name or recover them by any means, so apparently the name is still claimed but can no longer be accessed, thank providence for a personal domain and being able to create email addresses on the fly).

Those spammers are really 'hardworking' after all. They actually bother to change the language every time they spam.

Well, looks like we can see what the main feature of doomsday (the end of the world) will be. The internet being bumped offline due to spammers sending so much spam to every forum and every blog. G' how I hate spammers. But I guess they are what add security to the online market. :)

Spammers are but a small part of the ITSec market, to be honest - even if you look at them purely from the perspective of malware distribution they are just a speck on the screen.

> What are you yelling about? That statement makes no sense at all! I thought you were a native English speaker.

Sorry buddy, I'm not yelling...

I meant to say "I figured all spammers come from the USA"

commented: Then why didn't you just say so? :icon_wink: +0

> Have you tried blocking all IPs from Russia David??

That won't be too good a decision. So many innocent ones would be affected.

RULES OF THUMB:
The most important of these rules is: don’t take it personally. Spammers don’t want to degrade your site. They simply want to get people to their sites and make a larger profit.

1. Don’t Ban Specific IP Addresses

Don’t bother banning IP addresses. Although this is the most logical thing to do, it rarely helps much. Most comment-spammers bounce requests off other computers and servers, so you’ll likely never be able to eradicate them from your site entirely.

2. Don’t Allow HTML

There is no reason for a user of your site to be able to write HTML or JavaScript. This should be obvious, but there are many Websites that allow users to use either, or both, of these languages.

If you feel the need to allow the user to include links, there are a number of ways by which you can code to accommodate that functionality, without making your site vulnerable to attack. The most common method is to inform the user that all URLs will be converted to links automatically, then convert any content that starts with http:// to a link.

3. Use Non-Descriptive Form Names

Good programming requires the use of descriptive names, but in avoiding comment spam, you should stay away from names that describe a form’s fields. Form element names like "Comment" make it too easy for spammers to access your comment system.

4. Use rel="nofollow" for All Links

If you allow site users to include links in their comments, add rel="nofollow" to the tag, as shown below:

<a href="http://www.daniweb.com" rel="nofollow">Daniweb</a>

This technique allows search engine bots to ignore the link, so the spammer gains no benefit from adding links to your comments.

I don't know if DaniWeb follows these rules of thumb for stopping spammers. If not, then maybe they can be applied in the respective places.

Best Wishes!
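
Rules 2 and 4 from the post above combined, as an added example that is not part of the original post or DaniWeb's code: every character of user input is HTML-escaped, and only http:// and https:// URLs are turned into links carrying rel="nofollow". The function names are hypothetical.

```javascript
// Added example: function names are hypothetical, not DaniWeb code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// http:// or https:// followed by characters that are neither whitespace nor
// HTML-significant, ending on a character that is not sentence punctuation.
// A URL can therefore never swallow a quote or angle bracket, and other
// schemes (javascript:, data:) are never linked.
const URL_RE = /https?:\/\/[^\s<>"']*[^\s<>"'.,;:!?)]/g;

function renderComment(raw) {
  let out = '';
  let last = 0;
  for (const m of raw.matchAll(URL_RE)) {
    const url = m[0];
    // Text between links is escaped, so any markup the user typed is inert.
    out += escapeHtml(raw.slice(last, m.index));
    // The URL is escaped as well before it is placed in the attribute.
    out += `<a href="${escapeHtml(url)}" rel="nofollow">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(raw.slice(last));
}

// Constructed sample comments.
const samples = [
  'see http://www.daniweb.com.',
  '<b onclick="x">hi</b>',
  'http://a.example/?x=1&y=2',
  'javascript:alert(1)',
];
for (const s of samples) console.log(renderComment(s));
```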

> Sorry buddy, I'm not yelling...
>
> I meant to say "I figured all spammers come from the USA"

Very few of them do.

> 4. Use rel="nofollow" for All Links
>
> If you allow site users to include links in their comments, add rel="nofollow" to the tag, as shown below:
>
> <a href="<a class="sublink" href="http://www.daniweb.com"></a>" rel="nofollow">Daniweb</a>
>
> This technique allows search engine bots to ignore the link, so the spammer gains no benefit from adding links to your comments.

You also want cross-browser compatibility. I just tried using that link in Chrome and it didn't display any link at all but rather just displayed the text in the browser window " rel="nofollow">Daniweb</a> . So perhaps it would be better to use the following.

<script src="gotolink.js"></script>
<a href="#" onclick="gotolink('aACas1@e2rERY7sdfg9at4#WQ$T%fcSDG6$AAW%R9;E#$a23aserwy234a!%$58SDF',259)" rel="nofollow">Daniweb</a>

And the gotolink.js file can be an encrypted file which decodes the link with the offset number provided. Now that would be a more cross-browser solution. Only problem is if JavaScript is disabled then links won't work. :(

The few fake accounts that I have noticed all seem to have "Man" listed as their "Computer Specs and OS Flavor" and "Executive (C-level)" as their "Primary Role".

Has anyone been analyzing data patterns in all the fake account entries? Or just looking for an uncommonly large number of posts?

Or am I just being nosy (and I should leave this to the pros)?

> The few fake accounts that I have noticed all seem to have "Man" listed as their "Computer Specs and OS Flavor" and "Executive (C-level)" as their "Primary Role".

Two patterns that haven't been lost on us. ;) There are others as well, but I won't mention them so as to avoid helping the odd spammer who actually reads threads rather than posting to them.

> Has anyone been analyzing data patterns in all the fake account entries? Or just looking for an uncommonly large number of posts?

At the risk of false positives, we've been using such patterns to ban new registrations before they ever post. Hopefully the attack isn't having as much of an effect on the community as the previous one due to proactive bans.

"Executive (C-level)" seems to be a default value of some kind. I can't see anyone actually typing that in, but some valid members have that phrase in their info.

"Man" on the other hand is a spammer. I haven't seen one valid member with it.

> "Executive (C-level)" seems to be a default value of some kind
Yes, it's one of the choices in a dropdown menu.

Change it to "I am a Spammer"!!!! They obviously just choose a default. And a human would change it.

Question:
What's the average time from creating the member to the actual spam post? At least for any posts that are not done during the registration session?

It's not the default. The default is blank. It just so happens to be the first item in the list though.

I think that most accounts are in stealth mode for a couple of months before posting, right??? Not really sure, it's not something we have the ability to track.

How can we help Dani?
