New to the community? Start here

Spammers getting through TOS and Activation Email

I am having spammers sign up and activate the blog. I have the terms of service set up and did not have this problem until the last few weeks. Now I get 5-15 new blogs to delete daily from this new threat.

They all have the same look, [email protected]’s.

lydia5778607 ([email protected])

There have been a few that come from the same domain. I have not checked for repeated IP addresses.

So this new threat can fill in the right fields on the sign-up page, check the box for TOS and then click on the activate link in the email sent to them, is the way it looks.

Suggestions for defeating this?

Thu, 19 Feb 2009 15:18:33
  • drmike
    • DEV MAN’s Mascot

    I have not checked for repeated IP addresses.

    Gotta admit that’s something I would be checking. We went through this one one of my installs a couple of weeks ago. Manual signups run through a VPS from IP addresses out of Korea.

    While I’m against Captchas, I’m beginning to think about a signup email that, along with having a link to click on, adding in a math question or something along those lines.

  • daansys
    • WPMU DEV Initiate

    I checked the IP addresses and they are coming from a variety of IP’s as well. There are a few repeated IP’s of the extremely over zealous spammers.

    I changed the default radio button to user. To see what happens for now.

    I am not a code person, so is there a simple way to compare the user name and email address, if they match (characters before the @ sign) disallow?

    daansys

  • drmike
    • DEV MAN’s Mascot

    There probably is but considering we have valid email addresses with the same pattern, you;re going to get a lot of false positives.

    You may be able to use a service like Project Honeypot to help:

    http://www.phsdl.net/

    Heh, any service that calls Akismet a problem is OK in my book. :slight_smile:

    But just looking at the mu forums and the amount of manual spam that’s over there, where folks are dragging up six month old threads and pretty much just repeating what’s already been posted shows that folks are going to be stuck with spam no matter what they do. :slight_smile:

  • uncobeth
    • WPMU DEV Initiate

    I noticed that a lot of the sploggers are using curl and other user agents to automate signups, so I did this in my .htaccess file:

    RewriteCond %{HTTP_USER_AGENT} ^curl [NC,OR]

    RewriteCond %{HTTP_USER_AGENT} ^WWW-Mechanize [NC, OR]

    RewriteCond %{HTTP_USER_AGENT} ^gooblog [NC]

    RewriteRule ^.*$ http://healthblogs.org/faqs [R,L]

    This works on other domain names, but not on my wpmu installation for some reason, so I’m trying to figure out why. If anyone gets it to work, it would sure help!

    I also edited the signup stuff to forbid any numbers in the usernames and to flash them an error message telling them that they need to contact us about their blog signup. This has virtually stopped it.

    These people make me so ill. I’m trying to figure out how to use OSSEC to find multiple instances of wp-signup from the same IP to block them, too.

  • iblogcity
    • WPMU DEV Initiate

    I had the exact same problem a few days ago. Each sign-up was coming from the same IP, about an hour apart. I installed WP-Ban and started redirecting any traffic from the IP to “You’ve been banned”. They just switched IPs. I finally installed WP-Captcha, and it seems to be stopping them from getting through. However, there have been 600+ attempts to access the sign-up page since from the IPs I banned since then. That tells me someone is still trying using the old IPs and there are probably attempts from new IPs being blocked by captcha all day.

  • drmike
    • DEV MAN’s Mascot

    I have to admit that I’m troubled with the term “You’ve been banned.” All I can see in my mind is a 90 year nun sitting at her computer, having trouble, and getting that message. She’d reach through the computer with her ruler and start whacking some knuckles…

    At the very least, I do hope you display some contact method on that page for folks to contact you if they run into trouble and can reach you for assistance. Maybe a better message along the lines of “We’ve detected a problem with your actions. For the time being, we have blocked your access to our servers. Please contact us…”

  • iblogcity
    • WPMU DEV Initiate

    drmike,

    Thank for the suggestion. It never really occurred to me that someone might actually be reading that message, since I’m 100% sure that each of the banned IPs was being used by spammers and 99% certain they’re using bots.

    Since it’s not too difficult to make it appear that an attempt is coming from one IP address when it is actually originating with another, there is a very real chance that some innocent people will end up getting banned. I’ll add a more customer friendly message and a contact just in case.

    Thanks

  • drmike
    • DEV MAN’s Mascot

    It never really occurred to me that someone might actually be reading that message

    Akismet does that if you set it to autodelete on posts older than 30 days if it detects your comment as spam. Not sure if they ever resolved that.

    On our spam system, if you hit the filters ‘x’ amount of times within ‘y’ minutes, we’ll go ahead and block you at the routers for ‘z’ amount of hours. I know my MT install does the same thing with the htaccess file. That may be something to consider that as well although blocking an AOL proxy IP address is just to easy to do.