Rick

Recent Spam Attacks on CenTexTalk.com

Recently, my discussion forum, CenTexTalk.com, was hit by a cyber attack from spam bots originating primarily from China, Japan, Ukraine, and Poland. On Friday, November 16, 2012, I started receiving notifications of many new users to the forum. Unless there is a local topic of interest, usually involving the local government or a local school district, usage like this is unusual. I decided to check the originating IP addresses and the new user accounts. I also noticed that they all listed an ICQ account (no one does that anymore); therefore, I went ahead and banned the usernames and Internet protocol addresses from the forum.

When I went home, I installed a small modification called "Spammers Suck" from the vBulletin modifications forum, which blocked registrations that filled out the registration form within a humanly impossible 15 seconds. That modification would send me an email every time it blocked a registration. Two more got through, so I set it to block them at twenty seconds and set the software to require manual verification of new users before they could post messages. Also contained in the email was the Internet protocol address of the spammer. I then went into the server control panel and blocked a series of Internet protocol addresses, which would eventually help prevent more spam bots from the same location from attempting to access the forum.

Here is a copy of the message that I receive when a spam bot attack is blocked.

A registration was prevented by bot blocker; visitor information below.


Time Difference: 6 second(s)

Username: freedrugsed
Email: vilidshdaaas@gmail.com
IP: 37.215.170.136
User Agent: Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62

On Sunday morning, I noticed that one of the moderators had deleted twelve messages from a spam bot that had registered before the attack began. I referred to that as a “sleeper” account and decided to look for more of them. I was able to find four more of these “sleeper” accounts and immediately banned them from the forum and subsequently blocked those Internet protocol addresses from accessing the server as well.

Suspecting a vulnerability on the server, I contacted the host and asked them to scan the server for malicious software, a request that they refused to honor, so, needless to say, given all the issues I have had with them lately, I am now actively searching for a new host for my websites. I also am planning to upgrade the forum software to the latest version since the vulnerability may be contained in the software.

These spam bots are somehow able to get through the human verification that I had installed in the program, so I am sure that there is a vulnerability contained in the software.

Another characteristic of these attacks is that they make more than one attempt to establish an account. This was noticed when the spam bot prevention software sent me the notification email. I noticed that each time I was notified, I was receiving two emails containing the same user name, email address and Internet protocol address. At first, I thought this was caused by an error with the modification, but then realized that the reporting times for filling out the forms were slightly different. In an attempt to hinder this, I decided to use the option in the modification that allows me to redirect the bot to another website. This should prevent subsequent attempts at registering a nuisance account name.

At this point, the attack seems to have been thwarted since it has been more than 48 hours since a spam bot has registered, although I am still receiving notifications of blocked attempts and occasionally one gets through and manages to register. I am able to receive email notifications whenever someone completes a new registration, so if I see an unfamiliar IP address, I quickly check its origin and take appropriate action if it is from a known spamming region.

The possible damage these attacks do to a forum is at several levels. First, it is an annoyance for users who wish to partake in discussions since they click on the forums, expecting to find a new discussion and are bombarded with sales pitches and links. Which brings me to my next point and that is regarding the links. The links posted by the spam bots could send the users to websites with malicious code that could infect their computers. It would not take long for the entire forum to become inundated with these messages. Another possibility for this increased activity is the timing of it since it began two weeks before “Black Friday”, the busiest shopping day in the United States. Several of the links that were posted were to shopping sites and I assume those sites contained counterfeit items. Some of the links and email addresses were to perfume and clothing domain names. It was noted in the news recently that the federal government had shut down several websites that were selling counterfeit merchandise.

Regardless of where the attacks originated from and why, the existence of these spam bots creates a lot of headaches for administrators of conversation forums as well as the blogs and other open comment websites and must be dealt with or they will destroy a forum. I run a forum for humans and, with very few exceptions for local small businesses, I do not allow excessive advertising.
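
As an added example (not part of the original post and not the modification's own code), the Python below parses notification mails in the layout quoted above and groups them by username, email and IP to surface the repeated attempts the post describes, plus a per-IP count to help decide what to block. The sample mails, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Field names follow the bot-blocker notification quoted in the post.
# [ \t]* (not \s*) so an empty value cannot swallow the next line.
FIELD_RE = re.compile(
    r"^(Time Difference|Username|Email|IP|User Agent):[ \t]*(.*)$", re.M)
REQUIRED = {"Time Difference", "Username", "Email", "IP"}

def _mail(seconds, user, email, ip):
    """Build a constructed sample notification in the quoted layout."""
    return ("A registration was prevented by bot blocker; visitor information below.\n\n"
            f"Time Difference: {seconds} second(s)\n\nUsername: {user}\nEmail: {email}\n"
            f"IP: {ip}\nUser Agent: ExampleAgent/1.0\n")

# Constructed sample data: documentation IP ranges and example.com addresses.
SAMPLE_MAILS = [
    _mail(6, "cheapbags01", "a1@example.com", "203.0.113.10"),
    _mail(7, "cheapbags01", "a1@example.com", "203.0.113.10"),
    _mail(4, "perfume77", "b2@example.com", "198.51.100.23"),
    "New member welcome notice (unrelated mail in the same inbox)",
]

def parse_notification(body):
    """Return the notification fields as a dict, or None if the mail
    is not a complete bot-blocker notification."""
    fields = dict(FIELD_RE.findall(body))
    if not REQUIRED <= fields.keys():
        return None
    secs = re.match(r"\d+", fields["Time Difference"])
    if secs is None:
        return None
    return {"seconds": int(secs.group()),
            "username": fields["Username"].strip(),
            "email": fields["Email"].strip().lower(),
            "ip": fields["IP"].strip(),
            "user_agent": fields.get("User Agent", "").strip()}

def summarize(mails):
    """Group blocked attempts by (username, email, IP) and count per IP."""
    attempts, per_ip, skipped = defaultdict(list), Counter(), 0
    for body in mails:
        rec = parse_notification(body)
        if rec is None:
            skipped += 1  # unrelated or truncated mail; never guess fields
            continue
        attempts[(rec["username"], rec["email"], rec["ip"])].append(rec["seconds"])
        per_ip[rec["ip"]] += 1
    # Same identity seen more than once with differing fill times = retry.
    repeats = {k: sorted(v) for k, v in attempts.items() if len(v) > 1}
    return {"repeats": repeats, "per_ip": dict(per_ip), "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_MAILS))
```
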

Comments

  1. Mestral
    Just got around to looking at these blogs again and saw this.
    Just want to say: Thanks.
  2. Shotgun Jeremy
    Keep up the good work on here, Rick. Sometimes these forums can be a handful.