FYI 500EBOARD IS UNDER ASSAULT

xfadmin

Head Administrator
Staff member
FYI to everyone,

For the past 4-5 days, the 500Eboard has been under a constant assault by a very persistent spammer, or spam-bot. This spambot is originating in Russia. It has been banned, deleted, IP-banned, discouraged, sent to Coventry, and had every other type of discipline done to it, and it keeps coming back like the Terminator.

We believe the forum's defenses against posting are robust enough that it will NEVER get through, but it is on its fourth iteration. We have learned how it is working.

We also believe that additional spambots will be targeting this forum in the future. With the bolstered defenses, we do not believe that the spammers will get through, but they may indeed find a way around the defenses. Hopefully the spammer will give up and eventually go away.

Please see the attached tables, which show the spambot's IP addresses (it is using MANY of them). IP address attacks and access attempts are originating every 3-4 minutes from various IP addresses -- sometimes several attacks in a row from the same IP address, and then the spambot takes another IP address and continues the attack.

It is likely that this is going to continue for quite some time into the future. Do note that we have plenty of excess server capacity, so the spambot attacks should NOT affect server or site performance.

Best regards,
@xfadmin

[Attachments: five screenshots dated 2021-08-10, the tables of spambot IP addresses referred to above]
 
For someone not in the know may I ask what is the actual goal of these spam bots? To post garbage adverts? Why would they target a small bunch of 036 anoraks?

In any case thank you for keeping them out!
 
Can you send John Connor back in time to kill the black hat?
Better hope the black hats don’t send T-800 or T-1000 after Connor.

 
Having dealt with these threats many times in the past, the spambots can be posting legit spam, advertisements for everything from Viagra to bogus sites selling items worth thousands for pennies; of course, you would never get what you ordered. The secondary purpose is to mislead people into clicking on links that take you to what seems to be a legit page for something useful, but the code embedded in the page injects malware onto your system. This malware may encrypt your files and demand a ransom, or it may install a "backdoor" or "keylogger" into your system, allowing criminals to compromise account IDs/passwords. These bogus links could also be used for massive DDoS attacks, turning your computer into a remote-controlled zombie.

It's worth the spambot's time to target any and all forums, regardless of size.
 
We had seven, separate attempted registrations last night from spammers. From their past attempts, we were able to figure out their automated methodology and put some additional changes into effect that removed their ability to register.

Their methodology is to register with a false/nonexistent Gmail e-mail address. Note that Gmail addresses generally are considered "vetted" and safe, and many, many of our members use them as their forum email address.

While the spammer's registration is pending (and the XenForo system receives a "bounceback" email noting that their email account doesn't exist -- a dead giveaway of this methodology), they go back in and then immediately change their e-mail address to a new gmail address. These "new" gmail addresses have a lot of periods in them, and typically take the form of something like "ty.lersm.ith.foru.mtmp@gmail.com"

These email addresses are also intended to circumvent the two layers of automatic forum defenses that the forum has, which check all user names, e-mail addresses, and IP addresses against online databases of known spammers. Generating a random email address and user name, and using a rotating IP address, conveniently gets around all of these system checks.

So the way to block these registrations (so they can't change the email address) is to REJECT any email address that has more than two "periods" in it. This means that a "dave.gsxr.boise@gmail.com" address would be OK, but a "dave.gsxr.boise.124@gmail.com" email would be automatically rejected.

The spammer made seven different tries last night; none of them worked. The photo below shows all of the attempted spammer registration attempts in the past 48 hours. Two of the registrations listed below are legitimate, and went through just fine.

[Attachment: screenshot dated 2021-08-14, the attempted registrations in the past 48 hours]

But they keep upping their game. So the onslaught will continue in the future. But this single battle is won, for now.
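
The period rule described in the post above, as an added example that is not part of the original thread and is not XenForo's own code. It counts periods only in the part before the @, which is what makes the post's two sample addresses come out as stated, and goes one step further by collapsing Gmail dot and plus variants (which Gmail delivers to the same inbox) to a single mailbox; the function names and the duplicate check are assumptions.

```python
MAX_LOCAL_DOTS = 2  # from the post: more than two periods is rejected
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address):
    """Return (local, domain) in lower case, or None if the shape is wrong."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or "." not in domain:
        return None
    return local, domain


def too_many_dots(address, limit=MAX_LOCAL_DOTS):
    """Apply the post's rule to the part before the @ only."""
    parts = split_address(address)
    if parts is None:
        return True  # malformed input is rejected as well
    return parts[0].count(".") > limit


def canonical_mailbox(address):
    """Collapse Gmail spellings that deliver to the same inbox."""
    parts = split_address(address)
    if parts is None:
        return None
    local, domain = parts
    if domain in GMAIL_DOMAINS:
        # Gmail ignores periods and anything after "+" in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def review_email(address, known_mailboxes):
    """Decide on a new or changed address; known_mailboxes holds canonical forms."""
    if too_many_dots(address):
        return "reject", "more than two periods before the @"
    mailbox = canonical_mailbox(address)
    if mailbox in known_mailboxes:
        return "reject", "same mailbox as an existing registration"
    known_mailboxes.add(mailbox)
    return "accept", mailbox


if __name__ == "__main__":
    known = set()
    # Addresses quoted in the post, plus one constructed dot variant.
    for addr in ("dave.gsxr.boise@gmail.com", "dave.gsxr.boise.124@gmail.com",
                 "ty.lersm.ith.foru.mtmp@gmail.com", "davegsxr.boise@gmail.com"):
        print(addr, review_email(addr, known))
```

Running the same check on e-mail changes made while a registration is still pending, not only at sign-up, covers the address swap the post describes.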
 
Six more separate attempts today to register for the forum by the Russian spammers, between 1:07 and 1:20 PM.

So far, the email schema above seems to be holding them at bay.

[Attachment: screenshot dated 2021-08-15, the day's attempted registrations]
 
Maybe just put Russia on hold for awhile?
There's also no guarantee that the originating source isn't using a Tor circuit or VPN that has a Russian IP mask. Changing source IP for this kind of thing is almost impossible to prevent using source IP. Also, blocking source IP ranges can affect legitimate users, as spoofing techniques are common practice. Sometimes the source of these attacks comes from a malware-infected device and the owner of that device has no idea they are facilitating the attack vector.
These things are a lot more complicated than most are aware. The fact that exploits are easily searchable through CVEs makes life a doddle for an intelligent programmer with access to git libraries chock-full of code suitable for malicious use.
Fork it, make a few small changes to suit individual use case, and compile. Et voilà, new and improved or slightly varied nuance.

Nothing is simple anymore. The machines already have it over us... doesn't matter how smart the lifeform between keyboard and chair is.
 
