This spam attack is ridiculous

Postby Sypheck » Mon Aug 10, 2015 11:52 am

So can we update the spam filters or something again? I've seen spam bots on forums before but this is a little insane, there is literally like 10 pages of spam threads on this particular forum and the rest are kind of getting buried as well.
Sypheck | Level 2: Steller Sea Lion | Posts: 29 | Joined: Tue Apr 14, 2015 11:46 pm

Re: This spam attack is ridiculous

Postby Vielmond » Tue Aug 11, 2015 7:33 am

The spambots are onto us. The version of reCAPTCHA used here isn't a good protection. It should look like this:

Image

instead of the home address number alone. Google uses what users input to figure out those addresses in Street View. That means that they trust what the user inputs to some extent—they'll occasionally accept random numbers as valid. Even if they only let pass, let's say, 1 in 100 attempts, it's troublesome, because Permanoobs has another issue: sid.

Infinite attempts

Curiously, we have discussed another issue generated by the sid use in another thread. In the registration case, this is what happens: after X incorrect attempts the registration system should block you from trying for a considerable amount of time. However, since Permanoobs is unable to set cookies and sessions, this can be instantly bypassed. All you need to do is erase the sid from the URL bar and keep trying. That means spambots can attack Permanoobs 24/7. Quick math:

Let's say they succeed in only 1% of their attempts to guess the captcha, and try once every 2 seconds: (86400s / 2) / 100 = 432 new fake profiles per day. They don't even need so many profiles to become the pain they are.

Looking at the members list it seems they register 5-85 profiles per day, and each profile creates 5 threads before being discarded. Those spambots identified this vulnerability and are now happily exploiting it. They won't stop until actions are taken.

The solution would be:
1. Use another captcha plugin, or the double reCAPTCHA version, or even the new reCAPTCHA 2.0. Permanoobs uses phpBB; I'm sure there are some readily available for download.
2. Fix the sid issue. That would add an extra layer of security by requiring an extra step from bots to bypass the system blocks.
Bots pick the easiest targets; don't be the lowest-hanging fruit and they'll seek an easier target to bother.
Vielmond | Level 5: Grey Seal | Posts: 101 | Joined: Mon Jun 09, 2014 10:21 am | Location: Brazil
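The lockout weakness Vielmond describes, modelled as an added example (not Permanoobs or phpBB code): a failure counter stored in a session the client selects by sid, beside one keyed on a server-side identifier the client cannot discard. The threshold, lockout duration and client address are assumed; the 1-in-100 CAPTCHA guess rate and 2-second interval are taken from the post.

```python
"""Registration lockout keyed on a client-chosen sid vs. on a server-side key.
Added example, not Permanoobs or phpBB code: if the failed-CAPTCHA counter
lives in a session the client selects via a URL parameter (sid), a bot
resets it simply by omitting the sid on its next request."""
import secrets
MAX_FAILURES = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 600  # assumed lockout duration

class SidKeyedLimiter:
    """Weak: the failure counter lives in a session chosen by the client."""
    def __init__(self):
        self.sessions = {}  # sid -> failed attempts

    def attempt(self, sid, client_ip, captcha_ok, now):
        if sid not in self.sessions:      # missing or unknown sid: fresh session
            sid = secrets.token_hex(8)
            self.sessions[sid] = 0
        if self.sessions[sid] >= MAX_FAILURES:
            return False, sid             # locked, but only for this sid
        if not captcha_ok:
            self.sessions[sid] += 1
        return captcha_ok, sid

class ClientKeyedLimiter:
    """Hardened: counter keyed by the client address, which it cannot discard."""
    def __init__(self):
        self.state = {}  # client_ip -> (failed attempts, locked_until)

    def attempt(self, sid, client_ip, captcha_ok, now):
        failures, locked_until = self.state.get(client_ip, (0, 0.0))
        if now < locked_until:
            return False, sid             # still locked out; attempt not counted
        if captcha_ok:
            self.state.pop(client_ip, None)
            return True, sid
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self.state[client_ip] = (failures, locked_until)
        return False, sid

def simulate(limiter, attempts, drop_sid, interval=2.0):
    """One bot IP (constructed) tries every `interval` s, guessing right 1 in 100."""
    accepted, sid = 0, None
    for i in range(attempts):
        ok, sid = limiter.attempt(sid, "203.0.113.7", i % 100 == 99, i * interval)
        accepted += ok
        if drop_sid:
            sid = None  # the sid-dropping reset the thread describes
    return accepted
```

Over 1000 attempts the sid-keyed limiter lets every CAPTCHA guess through once the sid is dropped (10 registrations, the same as having no lockout at all), while the client-keyed one admits none either way.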

Re: This spam attack is ridiculous

Postby chazillah » Tue Aug 11, 2015 6:43 pm

Vielmond wrote: The spambots are onto us. The version of reCAPTCHA used here isn't a good protection. It should look like this:

Image

instead of the home address number alone. Google uses what users input to figure out those addresses in Street View. That means that they trust what the user inputs to some extent—they'll occasionally accept random numbers as valid. Even if they only let pass, let's say, 1 in 100 attempts, it's troublesome, because Permanoobs has another issue: sid.

Infinite attempts

Curiously, we have discussed another issue generated by the sid use in another thread. In the registration case, this is what happens: after X incorrect attempts the registration system should block you from trying for a considerable amount of time. However, since Permanoobs is unable to set cookies and sessions, this can be instantly bypassed. All you need to do is erase the sid from the URL bar and keep trying. That means spambots can attack Permanoobs 24/7. Quick math:

Let's say they succeed in only 1% of their attempts to guess the captcha, and try once every 2 seconds: (86400s / 2) / 100 = 432 new fake profiles per day. They don't even need so many profiles to become the pain they are.

Looking at the members list it seems they register 5-85 profiles per day, and each profile creates 5 threads before being discarded. Those spambots identified this vulnerability and are now happily exploiting it. They won't stop until actions are taken.

The solution would be:
1. Use another captcha plugin, or the double reCAPTCHA version, or even the new reCAPTCHA 2.0. Permanoobs uses phpBB; I'm sure there are some readily available for download.
2. Fix the sid issue. That would add an extra layer of security by requiring an extra step from bots to bypass the system blocks.
Bots pick the easiest targets; don't be the lowest-hanging fruit and they'll seek an easier target to bother.


I tried looking into this but I have no idea how I can update the captcha. I will let the seal know, but I also know he's super busy right now.
(Maybe you want to help me look into it?)

It was such a pain in the arse deleting all those threads lol
chazillah | Level 11: Ringed Seal | Posts: 866 | Joined: Thu Apr 17, 2014 7:01 pm

Re: This spam attack is ridiculous

Postby Vielmond » Tue Aug 11, 2015 7:34 pm

chazillah wrote: I tried looking into this but I have no idea how I can update the captcha. I will let the seal know, but I also know he's super busy right now.
(Maybe you want to help me look into it?)

It was such a pain in the arse deleting all those threads lol


Sure, sent you a PM. I can only imagine how annoying it is to hunt down those threads; and it's even worse once you realize those Fifa coins profiles don't create obvious spam threads, they post random answers like "i don't know" on existing legit threads. Sneaky bastards.
Vielmond | Level 5: Grey Seal | Posts: 101 | Joined: Mon Jun 09, 2014 10:21 am | Location: Brazil

Re: This spam attack is ridiculous

Postby chazillah » Tue Aug 11, 2015 10:54 pm

Vielmond wrote: Sure, sent you a PM. I can only imagine how annoying it is to hunt down those threads; and it's even worse once you realize those Fifa coins profiles don't create obvious spam threads, they post random answers like "i don't know" on existing legit threads. Sneaky bastards.


thanks for the help. hopefully the problem is solved for now! *_*
chazillah | Level 11: Ringed Seal | Posts: 866 | Joined: Thu Apr 17, 2014 7:01 pm

Re: This spam attack is ridiculous

Postby Schwanzus Longus » Tue Sep 29, 2015 1:15 am

Where can I prove I'm not a spam-bot? I just want to create a sketchbook :3
Schwanzus Longus | Level 0: Southern Fur Seal | Posts: 6 | Joined: Mon Sep 28, 2015 12:22 pm

Re: This spam attack is ridiculous

Postby Sophie_Draws » Tue Sep 29, 2015 1:29 am

PM one of the mods if you're struggling to create one :)
Sophie_Draws | Level 9: Spotted Seal | Posts: 462 | Joined: Tue Jun 03, 2014 11:50 pm | Location: England

Re: This spam attack is ridiculous

Postby Schwanzus Longus » Tue Sep 29, 2015 1:55 am

Thank you :)
Schwanzus Longus | Level 0: Southern Fur Seal | Posts: 6 | Joined: Mon Sep 28, 2015 12:22 pm

Re: This spam attack is ridiculous

Postby ErnieTheMighty » Sat Oct 17, 2015 9:02 pm

Setting some sort of application system to send to mods to approve their posting rights would be awesome.
ErnieTheMighty | Level 9: Spotted Seal | Posts: 426 | Joined: Mon May 12, 2014 9:59 am | Location: Lithuania