Just deleted a bunch of spam user accounts

Submitted by C B Wright on

The new fun game the blogspammers have adopted when plaguing my site is to create an account and try to create posts in the Eviscerati Forums. This worked for a while until I changed a few settings so that my spamcatcher could do its thing... but even though they haven't been able to break through Mollom for a few weeks, they keep registering accounts.

So today I purged a lot of spam accounts from the roles. I'm pretty sure I only purged spam accounts--their account names are rather, ah, distinctive--but it's possible I accidentally nuked some legitimate accounts as well. If that happened to you, I'm sorry. On the other hand, you might want to avoid using account names like "petergrflkmmmbtp" in the future.


Comments are active for 30 days after publication. If you wish to comment after 30 days please use the Forums.

How about Andrewgrflkmmmbtp?

How about Andrewgrflkmmmbtp? Or Petergrflkmmmbtq? Would those be ok?

It will be handled on a case

It will be handled on a case by case basis, and on all cases similar to that the answer will be "no." :D

Writer, former musician, occasional cartoonist, and noted authority on his own opinions.

I generally don't bother

I generally don't bother registering an account anywhere unless I need one to make a comment.  I'd wind up forgetting the password anyway.  Besides, with MY screenname, you'd probably think spambot anyway.

Those are some very dead

Those are some very dead forums. Maybe it'd be easier to close them down rather than maintain them?

I have as-yet unrealized

I have as-yet unrealized plans...

Writer, former musician, occasional cartoonist, and noted authority on his own opinions.

One thing you could do is to

One thing you could do is to rename the signup page, then set up a page with the old name that only has a .php script that bans the IP of anyone who uses it.
In addition, the signup page needs to run a script that checks the referrer info, to see where the browser was referred from. Unless that is a legitimate page... BanHammer!

You could add a hidden text string that the script can look for in the signup data sent from the signup page. (Some spamtools sends a stream of data, as if it was a 'PUT' from a signup page, and formats it based on which forum SW you run)




So, your idea is to ban legitmate users (or library patrons) that get infected with one of these spambot things.

Well, "janessazlrxmdihwi" and

Well, "janessazlrxmdihwi" and "tracybeardsmore" seem to have outwitted your defenses this morning... <:-||


Yes, I see they have upped

Yes, I see they have upped their game...

Writer, former musician, occasional cartoonist, and noted authority on his own opinions.

Not at all. Do you know much

Not at all.
Do you know much about the info sent to/from a browser?
It's quite easy to see if a specific browser from a specific machine has been to any of the pages leading to the Signup page. If a browser requests the signup page WITHOUT having visited the 'pre-signup' page, it's not a real user but a bot using a script.
It's possible to see how long it takes from a signup page is loaded until the Form data is posted. Anyone doing it in less than 15 secons, for example, is either a world-class typist, some schmuck who doesn't bother to do it properly(do we really want anyone who can't bother to fill in the fields properly), or an automated script running at full tilt.

Spambots doesn't generally 'watch' what a user is browsing. In fact, the 'owner' of the spambot doesn't want the owner of the computer to know that it's there at all.

A ban may be permanent(I tend to permaban IP blocks to services such as iPredator and well... pretty much anything Russian and Ukrainian) or it could be a temporary ban.
There may be a 'BanHammer' page explaining that the IP is banned and why, with contact info to help resolve the problem.



Nothing I said suggested that you advocated claiming a spambot when there had not been any.  It was your next step "banhammer" which still seems to apply to the computer and any user that happens to use it.  If you advocate that, then you do, in fact, advocate locking out legitimate users who are unfortunate enough to get infected.  I am not sure why you said "not at all."  You have advocated, after identifying a spam attack, lockiing out the IP -- which might also be used later by a legitimate user.

Please note that very few, if

Please note that very few, if any, publicly available computers(libraries, net cafes, hotel lobbies, whatever) are used directly by spammers. They don't sit down at one, then surf around looking for forums to dump their crappy messages on.
They run long searches to identify possible sites to attack, and one thing they search for is specific pages with specific information to ID what kind of board and version. (Some boards are easier to penetrate)
This is why I advocate renaming the signup page.

Some are able to find the signup page even if has been renamed, by searching for the links leading to the page.
Which is why I suggest a hidden variable that also gets transferred from the signup page to the 'processing' page. This should stop most if not all automated signups.

Anyway, all that is done through botted or rooted computers on the net.
There may be keyloggers or other nastyness on those computers. Wouldn't it be a good idea to tell a user that the computer has been doing 'nasty stuff' online?
In the case of a collection of computers behind a NATing firewall, where it will look to the outside as every machine is using the same IP, the admin of that site REALLY should be made aware of the issue. Or he may be in on the scams, already.

The only way to really make them take notice is to lock their access out from sites they want to visit, with a message that their computers has done 'nasty' stuff online. emailing site admins very rarely does anything good.
In the case where the site admin is in on it, it may just end up with your own email addy is used as the 'sender' of an  spam message sent out to a couple of million email users... (Have you ever been flooded with 'stop sending me this crap' messages, 'This is illegal, I'm reporting you to... ' messages, 'unsubscribes' and so on?)

On a lot of networks, alerting the admin really doesn't do anything but waste your time(ComCast is one... They bl**dy fools even advises their customers not to set up routers with firewalls enabled... ). They'll never pass on a 'your computer is spewing spam, you need to clean it up' message.

Banning the IPs of those computers are really the only way of 'reaching out' to those users.


We (Shirley and I,) wondering

We (Shirley and I,) wondering if there will be chapters after twelve of a Rake by Starlight?

There will! I'm working on

There will! I'm working on them now. I mean, not right this minute, but I am actively working on them.

Writer, former musician, occasional cartoonist, and noted authority on his own opinions.