Diagnosing spam attack of 100 topics

Yes both of those are enabled - I’d like to know which is triggering the moderation as ideally I’d like to disable TL0 users threads going into moderation (It’s all tl0 topics not just the first one right?)

Ah, so it is. I had mis-read it. Did you enable that option for both posts and topics, or just one of the two?

Oh, I remember the setting we had you undo: it was the disabling of auto block fast typers on first post. That alone will likely solve the issue you experienced with 100 topics being created that were pure spam. You probably do not need to send TL0 into the moderation queue intentionally.

And if you ever get an opportunity, setting up Akismet is well worth it (if you haven’t already). Between fast typing and Akismet, we rarely have actual spam posts shown on our latest view for any length of time. It really does keep the forum clean and what does get through, mods/users are quick to flag so it gets hidden.

I believe it is for topics only.

Tbh DC has been brilliant to date, with just the odd human spammer getting through and they usually post in an existing topic and are easily identified. This is the first time we’ve had a co-ordinated attack on this forum (we get them periodically on other forums I admin that run different software).

It would be great to see what is triggering requiring approval (I’m guessing it is the TL0 posters, but am hoping it’s the fast typing posters).

Have you checked the Staff Action Logs area? I can’t recall if that helps identify the cause.

Yep, it just says Deleted via post moderation queue

It does actually differentiate between the two:

So looks like TL0 restrictions need to stay in place… for now…


Quick update to say in the last 24hrs there’s been 9 accounts blocked by moderation queue and 8 accounts blocked by typing too fast.


A strategy we use on another forum is checking user profile location/country field with the IP country - automating that check (and perhaps other honeypots) might prove useful as well…


How many got through then?


You can blacklist IP ranges in Admin, Logs as needed, up to 255.*.*.* if necessary.

Also if you do not have Akismet set up yet, why not? Realize these are humans so only anti-human techniques will work.


…none :slight_smile:

They all got caught via quick typing or TL0-moderate-threads.

I wish we didn’t have to use TL0-moderate tho, I know from personal experience what a pain it is joining a forum then posting a thread which you want a quick answer to but it goes into moderate… sometimes for days. Hopefully that won’t happen as we have quite a few mods onboard.

I read that you hate spam, thank you for making DC unfriendly to spammers :smiley:

That’s good to know. When we first got hit by a huge spam attack (several years ago) we resorted to simply banning several of the worst culprits by country - on a server level. Not ideal but was very effective.

I’m going to have to look into it. I vaguely remember trying it (on my blog I think) and found that it didn’t really do much, but that was a long time ago.

When it’s installed on DC do we get some sort of notifications (in the logs) of how many posts/threads Akismet is catching? Also, is it given precedence so that we can use the block by fast typing and put tl0 users threads in moderation as fail-safes? This would also help determine whether it’s worth keeping.

The only other drawback (which isn’t too big a deal for the programming forums) is posts being sent to Akismet (on some of the forums I run some posts can be of a highly personal nature).

Try turning off tl0 moderation queue and see what gets through, paste some screenshots here of spam that sneaks past.


Hi Sam, shall I keep it on (so our Twitter feed isn’t affected) but take screen grabs and post those here if the logs say it’s a TL0 related incident?

Here’s the first lot:

That’s the entire thread content (so title spam).

Based on what we’ve seen so far, a large string of numbers (I assume tel numbers) is present in nearly all the threads. I wonder if we could use custom spam rules (actually I think XF has this feature) so certain things can trigger posts or threads to be put in the moderation queue.

So for example:

IF - TL0 User
AND - more than 6 digits in thread title
Require approval

or

IF - TL0 User
AND - content includes more than one link
Require approval

or

IF - User posts link to thisdomain.com
Place account into moderate

Do you think something like this could be handy?
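
The three rules proposed in the post above, written out as a small evaluator. This is an added example, not part of the original thread and not Discourse's code; the `Post` struct, the action names and the sample posts are assumptions made up for illustration.

```ruby
# Added example: the thread's proposed rules as a tiny evaluator.
# Post, the action symbols and the sample values are hypothetical, not Discourse's API.
Post = Struct.new(:trust_level, :title, :body, keyword_init: true)

DIGIT_LIMIT   = 6                          # "more than 6 digits in thread title"
LINK_LIMIT    = 1                          # "more than one link"
WATCHED_HOSTS = ["thisdomain.com"].freeze  # placeholder domain used in the thread

# Count digits regardless of spaces or dashes between them (phone-number style).
def digit_count(text)
  text.to_s.scan(/\d/).size
end

# Lower-cased hostnames of every http(s) link found in the text.
def link_hosts(text)
  text.to_s.scan(%r{https?://([a-z0-9.-]+)}i).flatten.map { |h| h.downcase.chomp(".") }
end

# Match the domain itself or any subdomain, but not look-alikes such as "notthisdomain.com".
def watched_host?(host)
  WATCHED_HOSTS.any? { |d| host == d || host.end_with?(".#{d}") }
end

# Returns [action, reason]. The account-level rule applies to every trust level;
# the two approval rules apply to TL0 only, as in the proposal.
def evaluate(post)
  body_hosts = link_hosts(post.body)
  all_hosts  = body_hosts + link_hosts(post.title)
  return [:moderate_account, "link to watched domain"] if all_hosts.any? { |h| watched_host?(h) }
  return [:allow, nil] unless post.trust_level.zero?
  return [:require_approval, "digits in title"] if digit_count(post.title) > DIGIT_LIMIT
  return [:require_approval, "multiple links"] if body_hosts.size > LINK_LIMIT
  [:allow, nil]
end

# Constructed sample posts (not taken from the forum's logs).
SAMPLES = [
  Post.new(trust_level: 0, title: "Call 1-800 555 0199 now", body: "help"),
  Post.new(trust_level: 0, title: "Two links", body: "http://a.example/x and https://b.example/y"),
  Post.new(trust_level: 2, title: "Deal", body: "see http://shop.thisdomain.com/offer"),
  Post.new(trust_level: 0, title: "Error 404 on Rails 7 deploy", body: "Stack trace attached"),
].freeze

SAMPLES.each { |p| puts format("%-30s %p", p.title, evaluate(p)) }
```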

This is easily doable today, see: auto block first post regex , adjust it to taste!

I will see if I can split that setting up so there is a separate one for title and body…

One sec, did any of the spam actually land? It is hard to tell if the fast typing would have caught it anyway.

Also no idea how that is passing the built-in entropy test for body. Did you disable that?


According to the logs, it was caught by TL0-moderate. Previously others have been caught by fast-typing so I assume fast typing is checked first? If not I can disable our Twitter-poster and turn the TL0-moderate off for a few hours to see if they continue to get caught (probably tomorrow as the weekends are our quietest periods) - just let me know if you need me to do that.

That would be cool - there’s definitely a pattern, but it’s only in the titles at present.

I had changed them to 3 (not sure why :/) reverted now :blush:

Pleased to update the last spam from this group was 2 days ago :slight_smile:

However, they do seem to attack periodically - usually a couple of times a year per site with the attack lasting several days. I’ll report back if we encounter it again.

Huge thanks to the DC team for all their help and their continued intense dislike of spam and doing everything they can to minimise it :thumbsup:
