Our forum is getting "bamwar" spam


(Joshua Granick) #1

Our forum at http://www.openfl.org has been under attack from spam bots :frowning:

What once was a quiet hamlet became pages and pages of spam. We now have discourse-akismet installed; the good news is that it properly detects incoming new spam whenever it runs. With great effort, we deleted all of the older posts that had already gone through.

The bad news is that the spam traffic continues, while reading this post we had 20 more. Akismet is run every 10 minutes, is there something that could be done before that happens?

For example, what if there was a way to detect “probable spam”, keeping a post hidden for 10 minutes or so, so there is time for it to be run against Akismet? If it is not spam, it could be shown and new post notifications could go out, no real harm is done.


(Scott Trager) #2

Ouch - getting hit with a Bamwar is never fun :frowning: - this can go on for days…

@sam - is there any way to adjust the settings on Akismet to be more effective against this kind of spam? We’ve had a number of bamwar “campaigns” hit our forums over the years and they are a real pain to clean up after.


#3

I’d like to know this too - Our existing xenForo install gets a fair amount of spam signups/threads every day and I’d like to have that problem go away when we move to Discourse at the end of August.

Does Akismet not scan every post as it's made?


(Kane York) #4

Should we add a “delete spam” bulk action? So you could clean it all up from the topic list.


(Joshua Granick) #5

Akismet has helped tremendously to fight the “wake up to tons of spam on the forums” problem.

You can see in the image that @strager took that within the 10-minute window (before the “CheckForSpam” job is run) it continues to pile up. We have temporarily disabled new user registrations – certainly not a good long-term solution – until (hopefully?) this quiets down.

We did start a poll to vote for our favorite spammer:


(Erlend Sogge Heggen) #6

That seems overly drastic. Wouldn’t a better initial measure be to require approval-by-moderator for all first-time posts?


(Dean Taylor) #7

It looks like Trust Level 0 users are checked faster than every 10 minutes…
… what Trust Level are the default for your new users?


(Neil Lalonde) #8

Instead of disabling new user signups, try using the “approve post count” setting. Set it to 1 so you have to review the first post from every new user before it appears.


(Jeff Atwood) #9

Have you manipulated trust defaults or other Discourse new user settings? New users are strictly rate limited so once you add Akismet to check for human spammers (which these are) you should not have a problem.

Also trust level 0 users are required to pass through Akismet before posting. We also recently added topic title as a check for Akismet so make sure you are on the latest version of our official Akismet plugin!

I strongly suspect you may have changed these defaults? If so I strongly recommend you revert them to default.


(Jeff Atwood) #10

I just cleaned up a bamwar on talk.commonmark.org so I have info.

Here are the accounts that were used:

ariel122iori@gmail.com
dlcjsghk4@gmail.com
argie121ikuya@gmail.com
alchemy1236emori@gmail.com
mingoksong@gmail.com
antook1316ikuei@gmail.com
aagaard1165akashi@gmail.com
aakre1167akifumi@gmail.com
aaker1166aki@gmail.com
anacino1162aiji@gmail.com
anchor1289gengo@gmail.com
andrei1294genya@gmail.com
ando1292genki@gmail.com
andrews1295giichi@gmail.com
aadland1164aiya@gmail.com
andy1296ginga@gmail.com
angel1298gou@gmail.com
angela1299gouki@gmail.com
angeles1300goushi@gmail.com
annjo1312ikkei@gmail.com
anthony1313ikki@gmail.com
antilop1314ikkou@gmail.com
antonio1315iku@gmail.com
cameronbrown02@mail.com
gfdhgfhg433@gmail.com
jajahgdgad187@gmail.com
ertetwetg78@gmail.com
ttttttttttt1478@gmail.com
shooipoip478@gmail.com
fgdfhdh154@gmail.com
jamypineda1234@gmail.com
meguilapascubillo4787@gmail.com
pineschuway489@gmail.com
delmadela1234@gmail.com
bong289balo@gmail.com
durtkadurdksak@gmail.com
javina111malay@gmail.com
rkdskadksak@yahoo.com
eocldksak@gmail.com
forisj0828@nate.com
tmxktkdan5@gmail.com
didwodksak@gmail.com
estillertricia63@gmail.com
anne998ann@gmail.com
raudi885dew@gmail.com
jona109jo@gmail.com
alona268bane@gmail.com
tricia594trish@gmail.com
wanda213dang@gmail.com
jhoy789jo@gmail.com
vip043680@naver.com
p01072896066@gmail.com
kalamansi123juice@gmail.com
qfafafaa@yahoo.com
afafafqfwqfq@yahoo.com
hbt9126@gmail.com
balagtas158junya@gmail.com
balagyas159kadoma@gmail.com
cessyah@email.com
baldo162kai@gmail.com
balatbat161kageki@gmail.com
bernard456pot@gmail.com
ldh5429@gmail.com
cessyah1330@gmail.com
park791212@gmail.com
qkrehdrb2016@daum.net
p01066037635@gmail.com
yabam100@gmail.com
ganutan456anthony@gmail.com

69 unique email accounts so far. Seems to be using gmail (almost) exclusively, and possibly Google auth login as well.

Here are the IP ranges that got banned after deleting all those users as spammers:

Commonalities are:

210.89.162.*
211.233.*
104.131.*

And that’s… about it, really, pretty good variety of IPs here. I haven’t geolocated them yet but that might assist as well. As you can see they have a lot of users and they mostly come from different IPs and unique email addresses on a legit provider which makes this more challenging. (The ultimate challenge is when they all come from Tor, but this is not that.)

I went ahead and bumped up two Discourse site setting defaults to assist in blocking this kind of human spam in the future:

rate_limit_new_user_create_topic: 120 (was 60, this is in seconds)
max_topics_in_first_day: 3 (was 5)

These should only affect TL0 users, but we do prevent first day new topics in total for the first 24 hour life of the account.
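The two signals in the post above (shared IP ranges behind a burst of fresh accounts, and almost all of them on one free mail provider) can be checked mechanically over a signup log, and the two settings can be expressed as a simple per-account gate. The following is an added example, not Discourse or discourse-akismet code: the signup records are constructed (the ranges echo the prefixes named in the post, the hosts and addresses are made up), and the interpretation of `rate_limit_new_user_create_topic` and `max_topics_in_first_day` as "minimum seconds between topics" and "topic cap in the first 24 hours" is this example's own assumption.

```python
"""Group new-account signups by IP prefix and mail provider to spot a
bamwar-style burst, and gate topic creation the way the two settings
in the post are read here. Example code, not the Discourse project's own.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample signups: (UTC timestamp, email, signup IP).
# Ranges mirror the post; hosts and addresses are invented.
SIGNUPS = [
    ("2015-07-20T09:00:12", "acct01@gmail.com", "210.89.162.14"),
    ("2015-07-20T09:04:50", "acct02@gmail.com", "210.89.162.77"),
    ("2015-07-20T09:11:03", "acct03@gmail.com", "210.89.162.5"),
    ("2015-07-20T09:25:40", "acct04@gmail.com", "210.89.162.201"),
    ("2015-07-20T09:30:00", "acct05@gmail.com", "211.233.40.8"),
    ("2015-07-20T09:33:15", "acct06@gmail.com", "211.233.41.9"),
    ("2015-07-20T09:40:00", "acct07@gmail.com", "211.233.40.120"),
    ("2015-07-20T10:02:00", "acct08@gmail.com", "104.131.22.3"),
    ("2015-07-20T14:15:00", "dev@example.org", "198.51.100.23"),
    ("2015-07-20T18:42:30", "someone@example.net", "203.0.113.77"),
]


def prefix(ip: str, bits: int) -> str:
    """Network prefix of an address (e.g. 210.89.162.14 -> 210.89.162.0/24)."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def signup_bursts(records, window_hours=1, bits=24, threshold=3):
    """Return {prefix: count} for prefixes that saw at least `threshold`
    signups inside any `window_hours`-long span (sliding window per prefix).
    Widening `bits` to 16 groups the /16 commonalities the post lists."""
    window = timedelta(hours=window_hours)
    by_prefix = defaultdict(list)
    for ts, _email, ip in records:
        by_prefix[prefix(ip, bits)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pfx, times in by_prefix.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pfx] = best
    return flagged


def provider_share(records):
    """Fraction of signups per mail domain; a burst that is nearly all one
    free provider is the 'gmail (almost) exclusively' signal from the post."""
    counts = Counter(email.rsplit("@", 1)[1].lower() for _, email, _ in records)
    total = sum(counts.values())
    return {domain: n / total for domain, n in counts.items()}


def may_create_topic(now, created_at, previous_topics,
                     rate_limit_seconds=120, max_first_day=3):
    """Gate a new topic for a fresh account. Assumed semantics of the two
    settings: at most `max_first_day` topics during the account's first 24 h,
    and `rate_limit_seconds` between consecutive topics. All times are ISO
    strings. Returns (allowed, reason)."""
    now_dt = datetime.fromisoformat(now)
    created_dt = datetime.fromisoformat(created_at)
    prev = sorted(datetime.fromisoformat(t) for t in previous_topics)
    if now_dt - created_dt < timedelta(days=1) and len(prev) >= max_first_day:
        return False, "max_topics_in_first_day"
    if prev and (now_dt - prev[-1]).total_seconds() < rate_limit_seconds:
        return False, "rate_limit_new_user_create_topic"
    return True, "ok"


if __name__ == "__main__":
    print("bursts by /24:", signup_bursts(SIGNUPS))
    print("bursts by /16:", signup_bursts(SIGNUPS, bits=16))
    print("provider share:", provider_share(SIGNUPS))
```

Run against the constructed sample, the /24 grouping flags only the 210.89.162.0/24 burst, while the /16 grouping also surfaces 211.233.0.0/16, which is why the post's commonalities are listed at different prefix lengths; the provider share shows 80% of signups on one domain. The gate is where a moderator would plug the thresholds from the post, and it reports which of the two limits tripped so the rejection can be logged.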


(Kane York) #11

Hmm, maybe someone found a way to bot Google account signups, sold a batch of “clean” accounts to the spammers, and the spammers were using the Google OAuth to sign in without going through the email confirmation.

Yeah, looks like these guys love Google accounts: Stop Forum Spam IP Check - 213.229.75.30 (! that IP was not included !)


(Jeff Atwood) #12

I just checked, and these are almost all IP ranges from South Korea. So that’d be another way to slow these guys down, if we had a geolocate IP at the time of signup check, and you could block certain countries from registering, that’d be a cool plugin!

Note that they do have a handful of other country IPs mixed in there like the one from Italy, and another from NY, so I think they have a few tricks up their sleeve if they keep getting blocked based on geolocation of IPs.


(Erlend Sogge Heggen) #13

Or, not quite as drastically, you could have a TL-1 tier, that “suspicious IPs” were automatically started out on. TL-1 users would face even higher rate limits, fewer max topics and require post approval.


(Jeff Atwood) #14

Well, we want to make more use of “blocked” user state (right now, only used in one specific spam instance, posting lots of duplicate URLs) and also the approval queue, so…


(cpradio) #15

Not to go too far left field, but is talk.commonmark using the Akismet plugin? Did the bamwar spam get past that?


(Jeff Atwood) #16

No, we want to look at mitigation before it even gets to Akismet in this case. This kind of spam should be stopped in a variety of different ways, “defense in depth”, etc etc etc etc


(Joshua Granick) #17

@DeanMarkTaylor Thanks for the code snippet :smile:

We had tried Trust Level 0 (we use Trust Level 1 by default) but had not seen improvements. Seeing that Akismet is triggered in this way (should it be first number of posts instead?) is helpful.

I like Trust Level 1 better because it has been common for legitimate users to sign up for the first time just to share screenshots and links for a new game they have developed. Otherwise, these end up being “I don’t know why, but I can’t post images” type posts.


(Dean Taylor) #18

I’ve asked this question before; @codinghorror kindly pointed me toward the newuser max images setting, which allows you to change the maximum number of images a TL0 user can upload per post. For me I set it to 2, no complaints since.


(Jeff Atwood) #19

As @deanmarktaylor noted, just edit the setting to allow 1 image per new user. If you make TL1 the default without some kind of external vetting (paid accounts, or SSO) you will be in a world of hurt and suffering pretty quickly.


(Jeff Atwood) #20

I updated my earlier post with final stats.

OK, phase 1 of improvements here is going out. I want to be coy about the specifics because spammers, but you can read commit logs for today and yesterday to get more detail.

We should be much more resistant to casual 100% human spamming now, as well as any potential browser scripted spam.

(But from what we saw, and the data we gathered, bamwar is unquestionably human spam. Very, very persistent and annoying human spam with lots of IP addresses and valid emails at their disposal.)