"Questionable" account checks at the time of signup?


(Gabriel Mazetto) #1

Why do that, when you can use “Project Honeypot”, which does it in a much better, distributed way.

We can also check IP address during the registration, to require admin approval:
http://www.projecthoneypot.org/

The best part is that you do all the checks with simple DNS requests that will be cached by your DNS provider.

I’m sorry for not suggesting this first (I just came around it a few days ago). @codinghorror, do you think this can be added?


(Jeff Atwood) #2

Checks at the time of account creation I am definitely in favor of, that is a very inexpensive time to do checks.

edit: I don’t know if this would help with the original problem, which was about spam accounts created using Tor exit point IPs, but I think it is a good idea in general.


(Lowell Heddings) #3

Love it. That would definitely solve the problem for just about everybody.


(Jeff Atwood) #4

I would not expect account creation checks to be a silver bullet, but it might reduce some signups that are questionable. It’s a game of percentages.


(Lowell Heddings) #5

For a tech forum there’s virtually no reason for anybody to be using Tor anyway.

I understand the reason for needing Tor and allowing people to exercise their free speech in oppressive countries and speak out without getting persecuted… it just doesn’t apply to a lot of forums, and anybody signing up for my forum using Tor is probably trying to do something they shouldn’t.


(Jeff Atwood) #6

Just throwing in some more signup-time IP checks that @downey recommended.

I guess reaching a threshold with account signup checks would force the account into the manual approval queue, which we already have. Might be kind of annoying to have several of these accounts appear every day in your queue though, when you don’t normally approve new accounts.


(Jeff Atwood) #7

Just summarizing for @techapj who is going to experiment with doing these checks and logging the results, here are the services to check new user signup IPs against:

  1. Blocklist Removal Center - The Spamhaus Project
  2. SpamCop.net - Blocking List ( bl.spamcop.net )
  3. Inspect an IP | Project Honey Pot
  4. http://www.stopforumspam.com/search
  5. Tor Network Status -- Tor Exit Query

Interestingly, this may present a problem… if a user logs in from a validated email service, say, Facebook or Google, they don’t have to wait for an email with a link to have a valid account, they have a valid account immediately after signing up and can begin posting – subject to standard new user sandbox rate limits, of course.

It’s almost like you can’t really approve someone’s account until you hear back from these ~5 different services, to know if the user account should be put in a manual approval queue first.

Well, anyway, @techapj will experiment with doing these checks at signup time, see how long they take, and log the results behind the scenes. No user-facing UI or outcome yet.

(The other potential problem is users who sign up for a new user account from a “good” IP and then switch to an “evil” IP later. Not sure how realistic that is, though…)

edit: we are putting this on hold for a bit as the last few live spammer IPs we checked against these 5 lists had basically zero hits across all lists :warning: . We’ll continue to spot check live spammer IPs against the 5 lists above, but it isn’t looking so good as a “magic bullet” to prevent spammers from signing up at this point.


(Jeff Atwood) #8

This wiki reply will contain the result of manual spammer lookups by IP against the above lists.

Copy this template as you do lookups and edit the results.

182.189.141.173 at 14-09-29 on meta

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → no hits
  5. Tor node → no

122.177.148.29 at 14-09-29 on bbs

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → possible mail server
  4. Stop Forum Spam → no hits
  5. Tor node → no

65.49.68.178 at 14-09-29 on bbs

  1. SpamHaus → CBL hit: appears to be infected with a spam sending trojan, proxy or some other form of botnet.
  2. Spamcop → no hits
  3. Project Honeypot → no hits, seen by honeypot
  4. Stop Forum Spam → 2 hits
  5. Tor node → no

118.113.226.223 on HTG

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → no hits
  5. Tor node → no

39.55.161.2 on HTG

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → no hits
  5. Tor node → no

182.186.166.231 at 14-09-30 on meta

  1. SpamHaus → CBL hit: It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
  2. Spamcop → no hits
  3. Project Honeypot → The Project Honey Pot system has detected behavior from the IP address consistent with that of a dictionary attacker
  4. Stop Forum Spam → 1 hit
  5. Tor node → no

182.186.155.223 at 14-10-01 on meta

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → 3 hits
  5. Tor node → no

111.95.159.184 at 14-10-02 on bbs

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → no hits
  5. Tor node → no

39.36.229.35 at 14-10-02 on meta

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → 3 hits
  5. Tor node → no

182.186.190.155 at 14-10-12 on meta

  1. SpamHaus → no hits
  2. Spamcop → no hits
  3. Project Honeypot → no hits
  4. Stop Forum Spam → 1 hit
  5. Tor node → no

(Jeff Atwood) #9

Don’t list PBL hits… that’s meaningless. It just means the IP is a “home” computer and shouldn’t be running a mail server or sending mail. But posting a message on Discourse is not sending an email, that’s just using a web browser, which a home IP address can definitely be doing.

http://www.spamhaus.org/pbl/query/PBL1546707

This IP address range has been identified by Spamhaus as not meeting our policy for IP addresses permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.
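The DNS-based part of the signup check discussed in this thread (Spamhaus, SpamCop and Project Honey Pot's http:BL, which are queried by reversing the IPv4 octets and looking up an A record under the list's zone) together with the threshold-to-manual-approval idea from #6 and the PBL caveat from #9, as an added example in Ruby. This is not Discourse code and not a patch anyone in the thread posted. It assumes a hypothetical `signup_risk` scoring function and a hypothetical `examplekey` http:BL access key; the stub resolver and the 192.0.2.x addresses are constructed so the block runs offline. Stop Forum Spam and the Tor exit query are HTTP services rather than DNS zones and are left out.

```ruby
require 'resolv'
require 'ipaddr'

# Reverse the dotted quad, as every DNSBL query requires (1.2.3.4 -> 4.3.2.1.zone).
# IPv4 only: IPv6 listings use a nibble-reversed form that this example does not cover.
def dnsbl_name(ip, zone)
  raise ArgumentError, "IPv4 only: #{ip}" unless IPAddr.new(ip).ipv4?
  "#{ip.split('.').reverse.join('.')}.#{zone}"
end

# Live resolver: A-record lookup, empty array on NXDOMAIN (the "not listed" answer).
# Spamhaus refuses queries relayed through large public resolvers, so run your own.
DEFAULT_RESOLVER = lambda do |name|
  Resolv::DNS.open { |dns| dns.getaddresses(name).map(&:to_s) }
end

# Spamhaus ZEN return codes. XBL (127.0.0.4-7) carries the CBL "infected / botnet"
# listings seen in the lookups above; PBL (127.0.0.10-11) only says "home IP, should
# not run a mail server", which is meaningless for a browser-based signup (post #9).
SPAMHAUS_CODES = {
  '127.0.0.2' => :sbl, '127.0.0.3' => :sbl_css,
  '127.0.0.4' => :xbl, '127.0.0.5' => :xbl, '127.0.0.6' => :xbl, '127.0.0.7' => :xbl,
  '127.0.0.10' => :pbl, '127.0.0.11' => :pbl
}.freeze

def check_spamhaus(ip, resolver = DEFAULT_RESOLVER)
  resolver.call(dnsbl_name(ip, 'zen.spamhaus.org'))
          .map { |a| SPAMHAUS_CODES.fetch(a, :unknown) }.uniq
end

def check_spamcop(ip, resolver = DEFAULT_RESOLVER)
  !resolver.call(dnsbl_name(ip, 'bl.spamcop.net')).empty?
end

# http:BL: query <access key>.<reversed ip>.dnsbl.httpbl.org; the answer is
# 127.<days since last activity>.<threat score>.<type bitmask>
# (type bits: 1 suspicious, 2 harvester, 4 comment spammer; 0 = search engine).
def check_httpbl(ip, access_key, resolver = DEFAULT_RESOLVER)
  answer = resolver.call("#{access_key}.#{dnsbl_name(ip, 'dnsbl.httpbl.org')}").first
  return nil unless answer
  octets = answer.split('.').map(&:to_i)
  return nil unless octets.length == 4 && octets[0] == 127
  { days: octets[1], threat: octets[2], types: octets[3] }
end

# Hypothetical scoring: each list contributes points, and reaching the threshold
# sends the new account to the manual approval queue instead of blocking it outright.
def signup_risk(ip, access_key:, resolver: DEFAULT_RESOLVER, threshold: 2)
  score = 0
  reasons = []
  listings = check_spamhaus(ip, resolver) - [:pbl] # drop PBL: not a spam signal here
  unless listings.empty?
    score += 2
    reasons << "spamhaus:#{listings.join(',')}"
  end
  if check_spamcop(ip, resolver)
    score += 1
    reasons << 'spamcop'
  end
  hb = check_httpbl(ip, access_key, resolver)
  if hb && (hb[:types] & 0b110) != 0 # harvester or comment spammer bits set
    score += 2
    reasons << "httpbl:#{hb[:threat]}"
  end
  { score: score, reasons: reasons, manual_approval: score >= threshold }
end

# Constructed answers so the example runs offline: 192.0.2.10 is XBL-listed and a
# known comment spammer; 192.0.2.20 is only on the PBL (a plain home connection).
STUB_ANSWERS = {
  '10.2.0.192.zen.spamhaus.org' => ['127.0.0.4'],
  'examplekey.10.2.0.192.dnsbl.httpbl.org' => ['127.3.40.4'],
  '20.2.0.192.zen.spamhaus.org' => ['127.0.0.10']
}.freeze
STUB_RESOLVER = ->(name) { STUB_ANSWERS.fetch(name, []) }

if __FILE__ == $PROGRAM_NAME
  %w[192.0.2.10 192.0.2.20].each do |ip|
    puts "#{ip}: #{signup_risk(ip, access_key: 'examplekey', resolver: STUB_RESOLVER)}"
  end
end
```

Swapping `STUB_RESOLVER` for the default runs the same checks against the live zones; because the answers are ordinary A records, a local caching resolver absorbs repeated lookups of the same address, which is the cost advantage #1 points out. The weights and the threshold are illustrative, and the thread's own spot checks show why the decision should be "queue for review" rather than "reject": most of the sampled spammer IPs hit none of the lists.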