Server Help

Trash Talk - Anti-spam harvesting

Mine GO BOOM - Thu Sep 21, 2006 3:59 pm
Post subject: Anti-spam harvesting
Being a good server admin, I try to check the logs as often as I can to find weird things. Well, last night something weird happened: I got a browser whose user agent string was dragonfly(ebingbong@playstarmusic.com). A quick Google search resulted in exactly what that user agent means.

Turns out that it is a spam harvester. Wonderful. Do a full scan of any activity that this bot has done:
Code:
72.29.233.182 - - [25/Aug/2006:22:17:38 -0700] "GET /robots.txt HTTP/1.1" 200 464 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [15/Sep/2006:20:47:42 -0700] "GET / HTTP/1.1" 200 42550 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /groupcp.php?g=5&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 21694 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /profile.php?mode=signup&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14963 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /viewtopic.php?p=65284&sid=3dd0955fd6ca58328e8156a24a4128fa#65284 HTTP/1.1" 200 47409 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /profile.php?mode=viewprofile&u=144&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:39 -0700] "GET /profile.php?mode=viewprofile&u=241&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14333 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=309&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=1085&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 13950 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=824&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 13950 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=277&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=955&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:07 -0700] "GET /profile.php?mode=editprofile&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 302 - "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:08 -0700] "GET /login.php?redirect=profile.php&mode=editprofile HTTP/1.1" 200 14842 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:08 -0700] "GET /viewtopic.php?p=65286&sid=3dd0955fd6ca58328e8156a24a4128fa#65286 HTTP/1.1" 200 38543 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:07 -0700] "GET /faq.php?sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 61091 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:09 -0700] "GET /profile.php?mode=viewprofile&u=81&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:09 -0700] "GET /profile.php?mode=viewprofile&u=225&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14333 "-" "dragonfly(ebingbong@playstarmusic.com)"

As you can see, it did a check a long time ago to find out information about the site. Then last night, it made a quick attack and grabbed a bunch of email addresses, both from topic viewing, group listings, and then direct profiles on people posting in those topics. I assume it went into the profiles to grab IM account numbers/names.

To try my part at trying to prevent spam attacks, I disabled public viewing of anyone's email address. What does this mean? It means, if you are registered, nothing is different. Hover over an email link, and it is a real email link to that user. If you are a guest browsing, you are redirected to the forum's built-in emailing feature, which then forwards you to login. Thus, no bot will be able to view email addresses anymore, and search engines' caches of the site will no longer include email addresses.

Want this on your forums too? In includes\functions.php find the function named init_userprefs. Inside the first if statement checking $userdata['user_id'] != ANONYMOUS just throw in the following statement anywhere inside the brackets:
$board_config['board_email_form'] = 0;

Now go into the admin panel for your forums, the General Configuration section and set User email via board to enabled. Save files and settings and check your forums out as a user and as a guest.

This does not protect users from posting emails in messages or IM accounts. IM accounts I'm not going to bother protecting (unless you guys really get spammed, all mine are set to auto-block anything unless on my list already) and in messages I don't feel that it is being done very heavily. But it won't be hard to make the public's viewing of email accounts in text be non-linked and shown as [EMAIL: bob .at. blah .dot. com] or something equally as stupid and not used yet.

Server Help Forums - Protecting you when it may start to affect me
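
The log review in the post above keyed on an unusual user agent string. As an added example (not part of the original post), this Python sketch flags the same behaviour by request pattern instead: one client viewing many distinct phpBB profiles in a short window. The function names, thresholds and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

def profile_id(url):
    """Return the u= value if the request is a phpBB profile view, else None."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.path.endswith("/profile.php") and q.get("mode") == ["viewprofile"]:
        return q.get("u", [None])[0]
    return None

def find_profile_enumerators(lines, min_profiles=5, window=timedelta(seconds=60)):
    """Flag IPs that view >= min_profiles distinct profiles within `window` (assumed thresholds)."""
    hits = defaultdict(list)                      # ip -> [(time, user id, agent)]
    for line in lines:
        m = LOG_RE.match(line)
        uid = profile_id(m["url"]) if m else None
        if uid is None:
            continue                              # malformed line or not a profile view
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((when, uid, m["agent"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(events)):            # sliding time window over this client's views
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({uid for _, uid, _ in events[start:end + 1]}))
        if best >= min_profiles:
            flagged[ip] = {"profiles": best, "agents": sorted({a for _, _, a in events})}
    return flagged

# Constructed sample (documentation IPs, made-up agents), not taken from the log in the post.
def sample_log():
    fmt = '{ip} - - [21/Sep/2006:10:00:{s:02d} -0700] "GET /profile.php?mode=viewprofile&u={u} HTTP/1.1" 200 14334 "-" "{ua}"'
    bot = [fmt.format(ip="192.0.2.10", s=i, u=100 + i, ua="Mozilla/4.0 (compatible)") for i in range(6)]
    human = [fmt.format(ip="198.51.100.7", s=i * 20, u=5 + i, ua="Mozilla/5.0 (X11)") for i in range(2)]
    return bot + human + ["garbage line"]
```

With these thresholds, the log excerpt in the post would also be flagged: 72.29.233.185 viewed seven distinct profiles between 23:46:38 and 23:46:40.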

Solo Ace - Thu Sep 21, 2006 4:40 pm
Post subject:
So...

Chambahs is the only one who got screwed?
BDwinsAlt - Thu Sep 21, 2006 5:25 pm
Post subject:
Wow that's gay. What kind of retard would do something like that? I wouldn't waste my time making a bot that collects email addresses and sends people junk email. I only read emails from people I know.
Mine GO BOOM - Thu Sep 21, 2006 5:51 pm
Post subject:
Look at the user profiles, there are a bunch listed (see the userid=XXX?). As for who does it? There is lots of money in junk mail. Want evidence? Look at your spam in your own email box. If there wasn't money there, you wouldn't see that much junk.

In fact, there is so much money there, that a bunch of viruses now are designed to make your computer into relays for spam or into the harvesters themselves. Read almost any research done into viruses that start up IRC bots and see what type of commands are very common: DDoS and Email.
Quan Chi2 - Thu Sep 21, 2006 11:29 pm
Post subject:
Oh man. This is probably a new potential phpBB exploit. AWESOMNESS!!

No, but seriously, that must bite for Chambahs, but at least I wasn't screwed, so we can all be happy. :) The end.
Cerium - Fri Sep 22, 2006 12:05 am
Post subject:
The real question is why these bots don't just report themselves as known browsers? I don't support the spammers in any way, but if you're going to go through all the effort, why not at least do that much? That way, people like MGB here aren't able to see and counter their activity as easily.
Mine GO BOOM - Fri Sep 22, 2006 12:18 am
Post subject:
Quan Chi2 wrote:
Oh man. This is probably a new potential phpBB exploit. AWESOMNESS!!

You are just stupid. Bots have been harvesting for a long, long time. I just forgot about the fact that they still pick off these forums, and since I've added protection from bots registering, the email-protection I enabled will work wonderfully. And Cerium is right, this one was just a stupid one.

Take for example the email I use to post on shanky.com or Server Help's front page: that's just a honey pot and is loaded with junk. Not once has anyone actually sent a valid email address to it. So you guys are not in the clear, your email address has long ago been harvested. But in the days of '6 million valid email addresses' the market is demanding email addresses that are fresh. So, unless you've clicked links or had your client download off-site pictures in a message and your email address is not harvested for the next 3-6 months or so, you'll get slightly less spam because the age of your address will be too old that the big names will not add them to their latest sales.
Chambahs - Fri Sep 22, 2006 4:20 pm
Post subject:
WTF? Nothing happened to me...what are you guys talking about?
K' - Fri Sep 22, 2006 6:11 pm
Post subject:
Mine GO BOOM wrote:
Take for example the email I use to post on shanky.com or Server Help's front page: that's just a honey pot and is loaded with junk.

I still be paying for posting news on that page with me real email.
Chambahs - Sat Sep 23, 2006 4:11 am
Post subject:
Right...so anyone wanna tell me why "I got fucked"?
Cerium - Sat Sep 23, 2006 4:20 am
Post subject:
Well... Your father has an attraction to young boys and you like to sleep on your stomach.
Anonymous - Sun Jun 08, 2008 10:18 pm
Post subject:
I still don't get what happened here :(
Dr Brain - Sun Jun 08, 2008 10:28 pm
Post subject:
It took you 2 years to post how you didn't understand something?
Anonymous - Sun Jun 08, 2008 10:45 pm
Post subject:
Lmao, no, I was just revisiting the forums (killing time) and I stumbled across this topic. Care to explain?
Samapico - Mon Jun 09, 2008 8:44 pm
Post subject:
oh LOL
I thought this was a recent issue hahahaha

I presume you had made your email visible or something
All times are -5 GMT