[Dshield] Under attack by bloggers

Chris Wright dshield at yaps4u.net
Tue Jan 31 13:02:58 GMT 2006


This is a quick reply, so I haven't had time to confirm the exact details,
but...

When I had the latest and greatest PHP version installed on a public test
server I own, I was intending to see what sort of activity from the spammers
it would get.  

I 'think'  (first unchecked assumption), that if you go check your list of
members you will see that there are quite a few who have never completed the
sign up process.
What I believe the spammers to do is to apply for an account, but they never
intend to complete the process.  
By attempting to create a new account on your phpBB installation, they have
already managed to leave a fake email, and, the main aim of a link to some
dodgy site.
It is the member list pages that they are after infecting. 
There are some scripts out there that will then if succesful try and log in
and create spam posts, but the member list page on my test blog was full up
within weeks and I think this was their main aim (second unproven
assumption).

I had an automatic verification requirement of their email set up, (so once
they replied to an account, they had to respond to the application).  Since
most of the applications used false email addresses, they never actually got
set up.  It wasn't until a few days later when I checked the list of members
because that table seemed larger than I expected when I found all of the
Spammer created accounts waiting to set up.

phpBB does not remove accounts that have failed to complete the sign up
process (may be it should do after a preset amount of time, at least have a
manual clean function).

Perhaps phpBB could do with a better verification process when a user
submits an email address. It might be time to use a similar process to that
used by most bloggers.
(In fact I think its time I headed over the the phpBB forum and checked out
to see if any of these are in the pipeline, or suggest some new ways if need
be).

To get round the problem was quite simple in the end, and it's the same sort
of thing I did with most of my blogger installations...
i. Do a search and replace for the sign up page filename and change it to
something completely different. (Instead of signup.php for example, change
it to 42theanswer.php).

Most of the spammers scripts are so damned stupid, once the find a site that
has phpBB installed, they go look and load 'signup.php' and nothing else.
In the 4 years I've ran various blogs and flavours of phpBB it beats 99.99%
of them (first known assumption :)  You might get the odd manual spammer,
but it is nothing in comparisson to the hits you get without renaming it.
I even started to write a PHP script to automatically rename the files but
I've never needed to install it (so I never finished it).
Its not as if someones says "hey, double u double double u dot some great
site dot com has a phpBB" and they think let me go direct to 'signup.php',
since they almost always go to that page via the main index or similar. So
renaming the page doesn't hit you on site rankings, people unable to find
the page etc.
And when they do wise up and scan the indexes to locate the true link it
will take so much of their resources to scan for all the page links it won't
be worth there while. (And then I'll finish my script so they will have to
do it regulary.

As regards to Blogger, I have been an active advisor on a number of blogger
forums for some while and it has been a problem that has incresed more since
Google took over.  But this was simply down to the massive uptake by Joe
Public to get a blogger blog.
At first Blogger didn't have any verification steps during the submission of
a comment or trackback, but now they have.  Since they installed that
feature, it has dropped a lot, but is still open to abuse.
They also have a report button on their taskbar which allows you to report a
Spam Blog (the new correct term for the spam blog escapes me right now).
Simalary, they also scan their blogs and use a rating system and will
suspend any blog they suspect to be Spam based, or has links to lots of
blogs with no relevent content.  Some people are being hit and have to
appeal, but it has reduced the amount of bad blogs out there, (but it is
still a major problem, so they are working on it).
Plus, there are moves afoot to add some new features in the future similar
to those used on Moveabletype (MT) but we don't know when they will arrive
and they are only rumblings in various forums.

Regards

Chris


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Malcolm Warden
> Sent: 31 January 2006 11:03
> To: list at lists.dshield.org
> Subject: [Dshield] Under attack by bloggers
> 
> I installed some new code to my phpbb last night to catch any 
> attempt to create a new user account by a spambot (which, if 
> successful, would then post links back to increase its 
> master's site rating with Google etc).
> I was very suprised to catch the first one within seconds!
> 
> The site has been live for years without any spam 
> registrations and I believe that up to now the robots have 
> failed visual confirmation and just been dropped silently to 
> the floor.
> The concern is that robots are getting smarter so I needed a 
> second line of defence.
> 
> I am now seeing these things at all too frequent intervals - 
> mostly pointed back to blogspot.com. The pages that they link 
> to are meaningless semi-English probably created by a robot 
> but with links on to the usual suspects - poker, loans and sex sites.
> 
> Here are a couple of examples:
> http://enprofessionalpokerchips.blogspot.com/
> http://thatcasinoontariowindsor.blogspot.com/
> http://anringtonesprint.blogspot.com/
> 
> It seems odd to me that blogger.com is now owned by Google 
> but clearly being abused on a grand scale to distort Google 
> and other searches.
> http://www.blogger.com/about
> 
> I could have some fun with this - a small change in the php 
> to censor any link to blogspot 
> that gets through the defences and redirect it to.... The 
> Vatican...   or ...  an abuse page at 
> Google or ...
> 
> Anyone have any ideas about the best way to pass this on to 
> blogger.com or Google themselves? I could easily automate the 
> whole thing to forward the links by e-mail.
> 
> Any other suggestions on what else to do?
> 
> TIA
> 
> Malcom Warden
> -- Malcolm Warden
> 
> [P] 01608 685592
> [F] 01608 685595
> [M] 07905 185406
> 
> 
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of 
> your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org To change your 
> subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 



More information about the list mailing list