The MU forums have moved to WordPress.org

Nothing stops splog and spammers (25 posts)

  1. Caddy
    Member
    Posted 13 years ago #

    I mean nothing.

    site is here http://talkdelaware.com/blogs/

    I have had 200 splogs register in the last 3 days.

    I had security question setup as a password you had to email me to get. They got past that, I changed it, they still got past it. I have Re-Captcha, they get past it.

    I DISABLED NEW SIGNUPS, they STILL are signing up. HOW IS THIS? Am I missing something here?

    I thought it may be a vulnerability in the older MU so I upgraded yesterday, STILL getting in.

    What could it be? HELP....please

    -Caddy

  2. andrea_r
    Moderator
    Posted 13 years ago #

    Then you have existing SPAM USERS creating new splogs.

    Captchas are actually pretty easy for splogs to get around.

    If you are 100% positive you've gotten rid of all spammy users, there's other things you can do:
    - moderated signups
    - bots stoppers on the server level
    - rename the signup file
    - make sure you filled in all the banned email domains in Site Admin -> Options

  3. Caddy
    Member
    Posted 13 years ago #

    can they create new spam users though? and I am 100% sure i dont have any spam users, i only have like 15 blogs and unless one got hijacked by a spammer i know all those people personally.

    i have installed montyspam beta, tested it, and it is working as far as i can see.....now time to wait and see if it works....

    if not ill take those extra steps, thanks andrea!

  4. Caddy
    Member
    Posted 13 years ago #

    welp, monty didn't stop it.

    I have double checked, all the blogs/users i have now are not spam.

    i have disabled registration in admin

    so now if i still get spam, what does that mean? someone is adding them via the database? or is there a vulnerability i dont know about?

  5. andrea_r
    Moderator
    Posted 13 years ago #

    If you still get splogs, start checking your access logs.

  6. Caddy
    Member
    Posted 13 years ago #

    sorry for the newbyness, but how do i do that?

    and yeah, i had 2 new users and splogs since i did that above...

  7. MrBrian
    Member
    Posted 13 years ago #

    Try the wordpress hashcash plugin.

  8. Caddy
    Member
    Posted 13 years ago #

    that seems to be only helpful with comment spam. and fwiw i actually removed the wp-signup.php file in the directory and am still getting signups....

  9. andrea_r
    Moderator
    Posted 13 years ago #

    Access logs are server logs.
    Do you have anything in the banned email domains field?
    Have you started banning IP addresses?

  10. Caddy
    Member
    Posted 13 years ago #

    no i havent done that yet as i am kinda a noob with WP, it is all new to me, I run vbulletin forums mostly.

    but im reading and learning, thanks for you alls help. Ill check my logs at home, blocked here at work :(

  11. MrBrian
    Member
    Posted 13 years ago #

    It's not just for comment spam, it works with signups also.

  12. au8ust
    Member
    Posted 13 years ago #

    I got the same problem.
    Banning email, limited country signup, disable registration, delete the wp-signup.php, de-integrate bbpress, delete bbpress, use re-captcha, use signup question, upgraded to the latest version of wpmu, all of them can't stop splog :(

    One of the splog signed up at my site is using the IP 65.171.115.141 so I looked into the access log...

    65.171.115.141 - - [05/Oct/2008:08:05:09 +0700] "GET /wp-activate.php?key=365b3fcc9ef07937 HTTP/1.1" 200 3769 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    65.171.115.141 - - [05/Oct/2008:07:57:13 +0700] "GET /wp-activate.php?key=ec73c40f3b6383ce HTTP/1.1" 200 3662 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    65.171.115.141 - - [05/Oct/2008:06:23:44 +0700] "GET /wp-activate.php?key=5480009380c6b987 HTTP/1.1" 200 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    65.171.115.141 - - [05/Oct/2008:06:06:31 +0700] "GET /wp-activate.php?key=f94ac39405a650f5 HTTP/1.1" 200 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    65.171.115.141 - - [05/Oct/2008:05:46:52 +0700] "GET /wp-activate.php?key=701003000c6114ae HTTP/1.1" 200 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    The IP address 65.171.115.141 just make directly access to the activation link, no referrer, no prior path.

    Sorry for my bad English.

  13. Klark0
    Member
    Posted 13 years ago #

    HashCash knocks em dead.

  14. Trent
    Member
    Posted 13 years ago #

    I like HashCash as well, but block them at the server as well. If you have Advanced Protection Firewall with linux, I would

    apf -d 65.171.115.141

    Sometimes spammers get creative and get through all the filters and blocking them at the server level is the only way.

  15. au8ust
    Member
    Posted 13 years ago #

    Thanks Trent, I've added the line.

  16. au8ust
    Member
    Posted 13 years ago #

    Hmm.. there must be something wrong, even I've added the deny list in /etc/apf/deny_hosts.rules for 65.171.115.141 I still got spammed by 65.171.115.141 :(

    Will try HashCash now...

  17. lunabyte
    Member
    Posted 13 years ago #

    If you added it manually, did you restart apf?

    if you do it as noted above, it flushes and becomes active immediately.

  18. Caddy
    Member
    Posted 13 years ago #

    ok so i feel dumb after looking back at this...lol

    i checked the emails i was getting, ALL the IP's were the same, so i did a disallow in htaccess and haven't had a 1 since.

  19. au8ust
    Member
    Posted 13 years ago #

    @Caddy - Same me. I've added the IP to deny list in .htaccess and now no more splog :D

    However, I still wondering how could spammer signed up while there is no wp-signup.php ?

  20. andrea_r
    Moderator
    Posted 13 years ago #

    Because they are hitting the activate-new-blog script. The functions for adding a new blogs are scattered in a few different files.

  21. kwatog
    Member
    Posted 13 years ago #

    sorry for replying on this old thread but I need advice. Instead of creating a new thread, I'll just post here as I have the same problem.

    I already did the following :
    Akismet
    hashcache
    signup question
    disabled registration
    blocked certain IPs in .htaccess
    checked wp_capabilities (no other admin)

    Still, I get bogus registrations. No blogs were created but they were able to complete the registration. In effect, they can comment on the blogs.

    My wpmu has only five blogs, all but one was created by me. The other is created by my friend. My wpmu installation has bbpress integrated with it.

    Now, I also installed project honeypot in bbpress. Anything else you can suggest?

  22. andrea_r
    Moderator
    Posted 13 years ago #

    They're coming in thru bbpress. Disable the registrations on it.

  23. r-a-y
    Member
    Posted 13 years ago #

    Follow Andrea's advice for bbPress and also read Darcy Norman's article on restricting spam signups via .htaccess:
    http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/

  24. kwatog
    Member
    Posted 13 years ago #

    yes, they are coming thru bbpress based on the logs. so I implemented the simple plugin in http://bbpress.org/forums/topic/howto-disable-registration just now.

    The fix thru the .htaccess is also good but the spammers has tons of IPs that even if I deny access on certain blocks, the list will still be too many to be placed on .htaccess. But I still left those that are persistent in .htaccess.

    I'm also thinking of using the API of http://www.stopforumspam.com/ although they only allow up to 5000 queries per day. Although there's an option of creating my own API since the database of the IPs is downloadable.

    I'll update the post on the result of the disabling o the registration. By the way, I stopped using bad behavior as it blocks me too.

    Thanks to all!

  25. kwatog
    Member
    Posted 13 years ago #

    after disabling the registration in bbpress, there are no longer.

    I now have the following installed on my wordpress mu
    Akismet
    hashcache
    signup question
    blocked certain IPs in .htaccess

About this Topic