SMF Spam attack problem !!

Discussion in 'vBulletin' started by bluearrow, Nov 12, 2008.

  1. #1
    Since yesterday I've been repeatedly getting spam registrations. I have never had a spam problem before. It seems someone has found a loophole in SMF security.
    Who else is having this problem? :(

    bluearrow, Nov 12, 2008
  2. sawz

    #2
    After the most recent update, I don't think there are any holes at the moment. Someone found your site and decided to dive in.

    What's your registration set to? Email verification? Any captchas in place?

    sawz, Nov 12, 2008
  3. tukarinfobispak

    #3
    tukarinfobispak, Nov 12, 2008
  4. sawz

    #4
    Well, it kinda stinks when someone is willing to sit there and register multiple accounts manually, then spam your forum.

    Banning email addresses, user names and IP numbers is about all you can do with members already registered.

    There is an Akismet Spam Protection mod available at SMF, but it's a little outdated. It might be installable. Haven't tried it lately.

    Something similar had happened to a client, all of a sudden a bunch of new members spamming it up. Maybe something is afoot with SMF. :(

    sawz, Nov 12, 2008
  5. bluearrow

    #5
    This is not just a guy doing it manually. It's a bot attack. I checked on the SMF community forum and this is not just me; it's happening everywhere and for all versions 1.x.x. I have captcha on too, but it bypasses it somehow, it seems.

    The only way to stop this at the moment is using mods: "are you a human" or "reCAPTCHA".

    bluearrow, Nov 12, 2008
  6. sawz

    #6
    sawz, Nov 12, 2008
  7. bluearrow

    #7
    There was another thread which everyone used for crying; they seem to have locked it and put all the information into this one.

    bluearrow, Nov 12, 2008
  8. calum

    #8
    I have www.vizslaforums.com which is a tiny forum. It has a nice small community of people who know each other well. But also (starting 2-3 days ago) we started getting 10-15 spam members registering in a day, it sounds similar.

    It already had email and captcha verification, but I have increased the captcha difficulty and will wait to see if it makes a difference.
     
    calum, Nov 13, 2008
  9. bluearrow

    #9
    Yes, I set the captcha difficulty to high and turned on email activation. It's now been like 20 hours with no new spam registrations.

    bluearrow, Nov 13, 2008
  10. calum

    #10
    Ok, well if it carries on I will look for a mod that stops people from posting links with less than 15 posts.

    None of my members will mind since it is a small community about dogs, so they don't want links anyway.

    The thing is, I run www.computalk.net with vBulletin and it also had a huge rise in spam recently until I implemented a no links mod until members get 15 posts.
     
    calum, Nov 13, 2008
  11. calum

    #11
    Even vBulletin is having problems. Before I implemented the 15 posts needed to post a link, there were 89 spammers on the last day. But having this link limit stops them dead as all the posts have links and the bots can't get around it.

    calum, Nov 14, 2008
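
The rule calum describes (no links until a member has 15 posts) can be sketched as a post filter. This is an added example, not part of the thread and not code from any SMF or vBulletin mod; the function names, the patterns, the short TLD list and the sample posts are assumptions constructed here.

```python
import re
import unicodedata

MIN_POSTS_FOR_LINKS = 15  # threshold quoted in the thread

# Constructed short TLD list; a real deployment would use a fuller one.
TLDS = r"(?:com|net|org|info|biz|ru|cn)"
DOT = r"(?:\.|\s*[\[(]dot[\])]\s*)"  # "." or a spelled-out "[dot]" / "(dot)"

LINK_PATTERNS = [
    ("bbcode", re.compile(r"\[(?:url|img)\b[^\]]*\]", re.I)),
    ("html", re.compile(r"<a\s[^>]*href", re.I)),
    ("scheme", re.compile(r"\b(?:https?|ftp|hxxps?)\s*:\s*/\s*/\s*\S+", re.I)),
    # Bare host names; this also catches e-mail addresses, which is
    # acceptable for a gate that only applies to brand-new accounts.
    ("bare", re.compile(r"\b(?:[a-z0-9-]+" + DOT + r")+" + TLDS + r"\b", re.I)),
]

ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))


def normalise(text):
    """Fold full-width letters and drop zero-width characters before matching."""
    return unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)


def find_links(body):
    """Return (kind, matched_text) for every link-like span in a post body."""
    text = normalise(body)
    return [(kind, m.group(0))
            for kind, rx in LINK_PATTERNS
            for m in rx.finditer(text)]


def check_post(post_count, body, min_posts=MIN_POSTS_FOR_LINKS):
    """Decide whether a member with post_count posts may submit body."""
    if post_count >= min_posts:
        return True, "established member"
    links = find_links(body)
    if links:
        return False, f"{len(links)} link(s) found; links need {min_posts} posts"
    return True, "no links"
```

The same check has to run on edits as well as new posts, otherwise a clean post can be edited into a link afterwards.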
  12. calum

    #12
    I agree SMF is secure. While I admit that I find vBulletin far the best, I can only afford to run it on my biggest forum.

    All the rest run on a mixture of free scripts, right now only MyBB and SMF. SMF is very good, it is easy to use and has many features. I have to say I hate the default theme, but that's the only thing.

    As it is stated in the forum post at SMF, this isn't a hole in SMF, it is just SMF has been a big target by bots recently.
     
    calum, Nov 14, 2008
  13. wendallb

    #13
    I was having this problem but not now. I set the registration so they have to be approved by me... So I check the track-IP and find where they are...

    wendallb, Nov 14, 2008
  14. Aldo

    #14
    Just stfu RectangleMan, you have already given up in another topic. SMF is not insecure, MyBB has had 18+ security patches in the last 3 months, SMF has had 4 in the same time period.

    Whoever started this topic, if you don't have email activation enabled on your forum, you should do so by going to Admin > Registration > Method of registration employed for new members and choose Member Activation.

    Aldo, Nov 14, 2008
  15. RectangleMan

    #15
    That just got you reported.

    Obviously SMF fans have some difficulty discussing things with civility. I said my piece.

    Okay...you win. Feel better yet?

    I prefer to discuss the benefits of MyBB. I am not here to bash SMF. To make you happy I will repeat what I have said multiple times. SMF is a great software and it's very secure. How else do you want that phrased?

    RectangleMan, Nov 14, 2008
  16. boddog

    #16
    Ban their IP
    and set censor words for their site.
    That will stop them spamming when they find out their sites got blocked out, hehe.
    This is what I did for my spammers.

    boddog, Nov 14, 2008
  17. bluearrow

    #17
    Since I enabled email activation and set the captcha level to maximum, I haven't got a single spam after that.

    bluearrow, Nov 14, 2008
  18. WeWatch

    #18
    Let's try to get this thread back on track...

    If you Google "captcha hacked" you'll see that hackers have found various ways of cracking through the captcha requirements of many systems.

    I would recommend that you increase the difficulty (strength) of your captcha and seek out a good anti-SPAM plugin. A plugin that checks the email address used to register against a domain of known forum/blog spammers would be great - after verifying that the email was sent from the actual email server of the domain.
     
    WeWatch, Nov 15, 2008
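
The blocklist lookup WeWatch recommends, sketched as a registration check. This is an added example, not part of the thread and not code from any existing anti-spam plugin; the function names and the blocklist entries are constructed, and it covers only the domain lookup, not the mail-server verification mentioned in the post.

```python
# Constructed blocklist entries; a real list would come from a maintained feed.
BLOCKED_DOMAINS = {"spam-mailer.example", "throwaway.test"}


def parse_email(address):
    """Return (local, domain) with the domain canonicalised, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1 or " " in address:
        return None
    local, domain = address.split("@")
    # Case and a trailing root dot do not change which domain this is.
    domain = domain.rstrip(".").lower()
    try:
        # Internationalised names are compared in their ASCII (punycode) form.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    if not local or "." not in domain:
        return None
    return local, domain


def parent_domains(domain):
    """Yield the domain and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def screen_email(address, blocked=BLOCKED_DOMAINS):
    """Return ('accept' | 'reject', reason) for a registration e-mail address."""
    parsed = parse_email(address)
    if parsed is None:
        return "reject", "malformed address"
    _, domain = parsed
    # Match whole labels, so mail.spam-mailer.example is caught but
    # notspam-mailer.example is not.
    for candidate in parent_domains(domain):
        if candidate in blocked:
            return "reject", f"domain {candidate} is blocklisted"
    return "accept", "domain not on blocklist"
```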
  19. ~kev~

    #19
    My son's SMF Forum:

    About a week - 2 weeks ago my son's SMF forum started getting hit by spammers. I updated his forum to the latest version, and increased the difficulty of the captcha image - it was set to the lowest setting. Increasing the difficulty of the captcha did not help; he kept getting spammers signing up every day. Most of the spammers were posting sexual images and links to downloadable .EXE files.

    A couple of days ago I turned on email activation, and they are still signing up, but not as bad. Since I turned on email activation the spam went from 2 - 3 a day, to maybe 1 or 2. Some of the spammers sign up, but never activate their account. Other spammers sign up and activate their account by clicking the link in their email. While looking up some of the spammers, I found where one spammer had signed up on hundreds of forums in the last 24 - 48 hours. This would not be possible for a real person; we have to sleep and eat sometime.

    Instead of deleting the spammer's account, I change their account name by a letter or two, change their password and change their email address. So it's like getting a free member.


    My daughter's SMF Forum:
    No problems with spammers, but she has only been online for a month.


    My wife's vBulletin Forum:
    I had the site set up with captcha and one more check box the person had to click, but no email verification. The spammers were coming through right and left.

    For some reason Hotmail, Gmail and sometimes Yahoo will block the vBulletin activation emails, so that is not an option.

    Last night I changed the settings in the human verification options. Now they have to answer 1 of 4 random questions and type in the answer. Hopefully this will stop the spam bots, but will not stop a real person. If this does not stop the spammers, the next step is to set up reCAPTCHA in my wife's forum. Looking through the vBulletin.com support section last night, it looks like reCAPTCHA is effective in stopping spam bots.


    My Forum:
    No problems with spammers, maybe 1 or 2 a month.

    ===============


    To answer the question directly, yes, I have noticed an increase of spam over the past week or two. But not only in SMF forums. They are also hitting vBulletin forums that have not set up good spam control. As for the SMF and VB captcha, it might be of little help against the new bots.

    It's not a point of one forum software being better than the other. We should be working together to help each other fight this problem. Because today it might be my forum that gets spammed, but tomorrow it might be yours. We have a common enemy, and united we can defeat them. But divided, we will fall one by one.

    ~kev~, Nov 15, 2008
  20. Oldiesmann

    #20
    Out of 4 SMF forums I own (excluding test boards), the only two that got spammed were fairly inactive. Out of the two that didn't get hit, one had reCAPTCHA installed (I installed that after a previous spam problem a while back). No clue why the fourth one didn't get hit - perhaps because it's such an active forum.

    I installed the reCAPTCHA mod on a couple of other boards I help out with that were having spam issues, and that seems to have stopped the spammers for now as well.
     
    Oldiesmann, Nov 15, 2008