Forum Index » Website & Forum Admin/Support » site being hacked


Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Partial solution to SPAM on 10/15/2012 19:07:36 MDT

Hi all

We have a partial solution. I stress - only partial. Background (provided to me by a BPL reader with greater knowledge about the SoTA than me): the standard spamming SW has recently been upgraded so it can now attack Forums with greater 'skill'. (Who wrote that stuff? A dark alley is needed.)

What this also means is that the spam is coming from a bot, not from a person. Interesting. That allows counter-measures.

When you click on the Report Posting button I get an email pointing to the posting and the poster. It used to be that Addie also got the message, but Addie is on leave having a baby. When there are a lot of emails with the same heading close together, Gmail lumps them into one thread. I have a stack of email threads with over 60 emails in each thread, all re spam! No complaints mind you: those Reports are vital!

So I get a pointer to the spammer registration. When I go to the page with registration details for the spammer, it lists all the postings for that registration. Doubtless many of you have looked at your own pages? Anyhow, some time ago we implemented a special button which allows me to 'mark as spammer', which blocks that person/registration from doing any more postings. Ben K has just now added a second button saying 'delete all postings by spammer'. So, the Forum threads are now nice and clean again. Just two button clicks per source.

But what happens when the spammer SW gets updated to snow-storm us with registrations? Sigh.

I said 'partial'. A full solution is to 'moderate' all new registrations, so that their first few postings have to be approved before they appear. If a spammer registered and then tried to spam-storm us, I would get an email about the first few postings before they appear. This would block the spammer, at the cost of just a small effort. Alternately we could set it up so the spammer has to reply to a 'random' Q from me about backpacking. That would also block bots.

But it would mean that a newcomer would not be able to post anything until I had woken up, attended to my email, and approved the posting. We haven't done this YET, because of the frustration it would create. Will we need to? We don't know yet.

Cheers

Dena Kelley
(EagleRiverDee) - M

Locale: Eagle River, Alaska
Re site being hacked on 10/15/2012 20:21:54 MDT

Thanks Roger.

Harald Hope
(hhope)

Locale: East Bay
not credit stuff on 10/15/2012 20:23:21 MDT

Eugene, I want to make very clear, I'm not talking in any pro/anti bpl manner in this statement, only a purely technical response, but the issue of automated forum spamming is totally unrelated to credit card processing or site or member security. No hacking is involved, there is nothing at all connected. No server security is or was compromised, spamming of this type is NOT cracking or hacking. Millions, literally, of websites that feature automated member signups have this problem, and the problem has gotten much worse this year.

Again, this is not related to bpl members/non-members happiness/unhappiness, that's a fine topic for chaff or whatever, but on a technical level, there is nothing at all risky about such spamming in terms of site and server security, absolutely nothing. Now, if you click on the links they post, well, then you're on your own, those links can lead to nasty things, so don't do it. Same as for email spam in that way. Hopefully you all know this, if not, now you do.

bpl has just been spared the worst of this in the past, and they have responded quite well to this relatively new issue, so I don't fault them at all in this case, it's a weird world out there in the interweb, bpl was just sheltered from it. Dealing with these issues can be hard, so cut the guys some slack, this isn't the same as gear questions, it's a different part of the world.

Tom Kirchner
(ouzel) - MLife

Locale: Pacific Northwest/Sierra
Re: Partial solution to SPAM on 10/15/2012 20:24:01 MDT

"But it would mean that a newcomer would not be able to post anything until I had woken up, attended to my email, and approved the posting. We haven't done this YET, because of the frustration it would create."

Sounds like an object lesson in delayed gratification, a novel concept I admit in this I WANT IT AND I WANT IT NOW age. Hopefully it won't come to that, but if it does I should think any reasonable person would be understanding.

Eric Lundquist
(cobberman) - F - M

Locale: Dry side of the Eastern Sierra's
Re: Partial solution to SPAM on 10/15/2012 20:29:55 MDT

Roger,

Thank you for taking the time and explaining the process by which BPL moderators remove the spam posts. It's great that we are now able to delete their posts as well as just marking them as spam. I think that limiting a new user to wait for approval of their comments would jeopardize new followers. Instead of a backpacking question chosen by you and thereby approved by you, could we set up a few rotating backpacking questions (yes/no, multiple-choice) as part of the new user signup page instead?

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
"The other lightweight site" on 10/15/2012 20:41:35 MDT

Roger, that's wonderful that you were able to get rid of the spam accumulation!

The site I help moderate (backpacking.net) doesn't get the amount of traffic this one does, so it's easier to manage. So far, we haven't gotten nearly the volume of spam. Finally, we have ten moderators instead of one--all but one (the site owner) are volunteers who have been invited to participate by the site owner. All of us are frequent contributors who have been members for quite a few years and are on the site at least daily and usually several times a day. I generally check early in the morning (by which time any spam has usually been removed by those in an earlier time zone) and before going to bed (when I occasionally catch a few).

Actually, we do not invariably check all new posters. Instead, when reading new posts on the forums (again, not as many as here), we watch for spammers and for those who make a number of inconsequential posts (such as "I like that" and "I agree") or posts in completely incomprehensible English ("There is a group that is by means of goats to keep the balds approximately Roan Mountain bald. They are consumption back the insidious variety that have infiltrated into the area."). (Yes, that's an actual recent sample!) The favorite tactic lately seems to be to post 10-15 such posts and then insert a spam link into them. When we look up the IPs for the latter, they are often from Asia. Of course we don't ban anyone on the basis of IP source and/or poor English--we enjoy having genuine contributors from overseas! We have a forum branch for moderators only where we communicate about such folks so everyone can keep an eye on them. We don't ban anyone until the actual spam appears. I've often used that branch to ask for consensus on a dubious post before deleting it or banning the poster.

The forum has a rule about not allowing "for sale" ads until the member has made ten "approved" posts (meaning posts with some content). That's another reason we watch for inconsequential posts, to catch those trying to get to the 10 post mark only because they want to post a classified ad. The software doesn't allow posting in the classified ad branch for those with less than 10 posts. Exceptions can be made by the site owner. We have banned a few who have posted 10 inconsequential posts within a few days just to be able to post an ad.

Our main defense against a wholesale attack such as the last two on BPL are alert members (which BPL also has) and enough moderators that at least one of us will find out within an hour. I haven't seen a mass delete feature; I suspect only the site owner can do that. I suspect there are other safeguards in the forum software (a standard bbs software package) that I don't know about.

As far as BPL goes, I think having 20 or so volunteer moderators in various parts of the world would go quite far in halting spambot attacks like the two recent ones before they become overwhelming--which they certainly did last night! I don't know how BPL can possibly manage with only one or two moderators!

Edited by hikinggranny on 10/15/2012 20:50:02 MDT.

Ken Helwig
(kennyhel77) - MLife

Locale: Scotts Valley CA via San Jose, CA
Re: "The other lightweight site" on 10/15/2012 21:07:22 MDT

Dead set against "volunteer moderators" why? Most on here have paid for a subscription, be it yearly or life. I don't want others telling me what to do on here or to play nice so to speak. Nope, totally against it. I paid for many years on here and do not need others who are my peers telling me how to conduct myself.

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
Trying to stop the spam! on 10/15/2012 21:23:35 MDT

The alternative is continuing wholesale spam attacks like last night. Which would you rather have? Actually, this is completely up to Ryan, as the site owner. As mentioned earlier, I'm not volunteering for BPL because I already have responsibilities elsewhere. Also, I haven't been a member here that long. Ken, I'm quite sure you're not planning to spam this site!

Maybe there's an easy and cheap software fix to block more than, say, 10-15 posts per hour. Or more than 5 posts per day from a new member (under 30 days). Might be something to look into! If it's not an easy and cheap fix, though, the site won't get it (per Ryan).

Edited by hikinggranny on 10/15/2012 21:44:09 MDT.

Nick G
(HermesUL) - F
Other options to fight registration spam on 10/15/2012 21:35:33 MDT

1. Maximum of two posts per new user (until approved). This wouldn't eliminate it, but it'd cut down the speed of the hacking dramatically.
2. Volunteer "Registration Moderators" which ONLY have the power to approve new users, based on their response to a simple registration question, such as "Why are you interested in lightweight backpacking" or "What are the five most important items in your pack?". Questions that would be fun and easy for an interested user to answer, and could even be posted to the new user's profile to make it more interesting (I know mine is boring as heck). You could even open the power of approving new users to all paying and/or established users without consequence.

I like the second option. Both options would eliminate the lapse time and human that comes with everyone having to stare at spam posts until Roger wakes up.

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
Stopping spam on 10/15/2012 21:41:35 MDT

I think it would be safe to limit the automatic limit or volunteer moderation to non-paying members only. If a spammer is willing to pay $25, let him/her spam! :-)

drowning in spam
(leaftye) - F

Locale: SoCal
Re: not credit stuff on 10/15/2012 22:06:12 MDT

Harold, I completely understand that you weren't saying that spamming was equivalent to hacking. What I'm saying is that if this spamming could not have easily been largely blunted in the past year, it makes me question what's going to happen when there IS a security threat.

Dena Kelley
(EagleRiverDee) - M

Locale: Eagle River, Alaska
Re Volunteer Moderators on 10/15/2012 23:34:37 MDT

Ken Helwig, you are making much ado about nothing. Nearly every forum has volunteer moderators, and for the most part they spend their time cleaning up spam. Which is exactly what those of us who volunteered here were offering to do. I have zero interest in keeping you or anyone else polite, let alone banning a paid member. I simply didn't want to see the forum get spammed to the point where people won't even try and read the posts, which is what it was getting to as of last night.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
re Spam and Security on 10/16/2012 03:14:45 MDT

Hi Eugene

> I've since had to cancel that credit card. I'm not saying the fraudulent activity on
> my credit card was the fault of BPL due to lax security as I simply don't know, but
> it wouldn't surprise me if it was.

It would surprise the he11 out of me if it was! Really!

> With this kind of response to spam, a malicious attack by an amateur ...
Not the same thing at all. Basically, the spammer was just using what is called SEO or Search Engine Optimisation. Seriously bad manners and unethical to most people, but definitely NOT hacking. There was zero breach of security.

On a side note, it seems that Google knows about SEO (of course!!!) and looks for it with its robots. When it finds it happening, the company paying for the spam gets down-graded in the search rankings. This upsets some companies who feel using a spammer for SEO should be considered ethical. Snerk! Put them on page 100 I say.

On a second side note: I would get an offer of SEO for my FAQ web site about every two days. Oh, they are keen. Plonk.

Cheers

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Spam and Security on 10/16/2012 05:22:05 MDT

One of the things that IS being done is to impose a time-out rule. This at least limits the extent of the poster's damage. Mostly a measure against hackers, it can be opened up a bit, from the current 30sec to a full minute. This will help a bit.

Erik Basil
(EBasil) - M

Locale: Atzlan
Re: Spam and Security on 10/16/2012 07:44:12 MDT

What James is referring to is called "Flood Control" in more modern, packaged BBS products and it's in effect on sites including Backpacker Mag's forums. A 1-minute buffer *would* annoy some fast-key members of this site, but it will certainly also reduce impact from spam-bot activity when it occurs.

I have something to do with a site that gets a lot more traffic than this one, and that is a regular target for both spam and "true hacking". In terms of spam-controls, I strongly suggest that the Mod/Admins use specific IP bans on the individual IPs used. This is very effective in practice, despite the fact that spammers can and do shift IPs. (Many of us here do, too, whether we know it or not.) The fact is, however, if you don't ban the IP, it will continue to be used.

Don't worry: there are plenty of IPs for legit visitors even if you have an IP Ban list that's pages long.
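The posting limits floated in this thread (Mary D's 10-15 posts per hour and 5 per day for members under 30 days, Nick G's two posts before approval, and the 30-second "flood control" time-out James and Erik describe) can be combined into one per-member check. The code below is an added illustration, not BPL's forum software; the `Member` record, the thresholds and the exemption for paying members are assumptions drawn from the posts above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds as proposed in the thread (constructed policy, not the site's own settings)
MIN_GAP = timedelta(seconds=30)       # flood control: 30-second time-out between posts
HOURLY_CAP = 10                       # "block more than, say, 10-15 posts per hour"
NEW_MEMBER_AGE = timedelta(days=30)   # "new member (under 30 days)"
NEW_MEMBER_DAILY_CAP = 5              # "more than 5 posts per day from a new member"
UNAPPROVED_CAP = 2                    # "maximum of two posts per new user (until approved)"

@dataclass
class Member:
    name: str
    registered: datetime
    approved: bool = False            # set by a registration moderator
    paying: bool = False              # paying members are exempt from new-member limits (assumption)
    post_times: List[datetime] = field(default_factory=list)

def check_post(member: Member, now: datetime) -> Optional[str]:
    """Return None if the post may go through, else a short reason for rejecting it."""
    if member.post_times and now - member.post_times[-1] < MIN_GAP:
        return "flood control: wait %d seconds between posts" % MIN_GAP.seconds
    last_hour = [t for t in member.post_times if now - t < timedelta(hours=1)]
    if len(last_hour) >= HOURLY_CAP:
        return "hourly limit of %d posts reached" % HOURLY_CAP
    if not member.paying:
        if not member.approved and len(member.post_times) >= UNAPPROVED_CAP:
            return "new registrations may post %d times before approval" % UNAPPROVED_CAP
        if now - member.registered < NEW_MEMBER_AGE:
            today = [t for t in member.post_times if now - t < timedelta(days=1)]
            if len(today) >= NEW_MEMBER_DAILY_CAP:
                return "new members are limited to %d posts per day" % NEW_MEMBER_DAILY_CAP
    return None

def record_post(member: Member, now: datetime) -> bool:
    """Apply the check and record the post only if it is allowed."""
    if check_post(member, now) is not None:
        return False
    member.post_times.append(now)
    return True

def simulate_burst(member: Member, start: datetime, count: int, gap_seconds: int) -> int:
    """Constructed scenario: a bot attempts `count` posts `gap_seconds` apart.
    Returns how many of them the policy lets through."""
    accepted = 0
    for i in range(count):
        if record_post(member, start + timedelta(seconds=i * gap_seconds)):
            accepted += 1
    return accepted
```

A 60-post burst from a fresh, unapproved registration is cut to two posts, an approved new member to five per day, and an established member to the hourly cap of ten.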

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
Reducing spam on 10/16/2012 13:20:31 MDT

On the "other" site I help moderate, we regularly use IP bans. It may slow things down but it sure doesn't stop them--we have a number of "regular" spammers (Ergo baby carrier, Asian escorts) that keep coming back every week or so with different IP numbers. There are databases of spamming IPs, but again, the spammers keep coming back with new ones.

Any one solution is only partial and temporary!

I'd say your current need is for more moderators so there can be quick action when another mass attack occurs (which it will!). There is no lack of alert members here! It would have made a lot of difference if the spammer could have been banned in the first half hour!

Edited by hikinggranny on 10/16/2012 13:24:14 MDT.

drowning in spam
(leaftye) - F

Locale: SoCal
Forum index corrupted on 10/16/2012 22:37:17 MDT

See, what I was talking about was a real technical challenge. Spam takes very simple technical solutions to largely hold it back.

It's nice that there's finally a way to delete all the posts associated, but that should have existed a long time ago, and worse, it seems to have caused its own problems. Now threads aren't showing up in the forum listings, and it appears to have been caused by this.

So again, I'm saying that when this spam problem can't be solved correctly with very simple solutions, there's little reason to expect that more complex problems aren't going unnoticed, and there's little reason to expect that those more complex problems could be handled. It's a matter of technical capabilities.

Roger, I'm sorry you're the face to this problem. You shouldn't be. It should be Ryan, or maybe Addie. Most of us understand that you're doing what you can, with the limited tools this forum provides you, and we thank you for your efforts.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: Forum index corrupted on 10/17/2012 00:15:31 MDT

Hi Eugene

> Now threads aren't showing up in the forum listings,
Can you point to any examples of this please? Deleting a posting by X should NOT remove the whole thread!

Exception: I did delete some threads which had been created by the spammer solely for the spam. Some of those threads had a few comments in them about the spam. Those comments have been deleted as well of course, but they had no other significance.

Cheers

drowning in spam
(leaftye) - F

Locale: SoCal
Re: Re: Forum index corrupted on 10/17/2012 01:55:49 MDT

Roger,

The threads aren't removed, just not in the listing.

To find an example, go to Greg's profile:
http://www.backpackinglight.com/cgi-bin/backpackinglight/forums/profile.html?u=greg23

He posted "spam" in a few threads. Those that haven't been bumped will not be visible.

Here's an example:
http://www.backpackinglight.com/cgi-bin/backpackinglight/forums/thread_display.html?forum_thread_id=59795&skip_to_post=592369#592369

The last post in that thread, by Greg, was on the 14th, but if you back out to the forum level, you won't see anything newer than the 8th.

rowan !
(romonster) - M

Locale: SF Bay Area
The Amazing Disappearing Threads! on 10/17/2012 02:10:29 MDT

Roger says:
"Can you point to any examples of this please? Deleting a posting by X should NOT remove the whole thread!"

This one:
http://www.backpackinglight.com/cgi-bin/backpackinglight/forums/thread_display.html?forum_thread_id=69229&skip_to_post=#

Since I posted in it, I can see it in my forum profile, and can access the thread from there. The most recent post was on 10/14/2012 18:45:54 MDT. But if you look at the index of General Lightweight Backpacking Discussion, the thread doesn't appear there.