UseBB Community

UseBB support, discussion and development

spam problem

Moderators: Gaia.

Member
Registered: Jul 2008
Posts: 9
Dear UseBB users and developers,

I'd like some tips and hints regarding an annoying problem I am having. I am not very knowledgeable about web security so perhaps you can suggest how I could tackle the following: I installed UseBB perhaps 2 years ago and things were fine, however for several months now, I have been getting a lot of spam users (sometimes 20 a day) registering to my forum. First I thought adding a re-captcha will solve the problem, so I did add it. I also have a custom question in the registration process. These are functioning as they are supposed to, but they don't help. The problem must be something else, seems like the bots are bypassing the security measures in the registration. Perhaps bugs in MySQL or Apache, or something, because the machine is running a rather old Scientific Linux distribution and was not updated for quite a while. Finally I updated it so I have the latest versions of the programs available in the repositories, though those might still be quite behind the most current stable releases. The problem is still present, though maybe not as severe as it was before the update.

It would be nice if somebody can suggest some quick things to check/do to prevent this annoying problem of spam. I simply do not have the time to master things like PHP, MySQL, Apache, etc... Below I have some relevant info about the system.
Thank you very much in advance for any tips you might want to suggest!
----
UseBB version: 1.0.10
PHP version: 4.3.9
SQL server driver: MySQL/4.1.22
HTTP server: Apache/2.0.52 (Scientific Linux)

kernel:
2.6.9-89.0.20.ELsmp #1 SMP Tue Feb 2 14:13:40 CST 2010 x86_64 x86_64 x86_64 GNU/Linux
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
Either these are bots registering and posting stuff, or they are real humans.

If they are bots a custom anti-spam question could solve it. Preferably add multiple ones which cannot easily be "calculated" using an algorithm. You might also want to change this every week or couple of weeks.

If they are humans there is nothing you can really do, perhaps except for checking if they come from one IP address or a group of them and eventually blocking it. But even then, there are anonymous proxies everywhere which help these people to bypass the blocking.

Over here, there are anti-spam questions set and I don't have a lot of issues with spamming. Every couple of weeks I have to remove a user and a few posts, probably someone who registered manually.

As far as I know there is no leak in the system that would allow bots to bypass the spam measures, but you never know...
Member
Registered: Jul 2008
Posts: 9
Thanks for your quick reply!
In my case it is hard to believe that every day 20 people will sit down and go through the re-captcha and the random security question to register... Though, I should say, some of these spammers post meaningful things, followed by web links in their signatures. I am leaning towards thinking that something in my system is not secure and these spammers are bots that somehow bypass the registration completely, by exploiting some bugs and hacks, or insecure config of something in my server.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
Whether something strange is happening can to some degree be verified by investigating the access logs of the HTTP server. If you can get access to them and take the IP address of a spammer from the forum, you could search (grep) through them and see their actions. On Unix/Linux this would be easy to do using
grep <ip-address> <filename>


If it really would be a security issue at least any strange requests through GET would be visible.

If you don't know how to do this you could always send me an access log and some spammers' IP addresses via e-mail.
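
The access-log check described in the post above, as an added example that is not part of the original thread or of UseBB: it pulls one client's requests out of an Apache combined-format log, counts registration POSTs that were not preceded by a GET of the form, and lists GETs with unusual characters. The log lines are constructed, the function names are hypothetical, and the `panel.php?act=register` path is an assumption about the forum's registration URL.

```shell
#!/bin/sh
# Added example: trace one client's actions in an Apache access log.
REG_PATH='panel.php?act=register'   # assumed registration URL, adjust as needed

# Constructed sample log (combined format, documentation IP addresses).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [06/Apr/2011:10:00:01 +0200] "GET /forum/panel.php?act=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2011:10:00:03 +0200] "POST /forum/panel.php?act=register HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Apr/2011:10:05:00 +0200] "POST /forum/panel.php?act=register HTTP/1.1" 200 4300 "-" "-"
198.51.100.9 - - [06/Apr/2011:10:05:02 +0200] "GET /forum/topic.php?id=12%27 HTTP/1.1" 200 900 "-" "-"
203.0.113.70 - - [06/Apr/2011:10:06:00 +0200] "GET /forum/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Print "time method url status" for requests from exactly this IP.
# Comparing field 1 avoids two grep pitfalls: "." matching any character
# and 203.0.113.7 also matching 203.0.113.70.
requests_from() {   # usage: requests_from IP LOGFILE
    awk -v ip="$1" '$1 == ip { print substr($4, 2), substr($6, 2), $7, $9 }' "$2"
}

# Count registration POSTs from IP with no earlier GET of the form from the
# same IP: a heuristic sign of a script submitting the form directly.
blind_register_posts() {   # usage: blind_register_posts IP LOGFILE
    requests_from "$1" "$2" | awk -v path="$REG_PATH" '
        index($3, path) && $2 == "GET"  { seen = 1 }
        index($3, path) && $2 == "POST" { if (!seen) n++; seen = 0 }
        END { print n + 0 }'
}

# List GET URLs from IP containing encoded quotes, angle brackets or "../",
# which ordinary forum links do not contain.
suspicious_gets() {   # usage: suspicious_gets IP LOGFILE
    requests_from "$1" "$2" |
        awk '$2 == "GET" && $3 ~ /%27|%22|%3[CcEe]|\.\.\// { print $3 }'
}

# Demo run over the constructed log.
log=$(mktemp) && sample_log > "$log"
for ip in 203.0.113.7 198.51.100.9; do
    echo "== $ip: $(blind_register_posts "$ip" "$log") blind registration POST(s)"
    requests_from "$ip" "$log"
    suspicious_gets "$ip" "$log" | sed 's/^/   unusual GET: /'
done
rm -f "$log"
```

A blind POST only shows that the form was not fetched from that address beforehand; the request body, including the CAPTCHA answer, is not in the access log.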
Member
Registered: Jul 2008
Posts: 9
Will do that, thanks for the comments!
Member
Registered: Jun 2005
Posts: 29
Location: Krefeld
@Vader: Have you tried the confirmation mail which includes a link to click on?

Another "solution" would be to turn on admin confirmation which urges your users to wait for your approval. If you do so, you may want to state it somewhere in your forum that they must contact you by another medium, let's say phone or chat (ICQ/Jabber).

But spammers became very tricky over the years; they found us, the admins, as an insecure channel. "Social engineering" is their "technique" to bypass security. :(

So it may not solve your problem because they will try to "convince" you to approve them.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
UseBB 2 will have better "tricks". I am for example thinking of making new users a member of a "New members" group. Being in this group will make the user's first x posts to be moderated and require approval in order to be seen.

Also, Mollom will most likely be integrated.
Member
Registered: May 2005
Posts: 386
Location: US WA. St.
Dietrich wrote
I am for example thinking of making new users a member of a "New members" group.

Make it so that they cannot do anything till approved.

ie, cannot post messages, alter profile, etc.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
This is quite possible now as well, except that they cannot log in.

By allowing them to make a few posts you can usually quickly see whether or not they are bots and can post reasonable on-topic replies or topics.

It should also somehow be possible to disallow people to post links when they are not approved to.
Member
Registered: Jul 2008
Posts: 9
@Quix0r: yes I am using e-mail activation where they click on a link.

@William & Dietrich: I guess one can give these options to admins, and not hard code them, because you don't want to make the forum too restrictive. By the way, recently the trend is that I get spammers who instead of posting links, have their links in their signatures. So, if many people have this problem, you guys might want to think about options like not allowing signatures for new users before they post a few posts. Just an idea...

By the way, I started asking much harder custom questions during registration and this seems to have cut down the number of spammers significantly. Well, at the same time I updated every package installed on the server, so dunno what exactly reduced the spam.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
Today I added a big pile of code to make it possible to remove a user's posts at once when the user is being removed. So any spam bots getting through can now (1.0.11 in CVS) easily be removed without having to delete the posts manually.

I hope to release 1.0.11 later this month.
Member
Registered: Jul 2008
Posts: 9
This is awesome, thanks!
Member
Registered: Jun 2005
Posts: 29
Location: Krefeld
I have my first spammy account. It is irylle12 and you should block that user. Just enter that nickname into your favorite search engine... IxQuick says >130.000 (!) results. And please also block the email address irylle12[at]yahoo.com (by replacing [at] with @).
Member
Registered: Jul 2008
Posts: 9
Thanks for sharing! Though my experience is that these people come with different nicknames and e-mails.
Member
Registered: Jul 2010
Posts: 2
In my experience the spammer people come with different nicknames and e-mails. What is the simple way to avoid them?
Moderator
Registered: Oct 2005
Posts: 502
Location: Canada
I find a lot of the spammers are also updating their signatures with links and then just randomly posting. I've created a little modification for UseBB Zone that doesn't allow anyone to post links unless their accounts are over 30 days old. Not the greatest script, but seems to be doing pretty well so far. I'll post up a how-to shortly.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
I was thinking of adding something like this in 1.0.11. First idea was to disable links in signatures for some time. Haven't implemented anything yet though.
Member
Registered: Jun 2005
Posts: 29
Location: Krefeld
I need those links in my signature, please don't disable them. Look here at my profile: http://forum.mxchange.org/profile-1.html I need to link bug tracker, wiki etc. so my users (it is about a free software) can easily find the required information.

@Gaia: Can this feature be disabled in your mod e.g. through ACP?
Moderator
Registered: Oct 2005
Posts: 502
Location: Canada
Ok, I've added it to UseBBZone: http://usebbzone.com/file.php?id=76

Here's the direct file: http://usebbzone.com/disablelinks.txt

Quix0r: I wouldn't suspect that the links would be disabled for an admin :). For my script, as long as you are registered for longer than 30 days, it allows you to use links. The signature based edits are optional, however I would strongly recommend them.

No, there are no ACP edits for this script.
« Last edit by Gaia on Sun Aug 08, 2010 2:49 pm. »
Member
Registered: Jun 2005
Posts: 29
Location: Krefeld
A little off-topic: Some logging of failed registration attempts (including all fields and wrong answer) would be nice, to see how much spammers are hammering at your registration page and for analyzing the (spammy) registration attempts.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
Quix0r wrote
I need those links in my signature, please don't disable them. Look here at my profile: http://forum.mxchange.org/profile-1.html I need to link bug tracker, wiki etc. so my users (it is about a free software) can easily find the required information.

The disabling will not be for all users, but for example those who didn't post 5 or more posts.

Of course for this to be fully effective there should be a manual approval for the first x posts, and a moderation queue is not present in UseBB 1.
Member
Registered: Jun 2005
Posts: 29
Location: Krefeld
Can't this '5' be 'x'? I mean configurable and not hard-coded.
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
Indeed, this will be the case, to make this a configurable setting. But I have not yet decided on what to do and implement.
Member
Registered: Jun 2005
Posts: 29
Location: Krefeld
Having now the same problem here. A lot of spam accounts have been registered within the last 3-4 days. :( No problem before that and for many days. I try (no re-captcha here, because it is beatable) the custom questions now. Let's see, how much I can do here. :)

Edit: Aaahh, saving settings results in a download of the config.php! :shock: I hope no one got this? I use 1.0.11 here and libapache-mod-php5 (no FastCGI or so).
« Last edit by Quix0r on Wed Apr 06, 2011 11:00 pm. »
Developer
Registered: Apr 2004
Posts: 2230
Location: Belgium
You are offered to download config.php whenever it is not writable by PHP.
