Search Results for 'spam'
May 6, 2010 at 10:02 pm #76998
In reply to: Here come the spammers!!!
Jeff Sayre (Participant)
@foxly -
This is a very nice summary of the problem. Thank you for providing the introduction to the various attack vectors spammers currently use.
I would argue, as you know, that WP / BP also needs to combat registration spam, even though it is the hardest issue to address. There are a number of BP.org members that are looking for a solution, however imperfect, that will noticeably reduce spam signups. If a person is infected with a small viral load, the resulting illness often will not be as severe as if they had received a large dose of invading organisms. The same can be said of website spam signups. Any reduction is better than none.
But, as this is your thread and I do not want to take your thread off topic (or have others do what I just did), I will ask that we table that discussion for another thread at another time and focus in this thread on solutions to combating spam once a spam account has successfully registered.
Once again, this is a great start to the conversation.
May 6, 2010 at 7:26 pm #76972
In reply to: Here come the spammers!!!
Hugo Ashmore (Participant)
While you’re preparing part 2 I’ll make the comment (probably unpopular) that to an extent this is an issue that BP, WP, Automattic must accept some responsibility for, in that WP has always followed the course of making it as easy as possible for inexperienced people to set up a blog/blogs: the principle of ‘Out Of The Box’ and ‘5 Minute Install’, all designed to promote the app/s to those users who otherwise might be put off. It’s a marketing ploy to ensure that the app gains widespread and popular use (that is being deliberately cynical to make a point). It is due to that that I say there is a duty of care that falls on the App, not on the user or community. I know how to get down and dirty with htaccess files, to read logs, enable various methods to deal with an issue – as do many others here – but let’s not forget most don’t! I would suggest that it’s time to pull together all the various approaches to dealing with spam in one clear stickied post, make the steps as clear as possible but emphasize that these steps are of paramount importance to follow (thinking about it, that may already exist?) until such time as Foxly or the dev team comes up with the core improvements.
For the record I have enabled most of the steps found in various threads here and elsewhere and also disabled sub blog registration and receive no more than around 6-8 spam sign ups a day, which we can deal with quite quickly and effectively. I’m still slightly puzzled as to why some appear to have such ongoing issues though; very sympathetic but puzzled nonetheless.
May 6, 2010 at 6:00 pm #76958
In reply to: Here come the spammers!!!
foxly (Participant)
All About BuddyPress Spam
From what I’ve seen over the past few days, the range of knowledge about spam in the BP community ranges from zero to PhD research project. So, to get this thread off to a productive start, I’m going to give everyone some background info on why spammers target our installations, how they do it, and what we can do to reduce or eliminate these kinds of attacks.
1) Why do spammers attack BP communities?
-> Spam is 100% economically motivated. Spammers do what they do because it’s very profitable. Even if only 1 out of a million messages the spammer sends actually reaches somebody, if it cost $2 to send out those million messages and the spammer makes $50 by tricking one person into giving them a credit card number, the spammer is going to throw every resource they have into sending out more messages …because they’re getting a 2500% return on their investment.
-> Given the choice between multiple sites, a spammer will pick the one that gives the largest payout.
Gmail is a “hard” target, with users that are experienced with spam. If a spammer sent a billion spam messages to accounts on Gmail, 99.9% of them would probably be deleted by automated filters at other ISPs along the way before even arriving at Gmail. The first thousand messages that arrived at Gmail would likely be delivered but would be put in users’ spam folders; and the remaining 999,000 messages would be flat-out refused by Gmail’s servers.
Because anyone with an email account is familiar with spam, probably 999 of those 1000 users would ignore the spam message and 1 user might act on it. So if it cost $20 to send those billion messages and the spammer made $50 by tricking the one person into giving them a credit card number, they’ve only made $30 for all that work.
BP communities are usually “soft” targets that are inexperienced with spam.
Once a spammer gets into a BP community, every single message they send is delivered to a member, and most members are NOT expecting to be attacked by other users on the site.
If a user called “site_news” sends everyone a message that says: “Our site just got featured on Oprah! check out the video! http://www.youtube.com/watch/dQw4w9WgXcQ.cn” every single member is going to get that message, and probably half of them are going to click on the link. (did anyone notice what’s wrong with that “YouTube video” … )
Then, assuming there are 50,000 members on the BP site, half of them click on the link, half of those people are using Internet Explorer, and the attack site the link points to installs a backdoor on computers running IE …at $2 / install the spammer has just made $25,000!
Now, if *you* were a spammer, which site would you attack?
2) How do spammers find BP communities?
Using Google.
Example: http://www.google.ca/search?hl=en&q=%2B”is+proudly+powered+by+WordPress+and+BuddyPress” (front page of every BP site on the net)
Example: http://www.google.ca/search?hl=en&q=inurl:%22/community/members/%22+%2Bbuddypress (members page of every BP site on the net)
3) How do spammers attack websites?
-> Most spam attacks are done using robots, because sheer volume of posts is usually the winning factor. In situations where there is a “captcha wall” or other defense blocking registration to a “high value” site (hint: yours), spammers will use people in low-wage countries to break the captcha and sign up on the site. The going rate is about $2 per 1000 captchas.
http://www.decaptcher.com/client/
Once inside the site, they will then use bots to post spam to all the members on the site.
-> There are literally *thousands* of different programs available that spam websites, and they all have *different* vulnerabilities.
For example, this program: http://forums.digitalpoint.com/showthread.php?t=1124949
a) Will DEFEAT a “hidden fields” challenge,
b) Will DEFEAT a “javascript proof of work” challenge,
c) Will FAIL a “captcha” challenge
d) Will FAIL an “Akismet” challenge
e) Will FAIL a “Hashed Form Field ID” challenge
But this program: http://www.botmasternet.com/more1/ , wikipedia: http://en.wikipedia.org/wiki/XRumer , video of it running: http://www.youtube.com/watch?v=AL2i4SNPJmg
a) Will DEFEAT a “hidden fields” challenge,
b) Will DEFEAT a “javascript proof of work” challenge,
c) Will DEFEAT a “captcha” challenge
d) Will DEFEAT an “Akismet” challenge (uses proxy networks, never sends the same message twice)
e) Will DEFEAT a “Hashed Form Field ID” challenge
f) Will FAIL an “enter the numbers with a triangle over them” challenge (as used by PlentyOfFish.com)
g) Will FAIL a “click on the photos of cats but not the photos of dogs” challenge
4) How do we stop spammers from attacking BP communities?
-> By making it frustrating and unprofitable (but not necessarily impossible) for spammers to target us; while making these tactics invisible to normal users.
I will cover how I propose to do this in the next post.
^F^
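To make the “hidden fields” and “Hashed Form Field ID” challenges from the post above concrete, here is an added example (my own code, not foxly’s and not part of BuddyPress) of a registration form whose real field names are derived from an HMAC over a per-render nonce, with a hidden honeypot field and a minimum fill time. It assumes a server-side secret, a hidden `_nonce` input, and the hypothetical `spam_*` function names; as the post notes, a bot of the XRumer class can still defeat this, so it is one cheap layer, not a complete answer.

```php
<?php
// Added example, not BuddyPress code: per-render hashed field names plus a honeypot field.
// Assumed: $secret is a server-side secret and the nonce is sent back in a hidden "_nonce" input.
// Bots posting to hard-coded names (user_login, user_email) miss the real fields; bots that fill
// every input trip the honeypot; instant submits and replayed nonces fail the age check.
function spam_nonce(string $secret, int $now): string {
    $ts = (string) $now;                                  // "timestamp.hmac": checkable age + integrity
    return $ts . '.' . hash_hmac('sha256', $ts, $secret);
}
function spam_field_name(string $secret, string $nonce, string $logical): string {
    // depends on the nonce, so the rendered name changes on every form render
    return 'f_' . substr(hash_hmac('sha256', $logical . '|' . $nonce, $secret), 0, 16);
}
function spam_form_fields(string $secret, string $nonce): array {
    $names = [];                                          // 'website' is the honeypot (hide it with CSS)
    foreach (['user_login', 'user_email', 'website'] as $logical) {
        $names[$logical] = spam_field_name($secret, $nonce, $logical);
    }
    return $names;
}
function spam_validate(string $secret, array $post, int $now, int $min = 5, int $max = 3600): array {
    $fail = function (string $why): array { return ['ok' => false, 'reason' => $why, 'values' => []]; };
    $nonce = (string) ($post['_nonce'] ?? '');
    $parts = explode('.', $nonce, 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[0], $secret), $parts[1])) {
        return $fail('bad nonce');
    }
    $age = $now - (int) $parts[0];
    if ($age < $min) return $fail('submitted too fast for a human');  // scripted instant submit
    if ($age > $max) return $fail('form expired');                     // replayed old nonce
    $names = spam_form_fields($secret, $nonce);
    if (($post[$names['website']] ?? '') !== '') return $fail('honeypot filled');
    $values = [];
    foreach (['user_login', 'user_email'] as $logical) {
        $v = trim((string) ($post[$names[$logical]] ?? ''));
        if ($v === '') return $fail("missing $logical");               // posted to the wrong names
        $values[$logical] = $v;
    }
    return ['ok' => true, 'reason' => '', 'values' => $values];
}
// Constructed demo: one human submission (hashed names, 30 s old) and one hard-coded-name bot post.
$secret = 'replace-with-a-long-random-server-secret';
$nonce  = spam_nonce($secret, time() - 30);
$names  = spam_form_fields($secret, $nonce);
$human  = ['_nonce' => $nonce, $names['user_login'] => 'alice', $names['user_email'] => 'alice@example.org'];
$bot    = ['_nonce' => $nonce, 'user_login' => 'site_news', 'user_email' => 'news@example.org'];
foreach (['human' => $human, 'bot' => $bot] as $who => $post) {
    $r = spam_validate($secret, $post, time());
    echo $who, ': ', $r['ok'] ? 'accepted' : 'rejected (' . $r['reason'] . ')', PHP_EOL;
}
```

The rejection reasons are worth logging separately: a spike in “missing user_login” or “honeypot filled” is a cheap signal that a scripted registration run has started, before any account gets through.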
May 6, 2010 at 4:44 pm #76948
In reply to: Here come the spammers!!!
modemlooper (Moderator)
You rock!
May 6, 2010 at 4:06 pm #76942
In reply to: Here come the spammers!!!
foxly (Participant)
The goal is to limit:
1) Spam PM’s
2) Spam friend requests
3) Spam comments
4) Spam group creation
5) Spam group posts
Once a spammer / troll / hostile has created a member account on the system.
The goal is NOT to stop:
6) Spam comments on blog posts from non-members.
-> Already handled by dozens of plugins
7) Spam in profile fields
-> Limited damage. Will be handled by @francescolaffi ‘s GSoC project
8) Spam blog creation
-> Limited damage. Will be handled by @francescolaffi ‘s GSoC project
9) Spam sign-ups
-> Impossibly hard target. The only effective countermeasure is phone verification + geo IP + proxy blacklist; as implemented by Craigslist, eBay, PayPal, Elance, and many others.
Full background on all this stuff in about an hour.
Thanks!
^F^
May 6, 2010 at 2:15 pm #76931
In reply to: Here come the spammers!!!
Andrea Rennick (Participant)
And this would specifically deal with spam from actual users who have managed to sign up and are now using the internal messaging system to spam, correct?
And not spam signups, spam blog. Just to clarify.
May 6, 2010 at 3:37 am #76868
In reply to: fyi: WP-reCAPTCHA works fine with BuddyPress
Peter Kirn (Participant)
Hi r-a-y — would you be interested in posting your validation function code? (pastebin it perhaps?)
Just want to avoid reinventing the wheel. I also found a plugin in bpdev that appears to be doing this as well, even down to adapting the existing WPMU recaptcha plugin, but it doesn’t seem to work / was never finished. I haven’t worked out just why yet, however.
http://bp-dev.org/download/
You activate bpdev-core and then bpdev-nospam.
May 5, 2010 at 8:49 pm #76820
In reply to: Here come the spammers!!!
foxly (Participant)
Sounds good to me. Give me a day or so to put some thought into it, then I’ll post a more structured proposal.
^F^
May 5, 2010 at 8:39 pm #76819
In reply to: Here come the spammers!!!
Jeff Sayre (Participant)
Okay, per IRC dev chat, let’s use this thread for discussions on ideas to combat registration spam and other types of spam.
May 5, 2010 at 7:01 pm #76810
In reply to: Private Message Spam and Abuse
xspringe (Participant)
Even more spam now, coming from this user: https://buddypress.org/community/members/joymab/
May 5, 2010 at 6:48 pm #76807
In reply to: Here come the spammers!!!
Paul Wong-Gibbs (Keymaster)
Initial reaction from Jeff & I is that you detail what you have in mind before you dash off in one direction etc.
May 5, 2010 at 6:46 pm #76806
In reply to: Here come the spammers!!!
r-a-y (Keymaster)
@foxly – Come into the #buddypress-dev irc room on Freenode and let the team know what you have in mind!
You can also use a java web version of IRC if you don’t have a client:
http://java.freenode.net/?channel=buddypress-dev
May 5, 2010 at 3:16 pm #76765
Tosh (Participant)
I did actually, still shows the spammer as spam free.
May 5, 2010 at 2:54 pm #76762
thekmen (Participant)
did you try
if( $bp->loggedin_user->id == '59' ){
just to see if it works without the get_option('bp_spammer_cp_bp') bit?
May 5, 2010 at 2:49 pm #76761
Tosh (Participant)
Tried that, but now it treats the spammer and the person not marked as spam as spam free.
May 5, 2010 at 2:39 pm #76758
thekmen (Participant)
you are missing an =, should be:
if( $bp->loggedin_user->id == get_option('bp_spammer_cp_bp') ){
techguy (Participant)
xspringe,
There is someone doing a Google Summer of Code project which is working on a plugin for BP that will report objectionable content. I expect spam will be part of the objectionable content that can/will be reported with that plugin. You can support his efforts: https://buddypress.org/community/groups/bp-moderation/
xspringe (Participant)
And the spamming continues. Anyone else getting spammed?
May 4, 2010 at 1:11 pm #76568
In reply to: Spam registrations
stwc (Participant)
Use the search before posting. There are literally dozens of threads about this common problem.
May 3, 2010 at 7:58 pm #76487
In reply to: Private Message Spam and Abuse
5887735 (Inactive)
Thanks for the link. I’m going to try that if my current changes don’t work. I changed the register slug and added more required fields to the signup page. I’ll let you know if it works.
PS
Looking at that code it seems it still lets admins send PMs. If that’s true, could it also be changed to allow other “ranks” such as authors, subscribers, etc.?
May 3, 2010 at 7:05 pm #76485
In reply to: Private Message Spam and Abuse
r-a-y (Keymaster)
Try this until a more full-featured privacy component is available.
Remove send private message button for non-friends:
http://blog.etiviti.com/2010/03/buddypress-hack-remove-send-private-message-for-non-friends/
xspringe (Participant)
Got my second spam message as well. It seems to be affecting multiple BP installs, so I think it should be a high priority to do something about it.
May 3, 2010 at 6:35 pm #76476
In reply to: Private Message Spam and Abuse
5887735 (Inactive)
I’m getting these on my own site. These are spam bots and they found a way into BP. This should be a number one priority for BP. I’ve seen this stuff with phpbb and other CMS. It’s very easy for these people to bring down your site.
May 3, 2010 at 4:51 pm #76452
bobs12 (Participant)
1.1.x (whatever it was) was great. I had an activity stream widget on the front page, so I could immediately see (well, once I’d deleted all the spam registrations) who’d been doing what and where, and I could click to go and view the context and respond in the same place.
Now I get the feeling that BuddyPress is a platform for creating communities of BuddyPress users.
Now there is no profile wire (I renamed it to ‘wall’ because nobody understood what a ‘wire’ is) – it was an absolutely fantastic way for me to greet new users and have a bit of open chat with them.
Now there is this @username nonsense which I don’t understand myself (I am not and never will be a twitter user) – where does that post go? It shows up as if it’s my (Facebook-style) status update. Someone can reply to it but I can’t reply to their reply. All continuity has been lost. I can see the advantage of AJAX replies in the activity stream, but not when it seems a random factor whether the post will appear only in the stream or whether it will appear at source.
The default theme is awful (1.1.x or whatever I had was beautiful, right out of the box) – it took me forever just to get the home page working with two widget columns (surely that wouldn’t have been hard to include in the release?) but the profile page… ooooh no, it’s a disaster. In 1.1.x I had no problems tweaking the profile page to make it do what I want… with 1.2 it defaults to the awful activity stream and I have to click through to profile on every user to see if he comes from xgGT54GRerju and works at Ox8iHghuf34 before I delete him as a spammer.
I started using BP because I needed to replace an ancient platform that I’d written myself ages ago, and I wanted something reliable and extensible because I just don’t have the free time to work on my site anymore. BP 1.1.x was exactly what I wanted (I tried Elgg and some other yucky, heaving nonsense before stumbling on the beautiful BP).
But now it’s just gone off on an utterly bizarre tangent and lost all its intuitive user- (and admin-)friendliness.
I know it’s free and I know I’m moaning and not being productive, but I really can’t write plugins or themes for BP (much as I would love to – I can’t even work out how to put the wire back). I feel it’s very sad to see something so good (and so free) go so wrong.
May 2, 2010 at 8:27 am #76329
In reply to: Private Message Spam and Abuse
Kevin Ryman (Participant)
Yeah, I just got two spam private messages in the last two days. Here is the latest one:
Please reply back with my email (anabel . awaza 01 @ yahoo . co . uk)
Dearest,
How are you over there?
I know that you would be excited for the fact that you do not know who is writing.
Actually my name is Mis. Anabel Awaza,Please my dear i will like us to hold a good long time relationship with real love.and I have something very important that I need to share with you. I am very serious; I shall tell you more about myself and send you my picture in my next mail.please reply back with my email address (anabel . awaza 01 @ yahoo . co . uk))
Hoping to hear from you soonest.
Yours Anabel.
View Spammer’s BuddyPress profile:
https://buddypress.org/community/members/anabel4you/