Hi Paul and everyone,

It's finally happened: between Christmas Eve and Christmas Day, my hitherto spam-free miniBB-powered forum was hit hard by spam. :-(

Over 400 new threads--different topic names but same content packed with hyperlinks--had been posted consecutively, before the spammer was stopped.

Server logs reveal over 3,000 requests from IP 66.23.235.114, in a 12-hour period. Deleting all the messages in the pre-moderation queue was a manual affair--not fun!

I have put in an order for the official CAPTCHA plugin. It is hoped installing the plugin will help reduce automated spam and maybe even slow down manual spam.

I am of two minds about whether the spam attack was automated or not--maybe it was part manual and part automated: human to register and confirm registration; machine to do the posting.

Perhaps someone would not mind taking a look below, at a small sample of the pertinent server log entries (29 lines covering not quite 5 minutes of the spammer's activities, starting from the time of signing up), and tell me what he/she thinks.

Thanks and cheers -
marsbar

--
Log entries (just the first 29 out of 3000+ entries):

66.23.235.114 - - [24/Dec/2010:17:41:21 -0800] "GET /forums/index.php?action=registernew HTTP/1.1" 200 19301 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:41:21 -0800] "POST /forums/index.php? HTTP/1.1" 200 5542 "http://domain/forums/index.php?action=registernew" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:40 -0800] "GET /forums/index.php HTTP/1.1" 200 22793 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20424 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19893 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19893 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:41 -0800] "GET /forums/index.php?action=vtopic&forum=1 HTTP/1.1" 200 27763 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:42 -0800] "GET /forums/index.php?action=vtopic&forum=1 HTTP/1.1" 200 27763 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:42:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:40 -0800] "GET /forums/index.php HTTP/1.1" 200 22890 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20375 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19844 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19844 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:41 -0800] "GET /forums/index.php?action=vtopic&forum=10 HTTP/1.1" 200 24422 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:42 -0800] "GET /forums/index.php?action=vtopic&forum=10 HTTP/1.1" 200 24422 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:43:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=10" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:40 -0800] "GET /forums/index.php HTTP/1.1" 200 22826 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:40 -0800] "POST /forums/index.php? HTTP/1.1" 302 20395 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19864 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19864 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:41 -0800] "GET /forums/index.php?action=vtopic&forum=5 HTTP/1.1" 200 24384 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:42 -0800] "GET /forums/index.php?action=vtopic&forum=5 HTTP/1.1" 200 24384 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:44:47 -0800] "POST /forums/index.php? HTTP/1.1" 200 5565 "http://domain/forums/index.php?action=vtopic&forum=5" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:39 -0800] "GET /forums/index.php HTTP/1.1" 200 22789 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:39 -0800] "POST /forums/index.php? HTTP/1.1" 302 20378 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:40 -0800] "GET /forums/index.php HTTP/1.1" 200 19847 "http://domain/forums/index.php?action=loginfrm" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:41 -0800] "GET /forums/index.php HTTP/1.1" 200 19847 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:41 -0800] "GET /forums/index.php?action=vtopic&forum=15 HTTP/1.1" 200 23738 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
66.23.235.114 - - [24/Dec/2010:17:45:42 -0800] "GET /forums/index.php?action=vtopic&forum=15 HTTP/1.1" 200 23738 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"

These days captcha on the forum is a must, I wouldn't start a serious forum (or even a contact form) without it. The premium one is very good.

I tend to think it's a manual spam - because the IP at each post attempt is the same. Most auto spam generate a different IP each time.

And it's not a coincidence it happened during the holidays, spammers think websites don't have any administration during that time, watch for the New Years Eve too.

Hi tom322,

That is good to know! I ordered a copy yesterday; I hope to be granted access to the script soon.

I see! But ... 12 hours of continuous activity? Amazing.

Oh the scumbags think of everything, don't they! My colleagues and I will remain extra vigilant over the holiday season.

Thanks, tom322, for your helpful advice.
All the best -
marsbar

Our board was spammed a bit too these days.

If you don't have the Captcha enabled for members posting, it's quite possible to register manually and then program the script which will work automated way.

So enable Captcha also for members who did less than X posts (defined in settings), to prevent this issue.

If you have some other ways to prevent it, let us know.

Many thanks for your advice, Paul; I'll get busy to get CAPTCHA set up!

The sheer volume of messages left by the spammer last weekend caused quite a headache for those clearing the pre-moderation queue. The moderator who did most of the hard work provide me with some feedback on the pre-moderation plugin, which I will email you for your consideration.

Cheers -
marsbar

I suppose, the issue is not related to Premoderation queue or add-on, or the software itself. It's about server's security - if there is mass of bulk POST data coming from the same IP within few hours, the server SHOULD react on it internally. If it doesn't react, it's possible to flood it using any other software, not just miniBB. As I know, most latest Apache versions have this kind of flood protection.

I've got your suggestions. We should prevent the posting of the message itself, not build the premoderation queue some tricky way - it won't help. One of the solutions is to allow certain members (let's say new members) to not post more than X messages per day from the same IP.

I wouldn't agree with that - a unique IP-address is a rarity nowadays. Even if spammers may use different IP addresses, they would go for such move only having a highly profitable task known. Without making money, rotating IPs has no sense.

And I think, in this case there was just a "simple crime" involved - somebody INTENTIONALLY had a purpose to flood the forum, if it lasted for few hours.

Thank you, Paul, for your prompt and helpful reply.

I have reported the abuse to my web host. Instead of being alarmed, tech support's reply was simply to block the offender's IP. !!!! *O crystal ball, please tell me what IP I need to ban to prevent the next attack!*

You are right: we ought to concentrate on finding ways to prevent the message queue from being flooded in the first place.

Yes, my colleagues and I have been thinking along similar lines:
allow only x messages per day per ID (EVERY registered member, including the pre-moderated) - admin and moderators are exempt from the rule.

Which would make better sense and be more effective in getting the desired result? And would either rule be easy to implement - preferably without touching the core?

Cheers -
mb

I would use CAPTCHA and .htaccess together to block unwanted messages. In The Perishable Press blog there's a series of "Blacklists" which are created to block spammers etc.

Modern hosts are too *dumb* to provide you more human replies, because mostly they are build by automated solutions and machines ;-)

Blacklists won't help a lot, too. Specifically, in blacklists there are often listed "valid" sites. As I know, minibb.com is listed in many blacklists with no reason - may be just because of competitors requests.

Yes, it's possible to build on the add-on's level a limitation of posts per day from the certain IP. I see you have continued the similar thread, so let's bring our discussion over there.