site being hacked

Viewing 25 posts - 26 through 50 (of 89 total)

    #1921325
    drowning in spam
    Member

    @leaftye

    Locale: SoCal

    Archaic forum software

    A single moderator

    Handicaps placed on that single moderator

    Frankly, I'm surprised this site isn't more popular with spammers.

    #1921348
    Roger Caffin
    BPL Member

    @rcaffin

    Locale: Wollemi & Kosciusko NPs, Europe

    Hi all

    > I know its not this simple but block his user name or block his IP address!
    As soon as I am notified I block the poster from sending any more. That's simple.
    The problem is that sometimes they post while I am asleep – literally, as I live in Australia. Other times I am out working on the farm or something. So sometimes they have a window to work in.

    When it was just one or two postings I was able to delete them by hand. I imagine you will all understand that with a spam attack of this magnitude I simply don't have the hours in the day to delete each one separately. (In case you are wondering, I am not paid for this.) I have asked Ryan J to organise some way for me to 'delete all postings by X'. I have no idea whether this is even possible with the Forum SW we have.

    Moderation: well, that is tricky. What happens when I am away for a week in the bush? A new reader would have to wait till I come back. Is this acceptable?
    Even if we put that in place, all they have to do is register half a dozen names, wait until those names are approved, then let rip using one name after another.
    On low traffic sites new registrants have to have their first dozen postings 'approved'. But with the number of new registrations we get every day, that would become a full-time job (=$$$).

    Problems, problems…

    Cheers
    Roger Caffin

    #1921352
    John Donewar
    BPL Member

    @newton

    Locale: Southeastern Texas

    "On low traffic sites new registrants have to have their first dozen postings 'approved'. But with the number of new registrations we get every day, that would become a full-time job (=$$$)".

    "Problems, problems…"

    At a place where I used to be employed I heard it said that if you knew of a particular problem it was no longer a problem. It then became something you should either fix or go around. Which one are we doing here at BPL?


    @Roger,

    Thank you for all that you do in regards to these SPAM attacks on our forum!


    @Ryan J,

    Roger said, "In case you are wondering, I am not paid for this".
    and "But with the number of new registrations we get every day…"

    You currently have "compensated" employment opportunities listed on the home page of BPL.

    BPL premium members and lifetime members have paid to support this forum. Unless I am sadly mistaken those irritating little ads that appear at the bottom of our posts also generate income for BPL.

    Please use some of these funds to offer a "compensated" position with BPL for a forum moderator(s) that can deal with these issues and or update the software. If even a quarter of those new registrations are paying members reinvest those funds into the software and / or a compensated moderator position.

    I always try to be positive, informative and helpful when I can on this forum. I apologize for the tone of this post. I know that this problem isn't easily fixed but it needs to have the proper tools put into place for the fix.

    Party On,

    Newton

    #1921366
    Ken Thompson
    BPL Member

    @here

    Locale: Right there

    @ John Remember RJ's letter to MLifer's? He said there will be no changes for the next long while. (can't give specifics here as RJ thinks it's top secret) I've volunteered for moderator a few times through the years. I'm here enough, could do something actually productive.

    #1921370
    Steve G
    Member

    @sgrobben

    Locale: Ohio

    Learn SQL and you can delete all posts from a single User (or any number of users) from your DB in less than a second. It is a trivially simple thing to do. You can also filter new posts containing certain keywords (I.e. "Tiffany") from "new" users and throw them into a moderation queue without much effort.

    Adding more moderators cleans up the mess, but why not solve the problem.

    #1921379
    Erik Basil
    BPL Member

    @ebasil

    Locale: Atzlan

    The proliferation of new spam attacks is directly related to the maintenance of the first wave of posts without deletion.

    It may be a PITA to delete posts, one by one, but I strongly suggest whoever has that capability begin doing that in batches of time you can tolerate, immediately. Wait another week without action and the forums will be obliterated.

    BTW, I am aware of the shortcomings in the CMS and BBS software, but the point here is that — so are others. (In the event owner/admins read here, I renew my free offer from the mega thread about M…)

    #1921381
    Jerry Adams
    BPL Member

    @retiredjerry

    Locale: Oregon and Washington

    Since the messages remain, if the intention is to Optimize Search Engine results, well, they've succeeded.

    Maybe Ryan could even get a volunteer to create a one click method to delete user and all their posts.

    #1921434
    Dena Kelley
    BPL Member

    @eagleriverdee

    Locale: Eagle River, Alaska

    Does BPL need some volunteer mods? I would volunteer. I am online most days for many hours and have time to delete some of these SPAM posts. I would agree to only address the SPAM posts and to relinquish moderator status after the spam attacks stop. If that would help. I do have experience as a moderator, I am an admin on another forum although I believe the software is somewhat different but probably has similar functions that I could learn quickly.

    #1921435
    Jerry Adams
    BPL Member

    @retiredjerry

    Locale: Oregon and Washington

    I'll volunteer to be a moderator.

    And delete any posts I disagree with : )

    #1921487
    Harald Hope
    Spectator

    @hhope

    Locale: East Bay

    bpl is getting hit by not running its own forum software. These are all fully automated attacks, it's useful to stop thinking of spammers as people, the stuff is done by tools running automatically through lists of targets, and other lists of targeted links and search phrases, with some customization possible. The spamming software tools used just saw a huge improvement in quality, far more robust than they used to be, Russians tend to be very good at this game.

    By allowing posts to remain, you are providing a high quality target in terms of seo (search engine optimization, aka, spammers) with high value pages, about the best they could hope for. You need to remove all spam postings as soon as you humanly can, deputize a few people if you need to, otherwise you're going to have even worse problems. Remember, a spam posting is NEVER made by a real person, so the procedure should always be this: detect new spammer username, get list of all posts done by user, freeze user asap, but do not delete yet, then delete all postings by that user, then delete the user, tedious, but if you do it fast enough, not too bad usually. Also, they don't usually post too much until they think they can get away with it.

    I've pm'ed roger about some technical issues that don't benefit from public discussion, but if you don't get a handle on this quickly you may have bigger problems.

    Flagging postings etc does little good, though it can help find postings that the mods may have missed. Ignoring or leaving up spam postings, as bpl has been doing, is NOT one of your options, unless you want to terminate this site and move on with life.
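Steve G's point that deleting every post by one registration is a one-statement job, plus his keyword-to-moderation-queue idea, and the freeze-first, delete-posts, delete-user order Harald lays out, worked through as an added example. This is not BPL's forum software and not code from anyone in the thread: the two-table schema, the account names, the 40 constructed spam posts and the fixed clock are all assumptions made up for the example, and SQLite is used only because it runs in memory with no setup.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample schema for the example; a real bulletin-board package
# has its own tables, but the shape (users, posts keyed by user) is typical.
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    name       TEXT UNIQUE NOT NULL,
    registered TEXT NOT NULL,          -- ISO-8601 timestamp
    frozen     INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE posts (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    body    TEXT NOT NULL,
    posted  TEXT NOT NULL
);
"""

NOW = datetime(2013, 1, 15, 9, 0)   # fixed clock so the example is reproducible


def open_sample_db():
    """Return an in-memory database holding constructed users and posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    users = [
        ("rcaffin",    (NOW - timedelta(days=3000)).isoformat()),  # long-standing member
        ("newhiker",   (NOW - timedelta(days=3)).isoformat()),     # genuine newcomer
        ("tiffany_x9", (NOW - timedelta(hours=6)).isoformat()),    # constructed spam account
    ]
    conn.executemany("INSERT INTO users(name, registered) VALUES (?, ?)", users)
    ids = {name: uid for uid, name in conn.execute("SELECT id, name FROM users")}
    posts = [
        (ids["rcaffin"],  "Stove test results attached.", (NOW - timedelta(days=1)).isoformat()),
        (ids["newhiker"], "Which quilt for 40F nights?",   (NOW - timedelta(hours=2)).isoformat()),
    ]
    for n in range(40):  # the kind of 'spam-storm' the thread describes, one account, many posts
        posts.append((ids["tiffany_x9"],
                      f"Cheap Tiffany bracelets #{n} http://example.invalid/{n}",
                      (NOW - timedelta(minutes=n)).isoformat()))
    conn.executemany("INSERT INTO posts(user_id, body, posted) VALUES (?, ?, ?)", posts)
    conn.commit()
    return conn


def posts_by_user(conn, username):
    """Step 1 of the procedure: list every post id belonging to one registration."""
    rows = conn.execute(
        "SELECT p.id FROM posts p JOIN users u ON u.id = p.user_id "
        "WHERE u.name = ? ORDER BY p.id", (username,)).fetchall()
    return [r[0] for r in rows]


def purge_spammer(conn, username):
    """Freeze the account, delete all its posts, then delete the account, atomically.

    Freezing first means the bot cannot keep posting while the clean-up runs.
    Returns the number of posts removed; raises for an unknown name so that a
    typo in a username cannot silently do nothing.
    """
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        raise LookupError(f"no such user: {username}")
    uid = row[0]
    with conn:  # commits on success, rolls back if anything fails half-way
        conn.execute("UPDATE users SET frozen = 1 WHERE id = ?", (uid,))
        cur = conn.execute("DELETE FROM posts WHERE user_id = ?", (uid,))
        deleted = cur.rowcount
        conn.execute("DELETE FROM users WHERE id = ?", (uid,))
    return deleted


def needs_moderation(conn, username, body, keywords, new_account_days=30, now=NOW):
    """Steve G's second suggestion: hold a post for a moderator when it comes from a
    'new' account and contains a watched keyword. Established accounts are never
    held, so the keyword list can be aggressive without annoying regulars."""
    row = conn.execute("SELECT registered, frozen FROM users WHERE name = ?",
                       (username,)).fetchone()
    if row is None or row[1]:
        return True                      # unknown or frozen account: never publish directly
    age = now - datetime.fromisoformat(row[0])
    if age > timedelta(days=new_account_days):
        return False
    text = body.lower()
    return any(k.lower() in text for k in keywords)
```

Two design points worth noting: the whole purge runs in one transaction, so a crash between deleting the posts and deleting the user cannot leave a half-cleaned account; and it is a hard delete, which is what the thread asks for, though a site that wants evidence for later abuse reports might set a hidden flag instead and let a scheduled job remove the rows.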

    #1921494
    Greg Mihalik
    Spectator

    @greg23

    Locale: Colorado

    Captcha, or "challenge-response", would do the trick…
    PITA, but so was last night.

    "Get a Free CAPTCHA For Your Site"

    "A free, secure and accessible CAPTCHA implementation is available from the reCAPTCHA project. Easy to install plugins and controls are available for WordPress, MediaWiki, PHP, ASP.NET, Perl, Python, Java, and many other environments. reCAPTCHA also comes with an audio test to ensure that blind users can freely navigate your site. reCAPTCHA is our officially recommended CAPTCHA implementation."

    CAPTCHA

    #1921496
    Harald Hope
    Spectator

    @hhope

    Locale: East Bay

    nothing you believe will work works, trust me on this. Captchas make them laugh. Google did some very advanced ones and they had them cracked, full automation, within weeks, maybe days. That's why spammers like using automatically generated gmail accounts so much. Even when captchas did work, briefly, they just would pass it to a low paid drone somewhere to fill the stuff out, then pass it back, but they don't need to do that anymore. Most turing test type question/answer stuff also doesn't work anymore, though some does if done right, at least for automated attacks.

    The takeaway when dealing with spammer and virus authors and so on is to realize that they are really far ahead of you, always. That's because they do it for a living, and have more incentive to stay ahead.


    Yes, recaptcha was what was cracked in the latest versions of the spamming software, again, using those methods doesn't work. Hasn't for years. Might work until the next software update is released for new stuff, but recaptcha was specifically noted as a feature that was cracked.

    The ways that work, by the way, have also been known for years, and they don't include relying on captchas.

    #1921520
    David Thomas
    BPL Member

    @davidinkenai

    Locale: North Woods. Far North.

    I too, moderate on other forums and would be happy to have a "delete" button for these clear-cut cases. I DON'T want to police other issues, but as has been pointed out, there's a sort of yeast-growth law to these attacks and there's much less clean-up the sooner you get started. Ideally you'd have people throughout the time zones – Roger is obviously up while most of us sleep. Here in Alaska, I'm often up when the forum has quieted down between 48-state and Aussie waking hours.

    #1921583
    Ken Helwig
    BPL Member

    @kennyhel77

    Locale: Scotts Valley CA via San Jose, CA

    So here's a question….if we were to have a few moderators and as moderators do, they police the site. If someone gets snippy or downright awfully rude…..And that person was a subscriber or a MLIFE person, and they had to be banned. How would that happen. Do you refund the person? Dunno I don't like the idea of others defining behavior on here. I feel we do a good enough job self policing. As for the spam? That is quite disheartening to see. But how often does this happen? Moderator? No

    #1921585
    drowning in spam
    Member

    @leaftye

    Locale: SoCal

    People have been recommending and volunteering for moderators for at least the past year. Most of the recommendations here have been recommended in other threads as well. Some of the recommendations may cost more or require more technical prowess than Ryan or Addie can provide. Extra moderation is free.

    For new guests and guests that were once paying members, how would you feel about paying for MLIFE membership on a site that won't even take easy free steps to keep it viable? With the payoff being 5 years, I can't see this site lasting that long regardless of membership.

    With this kind of response to spam, a malicious attack by an amateur may be all it takes to end this site permanently.

    The point is, the response to spam doesn't inspire confidence. It makes me regret that I paid BPL with a credit card in the past. I've since had to cancel that credit card. I'm not saying the fraudulent activity on my credit card was the fault of BPL due to lax security as I simply don't know, but it wouldn't surprise me if it was. There's no way I'm renewing my membership unless I can pay via Paypal or some other reputable intermediary.

    #1921590
    Roger Caffin
    BPL Member

    @rcaffin

    Locale: Wollemi & Kosciusko NPs, Europe

    Hi all

    We have a partial solution. I stress – only partial. Background (provided to me by a BPL reader with greater knowledge about the SoTA than me): the standard spamming SW has recently been upgraded so it can now attack Forums with greater 'skill'. (Who wrote that stuff? A dark alley is needed.)

    What this also means is that the spam is coming from a bot, not from a person. Interesting. That allows counter-measures.

    When you click on the Report Posting button I get an email pointing to the posting and the poster. It used to be that Addie also got the message, but Addie is on leave having a baby. When there are a lot of emails with the same heading close together, Gmail lumps them into one thread. I have a stack of email threads with over 60 emails in each thread, all re spam! No complaints mind you: those Reports are vital!

    So I get a pointer to the spammer registration. When I go to the page with registration details for the spammer, it lists all the postings for that registration. Doubtless many of you have looked at your own pages? Anyhow, some time ago we implemented a special button which allows me to 'mark as spammer', which blocks that person/registration from doing any more postings. Ben K has just now added a second button saying 'delete all postings by spammer'. So, the Forum threads are now nice and clean again. Just two button clicks per source.

    But what happens when the spammer SW gets updated to snow-storm us with registrations? Sigh.

    I said 'partial'. A full solution is to 'moderate' all new registrations, so that their first few postings have to be approved before they appear. If a spammer registered and then tried to spam-storm us, I would get an email about the first few postings before they appear. This would block the spammer, at the cost of just a small effort. Alternately we could set it up so the spammer has to reply to a 'random' Q from me about backpacking. That would also block bots.

    But it would mean that a newcomer would not be able to post anything until I had woken up, attended to my email, and approved the posting. We haven't done this YET, because of the frustration it would create. Will we need to? We don't know yet.

    Cheers

    #1921617
    Dena Kelley
    BPL Member

    @eagleriverdee

    Locale: Eagle River, Alaska

    Thanks Roger.

    #1921618
    Harald Hope
    Spectator

    @hhope

    Locale: East Bay

    Eugene, I want to make very clear, I'm not talking in any pro/anti bpl manner in this statement, only a purely technical response, but the issue of automated forum spamming is totally unrelated to credit card processing or site or member security. No hacking is involved, there is nothing at all connected. No server security is or was compromised, spamming of this type is NOT cracking or hacking. Millions, literally, of websites that feature automated member signups have this problem, and the problem has gotten much worse this year.

    Again, this is not related to bpl members/non-members happiness/unhappiness, that's a fine topic for chaff or whatever, but on a technical level, there is nothing at all risky about such spamming in terms of site and server security, absolutely nothing. Now, if you click on the links they post, well, then you're on your own, those links can lead to nasty things, so don't do it. Same as for email spam in that way. Hopefully you all know this, if not, now you do.

    bpl has just been spared the worst of this in the past, and they have responded quite well to this relatively new issue, so I don't fault them at all in this case, it's a weird world out there in the interweb, bpl was just sheltered from it. Dealing with these issues can be hard, so cut the guys some slack, this isn't the same as gear questions, it's a different part of the world.

    #1921619
    Anonymous
    Inactive

    "But it would mean that a newcomer would not be able to post anything until I had woken up, attended to my email, and approved the posting. We haven't done this YET, because of the frustration it would create."

    Sounds like an object lesson in delayed gratification, a novel concept I admit in this I WANT IT AND I WANT IT NOW age. Hopefully it won't come to that, but if it does I should think any reasonable person would be understanding.

    #1921622
    Eric Lundquist
    BPL Member

    @cobberman

    Locale: Northern Colorado

    Roger,

    Thank you for taking the time and explaining the process by which BPL moderators remove the spam posts. It's great that we are now able to delete their posts as well as just marking them as spam. I think that limiting a new user to wait for approval of their comments would jeopardize new followers. Instead of a backpacking question chosen by you and thereby approved by you, could we setup a few rotating backpacking questions (yes/no, multiple-choice) as part of the new user signup page instead?

    #1921626
    Mary D
    BPL Member

    @hikinggranny

    Locale: Gateway to Columbia River Gorge

    Roger, that's wonderful that you were able to get rid of the spam accumulation!

    The site I help moderate (backpacking.net) doesn't get the amount of traffic this one does, so it's easier to manage. So far, we haven't gotten nearly the volume of spam. Finally, we have ten moderators instead of one–all but one (the site owner) are volunteers who have been invited to participate by the site owner. All of us are frequent contributors who have been members for quite a few years and are on the site at least daily and usually several times a day. I generally check early in the morning (by which time any spam has usually been removed by those in an earlier time zone) and before going to bed (when I occasionally catch a few).

    Actually, we do not invariably check all new posters. Instead, when reading new posts on the forums (again, not as many as here), we watch for spammers and for those who make a number of inconsequential posts (such as "I like that" and "I agree") or posts in completely incomprehensible English ("There is a group that is by means of goats to keep the balds approximately Roan Mountain bald. They are consumption back the insidious variety that have infiltrated into the area."). (Yes, that's an actual recent sample!) The favorite tactic lately seems to be to post 10-15 such posts and then insert a spam link into them. When we look up the IPs for the latter, they are often from Asia. Of course we don't ban anyone on the basis of IP source and/or poor English–we enjoy having genuine contributors from overseas! We have a forum branch for moderators only where we communicate about such folks so everyone can keep an eye on them. We don't ban anyone until the actual spam appears. I've often used that branch to ask for consensus on a dubious post before deleting it or banning the poster.

    The forum has a rule about not allowing "for sale" ads until the member has made ten "approved" posts (meaning posts with some content). That's another reason we watch for inconsequential posts, to catch those trying to get to the 10 post mark only because they want to post a classified ad. The software doesn't allow posting in the classified ad branch for those with less than 10 posts. Exceptions can be made by the site owner. We have banned a few who have posted 10 inconsequential posts within a few days just to be able to post an ad.

    Our main defense against a wholesale attack such as the last two on BPL are alert members (which BPL also has) and enough moderators that at least one of us will find out within an hour. I haven't seen a mass delete feature; I suspect only the site owner can do that. I suspect there are other safeguards in the forum software (a standard bbs software package) that I don't know about.

    As far as BPL goes, I think having 20 or so volunteer moderators in various parts of the world would go quite far in halting spambot attacks like the two recent ones before they become overwhelming–which they certainly did last night! I don't know how BPL can possibly manage with only one or two moderators!

    #1921631
    Ken Helwig
    BPL Member

    @kennyhel77

    Locale: Scotts Valley CA via San Jose, CA

    Dead set against "volunteer moderators" why? Most on here have paid for a subscription, be it yearly or life. I don't want others telling me what to do on here or to play nice so to speak. Nope, totally against it. I paid for many years on here and do not need others, who are my peers, telling me how to conduct myself.

    #1921637
    Mary D
    BPL Member

    @hikinggranny

    Locale: Gateway to Columbia River Gorge

    The alternative is continuing wholesale spam attacks like last night. Which would you rather have? Actually, this is completely up to Ryan, as the site owner. As mentioned earlier, I'm not volunteering for BPL because I already have responsibilities elsewhere. Also, I haven't been a member here that long. Ken, I'm quite sure you're not planning to spam this site!

    Maybe there's an easy and cheap software fix to block more than, say, 10-15 posts per hour. Or more than 5 posts per day from a new member (under 30 days). Might be something to look into! If it's not an easy and cheap fix, though, the site won't get it (per Ryan).

    #1921643
    Nick G
    Member

    @hermesul

    1. Maximum of two posts per new user (until approved). This wouldn't eliminate it, but it'd cut down the speed of the hacking dramatically.
    2. Volunteer "Registration Moderators" which ONLY have the power to approve new users, based on their response to a simple registration question, such as "Why are you interested in lightweight backpacking" or "What are the five most important items in your pack?". Questions that would be fun and easy for an interested user to answer, and could even be posted to the new user's profile to make it more interesting (I know mine is boring as heck). You could even open the power of approving new users to all paying and/or established users without consequence.

    I like the second option. Both options would eliminate the lapse time and human that comes with everyone having to stare at spam posts until Roger wakes up.

    #1921645
    Mary D
    BPL Member

    @hikinggranny

    Locale: Gateway to Columbia River Gorge

    I think it would be safe to limit the automatic limit or volunteer moderation to non-paying members only. If a spammer is willing to pay $25, let him/her spam! :-)
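Mary D's per-hour and per-day caps, Nick G's two-post ceiling for accounts nobody has approved yet, and Mary D's exemption for paying members, combined into one posting-policy check as an added example. It is not the forum's code and not anyone's posted code: the thresholds are the numbers floated in the thread, used here as defaults; the Member record, the in-memory post history and the simulate() helper are assumptions made for the example, and a real site would persist the history and prune old timestamps.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Member:
    """Constructed account record; real forum software stores these fields differently."""
    name: str
    registered: datetime
    paid: bool = False       # subscriber or lifetime member (Mary D's exemption)
    approved: bool = False   # a registration moderator has vetted the account (Nick G)


class PostingPolicy:
    """Per-account posting limits. Defaults are the figures suggested in the thread,
    chosen here as assumptions, not the site's real settings."""

    def __init__(self, per_hour=12, new_member_per_day=5, new_member_days=30, unapproved_max=2):
        self.per_hour = per_hour
        self.new_member_per_day = new_member_per_day
        self.new_member_days = new_member_days
        self.unapproved_max = unapproved_max
        self._history = defaultdict(list)   # name -> timestamps of accepted posts

    def _count_since(self, name, since):
        return sum(1 for t in self._history[name] if t >= since)

    def check(self, member, now):
        """Return (allowed, reason). Does not record the post; call record() once published."""
        if member.paid:
            return True, "paid member: limits not applied"
        total = len(self._history[member.name])
        # Most restrictive rule first: an unvetted account gets a fixed handful of posts.
        if not member.approved and total >= self.unapproved_max:
            return False, f"unapproved account already has {total} posts; awaiting moderator"
        # Accounts younger than new_member_days get a daily cap.
        if now - member.registered < timedelta(days=self.new_member_days):
            if self._count_since(member.name, now - timedelta(days=1)) >= self.new_member_per_day:
                return False, f"new account exceeded {self.new_member_per_day} posts in 24h"
        # Everyone who is not paying gets an hourly cap, which is what stops a spam-storm.
        if self._count_since(member.name, now - timedelta(hours=1)) >= self.per_hour:
            return False, f"exceeded {self.per_hour} posts in one hour"
        return True, "ok"

    def record(self, member, now):
        self._history[member.name].append(now)


def simulate(policy, member, start, count, spacing):
    """Submit `count` posts `spacing` apart and return how many the policy accepted."""
    accepted = 0
    for i in range(count):
        t = start + spacing * i
        ok, _reason = policy.check(member, t)
        if ok:
            policy.record(member, t)
            accepted += 1
    return accepted
```

The order of the checks matters: the unapproved-account ceiling is tested first because it is the tightest, so a freshly registered bot is stopped after two posts regardless of how fast it submits, while an approved newcomer only meets the daily cap and a long-standing member only the hourly one.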
