Fake Accounts and SPAM Posts

elvisimprsntr

Well seems some script kiddies have found another way to automatically create random fake accounts and post SPAM, making the forums unusable.

Seems like there needs to be additional barriers to creating fake accounts.

Gertjan

@elvisimprsntr

additional barriers

That's problematic, as the bots are getting more 'intelligent' as some of the human (may I call them bottom tiers ?) subscribers.
The forum was usable (for me) as the spammer(s) posted only here : Home > pfSense Software > General pfSense Questions

fireodo

@Gertjan said in Fake Accounts and SPAM Posts:

as the spammer(s) posted only here : Home > pfSense Software > General pfSense Questions

Not only there also in https://forum.netgate.com/category/76/tnsr-feedback and in other parts of the forum too ...

Popolou

Seeing a lot of this lately elsewhere too. Over here, they seemed to be posting every few seconds since last night. Need to beef up the security.

jwt

Was up at 3am local dealing with this.

We’re on it

mvikman

Looks like the bot spamming is still continuing, at slower pace now though

fireodo

@mvikman said in Fake Accounts and SPAM Posts:

Looks like the bot spamming is still continuing, at slower pace now though

That was a huge amount of SPAM&Damage so I guess the cleanup work continues ...

Popolou

@fireodo Perhaps just lockdown any new signups and the bot will get the message.

Patch

I don't understand where the profit is in doing this. The motivations I can think of are

1. forum filter companies justifying their value

2. denial of service attack by a product or country or political competitor.

3. advertising for service spamming.

4. the thrill of achieving a successful attack.

5. A bot error

6. An angry ex-customer

For discrete attacks 3. could deliver a useful return. Not for the recent one here. Seams unlikely in this case as the intrusion would be negative for every forum user

fireodo

@Patch said in Fake Accounts and SPAM Posts:

I don't understand where the profit is in doing this.

Neither do I ...

elvisimprsntr

Well the script kiddies are at it again this morning.

Gertjan

@Patch

All of that, or something else.
Someone wants it to happen, that's for sure.

For myself, I think, as we live in a world where it has become 'easy' to be known worldwide, they are out for the likes, the attention, the view hits. All this can help to sell advertisements on the sites - sell products, or get a product known. "Feeding the buzz beast".

It could be as simple as as "see If they can do it".

Spam forum posts today? Tagging with paint the concrete walls yesterday. Tomorrow, the 44K Starlink satellites will laser project our entire sky ?

edit : the spam scripts has been updated : now they are posting in every forum section.

elvisimprsntr

Are all the [redacted] fake accounts and SPAM posts coming from a particular CIDR blocks or TOR exit nodes?

Gertjan

@elvisimprsntr said in Fake Accounts and SPAM Posts:

from a particular CIDR blocks or TOR exit nodes?

I put my chances on "change particular for big variety".
I can see the poster's IP's but if it was a /24 or /16 (IPv4) or /56 or even /32 (IPv6 both ) then a one click acrion would block them all.
The thing is : it isn't as easy as it looks.

All torrent exit nodes, or VPN (Shark, Nord, Express and friends) exit nodes are already mostly known and IP listed. So easy to one-click ban them all, but this would also block all the other forum visitors that need to use a VPN (is this actually a thing ? ) to visit this forum.

As usual, the visiting diversity of IPs used look more like a soft DDOS attack : hundreds of posts on the forum coming from as much different IPs.

Btw : I hope to be wrong, of course ^^
@johnpoz ; You can see the IPs : any thoughts ?

Marc05

It seems more like targeted attack than random bots, but who knows...

johnpoz

@Gertjan yeah I can see the IPs - and lots of vpns on the ones I checked.. But not just 1 vpn, ie saw many of the major vpn players then my daily quota of checking ran out at the site I use. But also lots of IPs just from known spammer countries.. If me I would just block all those countries.. I mean I have asked a few times to run a analysis on known users from those countries - do we have even one valid user from them? All of the IPs were coming from either VPN, or vps providers from what I could tell.. Saw a few DO netblocks, which I blocked. Nothing good would ever come from DO..

But it does seem insane the amount of it coming in when it happens.. Either the spam filter was doing a way better job than I thought or yeah seemed like a targeted attack.. last night I clear up 46 different posts.. Normally we would see 1 or 2 posts from an account.. I saw 13 from one, 9 from another.. And while I was cleaning up those 4 more new accounts, etc. Previous round of flooding I saw one account with 18 posts in just a few minutes.

Something that was working, is for whatever reason not currently - maybe they found a way thru the spam filter? All of the posts have the exact same sort of format. And were all posting phone numbers of how you could do something, contact a real person, call some company for a problem.. Clearly trying to get their SEO up what it looked like to me.

Maybe the spam filter doesn't see phone numbers as possible spam and only links to websites?

Many of the posts had broken variables posted vs a value, like a script that fails - sure everyone has seen those in spam email they get, etc. But they were not your typical sort of spam where someone seems to answer a question in the thread with a link to where you could find more info on the subject matter, etc. Nobody in their right mind would see that post on the forum and think oh great I will call that number next time I have a problem with X company ;) They have to be a targeted way to get some seo up on these phone numbers when googling for where to call, etc.

In one way the seeing the amount of spam seems to indicate that the forums are popular, etc. And we make a good target for such shenanigans.. Maybe if not so popular we wouldn't get so much spam..

Antibiotic

@Gertjan said in Fake Accounts and SPAM Posts:

For myself, I think, as we live in a world where it has become 'easy' to be known worldwide

I'm from Moon.

Gertjan

@johnpoz said in Fake Accounts and SPAM Posts:

Normally we would see 1 or 2 posts from an account.. I saw 13 from one, 9 from another.. And while I was cleaning up those 4 more new accounts, etc. Previous round of flooding I saw one account with 18 posts in just a few minutes.

Is initial rate (== post) limiting possible ?
Like : new users can post 2 new forum posts in 24 hours, and this limit will go away after X days, or 5 upvotes, whatever comes first.

I mean : some (new) pfSense user decides to sign up and ask a - just one - question ? A legit person doesn't open 18 different post all over the place - and if he had 18 different questions, he would post them all in in the General Section, even of the majority of the questions are (for example) DNS related .... ;)

This one : if a user edits his post, then it surely must be a human !

What about : if the new forum user produces a valid ID (from these) :

Netgate 4100
Serial: 2014321874
Netgate Device ID: e57dfcd41dc5ad5afb223

then the "post rate limiting" is skipped right away as the new member is using a real pfSense.
I presume these are "IDs" are avaible somewhere within the same Netgate walls ^^

Anyway, just thinking out loud here.

@johnpoz said in Fake Accounts and SPAM Posts:

In one way the seeing the amount of spam seems to indicate that the forums are popular, etc. And we make a good target for such shenanigans.. Maybe if not so popular we wouldn't get so much spam..

About that : before, AFIAK, forum stats existed.
But I get it, showing that the forum has tens of thousands of forum members, and hundreds of thousands (a million soon) forum post ... that doesn't go unnoticed so I agree : don't show these stats (anymore).

johnpoz

@Gertjan I just did google for one of the phone numbers in just a new spam that popped in.. And you see that number on many a forum posts from all over the place in the last few days..

I mean a lot of different forums.. So clearly its not targeted at just pfsense forums.

Pippin

@johnpoz said in Fake Accounts and SPAM Posts:

maybe they found a way thru the spam filter?

Think so, OpenVPN forum has been hit also, close to 30000 posts the last few days.