Fake Accounts and SPAM Posts
-
@mvikman said in Fake Accounts and SPAM Posts:
Looks like the bot spamming is still continuing, at slower pace now though
That was a huge amount of SPAM&Damage so I guess the cleanup work continues ...
-
@fireodo Perhaps just lockdown any new signups and the bot will get the message.
-
I don't understand where the profit is in doing this. The motivations I can think of are
-
forum filter companies justifying their value
-
denial of service attack by a product or country or political competitor.
-
advertising for service spamming.
-
the thrill of achieving a successful attack.
-
A bot error
-
An angry ex-customer
For discrete attacks 3. could deliver a useful return. Not for the recent one here. Seams unlikely in this case as the intrusion would be negative for every forum user
-
-
@Patch said in Fake Accounts and SPAM Posts:
I don't understand where the profit is in doing this.
Neither do I ...
-
Well the script kiddies are at it again this morning.
-
All of that, or something else.
Someone wants it to happen, that's for sure.For myself, I think, as we live in a world where it has become 'easy' to be known worldwide, they are out for the likes, the attention, the view hits. All this can help to sell advertisements on the sites - sell products, or get a product known. "Feeding the buzz beast".
It could be as simple as as "see If they can do it".
Spam forum posts today? Tagging with paint the concrete walls yesterday. Tomorrow, the 44K Starlink satellites will laser project our entire sky ?
edit : the spam scripts has been updated : now they are posting in every forum section.
-
Are all the [redacted] fake accounts and SPAM posts coming from a particular CIDR blocks or TOR exit nodes?
-
@elvisimprsntr said in Fake Accounts and SPAM Posts:
from a particular CIDR blocks or TOR exit nodes?
I put my chances on "change particular for big variety".
I can see the poster's IP's but if it was a /24 or /16 (IPv4) or /56 or even /32 (IPv6 both ) then a one click acrion would block them all.
The thing is : it isn't as easy as it looks.All torrent exit nodes, or VPN (Shark, Nord, Express and friends) exit nodes are already mostly known and IP listed. So easy to one-click ban them all, but this would also block all the other forum visitors that need to use a VPN (is this actually a thing ? ) to visit this forum.
As usual, the visiting diversity of IPs used look more like a soft DDOS attack : hundreds of posts on the forum coming from as much different IPs.
Btw : I hope to be wrong, of course ^^
@johnpoz ; You can see the IPs : any thoughts ? -
It seems more like targeted attack than random bots, but who knows...
-
@Gertjan yeah I can see the IPs - and lots of vpns on the ones I checked.. But not just 1 vpn, ie saw many of the major vpn players then my daily quota of checking ran out at the site I use. But also lots of IPs just from known spammer countries.. If me I would just block all those countries.. I mean I have asked a few times to run a analysis on known users from those countries - do we have even one valid user from them? All of the IPs were coming from either VPN, or vps providers from what I could tell.. Saw a few DO netblocks, which I blocked. Nothing good would ever come from DO..
But it does seem insane the amount of it coming in when it happens.. Either the spam filter was doing a way better job than I thought or yeah seemed like a targeted attack.. last night I clear up 46 different posts.. Normally we would see 1 or 2 posts from an account.. I saw 13 from one, 9 from another.. And while I was cleaning up those 4 more new accounts, etc. Previous round of flooding I saw one account with 18 posts in just a few minutes.
Something that was working, is for whatever reason not currently - maybe they found a way thru the spam filter? All of the posts have the exact same sort of format. And were all posting phone numbers of how you could do something, contact a real person, call some company for a problem.. Clearly trying to get their SEO up what it looked like to me.
Maybe the spam filter doesn't see phone numbers as possible spam and only links to websites?
Many of the posts had broken variables posted vs a value, like a script that fails - sure everyone has seen those in spam email they get, etc. But they were not your typical sort of spam where someone seems to answer a question in the thread with a link to where you could find more info on the subject matter, etc. Nobody in their right mind would see that post on the forum and think oh great I will call that number next time I have a problem with X company ;) They have to be a targeted way to get some seo up on these phone numbers when googling for where to call, etc.
In one way the seeing the amount of spam seems to indicate that the forums are popular, etc. And we make a good target for such shenanigans.. Maybe if not so popular we wouldn't get so much spam..
-
@Gertjan said in Fake Accounts and SPAM Posts:
For myself, I think, as we live in a world where it has become 'easy' to be known worldwide
I'm from Moon.
-
@johnpoz said in Fake Accounts and SPAM Posts:
Normally we would see 1 or 2 posts from an account.. I saw 13 from one, 9 from another.. And while I was cleaning up those 4 more new accounts, etc. Previous round of flooding I saw one account with 18 posts in just a few minutes.
Is initial rate (== post) limiting possible ?
Like : new users can post 2 new forum posts in 24 hours, and this limit will go away after X days, or 5 upvotes, whatever comes first.I mean : some (new) pfSense user decides to sign up and ask a - just one - question ? A legit person doesn't open 18 different post all over the place - and if he had 18 different questions, he would post them all in in the General Section, even of the majority of the questions are (for example) DNS related .... ;)
This one : if a user edits his post, then it surely must be a human !
What about : if the new forum user produces a valid ID (from these) :
Netgate 4100 Serial: 2014321874 Netgate Device ID: e57dfcd41dc5ad5afb223
then the "post rate limiting" is skipped right away as the new member is using a real pfSense.
I presume these are "IDs" are avaible somewhere within the same Netgate walls ^^Anyway, just thinking out loud here.
@johnpoz said in Fake Accounts and SPAM Posts:
In one way the seeing the amount of spam seems to indicate that the forums are popular, etc. And we make a good target for such shenanigans.. Maybe if not so popular we wouldn't get so much spam..
About that : before, AFIAK, forum stats existed.
But I get it, showing that the forum has tens of thousands of forum members, and hundreds of thousands (a million soon) forum post ... that doesn't go unnoticed so I agree : don't show these stats (anymore). -
@Gertjan I just did google for one of the phone numbers in just a new spam that popped in.. And you see that number on many a forum posts from all over the place in the last few days..
I mean a lot of different forums.. So clearly its not targeted at just pfsense forums.
-
@johnpoz said in Fake Accounts and SPAM Posts:
maybe they found a way thru the spam filter?
Think so, OpenVPN forum has been hit also, close to 30000 posts the last few days.
-
@Pippin wow, that is a lot of posts.. I wonder how many we would have it allowed to run unchecked.. When the floods started new registrations were disabled while they tested the spam filtering.
I am still seeing some sneak through though.. uggghhh
one of the recent ones had the phone number with ~ vs - and the actual body of the post had an image with the number in it as well..
Not even sure how such nonsense would increase any sort of seo score??
-
Saw this earlier, but honestly it's not unique to these forums.
@jwt as consumers of the forum, what can we do to help when we see obvious bot/spam stuff?I've personally found that users doing what they can even if it's "report post" is orders of magnitude more helpful than simply "noting" the problem.
-
@johnpoz said in Fake Accounts and SPAM Posts:
Not even sure how such nonsense would increase any sort of seo score??
Maybe it's just the fallout of the new entry exam of Harvard science university : "write a script that post as much forum post possible on the top 500 forum in the world without being caught" ?
Oh .. wait, there is another one : entry exam of an0nym0us ? ^^edit :
They are having a hard time also :
-
@mer yeah reporting can help.. But those help more when they are weird ones where its like is this spam or not that sneak through.. Currently if they get through they are flooding, and they are not adding their spam to existing threads they are creating new ones that are much easier to spot..
-
@johnpoz and of course there are a bunch of new QuickBooks spam things that just popped up now
-
@mer the amount of spam the last few days has been insane.. I have never seen it like this before..