Today I decided to check in on my “honey pot” board that I have running. I haven’t been there in a week or so but things were still humming along last time I looked. This time when I logged in I got a warning from my pop-up blocker. My initial reaction? I’ve been hacked.
It turned out that the real answer was much more benign… it was the notification of new private messages popping up. Normally I deactivate (or remove) the PM system from my boards, but since this is supposed to be a standard phpBB2 install I left it in place. The PM spamming started on October 10th it seems. However, the initial attempts did not include the board administrator account. After the initial success there was another round on November 16th, the 19th, and again several days later. Altogether I have 329 spam PMs on the board now.
The PMs are from four different users from six different IP addresses. I checked and there are really only four locations associated with the IP address information: Moscow, The Ukraine, The Netherlands, and another hotbed of spammer activity, the state of Illinois. Someone with a Comcast high-speed internet connection is a zombie, it seems. I left the PM system enabled for now, just to see how far this goes.
Flood Interval Update
The real reason I logged in to the board today was that I changed the posting flood interval. If you’re not familiar with it, the “flood” is a time limit for consecutive posts from a single user. It is designed to prevent a user from overwhelming your board with frequent posts. The default setting is fifteen seconds. Based on my analysis, bots seem to be programmed to run every 30-45 seconds. So I set the flood interval to 60 seconds earlier today.
It will be interesting to see how the bots react.
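An added illustration, not part of the original post and not phpBB's own code: a small Python model of the flood check, run over constructed posting timestamps, showing what the jump from 15 to 60 seconds does to a bot that posts every 40 seconds. It assumes a post is rejected only when it arrives less than the interval after the same poster's last accepted post, and that rejected attempts do not reset the timer; the function names and sample data are made up for the example.

```python
from statistics import median


def apply_flood_control(attempts, interval):
    """Split (poster, unix_time) attempts, sorted by time, into accepted/rejected.

    Assumed model: an attempt is rejected when it comes less than `interval`
    seconds after the same poster's last ACCEPTED post. Rejected attempts do
    not reset the timer.
    """
    last_ok = {}
    accepted, rejected = [], []
    for poster, t in attempts:
        prev = last_ok.get(poster)
        if prev is not None and t - prev < interval:
            rejected.append((poster, t))
        else:
            last_ok[poster] = t
            accepted.append((poster, t))
    return accepted, rejected


def cadence(attempts, poster):
    """Median gap in seconds between one poster's consecutive attempts."""
    times = [t for p, t in attempts if p == poster]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


# Constructed sample data: a bot attempting a post every 40 seconds
# (inside the 30-45 second range) and a human posting twice.
BOT = [("bot", 40 * i) for i in range(10)]      # 0, 40, ..., 360
HUMAN = [("human", t) for t in (5, 300)]
SAMPLE = sorted(BOT + HUMAN, key=lambda a: a[1])


def accepted_count(poster, interval):
    """Number of this poster's attempts that pass the flood check."""
    ok, _ = apply_flood_control(SAMPLE, interval)
    return sum(1 for p, _ in ok if p == poster)


if __name__ == "__main__":
    print("bot cadence (s):", cadence(SAMPLE, "bot"))
    for interval in (15, 60):
        print(f"interval={interval}s",
              "bot accepted:", accepted_count("bot", interval),
              "human accepted:", accepted_count("human", interval))
```

Under this model the 15-second default lets every bot attempt through, while 60 seconds rejects every second attempt: the bot's throughput is halved rather than stopped, and the human poster is unaffected.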
Checkbox Challenge Update
In other news…
I noticed on one of my regular (but fairly dormant) boards that there was a user named “vitamary” registered recently. I saw here on the phpBB Doctor blog (which is linked on the other site I mentioned) several spam comments caught by Akismet from a user [email protected]. Both the board and this blog have a variation of the Checkbox Challenge in place, and both have been victims of VitaMary.
I also saw another interesting blog comment that was not caught by Akismet but was in my approval queue. The complete content of the post was the single word “test” and the email address related to the comment was a gmail address. I posted recently about the abuses coming from gmail, so the two of these items combined made me just a bit suspicious. I looked up the IP address associated with the comment… and it was from Russia.
To be brutally honest here, I started to post and release the Checkbox Challenge MOD at phpbb.com but stopped. Why? Because I was being selfish. I wanted to keep the technique all to myself. If the technique became popular enough to attract the attention of the bot writers, then I would have to do something different. Now I believe I have at least some preliminary indications that someone, somewhere, has taken an interest in my little bits of code and is trying to make their bot just a bit smarter.
Oh, well, I can always fall back to a suggestion from the web comic at xkcd.com: