Moonbat
05-02-2008, 11:19 PM
We are getting a rather large wave of spam. It's been like this since early April. I have contacted D.Parker about the issue, mainly because many of these usernames are coming from the same IPs. There are usually 2-* usernames with each IP address, then a new one is used.
I am getting the feeling these spammers are controlled by a botnet. The symptoms seem to fit:
The same message(s) regardless of IP
We are being (as far as I know) specifically targeted, probably due to our popularity on search engines. I believe this because unlike most spam, which is "hit and run" usually *-2 messages, we've been getting hit for over a month now.
The names seem to be generated from a program that uses keywords related to the topic. For example, the IP 5*.*7*.***.47 has * accounts, tibiaking2008, tibiakings, and tibiagamegold. It seems like a program just generated usernames and registered the ones that worked.
The IPs seem to be coming from similar ranges. For example, the users Lifetibia and lifetibiarlz have IPs 20*.*6.*07.**5 and 20*.*6.*04.*5* respectively. From this I can assume that some sort of bot server.exe program was spread to users of a certain region, in this case Latin America, and most likely to users of the same ISP. Also, the IP I posted in point * (5*.*7*.***.47) is on the same IP range as another spammer who registered two accounts under the IP 5*.*74.65.*55. Both come from the Asia Pacific region, and probably the same ISP.
I believe this is a botnet. So how do we stop it? First of all, I need to highlight a point:
We are not getting anywhere banning usernames
Multiple usernames under the same IP, using many IPs. If all we have in our arsenal is banning usernames, we will never stop this spam. We will stop the problem for a day, maybe two at the most. But it will not go away. It hasn't gone away since it started in early April, and I doubt it will go away now.
We have a few options.
We can get more moderators to continue banning usernames
The active moderators can get temporary admin powers to ban IPs or IP ranges
The existing admins can become more active and ban IPs
The existing admins can ban entire IP ranges
I have two nominations for moderators: JayT and gordo. JayT joined around August 2007 and has posted many informative posts in the Programming section, and seems to have enough maturity to be a mod. gordo has been around since April 2007 and has helped people a lot, and has a lot of patience. He is also mature enough in my eyes to be a mod. If the other mods/admins agree, I'd support JayT and gordo becoming moderators. If we can't ban IPs, the least we could do is get more mods to ban usernames.
The second option is to endow the mods with temporary admin powers so we can ban IPs. This option is here because many of the people with admin powers aren't very active, and I can understand that. So this would make life easier if we could ban IPs. I know some admins will look at this and think that I just want admin status just to have power, but that isn't the case. Notice I said 'temporary'. I just want to stop this problem of spam. I would gladly give up admin status after the problem goes away. This option would be good, not sure how effective it will be, but I can guarantee that the spam will decrease a lot more if we can ban IPs.
The third option is for the admins to become more active and ban IPs. I doubt this strategy will work because I'm sure that the admins are preoccupied with real life work/other and cannot be as active. I am not trying to bad-mouth or disrespect any admins due to their lack of activity; I just want to be realistic. We can't depend on admins such as Elias or Admin who haven't logged on since 2004 to help us stop this spam problem. D.Parker is the most active out of the admins, and even he can't always log in every day.
If by chance we decide to take the third option and the admins become more active, we have another option in addition to IP banning. We can ban whole IP ranges. I personally don't think this is a good idea because you'll be cutting off access to many legitimate users, but if the problem gets worse we'll have no choice but to block entire ranges.
So the point of this thread is to do two things:
a) Decide whether or not this is a botnet
b) Pick one of the options from above
My choice is a mixture of * and *. I want JayT and gordo to become mods. We mods will ban usernames and assemble lists of IPs who are spammers. Once a week or so, the admins will log in and we will give them the lists. They will ban the IPs. We will continue as such.
I'm sure the admins can take one day out of the week to log in to ban a list of IPs that we mods will make. This seems like a practical idea.
Anyway, discuss.
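Added example, not part of the original post or the forum's software: one way moderators could assemble the weekly IP list described above, by flagging messages posted verbatim from several IPs and grouping the offending IPs by range, while also counting the other accounts a range ban would cut off. The log layout, the function names and the `/24` default are assumptions; the IPs are constructed from documentation ranges and the message text is made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (username, registration IP, message text).
POSTS = [
    ("tibiaking2008", "198.51.100.47", "cheap tibia gold"),
    ("tibiakings", "198.51.100.47", "cheap tibia gold"),
    ("tibiagamegold", "198.51.100.47", "Cheap Tibia Gold "),
    ("Lifetibia", "203.0.113.25", "cheap tibia gold"),
    ("lifetibiarlz", "203.0.113.130", "cheap tibia gold"),
    ("regular_user", "203.0.113.77", "How do I sort a linked list in C?"),
    ("newcomer", "192.0.2.10", "Hello everyone"),
]

def _norm(msg):
    return msg.strip().lower()

def spam_messages(posts, min_ips=2):
    """Messages seen verbatim from at least min_ips distinct IPs."""
    ips_by_msg = defaultdict(set)
    for _user, ip, msg in posts:
        ips_by_msg[_norm(msg)].add(ip)
    return {m for m, ips in ips_by_msg.items() if len(ips) >= min_ips}

def ban_candidates(posts, prefix_len=24):
    """Map each network holding a spamming IP to what a ban would hit."""
    spam = spam_messages(posts)
    users_by_ip = defaultdict(set)
    flagged = set()
    for user, ip, msg in posts:
        users_by_ip[ip].add(user)
        if _norm(msg) in spam:
            flagged.add(ip)
    report = {}
    for ip, users in users_by_ip.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        entry = report.setdefault(
            net, {"spam_ips": set(), "spam_users": set(), "other_users": set()})
        if ip in flagged:  # simplification: every account on a flagged IP
            entry["spam_ips"].add(ip)
            entry["spam_users"] |= users
        else:              # collateral damage if the whole range is banned
            entry["other_users"] |= users
    return {net: e for net, e in report.items() if e["spam_ips"]}

if __name__ == "__main__":
    for net, e in sorted(ban_candidates(POSTS).items()):
        print(net, sorted(e["spam_ips"]), sorted(e["spam_users"]),
              "would also block:", sorted(e["other_users"]))
```
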