Sat, Aug 22, 2015 10:31 pm

Forum Spammers

After setting up a Simple Machines Forum (SMF) site, I found a spammer registered from a Ukrainian IP address before I even registered the administrator account for the forum. I changed the forum configuration so that new members must be approved by the administrator and then installed themes for the forum. When I had completed installing themes, I noticed an attempt to register on the forum by five other spammers.
ID  Username         Email Address               IP Address
5   boersmaizc       solanonicole120@gmail.com   193.201.224.158
6   gjssknuaehdazusmm@gmail.com                  46.151.52.63
7   KennethFERM      sepetriw@yandex.com         193.201.224.171
3   vsrvrzune        ybficpefo@gmail.com         46.151.52.35
4   yadiragoldieu1a  andarytsq@outlook.com       142.54.185.122

When I searched the Stop Forum Spam site, I didn't find the username boersmaizc listed, but I did find the email address listed, with many entries from the IP address 193.201.224.158. The IP address is assigned to OpaTelecom in Ukraine. There were many instances of the solanonicole120 email address being used by the spammer from the 193.201.224.158 address, but also instances of that email address being associated with IP addresses in Argentina (190.221.23.158), China (119.253.252.22, 112.20.190.20, 117.185.124.73, 115.28.39.12, 120.198.245.36, 117.177.243.43, and 122.89.138.111), Finland (109.70.176.1), France (212.129.21.28), Hong Kong (182.239.127.140), Kazakhstan (82.200.245.107), Russia (78.25.98.250), Thailand (203.190.251.116), and the United States (209.66.200.64). The IP address in France was marked as "Toxic IP address or "bad" email domain".

There was another Ukrainian IP address in the list, 193.201.224.171, in the same block of IP addresses, 193.201.224.0 - 193.201.227.255.

Another Ukrainian IP address on the list was 46.151.52.63. A search at the Réseaux IP Européens website revealed that IP address was assigned to PE Radashevsky Sergiy Oleksandrovich (ISP ReedLan). RIPE is the regional internet registry for Europe, Russia, the Middle East, and Central Asia. Another Ukrainian IP address, 46.151.52.35, from the same 46.151.48.0 - 46.151.55.255 block of addresses was in the list.

The remaining IP address was 142.54.185.122, which the American Registry for Internet Numbers (ARIN), an RIR, linked to Zhou Pizhong in North Kansas City, Missouri. A Stop Forum Spam search showed many entries for that IP address, which it associated with the United States, for August 22 with many prior entries as well.

All of the entries were awaiting membership approval; I deleted all of them. When I did so, I noticed another attempt to register from a Ukrainian IP address, 46.151.52.37. I deleted that one as well.


Sat, Aug 22, 2015 12:37 pm

Ukrainian forum spammer at 46.151.52.64

I set up a Simple Machines Forum (SMF) forum today using SMF 2.0.10, the latest supported release of the software. When I logged into the forum immediately after setting it up there was already one spam posting, which was a long block of text with many spam links within it.

When I viewed the member information for the spammer, I saw the following:

Username: uwzedekzk
Website: http://www.true-religion.us.org/
ICQ: http://www.icq.com/whitepages/about_me.php?uin=510521626
MSN: http://members.msn.com/prtazkixe@gmail.com

In the spam posting, I found a link to the website from "true religion jeans outlet" along with a lot of other links.

When I checked the spammer's profile information, I saw the following:

Username: uwzedekzk
Posts: 1 (N/A per day)
Email: jyhnjknmo@gmail.com
Gender: Male
Age: 31
Location: Brazil

Date Registered: Today at 08:32:47 AM
IP: 46.151.52.64
Hostname:
Local Time: August 22, 2015, 09:44:49 AM
Last Active: Today at 08:32:52 AM

The signature the spammer had on his profile was "oakley glasses" which was a link to http://www.oakley-sunglass.us.org/. The registration time for the spammer was listed as 8:32:47 AM. When I checked the registration time for the administrator account I created when setting up the forum, it was 08:34:58 AM, so the spammer posted two minutes prior even to the registration of the administrator account.

The 2.1 version of SMF allows one to restrict registrations during the installation process to require admin approval, but that isn't part of the installation procedure for 2.0 versions. Instead, you need to log into the forum as an administrator after installing the software and change the registration option so that members can't register immediately. I did change the setting immediately after logging in as the administrator to Admin Approval by clicking on Admin, selecting Features and Options, then Members, then Registration, then Settings. The choices for registration are as follows:

With "Immediate Registration" as the default option when the forum software is installed, spammers can post spam if you don't act quickly to change the option. But even though I logged in as the administrator immediately after completing the installation and changed the option, I was still too late to prevent this particular spammer from posting spam.

On the profile page for the spammer, I selected Actions and then Ban this user. I then selected an expiration period of Never for a full ban for the spammer. For Triggers, I left "Ban on Email Address (e.g. *@badsite.com)" selected with the email address he used and also left "Ban on Username" selected with his username, uwzedekzk. I also selected "Ban on IP (e.g., 192.168.10-20.*)" for his IP address, which was 46.151.52.64. Then from his profile page, I again selected Actions and then chose "Delete this account".

When I performed a Stop Forum Spam site search, I didn't find the spammer's username nor email address listed, but I found a large number of entries for the IP address for August 22, 2015. The spammer used many usernames where the names were just random strings of characters and the email addresses likewise used random strings of characters, but all using "@gmail.com". The Stop Forum Spam Country Check - Ukraine page currently shows "7775469 entries in our database from Ukraine (20.31 percent of total)", i.e., about 1/5 of forum spam is originating from Ukrainian spammers. The Spam sources by country page currently shows that their statistics for the last year show spam originating from Ukrainian IP address space in 51.7% of the spam reports.

Since the spammer uses random email addresses and usernames, I removed the email check from the SMF spammer check, leaving just the IP address check by selecting Members and then Ban list. The Stop Forum Spam site search reported "Found 1000 entries for "46.151.52.64"". I saw a prior incident with a Ukrainian forum spammer a little over 5 years ago, in July of 2010, when a Ukrainian spammer managed to post spam to one of my wife's forums.
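
Both posts note that the usernames and email addresses are random while the source IPs cluster in two registry allocations, and the ban form hints at an octet-range trigger syntax. As an added example (not from the original posts or from SMF itself), this Python code converts those allocations to CIDR and to the hint's octet-range style, then groups the registration IPs from both posts by allocation; the function names are hypothetical and the wildcard rendering assumes the style shown in the form's example.

```python
import ipaddress

# Registry allocations quoted in the posts, as inclusive (start, end) pairs.
ALLOCATIONS = [
    ("193.201.224.0", "193.201.227.255"),
    ("46.151.48.0", "46.151.55.255"),
]

# Source IPs of the registrations mentioned in the two posts.
REGISTRATION_IPS = [
    "193.201.224.158", "46.151.52.63", "193.201.224.171", "46.151.52.35",
    "142.54.185.122", "46.151.52.37", "46.151.52.64",
]


def range_to_cidrs(start, end):
    """Collapse an inclusive start-end range into the minimal CIDR list."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return list(ipaddress.summarize_address_range(first, last))


def range_to_wildcard(start, end):
    """Render a range in the octet style of the form hint (192.168.10-20.*)."""
    # Assumption: the range differs only in the third octet and covers whole
    # /24 networks, as both allocations above do; anything else is rejected.
    s, e = start.split("."), end.split(".")
    if s[:2] != e[:2] or s[3] != "0" or e[3] != "255":
        raise ValueError("range is not a run of whole /24 networks")
    third = s[2] if s[2] == e[2] else f"{s[2]}-{e[2]}"
    return f"{s[0]}.{s[1]}.{third}.*"


def group_by_allocation(ips):
    """Map each allocation's CIDR to the registration IPs that fall inside it."""
    nets = [n for a in ALLOCATIONS for n in range_to_cidrs(*a)]
    groups = {str(n): [] for n in nets}
    groups["unmatched"] = []
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)
        hit = next((n for n in nets if addr in n), None)
        groups[str(hit) if hit else "unmatched"].append(ip)
    return groups


if __name__ == "__main__":
    for start, end in ALLOCATIONS:
        print(range_to_cidrs(start, end), range_to_wildcard(start, end))
    print(group_by_allocation(REGISTRATION_IPS))
```

A range-wide ban also blocks any legitimate visitors in the same allocation, so the grouping is best used to judge whether the volume of spam from a block justifies it.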
