Spam/bot network creating hundreds of phoney accounts

by willem stempvoort -
Number of replies: 9
Hi,

Since last week we have "something out there" which is creating new accounts at a considerable speed.
Every day in a few minutes hundreds of new accounts are created.

They have this format:
Aan Zds pleqqtcngvjz@i-pod.info Dxnkmdmzpn Oost Timor
Name, city and country differ; they all have the same mail domain name: i-pod.info
I now see the point of other sites asking to fill in some numbers from an image while registering.

For the moment I disabled the option to create a new account totally.
In which way can I allow the students to create an account without this burden of ghost accounts?

Any advice would be welcome.
In the meantime I will ask the hosting provider if they can do anything.

TIA

Willem
In reply to willem stempvoort

Re: Spam/bot network creating hundreds of phoney accounts

by Satish Talim -
Check this thread for a practical solution -
http://moodle.org/mod/forum/discuss.php?d=87155

In reply to Satish Talim

Re: Spam/bot network creating hundreds of phoney accounts

by willem stempvoort -
Thanks a lot
It seems to work, and it's good to know that I'm not the only one with this problem.

Willem
In reply to willem stempvoort

Re: Spam/bot network creating hundreds of phoney accounts

by Beck Sullivan -
We have also had this spammer problem from i-pod.info. At about the same time we were also hit with several mailinator.com accounts. These mailinator accounts did actually confirm themselves in our environment. They were all from the same USA town of "Vasiliytown" and easy to spot. The names of the people were lovely, a mix of mundane, 'ethnic,' and a few that sounded like really smart people. We deleted them all.

I also connect this to the 'anonymous' views of our site - looking at the profiles of people in the system, blogs, etc. Is this a correct connection to make or is that another invasion?

We have since turned off e-mail authentication and self enrollment--got rid of the button and everything. We don't really need either of these features at present. I don't know what we'll do when we do feel that we need them.

In reply to Beck Sullivan

Re: Spam/bot network creating hundreds of phoney accounts

by Mauno Korpelainen -

Beck, your connections may be right - I wrote some comments to http://tracker.moodle.org/browse/MDL-12738 some days ago and found about a hundred Moodle sites that have been attacked the same way since Christmas. It is also possible that mailinator.com itself is not sending spam but some fake users are using mailinator.com to send spam bots - http://en.wikipedia.org/wiki/Mailinator says that Mailinator is a disposable e-mail address service created in 2003 by Paul Tyma, a software engineer at Google. It accepts mail for any e-mail address within the mailinator.com domain, and allows anyone to read it without having to create an account or enter a password. It is intended to provide users with an anonymous and temporary e-mail address to help the reduction of Inbox spam... A quick search with Google for the words "mailinator" and "user/view.php" shows some of the attacked & spammed sites & some accounts used for spam in guestbooks and forums.

All Moodle admins should really consider stricter site policies - no anonymous guests, no self enrolment (or at least keys for courses)... After mailinator there will come a long queue of new spam (bot) servers or paid spammers (human). Those spam links are not only nasty - some of them lead to pages that have trojan viruses and may infect unprotected home PCs or servers or create new spam, so DO NOT CLICK THOSE SPAM LINKS. User profile pages should not contain any "traps" unless students have been allowed to add scripts to HTML content (by default it is not possible).

Edit: It is still possible that those accounts were created by a bot but confirmed by a human spammer who possibly changes user info at the same time as he/she adds content to the user profile. If a bot can do this it's really alarming.

Average of ratings: Useful (1)
In reply to Mauno Korpelainen

Re: Spam/bot network creating hundreds of phoney accounts

by Helen Foster -
Hi,

Here on moodle.org we've found adding mailinator and alternates as denied email domains (in Administration > Users > Authentication > Manage authentication) works well in the fight against spam. Reducing spam in Moodle lists further suggestions.
In reply to Helen Foster

Re: Spam/bot network creating hundreds of phoney accounts

by Mauno Korpelainen -

Hi Helen,

I wrote that reply in January and many things have changed since then. For example, the latest versions of XRumer can not only crack/pass Captchas but also create fake email addresses to gmail or hotmail addresses http://www.avertlabs.com/research/blog/index.php/2008/10/10/cracking-captcha-as-a-business/

We can easily deny addresses like mailinator.com or mail.ru (see attached file) but we can't deny addresses like hotmail.com or gmail.com.

Thanks to Peter, the default setting of forceloginforprofiles and some other security settings were changed in July, and the current spam problem is mostly causing trouble for old non-upgraded sites ... and a minor number of new sites that have turned off most security settings.

Russian spammers have not yet used programs like XRumer to direct forum/blog spam on Moodle sites as far as I know (only a small number of human spammers...) and it is very likely that when most old Moodle sites have updated their settings (user profiles no longer visible) and other CMS/forum/blog programs have done some updates too to reduce forum/comment/blog spam, spammers will search for new arsenal and space.

The best thing to happen during the last year is that those millions of Moodle administrators have woken up to check their sites, logs and settings.

Average of ratings: Useful (1)
In reply to Mauno Korpelainen

Re: Spam/bot network creating hundreds of phoney accounts

by J B -
Increasingly I suspect that the spammers are as interested in the fact of generating accounts as what they can do with them: "force login for profiles" is set, but the nuisance value and undesirable risk of exposing our users to potentially offensive account spam mean that these accounts need to be deleted promptly. I do use the "prohibit accounts from these domains" but the problem here is that the bot accounts are coming from more or less random subdomains, so aren't picked up as that only matches everything after the @, plus of course I am reluctant to ban gmail etc.

Currently I automatically run the following shell script and then query the database with the output:

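# Build one UPDATE that marks matching accounts as deleted and blanks their details.
# Note: || is string concatenation in PostgreSQL; MySQL treats it as OR unless PIPES_AS_CONCAT is set.
sqlstr="UPDATE mdl_user SET username='$(date +%s).' || email, email='', password='xxx', firstname='xxx', lastname='xxx', description = '', deleted = 1 WHERE description LIKE '%blackboard%'"

# Profile-description patterns ("etc" stands for the rest of the poster's list).
for spam in "cheap online" fornss.com etc
do
    sqlstr="$sqlstr OR description LIKE '%$spam%'"
done

# E-mail domain suffixes ("etc" as above).
for spam in .co.cc etc
do
    sqlstr="$sqlstr OR email LIKE '%$spam'"
done

sqlstr="$sqlstr;"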
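
The two checks discussed in this thread, deny-listing mail domains (including the random-subdomain case) and spotting hundreds of sign-ups from one domain within minutes, can be combined into a review list instead of a direct delete. This is an added example, not part of any post and not Moodle code; the row layout (id, email, creation time), the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed deny-list and sample rows: (user id, email, unix time created).
DENIED = {"mailinator.com", "co.cc"}
SAMPLE = [
    (1, "pleq@i-pod.info", 1000), (2, "dxnk@i-pod.info", 1020),
    (3, "zzrt@i-pod.info", 1045), (4, "anna@a1b2.co.cc", 5000),
    (5, "student@gmail.com", 5100), (6, "bob@mailinator.com", 9000),
    (7, "carol@notco.cc", 9500), (8, "no-at-sign", 9600),
]

def email_domain(email):
    """Lower-cased domain part, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    return domain if sep and local and domain else None

def is_denied(domain, denied=DENIED):
    """True if domain is a denied entry or any subdomain of one.
    Matches on label boundaries: a1b2.co.cc hits co.cc, notco.cc does not."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in denied for i in range(len(labels)))

def burst_domains(rows, window=300, threshold=3):
    """Domains with at least `threshold` sign-ups inside `window` seconds."""
    times = defaultdict(list)
    for _uid, email, created in rows:
        d = email_domain(email)
        if d:
            times[d].append(created)
    hits = set()
    for d, ts in times.items():
        ts.sort()
        # Compare each sign-up with the one `threshold - 1` places later.
        if any(b - a <= window for a, b in zip(ts, ts[threshold - 1:])):
            hits.add(d)
    return hits

def triage(rows, **kw):
    """Return {user id: reason} for accounts an admin should review."""
    bursts = burst_domains(rows, **kw)
    out = {}
    for uid, email, _created in rows:
        d = email_domain(email)
        reason = ("malformed" if d is None else "denied-domain" if is_denied(d)
                  else "burst" if d in bursts else None)
        if reason:
            out[uid] = reason
    return out
```

A lone gmail.com sign-up passes both checks, so a large provider does not have to be banned to catch a burst from a throwaway domain.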