Discussion about spammer

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue May 10, 2011 4:33 am

Why would I trust a product that needs to be spammed on others forums?
Plus I tried BZ before (back in 2005-2006), it sucked! ;)

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue May 10, 2011 6:32 am

I don't think any (censored) people are doing this. In fact I don't think the spammer cares about (censored) at all. He just wants to harass us for some unknown reason. It's the same guy that made a thousand posts to free downloads links for version 3.46, what was it, a year ago?

The interesting thing is this spammer has access to a very large number of hacked computers worldwide, and is spamming from a different IP address every time. (Also because I block each IP address he uses.) I can't imagine that some random bored guy has access to more than two compromised systems. This guy has used maybe 50 computers spamming here already, and probably has a thousand more zombie systems ready for use. So it must be a professional hacker.

So who is the professional hacker that has nothing better to do than harass this forum? I wonder.
tzuk

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue May 10, 2011 7:58 am

tzuk wrote: I don't think any (censored) people are doing this. In fact I don't think the spammer cares about (censored) at all. He just wants to harass us for some unknown reason. It's the same guy that made a thousand posts to free downloads links for version 3.46, what was it, a year ago?
I think that was right before I came back, because I don't remember the 1000 posts :P
tzuk wrote: The interesting thing is this spammer has access to a very large number of hacked computers worldwide, and is spamming from a different IP address every time. (Also because I block each IP address he uses.) I can't imagine that some random bored guy has access to more than two compromised systems. This guy has used maybe 50 computers spamming here already, and probably has a thousand more zombie systems ready for use. So it must be a professional hacker.
Are you sure he is using many compromised computers? To me it just seems like he was using some automated spamming tool, like Xrumer or something similar? The different IPs could just be him using a proxy list (if the software he was using supports it).
Either way, were you suggesting he has grabbed some RAT/panel from a public forum, built a server/bot with it and deployed it on many people's computers (using spread methods)? This way he had himself a nice botnet he can use anytime he wants to do anything en masse (such as DDoS)? If so, you call him a professional hacker, I call him a skiddie! :mrgreen:
tzuk wrote: So who is the professional hacker that has nothing better to do than harass this forum? I wonder.
What I found weird, was that he was only spamming the (censored) product in his posts, so therefore I assumed he is/was an employee of (censored)? Why else would he spam their product?
Also before anyone says it, no his posts did not contain any referral links or anything like that which would allow him to profit (if you clicked the link) so that rules out any monetary gains...

Also this is off topic, but did someone send me a PM sometime in the last 3.5 hours? I had an alert when I logged in that I had 1 new PM, but when I went to my box there was no new PM... :shock:

Spysnake
Posts: 12
Joined: Tue May 03, 2011 11:43 am

Post by Spysnake » Tue May 10, 2011 8:10 am

The PM was done by the bot also. Same text entirely as in the forum posts.

D1G1T@L
Posts: 577
Joined: Sun Apr 17, 2011 7:40 pm
Location: DefaultBox

Post by D1G1T@L » Tue May 10, 2011 3:17 pm

It could be someone who has hired a cyberbot network to spam this forum instead of doing this themselves directly. Tzuk where are most of the spammer IPs based? That could be a clue as to who is doing it if most IPs are from a specific region.

Don't forget to censor the thread title.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue May 10, 2011 5:00 pm

SnDPhoenix wrote:
tzuk wrote: I don't think any (censored) people are doing this. In fact I don't think the spammer cares about (censored) at all. He just wants to harass us for some unknown reason. It's the same guy that made a thousand posts to free downloads links for version 3.46, what was it, a year ago?
I think that was right before I came back, because I don't remember the 1000 posts :P
Well maybe not thousands. Also I was mistaken, he did not post links then, he posted reg keys for version 3.46. But the point is that one day I opened the forum and had to clean up hundreds of malicious posts.
SnD wrote: Are you sure he is using many compromised computers? To me it just seems like he was using some automated spamming tool, like Xrumer or something similar? The different IPs could just be him using a proxy list (if the software he was using supports it).
No, he is regularly using IP addresses from commercial blocks, typically hosting services. Which is to say he probably has some "exploit scanner" slowly scanning the net and "collecting" vulnerable computers as he finds them. And I think he uses these computers to act as a proxy/relay while he is manually wasting his time posting nonsense here.
SnD wrote:What I found weird, was that he was only spamming the (censored) product in his posts, so therefore I assumed he is/was an employee of (censored)? Why else would he spam their product?
As I said, he was harassing here long before he came up with the BZ twist. That's a recent change.
tzuk

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue May 10, 2011 5:06 pm

Spysnake wrote:The PM was done by the bot also. Same text entirely as in the forum posts.
It could be pasting the same copy text again and again.
D1G1T@L wrote:It could be someone who has hired a cyberbot network to spam this forum instead of doing this themselves directly. Tzuk where are most of the spammer IPs based? That could be a clue as to who is doing it if most IPs are from a specific region.

Don't forget to censor the thread title.
The IPs are from all over the world, there were addresses in Europe, in the Americas, and in the far east, and others.
tzuk

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue May 10, 2011 9:28 pm

I don't think he hired a cyberbot network as D1G1T@L suspects. Who in the world would pay someone else who has their own botnet, to spam someone's forum about another company's product? Unless he just has a major grudge against Sandboxie... :?

He either has his own little botnet (of unwilling victims around the world) that he uses to spam forums, he is using an automated spamming program or maybe he is actually doing it all by hand?
I have to admit, I have been logged in while he was logged in and I've watched him post these spam messages, and trust me, he doesn't post very fast... He'll post maybe 3-4 messages and then log out, with about a 2-5 minute delay on average between each post.
The different IPs could be explained by him simply using TOR to access this site?

I think the easiest way to stop most/all spammers on this forum, might be to require registered users to also have to enter a captcha. It may be annoying for people who are logged in and used to being able to just post their messages, but it should only take a few seconds for you to type in the captcha, but it hopefully might save the forum from being spammed, at least through automated means.

Anyone else have any ideas? :P

Spysnake
Posts: 12
Joined: Tue May 03, 2011 11:43 am

Post by Spysnake » Wed May 11, 2011 4:28 am

I don't remember email confirmation on registration, maybe it could be added?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed May 11, 2011 4:38 am

Spysnake I think you're right.
tzuk

Mike
Posts: 592
Joined: Mon Nov 16, 2009 1:27 pm

Post by Mike » Wed May 11, 2011 8:40 am

SnDPhoenix wrote:I think the easiest way to stop most/all spammers on this forum, might be to require registered users to also have to enter a captcha. ... Anyone else have any ideas?
If email confirmation isn't discouragement enough - and it might not be for the prankster(s) mentioned in this thread - then I think that could be worth a try. But I would exempt users from CAPTCHAs if they have at least N number of posts and have been registered for at least X amount of time. The bar could be set pretty low, since spammer accounts only seem to get a small number of posts in before they're banned here.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Aug 11, 2011 6:53 am

During the past week or so there has been a marked increase in the number of times per day the spammer visits this forum. So I had to enable mandatory account activation for anyone who subscribes to the forum. This doesn't affect guest posting, but people who sign up will have to give the correct email address so they can activate their forum account.

As usual in the world, everyone has to suffer because of a few anti-social criminal jerks.

I would like to know if anyone experiences any problems due to this new email activation thing. Post here if you see any issues.
tzuk

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Thu Aug 11, 2011 8:41 am

I know what you mean, I've seen the posts and they're always the same thing, something about a "show" I think?
Maybe this is a good time to discuss ways (or better ways) of curbing the spammers?
Email activation is a good start. :)

However, something that is a major issue that might help would be to upgrade phpBB?
I know this forum is running phpBB v2, I just don't remember the exact version number, but I believe it is v2.0.15, or at least somewhere around that version?
If so, that puts the age of this phpBB software at 6 years old! If it is somewhere around v2.0.20, that's still 5 years old!
Even if it is the last v2 release which was v2.0.23 released on February 17, 2008, that still makes it exactly 3.5 years old (in 6 days)! :shock:
And of course, support for phpBB2 ended, which means no newer versions or patches released since then.

Therefore, considering it's at least 3.5 years old it obviously isn't very secure! I imagine - no wait, I know there are a lot of vulnerabilities that exist in this forum, some which spammers may or may not be using to their advantage. Such as RFI vulnerabilities for things like getting this site to run a remote shell (like C99) or a remote script (likely a spam script), LFI vulnerabilities for getting the server to hand over local files, like passwd, maybe even SQL vulnerabilities which they might use for things like creating an account without using the registration form, or to inject spam posts into the DB without needing to fill out captcha as they wouldn't be using the "posting.php" form, etc.

We're damn lucky someone hasn't decided to exploit one of these vulnerabilities yet and then delete everything on the server, leaving behind only an index.php file telling us "You've been 0wn3d!". :?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Aug 11, 2011 10:52 am

This forum uses the latest version of phpBB 2 which is 2.0.23. As I told you before, I don't see a good reason to make the time investment to change the forum software, just for the sake of changing it. If you know of any specific vulnerabilities with the forum software, I would appreciate specific details rather than vague warnings, so I can fix the problems.
SnD wrote:I know what you mean, I've seen the posts and they're always the same thing, something about a "show" I think?
No ... :) A forum account called footprints has been spamming about some show, but that's not what I meant. I am referring to the insane anti-social person who has been the subject of this topic from the start.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Aug 11, 2011 11:23 am

footprints is the Abdullah show guy. I don't see any spam in those messages, that's why I still wonder why he keeps posting that.

He talks about the guy that pretends to make publicity for another software product.
