I have been getting hit my this spam on two of my XOOPS site, on one of them were the news comments were switched on they hit big time.
They all seem to be random IP from around the globe.
There registration is getting around the form some how because my requirement for age and place are not filled in and when i got to edit them i have to add that info my self before it will re save them.

Does your set-up allow for anonymous comments, either within the system istelf or within an individual module?

[bad english]hi,i've got the same problem too(still) but inactive
well actually there is somebot that register on XOOPS sites and they spam the news mod comment .
solution :
install protector 3.X
there is an option that doesnt allow users to post more then X urls per post change it and it will work .
[/bad English]

cheers

Quote:

Good advice - I'd assumed that this had already been done

Do this (enabling the RBL filtering as per the instructions) and ban anonymous comments from your site and your problems will be much reduced (maybe even eliminated)

Google search on "peak xoops" and you'll find GIJoe's site, the download for Protector 3.04 and MadFish's excellent installation instructions.

Both DuGris and phppp's CAPTCHA have demonstrated to be effective tools for stopping SPAM in my sites. Highly recommended.

Well,

He has spammed my site a few times now, I have removed the spam and tried to backtrack him for abuse reports...

He think he spammed me from 72.36.233.67 although he masks his spam from many different IP's, I see some strange behaviour from another IP in the apache log.

this is an excerpt from ONE spam post...


basically you see him accessing the article from 72.36.233.67 and then posting two comments from 61.232.61.43 which is a fake address...

His ISP has left no comment...

this pattern repeats for every spam on my site btw, access from .67 post from a fake a few seconds after

The user was registred as zxc10109 with email zxc10109@felissilvestriscatus.info and weburl same as mentioned before

added info...
He has already tried to access my site a few times since the block... I hope I havent blocked an innocent user, but such is luck...

.67 and .69 used for GET and POST logins from .70
all posts from random addresses...

Hi,
Quote:

Actually there are some more patterns as well. However the best form of protection you can have is what I described here:

http://sourceforge.net/forum/forum.php?thread_id=1756756&forum_id=347994

Do the following:

1. Change the configuration of comments so that they are not given free automatically and only registered users could pot them.

2. Wait and watch for the spammers. See the ip addresses and block the entire ip address block through your protector.

3. Keep on changing the login/signup/register php script names to any other you prefer.

Heres something for you to ponder on.

Ive been testing something out on 2 of my sites.

Site 1:

Has Captcha on registration
Has not banned the list of email addresses from abuser
Has RBL plugin for protector running

Site 2:

Doesnt not have captcha
Has banned the list of email addresses from abuser
RBL plugin for protector disabled



The abuser we have all been talking about has managed to sign up to Site 2 even with all the email address banned.

So here is a list of things I would apply (this is only my opinion tho, what you do is up to you).

1. Install Protector
2. Enable RBL plugin for protector (may slow site down, if its impairs your site performance the simply disable)
3. Install Captcha on registration (Also have a form available that people with Visual Impairement can fill in to sign up)
4. If a Spammer signs up, check the IP address of the sender in the email you get when a user signs up and ban the IP block using .htaccess file. In the case we have been talking about the senders IP address always matches the main IP used to spam and not the multiple addresses.
5. You may want to consider using .htaccess to ban ip adresses instead of protector as protector uses your MySQL database (dont know if it uses it when checking banned IP's, can someone confirm). You may not want unwanted IP's to make queries to your database especially if they are bots.

Quote:

I thought that Protector 3.0x uses the "badip" file in the "trust-path" configs directory?

Perhaps enquiries should be made of GIJoe to ask how it works (by someone who know more about it than me )?

aye, but when the bot/spammer comes to the site they are access your XOOPS site and queries are being made already.

with .htaccess file the bot/spammer is blocked before XOOPS is is even accessed thus not using XOOPS and making queries.

Less usage of the database from bots is much better in my opinion.