I too have had problems with this spammer, and seems to use the same MO and names on different sites, if you search, there are a number of options to block, Protector does well, combine it with
"do not allow user to change email" (prevents spammers from registering under one email, getting the activation email and then changing to a non-existant email),

never allow comments to be always approved with admin review,

and I save the protector logs, then look at IP addresses used most frequently, you will find IP from Czech republic, Uraguay, Russia, Korea to be the source of 99% of spam - I then just block those ranges entirely..net result seems to be virtual 100% elimination of posted/visible spam.

The spammers seem to be just posting URLs - my take is that they are trying to boost the Google rankings of certain sites by posting their URL on many other sites.

Sounds to me as if the spammer has created his own program based on xoops.

There are some changes that can be made to prevent the spammer access to the systems but due to the nature of what it appears the spammer has taken to writing code compatible to the database etc.

Any core changes to the names of modules etc would only be a temporary fix. Even if you added a seed value or figured out a way to encrypt the names of the modules they can still be spoofed relatively easily if the names of the modules are kept static once installed.

I have had the idea before but never really panned out but it almost sounds like we would be best off having a security module that can be placed in the system that will allow a nightly connection to a server database somewhere that will list the spammer information and allow automatic updating of this information and from there the system can automate banning the ips, the urls or whatever else is there. Think of it as a sort of antivirus program for web sites with active updating. Like Kaspersky or AVG etc. Until we can build an interactive utility like that then spammers will be an issue. Kind of like car stereo thieves.. How do you stop them? Make someone else an easier target.

I am sure we could also do something with the modules so that the actual modules doing the authentication of the information are protected in the "trusted" directory and are not common module names so that a bot could not actually try to jump around those programs. IF those are considered to be at risk.

I am assuming this spammer has written software that will interact with the server in a manner similar to how XOOPS does. Obviously there is limited information available for him to poll but I am sure if we make wholesale changes they will figure them out and get around them.

My spammer is using 43343 in every username. 4 instances in 1 site, so far easy to manage. Have applied the recommended I.P. addresses with follow other advice as well.

Quote:

Xortify! Read about it here.