Chinese Spammers?
Started by petri, Apr 18 2010 04:05 AM
9 replies to this topic
#1
Posted 18 April 2010 - 04:05 AM
I tried to make it hard for spammers to access my forum but it didn't work. Whatever I tried the SPAM kept coming in, so finally I decided to take the forum offline. Immediately after I started to get hits to the main page (a web page with a link to the forum) from China. All referrals come from the same place but the IP-addresses and locations are all different. The web page and the forum were all in Swedish, so I'm a bit suspicious about this sudden interest from China. The SPAM I used to find on the forum pages was mostly in Russian or with Russian addresses.
What could all this mean?
#2
Posted 18 April 2010 - 07:52 AM
You can block all the IPs at the server level through an .htaccess file if you'd like. There are lists online you can use to add to your .htaccess.
#3
Posted 18 April 2010 - 11:55 AM
It means there are a lot of hacked PCs from those two places. Most of the time the PC owner doesn't even know their PC has become owned and controlled by someone else -- who may be down the block and on the same cable loop, or halfway around the world.
If the forum were still active, most of those come with built in spam protection that would allow you to restrict access to users by their IP number or IP range. And as she said, there are lists out there you can use to seed your blocking rules. As a general rule you can usually mass block entire IP ranges if you want to block off certain countries.
Or you may also want to look into what your server does when a user hits a page that doesn't exist. It's entirely possible that it's configured to send Not Found requests to your home page automatically. Which could be why you're seeing the traffic show up there now. This would also be evident if you were to look through your raw log files and traced back the original hits from those IP numbers.
If that's the case, you could tweak your 404 Not Found error handling to silently drop the connections from these IP ranges. Or simply put up a single page that says the forum is gone and redirect all requests for forum pages to this new page.
Or if you control the entire server you could also set up some block rules at the firewall itself. Though that's probably overkill if they're not actively trying to hack your site.
Lots of ways one can deal with this sort of thing.
FWIW, most people would be amazed at the number of hacked PCs out there. It's a huge number. I see it more in how I have my mail servers set up, because most of those hacked machines are set up to be mail spam bots but don't use a legitimate mail server when trying to send their spam. A significant amount of mail sent to me never makes it to me because it is being sent by these hacked PCs.
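The raw-log check suggested in the post above can be scripted. The following is an added example, not part of the original thread: it groups hits by "B" block (/16), counts requests for the removed forum, and lists blocks where several distinct IPs share one referrer. It assumes Apache "combined" log format; the `/forum/` prefix, `referrer.example` and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in Apache "combined" format; IPs are documentation ranges,
# referrer.example and the /forum/ prefix are assumptions for illustration.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Apr/2010:04:01:10 +0200] "GET /forum/register.php HTTP/1.1" 302 0 "http://referrer.example/" "Mozilla/4.0"
198.51.100.7 - - [18/Apr/2010:04:01:11 +0200] "GET / HTTP/1.1" 200 2048 "http://referrer.example/" "Mozilla/4.0"
198.51.100.88 - - [18/Apr/2010:04:03:40 +0200] "GET /forum/index.php HTTP/1.1" 302 0 "http://referrer.example/" "Mozilla/4.0"
198.51.100.88 - - [18/Apr/2010:04:03:41 +0200] "GET / HTTP/1.1" 200 2048 "http://referrer.example/" "Mozilla/4.0"
198.51.100.201 - - [18/Apr/2010:04:09:02 +0200] "GET / HTTP/1.1" 200 2048 "http://referrer.example/" "Mozilla/4.0"
192.0.2.10 - - [18/Apr/2010:05:12:30 +0200] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def summarize(log_text, forum_prefix="/forum/", prefix_len=16):
    """Group hits by network block (/16 is the 'B' block, /8 the 'A' block)."""
    blocks = defaultdict(lambda: {"ips": set(), "hits": 0, "forum_hits": 0, "referers": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        try:
            net = str(ip_network(f"{m['ip']}/{prefix_len}", strict=False))
        except ValueError:
            continue  # octet out of range, not a real IPv4 address
        b = blocks[net]
        b["ips"].add(m["ip"])
        b["hits"] += 1
        # Requests for the removed forum explain why bots end up on the home page.
        b["forum_hits"] += m["path"].startswith(forum_prefix)
        if m["referer"] not in ("", "-"):
            b["referers"].add(m["referer"])
    return dict(blocks)

def shared_referrer_blocks(summary, min_ips=2):
    """Blocks where several distinct IPs were seen with exactly one referrer."""
    return sorted(net for net, b in summary.items()
                  if len(b["ips"]) >= min_ips and len(b["referers"]) == 1)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for net in shared_referrer_blocks(report):
        b = report[net]
        print(net, len(b["ips"]), "IPs,", b["hits"], "hits,", b["forum_hits"], "forum requests")
```

Blocks that show many distinct IPs, one referrer and requests for forum paths are the ones worth covering with a single range rule instead of per-address entries.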
#4
Posted 18 April 2010 - 01:30 PM
Thanks for the answers.
I tried to understand all the different possibilities I had as an admin, and tested everything I thought might help. There was an option to use black lists and I tried it. I tried to put reasonable obstacles to user registration and finally I closed the possibility to register altogether. But the spam kept coming in. Finally I thought I would erase all the users, but I didn't know how to do it. The forum wasn't very active and I didn't want to be a part in spreading spam, so I erased all the files from the server.
I probably shouldn't assume that only because I'm working on a Mac I'm almost immune to viruses? Maybe I could google for free checking services, but then again, how can I know it's not some kind of dirty site that installs malware instead of removing it? Any suggestions where to go?
All the technicalities of computer security are past my knowledge, as you might have guessed. I still (wrongly?) trust my Mac
#5
Posted 19 April 2010 - 09:48 AM
Not sure what the Mac part has to do with your forum getting hacked and/or spammed. You're not saying your server was a Mac are you? If that's the case it would be an extremely unusual situation. Not because Macs are bad computers, but because the things Macs really excel at are not the same things servers need to excel at.
That said I'll tell you plainly that any computer that doesn't have anti-virus and spyware protection is going to get hacked. It's just a matter of time. And I don't care what make, model, type or anything else it is.
#7
Posted 20 April 2010 - 01:49 PM
The hacked PCs refer to PC zombies that are being used to distribute hacks and spam and other malware unbeknownst to their owners, not to your preference of personal computer! Those are what are potentially attacking your server and you need to be aware of them, even if you personally use a Mac.
#8
Posted 20 June 2010 - 05:51 AM
You can block all the ips at the server level through an .htaccess file if you'd like. There are lists online you can use to add to your .htaccess.
That is not an optimal option, each line in htaccess takes resources, a firewall level ban would be better.
#9
Posted 20 June 2010 - 02:28 PM
That is not an optimal option, each line in htaccess takes resources, a firewall level ban would be better.
And not everyone has that option, unfortunately. But a Swedish forum with little to no appeal to Chinese visitors can easily block IP addresses by "A" or "B" blocks.
I have resorted to doing that with my VBulletin forum. It has cut down on spam registrations significantly, although not completely. There are still a few hand jobs coming in but we can easily moderate or delete those.
#10
Posted 21 June 2010 - 06:35 AM
"hand jobs" being a fairly accurate way to describe forum spammers as well!









