Domain Survey (Spammer List)
In the interest of researching my idea of rejecting registrations from “new” domains I did some research. I am quite happy to say that while there are some issues, the idea does seem to have some promise. And I have a request.
My largest board currently has over 23K members, and we get about 40 registrations a day. I captured registration data going back 60 days. I then extracted a unique set of domain names used to register. The data ran up through (I think) February 20th or so. I then used a version of my “whois” script to capture the creation date for each of these domains.
First statistic: about 20% of the domains failed. Some of those were my fault because I didn’t properly handle subdomains like us.ibm.com and so on. But some registrars just don’t store or report the domain creation date. So that’s something to factor into the MOD design.
Second statistic: of the domains that were registered between January 1, 2007 and the day I ran the stats… every single one was a spammer! I think that’s significant. Now here’s where you, both of my blog readers, can help. I’ve posted a list of the domains used for spam registrations. I would be very curious to see how many of you have registrations from these same domains on your boards. Why do I ask?
Because there are a few domains on this list that as I first reviewed them seemed to be okay. There was only one registration, and it seemed like a legitimate username. Nothing like freepillshere@genericpharma.org or anything like that. But then I started comparing the registration data from my big board to other smaller boards that I also run. And there was the same registration.
Register for two boards, could be legitimate. Register for three boards? Now you’re a spammer. And I found several of those on this list.
So out of curiosity, I would be interested to see how many of you have (or got, if you have deleted and/or banned them) registrations from the following list:
I have to say that “anotherstupeddomain4bots.org” gets points for originality.
They certainly were not trying to hide what they are, so give them credit for that.
Then ban ‘em anyway.
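A sketch of the domain-age screen discussed in the post, added here as an example; it is not the author's whois script or MOD. It covers the two failure cases the survey ran into: subdomains such as us.ibm.com and domains with no reported creation date. The 60-day cutoff, the function names and the small suffix set are assumptions, and the creation dates are constructed rather than real whois answers.

```python
from datetime import date

# Assumption: a tiny sample of multi-label public suffixes; production code
# should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(email):
    """Reduce user@us.ibm.com to ibm.com so whois is asked about a real record."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def screen(email, created_on, today, min_age_days=60):
    """Classify one registration as 'reject', 'review' or 'accept'.

    created_on maps a registrable domain to its whois creation date, or to
    None when the registrar does not store or report one.
    """
    created = created_on.get(registrable_domain(email))
    if created is None:
        return "review"   # unknown age: send to a human, never auto-reject
    if (today - created).days < min_age_days:
        return "reject"   # "new" domain (cutoff is an assumed value)
    return "accept"

def survey(emails, created_on, today):
    """Group the unique registrable domains by verdict, as in the survey."""
    result = {"reject": set(), "review": set(), "accept": set()}
    for email in emails:
        result[screen(email, created_on, today)].add(registrable_domain(email))
    return result

# Constructed sample: domains and creation dates are invented for the example.
TODAY = date(2007, 2, 20)
CREATED_ON = {
    "fresh-pills.example": date(2007, 1, 15),
    "old-isp.example": date(1998, 6, 1),
    "example.co.uk": date(2001, 3, 9),
    "no-date.example": None,
}
EMAILS = ["x1@fresh-pills.example", "x2@fresh-pills.example",
          "ann@mail.old-isp.example", "bob@eu.example.co.uk",
          "cat@no-date.example", "dan@never-looked-up.example"]
```

Routing unknown creation dates to review rather than rejection keeps the roughly 20% of lookups that fail from locking out legitimate users.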


Do you have the query you ran to produce that? Save me some time
Comment by Esmond Poynton — February 23, 2007 @ 6:05 am
I tested a few of those domains, but was unable to find any matches. We’ve had many “nonsense” domain names from spammers though. Perhaps I could get a list of spammers’ domains and when they registered – for your research
Comment by eviL3 — February 23, 2007 @ 11:14 am
I have determined a lot more spammer domains. I will post them, and see if I can provide some SQL to make it easier for folks to check. I assume that you’re savvy enough to replace phpbb_ with the proper prefix if you’ve used something different.
Comment by dave.rathbun — February 23, 2007 @ 5:10 pm
Here you go:
How do I decide these are spammers? There are a couple of symptoms I look for. First, there are users that come in right after each other from the same domain. For example, this:
That’s a sample of output from the prior query. These users all came in at nearly the same time. And when you look at the domain name, it seems obvious that they’re not interested in my board content. So that’s one symptom.
Next… I run a number of boards on a dedicated server. There are some user domains in the list above that seem rather benign. They look like actual domain names, and the usernames appear to be legitimate. So what I do is log into my server as “root” so that I have access to every single database on the server and run a query that looks like this:
And so on. In this case, phpbb1, phpbb2, and phpbb3 are database names, all of which are stored on my server, and all of which have dramatically different content. In other words, the odds of someone being interested in the different content without posting are very slim. I emphasize the “without posting” because obviously if a user registers, logs in, and posts a legitimate on-topic post then they have validated themselves. Here’s the result from one of the other domains on my list above:
So as you can see, there is only one user registering from this specific domain. As an individual board owner, I might not recognize or categorize them as spam. But since they have registered on multiple boards and never posted on any of them, I consider them as spammers as well.
It is this principle that is behind the bbProtection service started recently.
Now I picked the example above because it’s a .com address. I am much more suspicious of .biz, .info, and .org domains at this time. For example, in running the same query against another user I’ve classified as a spammer I get this:
And I have already removed some other registrations from this domain.
You might notice I have not taken any steps to protect their email addresses as posted here. Hopefully the spammer bots will come by and collect ‘em.
Comment by dave.rathbun — February 23, 2007 @ 5:26 pm
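The two symptoms described in the comment above (a burst of registrations from one domain, and the same address registered on several unrelated boards without ever posting), as an added Python example; it is not the query the commenter ran. The record keys, the function names and the 600-second window are assumptions, the three-board threshold follows the post's rule of thumb, and the sample data is constructed.

```python
from collections import defaultdict

def burst_domains(users, window=600, min_users=3):
    """Domains with min_users or more registrations inside `window` seconds."""
    by_domain = defaultdict(list)
    for u in users:
        by_domain[u["email"].rsplit("@", 1)[-1].lower()].append(u["regdate"])
    flagged = set()
    for domain, times in by_domain.items():
        times.sort()
        # Check every run of min_users consecutive registrations.
        for i in range(len(times) - min_users + 1):
            if times[i + min_users - 1] - times[i] <= window:
                flagged.add(domain)
                break
    return flagged

def cross_board_lurkers(boards, min_boards=3):
    """Emails registered on min_boards or more boards with zero posts on all."""
    seen = defaultdict(lambda: defaultdict(int))  # email -> board -> posts
    for board, users in boards.items():
        for u in users:
            seen[u["email"].lower()][board] += u["posts"]
    return {email for email, per_board in seen.items()
            if len(per_board) >= min_boards and sum(per_board.values()) == 0}

# Constructed sample: three unrelated boards on one server; regdate is a
# Unix-style timestamp in seconds.
BOARDS = {
    "phpbb1": [
        {"email": "a1@bulk-pills.example", "regdate": 1000, "posts": 0},
        {"email": "a2@bulk-pills.example", "regdate": 1030, "posts": 0},
        {"email": "a3@bulk-pills.example", "regdate": 1075, "posts": 0},
        {"email": "quiet@plain-name.example", "regdate": 5000, "posts": 0},
        {"email": "regular@isp.example", "regdate": 9000, "posts": 12},
    ],
    "phpbb2": [
        {"email": "quiet@plain-name.example", "regdate": 5200, "posts": 0},
        {"email": "regular@isp.example", "regdate": 9500, "posts": 0},
    ],
    "phpbb3": [
        {"email": "quiet@plain-name.example", "regdate": 5400, "posts": 0},
        {"email": "regular@isp.example", "regdate": 9900, "posts": 0},
    ],
}
```

The member who posted on one board is not flagged even though the address appears on all three, which matches the "without posting" condition in the comment.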
I have the same problem.. Someone is spamming my site.. How can I stop it..??
I tried everything to stop him but no use…
1) all the time he uses different usernames, one username posts 20 virus posts
2) Banned his IP, username, email but still he accesses…
3) Method of new user signup is “user activation” via email.. Checked his email, all the time he has different email domains which is him@dfgh02gh24hg.info or him@afdoih30hg30h.org
4) See below for sites which his email account references … really weird….
[Edit - removed all of the sites you listed. Dave]
Is there anything to stop him..?? pleaseeee help….
Comment by rackmont — March 12, 2007 @ 11:49 am
Hi, rackmont, thanks for your comment. As to how to stop stuff like this, well, there are a number of different MODs posted at phpbb.com that can help. I have a few of my own there too. Board spammers are getting more and more sophisticated. Some of them will use tools that automatically sign up for email accounts so they can get the activation emails, click them, then visit your board to post their spam.
There are no easy solutions.
Comment by dave.rathbun — March 12, 2007 @ 9:38 pm
I’ve just had somebody from anotherspamdomain.org join, lol…
Comment by eviL3 — March 14, 2007 @ 3:19 pm
Ban ‘em. Ban ‘em now, otherwise you’ll be victimized by a posting bot in the next few days.
Comment by dave.rathbun — March 14, 2007 @ 8:27 pm
There is a hack for IPB boards to import/export a ban list.
And this list is updated permanently here :
http://www.invisionfuse.com/forums/index.php?showtopic=272
And I gave your ban list to update the list on this forum
http://www.invisionfuse.com/forums/index.php?showtopic=272&st=140&gopid=4720&#entry4720
Best regards
Degas
Comment by eMule France : site Francais pour eMule — May 1, 2007 @ 12:49 am
Glad to help out fellow board owners, even IPB boards.
Comment by dave.rathbun — May 1, 2007 @ 8:31 am
I had over 5,000 people using all those domains. They posted porn URLs on my forum every day until I figured out their plans to use a single domain name as email.
I banned the email domain and deleted all accounts that relate to those email domains.
Comment by Johne — August 3, 2007 @ 11:53 am
Thanks for the list. BTW, I didn’t know some of the domains; now I do, and delete all accounts from these domain emails
Comment by Johne — August 3, 2007 @ 11:54 am