A few weeks ago I posted about increasing the flood interval on my honey pot board. My theory was that since bots seem to have a fairly regular posting process I could cut down on the number of spam posts simply by changing the flood interval.
It didn’t seem to work.
Today I decided to check in on my “honey pot” board that I have running. I haven’t been there in a week or so but things were still humming along last time I looked. This time when I logged in I got a warning from my pop-up blocker. My initial reaction? I’ve been hacked.
PM Spammers
It turned out that the real answer was much more benign… it was the notification of new private messages popping up.
Today I got my first spam that successfully navigated the Checkbox Challenge. It was caught by Akismet, which shows the power of a layered defense. On phpBB2 boards we have seen an increase in manual spam. Manual spam is really hard to defeat because it’s done by humans. On the other hand, it’s more expensive for the spammers too. I will be watching this closely to see how things trend over the next few months.
Google has a big challenge. Their Blogger service is overrun with splogs. (And they don’t make it very easy to report them either.) Their web site search results have become polluted with people playing keyword and page rank games. And now their Gmail service is being used to register spam accounts on phpBB boards. As of last month, Gmail is in second place for spammer registrations blocked by my Checkbox Challenge on one particular board. If I use only 2008 data, Gmail is essentially in a tie with mail.ru for most spam registration attempts.
In the first post in this series I showed some data from my phpBB2 honey pot board that has been collecting spammers for several months now. One of the most interesting observations (as far as I am concerned) is the posting frequency. The posting bot would log on, post, wait 25 seconds, post a second time, wait 25 seconds, post a third post, and then log off for several hours. This behavior would repeat throughout the day with the same user account coming in from different IP addresses around the Earth.
I suggested that this behavior was an indication of “zombie computers” and since today is Halloween it seems a good time to finish the topic.
I will start this post with a brief recap for new visitors or for those that have not been following my phpBB2 honey pot experiment. Several months ago (August) I set up an unprotected phpBB2 board. By “unprotected” I mean I did not install any MODs to keep spammers from registering or posting on the board. I did make a few code changes:
- Log IP address on registration
- Added “nofollow” to all links
- Created a cron (scheduled) job to move all posts into a hidden forum every ten minutes
Other than those changes, the board was completely unmodified. Note that the changes made were either to capture more information (IP address on registration) or protect my domain. I posted some statistics after about a month of activity and they weren’t pretty. I posted a few bits of information about patterns that I observed in the registration data a bit later.
Where am I going next? I am going to compare the IP addresses used to register with the IP addresses used to post. There are some interesting patterns that I can share, plus I will get to talk about zombies for a bit. That’s always fun.
I’ve been running a “honey pot” board for almost 60 days now. Tonight I took my first action against some of the spammers that are attacking. I used the iptables command to revoke access to an entire range of IP addresses… from Panama.
This range of IP addresses is responsible for:
- 105 user registrations
- 10,312 posts
That’s almost 6% of my users, and over 55% of my posts.
Where are these Panamanian spammers coming from? What sort of patterns (or “tells”) are they exhibiting?
I was over at the Google Adsense blog and forum earlier doing some research for one of my upcoming posts when I got a good laugh. Why?
A picture says it all…

If you have ever watched poker (or other games that involve bluffing) then you might have heard people talk about “tells” from other players. A “tell” is simply something that the person does – perhaps without even being aware of it – that gives away certain information. Spammers do the same thing. If I can find their tells then I can use that information against them, just like I could use that information to my advantage in a poker game.
Here are some “tells” that I have identified after analyzing my phpBB2 honey pot board with one month of spammer data.
Have you ever received an email with an advertisement for something unsavory followed by a paragraph of seemingly nonsense text? The reason for the extra text was that the spammer was trying to get past one of the more common email spam filters, known as Bayesian Spam Filtering. The process of adding text is called “poisoning” the filter, and it’s yet another tactic in the ongoing war between legitimate content providers and spammers. I was asked at Londonvasion 2008 whether I felt that there would ever be an effective way of dealing with human spammers. My comment at the time was that the best defense against spammer posts (human or otherwise) is an active and effective moderator team. Could this sort of algorithm be adopted as an anti-spam technique for board posts? Yes, I believe it could. To the best of my knowledge nobody has yet tried to do that for phpBB2 (my google-fu may have failed me, but I did look). I would be very interested to hear of such a project if it exists.
The problem with this and other anti-spam techniques is that they’re based on words rather than content. This may seem like splitting hairs… after all, isn’t my content made up of words? Yes, yes it is. And that’s the problem. Confused yet? I hope so, because it gets worse from here.