PDA

Click to See Complete Forum and Search --> : Am I being attacked?

balsa8
08-06-2009, 10:34 AM
Hi-

I have a little phpBB3 forum. I also seem to have an on-going battle with Russian porno spambots and it seems to be escalating. The numbers for the past few days in order of:

Day
Number of visits
Pages
Hits
Bandwidth

01 Aug 2009, 116, 1813, 2077, 25.05 MB
02 Aug 2009, 113, 1581, 1740, 20.69 MB
03 Aug 2009, 118, 2707, 3004, 37.26 MB
04 Aug 2009, 278, 3513, 3808, 45.46 MB
05 Aug 2009, 481, 5224, 5491, 68.44 MB

If it goes on doubling each day, I may run out of memory since I have minimal service with Bluehost, about 400 gbytes monthly bandwidth service.

Seems like a lot of it is coming from two IP addresses: 89.149.244.218 and 89.149.227.124.

I complained to Bluehost about one of the addresses. They said it is shared by 800 accounts and there was little they could do.

What should I do if it keeps doubling every day?
skilled1
08-06-2009, 11:23 AM
ban the ip's from accessing your website.
balsa8
08-06-2009, 12:24 PM
Oh yeah. That's one thing I forgot to mention.

By banning, do you mean going into the phpBB admin page and banning the member name. I tried that. In some cases, it was the last I saw of them. But, the most persistent member has been banned, but there seems to be a way around the phpBB ban. I haven't actually tried that on this new crop, but I suspect it may be true for them as well.
balsa8
08-06-2009, 07:58 PM
Hi,

Looking at the control panel more carefully, I think I am confusing "banning" the IP with "excluding " the IP. Maybe if I actually ban the IP's, that will stem the tide.

Thanks
balsa8
08-07-2009, 11:01 AM
No, on second thought, I can see several instances where they continue to post even after the IP address was banned. Banning about 20 IP addresses as slowed them down a lot though. Do all forums have this much trouble with span bots?
balsa8
08-09-2009, 08:43 AM
I can see that they definitely continue to post even after the IP address is banned. It seems like maybe agents on two separate IP addresses work together to submit repeated requests for the some page in such a way that it exploits a lapse in synchronization on phpBB3. Maybe somewhere in the phpBB code, a semaphore function should be used, or a semaphore is being used but not quite correctly (which I think may be really easy to do). Identifying the principle IP is easy, but identifying the shadow IP requires careful analysis of the raw logs.

This morning, I disapproved 180 topics, all prono, all usernames were long and weird like BioroeloutWit. I ask the question again, Is somebody trying to shut me down?
balsa8
08-11-2009, 10:22 AM
They finally stopped posting. Two days now and no porno posts. It seems like they would register on one IP and then post on another. I spent all of Sunday banning usernames and IP addresses. Probably should have aggressively banned them from the beginning. Once they get started, it seems like they multiply like kokroaches.
JunkMale
08-13-2009, 11:31 AM
ALSO....

Check your web host has not got some tool for this already available via the control panel for your web site.
thewebhostingdi
08-20-2009, 02:59 AM
Hi,

If you can not locate an option to block the IP from the hosting control panel then you can add it in the htaccess file of your domain with this code:

deny from 89.149.244.218
deny from 89.149.227.124

And save that file.