Reporting the following node as spam: https://www.drupal.org/node/2434085
Created by user abam1383.
Others from abam1382, abam1381...

Comments

dman’s picture

Priority: Normal » Major
Status: Active » Needs review

This is an automated (or at least mechanical turk-like) attack.

In the last 3 hours I've hit at least 50 individual accounts and posts, all spamming Korean.

2 (but only two) managed to do multi-posts, 39, and 16 spam posts in a matter of minutes.

Most of the rest an hour later were one user, one post.
All (as above) just using usernames abam1355+++ etc

I've kept https://www.drupal.org/user/3167861/admin-nodes up blocked and unpublished for forensics if anyone would like to see why it's been getting through the flood controls.

I have blocked LOTS that I've seen so far, but I'm elevating this importance a little, as it seems like a pattern that existing mechanisms are not throttling.

dman’s picture

.. I probably should have kept the multi-post one up for examination, but at the time it was just "go away" and I didn't see it was part of a pattern until after.. :-{
I did note it was not a vetted user and was less than 2 hours old though

dddave’s picture

dman’s picture

Title: Spam Report » Spam Report : Korean "BAM WAR" flood
Status: Needs review » Active

Yeah, they are still at it. Dozens more this hour.
Renaming this as the top issue to hold these reports.

dman’s picture

Killed another 20 single accounts, single posts.
Different username pattern now.

dman’s picture

I just killed another HUNDRED accounts and posts by hand, found in the user list.
HOWEVER, they have now changed the account name pattern, and over half of the Gmail account signups in the last 12 hours are from this spammer.

knoboid’s picture

Fascinating. I assume they're all being posted from different IP addresses.

So is this a botnet that registers Gmail accounts in order to do its dirty work?

joshuami’s picture

It looks like Mollom is catching the content now, but the accounts are still getting created at a pretty good clip. We'll look at those settings and see if we can dial them in a bit more. In general Mollom has been successful at catching this sort of forum spam of late, but it was slow to pick this up for about a day.

dman’s picture

At first I was bulk-deleting them through admin nodes, but then I found that using the 'delete' action took me through the 'report this content' confirmation screen, so I started using that and 'reported' a gross of them. Maybe that has trained up Mollom adequately.

Interesting that they are using hundreds of Gmail accounts. Those are usually pretty trustworthy with their signup criteria so there is some new-ish exploit happening there I guess.

dman’s picture

Also, as of right now, I see another 30 nodes added in the last 20 minutes at least, so it's still a pretty active threat.

dddave’s picture

I've already deleted a bunch of these https://www.drupal.org/user/3168935/admin-nodes but left the rest unpublished in case we want to investigate how the user was able to post that much content.

dddave’s picture

https://www.drupal.org/user/3168953/admin-nodes found that one already blocked.

tvn’s picture

Looking through recent Mollom logs, it seems like it's been correctly marking most posts of this type as spam in the last 24 hours. I think 'reporting as spam' to Mollom definitely helped to teach it. Note that we run 'relaxed' settings, so often Mollom would mark a form submission as spam, accept it, but keep it unpublished. Only webmasters and admins can see those posts.

dman’s picture

Status: Active » Fixed

This seems to have quieted.
Marking fixed. Refer to it again if a similar pattern re-appears.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.