Reporting the following node as spam: https://www.drupal.org/node/2434085
Created by user abam1383.
Others from abam1382, abam1381...
Comments
Comment #1
dman commented:
This is an automated (or at least mechanical turk-like) attack.
In the last 3 hours I've hit at least 50 individual accounts and posts, all spamming Korean.
2 (but only two) managed to do multi-posts, 39, and 16 spam posts in a matter of minutes.
Most of the rest an hour later were one user, one post.
All (as above) just using usernames abam1355+++ etc
I've kept https://www.drupal.org/user/3167861/admin-nodes up blocked and unpublished for forensics if anyone would like to see why it's been getting through the flood controls.
I have blocked LOTS that I've seen so far, but I'm elevating this importance a little, as it seems like a pattern that existing mechanisms are not throttling.
Comment #2
dman commented:
.. I probably should have kept the multi-post one up for examination, but at the time it was just "go away" and I didn't see it was part of a pattern until after.. :-{
I did note it was not a vetted user and was less than 2 hours old though
Comment #3
dddave commented:
Multiple posts: https://www.drupal.org/u/qjdkakela-oje971
Comment #4
dman commented:
Yeah, they are still at it. Dozens more this hour.
Renaming this as the top issue to hold these reports.
Comment #5
dman commented:
Killed another 20 single accounts, single posts.
Different username pattern now.
Comment #6
dman commented:
I just killed another HUNDRED accounts and posts by hand, found in the user list.
HOWEVER, they have now changed the account name pattern, and over half of the gmail account signups in the last 12 hours are from this spammer.
Comment #7
knoboid commented:
Fascinating. I assume they're all being posted from different IP addresses.
So is this a botnet that registers gmail accounts in order to do its dirty-work?
Comment #8
joshuami
It looks like Mollom is catching the content now, but the accounts are still getting created at a pretty good clip. We'll look at those settings and see if we can dial them in a bit more. In general Mollom has been successful at catching this sort of forum spam of late, but it was slow to pick this up for about a day.
Comment #9
dman commented:
At first I was bulk-deleting them through admin nodes, but then I found that using the 'delete' action took me through the 'report this content' confirmation screen, so I started using that and 'reported' a gross of them. Maybe that has trained up Mollom adequately.
Interesting that they are using hundreds of gmail accounts. Those are usually pretty trustworthy with their signup criteria so there is some new-ish exploit happening there I guess.
Comment #10
dman commented:
Also, as of right now, I see another 30 nodes added in the last 20 minutes at least, so it's still a pretty active threat.
Comment #11
dddave commented:
I've already deleted a bunch of these https://www.drupal.org/user/3168935/admin-nodes but left the rest unpublished in case we want to investigate how the user was able to post that much content.
Comment #12
dddave commented:
https://www.drupal.org/user/3168953/admin-nodes found that one already blocked.
Comment #13
tvn commented:
Looking through recent Mollom logs, it seems like it's been correctly marking most of this type of posts as spam in the last 24 hours. I think 'reporting as spam' to Mollom definitely helped to teach it. Note that we run 'relaxed' settings, so often Mollom would mark a form submission as spam, accept it, but keep it unpublished. Only webmasters and admins can see those posts.
Comment #14
dman commented:
This seems to have quieted.
Marking fixed. Refer to it again if a similar pattern re-appears.