What's going on!?

Folks,

I'm hosting a couple of Web Sites with CrystalTech. I recently got an e-mail from them telling their customers that they had been subjected to a DDoS attack.

My own site is not too dissimilar to EE in the sense that it allows people to sign up and sends out a notification with a Verification link that they need to click on to activate the account.

In the last couple of weeks, I have had a consistent trickle of two to four signups a day. Every time, they use an e-mail address as their login (something we strongly discourage as we, just like EE, never display the actual e-mail address entered in the appropriate box, but of course if you use an e-mail address as your username, what can one do, eh?).

The e-mail address is typically somedork@yahoo.com or somemoron@aol.com and so on.

None of them ever bother to activate their accounts. So I delete them again.

But what I'm wondering is, what might be happening here? What are they, or what is "it", trying to achieve by signing up like this all the time!? It or they obviously never participate.

A friend of mine, also hosting with CrystalTech, was using a catch-all e-mail account. Yesterday he had to disable this as his SPAM exploded to about 1,000 mails per minute.

Anybody got any news on something out there that has recently started causing havoc?
WernerVonBraun asked:
 
jako (sysadmin) commented:
It puzzles me, for if you're not using some popular off-the-shelf forum software, why would their script think it would be successful in harvesting your site?
0
 
jako (sysadmin) commented:
I suspect that these are the signs of a growing trend of programmatic bulletin board spamming. Include a CAPTCHA (http://en.wikipedia.org/wiki/Captcha) in the registration and you won't see them (until they figure out how to OCR these or pay some poor moron to aid them with the OCR). Captchas without the distortion on them have already fallen victim to some OCR specialist leechers: http://captcha.megaleecher.net/ :)
0
 
WernerVonBraun (Author) commented:
Hm. Ok. Well so far they haven't succeeded for the simple fact that they never validate their accounts.

I'll ask CrystalTech whether they have resources for CAPTCHAs that I could use.
0

 
WernerVonBraun (Author) commented:
Whoever it is, they're not very smart. They always use an e-mail address as their username. It's the same e-mail address as the one they use for registering. I'm now blocking the option to enter a username with an "@" symbol in it. Every time someone tries, I send myself a notification. This is the last one I got:

Subject: Some Wanker Is Trying It Again


Wanker: gonitmile@yahoo.com

Using Password: ndfpvkyp

Using E-mail Address: gonitmile@yahoo.com


There are three small textboxes on that form. The above three bits of information are *all* that is entered; I HTMLEncode them before sending them on to myself. It is obvious that they cannot succeed in using the form itself for any mass-mailing purpose. But they keep coming back. What is it about my site that keeps attracting this "bot" or whatnot?!
0
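The "@" block and HTML-encoded notification described in the post above, sketched as an added example (not the poster's code, which the thread does not show). The function names, the username format, the CR/LF check and the choice to leave the submitted password out of the alert are assumptions of this example.

```python
import html
import re

# Assumed policy: usernames are 3-32 chars of letters, digits, '_', '.', '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def screen_signup(username: str, email: str) -> list:
    """Return the reasons to reject a signup; an empty list means accept."""
    reasons = []
    # CR/LF in a field that later reaches a mail header or body is how a web
    # form gets abused as a mail relay, so refuse it outright.
    if any(c in field for field in (username, email) for c in "\r\n"):
        reasons.append("control-characters")
    if "@" in username:
        reasons.append("username-contains-at")
    elif not USERNAME_RE.fullmatch(username):
        reasons.append("username-bad-format")
    # The pattern reported in the thread: login and e-mail are identical.
    if username.strip().lower() == email.strip().lower():
        reasons.append("username-equals-email")
    return reasons


def build_notification(username: str, email: str, reasons: list) -> dict:
    """Build the admin alert. Fields are HTML-encoded as in the post; the
    submitted password is left out (a choice made in this example)."""
    def clean(value: str) -> str:
        # Strip CR/LF, cap the length, then encode for an HTML mail body.
        return html.escape(value.replace("\r", " ").replace("\n", " ")[:100])

    return {
        "subject": "Rejected signup: " + ", ".join(reasons),  # fixed text only
        "body": f"Username: {clean(username)}\nE-mail: {clean(email)}",
    }


# Constructed sample submissions (not taken from any real log).
SAMPLES = [
    ("bot1@example.com", "bot1@example.com"),
    ("alice_k", "alice@example.org"),
    ("someone\r\nX-Injected: 1", "someone@example.com"),
]

if __name__ == "__main__":
    for user, mail in SAMPLES:
        why = screen_signup(user, mail)
        print(why or "accepted", build_notification(user, mail, why)["body"])
```

The subject line is built only from fixed reason codes, so nothing a visitor types reaches a mail header.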
 
jako (sysadmin) commented:
It is an attempt most probably tied to spam. Either to harvest e-mail addresses off the user profiles (since a non-member wouldn't get to see them) or, if e-mail harvesting doesn't work, possibly spread its spam right there on the forum.
0
 
WernerVonBraun (Author) commented:
Ah well. Good luck to 'em. No user ever gets to see any e-mail address other than their own, and in order to spread any spam the very least they should do is follow the instruction in the verification mail because otherwise their login won't be activated. Anyhoo. I now reject these new IDs out of hand. At least they're consistently stupid....
0
 
jako (sysadmin) commented:
... stupid, or their bot generates too many failures, so that going through all of them manually and tweaking the script for a higher success rate doesn't pay off, and they are happy with the address lists that they do get.
0
 
jako (sysadmin) commented:
btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.
0
 
WernerVonBraun (Author) commented:
> btw, whatever forum scripts you run, don't forget to check for updates and patches. regularly.

Huh? That one went over my head, I'm afraid.

Oh. I think I see. You mean updates and patches to the forum software? I don't need to. Dumbo here wrote the lot himself.... <g>
0
 
WernerVonBraun (Author) commented:
Beats me. Maybe it looks similar enough to something off-the-shelf to fool something into believing it is. Judge for yourself: www.carobit.com

A bit of history: back in the year dot it looked for a while like EE might go under. I created Carobit back then so that if the worst happened, the community could find a new home. It never did, but Carobit is still around. I eventually got rid of its point system - no pun intended but.... it was a bit pointless - and re-focused Carobit on having a bit of fun outside the daily grind. You'll find there is a small core of dedicated friends still hanging around the Lounge there :-)
0
 
WernerVonBraun (Author) commented:
They're still trying. It's obviously a 'bot. A human would have copped on by now.
0
 
WernerVonBraun (Author) commented:
<shrug>

Frequency has gone down a bit. They're still trying, but I gather they're starting to process the feedback telling them it's goin' nowhere.
0
 
jako (sysadmin) commented:
thank you for the closure (even though the users scanning for answers to their similar problems might find previous postings of mine more relevant and therefore I advise them to read the whole thread from the beginning http://www-new.experts-exchange.com/Security/Vulnerabilities/Q_22077586.html#18047698 )

and stay secure ;)
0