Hello.

Last night my site http://www.conservative-truths.com/ was hit with comment spam.  The weird thing is that the captcha process appears to be working correctly, but this was definitely an automated attack.  A different porn-site comment was posted to each of the 80+ entries within the span of one hour (2AM to 3AM) and I just cannot see someone entering a different comment to each posting in that amount of time using the captcha process.

My site is hosted on PowWeb and the server changed on Wednesday.  Is there any way that the server change could have allowed this?

I have deleted all of the spam comments from all of the entries except this one:  http://www.conservative-truths.com/comments.php?id=97_0_1_0_C This is the posting about the server change so I have decided to keep the spam comment on this entry while I look into how this could have happened.

Has this ever happened to anyone else?  Is there any way to make sure that this doesn’t happen again?

Thanks.

-Derek

This just happened last night on my other pMachine Pro blog.  The entry can be found here: http://www.liberal-truths.com/comments.php?id=92_0_1_2_C

As with the other site, the captcha process is working.  This site’s server change happened on August 10, 2006 so I don’t believe the server change could have allowed this to happen since it happened a few weeks ago, whereas the other site had changed servers within a couple of days of the attack.

Last night’s attack came from the same IP address as the previous attack and that IP address has been banned on both sites, but I would still like to know how this could have even happened in the first place since the captcha process is working.

Does anyone have any ideas?

Same happened to me today! In one minute I got 8-10 spams into my comments, totally 100 or so, deleted all by hand. Captcha is on and working. .... so it must be an automated attack.

Still I have version EE 1.2.1.

@ derekcbart - was this attack one-time? Or did the spammer come again?

What can we do? Any Idea?

FWIW - I had ~85 comment spams added the other day (my site is still on pMPro 2.4, and yes with CAPTCHA enabled).  They all appeared to come from the same IP address, blocked it and so far so good. 

I’m planning a move to EE soon, though, so if it continues I’ll just disable comments altogether until after the move.

I have two sites running pMPro 2.4.  Each site was attacked once.  The IP address of the attacker is 62.233.222.146.  It was the same address for both attacks.  Is this the same address for your attacks?

Chacharon, if your site is on EE then this type of attack is not limited to a possible flaw in pMPro.  Someone must have come up with a way to defeat captcha itself.

It would really be nice to hear from an engineer and find out what they think about this.

@derekcbart - YES! It is the same IP address! And his E-Mail ‘golik22@op.pl’
I’m flabbergasted.

... to defeat captcha ... how is this possible?

For now I blocked this IP. Hope it works.
But I suppose, it’s only a matter of time before someone else is doing such attacks or another IP is in use.
I think the same like you: It would really be nice to hear from an engineer.

So - I searched the IP by the RIPE Database - found this:

netname:      Insite-NET
descr:        Connected through Futuro Poland
country:      PL
admin-c:      SL2058-RIPE
tech-c:      MM6454-RIPE
tech-c:      PF722-RIPE
status:      ASSIGNED PA “status:“ definitions
mnt-by:      FUTURO-MNT
mnt-lower:    FUTURO-MNT
mnt-routes:    FUTURO-MNT
source:      RIPE # Filtered

role:        Futuro - Polish Internet Provider
address:      PRO FUTURO S.A.
address:      ul. Nowogrodzka 47a
address:      00-695 Warszawa
address:      POLAND
phone:        +48 22 338 9999
fax-no:      +48 22 338 9900
admin-c:      PK2632-RIPE
tech-c:      PK2632-RIPE
nic-hdl:      PF722-RIPE
remarks:      trouble:    DNS trouble:    dns@pro-futuro.com
remarks:      trouble:    Abuse trouble:  abuse@pro-futuro.com
remarks:      trouble:    Others:      trouble@pro-futuro.com
remarks:      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
remarks:      In case of abuse (intrusion attempts, hacking,
remarks:      spamming or other unaccepted behavior) from
remarks:      Futuro addresses space, please contact:
remarks:      abuse@pro-futuro.com.
remarks:      Direct contact in case of abuse: +48 81 7187380
remarks:      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
abuse-mailbox:  abuse@pro-futuro.com
mnt-by:      FUTURO-OBJ-MNT
source:      RIPE # Filtered

person:      Sebastian Lukaszczyk
address:      Insite
address:      ul. 6-go Sierpnia 1/3
address:      90-606 Lodz
address:      Poland
phone:        +48426300201
fax-no:      +48426300201
nic-hdl:      SL2058-RIPE
mnt-by:      FUTURO-OBJ-MNT
source:      RIPE # Filtered

person:      Mateusz Motlawski
address:      Insite
address:      ul. 6-go Sierpnia 1/3
address:      90-606 Lodz
address:      Poland
phone:        +48426300201
fax-no:      +48426300201
nic-hdl:      MM6454-RIPE
mnt-by:      FUTURO-OBJ-MNT
source:      RIPE # Filtered

% Information related to ‘62.233.128.0/17AS15833’

route:        62.233.128.0/17
descr:        Futuro Route
origin:      AS15833
remarks:      removed cross-nfy:  GM2964-RIPE
remarks:      removed cross-mnt:  FUTURO-MNT
mnt-by:      FUTURO-MNT
mnt-lower:    FUTURO-MNT
mnt-routes:    FUTURO-MNT
source:      RIPE # Filtered

Can we do something? I mean something efficient?

Same thing happened to me. IP 219.238.134.69.

Do you folks user the Throttling Configuration in Preferences? That can be set to slow down the automated entries, and you can set the lockout time, too.

UPDATE: There’s also the Comment Re-Submission Time Interval in Weblog Management. Set that to the number of seconds before the same user can submit another comment.

Ronnie and RailHead - this thread is for pMachine PRO 2.4, not EE.

Hi there.

This just started happening again on my sites.  There is no ability to limit the number of replies to posts in pMachinePro as far as I can tell.  I did limit the number of days that replies can be made to a posting.  It was set to 0 and now it is set to 60.  I only publish once per week, so 60 days would basically be two months which should be enough time for anyone to make a legitimate post.

I still find it disconcerting that the protection that CAPTCHA is supposed to be providing isn’t working.

-Derek

pMachine PRO is no longer a supported product. It hasn’t been for a few years now. As far as CAPTCHA problems go, I wouldn’t know where to start troubleshooting. Boyink a year or more ago didn’t have an answer either. He’s moved his site over to EE.

There are certainly better options for comments in EE, if at all possible I suggest you upgrade.

Sue Crocker - 28 March 2007 03:07 PM

pMachine PRO is no longer a supported product. It hasn’t been for a few years now. As far as CAPTCHA problems go, I wouldn’t know where to start troubleshooting. Boyink a year or more ago didn’t have an answer either. He’s moved his site over to EE.

There are certainly better options for comments in EE, if at all possible I suggest you upgrade.

Hello Sue.

Actually, EE was not a viable choice for my blogs.  I don’t know if it is better now, but other than this occassional comment spam my sites do all that I want them to.  Also, even if I did convert to EE is there any guarantee that CAPTCHA would work there since it isn’t working with pMPro?

No, there isn’t any guarantee. But you could still download the EECore free version and see how it works for CAPTCHAs. That’s what I suggest trying.