PDA

View Full Version : Be on the look out



kingkenny
-18th May 2004, 09:09
Hi if anyone sees any new members with web links to places on the internet of "ill repute" can you let me know so I can delete them.

Mantis
-18th May 2004, 09:13
You mean like rival equipment suppliers? :grin:

Seriously though, I'll keep an eye out.

KayJay
-18th May 2004, 09:59
Can you send me a copy before you delete them??? :grin:

kingkenny
-18th May 2004, 10:08
I would have to make sure the site was suitable with a very thorough search. :grin:

Neo
-18th May 2004, 14:54
they're also noticeable by the name (I have the same problem on other forums) usually surrounded by -'s (for instance -aerol-). I delted 6 or so on openlaw UK site, and another 3 reg'd the next day. However, I don't think they're actually spamvertising dodgy sites, since all the links seem to be dead, rather seems to be more "type in some dodgy sounding url".

A quick search on google reveals similar names have registered on other boards lately with similar characteristics (multiple registrations with similar names, dodgy URL's, no posts). You may also notice returned mails (as the mails used are fake/full) I've seen that too.

I originally thought they were script kiddies trying to exploit phpBB (forum software running on openlaw) but then phpBB isn't running here. Having said that, message boards are a popular target for script kiddies (partly due to the usual proliferation of exploits available) so you might want to keep your eye out for any patches released.

Also, from the ones I've seen, they all seem to be coming from german ips which (as far I can establish) don't appear to be insecure proxies.

Update: quick check on OpenLaw there, they also appear to use !'s around names as well (!aaa!) I'm guessing the reason for this is so they appear at the beginning of member lists.

Ulrika
-18th May 2004, 19:19
(Why do I feel the urge to spell your nick "Kilkenny"...???) :tongue:

Have a look and decide what to do... (http://fencingforum.com/forum/showthread.php?s=&postid=44900#post44900)

uk_45
-18th May 2004, 21:16
Hmm I will keep a very close eye out;)

gbm
-18th May 2004, 21:57
dave_binns

gbm
-18th May 2004, 21:58
- aamdas -

uk_45
-18th May 2004, 21:59
What???

gbm
-18th May 2004, 22:00
mulatica

Not sure about this one, the web site selling something but the avatar and biography seem like a fencer.

gbm
-18th May 2004, 22:01
Users that have dodgy looking home pages.

uk_45
-18th May 2004, 22:06
yeah shall we just add neo to the list any way!

gbm
-18th May 2004, 22:08
This one has a funny name and no information or posts:
d30sj0
Watch it carefully...

uk_45
-18th May 2004, 22:09
Going into the realms spam of etc why dont you make a list in word lol

gbm
-18th May 2004, 22:14
I'd get less post counts then. :grin:

gbm
-18th May 2004, 22:17
I do suggest you lose 'dave_binns' and '- aamdas -' ASAP though. One of the links doesn't seem to work, but the other is definitely 'of "ill repute"' to quote Kingkenny.

Neo
-18th May 2004, 23:15
none of them match the pattern tho (I'm sure there are a lot of legitimate users who have no posts and possibly selling something on their websites)

A sample of the urls...

http://zfetish.org
http://boys4fun.org
http://ebonyz.net
http://oralsatisfaction.net
http://zadultsingles.net

all of the above are dead URLs, but with dubious sexual connotations

- aamdas - is definitely one ( http://www.openlaw.org.uk/profile.php?mode=viewprofile&u=10 - can be seen here also)

gbm
-19th May 2004, 08:23
Have you got any idea what they are up to yet?

kingkenny
-19th May 2004, 09:36
Ok 5 kicked out. Its me against Spam in some kind of crazy war. :o

Mantis
-19th May 2004, 09:44
Spambo?

:rambo:

Neo
-19th May 2004, 10:36
If they are spambots, then they're kind of dumb spambots since all the URL's are non-existent.

It could be a person/group with way too much time on their hands. Next time u see one, punch it into google - you'll see a lot of registrations on various sites - rather a lot of registrations to be a real person, which leads me to the conclusion that they're some kind of bot. However I suspect they'll actually be some kind of exploit bot.

Mantis
-19th May 2004, 10:48
Originally posted by Neo
If they are spambots, then they're kind of dumb spambots since all the URL's are non-existent.

Maybe the URL's don't exist yet, but the owner wants them to be registered on search engines when they appear for, probably, just a few days. Or some sort of proof of concept. Or an old spambot somewhere that is still running long after its use-by-date, possibly set up by a virus and still running unnoticed (no, I don't know if there are viruses that do this sort of thing). Just thinking out loud.

Neo
-19th May 2004, 10:51
the only search engine which relies on other people linking is google and it won't list it anyways if its dead.

uk_45
-19th May 2004, 21:27
Originally posted by Kingkenny
Ok 5 kicked out. Its me against Spam in some kind of crazy war. :o

And yet we see your latest topic.

Only kidding with ya man. You rock (or summin like that)

Neo
-19th May 2004, 21:38
Originally posted by uk_45
And yet we see your latest topic.

That's not spam...

spam ( P ) Pronunciation Key (spm)
n.
Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail.

uk_45
-19th May 2004, 21:39
Show off!

Neo
-19th May 2004, 21:42
it's not. (though a common mis-usage). Similar to the common mis-usage of the word 'hacker'.

Cross-posting perhaps, but not spam. In any event he's the webmaster and thus nothing he posts here could be regarded as spam (the key word in the definition being 'unsolicited')

gbm
-20th May 2004, 17:50
I'd like to make a suggestion:
When new users are signing on, tell them that they must post within a week or PM a mod to explain why they are not posting. Direct them to the New Member Introductions. That way it would be easier to differentiate between genuine members and spambots.

Neo
-20th May 2004, 17:55
Originally posted by goodbadandme
I'd like to make a suggestion:
When new users are signing on, tell them that they must post within a week or PM a mod to explain why they are not posting. Direct them to the New Member Introductions. That way it would be easier to differentiate between genuine members and spambots.

and watch the memberlist decrease dramatically in size.

This is an isolated problem btw, I pointed it out to Gav when I noticed the same registrations here as on other forums. The registrations all follow similar patterns and are this easy to spot. (and I suspect will disappear in time)

gbm
-20th May 2004, 18:01
Well ask them to then. Don't force it, but why do people sign on then never post?

Neo
-20th May 2004, 18:47
They may want for instance to follow (and subscribe) to a thread, but don't feel they have anything to contribute to it.

gbm
-20th May 2004, 18:51
I haven't used that feature yet!

Neo
-20th May 2004, 18:54
You're automatically subscribed when u post to a thread, but I think u can manually subscribe too

Neo
-20th May 2004, 18:57
As a former exploiter, I've gotten to know quit a bit about the ins and outs of common exploits, especially on forum systems (an example is referred to in http://www.dnbscene.com/about.php ). The most popular one being phpBB. Most forum systems have at least one exploit released every so often (some more than others). Potentially anyone bored enough to pore through the source code could find more.

However, since nowadays I actually want to practise law when I graudate I have to resist the boredom :P (Also, nowadays I'm more interested in the other side - keeping the bad people out :P)

uk_45
-21st May 2004, 17:26
What's so great about having a large amount of people on member list if they dont post?

Rdb811
-21st May 2004, 23:56
They might read; they may have been put off by a bunch of kids trying to up their number of posts :tongue: , they take up some disk space, they may have nothing to say - so what ?

Neo
-22nd May 2004, 00:19
Also it would be unwise to alienate someone who has taken the time to register for the site by deleting that registration.

uk_45
-22nd May 2004, 13:17
Ok point taken

gbm
-23rd May 2004, 12:25
We have a new one!
!!!accert!!!
http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=882
Same pattern as Neo has already said with regard to web page.

gbm
-23rd May 2004, 12:28
Why do they not appear in the member's list?

gbm
-23rd May 2004, 12:30
And they don't come up when you search for the name, either. I just spotted it on the "Welcome to our newest member" thing on the home page...

Neo
-23rd May 2004, 13:07
yep that's one alright.

http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=882

gbm
-23rd May 2004, 13:09
Have you got any idea why !!!accert!!! does not appear in the member list yet? Does it take 24 hours or something to filter through? Or is there something more malicious here?

Neo
-23rd May 2004, 13:16
dunno, I'm guessing the memberlist may be filtered (so that these don't show) or one of the mods has already deleted em.

gbm
-23rd May 2004, 13:19
!!!accert!!! is brand new. And as far as I can tell, !!!accert!!! never appeared on the member list. So I doubt a mod has got to it yet.

gbm
-23rd May 2004, 13:36
I think Kingkenny has got him now. That should show those pesky... umm... whatever-it-is-they-are-doing doers!

uk_45
-23rd May 2004, 21:33
I was looking at the birthday list and realised i hav't seen 3/4s of the people on it post

gbm
-23rd May 2004, 21:55
Lots of people seem to sign up, do one thing (like send a PM), then disappear forever...

uk_45
-23rd May 2004, 21:57
yeah the average post seems to be 4

gbm
-23rd May 2004, 22:17
Well I have the highest post-per-day rate on the forum as far as I can tell!

gbm
-24th May 2004, 07:49
Another one...
!! abhar !!
http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=887
Go get 'em, Kingkenny!

wingnutLP
-24th May 2004, 09:29
I have banned all usernames that have either !! or -- in them which should stop the whatever it is that is registering them!

gbm
-24th May 2004, 09:35
Good move.

wingnutLP
-24th May 2004, 10:00
I thought so too ;)

Neo
-24th May 2004, 13:18
Originally posted by wingnut
I thought so too ;)

hahaha. the word a s s wouldn't happen to be on the censor list would it? hint: take a look at your signature ;)

gbm
-4th June 2004, 19:14
Another one, registered today!

! asoliu !
http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=914

I'm good...

Ban all new usernames with ! characters in, if you can.

wingnutLP
-7th June 2004, 10:12
will do

gbm
-7th June 2004, 13:59
I think Kingkenny might have beaten you to it...

Ulrika
-14th June 2004, 11:35
Yet another one (http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=932)...

wingnutLP
-14th June 2004, 11:36
Deleted, Thanks

Ulrika
-14th June 2004, 11:38
Wheew, that was quick!

Winwaloe
-14th June 2004, 16:53
Can someone explain what you are all talking about?

Neo
-14th June 2004, 18:42
Originally posted by Winwaloe
Can someone explain what you are all talking about?

lesbians with double dildos...

uk_45
-14th June 2004, 19:22
Erm well members whom have x-rated sites as there URLs

Neo
-14th June 2004, 19:37
they're not real members, as noted previously I suspect they're some kind of automated exploit.

gbm
-14th June 2004, 21:47
Still haven't figured out what they are up to though, have you...

Neo
-14th June 2004, 21:54
Originally posted by goodbadandme
Still haven't figured out what they are up to though, have you...

I wouldn't worry about it. My server logs show various sorts of attempted exploits/attacks on a daily basis - provided the software is up to date just ignore em (or in this case delete as necessary)

Now if I can just get udev to work before my syslog explodes, I'll be happy :P

Winwaloe
-15th June 2004, 07:22
Phew, that's OK then. For a nasty moment I thought someone had been promoting the Outer Mongolian Fencing Equipment Supply Company!

Steve
-15th June 2004, 07:33
New member called !-absios-!, sounds dodgy... think his web page might have given him away too! :tongue:

Steve
-16th June 2004, 07:25
And another one - ! ferty !

Same thing as above!

uk_45
-16th June 2004, 11:06
(!ferary!) and ! avare !

Looks like you should ban user name starting with ! and (

Steve
-16th June 2004, 12:42
User names starting with ! aren't displayed on the member list so it probably doesn't affect the forum much... seeing as these accounts aren't used for posting.

Anybody know why someone would bother to signup like this?

gbm
-16th June 2004, 14:52
fencing101.com has some of the same usernames, as do some other forums. Neo thinks they are an automated exploit; without further knowledge the best thing is simply to delete them.

Rdb811
-18th June 2004, 23:48
There's now another one ! arax !

uk_45
-19th June 2004, 12:40
yes and this one seems to appear on the member list when some others didn't

pincushion
-20th June 2004, 20:33
Here's another one for you...

- asaber -

He/she/it is online now, 9.30pm.

uk_45
-20th June 2004, 20:36
Would it be possible to block all name that don't start with a letter or number

EDIT: forget that just looked at the member list that would rule out some real members

gbm
-20th June 2004, 20:38
Probably, but I thought Kingkenny et al had already done something like that?

uk_45
-20th June 2004, 20:38
See above edit

uk_45
-20th June 2004, 20:40
This could just be coincidence but this latest one has a fencing related term in his name 'saber' all be it splet the american way.

gbm
-20th June 2004, 20:49
Just block new members, not old ones.
And I bet its a coincidence.

wingnutLP
-21st June 2004, 08:15
I have blocked -- and !! but if I block ! and - then some users will be removed.

I can't seem to set it to just ban new users with these characers.

gbm
-21st June 2004, 11:25
There are only two proper users with ! in the names, 'Ces't Moi!', who has never posted, and 'NoT V gOOd!', who has posted 21 times. Perhaps if you were to ask them, they would not mind changing their username slightly?
Possibly this is a bit extreme when these spurious users as yet do not appear to have done anything (except hugely inflate my post count - surely I couldn't have posted that much! :tongue:), but it will only get harder in the future if more valid users join with ! in the names, and for some reason it becomes necessary to prevent this.

uk_45
-21st June 2004, 12:36
Ok I've got my head screwed on now so could you try blocking '! ' so you block names that have a question mark followed by a space.

uk_45
-21st June 2004, 12:48
! arax ! still appears on the list by the way

gbm
-21st June 2004, 12:50
Ok I've got my head screwed on now so could you try blocking '! ' so you block names that have a question mark followed by a space.

Clever idea! :tongue:

uk_45
-21st June 2004, 12:56
Although it isn't a question mark, it's a exclamation mark, but you get the idea.

wingnutLP
-21st June 2004, 14:32
I will take a look.

thanks for the suggestion.

Steve
-22nd June 2004, 06:58
Originally posted by uk_45
Ok I've got my head screwed on now so could you try blocking '! ' so you block names that have a question mark followed by a space.

This wouldn't work for the new one : !ambios!

It's like they're always one step ahead!

uk_45
-22nd June 2004, 09:56
Yeah that has just hit me. Sould do with closing this thread to non-members.

bufc99
-22nd June 2004, 11:04
new one ! arax !

uk_45
-22nd June 2004, 11:22
That ones been around for a while.

pincushion
-27th June 2004, 13:22
"nobhead 2004" ...now there's a name for you!!!

check out his ID :rolleyes:

Neo
-28th June 2004, 00:47
Originally posted by pincushion
"nobhead 2004" ...now there's a name for you!!!

check out his ID :rolleyes:

heh. Didn't know roger had registered twice :grin:

Rdb811
-28th June 2004, 01:08
Thanks for being volunteered to wash the club kit.:)

Neo
-28th June 2004, 12:19
Originally posted by Rdb811
Thanks for being volunteered to wash the club kit.:)

lmao

(I was gonna say Nick, but you're the only one here to defend yourself :P)

Steve
-6th July 2004, 12:34
Just spotted this one: ! arax !

Beam him up Scotty (Kenny!) :transport

Steve
-6th July 2004, 12:36
Ok, just read back and saw that uk_45 pointed him out a while ago. I thought he had been removed, but now he appears to be back anyway:wazup:

uk_45
-6th July 2004, 12:37
yeah he's been on the member list for about a month ish now

gbm
-23rd July 2004, 21:12
Tarmac on this (http://fencingforum.com/forum/showthread.php?s=&postid=55066#post55066) thread has pointed this (http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1021) user out.

Tarmac
-23rd July 2004, 21:19
never let it be said that my anal retentive attention to detail never yielded positive results.

uk_45
-24th July 2004, 08:24
Black adder by any chance. or is it red dwarf its to early for me

Robert
-24th July 2004, 10:32
Originally posted by Tarmac
never let it be said that my anal retentive attention to detail never yielded positive results.

UK_45,

The original is '... that your anal retentive attention...' and it is the film Dogma.

Robert

break_charmer
-24th July 2004, 10:40
While we are on the subject Id just like to point out that the page Im using as a homepage is: www.f1sting.co.uk - its NOT porn its Formula 1. Just in case any moderators think this is porn spam-its just a bit of a joke really.

Neo
-24th July 2004, 10:56
dude, that's a seriously dodgy url!

any chance of lending a subdomain? I'm sure a few of my customers might like that as a vhost :P

break_charmer
-26th July 2004, 12:04
Originally posted by Neo
dude, that's a seriously dodgy url!

any chance of lending a subdomain? I'm sure a few of my customers might like that as a vhost :P

Dude, Im a seriously dodgy bloke! :)

What sort of business are you in wanting a sub domain like mine?
:dizzy: :dizzy: :dizzy: :dizzy:

Mr Flea
-26th July 2004, 12:53
Originally posted by break_charmer
[B]Dude, Im a seriously dodgy bloke! :)



sadly, i can vouch that...;) lol

[he's not that dodgy really - well, i've met worse ] :)

uk_45
-26th July 2004, 13:29
I'm sure he can't be as bad as neo!

break_charmer
-26th July 2004, 13:39
Originally posted by Mr Flea
sadly, i can vouch that...;) lol

[he's not that dodgy really - well, i've met worse ] :)

thanks flea,

I think

gbm
-27th July 2004, 19:46
http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1026

The link for this user could be dodgy.

Steve
-28th July 2004, 07:15
Doesn't seem likely as there's alot of fencing related detail filled into the form and he/she has posted a few times

gbm
-28th July 2004, 11:13
Yeah, but try their web address...

kingkenny
-28th July 2004, 11:35
removed the URL

gbm
-28th July 2004, 11:42
Sorted! Could you fix the eyes on your avatar, though - they scare me (they move too much!)

uk_45
-23rd August 2004, 15:53
Ok new one

'abergut'

Same pattern with the URL mind

Neo
-23rd August 2004, 17:48
Originally posted by break_charmer
Dude, Im a seriously dodgy bloke! :)

What sort of business are you in wanting a sub domain like mine?
:dizzy: :dizzy: :dizzy: :dizzy:

I sell webhosting, irc shells etc - I'm sure a few customers would like that as a vhost for use on irc :P

gbm
-27th August 2004, 15:51
http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1094

rpryer
-2nd September 2004, 12:32
Another one (http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1117), looking at the web address.

rpryer
-5th September 2004, 00:21
Another one (http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1121) with the same web address as the last one.

gbm
-5th September 2004, 14:28
Where are you Kingkenny!

uk_45
-26th September 2004, 09:20
Another one, I'd guess clearly advertising and a bot.

Member- 'PRBot.Com'

Glue Boy
-26th September 2004, 17:22
Tigger's homepage looks dodgy!

it got a weird looing dude on the front page! ;)

Rdb811
-26th September 2004, 17:34
Originally posted by uk_45
Another one, I'd guess clearly advertising and a bot.

Member- 'PRBot.Com'

Posted a proper post in Chit Chat.

uk_45
-26th September 2004, 17:44
yeah but if you had seen the signiture it was loads of advertisng. and the post could have just been from a advanced bot

Rdb811
-26th September 2004, 18:40
Ah - I don't have the sigs on.

Anyway quite a lot of the posts could be advanced bots.:confused:

gbm
-26th September 2004, 18:43
[bot code 140 - reply to supposed existence of bot]
Replies posted by bots! What a ridiculous idea!
[change-subject]
[bot code 170 - off-topic advert - find topic by common word search... word found - FENCING]
Wow, I do like a chain link fence! I use Chain-Link Industrial, because they're the best!

Dave Hillier
-4th October 2004, 13:03
and another one


afilius

Andy
-12th October 2004, 02:33
Maybe have a look at ' peachblossom ' - Looks like they are trying to get us to install an auto dialler... (Maybe not, but take a look)

A.

uk_45
-4th November 2004, 16:22
'KINGNM' looks dodgy, link is related to marketing etc.

Neo
-8th November 2004, 23:41
As I noted previously, I have similar problem on another forum. Someone just suggested why... these are automated registrations by bots, when google indexes this page it finds the link and thus bumps it up higher in the listings.

One suitable suggestion - add members.php (or whatever the display member info page is) to robots.txt so that google will ignore and not index it, making the whole exercise pointless. Though given that the process is automated, I suspect it probably won't solve the problem, merely make the end desired impossible.

Neo
-8th November 2004, 23:42
Originally posted by Rdb811
Ah - I don't have the sigs on.

Anyway quite a lot of the posts could be advanced bots.:confused:

Personally I think ur all cyborgs...

oddball
-24th November 2004, 10:25
AAAAAAAAAGGGGGGGHRRR!!!!!! Cyborgs!:grin:

Dave Hillier
-6th December 2004, 10:25
lammymessb

not porn but doesn't look like a fencer

Dave Hillier
-6th December 2004, 18:11
sammybo04

and another one

bufc99
-8th December 2004, 00:10
Looks like another one.

!!babe02

Neo
-8th December 2004, 12:32
mmm babes...

madfencer
-7th January 2005, 11:47
NEO!!!! sorry i know this is an old thread but i had to say that!!

i will keep an eye out for dodgey names n url's.

Tarmac
-7th January 2005, 12:01
yuo can give him a slap too if ya like...
but he might like it...:confused:

kingkenny
-7th January 2005, 13:09
babe gone bye bye! :grin:

Dave Hillier
-24th February 2005, 00:11
another one

aafinort

rpryer
-24th February 2005, 06:45
And another

aagaf (http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1526)

Tarmac
-25th February 2005, 12:14
apoiro
that website sounds.. well...dodgy as gherkin and peanut butter sandwich

Tubby
-25th February 2005, 16:43
http://fencingforum.com/forum/showthread.php?s=&postid=84563#post84563

someone has attached some porn onto the site.

uk_45
-25th February 2005, 16:44
Five times!

Neo
-25th February 2005, 16:54
wasn's this thread originally about the bot things appearing? :tongue:

Tubby
-25th February 2005, 16:58
Probably, but I couldn't find a moderator then discovered the "report post" link.

Tubby
-25th February 2005, 16:59
Just looked at the first post - thread was on dodgy sites being linked from the forum through members pages.

Neo
-25th February 2005, 17:12
Originally posted by Tubby
Just looked at the first post - thread was on dodgy sites being linked from the forum through members pages.

ah indeed. I think I oreviously mentioned the phenomena though (they link via profiles to gain google juice) - I had identical ghoulies on the openlaw forum.

Tarmac
-18th March 2005, 15:38
nicholas813

automated responce?

rpryer
-30th March 2005, 18:48
Another one for the list !charlene555 (http://fencingforum.com/forum/member.php?s=&action=getinfo&userid=1630)