One of my websites gets a ton of registration spam. I have a Captcha and a math question on the registration form but it doesn't seem to help much. Am I likely experiencing manual spammers or are my prevention mechanisms not good enough?
The registration form is here:
http://peaksoverpoverty.org/wp-signup.php
Update
I've been tracking behavior a bit closer over the past week and this is what a typical request looks like in the access logs:
174.132.130.194 - - [18/Jan/2011:07:24:55 -0600] "GET / HTTP/1.1" 302 20 "http://peaksoverpoverty.org/wp-signup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 3.0.04506; Media Center PC 5.0; SLCC1; Tablet PC 2.0)"
After poking around a bit, the user agent string doesn't necessarily look malicious - this tool was able to explain the entire string. Then again, I haven't ever really stared at user agent strings for a long time. I know they can easily be spoofed, but this is what the spammers are sending.
Also this is a list of offending IP addresses I have gathered over the past week and blocked:
174.120.203.66
174.120.245.194
174.122.107.138
174.122.175.162
174.123.101.98
174.132.130.194
174.142.241.137
175.41.168.169
184.154.74.21
187.63.208.241
195.56.42.131
199.16.130.53
200.17.56.7
201.22.130.66
201.59.175.2
201.59.175.29
205.186.184.10
208.100.27.143
208.100.27.154
208.100.27.159
208.100.27.186
208.101.30.165
208.43.73.29
209.151.224.235
209.151.224.240
212.227.119.47
213.251.189.204
213.251.189.205
216.108.225.220
216.108.225.242
220.181.94.212
222.237.79.242
24.252.62.57
62.215.5.66
64.22.89.70
66.172.42.11
66.232.112.144
66.232.112.168
66.249.71.217
66.96.219.38
67.109.124.170
67.18.19.194
67.18.5.2
67.18.72.2
67.225.184.5
69.117.20.174
69.117.22.237
69.117.24.21
69.117.26.195
69.147.240.90
69.147.249.161
69.147.249.22
69.147.249.99
69.167.175.27
69.28.58.35
69.56.228.130
69.89.31.240
71.208.210.208
72.18.157.147
74.220.215.68
74.53.28.2
74.54.131.82
74.54.95.210
77.235.37.41
79.125.33.136
79.172.242.144
80.252.171.68
82.80.235.146
84.16.243.243
85.17.199.46
85.214.92.15
85.92.83.164
86.196.41.15
86.208.68.211
88.191.126.212
88.208.33.130
90.18.14.167
90.47.218.215
90.59.74.139
91.121.203.226
91.184.49.210
91.207.254.234
93.174.95.153
94.125.27.20
95.133.38.238
It seems like the attackers are providing fairly dynamic IP addresses. Any further thoughts would be great. I'm really starting to think these are manual attacks but still not 100% sure because I've never dealt with a spam issue this bad.
Related
I recently got myself a new PC(Predator Helios 300) and I wanted to start using aws there but when I try to perform amplify init I get the error below even though I already did all the other steps such as configuration.
× Root stack creation failed
init failed
{ SignatureDoesNotMatch: Signature expired: 20190427T235724Z is now earlier than 20190428T094952Z (20190428T095452Z - 5 min.)
at Request.extractError (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\protocol\query.js:50:29)
at Request.callListeners (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
at Request.emit (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
at Request.emit (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\request.js:683:14)
at Request.transition (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\request.js:22:10)
at AcceptorStateMachine.runTo (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\state_machine.js:14:12)
at C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\state_machine.js:26:10
at Request.<anonymous> (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\request.js:38:9)
at Request.<anonymous> (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\request.js:685:12)
at Request.callListeners (C:\Users\sahve\AppData\Roaming\npm\node_modules\#aws-amplify\cli\node_modules\aws-sdk\lib\sequential_executor.js:116:18)
message:
'Signature expired: 20190427T235724Z is now earlier than 20190428T094952Z (20190428T095452Z - 5 min.)',
code: 'SignatureDoesNotMatch',
time: 2019-04-27T23:57:24.753Z,
requestId: 'ab179ef3-699b-11e9-bfe3-4ddc7ceb66ee',
statusCode: 403,
retryable: true }
After doing some research It seems to be a verification problem. Does anyone has experience with this or knows how to resolve this issue. Thanks a lot!
Any time you see an error like "is now earlier than" around some numbers that look like timestamps (20190427T235724Z -> 2019-04-27 23:57:24 UTC), that's an indicator that the error is time related. Time matters for cryptography in order to validate certificates (so that an attacker cannot break a certificate and use it after its expiration, among other reasons) [1]. In this case, either your clock or the remote server clock is wrongly set. Since the remote server in this case is AWS, it is highly unlikely that they have any significant clock drift, leaving you as the possible outlier.
Given that you mentioned a new computer, it is even more likely that this is due to an incorrectly set system clock.
Reset/synchronize your system clock and the error should disappear.
Reference [1]: https://security.stackexchange.com/q/72866/47422
Here are my email related dev_appserver options:
--smtp_host=smtp.gmail.com --smtp_port=25 --smtp_user=me#mydomain.com --smtp_password="password"
Now, this still doesn't work and every time Google release a new dev_appserver I have to edit api/mail_stub.py to get things to work locally as per this S/O answer.
However, even this workaround has now stopped working. I get the following exception:
SMTPSenderRefused: (555, '5.5.2 Syntax error. mw9sm14633203wib.0 - gsmtp', <email.header.Header instance at 0x10c9c9248>)
Does anyone smarter than me know how to fix it?
UPDATE
I was able to get email to send on dev_appserver by using email addresses (eg. for sender and recipient) in their 'plain' format of a simple string (name#domain.com) rather than using the angle bracket style (Name <name#domain.com>). This is not a problem in production: recipients and sender email addresses can use angle brackets in the mail.send_mail call. I raised a ticket about this divergent behaviour between dev_appserver and production: https://code.google.com/p/googleappengine/issues/detail?id=10211&thanks=10211&ts=1383140754
Looks like it's because the 'sender' is now stored as a "email.header.Header" instance in the dev server instead of a string (since SDK 1.8.3 I think).
From my testing, when a 'From' string like "Name " is passed into smtplib.SMTP.sendmail, it parses the string to find the part within angle brackets, if any, to use as the SMTP sender, giving "". However, if this parameter is an "email.header.Header", then is just converts to string and uses it without further parsing, giving ">", thus causing the problem we're seeing.
Here's the patch I just posted on the issue tracker to google/appengine/api/mail_stub.py to convert this parameter back to a string (works for me):
--- google/appengine/api/mail_stub-orig.py 2014-12-12 20:04:53.612070031 +0000
+++ google/appengine/api/mail_stub.py 2014-12-12 20:05:07.532294605 +0000
## -215,7 +215,7 ##
tos = [mime_message[to] for to in ['To', 'Cc', 'Bcc'] if mime_message[to]]
- smtp.sendmail(mime_message['From'], tos, mime_message.as_string())
+ smtp.sendmail(str(mime_message['From']), tos, mime_message.as_string())
finally:
smtp.quit()
Another alternative is to patch the SMTP server that you use for testing the app engine mail functionality in your dev environment (instead of patching mail_stub.py).
For example, I'm using subethasmtp Wiser and was able to work around this issue by patching org.subethamail.smtp.util.EmailUtils.extractEmailAddress to accept nested angle brackets (details posted here).
We are having Silverlight application which shows live data from the service onto the client.
Over a period of time we see that application gets hung and on refresh the IE crashes with with the error message saying internet has stopped working.\
On taking the dump and analyzing it using debugdiag we found that the callstack of it shows,
0x00000000
npctrl!ComAutomationCheckCrossApartmentAccess+d079
mshtml!ReleaseInterface+a
mshtml!CAttrArray::FreeSpecial2+e4
mshtml!CMarkup::BreakAASpecial+f
mshtml!CMarkup::BreakCircularMemoryReferences+eb
mshtml!CMarkup::UnloadContents+36f
mshtml!CMarkup::TearDownMarkupHelper+53
mshtml!CMarkup::TearDownMarkup+54
mshtml!COmWindowProxy::SwitchMarkup+5c5
mshtml!CMarkup::SetInteractiveInternal+134
mshtml!CMarkup::RequestReadystateInteractive+6c
mshtml!CMarkup::BlockScriptExecutionHelper+162
mshtml!CHtmPost::Exec+418
mshtml!CHtmPost::Run+15
mshtml!PostManExecute+1fd
mshtml!PostManResume+f8
mshtml!CHtmPost::OnDwnChanCallback+10
mshtml!CDwnChan::OnMethodCall+19
mshtml!GlobalWndOnMethodCall+104
mshtml!GlobalWndProc+183
user32!InternalCallWinProc+28
user32!UserCallWinProcCheckWow+150
user32!DispatchMessageWorker+306
user32!DispatchMessageW+f
ieframe!CTabWindow::_TabWindowThreadProc+54c
ieframe!LCIETab_ThreadProc+2c1
iertutil!CIsoScope::RegisterThread+ab
kernel32!BaseThreadStart+37
We are not able to analyze this any further as it does not give a meaningful analysis.
What is npctrl.dll and why it? Why is it giving ComAutomationCheckCrossApartmentAccess error?
Hello everyone and thanks up front for your time,
I am working on a java-based GAE web application and now and then I get ApiProxy.ApplicationExceptions.
In the current case they appear randomly and come with the applicationError 108 when I open a write channel to a blob using the (yes I know, still experimental) FileStore API. Although the API is still in an experimental state, I'd like to handle the thrown exception correctly. Thus my question:
Where can I find a list of possible application errors including their descriptions?
As of right now it is not possible for me to figure out where the problem resides since the thrown exception does not contain something like a message, hint or reason phrase but only the error ID 108:
Caused by: com.google.apphosting.api.ApiProxy$ApplicationException: ApplicationError: 108:
at java.lang.Thread.getStackTrace(Thread.java:1495)
at com.google.apphosting.runtime.ApiProxyImpl.doSyncCall(ApiProxyImpl.java:240)
at com.google.apphosting.runtime.ApiProxyImpl.access$000(ApiProxyImpl.java:66)
at com.google.apphosting.runtime.ApiProxyImpl$1.run(ApiProxyImpl.java:183)
at com.google.apphosting.runtime.ApiProxyImpl$1.run(ApiProxyImpl.java:180)
at java.security.AccessController.doPrivileged(Native Method)
at com.google.apphosting.runtime.ApiProxyImpl.makeSyncCall(ApiProxyImpl.java:180)
at com.google.apphosting.runtime.ApiProxyImpl.makeSyncCall(ApiProxyImpl.java:66)
at com.googlecode.objectify.cache.TriggerFutureHook.makeSyncCall(TriggerFutureHook.java:154)
at com.google.apphosting.api.ApiProxy.makeSyncCall(ApiProxy.java:107)
at com.google.apphosting.api.ApiProxy.makeSyncCall(ApiProxy.java:56)
at com.google.appengine.api.files.FileServiceImpl.makeSyncCall(FileServiceImpl.java:584)
... 65 more
Also, the corresponding javadoc is quite conservative with giving information: https://developers.google.com/appengine/docs/java/javadoc/com/google/apphosting/api/ApiProxy.ApplicationException
Currently I bluntly cancel these requests with a 500, but since I am not sure what has happened I should probably do something else/more.
Thanksalot!
the best information I could get is from the Python source code :
http://code.google.com/p/googleappengine/source/browse/trunk/python/google/appengine/api/files/file_service_pb.py
I am trying to adopt databasedotcom gem, but couldn't get beyond the authentication. Here is what I did (after installing databasedotcom gem):
rails c (or irb then require 'databasedotcom')
client=Databasedotcom::Client.new :client_id => 'foo', :client_secret=>'bar'
client.ca_file = '/Users/tjiang/missioncontrol/tmp/ca-bundle.crt'
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.authenticate :username=>'myusername', :password=>'mypassword'
All credentials are copy-and-pasted in the process so no mistake there; the certificate was downloaded here: http://certifie.com/ca-bundle/ca-bundle.crt.txt
I tried Ruby 187 and 193 as well as inside and outside Rails, repeatedly, but always got this error message:
Databasedotcom::SalesForceError: authentication failure from /Library/Ruby/Gems/1.8/gems/databasedotcom-1.3.0/lib/databasedotcom/client.rb:112:in `authenticate'
I wonder what I have missed here? Particularly, I am concerned about the Callback URL I used when creating a Remote Access in Salesforce (I tried 'oob', 'http://localhost:3000', and 'https://www.salesforce.com', but none made any difference).
It turns out this is due to a bug in databasedotcom. When you use username and password to authenticate, it puts them into an url query string WITHOUT encoding and POST a request with that url. As a result, the plus sign in my username will be interpreted as a blank space.
Solution: CGI::escape() both your username and password.