#1 2023-12-20 2:49 pm

GrapheneOS
Member
Registered: 2023-12-18
Posts: 5

Automated cross-forum email confirmation spam attacks

We host the discussion forum for our open source project with Flarum. There's a substantial ongoing attack targeting our forum based on creating accounts with randomized usernames and other people's email addresses. The goal of the attack appears to be targeting many thousands of people by sending them many email confirmations from a bunch of forums. These are some example usernames:

VPK67Z6, PHYDZZ5, OLBW1R3, 8P5E0SB, VYYMZT8, EGKIV9J, Z5SVVOO

If you use Flarum, you should look through your users list from the administration panel for similar randomized usernames. None of the accounts gets activated since their goal appears to be sending people unwanted email confirmation emails. We noticed many emails tied to EU, US and NATO government and intergovernmental organizations. It's a very strange attack. We initially believed someone was trying to specifically harm us by hurting our email reputation, but then we found other people being targeted with the same attack through searching for it.

We expect they target nearly all forums using Flarum. The attack is clearly automated and we found several ways to detect it automatically and block the registrations without any false positives since normal requests made through a browser can never look like theirs.

Every single one of these accounts is created by an IP address from AS35048.

organisation:   ORG-BGL29-RIPE
org-name:       Biterika Grupp LLC
org-type:       OTHER
address:        Zelenograd, korp. 1822, 1-III-3
address:        124489 Moscow
address:        Russian Federation
phone:          +7 495 7773552
abuse-c:        BGL23-RIPE

We've searched for this online and have found other Flarum forums being attacked in the same way. We're curious if other types of forum software are also being targeted. I think it would be nice if other people could confirm this is also happening to them and then Stop Forum Spam could add all of the IP ranges for AS35048 to the toxic list. We've never seen any legitimate traffic from there. We can provide more details privately if that would be helpful. We're not currently reporting these one by one because it's a systemic automated attack and they don't post any spam. None of the accounts is ever activated.

We don't know if Biterika Grupp LLC is involved in the attacks themselves or simply providing hosting that's being used for this. However, it should not be an issue to completely block their AS because they aren't a residential/commercial ISP but rather a hosting provider seemingly mainly used for abuse, unlike a provider like OVH which is mainly used for legitimate content but is used for lots of abuse due to their cheap pricing.

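A way to do the user-list check the post recommends, as an added example in Python that is not GrapheneOS's own filter and not part of Flarum: it flags unactivated accounts whose username has the shape of the ones quoted above (seven uppercase letters/digits, with at least one of each) and tallies the email domains being targeted. The `User` rows are constructed sample data; the columns are an assumption about what a Flarum users table export provides, and real usage would load them from the database.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Shape of the usernames quoted in the post: exactly seven uppercase
# letters/digits. The two lookaheads require at least one letter and at
# least one digit, so ordinary seven-letter handles are not matched.
RANDOM_USERNAME = re.compile(r"^(?=.*[A-Z])(?=.*[0-9])[A-Z0-9]{7}$")


@dataclass(frozen=True)
class User:
    # Assumed columns from a users export: handle, email, activation flag.
    username: str
    email: str
    activated: bool


def looks_randomized(username: str) -> bool:
    """True when the username matches the attack's naming pattern."""
    return RANDOM_USERNAME.fullmatch(username) is not None


def suspicious_accounts(users: Iterable[User]) -> List[User]:
    """Unactivated accounts whose username matches the attack pattern.

    Activated accounts are excluded on purpose: the post notes that none
    of the attack accounts ever completes email confirmation.
    """
    return [u for u in users if not u.activated and looks_randomized(u.username)]


def email_domains(users: Iterable[User]) -> Counter:
    """Count the email domains among the flagged accounts, i.e. who is
    actually receiving the unwanted confirmation mail."""
    return Counter(u.email.rsplit("@", 1)[-1].lower() for u in users)


# Constructed sample rows (hypothetical; not from any real forum).
SAMPLE_USERS = [
    User("VPK67Z6", "press.office@example.int", False),
    User("PHYDZZ5", "mp.office@example.org", False),
    User("OLBW1R3", "press.office@example.int", False),
    User("alice_k", "alice@example.com", True),
    User("ABCDEFG", "bob@example.com", False),    # letters only: not flagged
    User("8P5E0SB", "carol@example.com", True),   # matches shape but activated: not flagged
]


if __name__ == "__main__":
    hits = suspicious_accounts(SAMPLE_USERS)
    for u in hits:
        print(f"{u.username:8} {u.email}")
    print(email_domains(hits).most_common())
```

The activation check matters: a real member who happens to pick a seven-character handle is left alone once they confirm their address, so the report only lists accounts that fit both halves of the pattern described in the post.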
#2 2023-12-21 11:53 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,059

Re: Automated cross-forum email confirmation spam attacks

Some XenForo forums have been attacked as well. I'm seeing reports coming in from those.

There has been a sudden spike in reports from that ASN as well.

https://www.stopforumspam.com/asn/35048

Thanks for not reporting them, as we require email addresses to be validated to stop abuse.

I'm going to look at AS35048 and see what should be done here. It certainly smells bad to me.

#3 2023-12-22 1:48 pm

GrapheneOS
Member
Registered: 2023-12-18
Posts: 5

Re: Automated cross-forum email confirmation spam attacks

Those reports look more like regular spam. We expect most people aren't going to notice the attack we're seeing since they don't make any posts. You might not be getting any reports about it, but if people look at their user list they'll likely find it if they use one of the forum types being attacked.

The attack we're seeing involves them creating an account and then trying to send more emails via repeating email confirmation and using forgot password. We thought it was a targeted attempt to harm our email reputation but we found what looks like similar attacks being discussed elsewhere. It seems more like abusing many different kinds of sites to send people email confirmation and forgot password spam. They may also sign them up for a bunch of mailing lists. It's very strange.

We don't know if they're attacking more than Flarum forums, but they probably are. We blocked the whole AS and also blocked two different quirks from how they create the accounts so it's solved for now, for us, but the requests keep pouring in so they must be creating many thousands of accounts elsewhere.

#4 2023-12-22 1:53 pm

GrapheneOS
Member
Registered: 2023-12-18
Posts: 5

Re: Automated cross-forum email confirmation spam attacks

There are many emails of prominent European politicians, organizations, etc. mixed in with what they use. That makes us think it's something more nefarious. They're even using a bunch of emails from NATO. The emails seem to be real, and most of them clearly do not belong to them. Unclear why they would be doing this. It's a whole lot of effort just to mildly annoy people. Most of the people receiving these are probably classifying them as spam. It hurt the email reputation for our forum quite a lot and is likely hurting others. That's why we initially believed it was an attempt to harm our email reputation, and they definitely did do that. It's unfortunate that many others will not have noticed the attack yet and will be having their emails gradually become non-deliverable because of this.

#5 2023-12-23 6:52 am

Visman
Member
Registered: 2019-12-14
Posts: 6

Re: Automated cross-forum email confirmation spam attacks

@GrapheneOS, why don't you somehow protect the registration form from spam bots? There should be a lot of plugins/extensions for Flarum that are easy to install.

#6 2023-12-23 7:43 am

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799

Re: Automated cross-forum email confirmation spam attacks

In the signatures that I maintain for both CIDRAM and ZB Block, I've been blocking AS35048 since a while back now, for these exact kinds of reasons, plus due to various other kinds of unwanted traffic seen from that network and related networks. For their network, this kind of behaviour is nothing new and nothing unexpected, and I would definitely recommend blocking them outright at as high a level as possible. Maybe at the hardware firewall level, or server firewall level, or failing any of that, you could consider giving CIDRAM a try.

In any case, seeing these kinds of discussions appear is useful, because if anyone was to ever question my decision to include signatures for that ASN in my signature files, discussions such as these can serve as supporting testimony: I can link back to these kinds of discussions, and write to the person questioning the decision, "See? It's not just something decided arbitrarily, and not just making stuff up. These people have encountered the same thing. Read what they wrote. That's why that ASN has been included in the signature files."

So, although not new information to me personally, I appreciate it being shared here. :-)

if Biterika Grupp LLC is involved in the attacks themselves or simply providing hosting that's being used for this

Not entirely sure about that part myself, either. Though, whether they're directly responsible or merely complicit in someone else's ill-intent, it doesn't ultimately make a great deal of difference at our side, IMO. From the perspective of protecting one's own website, forums, etc, the implication is the same: Traffic from their network is problematic and undesirable.

#7 2023-12-24 7:30 am

GrapheneOS
Member
Registered: 2023-12-18
Posts: 5

Re: Automated cross-forum email confirmation spam attacks

@Visman: We can't use most approaches due to being a privacy focused project. We can't use the Stop Forum Spam API since it would go against our privacy policy to query an external server. We download the 30 day data daily and the 1 day data hourly which gets merged together with Tor exit nodes filtered out to permit using Tor since we can tolerate the amount of spam coming via Tor in order to permit using it. Some users run into some of their VPN IPs being blocked which is unfortunate but we can't really do anything about that. We don't currently use the username or email data but we could integrate that too, at least for emails, since it seems to help. We're handling the automated account creation spam with our own filtering to detect it in 3 redundant ways with zero false positives.

We'd like to have a simple unique challenge question at registration and we're waiting for Flarum's new anti-spam module to add it:

https://github.com/FriendsOfFlarum/anti-spam/pull/6

If we had a captcha, it would need to be self-hosted rather than a service. Deterring the spam and other attacks while meeting the privacy expectations of our users is a challenge. It would certainly be easier simply having our web services behind Cloudflare and adding hCaptcha for registration but we can't do that.

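A concrete version of the list handling GrapheneOS describes in the post above (merge the 30-day and 1-day Stop Forum Spam IP dumps, drop current Tor exit nodes so Tor users can still register, and block a whole AS by prefix), as an added example in Python that is not the project's own code. It assumes the dumps and the Tor exit list are plain one-IP-per-line text files; the file contents, the prefixes standing in for the blocked AS, and the test addresses are constructed from documentation ranges, not real data.

```python
import ipaddress
from typing import Iterable, List, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ip_list(text: str) -> Set[IPAddr]:
    """One IP per line; blank lines and '#' comments are ignored and
    malformed lines are skipped rather than aborting the refresh."""
    out: Set[IPAddr] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            out.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return out


def build_blocklist(sfs_30_day: str, sfs_1_day: str, tor_exits: str) -> Set[IPAddr]:
    """Union of the 30-day and 1-day dumps minus the current Tor exit list.

    Removing exits after the union means an exit that is listed by SFS is
    still allowed, which is the trade-off the post describes.
    """
    listed = parse_ip_list(sfs_30_day) | parse_ip_list(sfs_1_day)
    return listed - parse_ip_list(tor_exits)


class RegistrationFilter:
    """Exact-match check against the merged list plus prefix match for
    networks blocked wholesale (e.g. every prefix announced by one AS)."""

    def __init__(self, blocked_ips: Iterable[IPAddr], blocked_prefixes: Iterable[str]):
        self.blocked_ips = set(blocked_ips)
        self.blocked_prefixes: List[ipaddress._BaseNetwork] = [
            ipaddress.ip_network(p, strict=False) for p in blocked_prefixes
        ]

    def is_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if addr in self.blocked_ips:
            return True
        return any(addr in net for net in self.blocked_prefixes)


# Constructed stand-ins for the downloaded files (documentation ranges only).
SFS_30_DAY = "192.0.2.10\n192.0.2.11\n198.51.100.5\n2001:db8::1\n# end of dump\n"
SFS_1_DAY = "192.0.2.11\n198.51.100.7\nnot-an-ip\n"
TOR_EXITS = "198.51.100.5\n198.51.100.200\n"
# Assumption: prefixes the operator chose to block outright, standing in for an AS.
BLOCKED_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]


def default_filter() -> RegistrationFilter:
    """Filter built from the constructed inputs; a cron job would rebuild
    this hourly (1-day dump) and daily (30-day dump) from fresh downloads."""
    return RegistrationFilter(build_blocklist(SFS_30_DAY, SFS_1_DAY, TOR_EXITS), BLOCKED_PREFIXES)


if __name__ == "__main__":
    f = default_filter()
    print(len(f.blocked_ips), "listed addresses after Tor filtering")
    for probe in ["192.0.2.10", "198.51.100.5", "203.0.113.9", "192.0.2.250"]:
        print(probe, "blocked" if f.is_blocked(probe) else "allowed")
```

Because the lists are consumed as files, no per-registration query ever leaves the server, which is the privacy constraint the post gives for not using the Stop Forum Spam API.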
#8 2023-12-24 3:46 pm

BlueEyed Zebra
Member
Registered: 2023-09-27
Posts: 11

Re: Automated cross-forum email confirmation spam attacks

All anti-something projects live off submissions. If people don't get hit by something, then it won't be submitted, but the next one gets hit, even if "protected" by this data (which does not contain that incident).

It is a little bit of work (aggregation takes me 1 day if I really sit on it, else 3 days with time off). Do you know the FireHOL lists? They collect data from other blacklists and bundle them into one place. The biggest ones are their own anonymizer and proxy lists, more than 20 MB each. Look them up, go through the list, download, aggregate, and I hope you are able to use ipset/iptables, because the amount of bad IPs could slow anything down a bit at the server level (directory, worse would be htaccess) and at the PHP level.

I'm using Zap's old ZB Block with the new updates from James; everything is smacked down and accelerated for me. There are a lot of hostnames that should not be used for human browsing. As a regex in the directory it is pretty fast.

Then you might get a little bit more protection. Only problem: all data is outdated every 15 minutes. It is not that much, but you should rewrite everything no later than every 2 months.

,,,^..^(")

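An added example (not from the post above, and not code from the FireHOL or ZB Block projects) of the aggregation step BlueEyed Zebra recommends: several FireHOL-style lists are merged, overlapping and adjacent networks are collapsed, and the result is written out as `ipset restore` input so the kernel does the matching instead of .htaccess or PHP. The list contents are constructed from documentation ranges, and the set name `spamnets` is an assumption.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPNet = ipaddress._BaseNetwork


def parse_cidrs(text: str) -> List[IPNet]:
    """FireHOL-style list: one IP or CIDR per line, '#' comments and blank
    lines ignored, malformed lines skipped."""
    nets: List[IPNet] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def aggregate(lists: Iterable[str]) -> Tuple[List[IPNet], List[IPNet]]:
    """Merge several lists and collapse contained, overlapping and adjacent
    networks. collapse_addresses() only accepts one address family at a
    time, so IPv4 and IPv6 are handled separately."""
    v4: List[IPNet] = []
    v6: List[IPNet] = []
    for text in lists:
        for net in parse_cidrs(text):
            (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def ipset_restore(name: str, nets: Iterable[IPNet], family: str) -> str:
    """Text for `ipset restore`: create the set if missing, then add every
    collapsed network. `-exist` makes the script safe to re-run."""
    lines = [f"create {name} hash:net family {family} maxelem 1048576 -exist"]
    lines += [f"add {name} {net.with_prefixlen} -exist" for net in nets]
    return "\n".join(lines) + "\n"


# Constructed sample lists (documentation ranges; hypothetical contents).
LIST_A = "192.0.2.0/25\n192.0.2.128/25\n# comment line\n"
LIST_B = "192.0.2.5\n198.51.100.0/24\n198.51.100.10\n2001:db8::/32\n"
LIST_C = "203.0.113.64/26\n2001:db8:ffff::/48\nbogus-entry\n"


def build_scripts() -> Tuple[str, str]:
    """Restore scripts for the IPv4 and IPv6 sets built from the sample lists."""
    v4, v6 = aggregate([LIST_A, LIST_B, LIST_C])
    return ipset_restore("spamnets", v4, "inet"), ipset_restore("spamnets6", v6, "inet6")


if __name__ == "__main__":
    v4_script, v6_script = build_scripts()
    print(v4_script)
    print(v6_script)
```

Feed the output to `ipset restore` and reference the set from a single rule such as `iptables -I INPUT -m set --match-set spamnets src -j DROP`; the collapse step is what keeps the set small after three overlapping lists are merged, and since the source lists go stale quickly the script is meant to be re-run from cron rather than maintained by hand.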
Powered by FluxBB
