homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

spammer issues - multiple IP addresses

 5:42 am on Jan 31, 2010 (gmt 0)

I am curious if anyone can help answer a question related to a spammer on our site who continues to change his IP address. I cannot understand how this person can so quickly change his/her IP address. For example, he creates an account (i can spot it as a spammer based on the username chosen), I ban the account, within a couple of minutes, he's back, creating a new account, this time with a completely different IP address. In the last 24hrs. he has created 15 accounts, all with different IP addresses from around the US on different hosts. How is this possible and are their any solutions?

I am using PHP $REMOTE_ADDR for the IP.




 8:17 am on Jan 31, 2010 (gmt 0)

How do you know it is the same person opening the accounts? I get hundreds of bogus account creation attempts on my forums per day from IPs all over the world. Most are by automated bots which use infected PCs around the globe.


 9:23 am on Jan 31, 2010 (gmt 0)

Use a captcha to verify that accounts are being created by a human being. Email a confirmation link that requires clicking before they can post.

You will never stop human spammers creating new accounts but yous should be able to filter out the bots.

Creating multiple accounts through different IPs is easy enough. I am sitting in a friend's house in London and, in a few minutes, As well as using my friend's broadband connection I could also use my own mobile connection and two unprotected wireless connections within range.


 7:18 pm on Jan 31, 2010 (gmt 0)

First . . . define "on our site." Message board, contact form, account registration form?

A basic premise: spammers always want something. If you can figure out what those motivations are, and take away the motivations, they will move on to greener pastures, which is the best we can hope for.What I mean by this will become apparent.

IME a Captcha only provides temporary relief, and they **can** be broken by bots, I've seen it happen in a vBulletin install. If it's a message board, by all means, use the captcha, but you should also be able to add a custom field. Second, like it or not, moderate signups.

In a message board environment, they want to get in and start dropping spam links. If you moderate, spammers will figure you're too much trouble and will delete their posts anyway.

If it's **anything else** - a contact form, account registration form **any** input form, especially if it results in an email being sent - it gets easier.

Most of these attacks have a certain "flavor" to them - they want to link drop. They will use standard links, encoded links, BBcode style links, but you can identify it easily. Step 1 is to log all input coming from your forms. Open a test file in a private location, write the raw input to it, review it often. This is required to get the exact pattern of what they are up to.

Step two is to accept only what you want, throw everything else away, then build a list of common patterns to trigger an exit if those patterns are found. On exit, just a simple message: "invalid input found, no email was sent. Action logged."

This simple method will stop most of them; they will give up and realize they are wasting time on you.

I have never had to resort to a Captcha, creating a barrier for your users should be an absolute last resort.

Two cents on IP's: for spammers, they are likely compromised computers/servers, but for many legitimate users, their ISP dynamically changes the IP as needed.


 4:50 pm on Feb 1, 2010 (gmt 0)

The site is used to sell vehicles. The spammer in question used a stolen credit card to list phony vehicles for sale in hopes of securing a deposit to hold a vehicle he/she doesnít own.

I know it was the same spammer because each time they used the same credit card to pay for the transaction. Yet each account created used a different email address and each account had a different IP.

There is no doubt a tool must exist that these spammers are using to mask their IP. Maybe it is hush-hush, and of course for good reason, but as more and more of them use this method it increases the work-load on us site-admins to authenticate TRUSTED users....


 6:03 pm on Feb 1, 2010 (gmt 0)

If they are not using "always on" dsl ..all they have to do to get a new Ip asigned by their ISP is to switch off their router for between 20 seconds and two minutes and then switch it back on again ..the disconnect ( at their ISP ) will trigger allocation of a new IP to their router or modem..

Nothing "hush hush" there :)

..Just basic old school netcraft ( frequently used as a way around download sites that limit how many times one can connect and download from the same IP ) ..

If the "target site" drops a "timed" cookie then they just flush cookies as their IP gets re-assigned ..

If you know the card is stolen ..tell the law enforcement service where you are ..they or you can log the IP's ..and then they can find from the ISP who and where the logins are coming from ..and "visit" :)

The fact that you say you "know" the card is stolen means you may even get into some trouble yourself if you didn't tell the law ..CYA


 6:15 pm on Feb 1, 2010 (gmt 0)

each time they used the same credit card to pay for the transaction.

BANG. You got 'em. Ban the credit card number on submit, this would be far more reliable than banning by IP, which may cut out a lot of legitimate users.

a tool must exist that these spammers are using to mask their IP.

Or a set of them . . . as said, compromised servers or compromised computers. They'll never do this if there's the slightest chance they could be tracked, when you ban a spammer's IP, you're banning Joe Schmoe who doesn't even know he's been hacked.


 7:25 pm on Feb 1, 2010 (gmt 0)

Just basic old school netcraft

Actually I have observed from the available wifi connections that my PC finds that a lot of people unplug their routers when the PC is not in use, so seldom the same IP.

I suspect that there is no fancy stuff with compromised machines, just a handful of dodgy sim cards and a mobile connection.


 8:00 pm on Feb 1, 2010 (gmt 0)

I greatly appreciate all the responses! Our site gets no end of the fraud. Itís unfortunate that even our local PD will not take some time to help track down these crooks, we have tried to convince them!

I have written down 15 different IP addresses from this spammer. I ran them all through DNSSTUFF.com and to my amazement they ALL come back to different hosts/isp's ALL in different parts of the country. No 2 are the same.

I know itís hard to believe that this spammer is the same person but itís not the first time we have dealt with him/her either. This spammer has the same MO or traits, vehicles, prices, time of day, etc...

He is good at staying hidden but even the best leave a small trail to follow....


 8:37 pm on Feb 1, 2010 (gmt 0)

I have written down 15 different IP addresses from this spammer. I ran them all through DNSSTUFF.com and to my amazement they ALL come back to different hosts/isp's ALL in different parts of the country. No 2 are the same.

So he's using public or private proxies or TOR ..

You are going to have to use rocknbils "block the card" approach ..or multi stage account approvals as suggested in other posts above ..

You could also use flash cookies ..he may not know how to sanitize his machine in relation to them ..Presumably he always uses the same OS and the same browser / machine combo ?


 11:02 am on Mar 1, 2010 (gmt 0)

I have the same problem. Do have captcha and think that the spammer is doing this by hand. What is a flash cookie? Is this a blackhat thing?


 1:34 pm on Mar 1, 2010 (gmt 0)

Flash cookies are cookies from the Flash Player. They are stored in a different location than your default cookies and are therefore often overlooked when cleaning the cookies in your Internet cache.

Technically spoken they are not a blackhat thing and are used by many reputable websites. But there are discussions going on about them regarding privacy issues, because there is no straightforward method in mainstream browsers to easily show, block, accept or remove them.


 9:00 pm on Mar 1, 2010 (gmt 0)

We have a problem with a "reputation management" spammer. He is posting AGAINST rep management companies. He changes his IP daily. We decided to just block his town for now via Geo-ip tools. So far so good, but unfortunately no one else from his town can use our site.

Considering how much of our time and resources he was wasting, we'll take that hit.

Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved