[SAC] more spammer accounts

New list of spammers, hitting mainly ossim:

+('8004392949'),
+('karmmsee25885'),
+('mozillaeight'),
+('mozillasix'),
+('skyp'),
+('maahicool'),

What happened to the old list ?
Were the accounts blocked at the LDAP side ?

I could improve the fail2ban spam regexp but any change requires
a reload and a reload unbans all already-banned IPs. If you know
how to reload a jail w/out losing the bans I'll be more aggressive
on banning.

--strk;

And:

+('8004392949'),
+('andrusmith4'),
+('chromenine'),
+('chrometen'),
+('forprabhat4'),
+('googleone'),
+('googletwo'),
+('karmmsee25885'),
+('mozillafour'),

--strk;


On Fri, May 06, 2016 at 08:35:19PM +0200, Sandro Santilli wrote:

New list of spammers, hitting mainly ossim:

Disabled.

What happened to the old list ?

Disabled last night - shortly before I fell asleep.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On May 6, 2016 8:48 PM, "Martin Spott" <Martin.Spott@mgras.net> wrote:

On Fri, May 06, 2016 at 08:35:19PM +0200, Sandro Santilli wrote:

Disabled last night - shortly before I fell asleep.

How about writing the account names into a text file on a server and read from there via Cron job? Then remove the processed text file?

Markus

On Fri, May 06, 2016 at 09:10:23PM +0200, Markus Neteler wrote:

How about writing the account names into a text file on a server and read
from there via Cron job? Then remove the processed text file?

Automagically writing into a file sounds good to me.
Unattended manipulation of our LDAP directory .... mmmh, that's pretty
sensitive, something I'd prefer to avoid.

Cheers,
  Martin.

On Fri, May 06, 2016 at 09:25:21PM +0200, Martin Spott wrote:

On Fri, May 06, 2016 at 09:10:23PM +0200, Markus Neteler wrote:

> How about writing the account names into a text file on a server and read
> from there via Cron job? Then remove the processed text file?

Automagically writing into a file sounds good to me.

At the moment, all trac spammer accounts are being stored
in /osgeo/tools/trac/emergency_clean.sql and can be extracted
with this command:

grep '^(' /osgeo/tools/trac/emergency_clean.sql |
  sed -e "s/^('\(.*\)').*/\1/"

Unattended manipulation of our LDAP directory .... mmmh, that's pretty
sensitive, something I'd prefer to avoid.

How about only allowing a very specific manipulation ?
A script could extract that list, remove any name from
a known list (SAC members) and set the accounts disabled
in a lossless way (in a way that's easy to re-enable without
having to change the password).

--strk;
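An added example, not code from the thread or from OSGeo's own tooling, of the restricted script strk sketches above: it reuses the thread's grep/sed extraction, strips an allowlist of SAC members, and writes LDIF that locks each remaining account through OpenLDAP's ppolicy attribute so it can be re-enabled with its password intact. The base DN, the ppolicy overlay, the file names and the sample input are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or OSGeo's tools): lock the trac spammer
# accounts listed in emergency_clean.sql without touching their passwords.
# Assumptions: OpenLDAP with the ppolicy overlay (pwdAccountLockedTime is
# honoured), accounts live under a hypothetical ou=People,dc=osgeo,dc=org,
# and uids contain only plain characters (no LDAP DN escaping is done).
BASE_DN="${BASE_DN:-ou=People,dc=osgeo,dc=org}"

# The same grep/sed pipeline quoted in the thread: lines like ('dheeru54'),
# become bare account names.
extract_names() {
  grep '^(' "$1" | sed -e "s/^('\(.*\)').*/\1/"
}

# Drop every name found in the allowlist (one uid per line, e.g. SAC
# members) so a stray entry in the spam list can never lock an admin.
# -x -F: whole-line, literal matches only.
filter_allowlist() {
  extract_names "$1" | grep -v -x -F -f "$2"
}

# Emit one LDIF modify record per remaining account. 000001010000Z is the
# ppolicy value for "locked until an admin intervenes"; re-enabling is
# "delete: pwdAccountLockedTime", so the original password survives.
lock_ldif() {
  filter_allowlist "$1" "$2" | while IFS= read -r name; do
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$name" "$BASE_DN"
    printf 'replace: pwdAccountLockedTime\npwdAccountLockedTime: 000001010000Z\n\n'
  done
}

# Constructed sample input standing in for the real files on the server.
make_sample() {
  dir=$(mktemp -d)
  printf "INSERT INTO spammers VALUES\n('dheeru54'),\n('strk'),\n('kunjk'),\n('gmail6');\n" \
    > "$dir/emergency_clean.sql"
  printf 'strk\nneteler\n' > "$dir/sac_members.txt"
  echo "$dir"
}

# Stand-alone run: print the LDIF that would be piped into ldapmodify.
sample=$(make_sample)
lock_ldif "$sample/emergency_clean.sql" "$sample/sac_members.txt"
```

The output is meant to be reviewed and then fed to ldapmodify by hand; nothing here touches the directory unattended.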

More spammers:

+('dheeru54'),
+('dinesh03'),
+('gmail6'),
+('gorimsee'),
+('kunjk'),
+('mozillafive'),
+('saurav109'),
+('sunajeeeebur'),

And I'm not sure the one below was also cleaned.
Finally, another name which is still available is here:
https://trac.osgeo.org/osgeo/ticket/1121#comment:8

--strk;


And:

+('manishpalle'),


And:

+('gmail7'),
+('gmail8'),

How's the email confirmed registration work going on ?

--strk;


Hi Martin

(it would be great to enable a second person to quickly remove
spammers, currently trac is being bombed with spam!
See for example: https://trac.osgeo.org/grass/timeline )

I use this funny syntax which I found in previous emails:

+('amit932810085'),
+('dheeru55'),
+('dhiman'),
+('harsh145'),
+('keshav'),
+('kumartinkusingh08'),
+('kunjkn'),

PLEASE drop these spammers from our system!

thanks,
Markus

Moggeeen !

On Wed, May 11, 2016 at 07:20:49PM +0200, Markus Neteler wrote:

(it would be great to enable a second person to quickly remove
spammers,

Every primary admin can do.

PLEASE drop these spammers from our system!

Done.

BTW, there are still 20175 user accounts on OSGeo LDAP and I'd guess
that approx. 95 % are dummy/spam accounts. By removing accounts in
small chunks of 5 to 20 I doubt that we'll be able to silence this
spamming within a reasonable time frame.

Instead I'd recommend to announce setting random passwords onto *all*
OSGeo LDAP accounts - except those whose owners explicitly ask for an
exception. And those who don't within 9 months will get removed
entirely.

Just an idea, feel free to object - but, those who do, please suggest a
viable alternative, don't just let others suffer from your principles.

Cheers,
  Martin.

On Wed, May 11, 2016 at 07:39:44PM +0200, Martin Spott wrote:

Moggeeen !

On Wed, May 11, 2016 at 07:20:49PM +0200, Markus Neteler wrote:

> (it would be great to enable a second person to quickly remove
> spammers,

Every primary admin can do.

I just found out anyone with sudo powers on the "web" host can also do it.

Markus, are you in that team ? Instructions to delete a user:
https://wiki.osgeo.org/wiki/SAC:LDAP#Editing_the_LDAP_database

BTW, there are still 20175 user accounts on OSGeo LDAP and I'd guess
that approx. 95 % are dummy/spam accounts. By removing accounts in
small chunks of 5 to 20 I doubt that we'll be able to silence this
spamming within a reasonable time frame.

Agreed.

Instead I'd recommend to announce setting random passwords onto *all*
OSGeo LDAP accounts - except those whose owners explicitly ask for an
exception. And those who don't within 9 months will get removed
entirely.

Sending the new password to the registered email ?
Were those email addresses ever confirmed at registration time ?
If they weren't, I guess we should be asking for confirmation
shall we contact them all. Something like: click on this link
within X days or your account will get blocked. Could something like
this be set in place ?

--strk;

On Wed, May 11, 2016 at 07:20:49PM +0200, Markus Neteler wrote:

spammers, currently trac is being bombed with spam!
See for example: https://trac.osgeo.org/grass/timeline )

I noticed you're still keeping score of authenticated users to 20:
https://trac.osgeo.org/grass/admin/spamfilter/config

I reduced it to 0 now, so authenticated users are not considered
any special, as well as "SessionFilterStrategy".

I hope it'll be better now.

(and I removed lots of spam)

--strk;

On 05/11/2016 10:56 AM, Sandro Santilli wrote:

Sending the new password to the registered email ?
Were those email addresses ever confirmed at registration time ?
If they weren't, I guess we should be asking for confirmation
shall we contact them all. Something like: click on this link
within X days or your account will get blocked. Could something like
this be set in place ?

--strk;

They were never confirmed, but once we create an email confirmation
flow, yes we could ask all existing users to confirm their accounts. I
do not want to bulk reset everyone before that mechanism exists
(hesitant to do so anyways).

Was the user registration re-enabled?

Thanks,
Alex

On Wed, May 11, 2016 at 07:39:44PM +0200, Martin Spott wrote:

Also:

+('kunjkn'),
+('gmail10'),
+('gmail11'),
+('gmail9'),

--strk;

On Wed, May 11, 2016 at 11:40:52AM -0700, Alex M wrote:

On 05/11/2016 10:56 AM, Sandro Santilli wrote:

> Were those email addresses ever confirmed at registration time ?

They were never confirmed, but once we create an email confirmation
flow, yes we could ask all existing users to confirm their accounts. I
do not want to bulk reset everyone before that mechanism exists
(hesitant to do so anyways).

+1 -- so we need the email confirmation. What's the plan ?
Shall we set a bounty ?

Was the user registration re-enabled?

Not to my knowledge, no. You can check it here:

  https://www.osgeo.org/cgi-bin/ldap_create_user.py

The recent spam storm came from these guys (with creation timestamp):

  gmail10: 20160430221817Z
  gmail11: 20160430221921Z
  gmail9: 20160430221726Z

--strk;

On Wed, May 11, 2016 at 8:36 PM, Sandro Santilli <strk@keybit.net> wrote:

On Wed, May 11, 2016 at 07:20:49PM +0200, Markus Neteler wrote:

spammers, currently trac is being bombed with spam!
See for example: https://trac.osgeo.org/grass/timeline )

I noticed you're still keeping score of authenticated users to 20:
https://trac.osgeo.org/grass/admin/spamfilter/config

oh oops. I didn't have time to study these parameters... life is
intensive here at time.

I reduced it to 0 now, so authenticated users are not considered
any special, as well as "SessionFilterStrategy".

Super.

I hope it'll be better now.

(and I removed lots of spam)

Wonderful, excellent!!

thanks for that,
Markus

On Wed, May 11, 2016 at 7:39 PM, Martin Spott <Martin.Spott@mgras.net> wrote:

On Wed, May 11, 2016 at 07:20:49PM +0200, Markus Neteler wrote:
BTW, there are still 20175 user accounts on OSGeo LDAP and I'd guess
that approx. 95 % are dummy/spam accounts. By removing accounts in
small chunks of 5 to 20 I doubt that we'll be able to silence this
spamming within a reasonable time frame.

Instead I'd recommend to announce setting random passwords onto *all*
OSGeo LDAP accounts - except those whose owners explicitly ask for an
exception. And those who don't within 9 months will get removed
entirely.

Yes please.
Because the current method will drive me away from SAC soon while I am
only able to do a fraction of what you guys do at time!

I'm sure that the real users will understand this counter measure.

It does not make sense to continue with the polluted LDAP DB like this.

cheers
Markus

On Wed, May 11, 2016 at 8:41 PM, Sandro Santilli <strk@keybit.net> wrote:

On Wed, May 11, 2016 at 07:39:44PM +0200, Martin Spott wrote:

Also:

+('kunjkn'),
+('gmail10'),
+('gmail11'),
+('gmail9'),

Better all gmail[numbers]

In addition;

+('somsnjkeeese'),
+('anonymous'),

Markus

On Wed, May 11, 2016 at 10:56:40PM +0200, Markus Neteler wrote:

On Wed, May 11, 2016 at 8:41 PM, Sandro Santilli <strk@keybit.net> wrote:
> On Wed, May 11, 2016 at 07:39:44PM +0200, Martin Spott wrote:
>
> Also:
>
> +('kunjkn'),
> +('gmail10'),
> +('gmail11'),
> +('gmail9'),

Better all gmail[numbers]

Yes, up to gmail36 do exist.

In addition;

+('somsnjkeeese'),

This was known already

+('anonymous'),

This one does not exist in LDAP, could be an attempt
from a non-authenticated TRAC user to create a wiki page.
Maybe spam-filter also considers those attempts...

--strk;