Topic: SOLVED: inability to log into forum - false positives vs blacklisted: on security

vjeko

  • Guest
i just somehow knew you were going to say that ;)

note that my means of access to web are directly related to windows use only, and that generates one type of logs and one range of IP addresses.

never mind, let us make me statistic case 1, and not act on it.

im sure the statistic cases will grow in time

imagine what happens when a complete linux newcomer comes here to explore, manages to get in and gets blown to bits, having access denied and having done nothing wrong?

id scratch and make a (non allowed in here) objection, and most probably would head for mac shop, to say the least ;)

Offline Neal ManBear

  • Administrator
  • Super Villain
  • *****
  • Posts: 15845
  • LXDE! Coffee, Bacon and Cheesecake!
Quote
i just somehow knew you were going to say that ;)

note that my means of access to web are directly related to windows use only, and that generates one type of logs and one range of IP addresses.

"....related to windows use only....." That's the thing, as I've already said.

Quote
never mind, let us make me statistic case 1, and not act on it.

im sure the statistic cases will grow in time

imagine what happens when a complete linux newcomer comes here to explore, manages to get in and gets blown to bits, having access denied and having done nothing wrong?

id scratch and make a (non allowed in here) objection, and most probably would head for mac shop, to say the least ;)

Your logic is flawed. You assume that failures with your windows box means failures from all users on all OSes. Drawing conclusions from your assumptions, you postulate a situation where new users fail to log in. The evidence available does not support your claims.


Offline Texstar

  • Administrator
  • Super Villain
  • *****
  • Posts: 12505
We use http://www.stopforumspam.com/ and http://www.projecthoneypot.org/search_ip.php. You may wish to check your ip address against those sites and notify your provider so they can take action if listed. I'm really sorry to hear you are having problems. We had problems too with spammers attacking our site, finally getting into the server and using it to scan other computers. There isn't an easy solution for either one of us at this time especially with your ip address bouncing around through various numbers according to our login logs.


« Last Edit: October 02, 2010, 09:36:13 AM by Texstar »

Thanks to everyone who donates. You keep the servers running.

Online Old-Polack

  • Administrator
  • Super Villain
  • *****
  • Posts: 11561
  • ----IOFLU----
Quote
question for you:
how do i ask my ISP to get me a specific non spammers IP numerous times in a row on daily basis (on each new dial in i get new IP and theyre all spammers?) since i cant get a static IP (i can but no point in paying for that)

what is your reference of "spammers" IP addresses, where do you get those, is it inhouse (like fail2ban stuff with quite a big timeout) generated list or something else?

the logs show what theyre set to show/activate an action, but the interpretation of results (cause and effect) is not necessarily easy/straightforward.

btw, i have no power of setting my IP to a specific address, and youre aware of the address range of a single ISP.

denial of access happens only while using windows, firefox as web browser, and only if the browser/system crashes, not earlier.

id be grateful if i got to know the reason of this (dont think its the windows thing, clearing the cache, rebooting windows, acquiring new IP, trying to connect gives ACCESS DENIED)

thanks

Maybe your Windows installation is compromised, and part of a bot net. Your Windows system could be the spammer screwing up all your ISP's IP addresses. That is a very distinct possibility, and one more reason the bans are set the way they are, and will stay that way.

We have hundreds of people having no problem registering and logging in daily. We have one individual trying to log in using known spammer addresses, of a sufficient quantity to be a burden to him. That's you.

If you have a static IP, you are responsible for your own actions while on line. If you don't misbehave, your IP address stays clean, doesn't appear on any spam lists and you don't get blocked. There is your obvious solution, but you see no point in paying for that. Under those circumstances you will just have to put up with the situation as is.
Old-Polack

Of what use be there for joy, if not for the sharing thereof?



Lest we forget...

vjeko

  • Guest
Re:PARTIALLY SOLVED-inability to log in to forum-security flags-
« Reply #19 on: October 02, 2010, 10:09:07 AM »
thanks tex, that was a charm, will bring it to a higher level here local.

the only reason i dont use the 3g stick with linux is that i dont trust the ISP with the billing scheme, thus using the ISP provided application, as "embedded" on the stick- i know of the linux tools, scripts, AT settings but choose not to use it cause any experimenting going wrong would prove rather expensive.

both links bookmarked

i shall mark this thread as PARTIALLY SOLVED, since random overlap of reported IP addresses against a legitimate user randomly having been assigned his IP by user's ISP is whats raising the flags.

partially since i still have no explanation why i had "V, you were BANNED from using this forum" this morning, and im still here, so it must have been automatic and someone has checked on my behalf (thank you) that it was a false auto ban ;), to clarify even more, ive checked the IP of my posts, as logged by the forum as of this morning against the forum spammers list, and havent found anything- no reference of previous offence recorded, but ive been using the proxy, but am really puzzled why the system generated auto ban after roughly an hour of me browsing the forum.

thanks all


edit: i shall double check that im not part of the bot (not intentional, at least, thanks for accusing ;) ), and i shall try the second fresh win install, which was never used on line.

im aware that who wants trouble will get trouble, i certainly dont want it
« Last Edit: October 02, 2010, 10:18:19 AM by V »

Neal ManBear
Quote
.....have no explanation why i had "V, you were BANNED from using this forum" this morning....

Using a banned IP would do that. The response would be generated using the name you were trying to log in with.


vjeko

  • Guest
there is one small thing, though.

i checked using the link provided by tex few of the IPs which were logged by this forum from my previous posts/profile while using the 3g stick under windows, what i noticed is that (of course), there was overlapping with the OP's IP logs saying spammer:

but not with the same result



2xx.15.1xx.1xx came clean from "stop forum spam", while pclos forum server reported it as spammer

any ideas?

(i hope the pic went thru, never attached any before, sorry)

thanks
« Last Edit: October 02, 2010, 07:38:09 PM by V »

Old-Polack
Quote
there is one small thing, though.

i checked using the link provided by tex few of the IPs which were logged by this forum from my previous posts/profile while using the 3g stick under windows, what i noticed is that (of course), there was overlapping with the OP's IP logs saying spammer:

but not with the same result



212.15.173.188 came clean from "stop forum spam", while pclos forum server reported it as spammer

any ideas?

(i hope the pic went thru, never attached any before, sorry)

thanks



212.15.173.188 [Spam Server]

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server.

Geographic Location   Croatia
First Received From    approximately 1 month, 3 weeks ago
Last Received From    within 1 month, 3 weeks
« Last Edit: October 02, 2010, 11:16:55 AM by old-polack »
Old-Polack


genomega

  • Guest
Quote
there is one small thing, though.

i checked using the link provided by tex few of the IPs which were logged by this forum from my previous posts/profile while using the 3g stick under windows, what i noticed is that (of course), there was overlapping with the OP's IP logs saying spammer:

but not with the same result



212.15.173.188 came clean from "stop forum spam", while pclos forum server reported it as spammer

any ideas?

(i hope the pic went thru, never attached any before, sorry)

thanks



212.15.173.188 [Spam Server]

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server.

Geographic Location   Croatia
First Received From    approximately 1 month, 3 weeks ago
Last Received From    within 1 month, 3 weeks



I use this site for managing my server blacklist. It furnishes a lot of details.

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a212.15.173.188

vjeko

  • Guest
was looking at the project honey pot when you posted that (remembered later on that i never crosschecked):

there were 2 (two) mails with strange users with T-COM.HR domain, which is completely DIFFERENT ISP than the 3g ISP im using, namely VIPNET/VODAFONE HR.

those two mails were reported as spam mails within a period of month and a half...


do i need to elaborate more?


for example, if pclos forums were placed into spam folder in ones mailbox, yahoo, gmail, aol, whichever, pclos forum would get on the same list, so i hope you see that still false positives are possible.

its true that its the ISP who has to systematically prevent that happening, but we need to adjust, if possible or find a workaround.

registration links for the ISP in case (T-COM.HR):

https://komunikator.tportal.hr/komunikator/

https://exchange.t-com.hr/Exchweb/bin/auth/owalogon.asp?url=https://exchange.t-com.hr/Exchange/&reason=0

http://www.t-com.hr/privatni/internet/dodatneusluge/

http://www.forum.hr/showthread.php?t=210518

you can use translator to get the meaning, since the links show that all precautions are taken in order to prevent bots, human registration check, in system spam and virus detection, so its quite a low stats imho

the above gets me to a conclusion that most probably there were computers infected and thru mail program (outlook, etc) mail reported as spam were sent.


@genomega: even better report, thanks

i shall most definitely report to them, bringing it to higher level, since this is a systematic trouble and can affect many users


Old-Polack
Quote
was looking at the project honey pot when you posted that (remembered later on that i never crosschecked):

there were 2 (two) mails with strange users with T-COM.HR domain, which is completely DIFFERENT ISP than the 3g ISP im using, namely VIPNET/VODAFONE HR.

those two mails were reported as spam mails within a period of month and a half...


do i need to elaborate more?


the above gets me to a conclusion that most probably there were computers infected and thru mail program (outlook, etc) mail reported as spam were sent.



This may come as a surprise to you, but we know what a spam server is. You are chasing smoke. The only fact that is relevant is that identifiable spam has been sent from this IP address, recently enough that it's considered an active spam server. Whether it has sent 1 or 1000 or more spam mailings is also not relevant. Those are the ones sent to a specific honeypot. There is no way of knowing what else was sent to other addresses, but that also doesn't matter, for our purposes. The equation is very simple;

spam server = banned

Try this, for understanding;

A machine gun is firing from a window, you are hit in the leg, and take cover.

What is not important:

Brand of machine gun used, place of manufacture, supplier of bullets, cost of gun, cost of bullets, size of bullets, how many bullets have been fired in the past, what other windows have been fired from in the past, what other buildings have been fired from in the past, how many bullets missed you and struck somewhere else, the names of the shooter, his wife, and their children.

What is important:

You are being shot at, and have been struck, from this particular window, now.

Solution:

Remove yourself from the line of fire.
Old-Polack


vjeko

  • Guest
well understood, but i thought there would have been a larger level/number of spam sent out from any specific place till its marked as spam server.

ive been checking around to broaden my view of it, and found out the following info/ideas:

any given dynamic ip could and most probably will be blacklisted in near future

it is computer owner/operators duty to secure it, but ISPs to stop the propagation of any possible spam resulting of machine owners security breach

machine owner will be blacklisted for indefinite amount of time since, at one point in time there was another (most probably in case of dynamic ip) machine which was involved in sending spam

being blacklisted with no firm grounds is a bit unfair, so what can we do about it? security has to be tight, but legitimate access should not be denied, right

http://www.uceprotect.net/en/rblcheck.php   has given not reported spam for my present ip, and before i tried logging in to forum (am working using windows now), i checked my ip to see if it was listed. there was insignificant amount of reports, out of few dozen of spam blacklist databases, only a few were tagged. i tried logging in and got in trouble free.

i hope i dont get bsod during time on line, but if i do, i ll repeat the procedure, just to make sure, and without clearing the cookies, try logging in and see what happens- session will be set to 6 hrs for the sake of test.

in case i fail, i ll try using the proxy as i did the other day, but what really bothers me is how come i got the banned note, not a warning that id be banned, but banned straight away. now, that flow of things id like to get to know a bit better, SAFELY, of course, so i dont remain locked outside the building- (just in case it happens so someone can come and save me).

op, i know the security is a complex matter, thanks for giving me lively example, but was thinking that it took bombs and not light breeze to set some up, even though, logically and statistically youre right, but what dont add up is the overall effect. if it were all static IPs, then and only then it would make sense and would work all the way; the way it is set now is a drive by shooting many innocent folks getting scratched and more...

seems i ll have to implement a procedure of my own till this gets sorted out really, just to avoid the inconvenience.

thanks

Neal ManBear
I've already explained the ban message to you.

vjeko

  • Guest
message received neal, thank you

(until i make sure, im quite sceptical, you know the assumption is a mother of all screw ups)

Old-Polack
V:

We do not control which IP addresses get blacklisted; that is handled as a cooperative effort of all the reporting forums using the software. When a forum is spammed, and the spammer is banned, that information is relayed to the main database. From there, that IP is automatically banned on all forums that are part of the cooperating network. As other forums join in the effort more IP addresses get added to the database. We get spammed from bot networks, so we fight back with forum security networks.

With the honeypots, it's much the same. Each spam item received is logged into the database, and the IP tagged. Experience shows that the bots spamming forums and email are connected. What shows up in one database, will eventually show up in the other.

This is serious business for those who run these forums. We do not wait to see how much damage a single spammer can cause, before making a decision. The order of the day is shoot on sight. It takes exactly one reported spamming incident to be placed in the database, and hopefully that one will be the last. If it's not, we tighten the noose any way possible.

Like any war, there will be collateral damage, and that's unfortunate, but can't be helped. The alternative is to give up, let the spammers win, and have no forum at all. That's not going to happen on my watch.   ;)

Accept that this is the situation you are caught up in. It is not personal, it's just how things are. All the arguing in the world won't change it.
Old-Polack

Of what use be there for joy, if not for the sharing thereof?



Lest we forget...
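
The shared-database flow described in the post above, together with the dynamic-IP effect raised earlier in the thread, modelled as an added example (not the forum's software or any poster's code). The class and function names, the `max_age_days` variant, and the 203.0.113.x addresses and dates are constructed assumptions.

```python
from datetime import date

BAN_MSG = "{user}, you were BANNED from using this forum"

class SharedBanDB:
    """Hypothetical stand-in for the cooperative database the post describes."""

    def __init__(self):
        self.listed = {}  # ip -> (reporting site, date of the last report)

    def report(self, ip, source, when):
        # A single reported incident is enough to list the address.
        self.listed[ip] = (source, when)

def login(db, user, ip, today, max_age_days=None):
    """Forum response to a login attempt from `ip`.

    max_age_days=None is the policy stated in the thread: any listing bans.
    A number is an assumed variant in which listings with no report for
    that many days stop blocking.
    """
    hit = db.listed.get(ip)
    if hit is None:
        return "ok"
    _source, last_report = hit
    if max_age_days is not None and (today - last_report).days > max_age_days:
        return "ok"
    # The message carries the name used for the attempt, not the IP's history.
    return BAN_MSG.format(user=user)

def simulate():
    """Constructed scenario: one infected host, then a clean user on the same pool."""
    db = SharedBanDB()
    # 10 Aug: a bot on lease 203.0.113.7 spams another forum, which reports it.
    db.report("203.0.113.7", "forum-b", date(2010, 8, 10))
    today = date(2010, 10, 2)  # 53 days later the ISP hands that lease to user V
    return {
        "reused lease": login(db, "V", "203.0.113.7", today),
        "after redial": login(db, "V", "203.0.113.42", today),
        "reused lease, 30-day expiry": login(db, "V", "203.0.113.7", today, 30),
    }

if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case}: {outcome}")
```

The first two results reproduce what the thread reports: a ban addressed to the login name on a previously listed lease, and a clean login after redialling onto an unlisted one.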