Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: moodle.org
    • Labels:
      None

      Description

      In order to try and reduce the influx of spammers, I've raised the cloudflare security level up from its usual level of 'low' to high.


          Activity

          poltawski Dan Poltawski added a comment -

          After discussing with Helen, I raised the cloudflare security level to its highest level "I'm under attack"

          poltawski Dan Poltawski added a comment -

          Changed it back to high, after Eloy's complaints

          stronk7 Eloy Lafuente (stronk7) added a comment - - edited

          note: setting it to the "i'm under attack" level caused all phpunit tests to stop working (coz we have some fixture files @ download.moodle.org) and the change was affecting that host too.

          note2: it also broke WS calls from download.moodle.org to moodle.org to get add-ons information for the updates API.

          mspurrier Matthew Spurrier added a comment - - edited

          The 'I'm under attack' setting really shouldn't be used, spammers should be blocked using the application firewall, not shutting down the site.

          I've made a series of adjustments to cloudflare's settings, both to increase performance, and to provide increased security, please let me know if there are any issues.

          (Should probably also note, the web application file has now been changed from off to low, please don't change it to high, it will cause more trouble than it's worth)

          Oh, and for general awesomeness, I've made a change to our error messages, so we don't have standard cloudflare errors anymore, they're all moodle pages

          tsala Helen Foster added a comment -

          Matthew, thanks for your efforts. The custom error message pages sound good, though I've not seen them yet!

          Unfortunately however the spam problem remains really bad - new accounts created every few hours, and although people are reporting the spam forum posts, it's usually after the forum post notifications have gone out.

          mspurrier Matthew Spurrier added a comment -

          The easiest solution to this would be to start blocking people doing it, have we got any documentation on the IPs associated with these automated spam accounts?

          I could potentially increase the web application firewall, but not sure whether that would have a detrimental effect to the rest of the site, and unfortunately you can only set the level on a per site basis and on or off for page rules, which is silly... but oh well...

          tsala Helen Foster added a comment -

          We looked into doing something with IP addresses previously (MDLSITE-2032). I can keep a record of spammer IP addresses for 24 hours to see whether anything can be done with it.

          tsala Helen Foster added a comment -

          Forum spammers in past 48 hours:

          Profile spammers:

          graham.stone Graham Stone added a comment -

          Hi,

          I have just had a strange thing happen to me when trying to post in the 'General Help' Forum, I was directed to another screen where I was required to input the usual annoying mixture of letters but after doing that I received a 502 Gateway Error. Looks like the Spam filter has been set a bit too high and is very annoying as after I got the 502 error not only did my post not get posted but it also lost it meaning that I've now got to go back and re-write it which considering it was quite a long post has resulted in my slight annoyance.

          I understand the problem the Moodle community is currently having with spammers blighting us but IMHO this new protection layer is not suitable and is going to put people off posting if they have to go through it every time and then end up losing their posts because of 502 errors!!

          tsala Helen Foster added a comment -

          Graham, sorry to hear of you losing your post due to a 502 error. I notice from the discussion thread https://moodle.org/mod/forum/discuss.php?d=223566 that you're not the only one.

          I'm reassigning this issue to Matthew and hoping he can look into things soon.

          graham.stone Graham Stone added a comment -

          Thanks Helen, I've just voted for the issue here so hopefully a solution will be found soon

          mspurrier Matthew Spurrier added a comment -

          Okay, I've set the security level to medium (from high), and set the application firewall to low to see how that goes.

          mspurrier Matthew Spurrier added a comment -

          Marking resolved from long long ago in a galaxy far far away

          james.mclean James McLean added a comment -

          I'm not able to access most of moodle.org via Chrome; I receive the "Something seems to be wrong with the Internet. Sorry for the inconvenience! If it continues, try #moodleorg on twitter." error every time I try and access anything that's not on the front page. Usually I am able to get to the login page, fill in my details (via LastPass), then submit will take me to that page.

          From the source of the page it lists some further information (html stripped)

          The owner of this website (tracker.moodle.org) has banned your access based on your browser's signature (a25192e4d5004ce-mh5).

          Ray ID: a25192e4d5004ce
          Timestamp: Fri, 23-Aug-13 04:35:50 GMT
          Your IP address: 130.220.71.25
          Requested URL: tracker.moodle.org/browse/MDL-28449
          Error reference number: 1010
          Server ID: FL_26F5
          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

          Not an IP ban, Firefox works OK on the same PC. Changing the UserAgent in Chrome doesn't change it either.
          Has been a continual issue for the past month. Occasionally, very very occasionally, it will allow me through on a refresh. But, that's worked probably twice, out of hundreds of attempts.
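
Added example, not part of the original comment or of Moodle's or Cloudflare's code: a small parser that turns a pasted block page like the one quoted above into fields for triage and flags whether it is the browser-signature kind. The sample text is constructed (placeholder host, Ray ID, Server ID and a documentation-range IP), and the `kind` and `consistent` labels are assumptions drawn only from the layout shown in this report.

```python
import re
from datetime import datetime, timezone

# Constructed sample mirroring the field layout of the quoted block page.
SAMPLE = """\
The owner of this website (tracker.example.org) has banned your access based on your browser's signature (0123456789abcde-mh5).

Ray ID: 0123456789abcde
Timestamp: Fri, 23-Aug-13 04:35:50 GMT
Your IP address: 192.0.2.25
Requested URL: tracker.example.org/browse/EX-1
Error reference number: 1010
Server ID: FL_00X0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
"""

KEYS = ("Ray ID", "Timestamp", "Your IP address", "Requested URL",
        "Error reference number", "Server ID", "User-Agent")
SIGNATURE = re.compile(r"browser's signature \(([^)]+)\)")


def parse_block_report(text):
    """Return the labelled fields of a pasted block page plus triage hints."""
    report = {}
    for line in text.splitlines():
        # Split at the first colon only, so timestamps and URLs stay intact.
        key, sep, value = line.strip().partition(":")
        if sep and key in KEYS:
            report[key] = value.strip()
    match = SIGNATURE.search(text)
    report["signature"] = match.group(1) if match else None
    # Timestamp layout as shown in the quoted page.
    try:
        report["when"] = datetime.strptime(
            report.get("Timestamp", ""), "%a, %d-%b-%y %H:%M:%S GMT"
        ).replace(tzinfo=timezone.utc)
    except ValueError:
        report["when"] = None
    # In the quoted page, reference 1010 appears together with the
    # "browser's signature" wording; treat either as a signature-based block.
    if report.get("Error reference number") == "1010" or report["signature"]:
        report["kind"] = "browser-signature"
    else:
        report["kind"] = "unclassified"
    # In the quoted page the signature string starts with the Ray ID; a
    # mismatch suggests a mangled or stitched-together paste.
    ray = report.get("Ray ID")
    report["consistent"] = bool(
        ray and report["signature"] and report["signature"].startswith(ray))
    return report
```

The Ray ID and timestamp are the values to hand to whoever administers the edge service, since they identify the individual blocked request.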

          mspurrier Matthew Spurrier added a comment -

          This is a security mechanism in cloudflare based on your browser signature, it effectively detects your signature and bans as required.

          see https://support.cloudflare.com/entries/22041862-Access-Denied-The-owner-of-this-website-has-banned-your-access-based-on-your-browser-s-signature

          I believe it's there to fight bots, malware, etc.
          So it may be a plugin on your browser that's interfering with the signature enough to register a potential threat.

          >>
          Site visitor:
          A plugin or extension in your browser may be throwing a false positive. Try visiting the site with a different browser as an alternative way of accessing the site.
          <<

          I'd check to ensure your browser is up to date, and check the plugins/extensions installed on your browser.

          It may well be that the plugin you're using to change your user agent is what's failing the checks.

          Matt

          james.mclean James McLean added a comment -

          Chrome is the latest version, as are all my plugins. I didn't use a plugin to change the UA, I tested it with the Developer Tools included in Chrome - only for that one session. Closing developer tools reverts the UA.

          I've just disabled a few plugins I don't use - ForecastFox, Chrome to Phone, YSlow and a Regex testing plugin - but I still have the same issue. I had a Chrome update available, so I've installed that now and there was no change. Some others I won't disable, because I shouldn't have to - LastPass, Adblock Plus, Disconnect, Dev HTTP Client, Google Docs.

          I'm accessing Moodle.org from a large Australian University network.

          How exactly is the browser signature generated? It seems like a very flaky method of determining whether someone should be accessing a site or not, when no plugin information is sent to the remote site with a request anyway.

          mspurrier Matthew Spurrier added a comment -

          "CloudFlare's Browser Integrity Check is similar to Bad Behavior and looks for common HTTP headers abused most commonly by spammers and denies access to your page. It will also challenge visitors that do not have a user agent or a non standard user agent (also commonly used by abuse bots, crawlers or visitors)."

          I've turned it off for now.


            People

            • Votes: 1
            • Watchers: 5
