Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: moodle.org
    • Labels:
      None

      Description

      In order to try and reduce the influx of spammers, I've raised the Cloudflare security level up from its usual level of 'low' to high.

            Activity

            poltawski Dan Poltawski added a comment -

            After discussing with Helen, I raised the Cloudflare security level to its highest level, "I'm under attack".

            poltawski Dan Poltawski added a comment -

            Changed it back to high, after Eloy's complaints.

            stronk7 Eloy Lafuente (stronk7) added a comment - - edited

            note: setting it to the "I'm under attack" level caused all phpunit tests to stop working (coz we have some fixture files @ download.moodle.org) and the change was affecting that host too.

            note2: it also broke WS calls from download.moodle.org to moodle.org to get add-ons information for the updates API.

            mspurrier Matthew Spurrier added a comment - - edited

            The 'I'm under attack' setting really shouldn't be used; spammers should be blocked using the application firewall, not by shutting down the site.

            I've made a series of adjustments to Cloudflare's settings, both to increase performance and to provide increased security. Please let me know if there are any issues.

            (Should probably also note, the web application file has now been changed from off to low, please don't change it to high, it will cause more trouble than it's worth.)

            Oh, and for general awesomeness, I've made a change to our error messages, so we don't have standard Cloudflare errors anymore, they're all Moodle pages.

            tsala Helen Foster added a comment -

            Matthew, thanks for your efforts. The custom error message pages sound good, though I've not seen them yet!

            Unfortunately however the spam problem remains really bad - new accounts created every few hours, and although people are reporting the spam forum posts, it's usually after the forum post notifications have gone out.

            mspurrier Matthew Spurrier added a comment -

            The easiest solution to this would be to start blocking people doing it. Have we got any documentation on the IPs associated with these automated spam accounts?

            I could potentially increase the web application firewall, but not sure whether that would have a detrimental effect to the rest of the site, and unfortunately you can only set the level on a per site basis and on or off for page rules, which is silly... but oh well...

            tsala Helen Foster added a comment -

            We looked into doing something with IP addresses previously (MDLSITE-2032). I can keep a record of spammer IP addresses for 24 hours to see whether anything can be done with it.

            tsala Helen Foster added a comment -

            Forum spammers in past 48 hours:

            Profile spammers:
            graham.stone Graham Stone added a comment -

            Hi,

            I have just had a strange thing happen to me when trying to post in the 'General Help' Forum, I was directed to another screen where I was required to input the usual annoying mixture of letters but after doing that I received a 502 Gateway Error. Looks like the Spam filter has been set a bit too high and is very annoying as after I got the 502 error not only did my post not get posted but it also lost it meaning that I've now got to go back and re-write it which considering it was quite a long post has resulted in my slight annoyance.

            I understand the problem the Moodle community is currently having with spammers blighting us but IMHO this new protection layer is not suitable and is going to put people off posting if they have to go through it every time and then end up losing their posts because of 502 errors!!

            tsala Helen Foster added a comment -

            Graham, sorry to hear of you losing your post due to a 502 error. I notice from the discussion thread https://moodle.org/mod/forum/discuss.php?d=223566 that you're not the only one.

            I'm reassigning this issue to Matthew and hoping he can look into things soon.

            graham.stone Graham Stone added a comment -

            Thanks Helen, I've just voted for the issue here so hopefully a solution will be found soon

            mspurrier Matthew Spurrier added a comment -

            Okay, I've set the security level to medium (from high), and set the application firewall to low to see how that goes.

            mspurrier Matthew Spurrier added a comment -

            Marking resolved from long long ago in a galaxy far far away

            james.mclean James McLean added a comment -

            I'm not able to access most of moodle.org via Chrome; I receive the "Something seems to be wrong with the Internet. Sorry for the inconvenience! If it continues, try #moodleorg on twitter." error every time I try and access anything that's not on the front page. Usually I am able to get to the login page, fill in my details (via LastPass), then submit will take me to that page.

            From the source of the page it lists some further information (html stripped)

            The owner of this website (tracker.moodle.org) has banned your access based on your browser's signature (a25192e4d5004ce-mh5).

            Ray ID: a25192e4d5004ce
            Timestamp: Fri, 23-Aug-13 04:35:50 GMT
            Your IP address: 130.220.71.25
            Requested URL: tracker.moodle.org/browse/MDL-28449
            Error reference number: 1010
            Server ID: FL_26F5
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

            Not an IP ban, Firefox works OK on the same PC. Changing the UserAgent in Chrome doesn't change it either.
            Has been a continual issue for the past month. Occasionally, very very occasionally, it will allow me through on a refresh. But, that's worked probably twice, out of hundreds of attempts.

            mspurrier Matthew Spurrier added a comment -

            This is a security mechanism in Cloudflare based on your browser signature; it effectively detects your signature and bans as required.

            See https://support.cloudflare.com/entries/22041862-Access-Denied-The-owner-of-this-website-has-banned-your-access-based-on-your-browser-s-signature

            I believe it's there to fight bots, malware, etc.
            So it may be a plugin on your browser that's interfering with the signature enough to register a potential threat.

            >>
            Site visitor:
            A plugin or extension in your browser may be throwing a false positive. Try visiting the site with a different browser as an alternative way of accessing the site.
            <<

            I'd check to ensure your browser is up to date, and check the plugins/extensions installed on your browser.

            It may well be that the plugin you're using to change your user agent is what's failing the checks.

            Matt

            james.mclean James McLean added a comment -

            Chrome is the latest version, as are all my plugins. I didn't use a plugin to change the UA, I tested it with the Developer Tools included in Chrome - only for that one session. Closing developer tools reverts the UA.

            I've just disabled a few plugins I don't use - ForecastFox, Chrome to Phone, YSlow and a Regex testing plugin - but I still have the same issue. I had a Chrome update available, so I've installed that now and there was no change. Some others I won't disable, because I shouldn't have to - LastPass, Adblock Plus, Disconnect, Dev HTTP Client, Google Docs.

            I'm accessing Moodle.org from a large Australian University network.

            How exactly is the browser signature generated? It seems like a very flaky method of determining whether someone should be accessing a site or not, when no plugin information is sent to the remote site with a request anyway.

            mspurrier Matthew Spurrier added a comment -

            "CloudFlare's Browser Integrity Check is similar to Bad Behavior and looks for common HTTP headers abused most commonly by spammers and denies access to your page. It will also challenge visitors that do not have a user agent or a non standard user agent (also commonly used by abuse bots, crawlers or visitors)."

            I've turned it off for now.


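The thread reports automated clients (phpunit fixture downloads, web-service calls from download.moodle.org) and a browser user being stopped at the Cloudflare edge after the security settings changed. The following is an added example, not code from this issue or from Moodle: a check a scheduled monitor could run on responses to its own server-to-server calls to tell an edge block or HTML interstitial apart from a real JSON reply. The function names, the sample responses and their status codes are constructed assumptions; `CF-RAY` and `Server: cloudflare` are response headers Cloudflare sets, and the "Error reference number" field is the one shown in the block page quoted above.

```python
import json
import re

# Field name as it appears in the block page quoted in this thread.
ERROR_REF = re.compile(r"Error reference number:\s*(\d+)")


def classify(status, headers, body):
    """Classify one response received by a client that expects JSON."""
    h = {k.lower(): v for k, v in headers.items()}
    # CF-RAY / "Server: cloudflare" mark a response that passed through the edge.
    via_edge = "cf-ray" in h or h.get("server", "").lower() == "cloudflare"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    ref = ERROR_REF.search(body)
    if via_edge and ref:
        return "edge_block", "error reference " + ref.group(1)
    if not 200 <= status < 300:
        if ctype == "text/html":
            # An HTML page where JSON was expected: challenge or error page.
            return "html_interstitial", "HTTP %d with HTML body" % status
        return "http_error", "HTTP %d" % status
    try:
        json.loads(body)
    except ValueError:
        return "bad_payload", "2xx but body is not JSON (%s)" % (ctype or "no type")
    return "ok", ""


# Constructed sample responses (not captured traffic); status codes are assumed.
SAMPLES = [
    (200, {"Content-Type": "application/json"}, '{"addons": []}'),
    (403, {"Server": "cloudflare", "CF-RAY": "0000000000000000-TST",
           "Content-Type": "text/html; charset=UTF-8"},
     "<p>Error reference number: 1010</p>"),
    (503, {"Server": "cloudflare", "Content-Type": "text/html"},
     "<html>placeholder challenge page</html>"),
    (200, {"Content-Type": "text/html"}, "<html>login page</html>"),
]


def failures(samples):
    """Return the non-ok verdicts so a scheduled check can alert on them."""
    results = [classify(*s) for s in samples]
    return [r for r in results if r[0] != "ok"]


if __name__ == "__main__":
    for verdict, detail in failures(SAMPLES):
        print(verdict, detail)
```

Running such a check from each dependent host right after a security-level change shows whether machine clients are now being stopped at the edge before users or test suites report it.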
              People

              • Votes: 1
              • Watchers: 5