Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: moodle.org
    • Labels: None
    • Rank: 48152

      Description

      In order to try and reduce the influx of spammers, I've raised the Cloudflare security level up from its usual level of 'low' to high.

        Activity

        Dan Poltawski added a comment -

        After discussing with Helen, I raised the Cloudflare security level to its highest level, "I'm under attack".

        Dan Poltawski added a comment -

        Changed it back to high, after Eloy's complaints.

        Eloy Lafuente (stronk7) added a comment - edited

        note: setting it to the "I'm under attack" level caused all phpunit tests to stop working (coz we have some fixture files @ download.moodle.org) and the change was affecting that host too.

        note2: it also broke WS calls from download.moodle.org to moodle.org to get add-ons information for the updates API.

        Matthew Spurrier added a comment - edited

        The 'I'm under attack' setting really shouldn't be used; spammers should be blocked using the application firewall, not by shutting down the site.

        I've made a series of adjustments to Cloudflare's settings, both to increase performance and to provide increased security. Please let me know if there are any issues.

        (Should probably also note, the web application file has now been changed from off to low, please don't change it to high, it will cause more trouble than it's worth.)

        Oh, and for general awesomeness, I've made a change to our error messages, so we don't have standard Cloudflare errors anymore, they're all Moodle pages.

        Helen Foster added a comment -

        Matthew, thanks for your efforts. The custom error message pages sound good, though I've not seen them yet!

        Unfortunately however the spam problem remains really bad - new accounts created every few hours, and although people are reporting the spam forum posts, it's usually after the forum post notifications have gone out.

        Matthew Spurrier added a comment -

        The easiest solution to this would be to start blocking people doing it. Have we got any documentation on the IPs associated with these automated spam accounts?

        I could potentially increase the web application firewall, but not sure whether that would have a detrimental effect to the rest of the site, and unfortunately you can only set the level on a per site basis and on or off for page rules, which is silly... but oh well...

        Helen Foster added a comment -

        We looked into doing something with IP addresses previously (MDLSITE-2032). I can keep a record of spammer IP addresses for 24 hours to see whether anything can be done with it.

        Helen Foster added a comment -

        Forum spammers in past 48 hours:

        Profile spammers:
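An added example, not part of Helen's comment or of any Moodle or Cloudflare code: one way to turn per-address spam reports of the kind collected in this thread into candidate block rules, showing how many unrelated addresses a range block would also cover. The sample addresses are constructed, and the function names, the /24 and /16 prefixes and the two-hit threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (private-range addresses, not taken from the thread), in the
# same shape as the reports: one address per line, sometimes "A then B".
SAMPLE_REPORT = """\
10.20.121.86
10.20.121.117
10.20.112.189
10.20.124.193
10.44.75.12
10.44.75.125
10.44.72.184
172.16.5.9
10.99.211.61
10.99.211.61
10.7.4.196 then 172.16.255.90
unknown
"""


def parse_report(text):
    """Return (distinct valid IPv4 addresses, tokens that failed to parse)."""
    seen, rejected = set(), []
    for line in text.splitlines():
        for token in line.replace(" then ", " ").split():
            try:
                seen.add(ipaddress.IPv4Address(token))
            except ipaddress.AddressValueError:
                rejected.append(token)
    return seen, rejected


def block_candidates(addresses, prefix_len=24, min_hits=2):
    """Split addresses into networks seen min_hits+ times and one-off addresses."""
    groups = defaultdict(set)
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].add(addr)
    ranges = {n: sorted(m) for n, m in groups.items() if len(m) >= min_hits}
    singles = sorted(a for m in groups.values() if len(m) < min_hits for a in m)
    return ranges, singles


def summarize(ranges):
    """Per network: (CIDR, spam addresses observed, addresses a block would cover)."""
    return [(str(n), len(m), n.num_addresses) for n, m in sorted(ranges.items())]


if __name__ == "__main__":
    addrs, rejected = parse_report(SAMPLE_REPORT)
    for prefix in (24, 16):
        ranges, singles = block_candidates(addrs, prefix_len=prefix)
        print(f"/{prefix}:", summarize(ranges), "one-offs:", [str(a) for a in singles])
    print("rejected tokens:", rejected)
```

Widening the prefix from /24 to /16 pulls more of the reported addresses into range rules, but each rule then covers 65536 addresses instead of 256, which is the collateral-blocking cost to weigh before applying it.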

        Graham Stone added a comment -

        Hi,

        I have just had a strange thing happen to me when trying to post in the 'General Help' Forum, I was directed to another screen where I was required to input the usual annoying mixture of letters but after doing that I received a 502 Gateway Error. Looks like the Spam filter has been set a bit too high and is very annoying as after I got the 502 error not only did my post not get posted but it also lost it meaning that I've now got to go back and re-write it which considering it was quite a long post has resulted in my slight annoyance.

        I understand the problem the Moodle community is currently having with spammers blighting us but IMHO this new protection layer is not suitable and is going to put people off posting if they have to go through it every time and then end up losing their posts because of 502 errors!!

        Helen Foster added a comment -

        Graham, sorry to hear of you losing your post due to a 502 error. I notice from the discussion thread https://moodle.org/mod/forum/discuss.php?d=223566 that you're not the only one.

        I'm reassigning this issue to Matthew and hoping he can look into things soon.

        Graham Stone added a comment -

        Thanks Helen, I've just voted for the issue here so hopefully a solution will be found soon

        Matthew Spurrier added a comment -

        Okay, I've set the security level to medium (from high), and set the application firewall to low to see how that goes.

        Matthew Spurrier added a comment -

        Marking resolved from long long ago in a galaxy far far away

        James McLean added a comment -

        I'm not able to access most of moodle.org via Chrome; I receive the "Something seems to be wrong with the Internet. Sorry for the inconvenience! If it continues, try #moodleorg on twitter." error every time I try and access anything that's not on the front page. Usually I am able to get to the login page, fill in my details (via LastPass), then submit will take me to that page.

        From the source of the page it lists some further information (html stripped)

        The owner of this website (tracker.moodle.org) has banned your access based on your browser's signature (a25192e4d5004ce-mh5).

        Ray ID: a25192e4d5004ce
        Timestamp: Fri, 23-Aug-13 04:35:50 GMT
        Your IP address: 130.220.71.25
        Requested URL: tracker.moodle.org/browse/MDL-28449
        Error reference number: 1010
        Server ID: FL_26F5
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

        Not an IP ban, Firefox works OK on the same PC. Changing the UserAgent in Chrome doesn't change it either.
        Has been a continual issue for the past month. Occasionally, very very occasionally, it will allow me through on a refresh. But, that's worked probably twice, out of hundreds of attempts.

        Matthew Spurrier added a comment -

        This is a security mechanism in Cloudflare based on your browser signature; it effectively detects your signature and bans as required.

        see https://support.cloudflare.com/entries/22041862-Access-Denied-The-owner-of-this-website-has-banned-your-access-based-on-your-browser-s-signature

        I believe it's there to fight bots, malware, etc.
        So it may be a plugin on your browser that's interfering with the signature enough to register a potential threat.

        >>
        Site visitor:
        A plugin or extension in your browser may be throwing a false positive. Try visiting the site with a different browser as an alternative way of accessing the site.
        <<

        I'd check to ensure your browser is up to date, and check the plugins/extensions installed on your browser.

        It may well be that the plugin you're using to change your user agent is what's failing the checks.

        Matt

        James McLean added a comment -

        Chrome is the latest version, as are all my plugins. I didn't use a plugin to change the UA, I tested it with the Developer Tools included in Chrome - only for that one session. Closing developer tools reverts the UA.

        I've just disabled a few plugins I don't use - ForecastFox, Chrome to Phone, YSlow and a Regex testing plugin - but I still have the same issue. I had a Chrome update available, so I've installed that now and there was no change. Some others I won't disable, because I shouldn't have to - LastPass, Adblock Plus, Disconnect, Dev HTTP Client, Google Docs.

        I'm accessing Moodle.org from a large Australian University network.

        How exactly is the browser signature generated? It seems like a very flaky method of determining whether someone should be accessing a site or not, when no plugin information is sent to the remote site with a request anyway.

        Matthew Spurrier added a comment -

        "CloudFlare's Browser Integrity Check is similar to Bad Behavior and looks for common HTTP headers abused most commonly by spammers and denies access to your page. It will also challenge visitors that do not have a user agent or a non standard user agent (also commonly used by abuse bots, crawlers or visitors)."

        I've turned it off for now.


          People

          • Votes: 1
          • Watchers: 5
