Help with Chinese Language

[amirm]

Meh it would be best if some fellow Chinese would actually talk to him and ask him politely to stop what ever he thinks he is doing and explain to him how he fails the purpose anyway as nobody understands it and it gets quickly removed. That's a best bet to make him stop permanently.

??? He is getting paid for every post he creates. He is just a worker, not the person paying for it.

 

[JSmith]

It's not likely to be a person IMO, rather a spam bot with a specific set of instructions... hard to know for sure.

@amirm, this may be of assistance;

FSpamlist - Forum Spam List

FSpamlist - Forum Spam - Forum Ban List - For identifying and blocking forum spam bots.

fspamlist.com

Welcome to FSpamlist.com; a.k.a. the Forum Spam List. This site is dedicated to the prevention of forum spam. If you are tired of spam on your forums, you're in the right place!

We provide the following services:

• forum ban lists
• spammer identification / information
• spam bot prevention tools
• ... and much more!

JSmith

 

[amirm]

@amirm, this may be of assistance;

Oh we use a service like that. The ones that get through avoid all the triggers by creating fresh email aliases every time and otherwise valid IP addresses. This forum would be nothing but spam if our automated systems were not in place!

 

[Beave]

It's not likely to be a person IMO, rather a spam bot with a specific set of instructions... hard to know for sure.

@amirm, this may be of assistance;

FSpamlist - Forum Spam List

FSpamlist - Forum Spam - Forum Ban List - For identifying and blocking forum spam bots.

fspamlist.com

JSmith

It's not a spam bot.

How do I know? I private messaged him and wrote that he was bringing shame upon his family.

He replied with a Chinese character indicating that I'm a d!ck.

 

[GeekyBastard]

Got his phone number, I'm going to text him to stop, if he doesn't, time to report him to his ISP (might be China Unicom 中国联通, since many broadband plans were sold with mobile data plans in China).

 

[mSpot]

It's not a spam bot.

How do I know? I private messaged him and wrote that he was bringing shame upon his family.

He replied with a Chinese character indicating that I'm a d!ck.

There is definitely automation involved. If you Google the text, the spam is going to many forums ("About 22,100 results")

KSU美国文凭堪萨斯州立大学毕业证书毕业信Q/微993398773原版毕业证成绩单KSU教育部认证留信认证使馆认证KSU修改GPA成绩KSU - Google Search

 

[Beave]

A health-related forum I visit used to get hit with it every night. This was probably 6 or 8 years ago.

There are probably many spammers all doing the same thing.

 

[Nonick]

Safest way is to prevent this is the following:
1. Block HTTP Headers based on keywords > add block refferer rule to nginx.conf

## Deny referers
## case insensitive
if ($http_referer ~* (spamword1|spamword2|spamword3|spamkeyword4|keyword5|otherphrase))
{  return 403;   }

*(replace values with 仿真毕业证|认证本科毕业证|otherphrase|otherphraseetc|

2. Setup fail2ban for CentOS
modify jail.local file for Xenforo so the fail2ban monitors nginx-access.log and nginx-error.log
Create fail2ban xenforo.conf with regex filter to match "problematic" spammers and keywords:
for example:

failregex = (?i)^<HOST> -.*"(GET|POST|HEAD|PUT).*证使馆认证*认证本科毕业证*$

 

[Urvile]

I'm starting to think that the filters are not working because some of these posts are in different character encodings. Example being CJK and
Unicode CJK Unified Ideographs, and Guobiao ... Sigh this is a complicated problem.

 

[Nonick]

It's solved with regex :
Header matches regex "(charset="gb(k|2312|18030)"|=\?GB(K|2312|18030)\?)" OR Header matches regex "(charset="big5"|=\?Big5\?)

 

[Urvile]

It's solved with regex :
Header matches regex "(charset="gb(k|2312|18030)"|=\?GB(K|2312|18030)\?)" OR Header matches regex "(charset="big5"|=\?Big5\?)

That blocks all , think they are trying to be more selective.

 

[Nonick]

It's obvious that above mentioned regex should be combined with previous, because it's a general rule, so i don't need to emphasize that..
As with log encoding setting.
Use encoding and then decode chinese spam words by character, create regex
i.e. '\u3007' # Ideographic number zero
'\u4E00-\u9FFF' # CJK Unified Ideographs
'\u3400-\u4DBF' # CJK Unified Ideographs Extension A
'\uF900-\uFAFF' etc.

 

[threni]

Got his phone number, I'm going to text him to stop, if he doesn't, time to report him to his ISP (might be China Unicom 中国联通, since many broadband plans were sold with mobile data plans in China).
View attachment 203302

I mean, it might be his phone number, but it reminds me of a friend who runs a website who used to get all these angry emails from people accusing him of spamming them. He used to patiently explain that he didn't send the emails; that it's trivial to spoof email addresses and could have been anyone including competitors; that he had a legitimate website entirely unconnected with whatever the spam was trying to promote but they just kept on complaining like HE was the idiot. In the end he just stopped responding and blocked all the complaints.

 

[amirm]

FYI he came back last night. None of the previous filters caught him. So I put in the wild card suggested earlier by @Nonick to catch all instances of this language. Let's see if this traps him.

 

[Keened]

FYI he came back last night. None of the previous filters caught him. So I put in the wild card suggested earlier by @Nonick to catch all instances of this language. Let's see if this traps him.

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. -Jamie Zawinski

 

[Propheticus]

FYI he came back last night. None of the previous filters caught him. So I put in the wild card suggested earlier by @Nonick to catch all instances of this language. Let's see if this traps him.

Does the filter work on post edits? I noticed they first post with codes like "g4" which are later edited to the Chinese spam.

I wonder why brand new accounts with no thread replies are allowed to create so many threads on day one by the way. Can't you limit this until someone is vetted by having at least some replies and several days of forum activity? And/or have first threads by new accounts held pending until validated by an admin.

 

[RayDunzl]

FYI he came back last night. None of the previous filters caught him. So I put in the wild card suggested earlier by @Nonick to catch all instances of this language. Let's see if this traps him.

Game On!

 

[amirm]

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. -Jamie Zawinski

Well, I don't think he had finished middle school while I was professionally working on Unix OS where regexp is everything! Yes, you get burned from time. But it is a super powerful tool when you need it.

 

[GeekyBastard]

I mean, it might be his phone number, but it reminds me of a friend who runs a website who used to get all these angry emails from people accusing him of spamming them. He used to patiently explain that he didn't send the emails; that it's trivial to spoof email addresses and could have been anyone including competitors; that he had a legitimate website entirely unconnected with whatever the spam was trying to promote but they just kept on complaining like HE was the idiot. In the end he just stopped responding and blocked all the complaints.

I got that number from a leaked database (not entirely legal), which links to his QICQ numbers, nowadays QICQ bounded mobile number in China must be registered with real name, so I'm pretty sure that's his own number, even the phone number's region corresponds to his QICQ profile, I could dig deeper and reveal his true identity, but that might be too much, also extremely illegal in my own country.

 

[voodooless]

Looks like the countermeasures are not working anymore