

#Gitea #spam

25 more spam users have been created today on my Gitea instance.

Again, same patterns - GMail email addresses, spammy links in the description, most of them about services in India (ranging from tours in Ooty or Agra, to help with programming assignments, to escort services in Pune). I've noticed that some of them have also started creating empty repos.

This is in spite of the block to direct registrations I've put on the website - it's now only possible to register/sign-in through a 3rd-party.

The solution for now has been to run my spam account deletion script again, and to disable logins through Google OAuth2.

It seems quite clear to me, however, that there are real humans behind these campaigns, even if the registration patterns seem to concentrate around certain times of the day. Other Gitea admins and I have reported that even CAPTCHAs couldn't stop them. In my case, with direct registrations disabled on the server, it means that some real humans with some real Google accounts were clicking on the "Sign in with Google" button and signing in. Now if they want to sign in they have to go through some extra steps (having a Twitter, Mastodon or Github account), and I hope that this at least frustrates their efforts a bit. The reason why real humans would spend so much effort targeting a Gitea instance with just about 100 users is still unclear to me though.

@codeberg do other instances report similar patterns as well? Anything we can do to mitigate this flood?
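The "script for spam accounts deletion" mentioned above is not shown in the thread. What follows is an added example of mine, not the author's script or Gitea project code: it scores each user against the patterns described in the post (free-mail address, links in the profile description, spam vocabulary, no non-empty repositories) and deletes the matches through the admin API. Assumed: the endpoints `GET /api/v1/admin/users`, `GET /api/v1/users/{username}/repos` and `DELETE /api/v1/admin/users/{username}`, a token in `GITEA_TOKEN`, and the regexes, weights and threshold, which are my own heuristics rather than anything the post specifies.

```python
"""Added example (not the author's script or Gitea project code).
Scores Gitea users against the spam patterns described in the thread
and deletes the matches via the admin API. Dry-run by default; pass
--delete on the command line to actually remove accounts."""

import json
import os
import re
import sys
import urllib.request
from urllib.parse import quote

# Heuristics (assumptions, tune them for your instance).
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
SPAM_WORDS_RE = re.compile(r"\b(escort|assignment help|tour packages?)\b", re.IGNORECASE)
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
# Threshold chosen so that a gmail user with one link and no repos is NOT
# flagged; a link plus spam vocabulary, or spam vocabulary on an empty
# free-mail account, is.
THRESHOLD = 5


def spam_score(user: dict, non_empty_repos: int) -> int:
    """Weight the signals: spam vocabulary and links count more than a
    free-mail domain or an empty account on their own."""
    email = (user.get("email") or "").lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    profile = " ".join(filter(None, (user.get("description"), user.get("website"))))
    score = 0
    if domain in FREEMAIL_DOMAINS:
        score += 1
    if LINK_RE.search(profile):
        score += 2
    if SPAM_WORDS_RE.search(profile):
        score += 3
    if non_empty_repos == 0:
        score += 1
    return score


def is_spam(user: dict, non_empty_repos: int, threshold: int = THRESHOLD) -> bool:
    """Never flag admins, whatever their profile looks like."""
    if user.get("is_admin"):
        return False
    return spam_score(user, non_empty_repos) >= threshold


def api(base_url: str, token: str, method: str, path: str):
    """Minimal Gitea API call with token auth; raises on 4xx/5xx."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        method=method,
        headers={"Authorization": "token " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def iter_users(base_url: str, token: str):
    """Walk the admin user list page by page (Gitea caps the page size
    at MAX_RESPONSE_ITEMS, 50 by default)."""
    page = 1
    while True:
        users = api(base_url, token, "GET", f"/api/v1/admin/users?page={page}&limit=50")
        if not users:
            return
        yield from users
        page += 1


def count_non_empty_repos(base_url: str, token: str, username: str) -> int:
    """The spammers also create empty repos, so only non-empty ones count."""
    repos = api(base_url, token, "GET", f"/api/v1/users/{quote(username)}/repos") or []
    return sum(1 for r in repos if not r.get("empty"))


def main() -> None:
    base_url, token = os.environ["GITEA_URL"], os.environ["GITEA_TOKEN"]
    delete = "--delete" in sys.argv[1:]
    for user in iter_users(base_url, token):
        name = user["login"]
        if not is_spam(user, count_non_empty_repos(base_url, token, name)):
            continue
        print("deleting" if delete else "would delete", name, user.get("email"))
        if delete:
            # purge=true also drops the user's repos; assumption: the running
            # Gitea version supports it, otherwise delete those repos first.
            api(base_url, token, "DELETE", f"/api/v1/admin/users/{quote(name)}?purge=true")


if __name__ == "__main__":
    main()
```

Run it once without `--delete`, read the list, adjust the regexes to whatever the current wave looks like, and only then run it again with `--delete`; scoring rather than hard rules keeps a legitimate user with a gmail address and a homepage link below the threshold.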

in reply to Fabio Manganiello

one more spam account got created just while I posted this. So the absence of a "Sign in with Google" button doesn't discourage them. Proceeding with setting `REGISTER_MANUAL_CONFIRM=true`.
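One way to write the registration lock-down discussed in this thread into `app.ini`, as an added example that is not the author's configuration: the setting names are Gitea's own `[service]` and `[oauth2_client]` keys as documented in its config cheat sheet, but the combination and the comments are mine, and the key names should be checked against the running version (older releases spell the domain list `EMAIL_DOMAIN_BLACKLIST`).

```ini
; Added example, not the author's app.ini. Left commented: the open setup
; that let the spam accounts through. Active: the hardened variant.
[service]
; Before: anyone can sign up and the account is live immediately
; DISABLE_REGISTRATION = false
; REGISTER_MANUAL_CONFIRM = false
; ENABLE_CAPTCHA = false

; After: registration only via an external provider (what the post did first) ...
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
SHOW_REGISTRATION_BUTTON = false
; ... and every new account stays inactive until an admin approves it.
; Gitea requires REGISTER_EMAIL_CONFIRM to be off when manual confirm is on.
REGISTER_MANUAL_CONFIRM = true
REGISTER_EMAIL_CONFIRM = false
; Did not stop these particular spammers per the thread, but costs nothing.
ENABLE_CAPTCHA = true
; Optional, blunt: refuse sign-ups from the domains the spam used.
; This also locks out legitimate users on those domains.
; EMAIL_DOMAIN_BLOCKLIST = gmail.com, googlemail.com

[oauth2_client]
; Do not silently create a local account the first time an OAuth identity
; (Google, Keycloak, ...) signs in; the user lands on the sign-up form instead,
; which is then subject to the manual confirmation above.
ENABLE_AUTO_REGISTRATION = false
```

After changing `[service]`, restart Gitea and check the admin "User Accounts" page: new sign-ups should appear as inactive until activated by hand, which is the behaviour `REGISTER_MANUAL_CONFIRM=true` is meant to give.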

Can you confirm if these are indeed humans trying their best to spam their links, or scripts that are leveraging some issues with the #Gitea authentication process? I'd be quite puzzled by the existence of human beings who go through so much effort to spam their content...

in reply to Fabio Manganiello

IIUC, the spam is not intended to create a nuisance. Though it is a nuisance, the intent is likely command & control, no? So they use spam to signal to their botnet. In principle the best justice would be to learn the language of the spam & use it to control the botnet yourself.
in reply to censored for “transphobia”

What drove my comment was that a Mastodon admin discovered that his instance was blacklisted as malicious. He did some deep investigation & found out that fake accounts were being created on his instance and used just to signal commands to a botnet.
in reply to censored for “transphobia”

that's indeed been the case for my instance as well: social.platypush.tech/web/@gra….

I haven't noticed a peak of spam users on my Mastodon instance, but my Gitea instance also runs on the same IP.

At first I thought that MalwareBytes reported my instance because of an episode that occurred a couple of months ago (Gitea was misconfigured for a couple of hours, leaving ssh access open for git, and some crawlers managed to install some port scanning malware that I promptly removed). But I'm now starting to believe that the report was caused by these fake accounts used to signal botnets.

in reply to Fabio Manganiello

What's unfortunate with the Mastodon case was that someone inspected some malware & determined that a Mastodon node was being used to control the botnet, but then they simply blacklisted the node. Didn't bother to tell the node admin, who discovered on his own that his host was on a blacklist & had to investigate why. Seems like an asshole move on the part of the security analyst.
in reply to censored for “transphobia”

I know that industry quite well and I know how the lack of best-practices and transparency is a huge problem.

The same occurred to me yesterday. I knew that MalwareBytes had blacklisted my instance's IP because somebody reported that any of my posts on their timeline triggered alerts.

I received no warning about the blacklist (even though I had provided a webmaster email address on the whois record) and, what's worse, I've found that there is NO WAY of querying blacklisted IPs or domains through any web interface or API. The only way, unless you run their software on your machine, is first to ask ops on their forum to flag it as a false positive, and then ask somebody who has MalwareBytes installed whether everything works after the block is lifted.

in reply to Fabio Manganiello

after a bit of investigation, I've noticed that the latest spam account was created by signing in through the Platypush SSO (my own Keycloak server), which still allowed signins through Google.

I've disabled that as well, but this confirms two things:

1. These are real humans - there's no way that a bot could have noticed so quickly that the Google signin option was removed from #Gitea, and notice that there was a Keycloak signin, and notice that Google was still allowed there.

2. They are really going to great lengths to create these accounts on low-traffic Gitea servers, for some reason.