spam?


!Friendica Support

Is this good for me? Don't feel like.


> select count(*) from gserver where url LIKE '%troll.cf%';
+----------+
| count(*) |
+----------+
| 13837755 |
+----------+
1 row in set (1 min 20.495 sec)


| 172846 | 30m1uebec.activitypub-troll.cf | 30m1uebec.activitypub-troll.cf | | | | 0 | 0 | | | unkn | | 0 | | 2022-12-03 19:51:17 | 0001-01-01 00:00:00 | 2023-01-03 20:01:25 | 0001-01-01 00:00:00 | 0 | 0 | 0 | 2023-02-03 20:01:25 | NULL | NULL | NULL | NULL | NULL | NULL |

| 172847 | 1ml1up799.activitypub-troll.cf | 1ml1up799.activitypub-troll.cf | | | | 0 | 0 | | | unkn | | 0 | | 2022-12-03 19:51:18 | 0001-01-01 00:00:00 | 2023-01-03 20:01:26 | 0001-01-01 00:00:00 | 0 | 0 | 0 | 2023-02-03 20:01:26 | NULL | NULL | NULL | NULL | NULL | NULL |

| 172848 | 2ckkegfqs.activitypub-troll.cf | 2ckkegfqs.activitypub-troll.cf | | | | 0 | 0 | | | unkn | | 0 | | 2022-12-03 19:51:20 | 0001-01-01 00:00:00 | 2023-01-03 20:01:28 | 0001-01-01 00:00:00 | 0 | 0 | 0 | 2023-02-03 20:01:28 | NULL | NULL | NULL | NULL | NULL | NULL |

| 172849 | q2g4bs0i.activitypub-troll.cf | q2g4bs0i.activitypub-troll.cf | | | | 0 | 0 | | | unkn | | 0 | | 2022-12-03 19:51:21 | 0001-01-01 00:00:00 | 2023-01-03 20:01:28 | 0001-01-01 00:00:00 | 0 | 0 | 0 | 2023-02-03 20:01:28 | NULL | NULL | NULL | NULL | NULL | NULL |

in reply to grin

I have banned and purged sbcloud.cc from everywhere, based on this

2023-01-29T10:27:59Z worker [INFO]: Server peer update start {"url":"https://fed.sbcloud.cc","worker_id":"85e31dd","worker_cmd":"UpdateServerPeers"} - {"file":"UpdateServerPeers.php","line":54,"function":"execute","uid":"a33038","process_id":295381}
2023-01-29T10:27:59Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://1chs090ty.activitypub-troll.cf","worker_id":"85e31dd","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"a33038","process_id":295381}

Since then worker doesn't pull in spambots again.

Now, it would be neat to know:
1. What exactly happened (I don't know the protocol that deeply)
2. Who did what
3. How to prevent that from happening in the future (both network-wise and locally)

#spambot #spam
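
The correlation used in the post above, as an added example that is not part of the original thread or Friendica's code: it groups "Server is unknown" discovery lines under the "Server peer update start" line with the same worker_id and flags a peer whose list introduced many unknown hosts under one parent domain. It assumes that lines sharing a worker_id belong to one UpdateServerPeers job; the sample log, the .example hostnames and the threshold are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

START, UNKNOWN = "Server peer update start", "Server is unknown. Start discovery."

def _line(msg, key, host, wid):  # builds one constructed line in the quoted log format
    ctx = json.dumps({key: "https://" + host, "worker_id": wid,
                      "worker_cmd": "UpdateServerPeers"}, separators=(",", ":"))
    return "2023-01-29T10:27:59Z worker [INFO]: " + msg + " " + ctx + ' - {"file":"GServer.php"}'

# Constructed sample; hostnames use the reserved .example TLD.
SAMPLE_LOG = "\n".join([
    _line(START, "url", "fed.peer-a.example", "aaa1111"),
    _line(UNKNOWN, "Server", "q1w2e3.flood.example", "aaa1111"),
    _line(UNKNOWN, "Server", "z9y8x7.flood.example", "aaa1111"),
    _line(START, "url", "fed.peer-b.example", "bbb2222"),
    _line(UNKNOWN, "Server", "social.site.example", "bbb2222"),
    _line(UNKNOWN, "Server", "m4n5b6.flood.example", "aaa1111"),
])

def context(line):
    """Return the first JSON object on a log line (the message context), or None."""
    _, brace, rest = line.partition("{")
    try:
        obj = json.JSONDecoder().raw_decode(brace + rest)[0]
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def discoveries_by_peer(log_text):
    """Map polled peer URL -> parent domain -> set of unknown hosts it introduced."""
    polling = {}  # worker_id -> peer URL that job is polling
    found = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ctx = context(line)
        if not ctx or ctx.get("worker_cmd") != "UpdateServerPeers":
            continue
        if START in line and "url" in ctx:
            polling[ctx.get("worker_id")] = ctx["url"]
        elif UNKNOWN in line and ctx.get("worker_id") in polling:
            host = (urlsplit(ctx.get("Server", "")).hostname or "").lower()
            if host:  # group by last two labels: rough, not a public-suffix lookup
                found[polling[ctx["worker_id"]]][".".join(host.split(".")[-2:])].add(host)
    return found

def suspicious(log_text, threshold=3):
    """Peers whose list introduced >= threshold unknown hosts under one parent domain."""
    hits = discoveries_by_peer(log_text).items()
    return sorted((p, d, len(h)) for p, doms in hits for d, h in doms.items() if len(h) >= threshold)
```

The result names the peer list through which the hostnames reached this node, which is the fact the two quoted log lines establish.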

in reply to grin

@Roland Häder @Lorenz !Friendica Support The toot this one replies to would have been shared to the people mentioned here, but I cannot seem to have a way to edit it accordingly; editing doesn't expand name references, nor can I seem to be able to tag people... I hope they can see the parent toot of this....
I am not sure I'll ever grok how this is supposed to work, who gets notified when and who sees what where how.
in reply to grin

@grin sbcloud.cc looks very legitimate to me, no sign of spam/scam. Please take a look at this:
$ host sbcloud.cc
sbcloud.cc has address 172.67.182.3
sbcloud.cc has address 104.21.59.174
sbcloud.cc has IPv6 address 2606:4700:3037::ac43:b603
sbcloud.cc has IPv6 address 2606:4700:3030::6815:3bae
$ host 1chs090ty.activitypub-troll.cf
Host 1chs090ty.activitypub-troll.cf not found: 3(NXDOMAIN)
$ host activitypub-troll.cf
Host activitypub-troll.cf not found: 3(NXDOMAIN)
$

So even the domain activitypub-troll.cf doesn't exist, but sbcloud.cc does. I see no relation between these two domains as they share nothing in common.
@grin
in reply to Roland Häder🇩🇪

Why? You think that having dns is proof that no bad traffic comes from there? Especially since you seem to realise that the spammed addresses were fakes, yet you seem to expect "blocking" a non-existent server. You based your opinion on about zero amount of facts, but you seem to be quite assured that you are, somehow, right.

But anyway, stopped spam for me, you're free to do whatever you deem proper, including looking at the dns when the AP networks get abused. :shrug:

I wish there were useful logs: those would be better for abuse management than... dns.

in reply to grin

Even after I have blocked these servers more than two weeks ago, the gserver table had more than 8GB! Now I run the same delete command again, and the table now has 10GB. What happened? Somebody knows what to do? Weird stuff.

MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 37499832 rows affected (5 hours 46 min 51.045 sec)

UPDATE: I run OPTIMIZE TABLE gserver; - and now, wow! the table is nearly empty, just 31 MB, and now it seems I did not have to upgrade my VPS!

in reply to Lorenz

@Lorenz @grin We need to add this to the purge worker job to have it automatically done for you. Or maybe optimize all tables? Just a SHOW TABLES FROM `friendica`; and exclude all views? A query on mysql schema is too much "vendor-specific" and the script already "knows" which are views and which are tables.

PS: Both your avatars are not showing up here, even after a "Refetch contact data".

This entry was edited (2 years ago)
in reply to Lorenz

@Lorenz @grin Do you have access to your server through SSH? Then try:
$ screen -dmS mysql mysql -p -u <user> <database>
And insert your data. Please don't include your password in the parameter list as this is visible with ps -ax. Then you can let the optimization run. You can access it with screen -r mysql and leave it with ALT+AD (exact order!) without quitting it.
in reply to Lorenz

@Lorenz After some attempts they both suddenly loaded and show up here. Edit: Only yours is showing. Maybe this error is related to:
2023-02-13T20:26:39Z worker [ERROR]: Uncaught exception in worker execution {"class":"Friendica\\Core\\Storage\\Exception\\StorageException","message":"Database storage failed to update ","code":500,"file":"/var/www/.../src/Core/Storage/Type/Database.php:94","trace":"#0 /var/www/.../src/Model/Photo.php(449): Friendica\\Core\\Storage\\Type\\Database->put()\n#1 /var/www/.../src/Model/Photo.php(636): Friendica\\Model\\Photo::store()\n#2 /var/www/.../src/Model/Contact.php(2307): Friendica\\Model\\Photo::importProfilePhoto()\n#3 /var/www/.../src/Model/Contact.php(2792): Friendica\\Model\\Contact::updateAvatar()\n#4 /var/www/.../src/Model/Contact.php(2585): Friendica\\Model\\Contact::updateFromProbeArray()\n#5 /var/www/.../src/Worker/UpdateContact.php(47): Friendica\\Model\\Contact::updateFromProbe()\n#6 [internal function]: Friendica\\Worker\\UpdateContact::execute()\n#7 /var/www/.../src/Core/Worker.php(572): call_user_func_array()\n#8 /var/www/.../src/Core/Worker.php(386): Friendica\\Core\\Worker::execFunction()\n#9 /var/www/.../src/Core/Worker.php(121): Friendica\\Core\\Worker::execute()\n#10 /var/www/.../bin/worker.php(83): Friendica\\Core\\Worker::processQueue()\n#11 {main}","previous":"Exception: Got a packet bigger than 'max_allowed_packet' bytes in /var/www/.../src/Core/Storage/Type/Database.php:94\nStack trace:\n#0 /var/www/.../src/Model/Photo.php(449): Friendica\\Core\\Storage\\Type\\Database->put()\n#1 /var/www/.../src/Model/Photo.php(636): Friendica\\Model\\Photo::store()\n#2 /var/www/.../src/Model/Contact.php(2307): Friendica\\Model\\Photo::importProfilePhoto()\n#3 /var/www/.../src/Model/Contact.php(2792): Friendica\\Model\\Contact::updateAvatar()\n#4 /var/www/.../src/Model/Contact.php(2585): Friendica\\Model\\Contact::updateFromProbeArray()\n#5 /var/www/.../src/Worker/UpdateContact.php(47): Friendica\\Model\\Contact::updateFromProbe()\n#6 [internal function]: Friendica\\Worker\\UpdateContact::execute()\n#7 /var/www/.../src/Core/Worker.php(572): 
call_user_func_array()\n#8 /var/www/.../src/Core/Worker.php(386): Friendica\\Core\\Worker::execFunction()\n#9 /var/www/.../src/Core/Worker.php(121): Friendica\\Core\\Worker::execute()\n#10 /var/www/.../bin/worker.php(83): Friendica\\Core\\Worker::processQueue()\n#11 {main}","worker_id":"cec5e9a","worker_cmd":"UpdateContact"} - {"file":"Worker.php","line":577,"function":"execFunction","request-id":"63ea9ba037f4d","uid":"a61a92","process_id":21743}
This entry was edited (2 years ago)
in reply to grin

Running 2023-03-rc on the last commit.
86k server from *.gab.best.

select count(*) from gserver where url LIKE '%troll.cf%' OR `url` LIKE '%gab.best%';
+----------+
| 86378 |
+----------+
DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 86378 rows affected (1.143 sec)

Changed Block pattern from gab.best to *.gab.best.
Obviously I missed the wildcard.
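
Why the bare pattern left the subdomains unblocked, as an added example that is not part of the original post or Friendica's code: it assumes block patterns are evaluated as shell-style globs against the whole hostname (Python's fnmatch stands in for that matching) and audits candidate patterns against constructed hostnames.

```python
from fnmatch import fnmatchcase

def is_blocked(host, patterns):
    """True if the hostname matches any glob pattern (case-insensitive, whole string)."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)

def audit(patterns, hosts, parent):
    """Return (missed, overblocked) relative to 'parent and everything under it'."""
    missed, overblocked = [], []
    for host in hosts:
        h = host.lower().rstrip(".")
        intended = h == parent or h.endswith("." + parent)
        blocked = is_blocked(h, patterns)
        if intended and not blocked:
            missed.append(host)
        elif blocked and not intended:
            overblocked.append(host)
    return missed, overblocked

# Constructed hostnames: the apex, generated-looking subdomains, and two lookalikes.
HOSTS = ["gab.best", "abc123.gab.best", "x.y.gab.best", "notgab.best", "gab.best.example.org"]

def compare(parent="gab.best", hosts=HOSTS):
    """Audit the pattern sets an admin might enter for one parent domain."""
    candidates = {
        "bare": [parent],                 # what the post started with
        "wildcard": ["*." + parent],      # what the post changed it to
        "loose": ["*" + parent],          # no dot: also matches lookalike names
        "both": [parent, "*." + parent],  # apex plus every subdomain
    }
    return {name: audit(p, hosts, parent) for name, p in candidates.items()}

if __name__ == "__main__":
    for name, (missed, over) in compare().items():
        print(f"{name:9} missed={missed} overblocked={over}")
```

Under this assumption the wildcard pattern alone leaves the apex domain unmatched, so listing both gab.best and *.gab.best covers the whole zone without catching lookalikes.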