signofzeta (Jedi Knight)
Joined: 14 Jan 2010, 09:44; Posts: 6574; Location: Ann Arbor; Has thanked: 1773 times; Been thanked: 1478 times
Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
Posted: 03 Mar 2026, 09:16
admin wrote:
    signofzeta wrote:
        It's occurred to me that I have an iPhone 17.

    Apple introduced the iCloud Private Relay from iOS 15, iPadOS 15, and macOS Monterey from what I read. I only have an iPhone 13 mini, can't test it.

    CloudFlare also made adjustments: https://blog.cloudflare.com/icloud-private-relay/

    From what they are describing, my best option was to pre-allow the Private Relay official subnets (already done). These users should not even see the Anubis girl.

    signofzeta, could you try to re-enable your privacy on your phone and test again?

    Julien

I switched it back on. I'll update if anything interesting happens.
_________________ All about LD care, inner sleeves, shrink wrap, etc.
https://youtu.be/b3O-vHpHRpM

admin (Site Admin)
Joined: 07 Aug 2002, 23:37; Posts: 5340; Location: Tokyo; Has thanked: 422 times; Been thanked: 1733 times
Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
Posted: 04 Mar 2026, 03:48
After spending some time analyzing the botnet flood, it seems to be composed of 2 different strategies.

1] phpBB forums are attracting AI crawlers like honey

LLMs need "fresh, human, organic" data to avoid re-hashing AI-generated stuff and quickly jump into hallucinations. Websites flagged as old, maintained, text forum are the ideal targets for resource-intensive scraping.

Long threads here: What is going on? Is this some kind of widespread attack? (phpbb.com)

Some webmasters just block entire countries when attacks start mounting (China, Vietnam, Brazil, etc.) but doing this also blocks honest people, it's too wide.

Others (like myself, initially) tried to block static lists of "bad" IPs (https://billauer.se/blog/2025/05/phpbb-attack-bots-ip-addresses/) but the profile of a "bad" IP changed over time. It used to be the source of an attack/crawl, now with the residential proxy botnets, it could be anyone coming from any IP.

So profiling/challenging is needed and the solution for all these forums was to use CloudFlare or Anubis.

2] Spawning scam shopping websites by leveraging contents, page ranking, then DDoS'ing the original website

This is more speculative as I have found no research/analysis/security paper fully documenting this behavior yet.

I set up a Google Alert for "Laserdisc Database" a long time ago. It would initially trigger on the website's or forum's URLs. But over time, it would find very, very weird websites offering LDDB's LaserDisc or Hardware entry pages to Google.

Recent ones -- last few days:
- Siouxsie & The Banshees /レーザーディスク LaserDisc Database on jordanianschoolqatar.com - takes you to sebdi.lcbyfgnt.club
- LaserDisc Database - Hardware - Denon - DCD-1650AE on cardioser.com.br - takes you to lues.tradese.shop
- LaserDisc Database - Hardware - Sony - HIL-C2EX on cartecadeaupf.com - takes you to janty.kiloar.hair
- LaserDisc Database Hardware Sony MDP-V7 on tomek-vyroba.cz - takes you to blikeuhij.click
- LaserDisc Database - Hardware - CLD-A100 on nstitutoorange.com.br -- website has been disarmed
- Etc.

You get the picture. Obviously something is off.

I think this is how the scam works:
- Hack a website (preferred target being badly maintained/configured WordPress sites) - Site A
- Harvest legit contents like LD or Hardware from LDDb - Site B
- Allow Google known IPs to retrieve Site B's contents as if it was just a clone website (Google will understand that) on Site A
- Site A's scam URLs get added to Google search/AI learning base, maybe even leveraging the Page Ranking from Site B
- When a visitor comes from a specific country (by IP), redirect them over the scam website - Site C
- When a visitor comes from an un-handled country, just show an empty page.
- Use a cheap residential proxy server to try to DDoS the original Site B to bring it down and make Site C look more legit to Google.

The scam websites are looking like a typical eCommerce website with KILLER prices, many ways to pay, and leverage contents found on eBay, Yahoo Auction, etc. to populate their fake inventories. The domains are very recently registered for cheap and probably existing in thousands, with disposable subdomains.

I'm sure your payment will be gladly accepted... and nothing delivered. Or the credit card data will be immediately used for something else, or sold to another scam team as "fresh".

One more reason to block bots from harvesting LDDb.com!

and...

3] Automated forum account creation + SPAM posting

Because of the way LDDb forum is organized as sub-section of LDDb and automatically creates/syncs forum accounts with your LDDb account, we are not subject to this kind of attack. You simply cannot create a separate forum account.

Some poor countries (Bangladesh, Cambodia, India, etc.) sometimes take the time and effort to manually set up a LDDb account just to be able to post a few SPAM links but we usually detect them quickly and the post/accounts are promptly deleted. It's a minor nuisance compared to the botnets.

Julien
_________________ HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G MSD4 MSC-4000 R2144 PONTUS II C45 MC257

chrisw6atv (True fan)
Joined: 28 Sep 2023, 06:27; Posts: 365; Location: Hayward, California USA; Has thanked: 226 times; Been thanked: 141 times
Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
Posted: 04 Mar 2026, 19:47
It is really sad, the levels of complexity that disgusting people will go to, to damage or ruin the experiences of people worldwide in sleazy attempts to steal from even a tiny percentage of them. I just cannot understand the complete lack of basic human decency such people have. How do these people "sleep with their own knowledge at night"? No matter how hungry, or how "poor", or how jealous anyone is, their parent(s) must have taught them better behavior, most of us would think.
Julien, I have a new, higher level of respect and appreciation of everything you do to keep this site and community going. You (and your assistants/partners, if you have any) are a wonderful "antidote" to the knowledge that the people I mentioned above exist. --Thank you!--

admin (Site Admin)
Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
Posted: 09 Mar 2026, 16:24
and... the botnets found a way to pass through Anubis and hammer the forum again :-/

This is the global traffic on the forum (humans + bots):

[Attachment: forum-all.png]

And previously Anubis was filtering 99.5% of the traffic... not anymore, the logs start filling up almost immediately after I restart Anubis to force re-challenge...

[Attachment: forum-anubis.png]

It's never-ending.

Julien
_________________ HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G MSD4 MSC-4000 R2144 PONTUS II C45 MC257

admin (Site Admin)
Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
Posted: 11 Mar 2026, 02:23
benmbe wrote:
    I received a couple of emails conveying that there had been issues with Singapore server problems etc.

Singapore server??

Julien
_________________ HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G MSD4 MSC-4000 R2144 PONTUS II C45 MC257

admin (Site Admin)
Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
Posted: 14 Apr 2026, 10:26
The good news is that the aggressive botnets slowed down to a reasonable level in the past few weeks. That's a relief. We are only blocking ~140K IPs on average from the usual suspicious probes/scans/hits.

The (soon-to-be) bad news is that the test Forum on the news server was only up for a few weeks before being put offline... But we are already getting constant hits from botnets to harvest everything under the sun they can take from the forum.

Since the forum is offline, I block these obviously impossible hits on non-existing URLs with impossible referrer URLs. And we are already blocking ~300K IPs even though there is *nothing* to harvest there anymore!

I guess any website identified as a phpBB3 forum will be put on the "archive it all" botnet list

Julien
_________________ HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G MSD4 MSC-4000 R2144 PONTUS II C45 MC257
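
The rule described in the post above (hits on URLs of an offline forum, arriving with referrers that could not exist) can be run over access logs as follows. This is an added example, not part of the original post or the site's actual configuration; it assumes combined-format logs, and the host name, path prefix, `min_hits` threshold and sample lines are hypothetical or constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions (not from the post): combined log format, and the retired
# forum lived under this hypothetical host and path prefix.
OFFLINE_HOST = "forum.example.org"
OFFLINE_PREFIX = "/forum/"

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def impossible_referer(referer):
    """True when the Referer claims a link was clicked on the offline forum."""
    parts = urlsplit(referer)
    return parts.hostname == OFFLINE_HOST and parts.path.startswith(OFFLINE_PREFIX)

def classify(line):
    """Return (ip, reason) for a hit on a dead forum URL, else None."""
    m = LINE_RE.match(line)
    if not m or not m["path"].startswith(OFFLINE_PREFIX):
        return None
    if impossible_referer(m["referer"]):
        return m["ip"], "dead-url+dead-referer"
    return m["ip"], "dead-url"

def blocklist(lines, min_hits=2):
    """IPs with an impossible referer (listed at once) or repeated dead-URL hits."""
    hits, certain = Counter(), set()
    for ip, reason in filter(None, map(classify, lines)):
        hits[ip] += 1
        if reason == "dead-url+dead-referer":
            certain.add(ip)
    return sorted(certain | {ip for ip, n in hits.items() if n >= min_hits})

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [14/Apr/2026:10:01:02 +0900] "GET /forum/viewtopic.php?t=123 HTTP/1.1" 404 0 "https://forum.example.org/forum/viewforum.php?f=2" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:01:03 +0900] "GET /forum/index.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:01:09 +0900] "GET /forum/memberlist.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [14/Apr/2026:10:02:00 +0900] "GET /forum/index.php HTTP/1.1" 404 0 "https://www.google.com/" "Mozilla/5.0"',
    '192.0.2.80 - - [14/Apr/2026:10:02:05 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(blocklist(SAMPLE))
```

A single dead-URL hit arriving from a search result (the `192.0.2.44` line) stays off the list, since a person following a stale link looks the same; only the impossible referrer or repetition triggers a block.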