Gambling spam bots on forgejo #9

Closed
opened 2026-03-28 12:15:02 -04:00 by Ghost · 7 comments

There are several bots on Forgejo, mostly using mailmenot.io emails (except for one I've seen), creating various spam repositories related to a specific gambling site. This site will not be named here; there appear to be several URLs.

  • They seem to use AI-generated biographies to seem like legitimate users.
  • They link to a random site, sometimes through Google to a notepad site, sometimes directly to the scam site.
  • Some accounts from that domain don't create repositories.

Forgejo has an option `EMAIL_DOMAIN_BLOCKLIST` to block domains, but I am unsure if the bots will just use another domain. I would also send a PR to block it but, due to your setup to publish this, it would likely be difficult to add back to the configuration.

Owner

I tried adding a blocklist entry, we'll see what happens.


There seems to be more now, mostly for sites in southeast Asia. Is there some kind of captcha to block them?

Owner

The image captcha provided in Forgejo seems to be ineffective in stopping these.

Owner

Some heuristics for the spammers:

  • Accounts often have emails from the same domain, but these rotate often.
  • Likely a common username scheme but I forgot it. (edit, forgot this originally)
  • Accounts have a `FirstName LastName` display name scheme, description advertising a service, and website link.
  • Either no repos, or an empty repo with a singular wiki page.
  • Most accounts are probably only signed into and used once.
  • Headless browsers are most likely in use, as JS challenges seem solvable to them (we should avoid these, though for registration it's not a big deal).

Things I've neglected to find:

  • Headers, if any are interesting.
  • In-use browser(s).
  • In-use IP addresses and ranges.
  • Passwords used by the spambots - now that I think about it, these could help a lot (especially if I can just craft a regex to catch them all lmfao).

Ideally I won't have a captcha at all, though a simple text one could suffice. Of course, captchas relying on external services, especially also proprietary scripts, are a no-no.
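
The account heuristics listed in the comment above, combined into a batch triage score. This is an added example, not part of the original thread and not the owner's filter; the record field names, sample accounts and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not real accounts). Field names are assumptions
# for this sketch, not Forgejo's database or API schema.
ACCOUNTS = [
    {"login": "bot1", "email": "a@tempmail.example", "full_name": "Mary Stone",
     "description": "Top rated service", "website": "https://promo.example/a",
     "repos": 0, "repo_empty": False, "wiki_pages": 0, "logins": 1},
    {"login": "bot2", "email": "b@tempmail.example", "full_name": "John Reed",
     "description": "Trusted service", "website": "https://promo.example/b",
     "repos": 1, "repo_empty": True, "wiki_pages": 1, "logins": 1},
    {"login": "bot3", "email": "c@tempmail.example", "full_name": "",
     "description": "", "website": "",
     "repos": 0, "repo_empty": False, "wiki_pages": 0, "logins": 1},
    {"login": "alice", "email": "alice@corp.example", "full_name": "Alice Doe",
     "description": "", "website": "",
     "repos": 4, "repo_empty": False, "wiki_pages": 0, "logins": 40},
    {"login": "newbie", "email": "bob@mail.example", "full_name": "Bob Ray",
     "description": "", "website": "",
     "repos": 0, "repo_empty": False, "wiki_pages": 0, "logins": 1},
]

NAME_RE = re.compile(r"[A-Z][a-z]+ [A-Z][a-z]+")  # "FirstName LastName"

def domain_of(acct):
    return acct["email"].rsplit("@", 1)[-1].lower()

def reasons(acct, domain_counts, cluster_min=3):
    """Return the heuristics from the list above that this account matches."""
    hits = []
    if domain_counts[domain_of(acct)] >= cluster_min:
        hits.append("shared-email-domain")
    if NAME_RE.fullmatch(acct["full_name"]) and acct["description"] and acct["website"]:
        hits.append("name+bio+link")
    wiki_only = acct["repos"] == 1 and acct["repo_empty"] and acct["wiki_pages"] == 1
    if acct["repos"] == 0 or wiki_only:
        hits.append("no-repo-or-wiki-only")
    if acct["logins"] <= 1:
        hits.append("single-login")
    return hits

def flag(accounts, threshold=3):
    """Map login -> matched heuristics for accounts at or above threshold."""
    counts = Counter(domain_of(a) for a in accounts)  # per batch: domains rotate
    flagged = {}
    for acct in accounts:
        hits = reasons(acct, counts)
        if len(hits) >= threshold:
            flagged[acct["login"]] = hits
    return flagged
```

Requiring several signals at once keeps a new legitimate user with no repositories (`newbie` in the sample) out of the flagged set, and returning the matched reasons makes each flag reviewable before any account is removed.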

Owner

The usernames and passwords are both quite predictable. Also note that sometimes they register login separately, they set a location too but sometimes forget to set any info, but I don't use this info so far.
Anyway I added an experimental filter, let's see if it works!

Owner

I think the outlier char is always one of `*:!_.-+` though I could be wrong.

Owner

I suppose this can be closed for now.


Reference
chipmunk.land/misc#9