chipmunk.land/misc
2
0
Fork 1
Code Issues 13 Pull requests Projects Releases Packages Wiki Activity Actions

Forgejo spammers/spambots #9

New issue
Open
opened 2026-03-28 12:15:02 -04:00 by Ghost · 8 comments
Ghost commented 2026-03-28 12:15:02 -04:00
Copy link

There are several bots on forgejo, mostly using mailmenot.io emails (except for one i've seen), creating various spam repositories related to a specific gambling site. This site will not be named here, there appear to be several urls.

  • They seem to use AI-generated biographies to seem like legitimate users.
  • They link to a random site, sometimes through Google to a notepad site, sometimes directly to the scam site.
  • Some accounts from that domain don't create repositories.

Forgejo has an option EMAIL_DOMAIN_BLOCKLIST to block domains, but I am unsure if the bots will just use another domain. I would also send a PR to block it but, due to your setup to publish this, it would likely be difficult to add back to the configuration.

There are several bots on forgejo, mostly using mailmenot.io emails (except for one i've seen), creating various spam repositories related to a specific gambling site. This site will not be named here, there appear to be several urls. - They seem to use AI-generated biographies to seem like legitimate users. - They link to a random site, sometimes through Google to a notepad site, sometimes directly to the scam site. - Some accounts from that domain don't create repositories. Forgejo has an option `EMAIL_DOMAIN_BLOCKLIST` to block domains, but I am unsure if the bots will just use another domain. I would also send a PR to block it but, due to your setup to publish this, it would likely be difficult to add back to the configuration.
chipmunkmc commented 2026-03-28 15:12:09 -04:00
Owner
Copy link

I tried adding a blocklist entry, we'll see what happens.

I tried adding a blocklist entry, we'll see what happens.
Ghost commented 2026-03-31 04:59:53 -04:00
Copy link

There seems to be more now, mostly for sites in southeast Asia. Is there some kind of captcha to block them?

There seems to be more now, mostly for sites in southeast Asia. Is there some kind of captcha to block them?
chipmunkmc commented 2026-05-16 00:52:55 -04:00
Owner
Copy link

The image captcha provided in Forgejo seems to be ineffective in stopping these.

The image captcha provided in Forgejo seems to be ineffective in stopping these.
chipmunkmc commented 2026-05-16 02:22:35 -04:00
Owner
Copy link

Some heuristics for the spammers:

  • Accounts often have emails from the same domain, but these rotate often.
  • Likely a common username scheme but I forgot it. (edit, forgot this originally)
  • Accounts have a FirstName LastName display name scheme, description advertising a service, and website link.
  • Either no repos, or an empty repo with a singular wiki page.
  • Most accounts are probably only signed into and used once.
  • Headless browsers are most likely in use, as JS challenges seem solvable to them (we should avoid these, though for registration it's not a big deal).

Things I've neglected to find:

  • Headers, if any are interesting.
  • In-use browser(s).
  • In-use IP addresses and ranges.
  • Passwords used by the spambots - now that I think about it, these could help a lot (especially if I can just craft a regex to catch them all lmfao).

Ideally I won't have a captcha at all, though a simple text one could suffice. Of course, captchas relying on external services, especially also proprietary scripts, are a no-no.

Some heuristics for the spammers: * Accounts often have emails from the same domain, but these rotate often. * Likely a common username scheme but I forgot it. (edit, forgot this originally) * Accounts have a `FirstName LastName` display name scheme, description advertising a service, and website link. * Either no repos, or an empty repo with a singular wiki page. * Most accounts are probably only signed into and used once. * Headless browsers are most likely in use, as JS challenges seem solvable to them (we should avoid these, though for registration it's not a big deal). Things I've neglected to find: * Headers, if any are interesting. * In-use browser(s). * In-use IP addresses and ranges. * Passwords used by the spambots - now that I think about it, these could help a lot (especially if I can just craft a regex to catch them all lmfao). Ideally I won't have a captcha at all, though a simple text one could suffice. Of course, captchas relying on external services, especially also proprietary scripts, are a no-no.
chipmunkmc commented 2026-05-18 18:00:49 -04:00
Owner
Copy link

The usernames and passwords are both quite predictable. Also note that sometimes they register login separately, they set a location too but sometimes forget to set any info, but I don't use this info so far.
Anyway I added an experimental filter, let's see if it works!

The usernames and passwords are both quite predictable. Also note that sometimes they register login separately, they set a location too but sometimes forget to set *any* info, but I don't use this info so far. Anyway I added an experimental filter, let's see if it works!
chipmunkmc commented 2026-05-18 18:17:39 -04:00
Owner
Copy link

I think the outlier char is always one of *:!_.-+ though I could be wrong.

I think the outlier char is always one of `*:!_.-+` though I could be wrong.
chipmunkmc commented 2026-05-18 21:39:54 -04:00
Owner
Copy link

I suppose this can be closed for now.

I suppose this can be closed for now.
chipmunkmc commented 2026-05-31 02:40:22 -04:00
Owner
Copy link

Reopened for tracking.
Also I did see some spam accounts appear a while ago, but after I deleted them they didn't come back. The site certainly stopped getting crapflooded after I implemented my fairly basic filter, yay!
I've seen Forgejo instances with multiple different captcha types get spammed more than this (captcha-less) one right now. Sort of funny how that works.
I also want to say I want to follow the KISS principle when writing the filters for chipmunk.land. Adding filters when the problem has already been solved often just adds false positives, and challenges/captchas/etc are just annoyances that also make the site unusable under some setups. And the simplest filters are often the best (the current ones are only a few lines long).

Reopened for tracking. Also I did see some spam accounts appear a while ago, but after I deleted them they didn't come back. The site certainly stopped getting crapflooded after I implemented my fairly basic filter, yay! I've seen Forgejo instances with multiple different captcha types get spammed more than this (captcha-less) one right now. Sort of funny how that works. I also want to say I want to follow the KISS principle when writing the filters for chipmunk.land. Adding filters when the problem has already been solved often just adds false positives, and challenges/captchas/etc are just annoyances that also make the site unusable under some setups. And the simplest filters are often the best (the current ones are only a few lines long).
chipmunkmc changed title from Gambling spam bots on forgejo to Forgejo spammers/spambots 2026-05-31 02:44:46 -04:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels   
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
filters

   
help wanted
Need some help

  
invalid
Something is wrong

  
question
More information is needed

  
tracking

   
wontfix
This won't be fixed

No labels
bug
duplicate
enhancement
filters
help wanted
invalid
question
tracking
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
chipmunk.land/misc#9
No description provided.