Setting up spam protection

Hello Forum
I wanted to ask what mechanisms Teamspeak 3 offers to make life difficult for spammers.
So far I have set up that you have to set yourself in a role and only then you can fully interact with others - but unfortunately this is not enough.

I have been fighting on my own server and on some servers I support for months against spammers who claim the server is getting a new IP. To give the lie even more weight, we are usually experiencing a Denial of Service Attack afterwards, for which our provider was so pleased that we now have a deadline to get the problem under control, otherwise we will be kicked out.

Primarily I was looking for what other server admins are doing to block spammers - or are we alone with the problem and this is a targeted attack against us only*, or is this currently a problem that other server admins are facing?

If there are any questions to me, the servers etc., just ask - I will try my best to answer them.

*In this case I also ask for feedback. We are considering filing a criminal report with one of the servers, because in Germany a Denial of Service attack is a criminal offence and can be prosecuted. According to WHOIS the IPs that attacked us are all from the EU zone.

Hi, I feel these problems as a server admin too.

Make sure that the default server group doesn’t allow sending text messages, so the spammer cannot share their server IP addresses.

In this case, your provider is not prepared for DDoS attacks. My suggestion is to switch to another primary server hosting provider, who does also fully support anti DDoS options. (e.g. OVH is very strong)

You (as a customer) cannot avoid these DDoS attacks, and also you can’t kick the attackers out, because you don’t know who’s attacking your server.

I had much experience with this in the past 8 months. Suddenly, you can report the IP addresses of course, but you cannot find out who’s basically the real attacker. Since the DOS attack is distributed, there are too many computers connected to your network & for sure… trying to hit your server down.

The DDoS attackers don’t give a single damn about a “criminal report”. And also, the probability that this will solve all your DDoS problems is very low. You truly need to protect your server, by a good hosting provider and a configured firewall… and don’t forget some applications like “Fail2Ban”, they could also be useful.


How I blocked the spammer on my servers? Well honestly, I need to say that even during all my actions, the server still isn’t 100% safe but some properties could help you…

  • Disable text messaging on default server groups
  • Disable channel text chat in general
  • Ban usernames like “Admin”, “A.D.M.I.N.”, “Owner” or “NEW SERVER…”
  • Don’t mess with DDoS attackers! They could be very dangerous.
  • (Pull yourself a bit back from these people)

Note: DDoS attackers have no respect for all the work which the server admin did, who made this server how it is! They just wanna destroy your work and that’s it, they don’t care about anything else.

And it could also be great when TeamSpeak will finally remove this awful IP2Location database.
See this: Please remove IP2Location from your GEO location Database

Hope I could help ya so far

2 Likes

Thank you very much first of all for this detailed answer, I am a little relieved that we are not the only ones.

Short side note about the provider: There is a DDOS protection in place but according to the provider: 1-2 attacks per month are normal, we have already achieved around 20 attacks just in May. But I have no idea in this area, is that a lot or not?

The provider or the agent of the customer service probably also assumes that the incoming attacks take place because we have annoyed somebody - I will definitely try to talk to them again, we are very satisfied there so far and I have little desire to move a ton of game servers because of a voice server…

Nothing else expected, we will probably still take legal action if the provider wants the Snake Oil.
Firewall is in place but I just ordered a colleague to review its settings closely asap. For Fail2Ban it’s the same - I will get back to the thread as soon as I get a response from him :slight_smile:

I think, setting up a control bot is not a bad idea. I’ll take a look at it tomorrow, get it all on.
I’ve got plenty of samples for usernames.

I’ve often heard that there are IP lists and plugins that recognize when a request comes from a VPN or proxy or from an address that is well known for spamming / DDoS. Do you think it makes sense to use such lists or do I rather shoot myself in the foot as I might exclude legitimate visitors?
Thanks again for the comprehensive response!

1 Like

Well on my server… we’re getting like 50 DDoS attacks every month on the primary server, and there are also other proxy servers from us which are getting DDoS attacked like 3-5 times on a day.

But that’s only because we’re popular somehow in other regions, also that we’re an international network can take place in that. (+75’000 unique users were registered)

So you had like 1 or 2 DDoS attacks in a month and it suddenly switched to 20? Well that’s a high difference. Well for you, it could be much but no idea if your server can deal with these attacks.

And when your hoster said that they’re gonna kick you out due to heavy DDoS attacks, that means that they cannot handle these attacks anymore. They usually cause a big damage too.

Yeah… guess you should urgently talk with them once again.

Maybe it can help you way more to get these providers into a legal process, to reduce it^^
And of course, it would be a good idea to have your firewall checked by other people, maybe they can improve it too.

To fully block a name, you need to stick to this format:

As an example to block “Admin” in ALL ways, use this format: .*[Aa][Dd][mM][iI][nN].*

…and don’t forget to set it as a Regular Expression. ^^

It does matter a lot where your users come from. Do you lead an international community or is it only in your country? When you block proxy addresses then it cannot cause a big damage, because legit users will not be marked for proxy detections.

Also, you need to stay careful when you try to block whole countries - legit users can also get affected from it, but hopefully not so.

Maybe a little kind of risk, otherwise it’s a good list.

DDoS attackers will never stop easily, when they HATE you directly. You can only protect yourself from them, since long experience I’ve just figured out that they’ve no grace.

1 Like
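An added example, not part of the thread and not TeamSpeak code: it checks the name pattern from the post above against constructed nicknames, shows that it misses separator-obfuscated forms such as “A.D.M.I.N.”, and builds a separator-tolerant variant while listing the legitimate names each rule would also ban. Assumptions: Python's `re` stands in for the server's regex engine, the rule must match the whole nickname, and the helper names and sample nicknames are made up for illustration.

```python
import re

# Pattern quoted in the post above.
PAGE_PATTERN = r".*[Aa][Dd][mM][iI][nN].*"

# Characters tolerated between letters (assumption: the usual obfuscation
# separators; the hyphen is last so it is literal inside the class).
GAP = "[ ._-]*"

def separator_tolerant(word):
    """Build a ban pattern for `word` that ignores case and allows
    separators between its letters, e.g. "A.D.M.I.N."."""
    parts = []
    for ch in word:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch.isdigit():
            parts.append(ch)
        # any other character in `word` is already covered by GAP
    return ".*" + GAP.join(parts) + ".*"

def is_banned(name, patterns):
    """True if any pattern matches the whole nickname (assumption: the
    rule is applied to the full name, hence the surrounding .*)."""
    return any(re.fullmatch(p, name) for p in patterns)

def audit(names, patterns):
    """Return the nicknames a rule set would ban, for review before rollout."""
    return [n for n in names if is_banned(n, patterns)]

# Constructed sample nicknames: impersonators plus legitimate users.
SAMPLES = ["Admin", "xX_aDmIn_Xx", "A.D.M.I.N.", "A d m i n", "NEW-SERVER",
           "Owner", "Badminton_Fan", "Brad Minor", "Vladimir"]

if __name__ == "__main__":
    rules = [separator_tolerant(w) for w in ("admin", "owner", "new server")]
    print("page pattern bans: ", audit(SAMPLES, [PAGE_PATTERN]))
    print("tolerant rules ban:", audit(SAMPLES, rules))
    for r in rules:
        print(r)
```

Running the audit against a list of real member nicknames before adding a rule shows collisions such as “Badminton_Fan” or “Brad Minor” in advance.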

Thank you for this tip - I wasn’t aware that it’s possible to ban regex terms in first place. I thought I have to setup an external control bot first but this is a really clean solution without extra containers to care about.

Our servers are located in the Netherlands (due to lower costs) but users are mainly from EU-Zone but we regularly have users from all over the world. Nah, I think a list would do more harm than good.

Thanks for your tips so far, everything is still open with the upper things, but I think nothing will happen before Monday.
I’m going to set up some regex rules and see what happens.

Thank you very much, I’ve added both tips; IP and the domains - thank you very much again.

Had a nice phone call with the provider today, the support passed the ticket on to the head of support and he explained to me that they don’t have such a good DDoS protection and it would be better for both sides if we change the provider.

However, due to the circumstances, I am able to get out of the contract faster and also get assistance with the move, so that the downtime doesn’t last for too long.

I will have a look at other providers, I think and hope that everything will be better with the change, a better DDoS Protection, the new ban rules and the changed group rights.
So far I have received only positive feedback from the users.

Thanks again to @MCG for the extensive help and @FakE for the regex rules - they helped a lot!

3 Likes