homepage Welcome to WebmasterWorld Guest from 54.227.40.166
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld
Home / Forums Index / WebmasterWorld / Community Building and User Generated Content
Forum Library, Charter, Moderators: rogerd

Community Building and User Generated Content Forum

This 37 message thread spans 2 pages: 37 ( [1] 2 > >     
Huge increase in spammers lately
phpBB accounts
buksida




msg:3095571
 5:49 am on Sep 25, 2006 (gmt 0)

Anyone else noticed a massive increase in automated spammers on phpBB lately? I run two unrelated forums and the same accounts are appearing in both, many don't even have a URL just stupid stuff in the interests, location etc fields such as "work" or "student", location is mostly "USA".

I now have to spend at least an hour a day deleting these poxy things, i have taken a few measures to stop bots such as removing memberlist.php, removing the website field in the registration form, enabling captcha etc but still they come. Anymore ways to stop them? At this rate there are 8-12 per day in six months it will be a fulltime job deleting them!

 

martinibuster




msg:3095596
 6:29 am on Sep 25, 2006 (gmt 0)

Use a wildcard to ban certain domains used for registering as their email address.

Although some spammers use proxies, not all of them do. Ban entire ranges from certain countries. For instance, if you see an IP from an inept spammer, don't just ban that IP, ban the entire ISP range listed in the whois.

Every day visit your Admin Panel Userlist and sort it by active. The inactives will show up first. Note suspicious email boxes and wildcard ban them. Delete all the suspicious ones that are non-active.

I think I've made a dent by doing the above. The war is not won, however. Probably a more sophisticated method for banning bad bots would work.

AlexK




msg:3096571
 9:29 pm on Sep 25, 2006 (gmt 0)

The following is a little long, but may help:
#!/usr/bin/php
<?php
/* remove_not_activated_forum_users.php
* cron-job to rid phpBB2 board of users that are not activated.
*
* Assumptions:
* 1 An include file that collects all the connection details together:
* eg:
$dbms= 'mysql4';
$dbhost= 'localhost';
$dbname= 'phpBB_name';
$dbuser= 'phpBB_user';
$dbpasswd= 'phpBB_password';
*
* (ps put a `require_once()' into \config.php referring to this file)
* ( to get all sensitive info out of the public web space )
*
* 2 a $HOME/.my.cnf file, which contains (at minimum):
[client]
password=mysql_root_user_password
*
* Make read-only user-only (chmod 400 .my.cnf)
*
* 3 The board is set up to require both non-anonymous posts + activation
* 4 This utility is cron-tabbed for daily activation
* (on redhat systems, in /etc/cron.daily/)
*/
;
require_once( '/server/path/to/connection/include.file' );
;
$CNX = @mysql_connect( $dbhost, $dbuser, $dbpasswd )
or die( '<p>Cannot connect to the Database-server at this time.</p><p>Try again later.</p>' );
@mysql_select_db( $dbname, $CNX )
or die( '<p>We have a problem, Houston.<br />Database-server connection was established, but not to the database itself.</p>' );
;
// obtain user-id of non-activated users over 3 days old
$sql= "SELECT user_id
FROM `users`
WHERE user_active < 1 AND
username!= 'Anonymous' AND
TO_DAYS(NOW()) - TO_DAYS(FROM_UNIXTIME(user_regdate)) >= 3";
;
if(!( $result = mysql_query( $sql, $CNX ))) {// sanity check
die( "Database failure; SQL=$sql" );
} else while( list( $user_id ) = mysql_fetch_row( $result )) {
// obtain group_id
$sql= "SELECT g.group_id
FROM `user_group` ug, `groups` g
WHERE ug.user_id = $user_id
AND g.group_id = ug.group_id
AND g.group_single_user = 1
LIMIT 1";
;
$group_id = mysql_result( mysql_query( $sql, $CNX ), 0 );
if(!$group_id ) {// sanity check
die( "Database failure; SQL=$sql" );
}
;
$sql = "DELETE FROM `users`
WHERE user_id = $user_id";
if(!( mysql_query( $sql, $CNX ))) {// sanity check
die( "Database failure; SQL=$sql" );
}
;
$sql = "DELETE FROM `user_group`
WHERE user_id = $user_id";
if(!( mysql_query( $sql, $CNX ))) {// sanity check
die( "Database failure; SQL=$sql" );
}
;
$sql = "DELETE FROM `groups`
WHERE group_id = $group_id";
if(!( mysql_query( $sql, $CNX ))) {// sanity check
die( "Database failure; SQL=$sql" );
}
;
$sql = "DELETE FROM `sessions`
WHERE session_user_id = $user_id";
if(!( mysql_query( $sql, $CNX ))) {// sanity check
die( "Database failure; SQL=$sql" );
}
;
$sql = "DELETE FROM `sessions_keys`
WHERE user_id = $user_id";
if(!( mysql_query( $sql, $CNX ))) {// sanity check
die( "Database failure; SQL=$sql" );
}
}// while( $row = $db->sql_fetchrow( $result )) (user_id)
?>

Note: `;' (semi-colons) have been inserted into empty lines to prevent this board from changing the text-size.

My site uses the above utility daily.

martinibuster




msg:3096631
 10:11 pm on Sep 25, 2006 (gmt 0)

The problem with automatically removing non-active members is that some of them, especially AOL users, never received their activation email because it was spam blocked.

So sending them a second note usually brings them back in. Happens with Hotmail and Yahoo email, too.

The other issue is with spam blockers that email you back asking to click a link.

AlexK




msg:3097186
 9:09 am on Sep 26, 2006 (gmt 0)

The problem with automatically removing non-active members ...

All true. Also, my root email fills up with bounced email notices (from PostFix) from those that cannot spell their own email address, and thus never receive the activation email.

The basic issue is, as the Board maintainer, do you insist on activation before an account can be used? If the answer is "Yes" (and for me it's a no-brainer, with all the spam around) then the routine is useful. If "No", then it is not.

PS
The one problem with the script is that, by default, PHP always sends a Content-type header, so there is always unnecessary output. There is a means to switch this off, though I'm not sure how. That needs adding to the script.

moishe




msg:3098285
 10:09 pm on Sep 26, 2006 (gmt 0)

I am thinking the best solution in my case would be to just remove "web site" from the memberlist and profile, I have already dis-allowed signatures.

Anyone know how to do this?

It is sad that I am considering dumping my little forum just because I am sick of deleting 20 signups a day.

Another cool feature would be if I could remove multiple users at once:)

buksida




msg:3098765
 9:35 am on Sep 27, 2006 (gmt 0)

I am thinking the best solution in my case would be to just remove "web site" from the memberlist and profile,

I have already done this, it makes no difference becuase they are bot signups, some get round it and add the website anyway. Most annoying.

martinibuster




msg:3100008
 4:11 am on Sep 28, 2006 (gmt 0)

Yes, I've removed the entire signature field, and removed the website field entirely from every section that it appears in, including the registration page to the posting page.

It's simple to do. Take a look at the page the field exists on, then find the corresponding .tpl file and edit out the html (sometimes take out a <tr> or else a <td> - Whichever way you wish.). It's like editing a webpage. The files can be found here:

templates > subSilver >

For instance, if you want to edit the Profile page, the file in the address bar says, profile.php?mode=viewprofile. So in this case open up the corresponding file which is: profile_view_body.tpl

In the case of the individual posts, the file name is viewtopic.php. So you look for the file named, viewtopic_body.tpl and edit away like it's a regular html page.

You then scan through the code looking for the appropriate fields to delete. Do this for every page there is an instance of a web link you want to eliminate. You can even remove the entire website column from the memberlist page. It's easier to do than you think.

This isn't going to stop your spam problem but it will at least eliminate the chance that your forum may get penalized for linking to bad neighborhoods. ;)

AlexK




msg:3100338
 12:00 pm on Sep 28, 2006 (gmt 0)

For the sake of future updates, it is a very good idea to place a unique piece of comment above/below the edit, which can be searched for at a later time.

To example, I use:
<!-- Mod by AK 2006-08-05 -->
<!-- Add Google Adsense + Casale Media SkyScrapers on lhs -->
-- (the changes) --
<!-- End Add Google Adsense SkyScraper on lhs -->

The 'unique comment' is "Mod by AK", which can be searched on to find all changes. As phpBB2 makes continual updates, I can do a diff between the new pages and the old, and quickly see which are my changes, and which are phpBB2's changes.

moishe




msg:3100525
 3:07 pm on Sep 28, 2006 (gmt 0)

Thank you martinibuster, that is exactly what I needed.

androidtech




msg:3109152
 4:47 am on Oct 5, 2006 (gmt 0)

I've had to resort to coding to fight the link spammers on my phpBB boards; regular expression checks on various member profile fields. Now I get one or two per day at most.

My next tactic will be to add my own custom question to the sign up like "type this (randomly picked) word in the box below". I'm betting that will be enough to disrupt the bots.

I'm guessing the spammers are buying there own servers now because for the first time I'm seeing waves of gobbledygook domain names like "rxy38.com", etc.

Anybody know how they are getting around the CAPTCHA (visual confirmation) check?

linear




msg:3109715
 4:11 pm on Oct 5, 2006 (gmt 0)

I suspect they are using people to register, and the people are supported by some kind of script that identifies and enqueues sites. It may still be scripts posting.

I have a thread in here where I changed the URIs of the registration pages to non-standard values, and the pace of spam signups did not slacken at all. I had already used email confirms (you must provide a valid email account, then visit the confirmation url in the message the board sends to that account before you can post), so I'm pretty convinced we are not dealing with purely automation here.

I discovered a few IP addresses coming from well-known hosting centers, and denied these blocks, figuring I'd lose no genuine users by doing so. Interestingly, this seems to have been the most effective countermeasure for me. I think you are right about the move toward registering domains and buying hosting for the express purpose of supporting the registration process for forum spamming accounts.

Meaningless stats:
out of my last 152 registrations, 34 were genuine (which requires some judgement on my part, but the number of non-posting genuines included here is 2). That's 22%. I was at 5% genuine for a while before installing some countermeasures though. So that suggests countermeasures may have succeeded in blocking as many as 562 spammer registrations (34/0.05 - (152 - 34)). Hard to tell what it really means though.

buksida




msg:3110570
 5:49 am on Oct 6, 2006 (gmt 0)

I've just spent the last hour and a half deleting these accounts, anything now with a website gets deleted (since I've removed it from the registration form I can conclude these are bots).

We get the occasional one that actually posts something but thats quite rare, besides the mods are vigilant with this.

Its the others that have no URL, no valid email account and just crap in the location, sig and interests fields. There are loads of these null accounts that are skewing the board stats, I cant really claim we've got 2,000 members if 60% of them are spam accounts.

Is there anyway or script to automatically delete an account after say a week if the activation hasnt occurred?

maccas




msg:3110624
 7:33 am on Oct 6, 2006 (gmt 0)

There is also a hack to add a extra field and to also make this required, I use this and add a check box and name it something like xyz and change the name every so often.

AlexK




msg:3110958
 1:49 pm on Oct 6, 2006 (gmt 0)

buksida:
Is there anyway or script to automatically delete an account after say a week if the activation hasnt occurred?

Don't you read previous messages?

Msg 3 (2 down from your OP).

camweh




msg:3111805
 4:35 am on Oct 7, 2006 (gmt 0)

FWIW: Some time ago I changed my phpbb forum's default style to another which had visual confirmation at sign-up. I kept the original popular style (with no VC) available and selectable after registration was activated.

Auto registering spammers somehow were able to select that older style at sign-up and by-passed the visual confirmation on the default style. They were the only ones who selected that style at sign-up. For that and many other reasons they were easy to spot. They languished in nothingness till I booted them - the MODs I have in place ensures they don't appear to anyone except me.

So perhaps anyone who has a few styles on their phpbb forums should make sure they all have Visual Confirmation.

incrediBILL




msg:3111864
 6:54 am on Oct 7, 2006 (gmt 0)

For starters, phpBB is a pile of weakly coded garbage being abused in every way possible as stopping some of these problems aren't terribly difficult yet it continues unabated. I'd recommend switching to vBulletin as many have, but that's another thread.

Martinibuster's patch is OK, but here's a simpler solution without hacking up your site and removing features:

Modify your robots.txt and put a link condom on the profile page:
User-agent: *
Disallow: /profile.php

Putting a link condom on that page keeps the SE's out, so the spamming of the members page has ZERO VALUE, yet members can still see each others links. Next, I would doubly make sure and stick NOFOLLOW on all the links in profile.php, and then it's safe to run that pile of junk without giving member profiles, especially spamming members, any PR leakage.

Then I would run AlexK's script on a cron job daily to purge the jerks.

Enjoy.

[edited by: incrediBILL at 6:59 am (utc) on Oct. 7, 2006]

AlexK




msg:3112590
 12:59 am on Oct 8, 2006 (gmt 0)

incrediBILL:
For starters, phpBB is a pile of weakly coded garbage being abused in every way possible

I like it precisely because it gets tested by every spammer under the moon. Untested code is unsafe code.

(Notice how I glossed over the "weakly coded garbage")

kpaul




msg:3112593
 1:02 am on Oct 8, 2006 (gmt 0)

heh. cool site idea - a place webmasters could share their email ban lists...

rogerd




msg:3114054
 1:48 pm on Oct 9, 2006 (gmt 0)

"Nofollow" as a link attribute may reduce or eliminate the value of the link to spammers, but that doesn't mean that they won't keep making spam registrations or posts. Unfortunately, it's easier for them to shotgun every site they find than to try to distinguish which links are actually good ones. Nevertheless, it's a good idea to use this attribute as it does prevent any gains by spammers and also (presumably) reduces your "bad neighborhood" risk.

nathanso




msg:3115076
 4:32 am on Oct 10, 2006 (gmt 0)

I've been automatically adding nofollow to all links on my forums and the spam still comes. I added a captcha and it still comes.

I'm convinced it's scripted with human-assist i.e. the script pre-fills all fields except the captcha; then the boiler room monkey enters the captcha, clicks submit, and earns 1/10th of a cent.

Perhaps this work qualifies as an entry-level IT job in parts of Asia?

incrediBILL




msg:3115124
 5:42 am on Oct 10, 2006 (gmt 0)

Have you tried embedding the captcha in obfuscated javascript document.write()'s yet?

That slows 'em down quite a bit as the spambots don't tend to use javascript so they won't even render the page with a captcha or know what in the heck is going wrong.

Then you'll find out just how much hand spam you're really getting.

LostOne




msg:3115369
 12:08 pm on Oct 10, 2006 (gmt 0)

How are these darned bots are finding phpbb boards? I have the same problem. Wouldn't it help if you just remove all signs that it's a Phpbb board?

linear




msg:3115399
 12:58 pm on Oct 10, 2006 (gmt 0)

I'm convinced it's scripted with human-assist

I completely agree. Why waste time scripting to break the CAPTCHA when you can just hire the work cheaply. It has the effect of negating the CAPTCHA no matter how elegant or obfuscated you make it.

incrediBILL




msg:3115713
 5:43 pm on Oct 10, 2006 (gmt 0)

It has the effect of negating the CAPTCHA no matter how elegant or obfuscated you make it.

I think you missed the point that if it's just human assist, the spambot won't know there's a captcha for that human to assist if the captcha isn't visible to the spambot.

You can modify things to easily confuse these bots because they work on the premise that you're running some common software with common anti-spam options and it's not so hard to code around things that everyone is using.

Requiring javascript enabled has been one of the best show stoppers I ever implemented because HUMAN ASSIST means a human has to do the whole thing, the spambot is useless.

incrediBILL




msg:3115749
 6:08 pm on Oct 10, 2006 (gmt 0)

FWIW, here's my layers of security keeping the spam out at the moment:

1. POST vs GET, if it's a GET we toss it

2. REFERER, submissions with no referrer get tossed

3. JAVASCRIPT, if you don't have the cookie set by our javascript, buh bye

4. MORE JAVASCRIPT, forms and other things are hidden from spambots in scripts the bot can't read, oopsie, later bot...

5. CAPTCHA, stops lame spambots and confuses the rest that might blow thru why their spam still doesn't show up, oh wah!

6. NEGATIVE FILTER, take your pills, gambling and hypnotherapy elsewhere, ta ta

7. NO HTML and URLs, if you're a new member ( < 20 posts? ) anything with HTML or URLs in the post is rejected or moderated automatically. No spam is allowed as spam requires links, no links, no spam.

8. OFF TOPIC FILTER, if the post doesn't contain typical topic words used on the site or the original post in a reply, and you're a new member, it gets moderated. This appears to stop most, if not all, of the human assisted hand spam at least to the point that it's moderated and nobody ever sees it.

That's it, I look to see what's in moderation once a day, which is usually less that 5 things as #7, rejecting newbie posts with HTML/URL, stops virtually 100% of all spam.

What a simple concept, no links, no spam, because without links the spam has no value.

Try it, you'll like it!

Way more effective than all the other crazy anti-spam stuff as it takes the teeth out of the spam.

linear




msg:3116005
 9:12 pm on Oct 10, 2006 (gmt 0)

I think you missed the point that if it's just human assist, the spambot won't know there's a captcha for that human to assist if the captcha isn't visible to the spambot.

Not exactly, I just disagree with the premise. Why wouldn't the assist script just render the page with the CAPTCHA in a frame, and let the human parse it?

The spambot doesn't have to "know" anything, just set up the queue of registration pages and present them in a browser to the human one at a time.

incrediBILL




msg:3116105
 10:54 pm on Oct 10, 2006 (gmt 0)

Your premise is possible but highly unlikely as I get hundreds of spam hits a day and they get zapped, they aren't getting through whatsoever.

We can open this issue again when I start getting spam past all my traps ;)

moishe




msg:3139289
 1:05 am on Oct 30, 2006 (gmt 0)

After removing the website field I was still getting about 20 bot signups a day so I started digging for something better...

On the forum for PHPBB, I found out how to add a non-standard item to the registration page, it is a simple question, "are you a human", failure to answer yes causes the registration to fail. I did the update a couple days ago and thus far have seen no more bot signups...

M

moishe




msg:3144120
 8:44 pm on Nov 2, 2006 (gmt 0)

Update:
Still no bot signups, one obvious human spammer deleted.

This 37 message thread spans 2 pages: 37 ( [1] 2 > >
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Community Building and User Generated Content
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved