[ABD] ConfusaBOT lite

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

[ABD] ConfusaBOT lite

Post by espicom »

Note: This MOD is not a particularly effective deterrent against spam registrations anymore. The spam bots have gotten smarter since it was developed, and it is not worth installing anymore.

This MOD gives you control over several HTML variables used by the PHPBB registration process, to confuse many (but not all) spam registration bots. It is a "light weight" version of a similar MOD, submitted to the MOD DB, that puts this control into the admin control panel (AC). This one does it through lines in the includes/constants.php script.

Purpose is to change "agreed" and "coppa" HTML variables, so that a bot has to at least fetch your COPPA page to find out how to register on your site. Most will attempt to bypass all of this, and directly POST a request to registration, with the "known" values for all variables. In combination with the Instant Ban MOD, you can stop more than 80% of the spam registrations from working on your board.

It is intended for installation on 2.0.20 or later of PHPBB, although it has been tested with versions as early as 2.0.18.

Code: Select all

##############################################################
## MOD Title: ConfusaBOT
## MOD Author: espicom <[email protected]> Jeff Brenton
## MOD Description: Change "agreed" and "coppa" variables to confuse bots
## MOD Version: 1.0.0
##
## Installation Level: Easy
## Installation Time: ~2 Minutes
## Files To Edit: admin/admin_users.php, 
##                includes/usercp_avatar.php,
##                includes/usercp_register.php, 
##                includes/constants.php
## Included Files: n/a
##############################################################
##############################################################
## Author Notes:
## This MOD makes the "agreed" and "coppa" variables used in the registration screen more 
## easily adjustable, by making them constants defined in includes/constants.php.
##############################################################
## MOD History:
##
##   2005-05-11 - Version 1.0.0
##      - mod created
##############################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
##############################################################
#
#-----[ OPEN ]------------------------------------------
#
admin/admin_users.php
#
#-----[ FIND ]------------------------------------------
# Partial line match. Actual line is much longer.
#
			$s_hidden_fields = '<input type="hidden" name="mode"
#
#-----[ IN-LINE FIND ]------------------------------------------
#
<input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa"
#
#-----[ IN-LINE REPLACE WITH ]---------------------------------------------
#
<input type="hidden" name="'.AGREED_VAR.'" value="'.AGREED_VAL.'" /><input type="hidden" name="'.COPPA_VAR.'"
#
#-----[ FIND ]------------------------------------------
# Partial line match. Actual line is much longer.
#
		$s_hidden_fields = '<input type="hidden" name="mode" value="save"
#
#-----[ IN-LINE FIND ]------------------------------------------
#
<input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa"
#
#-----[ IN-LINE REPLACE WITH ]---------------------------------------------
#
<input type="hidden" name="'.AGREED_VAR.'" value="'.AGREED_VAL.'" /><input type="hidden" name="'.COPPA_VAR.'"
#
#-----[ OPEN ]------------------------------------------
#
includes/usercp_avatar.php
#
#-----[ FIND ]------------------------------------------
# Partial line match. Actual line is much longer.
#
	$s_hidden_vars = '<input type="hidden" name="sid"
#
#-----[ IN-LINE FIND ]------------------------------------------
#
<input type="hidden" name="agreed" value="true" />
#
#-----[ IN-LINE REPLACE WITH ]---------------------------------------------
#
<input type="hidden" name="'.AGREED_VAR.'" value="'.AGREED_VAL.'" />
#
#-----[ OPEN ]------------------------------------------
#
includes/usercp_register.php
#
#-----[ FIND ]------------------------------------------
# Partial line match. Actual line is much longer.
#
		"U_AGREE_OVER13" =>
#
#-----[ IN-LINE FIND ]------------------------------------------
#
&agreed=true"
#
#-----[ IN-LINE REPLACE WITH ]---------------------------------------------
#
&". AGREED_VAR ."=".AGREED_VAL
#
#-----[ FIND ]------------------------------------------
# Partial line match. Actual line is much longer.
#
		"U_AGREE_UNDER13" =>
#
#-----[ IN-LINE FIND ]------------------------------------------
#
&agreed=true&coppa=true"
#
#-----[ IN-LINE REPLACE WITH ]---------------------------------------------
#
&". AGREED_VAR ."=". AGREED_VAL ."&".COPPA_VAR."=true"
#
#-----[ FIND ]------------------------------------------
#
$error_msg = '';
#
#-----[ AFTER, ADD ]------------------------------------------
#

// change to test for new setting of agreed
if ( isset($HTTP_POST_VARS[AGREED_VAR]))
{
	if ($HTTP_POST_VARS[AGREED_VAR] != AGREED_VAL)
		unset($HTTP_POST_VARS[AGREED_VAR]);
}
if ( isset($HTTP_GET_VARS[AGREED_VAR]))
{
	if ($HTTP_GET_VARS[AGREED_VAR] != AGREED_VAL)
		unset($HTTP_GET_VARS[AGREED_VAR]);
}

#
#-----[ FIND ]------------------------------------------
#
if ( $mode == 'register' && !isset($HTTP_POST_VARS['agreed']) && !isset($HTTP_GET_VARS['agreed']) )
#
#-----[ REPLACE WITH ]---------------------------------------------
#
if ( $mode == 'register' && !isset($HTTP_POST_VARS[AGREED_VAR]) && !isset($HTTP_GET_VARS[AGREED_VAR]) )
#
#-----[ FIND ]------------------------------------------
#
$coppa = ( empty($HTTP_POST_VARS['coppa']) && empty($HTTP_GET_VARS['coppa']) ) ? 0 : TRUE;
#
#-----[ REPLACE WITH ]---------------------------------------------
#
$coppa = ( empty($HTTP_POST_VARS[COPPA_VAR]) && empty($HTTP_GET_VARS[COPPA_VAR]) ) ? 0 : TRUE;
#
#-----[ FIND ]------------------------------------------
# Partial line match. Actual line is much longer.
#
	$s_hidden_fields = '<input type="hidden" name="mode" value="
#
#-----[ IN-LINE FIND ]------------------------------------------
#
<input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa"
#
#-----[ IN-LINE REPLACE WITH ]---------------------------------------------
#
<input type="hidden" name="'.AGREED_VAR.'" value="'.AGREED_VAL.'" /><input type="hidden" name="'.COPPA_VAR.'"
#
#-----[ OPEN ]------------------------------------------
#
includes/constants.php
#
#-----[ FIND ]------------------------------------------
#
// Table names
#
#-----[ BEFORE, ADD ]------------------------------------------
#
// Bot confusion variables
// Customize replacement text for your board!
define('AGREED_VAR', "IAmInAgreement");
define('AGREED_VAL', "Yes");
define('COPPA_VAR', "Under13");

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM
Last edited by MHobbit on Fri Apr 27, 2007 7:31 pm, edited 3 times in total.
Reason: Updated topic prefix.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

Post by espicom »

witchfinder_general wrote:
espicom wrote:What version of PHPBB are you adding this to?

I think it's 2.0.18. I have now inserted the script beneath the "}" which ends function show_coppa() but I must have *beep* something up. Although the registration page appears correctly from the Agreement Terms page, after completing the details and clicking submit, the user is simply returned to the Agreement Terms page and the registration does not go through. I guess that's one way of stopping spam registrations ;-) I'll have another look at the files I amended but do you already know what is wrong from this description?


After this modification, lines 46 through 89 of a fresh 2.0.20 copy of usercp_register.php look like this:

Code: Select all

// ---------------------------------------
// Load agreement template since user has not yet
// agreed to registration conditions/coppa
//
function show_coppa()
{
	global $userdata, $template, $lang, $phpbb_root_path, $phpEx;

	$template->set_filenames(array(
		'body' => 'agreement.tpl')
	);

	$template->assign_vars(array(
		'REGISTRATION' => $lang['Registration'],
		'AGREEMENT' => $lang['Reg_agreement'],
		"AGREE_OVER_13" => $lang['Agree_over_13'],
		"AGREE_UNDER_13" => $lang['Agree_under_13'],
		'DO_NOT_AGREE' => $lang['Agree_not'],

		"U_AGREE_OVER13" => append_sid("profile.$phpEx?mode=register&". AGREED_VAR ."=".AGREED_VAL),
		"U_AGREE_UNDER13" => append_sid("profile.$phpEx?mode=register&". AGREED_VAR ."=". AGREED_VAL ."&".COPPA_VAR."=true"))
	);

	$template->pparse('body');

}
//
// ---------------------------------------

$error = FALSE;
$error_msg = '';

// change to test for new setting of agreed
if ( isset($HTTP_POST_VARS[AGREED_VAR]))
{
	if ($HTTP_POST_VARS[AGREED_VAR] != AGREED_VAL)
		unset($HTTP_POST_VARS[AGREED_VAR]);
}
if ( isset($HTTP_GET_VARS[AGREED_VAR]))
{
	if ($HTTP_GET_VARS[AGREED_VAR] != AGREED_VAL)
		unset($HTTP_GET_VARS[AGREED_VAR]);
}

I checked my copy of 2.0.18's usercp_register.php, and it looks the same, so I would guess that there has been another MOD made to the file previously that removed the $error_msg line.
witchfinder_general
Registered User
Posts: 28
Joined: Wed Oct 26, 2005 8:10 pm

Post by witchfinder_general »

I have checked your script against mine and all looks fine but it still does exactly the same thing I described before. Any thoughts?

Post by espicom »

Exactly what errors is it giving you?
camaro92
Registered User
Posts: 450
Joined: Sat Oct 05, 2002 10:55 pm
Contact:

Post by camaro92 »

anyone verify this will in fact HELP prevent them?
erinspice
Registered User
Posts: 14
Joined: Sat Feb 19, 2005 10:41 pm

Post by erinspice »

camaro92 wrote: anyone verify this will in fact HELP prevent them?

Not all at least. I installed the mod today, and not 3 hours later, here I am back looking for another solution because I have more spam.

Post by camaro92 »

ah geez.. just installed it myself.. Guess I have nothing to look forward to.. perhaps I should just restore the files I backed up that it changed?
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

erinspice wrote:
camaro92 wrote:anyone verify this will in fact HELP prevent them?

Not all at least. I installed the mod today, and not 3 hours later, here I am back looking for another solution because I have more spam.


There is a good chance that it could be from a guy adding the spam by hand...nothing will stop them. ;)



Anyways...if you're actually still getting true spam bots, this mod works well against them also:
http://www.phpbb.com/phpBB/viewtopic.php?t=373695

Post by espicom »

I can only type from my experience, looking at what my modified boards log. As this change has spread, it has dropped in effectiveness. In January 2005, it was 100% effective in blocking spam bots, because they'd never seen it before. This month, it's running about 60%. That is, 4 out of 6 spam registration attempts have the correct (for my board) information, meaning that they've checked the COPPA display page, at the very least. The other 60% try blowing right through.

Of those 40%, about half blow it by sending "agreed=true" in the POST of their registration...

I've installed the beta-test Instant Ban MOD, and it will ban any IP that attempts to put in a website or signature, prior to when my board allows that sort of thing. I have also added additional conditions to it, including attempting to use "agreed" in either a GET or a POST to the board. It has tripped on well over 80% of the registration attempts by bots, either because of the website, signature, or "agreed", even today.

80% of the registration attempts do not even try to put in a guess at the visual confirmation image. They just hope there isn't one, I guess. I've installed the beta-test FREECAP MOD from here, so the 20% who do try it blow it - they usually think it has 8 characters.

None of the above-mentioned steps is better than 80% effective. The combination has been over 99% effective. In 16 months, only two spam registrations have made it through to any of my boards, and they appear to have been done by hand, according to the logs. They passed all the tests, just like a regular user... They just posted spam messages when they finished, though, and got banned manually.

The key to all of this is to make your board different from as many others as you can; different means more work for spam bots. One method is to add something specific to your forum - a recent example was a regional site that has a pull-down menu for which state the board was located in, which stopped spammers dead in their tracks.

Additional things to discourage them include hiding website links from the search bots - that's what they're after, page rankings by being linked to by other sites. My board won't show their links to GOOGLE, even if they register as legitimate users and participate normally in the board. While others report a climbing rate of bot registrations, mine's been pretty steady, if declining, over the past few months, at a couple thousand attempts per month.

Bots are adjusting to all these methods, though. Over the last week, the spambots (still being banned) are moving to using the location and occupation fields for spam links. My boards now remove the contents of those fields if they contain a link... which (because they're required on my boards) means the rest of the registration fails.

This is a layer. It should not be your only anti-spammer layer.

Oh, and I forgot - if you have any forum that allows guest posting, all bets are off. At the very least, you need to use Enable Visual Confirmation for Guest Posting!

Help!

Post by witchfinder_general »

espicom wrote: Exactly what errors is it giving you?

The registration page appears correctly after clicking the links on the Agreement Terms page. However, after completing the details and clicking submit, the user is simply returned to the Agreement Terms page and the registration does not go through.

espicom wrote: Oh, and I forgot - if you have any forum that allows guest posting, all bets are off. At the very least, you need to use Enable Visual Confirmation for Guest Posting!

I'm pretty sure I need to do this as well but I cannot find the option in my Control Panel. I'm using an alternative theme (I believe it is called Aeolus) and I suspect that the option is not available with this theme. Can I revert to the standard theme to enable the option and then change back? Also, what exactly does the visual confirmation option do?

Just noticed the following error when trying to access Control Panel:

Parse error: parse error, unexpected '<' in /homepages/21/d70126371/htdocs/bx16v/forum/admin/admin_users.php on line 881

I have replaced the modified files with the originals again and the error is still there. HELP!

Cheers
Ptirhiik
Registered User
Posts: 7411
Joined: Mon Jan 06, 2003 10:36 pm
Contact:

Post by Ptirhiik »

Something I don't get: most of the bots take advantage of the data retrieved from the URL to jump over the coppa/agreement screen: why don't you simply force the agreed/coppa var to come from $_POST only, by replacing the links with buttons or radio check boxes, or whatever, but in-form? :)

Post by espicom »

Guest posting is set in the individual forums. Under advanced options, the POST and REPLY options should be set to REG or higher. More info in the Forum Admin section of the PHPBB users guide. Any theme that hides these from you is incomplete... :wink:

parse error, unexpected '<' in /homepages/21/d70126371/htdocs/bx16v/forum/admin/admin_users.php on line 881

That line is 20 lines above where the first change to that file for ConfusaBOT is, so I think it is a separate issue.

The registration page appears correctly after clicking the links on the Agreement Terms page. However, after completing the details and clicking submit, the user is simply returned to the Agreement Terms page and the registration does not go through.

This sounds like one edit was missed, and it's responding as it should with an incorrect variable being set. On your COPPA page, check the links; the first two should match the settings you've made in the constants.php file. Something like:

Code: Select all

<a href="profile.php?mode=register&IAmInAgreement=Maybe&sid=XXXX" class="genmed">

Go to the registration page, and find the hidden input fields. The line should contain something like this:

Code: Select all

<input type="hidden" name="mode" value="register" /><input type="hidden" name="IAmInAgreement" value="Maybe" /><input type="hidden" name="Under13" value="0" />

If the variable names do not match what you've set in constants.php, it means the edits in includes/usercp_register.php aren't correct.

Ptirhiik wrote: Something I don't get: most of the bots take advantage of the data retrieved from the URL to jump over the coppa/agreement screen: why don't you simply force the agreed/coppa var to come from $_POST only, by replacing the links with buttons or radio check boxes, or whatever, but in-form?


An excellent idea, except that it is a bit more involved than this MOD was originally intended to be. It involves changing the COPPA template to use a <form>, as well as making sure to unset any $_GET variables that might be set in the URL.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
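
Added example, not part of the MOD or of phpBB: the POST-only handling discussed in the two posts above, together with the stock-`agreed` condition mentioned earlier in the thread for Instant Ban. `check_agreement()` and its verdict strings are hypothetical, the constants are the sample values from the MOD, and the requests are constructed.

```php
<?php
// Added example: not phpBB or ConfusaBOT code. The constants are the sample
// values from the MOD's includes/constants.php edit; function name, verdict
// strings and the requests at the bottom are constructed for illustration.
define('AGREED_VAR', 'IAmInAgreement');
define('AGREED_VAL', 'Yes');
define('COPPA_VAR', 'Under13');

/**
 * Classify one registration request. $get and $post stand in for
 * $HTTP_GET_VARS and $HTTP_POST_VARS. Returns [verdict, coppa].
 */
function check_agreement(array &$get, array $post)
{
    // POST-only: drop the customised fields from the URL so that no later
    // code can pick them up from a crafted link.
    unset($get[AGREED_VAR], $get[COPPA_VAR]);

    // The stock phpBB2 field name means the client never read this board's
    // agreement page; this is the condition worth logging or banning on.
    if (array_key_exists('agreed', $get) || array_key_exists('agreed', $post)) {
        return ['flag_stock_field', false];
    }

    // Index with the constant itself, never the quoted string 'AGREED_VAR'.
    $value = isset($post[AGREED_VAR]) ? $post[AGREED_VAR] : null;

    // Strict string comparison: a wrong value or an array
    // (IAmInAgreement[]=Yes) is treated exactly like a missing field.
    if (!is_string($value) || $value !== AGREED_VAL) {
        return ['show_agreement', false];
    }

    // The registration form's hidden field carries "0" for users over 13.
    $coppa = !empty($post[COPPA_VAR]) && is_string($post[COPPA_VAR]);
    return ['proceed', $coppa];
}

// Constructed requests: [description, GET array, POST array].
$samples = [
    ['stock field in POST',   [], ['agreed' => 'true']],
    ['token only in the URL', [AGREED_VAR => AGREED_VAL], []],
    ['wrong value in POST',   [], [AGREED_VAR => 'Maybe']],
    ['array instead of text', [], [AGREED_VAR => [AGREED_VAL]]],
    ['form submitted, adult', [], [AGREED_VAR => AGREED_VAL, COPPA_VAR => '0']],
    ['form submitted, COPPA', [], [AGREED_VAR => AGREED_VAL, COPPA_VAR => 'true']],
];

foreach ($samples as $sample) {
    list($label, $get, $post) = $sample;
    list($verdict, $coppa) = check_agreement($get, $post);
    printf("%-22s -> %-16s coppa=%s\n", $label, $verdict, $coppa ? 'yes' : 'no');
}
```

For the POST-only rule to work, the agreement page has to submit these fields from a form with method="post", which is the agreement.tpl change espicom mentions.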
RevMark
Registered User
Posts: 11
Joined: Tue Sep 07, 2004 2:41 pm

Public Key/Private Key Encryption

Post by RevMark »

I am no security expert, not even a novice for that matter, but what about using some sort of encryption so that the spammers will never "see" what is actually getting POST'ed or GET'ed? So that they could not bypass the coppa/agreed with the correct string.

And what is the phpBB2 Forums doing to stop the spammers? This also seems to me to be a security issue that they should be fixing, no?
Last edited by RevMark on Thu May 25, 2006 1:54 pm, edited 2 times in total.

Post by espicom »

Encryption in what way? Making your site secure (as in SSL, accessed via HTTPS instead of HTTP) will kill a lot of it, because the spam scripts don't normally do SSL... at the expense of requiring the purchase of a certificate, compatible hosting, and the overhead of encrypting everything. And that works until they decide, "Oh, I should activate the SSL module for that site."

Writing a replacement for the registration process, which uses AJAX technology to step through registration in pieces, would make the system different enough to deflect the spammers, until it got wide-spread enough to justify learning how to cheat at it.

There has been a bit of talk of inserting Javascript to "build" a hidden variable that is required. But what about legitimate users who routinely disable JS, as I do? (it isn't safe to have any scripting enabled when you run Internet Exploder) I found a very nice JS routine to calculate MD4, MD5 and SHA1 hashes.... Sending a random phrase and some JS to the browser to combine it with one of the variable fields and returned as a hash, which is then compared at the server end with a hash done the same way, would only prove that something at the client end knew how to read and execute JS. But, for a month or two, it would confuse the existing bots!

In all cases, it's making your site different than others that makes a difference. The same attacks that work against PHPBB for spamming work for other boards, because they're imitating normal user input. None of these things are "security issues", because they're not bypassing anything you would not expect a legitimate user to do. Things like Instant Ban and the checks added here for the variables enforce that.

Post by RevMark »

Isn't there some kind of server side for folks that have modules for, say Mambo/Joomla etc that protects the source? I remember looking at a commercial Mambo component one time that required it.

Or how about having 2 tables in the phpbb db. One is a pointer with the number of entries in the 2nd table. The 2nd is a table of keywords for the post constants. Have the reg scripts generate a pseudo random number seeded from the first table. Then use that as a pointer to select the "word" of the week/day/hour/registration for the post statement. You could have thousands of words in the 2nd table. Every couple of weeks or months repopulate the 2nd table with new words. But the key would be that the words would not be dictionary words to protect from a dictionary attack (sort of). They would be what would be considered good password type words. You know: K8i9(uhjJty&^78mhpwksuh#.