Membership Exploit Attack Prevention

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
LrdSatyr8
Registered User
Posts: 41
Joined: Sat Oct 18, 2003 11:42 pm
Location: Oxford, NC

Membership Exploit Attack Prevention

Post by LrdSatyr8 »

Ok all... I don't know about you but there's been an exploit of my forums that I've finally figured out how to put a stop to. The problem is this... I don't know if you've noticed a bunch of users that register on your forum and never post anything, however they have email addresses and post a website in their profile that points to something like poker777.boom.ru or nakedpost.net... well... I've discovered there is a bunch of spammers out there that feel that if they can get their links posted on every phpBB site whether they activate their account or not, their link is always listed in the membership listing. And what does that do you may ask? Well... when googlebot and yahoobot go to spider your site, all of those spam accounts are still listed on your forum whether they are activated or not. So if Joe Blow wants to make sure that Google knows about his site at http://dumbspam.com all he has to do is make a new user account, place his "website" in his profile and voilà... he's got more traffic for his site. And the beauty of it is that he doesn't even have to activate his account to be listed in the membership at all! So he can give you any email address whatsoever and he's listed!

Well I put a stop to that and I hope that in future releases or patches of phpBB that this matter will be addressed. If you don't want to give up your site for spammers... then what you have to do is turn off the listing of accounts in your Membership listing of non-activated members. Here's what I did:

In your MEMBERLIST.PHP file... look for:

WHERE user_id <> " . ANONYMOUS . "

Change it to:

WHERE user_id <> " . ANONYMOUS . " AND user_active <> 0

Then find the lines:

$sql = "SELECT count(*) AS total
FROM " . USERS_TABLE . "
WHERE user_id <> " . ANONYMOUS;

And change that to:

$sql = "SELECT count(*) AS total
FROM " . USERS_TABLE . "
WHERE user_id <> " . ANONYMOUS . " AND user_active <> 0";

And VOILÀ... no more non-activated users will be listed in your membership listing and it will make the spammers reconsider a new tactic. It would be nice if the BANNED list wouldn't even create a user account at all, but it still does... even if you ban a specific email address it still creates the record in the database and it is still listed if you don't make the changes above. Just thought you all would like this little bit of helpful info.

-=> Jim! <=-
Check out DavisWorks at http://davisworks.net
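
Added example (not part of the original post and not phpBB source code): the two queries from the post run against a constructed in-memory table, showing why both the listing query and the count query need the `user_active <> 0` condition. The table name, the value of `ANONYMOUS`, the `username` and `user_website` columns, the helper `memberlist()` and the sample rows are assumptions made for the illustration.

```php
<?php
// Added example, not phpBB source. Constructed in-memory table holding only
// the columns this thread touches; the rows below are sample data.
define('ANONYMOUS', -1);              // assumed value for the guest account id
define('USERS_TABLE', 'phpbb_users'); // assumed table name

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE " . USERS_TABLE . " (user_id INTEGER PRIMARY KEY,
    username TEXT, user_website TEXT, user_active INTEGER)");

$ins = $db->prepare("INSERT INTO " . USERS_TABLE . " VALUES (?, ?, ?, ?)");
foreach ([
    [ANONYMOUS, 'Anonymous', '', 0],
    [2, 'admin', '', 1],
    [3, 'alice', 'http://example.org', 1],
    [4, 'spam1', 'http://spam.example', 0],  // registered, never activated
    [5, 'spam2', 'http://spam.example', 0],
] as $row) {
    $ins->execute($row);
}

// Runs the listing query and the count query with independently chosen
// filters (hypothetical helper, written for this example).
function memberlist(PDO $db, bool $filter_list, bool $filter_count): array
{
    $base   = "WHERE user_id <> " . ANONYMOUS;
    $active = " AND user_active <> 0";
    $names = $db->query("SELECT username FROM " . USERS_TABLE . " "
        . $base . ($filter_list ? $active : "") . " ORDER BY user_id")
        ->fetchAll(PDO::FETCH_COLUMN);
    $total = (int) $db->query("SELECT count(*) AS total FROM " . USERS_TABLE . " "
        . $base . ($filter_count ? $active : ""))->fetchColumn();
    return [$names, $total];
}

foreach ([
    'unpatched'       => [false, false],
    'list query only' => [true, false],
    'both queries'    => [true, true],
] as $label => [$fl, $fc]) {
    [$names, $total] = memberlist($db, $fl, $fc);
    printf("%-16s listed=%s total=%d\n", $label, implode(',', $names), $total);
}
```

In the "list query only" case the total still counts the non-activated rows, so the page count derived from it would be larger than the number of members actually listed.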

phantomk
Registered User
Posts: 1039
Joined: Wed Apr 14, 2004 5:32 am
Location: Canada Eh?
Name: Daniel Lee

Post by phantomk »

Nothing new, but repetition is the key to success :)

TurtleX
Registered User
Posts: 245
Joined: Sat Apr 24, 2004 9:19 pm

Post by TurtleX »

Yes, I had this problem too. I got spammed like mad. I turned on visual confirmation and *poof it stopped. Bots can't read the image.

Rapid Dr3am
Registered User
Posts: 198
Joined: Sun Jul 13, 2003 4:14 pm
Location: Incommunicado

Post by Rapid Dr3am »

TurtleX wrote: Yes, I had this problem too. I got spammed like mad. I turned on visual confirmation and *poof it stopped. Bots can't read the image.


Bots can read the image, it's not that hard really. ;)

This solution posted above is good, I mean you'll still get registrations but you won't be linking to them. It's a temporary fix. Does it also cover the newest registered user on index.php? ;)

LrdSatyr8
Registered User
Posts: 41
Joined: Sat Oct 18, 2003 11:42 pm
Location: Oxford, NC

Post by LrdSatyr8 »

Rapid Dr3am wrote: This solution posted above is good, I mean you'll still get registrations but you won't be linking to them. It's a temporary fix. Does it also cover the newest registered user on index.php? ;)


Yes because the INDEX.PHP only displays newest activated members... non-activated members aren't shown.

-=> Jim! <=-
Check out DavisWorks at http://davisworks.net

skeath
Registered User
Posts: 1
Joined: Fri Oct 28, 2005 2:28 pm
Location: Texas

Stop spam registrations

Post by skeath »

A better way is to stop them from registering. In the file
usercp_register.php above line 372 I added this line:

if (stristr($email, "boom.ru")) {echo "F*** off"; exit;}
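
Added example (not part of the original post and not phpBB source code): a domain check that compares only the part of the address after the last `@` against a blocklist, shown next to the substring test from the post. `stristr()` matches the string anywhere in the address, so it also rejects addresses whose local part or unrelated domain merely contains "boom.ru". The function name `email_domain_blocked()` and the sample addresses are constructed for the illustration.

```php
<?php
// Added example, not phpBB source. Returns true when the address's domain is a
// blocked domain or a subdomain of one (hypothetical helper for this example).
function email_domain_blocked(string $email, array $blocked): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false; // no domain part; leave it to the normal e-mail validation
    }
    // Normalise: lower-case, strip whitespace and a trailing dot
    $domain = rtrim(strtolower(trim(substr($email, $at + 1))), '.');

    foreach ($blocked as $entry) {
        $suffix = '.' . strtolower($entry);
        if ($domain === strtolower($entry)
            || substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$blocked = ['boom.ru']; // domain taken from the thread

// Constructed sample addresses
$samples = [
    'joe@boom.ru',              // blocked domain
    'joe@poker777.boom.ru',     // subdomain of a blocked domain
    'JOE@BOOM.RU',              // case variation
    'boom.ru@example.org',      // string appears only in the local part
    'jane@kaboom.ru',           // different domain that contains the string
    'alice@example.org',        // unrelated
];

foreach ($samples as $email) {
    printf(
        "%-24s substring=%-3s domain=%s\n",
        $email,
        stristr($email, 'boom.ru') !== false ? 'yes' : 'no',
        email_domain_blocked($email, $blocked) ? 'yes' : 'no'
    );
}
```

The two checks agree on the first three and the last address; the substring test additionally rejects `boom.ru@example.org` and `jane@kaboom.ru`, which the domain comparison lets through.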

TexasBlake
Registered User
Posts: 59
Joined: Thu Feb 06, 2003 4:05 am
Location: Houston, Texas

Re: Stop spam registrations

Post by TexasBlake »

skeath wrote: A better way is to stop them from registering. In the file
usercp_register.php above line 372 I added this line:

if (stristr($email, "boom.ru")) {echo "F*** off"; exit;}


You are a genius. I'm tired of having to delete 10 people a day from three forums. I hope you don't mind if I borrow that code.

markus_petrux
Former Team Member
Posts: 1887
Joined: Wed Apr 23, 2003 7:11 am
Location: Girona, Catalunya (Spain)

Post by markus_petrux »

@LrdSatyr8: this is not a place to release final MODs. If you plan to continue development here, please PM a MOD Team member to ask them to unlock this topic for you. Thanks


locked