Posted: Thu Jun 08, 2006 6:08 pm
by M.O.B.
keimo wrote: ahh thanks for that info man. I'm of the opinion that I don't want these asses even being able to get anywhere NEAR my forum again is a good thing so the autoban is something that appeals to me. I may stick the code in for a while then take it back out just to watch my ip ban's go up...

It's the little things in life that make it worthwhile ya' know :wink:

Please let us know how this works for you. Just to make sure the code is working great.

Posted: Thu Jun 08, 2006 6:12 pm
by M.O.B.
objectman wrote: The only common element in all my (tens of) spambot emails is the http://www.nwtools.com/default.asp?prog=express&host= bit. Instead of IP addresses is it possible to ban an IP lookup like this one? Surely it would be a simple line of code?

I am not sure if I follow you, but you wish to not get the link of nwtools.com to be able to determine where the "spammer" IP is coming from? If you notice the spammer's IP address is always at the end of that URL link so you can click on it and be able to read more info on where that IP is from. It's the cream of the pie of how this mod works. If this is the case, I am not sure if you really want that. Please advise. I had trouble understanding your wishlist.

Posted: Thu Jun 08, 2006 6:24 pm
by EXreaction
Hmm, I am really liking your version of this mod (I made basically the same thing except it doesn't email you).

Are you planning on uploading this to the mods database? If you are, I would be willing to help make a second version(you could keep the lite version and the version with an adminCP) of this that has options in the AdminCP(like the email address to display, to turn it off or on, to ban IP's, to disable the website and or signature sections(and possibly more).

If you guys would like me to work on something like that with you I would be happy to. :D

Posted: Thu Jun 08, 2006 6:46 pm
by RevJim
objectman wrote: The only common element in all my (tens of) spambot emails is the http://www.nwtools.com/default.asp?prog=express&host= bit. Instead of IP addresses is it possible to ban an IP lookup like this one? Surely it would be a simple line of code?


Hi objectman,

That nwtools.com link is NOT something the spammer is submitting. It's a link that this MOD creates and sends in the e-mail to make it easier to figure out who the spammer is (or might be). If you click it you will see a whole bunch of juicy information about the IP address that the spammer was using when he tried to register on your board. Don't worry, it's perfectly safe to click. :) In fact, there's a similar link in the standard phpBB administration panel -- click the IP address of a currently logged-in user on your board and you will go to the same site (although a slightly different version).

If you really don't want to see that link, you can delete this line of code from the MOD:

Code:

$emailMessage  .= "IP Lookup = http://www.nwtools.com/default.asp?prog=express&host=" . $spammerIPAddress . "\n";

But there really is no need to delete it -- it's a perfectly harmless tool that you can use to research your spammers.

-RJ

Posted: Thu Jun 08, 2006 7:33 pm
by M.O.B.
RevJim, do you think it would be possible to switch nwtools.com to http://whois.domaintools.com ? I prefer using that IP checker. Unless you can school me why nwtools gives better info? Thanks in advance.

Posted: Thu Jun 08, 2006 8:39 pm
by EXreaction
Would someone mind replying to my last post(you guys see it?)? :?

Posted: Thu Jun 08, 2006 9:58 pm
by RevJim
EXreaction wrote: Hmm, I am really liking your version of this mod (I made basically the same thing except it doesn't email you).

Are you planning on uploading this to the mods database? If you are, I would be willing to help make a second version(you could keep the lite version and the version with an adminCP) of this that has options in the AdminCP(like the email address to display, to turn it off or on, to ban IP's, to disable the website and or signature sections(and possibly more).

If you guys would like me to work on something like that with you I would be happy to. :D


EXreaction:

Sorry for the slow reply, I started typing it this morning and keep getting interrupted. :)

Yeah, my feeling is that the goal of pretty much any MOD should be to 1) get stable and 2) get promoted to "released" status through the mods DB. Since this is something of a community-built MOD I guess it's pretty much up to us (you, me, Andre, Raiden, and anyone else who has anything to contribute) to decide what needs to be done prior to submission.

Here's my list: (everyone is welcome to add more, or point out why my ideas stink) :)
1. The e-mail subject line should start out with the IP address of the spammer, so you can easily sort your e-mails by IP address, and see which IP addresses are the most common (ie, the worst spammers). This is obviously a 1-minute change, I just haven't gotten around to it. ;)

2. I like your idea of adding an administrative interface to the adminCP. Master on/off, send e-mail (yes/no), set e-mail address, include e-mail address in Die message (yes/no), and number of posts before users are allowed to edit their URL/sig fields should be in there.

3. Ideally, there should probably be a checklist to pick which fields we're restricting. The current code just looks for URL/sig (because those are the fields that can contain hyperlinks to a website). However, since I've been running this code for a while, I've started to get bots that are putting URLs into other (non-hyperlinked) fields. There's no search engine benefit to this, I think they're just doing it for eyeball traffic. So the admin could just go check/uncheck fields that are accessible after the required number of posts.

I haven't written for the adminCP before, so feel free to take the first crack at it. :) It seems like a great idea to me.

-RJ

Posted: Thu Jun 08, 2006 10:16 pm
by RevJim
DJ Andre wrote: RevJim, do you think it would be possible to switch nwtools.com to http://whois.domaintools.com ? I prefer using that IP checker. Unless you can school me why nwtools gives better info? Thanks in advance.


The reason I went with nwtools.com is because the built-in phpBB administrator panel uses http://network-tools.com/. If you go to that URL there's a note at the top that says something like "newer, cooler beta tools are available at nwtools.com, and the current tools will stop being supported sooner or later" (yes, I'm paraphrasing here).

I don't know why the phpBB Gods chose networks-tools.com, but it kinda seems like the "official" code should stay with them unless we have a reason to switch. If you want to change your copy to use domaintools.com, here's the switch:

Code:

$emailMessage  .= "IP Lookup = http://www.nwtools.com/default.asp?prog=express&host=" . $spammerIPAddress . "\n";

Changes to:

Code:

$emailMessage  .= "IP Lookup = http://whois.domaintools.com/" . $spammerIPAddress . "\n";

-RJ

Posted: Fri Jun 09, 2006 3:47 am
by EXreaction
RevJim wrote: I haven't written for the adminCP before, so feel free to take the first crack at it. :) It seems like a great idea to me.

-RJ


I haven't really either (started modding the template once, but I never added MySQL tables). :oops:
But I am sure I could get it working great if I look at how other mods did it. 8)

I can look at getting the adminCP part started this weekend. I am a little busy now (the Vista Beta 2 just went public, so it's my turn to play with it) but by this weekend either I will have Vista set up so I can start modding, or if I can't get sound drivers I will be back on XP. :)


BTW, do you have an IM? Like MSN or Yahoo? We could work together a bit then. 8)

Posted: Fri Jun 09, 2006 4:51 am
by RevJim
EXreaction wrote: I haven't really either (started modding the template once, but I never added MySQL tables). :oops:
But I am sure I could get it working great if I look at how other mods did it. 8)

I can look at getting the adminCP part started this weekend. I am a little busy now (the Vista Beta 2 just went public, so it's my turn to play with it) but by this weekend either I will have Vista set up so I can start modding, or if I can't get sound drivers I will be back on XP. :)


BTW, do you have an IM? Like MSN or Yahoo? We could work together a bit then. 8)


I'm on Skype and MSN. However, I only work 2-4 days a month, and this weekend I'm working. :) It'll take me a day or two to recover from doing actual work, so I'll be available next week some time... If you haven't figured it out by then drop me a PM and we'll get together to try and solve things. :)

BTW, if we're going to add an administrative control panel interface, maybe we should put an option in for the automatic IP bans? I don't think they are a good idea, but if they're optional, I shouldn't stand in anyone's way..... thoughts (anyone)?

-RJ

Posted: Fri Jun 09, 2006 5:31 am
by espicom
Adding an ACP interface is not difficult - check the MODs I've done (link to one in my signature) for a "template" for doing them, complete with language file changes. The only time it gets to be a bit more difficult is if you want to add a separate applet for doing it, rather than attaching to the existing admin_board.php script.

The important thing to remember is that any text displayed MUST be done through the language file interface, or your MOD isn't going to survive submission. No hard-coded English text allowed, except for certain hard errors that this sort of MOD shouldn't encounter. And template changes need to be as generic as possible (searching for template variables, for example, rather than whole lines), so that they can be installed in non-subSilver templates.

First candidates for an ACP interface: $cut_off, email Y/N.

Posted: Fri Jun 09, 2006 7:43 am
by Code3TJ
Personally, I like http://www.dnsstuff.com/ a bit better than network tools, but that's just my thing. Something else to possibly include (since a lot of the spammers seem to use it also) is the ICQ field.

Posted: Fri Jun 09, 2006 5:49 pm
by EXreaction
RevJim wrote: I'm on Skype and MSN. However, I only work 2-4 days a month, and this weekend I'm working. :) It'll take me a day or two to recover from doing actual work, so I'll be available next week some time... If you haven't figured it out by then drop me a PM and we'll get together to try and solve things. :)

BTW, if we're going to add an administrative control panel interface, maybe we should put an option in for the automatic IP bans? I don't think they are a good idea, but if they're optional, I shouldn't stand in anyone's way..... thoughts (anyone)?

-RJ


Ok, I will look for you this week (you can add me in msn, my profile has my address). :D

Code3TJ wrote: Personally, I like http://www.dnsstuff.com/ a bit better than network tools, but that's just my thing. Something else to possibly include (since a lot of the spammers seem to use it also) is the ICQ field.


Maybe the guys could have it send you both links in the email? That would be good, then you could pick whichever one you want. :)

Ya, maybe in the adminCP version we could have options to turn everything off except for the sections that are only needed for registering (username/password/email/captcha).

espicom wrote: Adding an ACP interface is not difficult - check the MODs I've done (link to one in my signature) for a "template" for doing them, complete with language file changes. The only time it gets to be a bit more difficult is if you want to add a separate applet for doing it, rather than attaching to the existing admin_board.php script.

The important thing to remember is that any text displayed MUST be done through the language file interface, or your MOD isn't going to survive submission. No hard-coded English text allowed, except for certain hard errors that this sort of MOD shouldn't encounter. And template changes need to be as generic as possible (searching for template variables, for example, rather than whole lines), so that they can be installed in non-subSilver templates.

First candidates for an ACP interface: $cut_off, email Y/N.

Posted: Tue Jun 13, 2006 5:49 am
by jimnms
I installed this last night on my forum. Afterwards I removed the bans on all email addresses that I had collected from previous spammer registrations.

I went to bed, and woke up early this morning like a kid on Christmas. I checked the email I forwarded the registrations to and was sad to see it was empty. I checked the forum and found 3 new spambot registrations. There was no signature or URL in the web page field though.

I triple checked the install and it's all correct. What I did was set the $cut_off value to "0" because I don't want to limit new users to not being able to fill out the website field after registering. Would that still allow the bots to register? I just changed it to "1" so I'll see tomorrow if I have any mails.

Now, for a suggestion. What about just removing the whole "Profile Information" portion from the registration form, and only allowing that information to be filled out after the account has been activated?

Posted: Tue Jun 13, 2006 12:14 pm
by Remix_88
RevJim wrote: 3. Ideally, there should probably be a checklist to pick which fields we're restricting. The current code just looks for URL/sig (because those are the fields that can contain hyperlinks to a website). However, since I've been running this code for a while, I've started to get bots that are putting URLs into other (non-hyperlinked) fields. There's no search engine benefit to this, I think they're just doing it for eyeball traffic. So the admin could just go check/uncheck fields that are accessible after the required number of posts.


If you are seeing SpamBots posting URL's in fields which are not intended to hold a URL why not validate those fields? If they hold content which looks like a URL stop/ban the attempted registration :-)

You will find code that you can derive this feature from in 'includes/functions_validate.php' in the 'validate_optional_fields' function.

Here is an extract by way of a simple example...

Code:

// If $field_being_validated looks like a URL, halt the registration.
// preg_match() returns 1 on a match, so the test must not be negated here.
if (preg_match('#^http[s]?\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $field_being_validated))
{
  die('Bot registration attempt');
}
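
An added example, not part of the original post and not code from the MOD or from phpBB: it generalises the check above to several optional profile fields at once, matching URL-like text anywhere in the value and scheme-less "www." links as well. The function name find_url_like_fields and the field names in the sample are assumptions made for illustration.

```php
<?php
// Added example, not part of the MOD. Function and field names are hypothetical.

/**
 * Return the names of the profile fields whose value contains something
 * that looks like a URL. Unlike the anchored pattern above, this matches
 * anywhere in the value and also catches scheme-less "www." links.
 */
function find_url_like_fields($fields)
{
    // http(s)://host.tld or www.host.tld, not anchored to the start of the value
    $pattern = '#(?:\bhttps?://|\bwww\.)[a-z0-9\-]+(?:\.[a-z0-9\-]+)+#i';

    $hits = array();
    foreach ($fields as $name => $value)
    {
        // Normalise first: submitted values may be padded with whitespace.
        $value = trim((string) $value);
        if ($value !== '' && preg_match($pattern, $value))
        {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample registration data (hypothetical field names).
$sample = array(
    'icq'        => '12345678',
    'location'   => 'Visit www.example.com today',
    'occupation' => 'Engineer',
    'interests'  => "cheap pills\nHTTP://example.org/buy",
);

$flagged = find_url_like_fields($sample);
if ($flagged)
{
    // A submitted MOD would take this text from the language file instead.
    echo 'Rejected, URL-like content in: ' . implode(', ', $flagged) . "\n";
}
```

Returning the list of offending field names instead of calling die() directly lets the caller decide whether to reject, e-mail the admin, or only log the attempt.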