[BETA] Unique Registration Hash

pentapenguin
Former Team Member
Posts: 11030
Joined: Thu Jul 01, 2004 4:15 am
Location: GA, USA

Post by pentapenguin » Mon Oct 30, 2006 12:18 am

drathbun, I hear you. My site (probably since I'm a Team Member as well) is a major target for spam bots. But I can say that after installing this MOD, the Easy BotStopper (changed to disallow all profile fields), and a few other small changes the spam bots have dropped to almost nothing. The only way to stop humans registering is to make the form so hard to fill out that no one will want to but that kinda defeats the point. :roll: But 0.2.0 coming out soon will add a few new features to make it just a little harder for spam bots to register.
Support Resources: Support Request Template
If you need professional assistance with your board, please contact me for my reasonable rates.

T.T.H.
Registered User
Posts: 6
Joined: Fri Mar 14, 2003 6:02 pm

Post by T.T.H. » Tue Nov 14, 2006 6:57 pm

While installation of this mod was easy and it works flawlessly for human users, my forum still gets successfully hit by spam bot registrations, with no change in quantity.

I am using "2006-08-19 - Version 0.1.0".

Just FYI...

pentapenguin
Former Team Member
Posts: 11030
Joined: Thu Jul 01, 2004 4:15 am
Location: GA, USA

Post by pentapenguin » Sat Nov 18, 2006 6:02 am

It will reduce (somewhat) the amount of spam bots, but clever ones can still get past this MOD (or any MOD for that matter). That's why I recommend this MOD in conjunction with another MOD like the Easy BotStopper MOD.
Support Resources: Support Request Template
If you need professional assistance with your board, please contact me for my reasonable rates.

Bramster
Registered User
Posts: 605
Joined: Sun Jul 27, 2003 10:40 am

Post by Bramster » Sat Nov 18, 2006 8:41 am

Hi all,
This MOD helps to prevent spam bots from registering by changing the "agreed=true" part of the registration URL to a unique value. This unique value is generated by MD5 hashing the user's IP address and their session ID number.


I just installed this mod but do not see anything different in the registration screen. Is that correct?

How do I check if this mod is working and is installed correctly?

Bramster

- - - - - Edit - - - -

I did some checking and comparing with another phpBB forum. Does this (check image below) indicate things are working as they are supposed to work? Or am I on the wrong track?


Image


Seems pretty easy to bypass since the link still contains the text "agreed=".

Or is it still very difficult for a bot to find out which link to use to agree with the rules of the forum?
Navy & Merchant Marine Forum:
www.DutchFleet.net

Stinos
Registered User
Posts: 5
Joined: Sun Aug 29, 2004 12:38 pm

Post by Stinos » Sat Nov 18, 2006 4:16 pm

I just installed the mod.

When I try to register myself:
- I agreed I'm over 13 years old
- I enter all the necessary information
- When I hit the submit button I'm being forwarded to the Registration Agreement Terms :?

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun » Sat Nov 18, 2006 4:26 pm

Bramster wrote: Seems pretty easy to bypass since the link still contains the text "agreed=".

But the value of "agreed" is not "true" as it is in the default phpBB install, so you have installed the MOD correctly. With a little work, you can also change "agreed" to something else, and end up with a registration URL that looks like this:

http://www.example.com/profile.php?mode=register&token=2df029942d2b
I took the idea from pentapenguin's description and made my own MOD that allows the admin to change the name of the variable ("token" in my case) and the length of the variable value (it's a substring from the session ID) so that each board has the potential to be different.

What makes phpBB susceptible to bot spammers is that the registration page for every single board is the same. If you can add even a minor wrinkle to the registration process, it can have an impact on bot registrations. It will not, unfortunately, have an impact on human registrations. For that you still have to resort to pruning and banning.

That has been my experience, so far, anyway.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun » Sat Nov 18, 2006 4:27 pm

Stinos wrote: - When I hit the submit button I'm being forwarded to the Registration Agreement Terms :?

You most likely missed an edit, or did it incorrectly. Check the edits for includes/usercp_register.php and ensure they match the edits provided by the MOD...
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details

comusthumbs
Registered User
Posts: 1
Joined: Fri Nov 24, 2006 7:35 am

Post by comusthumbs » Fri Nov 24, 2006 8:31 am

Hi guys
Maybe someone can adapt this idea into an official mod...

I took this mod and changed it slightly to add the following...

This hack first uses JavaScript to write a hidden image to the browser.

The image is actually a script that creates a hash file AND sets a cookie and displays an image.

The browser must have cookies and JavaScript enabled.

The bot now must load images, set cookies from images, run JavaScript and pass 3 hashed keys around.

When the accept link is clicked and the page is submitted, the script looks for the hash key file first.
Then it looks for the hash key cookie.
If both conditions are okay, then it allows the sign-up form.

At the top of the code where we have...

$registration_hash = md5($userdata['session_ip'] . $userdata['session_id']);
add this...

$registration_hash2=md5('change'.$registration_hash.'me');
// Hidden image: fetching regkey.php creates the marker file and sets the cookie.
$hidden_script="<script>var regkey=\"<img src='regkey.php?rk=$registration_hash2' border=0>\"; document.writeln(regkey); </script>";
$registration_file=md5('unique'.$registration_hash2.'code');
$reg_cookie=md5('iam'.$registration_hash2.'ok');
$is_bot=1;
// Both the marker file written by regkey.php and the cookie it set must be present.
if(is_file('dat/'.$registration_file) ){
    if(isset($_COOKIE[$reg_cookie]) && $_COOKIE[$reg_cookie]=='1'){
        $is_bot=0;
    }
}
//(housework) remove dat files more than a day old.
$pa = 'dat/';
$thetime=time();
if ($handle = opendir($pa)) {
    while (false !== ($file = readdir($handle))) {
        if($file !='..' && $file !='.'){
            $s =  $pa . $file;
            // Delete marker files whose modification time is more than 24 hours in the past.
            if(is_file($s) && filemtime($s)+(60*60*24) < $thetime){
                @unlink($s);
            }
        }
    }
    closedir($handle);
}
Locate the show coppa line..

	include($phpbb_root_path . 'includes/page_header.'.$phpEx);

	show_coppa();
and add the hidden javascript...

	include($phpbb_root_path . 'includes/page_header.'.$phpEx);
	echo $hidden_script;
	show_coppa();
Create a file called 'regkey.php' and place it in your phpbb root folder

<?PHP //regkey anti bot code
// Only accept a 32-character hex digest; anything else is not a key this script issued.
if(!isset($_GET['rk']) || !preg_match('/^[0-9a-f]{32}$/', $_GET['rk'])){
    header('HTTP/1.0 400 Bad Request');
    exit;
}
$newrk=md5('unique'.$_GET['rk'].'code');
// The marker file proves the hidden image was actually fetched.
$fh=fopen('dat/'.$newrk,'w');
fwrite($fh,'ok');
fclose($fh);
// The cookie must be set before any output is sent.
setcookie(md5('iam'.$_GET['rk'].'ok'),'1');
header("Content-Type: image/jpeg");
$im=imagecreate(1,1);
imagejpeg($im,null,100);
imagedestroy($im);
?>
Notice the key pairs of
'change'+'me'
'unique'+'code'
'iam'+'ok'

Feel free to change these to whatever you like, the redundancy is probably overkill, but it sure makes things ugly for anyone trying to get all 3 keys.

Create a folder called dat, chmod it to 777 and place this .htaccess file in it, so it can't be read from the web.

 order allow,deny
 deny from all
Force show coppa if the bot test fails.
Locate this line ..

if ( $mode == 'register' && $HTTP_POST_VARS['agreed'] != $registration_hash && $HTTP_GET_VARS['agreed'] != $registration_hash )
And change to

if ( $mode == 'register' && (($HTTP_POST_VARS['agreed'] != $registration_hash && $HTTP_GET_VARS['agreed'] != $registration_hash) || $is_bot) )
If your server doesn't have the GD graphics lib installed the imagecreate function will fail, so use this instead.

<?PHP //Alternate regkey anti bot code without GD Lib
// Only accept a 32-character hex digest; anything else is not a key this script issued.
if(!isset($HTTP_GET_VARS['rk']) || !preg_match('/^[0-9a-f]{32}$/', $HTTP_GET_VARS['rk'])){
    header('HTTP/1.0 400 Bad Request');
    exit;
}
$newrk=md5('unique'.$HTTP_GET_VARS['rk'].'code');
$fh=fopen('dat/'.$newrk,'w');
fwrite($fh,'ok');
fclose($fh);
setcookie(md5('iam'.$HTTP_GET_VARS['rk'].'ok'),'1');
header("Content-Type: image/gif");
// Stream the pre-made 1x1 transparent GIF instead of generating one with GD.
$fn=fopen("1pixel.gif","r");
fpassthru($fn);
fclose($fn);
?>
Then you'll need to create and place a small 1x1 transparent gif image in the same path as regkey.php called 1pixel.gif to get this version to work.

Good Luck,
--------
Comus Thumbs Free PHP Software For Webmasters in it for the Money.
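To show how the two checks in this thread fit together, here is an added Python model (not code from the thread, the MOD or phpBB) of pentapenguin's session-bound token with drathbun's configurable field name and length, and of comusthumbs' marker-file-plus-cookie test from the post above. The session values and the dat directory are constructed, and the hex-digest check in serve_regkey is an assumed hardening that the original regkey.php does not perform.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed phpBB2-style session values, as $userdata would hold them (made up).
SESSION = {"session_ip": "c0a80001", "session_id": "3f2a9b1c4d5e6f708192a3b4c5d6e7f8"}

def registration_hash(session, length=32):
    """pentapenguin's token: md5(session_ip . session_id); drathbun's variant keeps a prefix."""
    digest = hashlib.md5((session["session_ip"] + session["session_id"]).encode()).hexdigest()
    return digest[:length]

def agreed_ok(get, post, session, field="agreed", length=32):
    """The registration-step check: POST or GET must carry the session-bound token."""
    expected = registration_hash(session, length)
    return any(hmac.compare_digest(src.get(field, ""), expected) for src in (post, get))

# comusthumbs' extension: a second hash, a marker file named by one key, a cookie named by another.
def second_hash(reg_hash, pair=("change", "me")):
    return hashlib.md5((pair[0] + reg_hash + pair[1]).encode()).hexdigest()

def marker_and_cookie(rk):
    marker = hashlib.md5(("unique" + rk + "code").encode()).hexdigest()
    cookie = hashlib.md5(("iam" + rk + "ok").encode()).hexdigest()
    return marker, cookie

def serve_regkey(dat_dir, rk, cookies):
    """What regkey.php does when the hidden <img> is fetched. Returns False for a bad key."""
    if len(rk) != 32 or any(c not in "0123456789abcdef" for c in rk):
        return False  # assumed hardening: only md5 hex digests ever become file names
    marker, cookie = marker_and_cookie(rk)
    with open(os.path.join(dat_dir, marker), "w") as fh:
        fh.write("ok")
    cookies[cookie] = "1"
    return True

def is_bot(dat_dir, reg_hash, cookies):
    """The $is_bot test: marker file present AND cookie present, otherwise treated as a bot."""
    marker, cookie = marker_and_cookie(second_hash(reg_hash))
    return not (os.path.isfile(os.path.join(dat_dir, marker)) and cookies.get(cookie) == "1")

def simulate(fetches_image):
    """A client that does (browser) or does not (link-following bot) load the hidden image."""
    with tempfile.TemporaryDirectory() as dat:
        cookies = {}
        reg_hash = registration_hash(SESSION)
        if fetches_image:
            serve_regkey(dat, second_hash(reg_hash), cookies)
        return is_bot(dat, reg_hash, cookies)
```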

oldlock
Registered User
Posts: 255
Joined: Mon Feb 28, 2005 7:47 am

Post by oldlock » Sun Nov 26, 2006 12:32 pm

I have COPPA disabled, and hence this will not install with EasyMOD. Is there a workaround?

TIA

Paul

yakusha
Registered User
Posts: 71
Joined: Mon Apr 03, 2006 8:30 pm

Post by yakusha » Mon Nov 27, 2006 2:16 pm

I added this mod and am using it in my premod project...

I changed the agreement page to be like vBulletin's.

I added an "agreed" checkbox -> name="agreed" value="unique reg hash"

Spambots read links but do not read checkboxes.

Image

Soulmancer
Registered User
Posts: 14
Joined: Wed Jun 22, 2005 4:13 pm

Post by Soulmancer » Sat Dec 02, 2006 10:13 pm

Um, I'm just getting an error on line 83 in my registration after I followed the instructions.

Go take a look for yourself.

http://arimyth.planetdiablo.gamespy.com ... e=register

The line looks like this in code.

if ( $mode == 'register' && $HTTP_POST_VARS['agreed'] != $registration_hash && $HTTP_GET_VARS['agreed'] != $registration_hash

Zypher
Registered User
Posts: 381
Joined: Fri Mar 12, 2004 7:04 am
Location: Australia
Contact:

Post by Zypher » Sat Dec 02, 2006 10:41 pm

OMG, that sounds like a cool MOD. I might try that out.
- Zypher

~Beware of the Darkness Within!~

Fully Loaded

enderandrew
Registered User
Posts: 71
Joined: Thu Nov 30, 2006 7:55 am
Location: Omaha, NE
Contact:

Post by enderandrew » Sun Dec 03, 2006 12:02 am

drathbun wrote: FWIW...

I had been meaning to develop this one on my own, and did so last night. I combined the ideas of a unique hash with an ACP option to change the name of "agreed" which - from reading the description - is what the "ConfusaBot" MOD does. So my MOD allows me to change the name of the "agreed" variable, and also allows me to specify the length of the hash (from 2 to 32). I didn't look at the code for ConfusaBOT so I don't know exactly how it works; I did briefly look at the code for this MOD but rewrote it to suit my needs rather than basing my MOD off of this.


I don't care who writes it, but I would love to see a version released like this that combines the concept of ConfusaBot with a hash. Would you please release your version?
Nihilism makes me smile.

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun » Sun Dec 03, 2006 2:41 pm

enderandrew wrote:
drathbun wrote:FWIW...

I had been meaning to develop this one on my own, and did so last night. I combined the ideas of a unique hash with an ACP option to change the name of "agreed" which - from reading the description - is what the "ConfusaBot" MOD does. So my MOD allows me to change the name of the "agreed" variable, and also allows me to specify the length of the hash (from 2 to 32). I didn't look at the code for ConfusaBOT so I don't know exactly how it works; I did briefly look at the code for this MOD but rewrote it to suit my needs rather than basing my MOD off of this.


I don't care who writes it, but I would love to see a version released like this that combines the concept of ConfusaBot with a hash. Would you please release your version?

I have it working, started to write it up, and decided to go in a different direction. I'm rewriting the registration system so that it's not a sub-module of profile but instead a stand-alone screen. It seems that along with renaming the "agreed" variable the next best defense would be to rename the entire registration URL. :twisted:

In any case, I don't want to hijack this topic with my own code but I've posted it here for the time being. Note that the code as posted is no longer going to be enhanced or released as I've gone a different direction with my idea.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details

Soulmancer
Registered User
Posts: 14
Joined: Wed Jun 22, 2005 4:13 pm

Post by Soulmancer » Mon Dec 04, 2006 7:23 am

Can anyone tell me where to re-download the registration file? Since no one appears to be able to help me with my problem and I followed the installation instructions exactly, only to have my registration entirely screwed up...

Like a fool I accidentally overwrote the old file without backing it up and my attempts at fixing it have failed... can someone help me or provide me with a clean registration php?
