Unwanted registrations (security issue)

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Pooh22
Registered User
Posts: 13
Joined: Wed Feb 04, 2004 8:56 pm

pessimistic...

Post by Pooh22 »

Hi All

I'm pessimistic about this, because if I know spammers, this will just escalate to the point where they change IP numbers / e-mail addresses faster than we can add them to any filter. If there's no solution that is structural, i.e. very little impact on the administrator, this could cause a lot of people to abandon maintaining sites like this (using phpBB). I have a few ideas for combating these (sorry, I'm at a loss for words)...

* Don't show new users in the user list until they have been confirmed.
* Have an easy click list for the admin to go through (not using a link in e-mail)
* Have a new moderator type to moderate user names, so the admin can delegate this task
* allow mass deletion based on a pattern (dangerous!)
* create spamassassin like functionality in all input points for phpbb (expensive!)

I've heard of techniques to easily break these "human-only" images. (Just copy the image, show it on a different, unrelated website as a gimmick (or entry option for porn, since people do anything for porn apparently), copy the result PEOPLE enter there into the registration form; bingo!)

I don't think this can be ignored or solved by a simple computerised solution.

Cheers

Simon

Pooh22
Registered User
Posts: 13
Joined: Wed Feb 04, 2004 8:56 pm

hmm another thought occurred to me

Post by Pooh22 »

Would they actually parse this bb's memberlist to get a list of phpbb sites quickly? I'm sure most of us have a link to our own, vain, creations in our profile, right?

/Simon

geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

The best defense against this is installing the anti-robot registration add-on which is in the contrib folder of the download. You probably will need to redownload as you have to delete the contrib folder when you install.

jtphpbb
Registered User
Posts: 4
Joined: Wed Mar 24, 2004 8:32 pm

Crawlers

Post by jtphpbb »

Google can be used for good AND evil:
http://www.google.com/search?q=phpBB+pr ... 3Dregister
(just an example, not revealing any exploit here)

Google finds this site, it crawls this site. No need for any extra work. In fact, that's the porn spammer's motto!

Pooh22
Registered User
Posts: 13
Joined: Wed Feb 04, 2004 8:56 pm

That's not my idea of a good solution

Post by Pooh22 »

Like I said in the other posting, I don't believe this kind of blocking will work for long. So I don't see why I should bother with it, when it will only make things more complicated.

I'd like to see some of the suggestions I made in a future version of phpBB. They don't seem to me like they would be very difficult to add and would help reduce this problem more effectively. If I were to give priority:

* don't show users that are not active
* make an easy form to approve/reject new users
* add new type of moderator for moderating users
* implement more aggressive delete options
* create hooks for spamassassin like filters

/Simon

Darth Wong
Registered User
Posts: 2398
Joined: Wed Jul 03, 2002 5:20 am
Location: Toronto, Canada
Contact:

Post by Darth Wong »

I use both visual confirmation and admin-approved registrations. Stops 'em cold.
Not a three-foot tall green gnome in real-life: My home page.
My wretched hive of scum and villainy: http://bbs.stardestroyer.net/

jtphpbb
Registered User
Posts: 4
Joined: Wed Mar 24, 2004 8:32 pm

Re: That's not my idea of a good solution

Post by jtphpbb »

Pooh22 wrote: Like I said in the other posting, I don't believe this kind of blocking will work for long. So I don't see why I should bother with it, when it will only make things more complicated.


Very true. It isn't a good solution to prevent anything other than that individual. The reason I did it was to stop that luser from continuing to do it until I could make some minor mods. It is only a matter of time before this gets worse.

Pooh22 wrote: * don't show users that are not active

AMEN! Currently, with or without any approval, they succeed in their mission to post their links on our sites. Hopefully the changes I made and Visual Confirmation will help.

Pooh22 wrote: * make an easy form to approve/reject new users

I already accomplish something like this with having admin-approval enabled. Currently I think it says "click here to approve this user" but nothing about "click here to reject and delete this user".

Pooh22 wrote: * create hooks for spamassassin like filters

How would you like this to work? I've never looked at the bad word filtering capabilities. Are you talking about applying something like this to usernames?

Pooh22
Registered User
Posts: 13
Joined: Wed Feb 04, 2004 8:56 pm

short answer...

Post by Pooh22 »

As for SpamAssassin hooks, it could be used for postings as well as new users. Not to reject, but to flag for moderators (like SpamAssassin works). Also take source IP and other info into account.

Seeing the support forum, phpBB is a new playground for spammers; this is going to be hectic sooner rather than later!

/Simon

BlueRook
Registered User
Posts: 2892
Joined: Wed Mar 10, 2004 2:38 am

Re: That's not my idea of a good solution

Post by BlueRook »

* don't show users that are not active

AMEN! Currently, with or without any approval, they succeed in their mission to post their links on our sites. Hopefully the changes I made and Visual Confirmation will help.


You can keep inactive users from showing in the newest user or member list with a couple of easy MODs.

First use information from this topic to keep the user from showing as newest user.

Next, if you want them not to show on the memberlist, then use the MOD from this topic to do that. That topic also allows you to show the number of registered users as those that are active.

I've implemented these on my board and they work so far.

NativeMind
Registered User
Posts: 45
Joined: Sun Apr 27, 2003 9:51 pm
Contact:

Post by NativeMind »

Hmm, does 2.0.8 fix this problem?
Developer MX-System: modular portal for phpBB

sambeckett
Registered User
Posts: 118
Joined: Mon Oct 21, 2002 3:28 am

Post by sambeckett »

Same issue, I've had 40 porn people sign up in the last day.

geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land
Contact:

Post by geocator »

geocator wrote: The best defense against this is installing the anti-robot registration add-on which is in the contrib folder of the download. You probably will need to redownload as you have to delete the contrib folder when you install.


Just to quote what I said earlier as no one seems to have read it :twisted:

csscr
Registered User
Posts: 8
Joined: Sun Apr 13, 2003 4:10 am

Post by csscr »

Hi All,
I have just taken a couple of steps towards spam prevention.
Firstly I only display active users in the members list. To do this open memberlist.php and replace the SQL statement at about line 145 with

Code:

    $sql = "SELECT username, user_id, user_active, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar
        FROM " . USERS_TABLE . "
        WHERE user_active = '1' AND user_id <> " . ANONYMOUS . "
        ORDER BY $order_by";

and then at about line 276 replace another SQL statement with

Code:

    $sql = "SELECT count(*) AS total
        FROM " . USERS_TABLE . "
        WHERE user_active = '1' AND user_id <> " . ANONYMOUS;

That won't stop them registering, but it will stop the unregistered users from displaying in the members list, and most of the spam users are unregistered.
Don't forget to have "Enable account activation" set to "User" in the admin panel.

The other little thing I did was log IP addresses of members on registration. This can then be used to block the IP addresses that cause most of the spam. To do this you need to create a table in your database; the SQL for this would be something like:

Code:

    CREATE TABLE iplog (user VARCHAR(40) PRIMARY KEY, ip CHAR(15));

If you're not comfortable with SQL, try using PHP MySQL Table Manager; it makes creating tables and managing the content easy.
Then to log the IP address open usercp_register.php and at about line 247 look for

    else if ( $mode == 'register' )
    {
        if ( empty($username) || empty($new_password) || empty($password_confirm) || empty($email) )
        {
            $error = TRUE;
            $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Fields_empty'];

and then after it and before the closing bracket "}" add

Code:

    // IP logging **********************
        }
        else
        {
            // all required fields were supplied: record the client address that submitted the registration
            // ($username must already be SQL-escaped here; phpBB's registration code escapes it before this point)
            $ip = $_SERVER['REMOTE_ADDR'];
            $msql = "INSERT INTO iplog VALUES ('$username', '$ip')";
            $db->sql_query($msql);
    // end IP stuff ********************

You should have two closing brackets after it.
These steps are only a step in the right direction, not a final solution to the problem.
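Once the iplog table described above is populated, the step csscr leaves to the reader is working out which addresses produce the never-activated accounts that the memberlist change hides. This is an added example, not code from the post or from phpBB: it joins iplog to the users table and reports addresses with several registrations that never activated, running the query on SQLite in place of MySQL, with constructed sample rows and the default phpbb_users table name assumed.

```python
import sqlite3

# Tables as the post describes them: iplog(user, ip) filled at registration,
# plus the columns of phpBB's users table this query needs (the table name
# phpbb_users is the default prefix and an assumption here).
SCHEMA = """
CREATE TABLE iplog (user VARCHAR(40) PRIMARY KEY, ip CHAR(15));
CREATE TABLE phpbb_users (username VARCHAR(25) PRIMARY KEY, user_active INTEGER);
"""

# Constructed sample data: one address registered four accounts, three of
# which never completed activation; two ordinary members from other addresses.
SAMPLE_IPLOG = [
    ("alice", "192.0.2.10"), ("bob", "198.51.100.7"),
    ("xxx_links1", "203.0.113.5"), ("xxx_links2", "203.0.113.5"),
    ("xxx_links3", "203.0.113.5"), ("xxx_links4", "203.0.113.5"),
]
SAMPLE_USERS = [
    ("alice", 1), ("bob", 1), ("xxx_links1", 0),
    ("xxx_links2", 0), ("xxx_links3", 1), ("xxx_links4", 0),
]

# Group registrations by source address and count how many never activated.
# Plain SQL that runs unchanged on MySQL and SQLite: SUM over the boolean
# comparison counts the rows where user_active = 0.
SUSPECT_SQL = """
SELECT l.ip,
       COUNT(*)               AS registrations,
       SUM(u.user_active = 0) AS never_activated
FROM iplog l
JOIN phpbb_users u ON u.username = l.user
GROUP BY l.ip
HAVING COUNT(*) >= ? AND SUM(u.user_active = 0) >= ?
ORDER BY registrations DESC, l.ip
"""

def suspect_ips(iplog, users, min_regs=3, min_inactive=2):
    """Return [(ip, registrations, never_activated)] for addresses worth a moderator's look."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO iplog VALUES (?, ?)", iplog)
    con.executemany("INSERT INTO phpbb_users VALUES (?, ?)", users)
    rows = con.execute(SUSPECT_SQL, (min_regs, min_inactive)).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    for ip, regs, inactive in suspect_ips(SAMPLE_IPLOG, SAMPLE_USERS):
        print(f"{ip}: {regs} registrations, {inactive} never activated")
```

The output is a review list rather than an automatic block, which matches Pooh22's suggestion to flag for moderators instead of rejecting outright; the thresholds are the knobs an admin tunes for their board.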

csscr
Registered User
Posts: 8
Joined: Sun Apr 13, 2003 4:10 am

Post by csscr »

Hi geocator,
I had read your post and will have a look into the anti robot registration mod.
A couple of things that worry me are that not all the spammers are using robots, and, without seeing the mod I'm going out on a bit of a limb, but if it requires you to type the images that are displayed, would it then not be difficult for blind users or people using screen readers to complete registration?
I suppose we have to draw the line somewhere to stop spammers.

transm
Registered User
Posts: 99
Joined: Mon Feb 09, 2004 2:26 pm

Post by transm »

The guy doing this is on the IP: [Removed]

He has 5 sites on this server:

3 of them are:

[Removed]
[Removed]
[Removed]

He is using this ISP and location: [Removed]

[Edited by Draegonis: We don't want to see these sites any more than you do. Kindly don't link to them. There's also no need to give out his personal details to the public. You're just as able to contact his ISP's abuse department as we are]
