PhpBB: easy to spam?

Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK
Contact:

Post by Graham »

Daan Vanheel wrote: Well, it's better than nothing and it can be a good temporary solution.

Not really. Many people (including me) have their systems set up to block the referrer from being sent when they view a page, so a check like that would cause more trouble than it's worth.
"So Long, and Thanks for All the Fish"

phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!

modenaf1
Registered User
Posts: 49
Joined: Sat Jul 26, 2003 11:29 pm

Post by modenaf1 »

Draegonis wrote: That's because there isn't really a valid long-term solution. That's why there's such a thing as a ban.
As a side note, just think how easy it is to spam an email address...

Hah! You're right about that. Once you get one spam email they send your addy out to everyone and it spreads like wildfire lol.

Anyways, something I noticed with phpBB 2.1.2 is that when it detects a similar post has been made or something, it tells you that it has been made and asks if you want to revise or post it anyway or something like that. That could probably screw up a script like the one you talked about, Daan Vanheel.

But, I guess there really is not that much of a way around this, although I think you could probably have it so it makes the post limiter/timer thingy go off of an IP instead of a username. I'm not sure, I don't know very much about this stuff.

BTW, there really aren't any forums the admin can't see ;) So even if someone gets into a secret forum (more likely to happen on VB anyways) the admin will probably come across it and ban the user ;)

Speaking of VB, their permissions are kinda lousy compared to phpBB. I have been able to monitor the moderator promotion candidates section, I guess if the admin isn't paying attention it is quite easy to mess up with VB. That is not the only thing I noticed, but who wants to hear me ramble about VB? Probably no one, so I'll shut up now.

-f1
8)

libertate
Registered User
Posts: 79
Joined: Tue Jul 30, 2002 11:13 pm
Location: Kiritimati
Contact:

Post by libertate »

Actually that's not such a bad idea.

The combination of the poster's IP address/session ID and the 2.1.2 similar post detection system would work well.

There are limited reasons to cross post the same message, or to quote yourself within a few minutes.

Ergo, the system can block someone's spam by blocking any duplicate messages where a percentage of the original post is identical. It could be even further complicated by changing the percentage within a range. Say, if the message is between 70 and 90% identical to a previous message, the duplicate message detection is triggered.

The trigger could be set for several hours, making spamming worthless.
libertate
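libertate's near-duplicate check, as an added PHP example (not phpBB's 2.1.2 code): posts are remembered per poster key (session id or IP address) for a cool-down window, and a new post is refused when it is at least a threshold percent identical to any of them, with the threshold drawn from the 70 to 90 range on each check. The window length, the threshold range and the in-memory array standing in for a database table are assumptions.

```php
<?php
// Added example, not phpBB code: libertate's near-duplicate check.
// Posts are remembered per poster key (session id or IP address) for a
// cool-down window and a new post is refused when it is at least a
// threshold percent identical to one of them. Assumptions: the window,
// the threshold range and the in-memory array standing in for a table.

const DUP_WINDOW_SECS = 4 * 3600;  // "set for several hours"

function normalise_post(string $text): string
{
    // Case and whitespace tweaks alone should not defeat the comparison.
    return preg_replace('/\s+/', ' ', strtolower(trim($text)));
}

function similarity_percent(string $a, string $b): float
{
    similar_text(normalise_post($a), normalise_post($b), $percent);
    return $percent;
}

/**
 * @param array $recent  list of ['time' => int, 'text' => string] for one poster key
 */
function is_duplicate_post(array $recent, string $text, int $now, int $thresholdPercent): bool
{
    foreach ($recent as $old) {
        if ($now - $old['time'] > DUP_WINDOW_SECS) {
            continue;  // outside the cool-down window
        }
        if (similarity_percent($old['text'], $text) >= $thresholdPercent) {
            return true;
        }
    }
    return false;
}

// Constructed walk-through: one remembered post for this poster key.
$store = [];
$key   = 'sid:constructed-session';
$now   = 1700000000;
$store[$key][] = ['time' => $now, 'text' => 'Check out my cheap pharmacy deals at example.invalid!!!'];

// Draw the threshold inside libertate's 70 to 90 range on each check.
$threshold = random_int(70, 90);
// A reworded repeat five minutes later versus an unrelated reply.
var_dump(is_duplicate_post($store[$key], 'check out my CHEAP pharmacy deals at example.invalid!', $now + 300, $threshold));
var_dump(is_duplicate_post($store[$key], 'Has anyone tried the 2.1.2 similar post detection?', $now + 300, $threshold));
// The same repeat after the cool-down window has elapsed is no longer blocked.
var_dump(is_duplicate_post($store[$key], 'check out my CHEAP pharmacy deals at example.invalid!', $now + DUP_WINDOW_SECS + 1, $threshold));
```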

mbwalker
Registered User
Posts: 5
Joined: Tue Apr 20, 2004 4:23 pm
Contact:

Post by mbwalker »

Seems to me the easiest way to stop spam of this type would be to require authentication for people. This could be required for new posters or members and then not required once people become familiar to the board.

The type of authentication I'm thinking of is like the one required to register for this board, where you need to identify and type some unique letters for each post. That's a hassle for newcomers, but one that's relatively minor. And, as I mentioned, you could do away with the requirement for "approved" posters.

Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK
Contact:

Post by Graham »

modenaf1 wrote: But, I guess there really is not that much of a way around this, although I think you could probably have it so it makes the post limiter/timer thingy go off of an IP instead of a username. I'm not sure, I don't know very much about this stuff.

You could base it off the IP address certainly, but using the IP address for that type of thing has its own problems.

As an example of one of the problems consider the following: You have a forum which is primarily used by students at a university but hosted off-site for some reason. All off-site web access is routed through one proxy so everyone appears to come from the same IP. Controlling based on IP in that instance would be unusable for most of the users.

There are other examples involving AOL which I could come up with as well.

NativeMind
Registered User
Posts: 45
Joined: Sun Apr 27, 2003 9:51 pm
Contact:

Post by NativeMind »

I think the fix is fairly simple, and it's basically a fix to cross site request forgeries as well (Which is really what this is...).

Basically you don't want anyone submitting a form that didn't come from browsing your site in the first place. So, the form display should generate a unique key (not the SID) and use that when it actually processes the post to verify that the form post came from the website.

Of course that solves CSRF, but a spammer could still just use cURL to get the page and extract that unique token each time. A better solution would be to both generate a random token and the random identifier of the token, so they would really have to reverse engineer your algorithm to have a shot at creating a SPAM script. You could even create multiple random identifiers/tokens to really make it hard (only one of the multiple ones would be really). You could also alternate algorithms... i.e. one time you just have one token, the next time you have 2 tokens, the third time you have the md5 digest of the 2 tokens, etc.

As an aside, what the deuce is with people registering names with a ! in them even when *!* is in the ban list?!
Developer MX-System: modular portal for phpBB

d-ArkAngel
Registered User
Posts: 64
Joined: Sun Jun 02, 2002 11:30 am
Location: England, Redcar
Contact:

Post by d-ArkAngel »

To foil a spam script you could always modify the anti bot registration hack to be applied to posting.php so that it does the "user copies numbers from an image" test. But until you have a problem with it, I doubt it's worth pissing off the users :-)
Robert Laverick (dArkAngel)
You're just jealous that the voices talk to me!
Living the thin line between Inspiration and Insomnia

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

d-ArkAngel wrote: To foil a spam script you could always modify the anti bot registration hack to be applied to posting.php so that it does the "user copies numbers from an image" test. But until you have a problem with it, I doubt it's worth *beep* off the users :-)
Hey d-ArkAngel. Haven't seen you in ages. That's actually a much more feasible idea than mine. Wish I thought of that. :P
Proven Offensive Security Expertise. OSCP - GXPN

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom
Contact:

Post by NeoThermic »

d-ArkAngel wrote: To foil a spam script you could always modify the anti bot registration hack to be applied to posting.php so that it does the "user copies numbers from an image" test. But until you have a problem with it, I doubt it's worth *beep* off the users :-)

As an addendum, you could also make it only appear randomly, so that regular posters are not always bothered by 'Enter in this code' requests.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

d-ArkAngel
Registered User
Posts: 64
Joined: Sun Jun 02, 2002 11:30 am
Location: England, Redcar
Contact:

Post by d-ArkAngel »

Techie-Micheal wrote: Hey d-ArkAngel. Haven't seen you in ages. That's actually a much more feasible idea than mine. Wish I thought of that. :P

Yeah, I've just been around submitting exploits to the security e-mail address again, so I thought I'd have a read of the top couple of conversations again...

(The main reason you've not seen me around is cos I forgot my password, and couldn't be bothered retrieving it, so I've been just reading a little here and there and then being too lazy to reply.)

strobe
Registered User
Posts: 168
Joined: Thu Sep 18, 2003 9:53 pm
Location: Detroit, MI
Contact:

Post by strobe »

Two simple solutions that I just thought of for this that could help:

1) Have phpBB generate a random string every X number of minutes and include it as a hidden field in the posting form, then simply verify it against the string in the database for that time range with each post. This would prevent someone from using a script, yet it wouldn't force the user to enter anything. You could even make the last 'X' number of strings valid to prevent slow posters from getting hung up through a rotation cycle.

In theory, you could actually generate a string with each post, but that would probably be overkill.

2) You could have a small manual field for each post with something as simple as a single letter that needs to be verified.

I don't know - just some dumb ideas I'm tossing out here. Any comments?
** An official 'n00b' and provider of 'destructive advice' since December 17th, 2003 **

Still living in mom and dad's basement -- been at home since '74 and not leaving anytime soon!!!

Brucey, Brucey, Bruce - The Internet's Golden Goose.
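The hidden-field token that NativeMind and strobe describe, as an added PHP example (not phpBB's code): the value is an HMAC over the session id, the form name and a ten-minute time bucket, so it needs no database row, rotates on its own, still accepts the two previous buckets for slow posters, and a value scraped from the page with cURL is only good for the session whose cookie fetched it. The server secret, the window length and the grace count are assumptions.

```php
<?php
// Added example, not phpBB code: a per-form token in the spirit of
// NativeMind's "unique key (not the SID)" and strobe's "rotate every X
// minutes, accept the last X strings". The value is an HMAC over the
// session id, form name and time bucket, so it needs no database row and
// is useless outside the session that fetched the form.
// Assumptions: the server secret, the window length and the grace count.

const TOKEN_WINDOW_SECS = 600;  // new token every 10 minutes
const TOKEN_GRACE_WINDOWS = 2;  // also accept the two previous windows

function form_token(string $secret, string $sid, string $form, int $bucket): string
{
    return hash_hmac('sha256', "$form|$sid|$bucket", $secret);
}

function issue_form_token(string $secret, string $sid, string $form, int $now): string
{
    return form_token($secret, $sid, $form, intdiv($now, TOKEN_WINDOW_SECS));
}

function verify_form_token(string $secret, string $sid, string $form, string $submitted, int $now): bool
{
    $current = intdiv($now, TOKEN_WINDOW_SECS);
    for ($i = 0; $i <= TOKEN_GRACE_WINDOWS; $i++) {
        $expected = form_token($secret, $sid, $form, $current - $i);
        if (hash_equals($expected, $submitted)) {  // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed walk-through of what posting.php would do.
$secret = 'replace-with-a-long-random-server-secret';
$sid    = 'constructed-session-id';
$t      = time();

$hidden = issue_form_token($secret, $sid, 'posting', $t);
// echo '<input type="hidden" name="form_token" value="' . htmlspecialchars($hidden) . '">';

var_dump(verify_form_token($secret, $sid, 'posting', $hidden, $t));                          // same window
var_dump(verify_form_token($secret, $sid, 'posting', $hidden, $t + 2 * TOKEN_WINDOW_SECS)); // two windows later, inside the grace period
var_dump(verify_form_token($secret, $sid, 'posting', $hidden, $t + 3 * TOKEN_WINDOW_SECS)); // three windows later, rotated out
var_dump(verify_form_token($secret, 'other-session', 'posting', $hidden, $t));              // token presented from a different session
```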

soapy
Registered User
Posts: 1
Joined: Sun Apr 03, 2005 6:56 pm
Contact:

Post by soapy »

I have published a simple, (very) low overhead solution to this issue. It's on Codewalkers, and you can see it at www.officedevils.com/contactsnippet.php

Basically it just includes a sum in the form with two hidden variables, so you have to correctly complete the sum before the submission is accepted.

This could be made far tougher by various means, such as changing the "+" to the word "plus", adding in "-", "*", etc., as well as changing the function a bit, so it printed "one", "twenty", etc. instead.

Or use a gif of the numbers, storing a solution someplace server side, but this stops the blind.

Obviously these would be weaker solutions than a rendered gif, but they do use a lot more processor than 2 + 40! (They are roughly in order of increased processor load) The spammer has to then write a complex regexp to cover all the possible options, which will be beyond most, and those that do sort it will still be stopped (at least) every n tries by the rendered gif.

Using the gif every n attempts alone would be a failure, though, since the spammer then still gets n-1 spams through *and* you still get the overhead issues!

Edit: No responses to this so far, but there is a new program out to try to brute-force the image systems, called Caecus ver 1.0, which OCRs the image, and automates the registration!
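A text arithmetic challenge along the lines soapy describes, as an added PHP example (not soapy's Codewalkers snippet or phpBB code), with two changes a defender would make: the operands and operator are spelled out as words with a random operator, which also keeps it usable without an image, and the expected answer is kept server-side in the session instead of in hidden form fields, so it cannot be read from the page. The word list, the operand range and the session key are assumptions.

```php
<?php
// Added example, not soapy's snippet or phpBB code: a word-based
// arithmetic challenge whose answer lives in the session, not in hidden
// fields. Assumptions: word list, operand range and session key name.

const CHALLENGE_SESSION_KEY = 'post_challenge_answer';

function number_word(int $n): string
{
    static $words = ['zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine', 'ten'];
    return $words[$n];
}

/** Returns the question text and stores the answer in $session (by reference). */
function issue_challenge(array &$session): string
{
    $a = random_int(1, 10);
    $b = random_int(1, 10);
    $ops = ['plus' => $a + $b, 'minus' => $a - $b, 'times' => $a * $b];
    $op = array_rand($ops);  // random operator word
    $session[CHALLENGE_SESSION_KEY] = $ops[$op];
    return sprintf('What is %s %s %s?', number_word($a), $op, number_word($b));
}

/** One attempt per issued challenge: the stored answer is cleared either way. */
function verify_challenge(array &$session, string $submitted): bool
{
    if (!array_key_exists(CHALLENGE_SESSION_KEY, $session)) {
        return false;  // no challenge was issued for this session
    }
    $expected = (string) $session[CHALLENGE_SESSION_KEY];
    unset($session[CHALLENGE_SESSION_KEY]);  // a used answer cannot be replayed
    return hash_equals($expected, trim($submitted));
}

// Constructed walk-through with an array standing in for $_SESSION.
$session  = [];
$question = issue_challenge($session);               // e.g. "What is seven minus three?"
$answer   = (string) $session[CHALLENGE_SESSION_KEY]; // what a human reader would type
var_dump(verify_challenge($session, $answer));       // first attempt with the right answer
var_dump(verify_challenge($session, $answer));       // the same answer replayed after it was consumed
```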
