PhpBB: easy to spam?

Posted: Sat Apr 17, 2004 1:33 pm
by Daan Vanheel
Let me first tell you a story: I'm on a message board run by vBulletin, and my friend and I discovered a hidden forum... after posting a little while, we found out we could post anything we wanted there, and nobody would see it (it wasn't even in our latest posts, etc.). I got bored with the fact that there was a 30-second spam protection, and it took me a while to get more posts.
So I started writing a little script that had a variable with some text in it, scrambled the text to make some random crap out of those words, and put it into a form with the exact names of the forms for posting replies in vBulletin. I was surprised to see that it actually worked. After some more scripting (this is all basic PHP) I found a way to automatically send the forms when the page loads, and refresh it after 30 seconds to post another post 'o crap.
All good and well, but I'm not a spammer: I was more excited about the fact that it works rather than the fact that I could get more posts.
Then I came to a message board that has phpBB2, and I decided to test it out. All I had to do was change some variable names and voila, a spam machine for phpBB2.
What I'm trying to say is: this isn't very thoughtful, and I was shocked there wasn't protection for this in phpBB, nor vBulletin. Anybody, even me, can make a spam page for any forum.
This can be avoided easily, just by checking the referer page on the posting.php page.

If you want I can give you the script.. but I don't feel that it's necessary, nor safe, to display it on these boards.

Thanks for your time,
Daan Vanheel

edit: don't get me wrong, I'm not using this for bad (spamming). I just wanted to test if it worked

Posted: Sat Apr 17, 2004 1:59 pm
by niekas
Checking the HTTP Referer is not a perfect solution at all - your spam script can be easily modified to spoof that.

And remember some people have all kinds of privacy applications on their computer, and quite a few of them block the HTTP Referer from being passed back to the script.

Posted: Sat Apr 17, 2004 2:01 pm
by Daan Vanheel
Well, it's better than nothing, and it can be a good temporary solution.

Posted: Sat Apr 17, 2004 2:05 pm
by Draegonis
That's because there isn't really a valid long-term solution. That's why there's such a thing as a ban.
As a side note, just think how easy it is to spam an email address...

Posted: Sat Apr 17, 2004 2:18 pm
by Daan Vanheel
I believe some genius scripter must be able to think of something.
Although most genius scripters are on the "dark side" :mrgreen:

Posted: Sat Apr 17, 2004 2:19 pm
by Draegonis
The genius scripter that wrote phpBB has already thought this through many many times. ;)
phpBB 2.2 will have greater user management controls too.

Posted: Sat Apr 17, 2004 2:22 pm
by ShadowLord
Can't wait till 2.2 gets more stable in the CVS, I'm anxious to make a mod or two on it lol. Will the updated version have a message delay timer so you can't periodically spam topics?

Posted: Sat Apr 17, 2004 2:23 pm
by Draegonis
phpBB already has a message delay timer.

Posted: Sat Apr 17, 2004 2:29 pm
by ShadowLord
It does? Never noticed, probably because I'm on a very slow dial-up connection :lol:

Posted: Sat Apr 17, 2004 4:34 pm
by yoshi15
ShadowLord wrote: It does? Never noticed, probably because I'm on a very slow dial-up connection :lol:

Probably because the default amount is 15 seconds.

Posted: Sat Apr 17, 2004 4:49 pm
by andrew johnson
If you change it to 60 secs, that will prevent spamming :)

Posted: Sat Apr 17, 2004 5:27 pm
by Daan Vanheel
Well, then just change the refresh time on my script to 60 seconds and there ya go.. some more spamming...

Posted: Sat Apr 17, 2004 5:28 pm
by Draegonis
andrew johnson wrote: If you change it to 60 secs, that will prevent spamming :)

Not quite, as noted by the topic starter. It will, however, certainly help reduce spam on smaller boards, but is not recommended on larger boards, as it would surely drive your members to their wits' end.
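The three defences argued over in this thread side by side, as an added example that is not from the original posts nor from phpBB's own code: the referer check proposed in the opening post, a server-side form token that the static spam page cannot produce because it never loads the reply form, and a flood timer keyed on the account rather than on the client's refresh rate. The board URL, the secret, the user and session ids and the timestamps are all constructed for the example.

```python
import hashlib
import hmac

# Constructed values for this example; a real board would keep its secret in
# config and the last-post times in the session or user table.
SERVER_SECRET = b"example-only-secret"
BOARD_URL = "http://board.example/"
FLOOD_INTERVAL = 15          # phpBB 2's default flood control, in seconds
TOKEN_MAX_AGE = 3600         # a reply form older than this must be reloaded

last_post_time = {}          # user id -> unix time of the last accepted post


def check_referer(headers):
    """The check proposed in the opening post. A script sets Referer to
    whatever it likes, and privacy tools strip it for real users, so this
    turns away the wrong people and admits the bot."""
    return headers.get("Referer", "").startswith(BOARD_URL)


def issue_form_token(session_id, issued_at):
    """Minted when the board renders the reply form: an HMAC over the session
    id and the issue time. A static spam page that never loads the form has
    nothing to submit, and a token copied from another session fails."""
    msg = f"{session_id}:{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def check_form_token(session_id, token, now):
    try:
        issued_at = int(token.split(":", 1)[0])
    except (AttributeError, ValueError):
        return False
    if now - issued_at > TOKEN_MAX_AGE:
        return False
    expected = issue_form_token(session_id, issued_at)
    return hmac.compare_digest(expected, token)


def check_flood(user_id, now):
    """Server-side timer keyed on the account, so refreshing faster on the
    client side gains the script nothing."""
    last = last_post_time.get(user_id)
    return last is None or now - last >= FLOOD_INTERVAL


def accept_post(user_id, session_id, form, now):
    """What a posting.php would run before inserting the post. Returns
    (accepted, reason). The Referer is deliberately not consulted."""
    if not check_form_token(session_id, form.get("form_token"), now):
        return False, "missing or invalid form token"
    if not check_flood(user_id, now):
        return False, "flood control"
    last_post_time[user_id] = now
    return True, "ok"


def demo():
    """Replays the thread's scenario and returns the outcomes."""
    last_post_time.clear()
    results = {}
    # The static spam page from the opening post: right field names, spoofed
    # Referer, no token because it never loaded the reply form.
    spoofed = {"Referer": BOARD_URL + "posting.php?mode=reply&t=1"}
    results["bot_passes_referer_check"] = check_referer(spoofed)
    results["bot_accepted"] = accept_post("spammer", "bot-session",
                                          {"message": "random crap"}, now=1000)[0]
    # A real member whose privacy software strips Referer is rejected by the
    # referer check but sails through the token check.
    results["member_passes_referer_check"] = check_referer({})
    token = issue_form_token("member-session", issued_at=990)
    results["member_accepted"] = accept_post("member", "member-session",
                                             {"form_token": token}, now=1000)[0]
    # The same member again 5 seconds later hits flood control, however fast
    # the client refreshes.
    token2 = issue_form_token("member-session", issued_at=1004)
    results["member_retry_5s"] = accept_post("member", "member-session",
                                             {"form_token": token2}, now=1005)
    return results
```

The token does not stop a bot that fetches the reply form first and parses the hidden field out of it; as Daan Vanheel notes, a script can also simply wait out the flood interval. What the two checks together buy is that the spam page described in the opening post, which never loads the form and submits on a fixed refresh, stops working, and that a member whose browser sends no Referer at all is not punished for it.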

Posted: Sun Apr 18, 2004 2:43 am
by Darth Wong
There's no really automatic way to block spammers, because it's hard for software to distinguish between a spammer and a guy who just posts a lot.

The only workable solution is to ban people who spam, and if they're really stubborn, switch to admin-approved registrations in order to make it more of a pain in the nuts for them to get back in.

Posted: Sun Apr 18, 2004 3:21 pm
by Techie-Micheal
Darth Wong wrote: There's no really automatic way to block spammers, because it's hard for software to distinguish between a spammer and a guy who just posts a lot.

The only workable solution is to ban people who spam, and if they're really stubborn, switch to admin-approved registrations in order to make it more of a pain in the nuts for them to get back in.

I can think of a couple of ways, but they are overkill. I can't go into a whole lot of detail because I haven't worked out everything yet. :P

One way is to detect someone requesting, say, posting.php every 10 seconds, then send a RST packet. But as you said, that could lead to a lot of false positives. Another way might be to look for known signatures, and reset the connections for those. Like I said, overkill, but in theory it could work. Again, this one is riddled with problems as well. The signatures can be easily spoofed.
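The first idea in the post above, detecting a client that hits posting.php on a fixed timer, worked through as an added example that is not part of the original thread or of phpBB: it reads Apache combined-format access log lines, groups POSTs to posting.php by client IP and flags an IP whose gaps between posts are nearly constant, which is what a script on a refresh timer produces and a person typing replies does not. The log lines, IP addresses, paths and user agents are constructed for the example; what to do with a flagged IP (ban, reset its connections) is left to the admin.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines (not real board traffic).
# 203.0.113.7 is a script firing posting.php every 30 seconds; 198.51.100.2
# is a member replying by hand at irregular intervals.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2004:13:33:01 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "-" "spamscript/0.1"
198.51.100.2 - - [17/Apr/2004:13:33:05 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "http://board.example/phpBB2/viewtopic.php?t=1" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2004:13:33:31 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "-" "spamscript/0.1"
203.0.113.7 - - [17/Apr/2004:13:34:01 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "-" "spamscript/0.1"
203.0.113.7 - - [17/Apr/2004:13:34:31 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "-" "spamscript/0.1"
198.51.100.2 - - [17/Apr/2004:13:36:40 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "http://board.example/phpBB2/viewtopic.php?t=1" "Mozilla/5.0"
198.51.100.2 - - [17/Apr/2004:13:41:12 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "http://board.example/phpBB2/viewtopic.php?t=2" "Mozilla/5.0"
198.51.100.2 - - [17/Apr/2004:13:52:03 +0000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "http://board.example/phpBB2/viewtopic.php?t=2" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Returns a dict of the fields, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_periodic_posters(log_text, min_posts=4, max_cv=0.1):
    """Group POSTs to posting.php by client IP and flag IPs with at least
    min_posts whose inter-post gaps are nearly constant (coefficient of
    variation, stdev/mean, at or below max_cv).
    Returns {ip: {"posts": n, "mean_interval": seconds, "cv": ratio}}."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/posting.php"):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            flagged[ip] = {"posts": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for ip, info in find_periodic_posters(SAMPLE_LOG).items():
        print(f"{ip}: {info['posts']} posts, every {info['mean_interval']:.0f}s (cv={info['cv']:.2f})")
```

The regularity test catches exactly the kind of script described at the top of the thread, a page that refreshes on a fixed delay, and nothing else: a script that adds random jitter to its delay, or several accounts on one shared proxy, will either slip under the threshold or trigger the false positives the post warns about. It is a signal for a moderator to look at, not a ban rule on its own.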