Anti-Spam Thread!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: Anti-Spam Thread!

Post by drathbun »

It will be an interesting experiment, but I can tell you that I've already changed the "welcome inactive" and other email templates years ago, before spam was an issue, and it does not stop spammer registrations. My welcome active / welcome inactive contain a number of paragraphs about the board and so on so the text is completely different. I was still getting spammer registrations.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
Dog Cow
Registered User
Posts: 2500
Joined: Fri Jan 28, 2005 12:14 am
Contact:

Re: Anti-Spam Thread!

Post by Dog Cow »

drathbun wrote:My welcome active / welcome inactive contain a number of paragraphs about the board and so on so the text is completely different. I was still getting spammer registrations.
Spam bots don't care about extra text, so I can see why that wouldn't change anything. They have regex's to search out the activation URLs:

Code: Select all

[USERNAME]
yournickname

[PASSWORD]
yourpassword

[HOST]
pop.mail.ru

[PORT]
110

[HEADERNEEDS]
#--------------------------------------------------------------------
#   [...] îçíà÷àåò, ÷òî òàì ìîæåò ÷òî-òî áóäåò, à ìîæåò è íå áóäåò
#--------------------------------------------------------------------
[...]Ðåãèñòðàöèÿ[...]
[...]Äîáðî ïîæàëîâàòü[...]
[...]Òðåáîâàíèÿ íåîáõîäèìûå[...]
[...]òðåáóåò àêòèâàöèè[...]
[...]Àêòèâàöèÿ ïîëüçîâàòåëÿ[...]
[...]Äàííîå äåéñòâèå òðåáóåòñÿ[...]
[...]Äàííîå äåéñòâèå òðåáóåò[...]
[...]Welcome to[...]
[...]Benvenuto[...]
[...]Bienvenido[...]
[...]Willkommen auf[...]
[...]Bienvenue sur[...]
[...]Action Req[...]
[...]Registra[...]
[...]rejestra[...]
[...]Account validated at[...]
[...]activation[...]
[...]Aktivierung[...]
[...]Attivare[...]
[...]Ïîäòâåðæäåíèå ðåãèñòðàöèè[...]
[...]Äàííûå äëÿ àêòèâèçàöèè[...]
[...]Àêòèâèçàöèè àêêàóíòà[...]
[...]Confirm Your Account[...]
[...]- Your Password[...]
[...]Àêòèâàöèÿ[...]
[...]Account validated[...]
[...]Bine ati[...]
[...]tejte na[...]
[...]tejte v[...]
[...]Bine ati[...]
[...]Bienven[...]
[...]for[...]
[ENDLIST]

[LINKNEEDS]
#--------------------------------------------------------------------
#   ñëîâî - íå÷òî, íàõîäÿùååñÿ ìåæäó ïðîáåëàìè,<,>,(,),[,],çàïÿòûìè,êîíöàìè ñòðîê.êàâû÷êàìè
#   ññûëêà - ñëîâî, ïîäõîäÿùåå ïîä îäèí èç ýòèõ øàáëîíîâ 
#--------------------------------------------------------------------
http://[...]?act=Reg&CODE=03&SID=[...]
http://[...]?act=Reg&CODE=03&aid=[...]
http://[...]register.php?a=act[...]i=[...]
http://[...]profile.php?mode=activate[...]&act_key=[...]
http://[...]index.php?act=Reg[...]&CODE=[...]&aid=[...]
http://[...]?action=profile;username=[...]
http://[...]?name=Your_Account&op=activate&username=[...]
http://[...]profile.php?action=confirm_account&id=[...]
http://[...]ultimatebb.cgi[...]
http://[...]/login.php[...]
http://[...]index.php?t=emailconf&conf_key=[...]
http://[...]panel.php?act=activate&id=[...]
http://[...]action=activate;u=[...]
http://[...]/act?u=[...]
[ENDLIST]

[USERNAMENEEDS]
Your Username is: [TO][CR]
-Username: [TO][CR]
-Password: [TO][CR]
Username: [TO][CR]
username: [TO][CR]
User: [TO][CR]
user: [TO][CR]
Âàøå èìÿ ïîëüçîâàòåëÿ -  [TO],
Ëîãèí: [TO][CR]
Your Login (User) Name: [TO][CR]
Your login (user) name: [TO][CR]
Ëîãèí ïîëüçîâàòåëÿ: [TO][CR]
Èìÿ ïîëüçîâàòåëÿ: [TO][CR]
Nom d’utilisateur: [TO][CR]
[ENDLIST]


[PASSNEEDS]
Ïàðîëü: [TO][CR]
Password: [TO][CR]
Pass: [TO][CR]
password: [TO][CR]
pass: [TO][CR]
 è Âàø ïàðîëü -  [TO][CR]
Your password: [TO][CR]
Mot de passe: [TO][CR]
Heslo: [TO][CR]
[ENDLIST]
That's the entire contents of the spam bot's xpop.txt file.

Some other notes
I sent the bot out to my own site to probe it. Since in my admin panel, I can see the exact session URLs, I was able to watch the bot. Not only was it able to navigate to the general discussion forum named 'Cafe', but it also navigated to Cafe's subforum, 'Links'. Note too that on my site, there was a change made years ago such that viewforum.php was renamed to showcat.php. They can scrape text, find if it's part of a link, then go there. :shock: I know some of this sounds pretty obvious, but it is pretty neat to sit back and watch the effects-- then try and see how you can thwart it. :twisted:

There's even some code where if it can detect that either BBCode or HTML has been disabled, it will always use the appropriate markup so its links work. On my forum, I have those three statuses removed, so the bots always post HTML, which of course looks really bad and does not render (though the links get auto-magically link-ified).
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookMac GUIMac 512K Blog
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: Anti-Spam Thread!

Post by drathbun »

Hm, then I didn't read this closely enough. You wrote:
Dog Cow wrote:The World's Best Anti-Spam MOD
If my theories are correct, I now have the world's best anti-spam mod for automated spam bots. Here it is:

Change the strings in lang_main.php, then change the contents of the welcome_inactive email
Then you wrote:
Dog Cow wrote:Spam bots don't care about extra text, so I can see why that wouldn't change anything.
What did you mean to suggest changing then?
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
Dog Cow
Registered User
Posts: 2500
Joined: Fri Jan 28, 2005 12:14 am
Contact:

Re: Anti-Spam Thread!

Post by Dog Cow »

drathbun wrote:Hm, then I didn't read this closely enough. You wrote:
Dog Cow wrote:The World's Best Anti-Spam MOD
If my theories are correct, I now have the world's best anti-spam mod for automated spam bots. Here it is:

Change the strings in lang_main.php, then change the contents of the welcome_inactive email
Then you wrote:
Dog Cow wrote:Spam bots don't care about extra text, so I can see why that wouldn't change anything.
What did you mean to suggest changing then?
In the email, they are searching for a specific thing. Everywhere else, they are also searching for specific text. One must change that-- what they are searching for.
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookMac GUIMac 512K Blog
Locked

Return to “2.0.x Discussion”