Anti-Spam Thread!

[Free-Spirit]

Didn't mean to step on toes. I have learned so much from this forum figured I should at least help out on something easy he he....

[EXreaction]

Didn't mean to step on toes. I have learned so much from this forum figured I should at least help out on something easy he he....

Its great that people try and help, its just that I opened the window in an extra tab, and didn't get around to reading it for a few min. By that time you already posted(I just have to remember to refresh the page before I post and see if there were new posts).

[dealsaroundus]

Very Helpful

[Arella]

For those interested, a site about tracking the spammers can be found here.

[4040]

Guys, quick question:

Will putting *@example.com ban all registration using an 'example.com' mail address?

That would be such a lifesaver for me.

[EXreaction]

Guys, quick question:

Will putting *@example.com ban all registration using an 'example.com' mail address?

That would be such a lifesaver for me.

Yes.

[slinger]

I don't think there can be much doubt about "human" spammers hitting our boards after just being spammed by these people...

h**p://www.forumposters.org/forum/

Legit? You decide.

[Toumal]

I have bad news:

The spammers don't bother using your registration forms. They don't even have to solve any captchas.

I know this, because I completely commented out and removed the original phpbb user registration code and am now handling the registrations in another part of the site. I received a couple of spams recently, and they registered a user WITHOUT going through my main site. All I saw was a new phpbb user, but NO trace in the main site logs. Since there is no code in my phpbb that does an insert into the user table anymore this can mean only one of the following:

1) A not-yet discovered SQL injection in phpbb itself

or

2) An SQL injection in the attachment mod (which I'm also running)


I'm afraid that until the hole is found, any "enhancement" to the captcha graphics will not yield any fruit.

[EXreaction]

What code did you remove?

[Toumal]

In include/usercp_register.php, there's only one line with "insert into" and the USERS_TABLE. I grepped through the entire forum and I'm fairly sure that there is NO way to register a user via the phpbb-supplied code anymore.

And the other entry logs all the registrations AND does a couple of other things in the db, so I know for certain that they do not use the (selfmade) main entrance. Considering the postings in this forum, I'd say they use a vulnerability.


EDIT: I have a suggestion: Someone of you with a medium-sized forum that has this spam problem should enable complete mysql logging. I can't do this myself because it would mean a pretty insane amount of log data after just a short time
Then, wait until a couple of spammers do their job. I bet that the SQL trail leading up to the "insert into phpbb.Users" will be different from the one you see with normal users, and that it will be the same for all spammers.

[EXreaction]

Beats me, you should submit it to the security tracker then.

[Toumal]

Unfortunately, my forum is too heavily modded so I cannot point the finger to phpbb and say "this is it".

However, I do have another suggestion for you guys:

Try changing your phpbb table name prefix to something else, something that is hard to guess. You will have to rename the tables, and then change the table prefix in config.php

The default prefix is "phpbb_" which makes it very easy to inject something into a table if there's an injection hole. If you change the table names, the attacker has to find out the table name himself.

NOTE: You also need to disable debugging (in constants.php) or else error messages may show the table name.

[Ramon Fincken]

Block all fields with forbidden words / Antispam for all fields updated !

http://www.phpbb.com/phpBB/viewtopic.php?p=2148409

** upgrade 1.1.2 -> 1.1.3 23032006
* Better word recognition algoritm
* Possibility to sent mail to site admin with ALL the post vars, incl link to profile and IP + proxy forwarded IP
* Possibility to create a usergroup. The 'bypass group'-members have the check option set to OFF so they can post without restrictions.

** upgrade 1.1.3 -> 1.1.4 28032006
* Added a function for group check. Was left out in V 1.1.3
Upgrade instructions are in the 1.1.4 zipfile
Thanks to Stephen W. Thomas for posting the error!

[Toumal]

UPDATE: Changing the table names did not help. Also, I am now biting into the lemon and have enabled complete SQL logging. So next time a spammer comes along, I will know how he came in.


@Ramon: I don't want to make your efforts look bad, but word filtering is only effective until the spammers do the same things they do in emails these days: obfuscating the text via "sp3_c1al w rit ing th4t fo ols fillterrs".

[Ramon Fincken]

UPDATE: Changing the table names did not help. Also, I am now biting into the lemon and have enabled complete SQL logging. So next time a spammer comes along, I will know how he came in.


@Ramon: I don't want to make your efforts look bad, but word filtering is only effective until the spammers do the same things they do in emails these days: obfuscating the text via "sp3_c1al w rit ing th4t fo ols fillterrs".

@toumal check out my code... or check out the specs in the topic..

My code will read

Code: Select all

sp3_c1al w rit ing th4t fo ols fillterrs

as

Code: Select all

special writing that fools fillterrs

feel free to check it out!

rfn