Anti-Spam Thread!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Locked
Free-Spirit
Registered User
Posts: 15
Joined: Sun Jun 04, 2006 4:15 am

Post by Free-Spirit »

:lol: Didn't mean to step on toes. I have learned so much from this forum figured I should at least help out on something easy he he....
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

Free-Spirit wrote: :lol: Didn't mean to step on toes. I have learned so much from this forum figured I should at least help out on something easy he he....


It's great that people try and help, it's just that I opened the window in an extra tab, and didn't get around to reading it for a few min. By that time you already posted (I just have to remember to refresh the page before I post and see if there were new posts). :P
dealsaroundus
Registered User
Posts: 10
Joined: Tue Jan 25, 2005 4:38 pm

Post by dealsaroundus »

Very Helpful
Don't just Shop , Shop smarter.

www.dealsaroundus.com

..never miss a deal
Arella
Registered User
Posts: 4
Joined: Thu Jun 22, 2006 4:56 am
Location: New Zealand

Post by Arella »

For those interested, a site about tracking the spammers can be found here.
4040
Registered User
Posts: 104
Joined: Fri Jan 21, 2005 10:29 pm

Post by 4040 »

Guys, quick question:

Will putting *@example.com ban all registration using an 'example.com' mail address?

That would be such a lifesaver for me.
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

4040 wrote: Guys, quick question:

Will putting *@example.com ban all registration using an 'example.com' mail address?

That would be such a lifesaver for me.


Yes. :P
slinger
Registered User
Posts: 13
Joined: Sun Jul 18, 2004 11:39 pm

Post by slinger »

I don't think there can be much doubt about "human" spammers hitting our boards after just being spammed by these people...

h**p://www.forumposters.org/forum/

Legit? You decide.
Toumal
Registered User
Posts: 13
Joined: Tue Jun 28, 2005 8:36 am

Post by Toumal »

I have bad news:

The spammers don't bother using your registration forms. They don't even have to solve any captchas.

I know this, because I completely commented out and removed the original phpbb user registration code and am now handling the registrations in another part of the site. I received a couple of spams recently, and they registered a user WITHOUT going through my main site. All I saw was a new phpbb user, but NO trace in the main site logs. Since there is no code in my phpbb that does an insert into the user table anymore this can mean only one of the following:

1) A not-yet discovered SQL injection in phpbb itself

or

2) An SQL injection in the attachment mod (which I'm also running)


I'm afraid that until the hole is found, any "enhancement" to the captcha graphics will not yield any fruit.
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

What code did you remove?
Toumal
Registered User
Posts: 13
Joined: Tue Jun 28, 2005 8:36 am

Post by Toumal »

In include/usercp_register.php, there's only one line with "insert into" and the USERS_TABLE. I grepped through the entire forum and I'm fairly sure that there is NO way to register a user via the phpbb-supplied code anymore.

And the other entry logs all the registrations AND does a couple of other things in the db, so I know for certain that they do not use the (selfmade) main entrance. Considering the postings in this forum, I'd say they use a vulnerability.


EDIT: I have a suggestion: One of you with a medium-sized forum that has this spam problem should enable complete MySQL logging. I can't do this myself because it would mean a pretty insane amount of log data after just a short time :?
Then, wait until a couple of spammers do their job. I bet that the SQL trail leading up to the "insert into phpbb.Users" will be different from the one you see with normal users, and that it will be the same for all spammers.
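
The comparison Toumal proposes, sketched as an added example (not code from the thread): it groups a MySQL general query log by connection id, reduces each statement to verb plus table, and reports which distinct trails end in an insert into the users table. Assumptions: the old-style general log layout, one connection per page request, the default `phpbb_users` table name, and a hypothetical `site_signup_log` table standing in for the logging his own signup page does.

```python
import re
from collections import defaultdict

# Old-style MySQL general query log line: [timestamp] thread-id command argument
LINE = re.compile(r"^(?:\d{6}\s+[\d:]+)?\s*(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$")
# Reduce a statement to "VERB table" so differing literal values do not split trails
SHAPE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b(?:.*?\b(?:FROM|INTO))?\s+`?([\w.]+)", re.I | re.S)

def shape(sql):
    m = SHAPE.match(sql)
    return f"{m.group(1).upper()} {m.group(2).lower()}" if m else "OTHER"

def registration_trails(log_text, users_table="phpbb_users"):
    """Map each distinct trail ending in an INSERT into users_table to its connection ids."""
    per_conn, trails = defaultdict(list), defaultdict(list)
    target = f"INSERT {users_table.lower()}"
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "Query":
            continue  # skips Connect/Quit and continuation lines of multi-line queries
        conn, stmt = int(m.group(1)), shape(m.group(3))
        per_conn[conn].append(stmt)
        if stmt == target:
            trails[tuple(per_conn[conn])].append(conn)
    return dict(trails)

def off_path(trails, required="INSERT site_signup_log"):
    """Connection ids that created a user without the statement the real signup runs."""
    return sorted(c for trail, conns in trails.items() if required not in trail for c in conns)

# Constructed sample log; site_signup_log is a hypothetical table written by the real signup page
SAMPLE_LOG = """\
060624 10:02:11\t     11 Connect\tforum@localhost on forum
\t\t     11 Query\tSELECT * FROM phpbb_config
\t\t     11 Query\tINSERT INTO site_signup_log (ip, name) VALUES ('192.0.2.10', 'alice')
\t\t     11 Query\tINSERT INTO phpbb_users (user_id, username) VALUES (501, 'alice')
060624 10:05:40\t     12 Connect\tforum@localhost on forum
\t\t     12 Query\tSELECT * FROM phpbb_config
\t\t     12 Query\tSELECT MAX(user_id) AS total FROM phpbb_users
\t\t     12 Query\tINSERT INTO phpbb_users (user_id, username) VALUES (502, 'x1')
060624 10:06:02\t     13 Connect\tforum@localhost on forum
\t\t     13 Query\tSELECT * FROM phpbb_posts WHERE post_id = 9
060624 10:09:17\t     14 Connect\tforum@localhost on forum
\t\t     14 Query\tSELECT * FROM phpbb_config
\t\t     14 Query\tSELECT MAX(user_id) AS total FROM phpbb_users
\t\t     14 Query\tINSERT INTO phpbb_users (user_id, username) VALUES (503, 'x2')
"""
print(off_path(registration_trails(SAMPLE_LOG)))
```

Two connections sharing one trail that never touches the signup log is the pattern the post predicts; the trail itself then shows which statements ran before the insert.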
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

Beats me, you should submit it to the security tracker then. :)
Toumal
Registered User
Posts: 13
Joined: Tue Jun 28, 2005 8:36 am

Post by Toumal »

Unfortunately, my forum is too heavily modded so I cannot point the finger to phpbb and say "this is it".

However, I do have another suggestion for you guys:

Try changing your phpbb table name prefix to something else, something that is hard to guess. You will have to rename the tables, and then change the table prefix in config.php

The default prefix is "phpbb_" which makes it very easy to inject something into a table if there's an injection hole. If you change the table names, the attacker has to find out the table name himself.

NOTE: You also need to disable debugging (in constants.php) or else error messages may show the table name.
Ramon Fincken
Registered User
Posts: 4835
Joined: Thu Oct 14, 2004 1:04 am
Location: NL, The Netherlands Amsterdam area @GMT +1

Post by Ramon Fincken »

Block all fields with forbidden words / Antispam for all fields updated !

http://www.phpbb.com/phpBB/viewtopic.php?p=2148409

** upgrade 1.1.2 -> 1.1.3 23032006
* Better word recognition algorithm
* Possibility to send mail to site admin with ALL the post vars, incl link to profile and IP + proxy forwarded IP
* Possibility to create a usergroup. The 'bypass group'-members have the check option set to OFF so they can post without restrictions.

** upgrade 1.1.3 -> 1.1.4 28032006
* Added a function for group check. Was left out in V 1.1.3
Upgrade instructions are in the 1.1.4 zipfile
Thanks to Stephen W. Thomas for posting the error!
Dutch quality fully managed WordPress hosting - ManagedWPHosting.nl

Before changing a file, some code or installing a MOD >> Make a backup first!

Do you like my mods? paypal me $1 :) forumsoftware[AT}creativepulses[DOT}nl
PhpBBantispam.com || Instant find your mod here
Toumal
Registered User
Posts: 13
Joined: Tue Jun 28, 2005 8:36 am

Post by Toumal »

UPDATE: Changing the table names did not help. Also, I am now biting into the lemon and have enabled complete SQL logging. So next time a spammer comes along, I will know how he came in.


@Ramon: I don't want to make your efforts look bad, but word filtering is only effective until the spammers do the same things they do in emails these days: obfuscating the text via "sp3_c1al w rit ing th4t fo ols fillterrs".
Ramon Fincken
Registered User
Posts: 4835
Joined: Thu Oct 14, 2004 1:04 am
Location: NL, The Netherlands Amsterdam area @GMT +1

Post by Ramon Fincken »

Toumal wrote: UPDATE: Changing the table names did not help. Also, I am now biting into the lemon and have enabled complete SQL logging. So next time a spammer comes along, I will know how he came in.


@Ramon: I don't want to make your efforts look bad, but word filtering is only effective until the spammers do the same things they do in emails these days: obfuscating the text via "sp3_c1al w rit ing th4t fo ols fillterrs".


@toumal check out my code... or check out the specs in the topic..

My code will read

sp3_c1al w rit ing th4t fo ols fillterrs

as

special writing that fools fillterrs

feel free to check it out!

rfn
Dutch quality fully managed WordPress hosting - ManagedWPHosting.nl

Before changing a file, some code or installing a MOD >> Make a backup first!

Do you like my mods? paypal me $1 :) forumsoftware[AT}creativepulses[DOT}nl
PhpBBantispam.com || Instant find your mod here
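
One way a filter can see through the obfuscation discussed in the last two posts, as an added example (not the MOD's code, which the thread does not show): it undoes look-alike characters, drops separators, collapses repeated letters, and maps each hit back to the slice of the original text. The substitution table and the forbidden words are assumptions made for the example.

```python
# Look-alike substitutions; an illustrative subset chosen for this example
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

def normalise(text):
    """Return (stream, index_map). stream keeps only a-z after undoing look-alikes
    and collapsing repeated letters; index_map[i] is the offset in text of stream[i]."""
    stream, index_map = [], []
    for pos, raw in enumerate(text):
        ch = LEET.get(raw.lower(), raw.lower())
        if len(ch) == 1 and "a" <= ch <= "z" and (not stream or stream[-1] != ch):
            stream.append(ch)
            index_map.append(pos)
    return "".join(stream), index_map

def find_hits(text, forbidden):
    """List (forbidden_word, matching slice of the original text) for a moderator to review."""
    stream, index_map = normalise(text)
    hits = []
    for word in sorted(forbidden):
        needle, _ = normalise(word)
        at = stream.find(needle) if needle else -1
        if at != -1:
            start, end = index_map[at], index_map[at + len(needle) - 1] + 1
            hits.append((word, text[start:end]))
    return hits

# The obfuscated sentence quoted in the thread
SAMPLE = "sp3_c1al w rit ing th4t fo ols fillterrs"

if __name__ == "__main__":
    print(find_hits(SAMPLE, {"special", "filters", "pills"}))
    # Spaces are ignored, so words can match across a word boundary ("grasp amount"
    # contains "sp am"): queue hits for review instead of rejecting the post outright.
    print(find_hits("grasp amount", {"spam"}))
```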