[ABD] phpBB spam hammer

Any abandoned MODs will be moved to this forum.

WARNING: MODs in this forum are not currently being supported or maintained by the original MOD author. Proceed at your own risk.
Forum rules
IMPORTANT: MOD Development Forum rules

WARNING: MODs in this forum are not currently being supported nor updated by the original MOD author. Proceed at your own risk.
dangerousprototypes
Registered User
Posts: 91
Joined: Fri Feb 11, 2011 5:53 am
Contact:

Re: [DEV] phpBB spam hammer

Post by dangerousprototypes » Thu Feb 24, 2011 5:51 pm

Checked in class vr751:
*fixes to extreme mode
*fixes to extreme mode logging
*if you only include site.com in URL whitelists it should be OK with http://site.com and site.com

I fixed the whitelistsite.com/http://whitelistsite.com issue by changing the order of the search and replace operations. It should replace whitelists sites with ownsite FIRST now, and then so the HTTP:// replacement, and THEN do link removal. That should whitelists all variants of whitelist sites without a lot of coding fuss, PROVIDED: you must enter them as externalsite.com NOT http://externalsite.com
Please do not PM or mail with questions. Ask in the forum where everyone can share the answer.

John T. Folden
Registered User
Posts: 188
Joined: Tue Sep 04, 2007 12:16 am

Re: [DEV] phpBB spam hammer

Post by John T. Folden » Fri Feb 25, 2011 12:08 am

Great work, thanks for that!

---

This logging stuff is even more fun than I expected... not only are some of the bots really dumb but some of the human spammers seem not so very bright, either. :mrgreen:

I'm curious about a particular behavior I'm seeing though...

Occasionally, I'm seeing something like:
Anonymous 79.140.172.25 Today, 5:34 pm {Spam hammer: CHECKED POST of 'Anonymous'. OK}
Anonymous 78.47.204.124 Today, 9:12 am {Spam hammer: CHECKED POST of 'Anonymous'. OK}

and at first I thought it was simply an approved guest post... but then once last night and twice today now, I've noticed what seems to be 15-20 messages like the above over the course of a 5 minute period. There are no posts in the forum that match these time periods, either...

Is this some sort of brainless zombie bot trying to post what happens to be a non-spammy message and hitting preview instead of submit or...???? :lol:
The Blue Whale Pub - SPN/SF/F TV Discussion Forum
ZOMBIE ALERT: The Walking Dead are coming to AMC!

dangerousprototypes
Registered User
Posts: 91
Joined: Fri Feb 11, 2011 5:53 am
Contact:

Re: [DEV] phpBB spam hammer

Post by dangerousprototypes » Fri Feb 25, 2011 7:17 am

and at first I thought it was simply an approved guest post... but then once last night and twice today now, I've noticed what seems to be 15-20 messages like the above over the course of a 5 minute period. There are no posts in the forum that match these time periods, either...
It also logs the preview because it scans and shows errors when users preview a message. I'd guess it was a bot or even search bot pressing the button on the guest post.
Please do not PM or mail with questions. Ask in the forum where everyone can share the answer.

dangerousprototypes
Registered User
Posts: 91
Joined: Fri Feb 11, 2011 5:53 am
Contact:

Re: [DEV] phpBB spam hammer

Post by dangerousprototypes » Fri Feb 25, 2011 9:05 am

Uploaded r753 class to SVN. This is a drop-in upgrade
*Fixed extreme delete for too many links in post problem (needed to include user functions and global variables)
*Cleaned up the extreme delete logs, now does a short log to admin, detailed log to user with content that caused delete
*General cleanup
*extreme set to false by default (accidentally checked in my own copy last time)
*tested new whitelist function, seems to work ok.
Please do not PM or mail with questions. Ask in the forum where everyone can share the answer.

Philthy
Registered User
Posts: 210
Joined: Tue Dec 27, 2005 10:05 am
Location: Dawlish, Devon
Contact:

Re: [DEV] phpBB spam hammer

Post by Philthy » Sat Feb 26, 2011 10:43 am

Updated the install package to include the latest class, and edited the wiki to correct the install instructions.
Go on ! it's not as steep as it looks.....

Philthy
Registered User
Posts: 210
Joined: Tue Dec 27, 2005 10:05 am
Location: Dawlish, Devon
Contact:

Re: [DEV] phpBB spam hammer

Post by Philthy » Sat Feb 26, 2011 10:57 am

Just looking at my logs :)
A thought occurs. While it's fun watching the spammer trying to figure out which word/s are causing offence, eventually, they can eliminate them, and make a post. I'm wondering if it might be a bit more difficult for them, if we didn't tell them which word/s caused the error?
They could spend ages trying to work it out then !
I don't think this would be too hard to implement either. A simple function to return a false here:
private $show_trigger_word=true; //show the user the word that triggered the error

Easy enough to edit anyway, just thinking out loud really :D
Go on ! it's not as steep as it looks.....

dangerousprototypes
Registered User
Posts: 91
Joined: Fri Feb 11, 2011 5:53 am
Contact:

Re: [DEV] phpBB spam hammer

Post by dangerousprototypes » Sat Feb 26, 2011 4:55 pm

Thanks Philthy, thanks especially for being on top of the changes and making the package possible. It wouldn't happen without you!

Setting that variable to false will stop showing the trigger word to the user. We could add the option to set it in the ACP if you like. The reason I have not done so is because of you :) When you noticed that scum triggered the filter (the filter is very stupid), I realized it could really confuse real users who don't understand what part of the message is triggering the filter. Rather than suffer calls for a better filter I thought defaulting to show the term was most user friendly.

LOL:
We should make the word filter first so they spend time working out all the words before they find out links are not allowed ;) That would save CPU cycles by kicking out the message before doing the more intensive URL stuff :)

Code: Select all

Anonymous 	173.11.39.220 	Sat Feb 26, 2011 5:41 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED sharonk for profile abuse. 	
Anonymous 	199.15.234.88 	Sat Feb 26, 2011 5:10 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED Qejl08 for profile abuse. 	
Anonymous 	119.30.38.83 	Sat Feb 26, 2011 4:52 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED michawoods for signature abuse. 	
Anonymous 	173.193.25.227 	Sat Feb 26, 2011 4:32 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED wikinotion for profile abuse. 	
Anonymous 	199.15.234.88 	Sat Feb 26, 2011 4:00 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED Cedh34 for profile abuse. 	
Anonymous 	188.95.60.39 	Sat Feb 26, 2011 3:52 pm 	Users pruned and posts deleted
» spam hammer zombie cleanup: 	
Anonymous 	122.144.4.190 	Sat Feb 26, 2011 3:14 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED falih for signature abuse. 	
Anonymous 	199.15.234.88 	Sat Feb 26, 2011 2:49 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED Weya91 for profile abuse. 	
Anonymous 	91.201.67.23 	Sat Feb 26, 2011 2:33 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED seodysar for profile abuse. 	
Anonymous 	91.201.67.23 	Sat Feb 26, 2011 2:03 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED seomrе for profile abuse. 	
Anonymous 	112.205.70.68 	Sat Feb 26, 2011 1:56 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED Restoration05 for signature abuse. 	
Anonymous 	58.178.46.145 	Sat Feb 26, 2011 1:51 pm 	Users pruned and posts deleted
» spam hammer zombie cleanup: 	
Anonymous 	199.15.234.88 	Sat Feb 26, 2011 1:36 pm 	{LOG SPAM HAMMER}
spam hammer: DELETED Geeq09 for profile abuse.
Over the last 24 hours we have only had scriptbot spammers, no real people. With extreme mode enabled NOT ONE has even attempted a spam, according to the logs. They all exit through the signature or profile abuse functions, LOL :) The Zombie purge is even empty because there are no spammer accounts remaining are extreme mode does its thing. Hi spammer, bye spammer :) Logs show no real users being caught so far, even with these super extreme measures.
Please do not PM or mail with questions. Ask in the forum where everyone can share the answer.

Philthy
Registered User
Posts: 210
Joined: Tue Dec 27, 2005 10:05 am
Location: Dawlish, Devon
Contact:

Re: [DEV] phpBB spam hammer

Post by Philthy » Sat Feb 26, 2011 6:47 pm

dangerousprototypes wrote: We should make the word filter first so they spend time working out all the words before they find out links are not allowed ;) That would save CPU cycles by kicking out the message before doing the more intensive URL stuff :)
Maybe I'm being vindictive, but I'd like to see them get through some strict membership filters (like Q & A very effective, without testing real users), have to validate their junk address, then work their way through all the word filters. How long is that going to take? Then get deleted :D

In reality of course, I will leave my security settings turned down/off, because it encourages legitimates to join/post.
Go on ! it's not as steep as it looks.....

John T. Folden
Registered User
Posts: 188
Joined: Tue Sep 04, 2007 12:16 am

Re: [DEV] phpBB spam hammer

Post by John T. Folden » Sun Feb 27, 2011 12:54 am

Philthy wrote: Maybe I'm being vindictive, but I'd like to see them get through some strict membership filters (like Q & A very effective, without testing real users), have to validate their junk address, then work their way through all the word filters. How long is that going to take? Then get deleted :D

In reality of course, I will leave my security settings turned down/off, because it encourages legitimates to join/post.
That's pretty much the position I'm in. It's fun to treat spammers as if they were a mouse in a maze (all that effort to find their way through, just to be shown the door at the end - minus treat, of course!) but the reality is that my public forum is not a support group or anything, no one HAS to post there... so all these anstispam hoops needs to be largely invisible.

I'd really like to use the Zombie purge, too, but it's not quite granular enough for me. It need a "Days since last login" variable at the least, I think.

Aside from lurkers, I also run a live chat on the forum. A measurable number of people who use the chat don't regularly post in the forum itself. They could have registered 3 months ago, never made a post, but logged in yesterday to chat. I believe the zombie purge, as it is, would consider this a deadwood account.
The Blue Whale Pub - SPN/SF/F TV Discussion Forum
ZOMBIE ALERT: The Walking Dead are coming to AMC!

User avatar
heredia21
Registered User
Posts: 942
Joined: Sun Apr 18, 2010 6:14 pm
Contact:

Re: [DEV] phpBB spam hammer

Post by heredia21 » Sun Feb 27, 2011 1:35 am

Code: Select all

{Spam hammer: CHECKED POST of 'kellykellyd'. DETECTED: links, ERRORS: Your post looks too spamy for a new user, please remove off-site URLs. CONTENTS: BlackBerry Messenger (BBM) PIN Swap22F44D3E I'm an 18 year old girl from Canada. Anyone who wants to talk :) I'm new here and would just like to meet some rad people from around the world! [size=80][b][i][ Post made via BlackBerry 9700][/i][/b][/size] [img]http://www.blackberryempire.com/forum/images/BlackBerry%209700.png[/img]}
New users posting from mobile site are getting this. The link image and url is from internal site. Why is it doing this?
Best BlackBerry website for all users! BlackBerry News - http://blackberryempire.com

dangerousprototypes
Registered User
Posts: 91
Joined: Fri Feb 11, 2011 5:53 am
Contact:

Re: [DEV] phpBB spam hammer

Post by dangerousprototypes » Sun Feb 27, 2011 9:10 am

New users posting from mobile site are getting this.
No idea, I have not looked at the mobile MOD and don't know how it works. If it is phpBB mobile theme, I plan to install when it is official and then I'll take a look at the bugs.
Please do not PM or mail with questions. Ask in the forum where everyone can share the answer.

Philthy
Registered User
Posts: 210
Joined: Tue Dec 27, 2005 10:05 am
Location: Dawlish, Devon
Contact:

Re: [DEV] phpBB spam hammer

Post by Philthy » Sun Feb 27, 2011 9:38 am

heredia21 wrote: New users posting from mobile site are getting this. The link image and url is from internal site. Why is it doing this?
Haven't got a clue.
I would suggest you add your own domain to the whitelist in ACP, so the auto generated signature in your mobile forum doesn't trigger the spam hammer. Or you could remove the image url by editing that styles code.
Beyond this, you will have to wait until this mod is released before we can start checking errors on individual boards.
Go on ! it's not as steep as it looks.....

John T. Folden
Registered User
Posts: 188
Joined: Tue Sep 04, 2007 12:16 am

Re: [DEV] phpBB spam hammer

Post by John T. Folden » Sun Feb 27, 2011 9:57 am

I've noticed, if the domain is http://mysite.com that http://www.mysite.com is treated as an external link as far as spam hammer is concerned. It doesn't affect me as I have www. redirect but...a poster trying to add the www would get the spam warning.
The Blue Whale Pub - SPN/SF/F TV Discussion Forum
ZOMBIE ALERT: The Walking Dead are coming to AMC!

dangerousprototypes
Registered User
Posts: 91
Joined: Fri Feb 11, 2011 5:53 am
Contact:

Re: [DEV] phpBB spam hammer

Post by dangerousprototypes » Sun Feb 27, 2011 11:12 am

Thanks for the report. The WWW or no WWW thing is part of the original disable links MOD. It uses a PHP variable to get the name of the local server (will return mobile.mysite.com for example) and another to match the protocol (http://, https://, etc). It does not recognize other sub domain variants (www., forum., etc) than what the forum exists on.

I'll think about how to solve that issue. Nothing comes to mind that is especially universal without some pretty intensive checking and validation, or an "expensive" REGEX replace. We'd need to know if there is already a www., and if not, if there is something else we need to remove first (forum.). A simpler way is a regular expression replace (blast anything http://[maybe some stuff, but not too much, plus a .]mysite.com/?), but it is very compute intensive and the wrong statement opens the door for vulnerabilities (like using the site URL to mask spam to the REGEX). If you see this issue in the logs, I'd recommend white listing the site variants that makes sense for your forum as an immediate solution. I'll try to figure out a way to automate it in the future.
Please do not PM or mail with questions. Ask in the forum where everyone can share the answer.

User avatar
victory1
Registered User
Posts: 935
Joined: Sun Oct 10, 2010 6:47 pm
Contact:

Re: [DEV] phpBB spam hammer

Post by victory1 » Sun Feb 27, 2011 11:57 am

dangerousprototypes wrote:
New users posting from mobile site are getting this.
No idea, I have not looked at the mobile MOD and don't know how it works. If it is phpBB mobile theme, I plan to install when it is official and then I'll take a look at the bugs.
I think he's using STG-Mobile Device Browser Style located here: http://startrekguide.com/community/viewforum.php?f=39

It's a great style that detects which device that the user is using. You can add as many as you want. Like I have an ebook reader site that a lot of them come with wifi or 3g for web browsing so it's able to detect which ebook reader the person is using and will say at the bottom (This post was made via the Sony Reader) with a tiny image of the Sony Reader. He probably have a detection and image for each Blackberry brand with it being a smart phone PDA. I will definitely wait for the release now since I don't want any interference with my mobile style. :D Thanks

By the way it looks like this.
click on image for full view of screenshot:
http://i.imgur.com/XSG4Q.png

This is the detection script that detect which device and add the image so it obviously conflicting with that:

Code: Select all

	// begin mobile browser detection mod - by sithnar
   	if ($user->data['is_mobile'] && $mode != 'edit' && !$preview  && !$refresh)
   	{
   	include_once($phpbb_root_path . 'includes/mods/mobile_device_detect.' . $phpEx);
   	$status = mobile_device_detect();

      	$message_parser->message .= "\n\n[size=80][b][i][ Post made via " . $status[1] . "][/i][/b][/size] [img]http://www.sonyreaderboards.com/forums/images/mobile" . $status[1] . ".png[/img]";
   	}
   	// end mobile browser detection mod

Locked

Return to “[3.0.x] Abandoned MODs”