[2.0.13] disable spambots

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Fri Dec 31, 2004 11:21 pm

Is this compatible with v2.0.11 ?

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Fri Dec 31, 2004 11:46 pm

Yeah, works great.

dilvie
Registered User
Posts: 4
Joined: Thu Mar 04, 2004 7:58 pm

Post by dilvie » Fri Feb 04, 2005 11:56 pm

Does this do anything to prevent automated registrations? I already set permissions to disallow guest posting.

- Eric

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Sat Feb 05, 2005 12:30 am

I should probably have come back here and let you know how things went. I installed it and it works fine. However, if I click 'quote' message, then copy and paste that text into a text editor (because I like typing that way) and then when I copy and paste it back into the textbox several minutes later, I often see the preview screen rather than the post, even tho plenty of time has elapsed. I'm not complaining. Just letting you know.




dilvie, I'm not sure but this one might do what you want

http://www.phpbb.com/phpBB/viewtopic.php?t=213812

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Sat Feb 05, 2005 2:02 am

Hm, the only thing I can think of is that maybe during the long delay between hitting "reply" and "post," your IP address changed.

ISPs which use rotating proxy servers (like AOL) might be problematic, as well.

dilvie: 2.0.11 comes with a vaguely-useful registration CAPTCHA which you can enable from the forum config.

`checho`
Registered User
Posts: 63
Joined: Fri Nov 12, 2004 7:08 pm

Post by `checho` » Fri Mar 11, 2005 6:55 pm

Phineus1 wrote: However, if I click 'quote' message, then copy and paste that text into a text editor (because I like typing that way) and then when I copy and paste it back into the textbox several minutes later, I often see the preview screen rather than the post, even tho plenty of time has elapsed.


I have exactly the same problem on 2.0.13. Sometimes when I click "Submit" I get the preview screen even though I have spent more than a minute on the message. It happened when I tried to quote an already published message.
And no IP address change has occurred in my case. I am not using proxies either.

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Sat Mar 12, 2005 2:46 am

Hm, okay, there might be a stupid bug or something. I'll look into it.

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Sun Mar 13, 2005 4:20 am

Okay, it looks like in some circumstances, the hidden forum values don't actually get added to the form, which makes absolutely no sense because it gets inserted using the same code which adds other stuff which posting.php won't work without. If anyone else can figure out what might be causing that, please let me know!

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Sun Mar 13, 2005 4:26 am

Hm, I just realized that there's a possibility that some browsers sometimes change their User-Agent on the fly for various reasons (like to try to spoof browser detection to prevent a site from breaking), and that might be what's going on here. The easiest fix is to just change the line:

$authval = md5($_SERVER['HTTP_USER_AGENT'] . $secretkey . $_SERVER['REMOTE_ADDR']);
to:

$authval = md5($secretkey . $_SERVER['REMOTE_ADDR']);
which should also help for some users who run specific user-agent cloaking things for some reason (privacy nuts can be a little, well, nuts).

If that fixes it for everyone then I'll just release a new version with that fix.

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Sun Mar 13, 2005 4:40 am

Argh! I know *exactly* what's going on now. In quote mode, $topic_id isn't set when the secret key is determined. Whee! So this was always failing when a message was being quoted.

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Sun Mar 13, 2005 4:43 am

I use Netscape which should be pretty constant. However, I'll make the change and let you know in a couple days.

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Sun Mar 13, 2005 5:17 am

Okay, I just submitted a fixed version which fixes the always-previews-on-quote problem and also adds a bit more security to the time value. Hopefully a mod admin can validate it soon. :)

The only change is to that BEFORE, ADD block, which now appears as:

#
#-----[ BEFORE, ADD ]------------------------------------------ 
# 
switch ($mode) {
case 'newtopic':
        $secretkey = 'f' . $forum_id;
        break;

case 'quote':   // If we're quoting, we need to determine the topic ID
        $sql = 'SELECT topic_id FROM ' . POSTS_TABLE . ' WHERE post_id='
                . $post_id;
        if (!($query = $db->sql_query($sql)))
                message_die(GENERAL_MESSAGE, 'Could not obtain quoted topic information', '', __LINE__, __FILE__, $sql);

        if (($row = $db->sql_fetchrow($query)))
                $topic_id = $row['topic_id'];
        else
                message_die(GENERAL_MESSAGE, 'No_such_post');
        // Fall through to 'reply' case

case 'reply':
        $secretkey = 't' . $topic_id;
        break;
case 'editpost':
        $secretkey = 'p' . $post_id;    
        break;                
}

$authkey = md5("nana" . $secretkey . "foofoo");
$authval = md5($HTTP_SERVER_VARS['HTTP_USER_AGENT'] . $secretkey . $HTTP_SERVER_VARS['REMOTE_ADDR']);  
$timekey = md5("time" . $secretkey);
$timepad = preg_replace('/[^0-9]/', '', $HTTP_SERVER_VARS['REMOTE_ADDR']) + 0;
$timeval = time() ^ $timepad;

# If this is a submit which doesn't jive with the above, turn it into a preview
if ($submit && (!isset($HTTP_POST_VARS[$authkey])
                || $HTTP_POST_VARS[$authkey] != $authval
                || !isset($HTTP_POST_VARS[$timekey])
                || ($HTTP_POST_VARS[$timekey] ^ $timepad) > time() - 5))
{
        $submit = false;
        $preview = true;
}
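
The check in the block above, redone with a keyed MAC, as an added example that is not part of magenta's MOD or of this thread: the MOD's hidden values are unkeyed MD5 hashes and an XOR-masked timestamp, while here the issue time is authenticated with HMAC and bound to the session instead of the IP address and User-Agent, which sidesteps the proxy and User-Agent mismatches discussed earlier. It assumes PHP 5.6 or later (for hash_hmac and hash_equals); FORM_SECRET, the age limits and both function names are hypothetical.

```php
<?php
// Added example, not the MOD's code. FORM_SECRET, MIN_AGE, MAX_AGE and both
// function names are hypothetical.
define('FORM_SECRET', 'REPLACE-WITH-RANDOM-SERVER-SIDE-VALUE'); // placeholder
define('MIN_AGE', 5);     // seconds; same threshold the MOD uses
define('MAX_AGE', 3600);  // assumed upper bound so stale forms expire

// $context is the string the MOD builds: 'f' . $forum_id, 't' . $topic_id
// or 'p' . $post_id. It must be resolved before issuing (quote mode included).
function issue_form_token($context, $session_id, $now)
{
    $mac = hash_hmac('sha256', $context . '|' . $session_id . '|' . $now, FORM_SECRET);
    return $now . ':' . $mac;              // value for a single hidden field
}

function check_form_token($token, $context, $session_id, $now)
{
    $parts = explode(':', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    $issued = (int) $parts[0];
    $expect = hash_hmac('sha256', $context . '|' . $session_id . '|' . $issued, FORM_SECRET);
    if (!hash_equals($expect, $parts[1])) {
        return 'bad_mac';                  // wrong topic, wrong session, or edited time
    }
    $age = $now - $issued;
    if ($age < MIN_AGE) {
        return 'too_fast';                 // the MOD turns this case into a preview
    }
    return ($age > MAX_AGE) ? 'expired' : 'ok';
}

// Constructed values for demonstration only.
$t0  = 1110690000;
$tok = issue_form_token('t42', 'sess-abc', $t0);
foreach (array(
    'submitted after 2 s'  => check_form_token($tok, 't42', 'sess-abc', $t0 + 2),
    'submitted after 90 s' => check_form_token($tok, 't42', 'sess-abc', $t0 + 90),
    'replayed on topic 43' => check_form_token($tok, 't43', 'sess-abc', $t0 + 90),
    'timestamp edited'     => check_form_token(($t0 - 60) . substr($tok, 10), 't42', 'sess-abc', $t0 + 2),
) as $case => $result) {
    echo $case, ': ', $result, "\n";
}
```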

Phineus1
Registered User
Posts: 64
Joined: Sat Nov 08, 2003 11:55 pm

Post by Phineus1 » Mon Mar 14, 2005 12:07 am

So far so good. Thanks.

`checho`
Registered User
Posts: 63
Joined: Fri Nov 12, 2004 7:08 pm

Post by `checho` » Thu Mar 17, 2005 9:37 pm

No it's not so good. :cry: I still have that problem when I quote...

magenta
Registered User
Posts: 81
Joined: Thu Jun 05, 2003 12:16 am
Location: Seattle

Post by magenta » Fri Mar 18, 2005 12:33 am

Before

$authkey = ...
add:

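// Debug aid: stop if no secret key was derived; the query string is escaped before it is echoed
if (! $secretkey ) message_die(GENERAL_MESSAGE, 'No secret key! get=' . htmlspecialchars(getenv('QUERY_STRING')));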
and if an error comes up, just paste what it is here so I can debug it better.

Thanks.
