[ABD] Block normal act_key requests/Prevent spam activation

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
Post by Ramon Fincken »

Spambots getting past your 'visual confirmation' line of defence and have activation by user set to on?

* Will not stop bot-registrations.
* But will stop bots from becoming active.


Then you'll like this one:

The normal activation link is altered. This is the link needed to activate your account.
(Scroll down for examples.)

Now when a spambot hits the 'normal' URL this will happen:
* account is NOT activated
* admin gets a warning by email

The email contains the IP, the proxy IP, the member name and a clickable
link to the member's profile.

Installing takes 4 minutes of work.
It will not ask for any database changes.
Make a backup of your files first!


Instruction set (1.0.2):

OPEN

Code: Select all

usercp_register.php

*******************************
FIND
# You'll have to do this FIND -- AFTER, ADD combination *4* times !!

Code: Select all

'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey

AFTER, ADD

Code: Select all

,
						'U_ACTIVATE2' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey .'&eow='.$user_actkey

*******************************

OPEN

Code: Select all

includes/usercp_sendpasswd.php
FIND

Code: Select all

'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey
AFTER, ADD

Code: Select all

 .'&eow='.$user_actkey

OPEN

Code: Select all

languages/lang_english/email/user_welcome_inactive.tpl
FIND

Code: Select all

Subject: Welcome to {SITENAME} Forums
Charset: iso-8859-1

{WELCOME_MSG}
AFTER, ADD

Code: Select all

Warning ! Do not click the first activation link, but scroll down for the correct link.


FIND

Code: Select all

{EMAIL_SIG}


AFTER, ADD

Code: Select all

Correct link:
{U_ACTIVATE2}


OPEN

Code: Select all

usercp_activate.php
FIND

Code: Select all

if ( !defined('IN_PHPBB') )
{
	die('Hacking attempt');
	exit;
}
AFTER, ADD

Code: Select all

// MOD Ramon Fincken
// Phpbbinstallers.com
// Block normal act_key requests V1.0.2
// Reject the request unless the extra 'eow' parameter is present and equals act_key.
// ('!' binds tighter than '===', so the mismatch test is written with '!==')
if ( !isset($HTTP_GET_VARS['eow']) || !isset($HTTP_GET_VARS['act_key']) || trim($HTTP_GET_VARS['eow']) !== trim($HTTP_GET_VARS['act_key']) )
{
	// Delete user, or ban...
	// START settings
	$admin_email = 'board@board.com';
	$html_on = true;
	// END settings

	$headers = "From: PhpBB-board <" . $admin_email . ">\r\n";
	$headers .= "Reply-To: PhpBB-board <" . $admin_email . ">\r\n";
	$headers .= "MIME-Version: 1.0\r\n";
	if ($html_on) $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";

	$user_id = isset($HTTP_GET_VARS[POST_USERS_URL]) ? intval($HTTP_GET_VARS[POST_USERS_URL]) : 0;
	$username = convert_id($user_id);

	// Request headers are client-supplied: escape them before they go into the HTML mail
	$proxy_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? htmlspecialchars($_SERVER['HTTP_X_FORWARDED_FOR']) : '';
	$user_ip = htmlspecialchars($_SERVER['REMOTE_ADDR']) . '   ' . $proxy_ip;
	$the_post_vars_value = "ip => $user_ip\n<br />";
	$the_post_vars_value .= "userdata_username => " . $username . "\n<br />";

	// Member of this board..
	// http://www.board.com/profile.php?mode=viewprofile&u=3
	$map = $board_config['script_path'] . '/';
	$the_post_vars_value .= '<a href="http://' . htmlspecialchars($_SERVER['HTTP_HOST']) . $map . append_sid("profile.$phpEx?mode=viewprofile&" . POST_USERS_URL . "=" . $user_id) . '">Click here to see the profile of ' . $username . '</a><br /><br />';

	$referer = isset($_SERVER['HTTP_REFERER']) ? htmlspecialchars($_SERVER['HTTP_REFERER']) : '';
	$agent = isset($_SERVER['HTTP_USER_AGENT']) ? htmlspecialchars($_SERVER['HTTP_USER_AGENT']) : '';
	$the_post_vars_value .= "http_referer => " . $referer . "\n<br />";
	$the_post_vars_value .= "http_user_agent => " . $agent . "\n<br />\n<br />";

	if ( !empty($HTTP_POST_VARS) )
	{
		// Escape every posted key and value; values may be arrays
		foreach ($HTTP_POST_VARS as $key => $val)
		{
			$the_post_vars_value .= htmlspecialchars($key) . ' => ' . htmlspecialchars(print_r($val, true)) . "\n<br />";
		}
	}

	// TODO: use $emailer
	mail($admin_email, 'Phpbb: Spam activation attempt', '<html>Post vars are below:<br /><br />' . $the_post_vars_value . '</html>', $headers);

	message_die(GENERAL_MESSAGE, $lang['Wrong_activation']);
}
else
{
// MOD Ramon Fincken
// Phpbbinstallers.com
// Block normal act_key requests V1.0.2

FIND

Code: Select all

?>
BEFORE, ADD

Code: Select all

}
// MOD Ramon Fincken
// Phpbbinstallers.com
// Block normal act_key requests V1.0.2

DIY INSTRUCTIONS

Code: Select all

** Find the 'eow' in usercp_register.php and in usercp_activate.php,
now change it to some bogus text like 'sies' or 'lciw'.
Do NOT enter a number, just alphabetical characters (a to z).
** Find the $admin_email in usercp_activate.php and enter your own admin email.


Example of the activation mail:
Welcome to board.com Forums

Warning ! Do not click the first activation link, but scroll down for the correct link.

Please keep this email for your records. Your account information is as follows:

----------------------------
Username: testuser
Password: testpass
----------------------------

Your account is currently inactive. You cannot use it until you visit the following link:

http://board.com/board/profile.php?mode ... 3a8513d09d

Please do not forget your password as it has been encrypted in our database and we cannot retrieve it for you. However, should you forget your password you can request a new one which will be activated in the same way as this account.

Thank you for registering.

--
Thanks,
The Management
www.board.com


Correct link:
http://board.com/board/profile.php?mode ... 3a8513d09d


Example of admin mail: ( subject = Phpbb : Spam activation attempt )
Username is below


--------------------------------------------------------------------------------

Text is below


--------------------------------------------------------------------------------

Post vars are below:

ip => 123.456.789.10
userdata_username => testuser
Click here to see the profile of testuser

http_referer =>
http_user_agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Last edited by Ramon Fincken on Sun Oct 08, 2006 7:59 am, edited 9 times in total.
Dutch quality fully managed WordPress hosting - ManagedWPHosting.nl

Before changing a file, some code or installing a MOD >> Make a backup first!

Do you like my mods? paypal me $1 :) forumsoftware[AT}creativepulses[DOT}nl
PhpBBantispam.com || Instant find your mod here
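
Added example, not part of the MOD or of the original post: a stand-alone PHP sketch of the decoy-link check described above, which also contrasts `! a === b` with `a !== b`, since `!` binds tighter than `===` in PHP. The function names, the DECOY_PARAM constant and the sample key are hypothetical; hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example; all names here are hypothetical, not phpBB's.
const DECOY_PARAM = 'eow'; // the MOD's extra parameter (the DIY step renames it)

// Classify an activation request from its query parameters and the
// act_key stored for the user: 'activate', 'decoy_hit' or 'bad_key'.
function classify_activation(array $get, string $stored_key): string
{
    $act_key = (isset($get['act_key']) && is_string($get['act_key']))
        ? trim($get['act_key']) : '';
    $extra = (isset($get[DECOY_PARAM]) && is_string($get[DECOY_PARAM]))
        ? trim($get[DECOY_PARAM]) : null;

    // The decoy (first) link carries no extra parameter, or a wrong one.
    if ($extra === null || !hash_equals($act_key, $extra)) {
        return 'decoy_hit'; // do not activate; notify the admin
    }
    // Correct link shape: still verify the key itself, in constant time.
    if ($stored_key === '' || !hash_equals($stored_key, $act_key)) {
        return 'bad_key';
    }
    return 'activate';
}

// Precedence pitfall: this parses as (!trim($a)) === trim($b), a bool
// compared strictly with a string, so it is false for every input.
function buggy_mismatch(string $a, string $b): bool
{
    return ! trim($a) === trim($b);
}

// Intended test: true when the two values differ.
function fixed_mismatch(string $a, string $b): bool
{
    return trim($a) !== trim($b);
}

$key = '3f9c0a1b'; // constructed sample key
var_dump(classify_activation(['act_key' => $key], $key));                 // decoy link
var_dump(classify_activation(['act_key' => $key, 'eow' => 'x'], $key));   // wrong extra value
var_dump(classify_activation(['act_key' => $key, 'eow' => $key], $key));  // correct link
var_dump(classify_activation(['act_key' => 'zz', 'eow' => 'zz'], $key));  // right shape, wrong key
var_dump(buggy_mismatch('abc', 'xyz'), fixed_mismatch('abc', 'xyz'));
```
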

Post by Ramon Fincken »

future uses of this mod:

* instant ban ip
* instant delete user

and of course:
* instant paypal me all your money ( just kiddin )

Post by *=Matt=* »

I don't think this MOD is 100% cool, more like 90%, for the simple fact that not everyone's smart. Well, for me, when I sign up for a phpBB forum I know the email I'll get and I just don't read the useless stuff and just click the link. I really wouldn't want to be classified as a spammer and probably get banned from the site if the board owner really cares that much about spam. I see you are planning on having an instant ban and an instant delete user. :( Well, my advice: change the email template so it's not like the phpBB one. Then people who don't like to read (me) or people who are not very smart can not get caught. :)

Post by Ramon Fincken »

scroll up for the

Example of the activation mail:

the line is:

Code: Select all

Warning ! Do not click the first activation link, but scroll down for the correct link. 
you can change it to whatever you want it to be in the tpl file if you think users may not read it ...

However at this version ( 1.0.0 ) a user who clicks the standard url will see an error message, but is NOT banned and NOT deleted....

Ramon

Post by *=Matt=* »

I know I for my board but I'm saying like if I got to sign up for someone else's board, I don't read the emails I get, I just click the link. Well, I don't know. Good luck with this MOD :P It would be an awesome way to prevent spammer users

Post by Ramon Fincken »

Intention was the KISS principle ( Keep it simple stupid )

building this mod took me 10 minutes incl testing, the power is the line of txt you add in the .tpl file.

You can also make it something like

Code: Select all

*************

ATTENTION !! do NOT click the link below !!
Scroll down and click the 'Correct link' to activate !


*************

Ramon

Post by Ramon Fincken »

upgraded to 1.0.1

What's new: the installation instructions.


How to upgrade from 1.0.0 to 1.0.1

make sure you check if this combo is done 4 times :

Code: Select all

FIND
# You'll have to do this FIND -- AFTER, ADD combination *4* times !! 
AND

I forgot 1 statement, make sure you do the instructions for:

Code: Select all

languages/lang_english/email/user_activate_passwd.tpl
in the 1st post.

Post by Ramon Fincken »

upgraded to 1.0.2

What's new: the installation instructions (forgot the sendpasswd instructions in previous versions).


How to upgrade from 1.0.1 to 1.0.2

OPEN

Code: Select all

includes/usercp_sendpasswd.php
FIND

Code: Select all

'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey
AFTER, ADD

Code: Select all

 .'&eow='.$user_actkey

Post by tm6tech »

Ramon Fincken wrote: Intention was the KISS principle ( Keep it simple stupid )

building this mod took me 10 minutes incl testing, the power is the line of txt you add in the .tpl file.

You can also make it something like

Code: Select all

*************

ATTENTION !! do NOT click the link below !!
Scroll down and click the 'Correct link' to activate !


*************



Ramon


I wonder if you could set the text of the false link to be the same colour as the background, so a human wouldn't actually SEE it? Would that help ensure that only a bot would follow the bad link?

Post by Ramon Fincken »

That would help, but the outgoing mails are in plain format, not in the colorful HTML format like a webpage...

So if you create an HTML format mail your solution would be successful :)

Post by Ramon Fincken »

Changed status to ABD.

This mod is too weak for the current spambots, it will work, but it will not stop bots from registering.

If anyone wants to take over, send me a PM.

Post by MHobbit »

Locked as such.
Former phpBB MOD Team member
No private support is offered.
"There’s too many things to get done, and I’m running out of days..."