Hack to avoid spammers using the messaging system
splitbrain #1
Member since Sep 2006 · 18 posts · Location: Berlin, Germany
Group memberships: Members
Subject: Hack to avoid spammers using the messaging system
We had a few cases where spammers used the "send email" function to spam registered forum members. As a quick fix I changed the function to give access to active members only (registered for more than 14 days, at least one post). This should keep most of the spammers out. At least for the messaging function.

--- cp.inc.php.bak      2011-01-09 13:40:32.000000000 +0100
+++ cp.inc.php  2011-01-09 13:40:46.000000000 +0100
@@ -1470,6 +1470,14 @@
                $error .= $UNB_T['error.access denied'] . '<br />';
        }
 
+
+       // ANDI
+       if( (time() - $UNB['LoginUser']->GetRegDate()) < 60*60*24*14 ||
+           !UnbGetLastPost("User=".(int) $UNB['LoginUserID']) ) {
+               $error .= $UNB_T['error.access denied'] . '<br />';
+       }
+
+
        if (($_POST['id'] == '' || trim($_POST['Msg']) == ''))
        {
                $error .= $UNB_T['cp.error.form not complete'] . '<br />';
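Review bot: the added block after the first access check calls $UNB['LoginUser']->GetRegDate() unconditionally, even when the check just above it has already appended 'error.access denied'. If that earlier branch covers a missing or guest login, this call can fail on a non-object; in any case a user who fails both checks gets the same message appended twice. Chain the new condition as an else-branch of the preceding check, or skip it when $error is already set. The '// ANDI' marker should become a comment stating the rule (account at least 14 days old and at least one post).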
@@ -3085,8 +3093,19 @@
 {
        if ($_REQUEST['action'] == 'email' || $_REQUEST['action'] == 'sendemail')
        {
-               EMailForm($userid);
-               UteRemember('userprofile.html', $TP);
+               // ANDI
+               if( (time() - $UNB['LoginUser']->GetRegDate()) < 60*60*24*14 ||
+                   !UnbGetLastPost("User=".(int) $UNB['LoginUserID']) ) {
+
+
+                       $TP['errorMsg'] .= $UNB_T['error.access denied'] . '<br />'.
+                                          'You\'re not allowed to use the email system, yet.<br />';
+                       $TP['headNoIndex'] = true;
+               }else{
+                       EMailForm($userid);
+                       UteRemember('userprofile.html', $TP);
+               }
+
        }
        elseif ($_REQUEST['action'] == 'emailsuccess')
        {
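Review bot: the condition on the two '+' lines under '// ANDI' is a verbatim copy of the one in the first hunk, including the hard-coded 60*60*24*14; move it into one helper function with a named constant so the form gate here and the send gate there cannot drift apart. The English text 'You\'re not allowed to use the email system, yet.' is concatenated directly instead of going through $UNB_T, so it will not be translated; add a language key for it. Neither copy exempts administrators or moderators who have never posted, which deserves an explicit decision.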
forum.dokuwiki.org
NFG #2
Member since Sep 2006 · 125 posts
Group memberships: Members
It hasn't been a problem for me (yet!) but your fix looks like a good solution.  I've implemented it for my forum too.

Long live dokuwiki & UNB.  =D
gnauck #3
Member since Feb 2006 · 33 posts
Group memberships: Members
Thanks for this patch. I applied it because I also had problems with spammers in the past.

Alex
gnauck #4
Member since Feb 2006 · 33 posts
Group memberships: Members
Running this patch for a while now, and the private mail SPAM is gone. But I get more and more SPAM posts.
Has anybody experience with http://www.stopforumspam.com/ ?
This API could be used to check username, email and ip address on user registration with hooks to prevent signup of SPAMMERS, and reporting when a new SPAMMER has registered and posted SPAM.

Alex
Yves (Administrator) #5
User title: UNB developer & webmaster
Member since Jan 2004 · 3855 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Looks like we don't have plugin hooks for the registration process yet. For a post checking, the "post.verifyaccept" hook can be used. There's the sample spam filter plugin already using it.

How would one use that API? Ask for IP, username and e-mail - or just a few of them - and reject registration/posting if the server says "appears"? What about the frequency value, how can it be interpreted? How to handle false positives?

Would we eventually want to report spam back to the database? (Through a new "spam and delete" button to delete all user's posts and the user itself in one step.) I guess this step depends on how much spam will pass the filter.

I've also still got a link to BadBehaviour floating around in my inbox. That might be useful as well.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
gnauck #6
Member since Feb 2006 · 33 posts
Group memberships: Members
Quote by Yves on 2011-05-24, 18:41:
Looks like we don't have plugin hooks for the registration process yet. For a post checking, the "post.verifyaccept" hook can be used. There's the sample spam filter plugin already using it.
ya, I couldn't find a hook in the API docs.

Quote by Yves on 2011-05-24, 18:41:
How would one use that API? Ask for IP, username, e-mail - or just a few of them - and reject registration/posting if the server says "appears"? What about the frequency value, how can it be interpreted? How to handle false positives?
I checked the last SPAMMERS which appeared in my forums against this database, and the username was always already in the database. But I think we should check all, username and ip. I have no idea about the frequency. We should start with a plugin and then tweak the frequency based on the experience. This value could be configurable in the administration.

When the registration gets denied (false positive) I would show some text like: Because of ....... we assume you are a spammer, when we are wrong then please email the forums administrator.

Quote by Yves on 2011-05-24, 18:41:
Would we eventually want to report spam back to the database? (Through a new "spam and delete" button to delete all user's posts and the user itself in one step.) I guess this step depends on how much spam will pass the filter.
yes this would be awesome.

Quote by Yves on 2011-05-24, 18:41:
I've also still got a link to BadBehaviour floating around in my inbox. That might be useful as well.
Don't know this service, I'll check now.

Alex
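
The decision logic discussed in this post (check several fields, make the frequency threshold configurable, give false positives a way out), as an added example that is not part of the original thread or of any UNB plugin. It goes beyond the post by failing open when the lookup is unavailable; the function name `sfs_decide`, the `$minFrequency` setting and the JSON response shape are assumptions, and the sample responses are constructed.

```php
<?php
// Added example, not UNB or plugin code. The response shape is an assumption:
// one entry per queried field carrying the "appears" and "frequency" values
// named in the thread. All sample values are constructed.

/**
 * Decide whether a registration should be rejected.
 *
 * @param string $json         raw lookup response
 * @param int    $minFrequency admin-configurable threshold (hypothetical setting)
 * @param array  $fields       fields that count towards the decision
 * @return array [bool $reject, string $reason]
 */
function sfs_decide($json, $minFrequency = 3, $fields = array('username', 'ip', 'email'))
{
    $data = json_decode($json, true);
    // Fail open: a lookup outage or malformed reply must not block real users.
    if (!is_array($data) || empty($data['success'])) {
        return array(false, 'lookup unavailable, registration allowed');
    }
    foreach ($fields as $field) {
        if (!isset($data[$field]) || !is_array($data[$field])) {
            continue; // field was not queried or not returned
        }
        $appears   = !empty($data[$field]['appears']);
        $frequency = isset($data[$field]['frequency']) ? (int) $data[$field]['frequency'] : 0;
        // A single report is weak evidence (shared IPs, common user names),
        // so require "appears" AND a minimum number of reports.
        if ($appears && $frequency >= $minFrequency) {
            return array(true, "$field listed, reported $frequency times");
        }
    }
    return array(false, 'no field above threshold');
}

// Constructed sample responses.
$samples = array(
    'known spammer'  => '{"success":1,"username":{"appears":1,"frequency":41},"ip":{"appears":1,"frequency":7}}',
    'one-off report' => '{"success":1,"username":{"appears":1,"frequency":1},"ip":{"appears":0,"frequency":0}}',
    'service down'   => 'Service Unavailable',
);
foreach ($samples as $label => $json) {
    list($reject, $reason) = sfs_decide($json);
    if ($reject) {
        // Give false positives a way out, as suggested in the thread.
        $reason .= '; if this is wrong, please e-mail the forum administrator';
    }
    printf("%-15s %s (%s)\n", $label, $reject ? 'REJECT' : 'ALLOW', $reason);
}
```

Logging the reason for every rejection gives the administrator the data needed to tune the threshold over time.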
Yves (Administrator) #7
User title: UNB developer & webmaster
Member since Jan 2004 · 3855 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
An update! :huh: There's an update to UNB 1.6 :-D after more than a year! :blush: ...

It features two things, both relevant to this thread, so I'll mention them here. First, we have a new plug-in hook to verify user registrations. This can be used for the things we talked about in this thread. Second, I have finally backported the new CAPTCHA image library I've built into UNB2 and that I'm using in several other newer websites for a while. It should be harder to circumvent automatically (if that's ever been a real problem in the past, sometimes I doubt it). Be sure to also apply the little changes to the template and language files when updating!

Download | Change log (be sure to read it, it's not too much!)
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
NFG #8
Member since Sep 2006 · 125 posts
Group memberships: Members
Thanks for that update, Yves!

Over the years I've been adding more and more customization to my UNB installation, with all kinds of nutty tweaks and expansions...  One day I might even release a facebook/OpenGraph plugin I whipped up...

But for now, my horrifying disaster of code is probably not going to accept a standard update, so I'm hoping you can detail what changes were made to the new release?  Specifically, what files, and perhaps a diff for those so I can manually work out where to put the new stuff...

And then I need to dig through the archives to figure out (again) how to remove the update-available message.  =D
Yves (Administrator) #9
User title: UNB developer & webmaster
Member since Jan 2004 · 3855 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
If you do custom modifications to the source, it's always a good idea to keep the old release archive (see how I just put the dev-release date in the URL, they're all there) so that you can simply diff it against the new archive. Then you could possibly even generate patch files that will apply seamlessly to your code. :-) Or is that what 3-way merge is supposed to do? Just check out what Beyond Compare can do for you.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
splitbrain #10
Member since Sep 2006 · 18 posts · Location: Berlin, Germany
Group memberships: Members
In reply to post #7
Quote by Yves on 2011-05-27, 20:05:
It features two things, both relevant to this thread, so I'll mention them here. First, we have a new plug-in hook to verify user registrations. This can be used for the things we talked in this thread.

Very cool. I created a very simple plugin for hooking this event to stopforumspam.com: https://github.com/splitbrain/unb-plugin-stopforumspam
forum.dokuwiki.org
gnauck #11
Member since Feb 2006 · 33 posts
Group memberships: Members
you rock!!! I'll check it out tomorrow.

Thanks,
Alex
gnauck #12
Member since Feb 2006 · 33 posts
Group memberships: Members
The new plugin is installed and has already blocked lots of signups according to the logs.

Thanks,
Alex
Yves (Administrator) #13
User title: UNB developer & webmaster
Member since Jan 2004 · 3855 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
In reply to post #10
Looks good. Could it possibly also handle guest postings? :-)
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Yves (Administrator) #14
User title: UNB developer & webmaster
Member since Jan 2004 · 3855 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Seems we need guest posting protection as well. I've just mass-removed some 180 guest posts with garbage contents from the database. For now, I have disabled guest posting. And I've installed this plugin to see how effective it works here.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
splitbrain #15
Member since Sep 2006 · 18 posts · Location: Berlin, Germany
Group memberships: Members
I don't have guest posting enabled, so I didn't look into it.

There is one thing I'd love to have for the stopforum plugin:

Each post should have a link called [Delete Spammer] (only available to admins of course) that would do three things:

  • delete all posts the author of this post made
  • delete the author's account
  • report his user name, registration ip and email address to stopforumspam.com

As far as I can see there's no easy way to implement that in a plugin currently.
forum.dokuwiki.org