
Spam cleanup - Deleted Users with 0 posts
Re: Spam cleanup - Deleted Users with 0 posts
I guess I am one of those who haven't posted before. Never found the need to since I generally find what questions I would ask with the search button. 

Re: Spam cleanup - Deleted Users with 0 posts
Cage wrote:
I guess I am one of those who haven't posted before.

Dang! I had my itchy trigger finger on the Report Button...

The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Re: Spam cleanup - Deleted Users with 0 posts
A while back we had to do the same thing because we started getting flooded with spam posts.
We also decided to add moderator approval to the member registration process.
greyhoundcode wrote:
Another forum I frequent, also powered by phpBB, has applied a modification that requires users with < 10 posts to complete a CAPTCHA validation. Seems to have had quite some success in reducing automated spam.

That will work for a while; since the bots can already get past the CAPTCHA in most forums, they just have to add CAPTCHA handling to the message posting code.
flaith wrote:
Wow, at least 800 (iirc) members less, that's what I call "a cleaning".

I was surprised too when we deleted our zero post accounts, there were over 300 of them.
Regarding the search engine bots showing up as registered users: that's because in a sense they are. Most forum software that recognizes them will put them all in a search engine group. The reason and advantage of this is that you can now control what level of access you want the bots to have to your forums. Most forums will start them off with the same privileges as guests, but because they are in a different user group you can change their access without affecting guests and vice versa.
- greyhoundcode
- Enthusiast
- Posts: 112
- Joined: Sun Dec 30, 2007 7:24 pm
Re: Spam cleanup - Deleted Users with 0 posts
GWarner wrote:
That will work for a while; since the bots can already get past the CAPTCHA in most forums, they just have to add CAPTCHA handling to the message posting code.

In practice all we can do is reduce, not eliminate. A free service like ReCAPTCHA is easily used in place of some of the weaker GD lib generated CAPTCHAs out there - I find it pretty effective. A hard target is never hit as many times as a soft one.
- freepurebasic
- Enthusiast
- Posts: 123
- Joined: Fri Sep 24, 2010 12:02 pm
- Location: world wide web
Re: Spam cleanup - Deleted Users with 0 posts
Try to use this code instead of a captcha:
Code:
<?php
// Referer-based guard as posted: for any request that is not a GET, reject it
// unless a Referer header is present and its host part equals this server's name.
function protectform() {
    if ($_SERVER["REQUEST_METHOD"] != 'GET') {
        $servername = $_SERVER["SERVER_NAME"];
        $noterror = true;
        if (isset($_SERVER["HTTP_REFERER"]))
            $gethost = parse_url($_SERVER["HTTP_REFERER"]);   // split the Referer URL into its parts
        else
            $noterror = false;                                 // no Referer header at all
        $pimp = false;
        if (!$noterror)
            $pimp = true;                                      // missing Referer: reject
        if (isset($gethost))
            if ($gethost['host'] !== $servername)
                $pimp = true;                                  // Referer host differs from ours: reject
        if ($pimp) {
            die('ciao!');
        }
    }
}
protectform();
?>
Put it where you receive the posted $_REQUEST data; it will stop any submissions from outside your website. It is much better than any captcha.
Cheese!
- greyhoundcode
- Enthusiast
- Posts: 112
- Joined: Sun Dec 30, 2007 7:24 pm
Re: Spam cleanup - Deleted Users with 0 posts
Hmm, that may also work against legitimate users where anti-virus suites etc. dispose of the Referrer header field. Per the bible itself (highlighting is mine):
PHP Manual wrote:
HTTP_REFERER: The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
- freepurebasic
- Enthusiast
- Posts: 123
- Joined: Fri Sep 24, 2010 12:02 pm
- Location: world wide web
Re: Spam cleanup - Deleted Users with 0 posts
Did you read carefully?
Try to read this:
Code:
if ($gethost['host'] !== $servername)
    $pimp = true;
Well, you're wrong.
If I use a PHP browser on another server and I try to post headers from that server, I will be pimp.
Try to set up a PHP browser to post data to this script with any referer value you want,
and show us a screenshot of what you got.

post.php
Code:
<?php
// Same Referer-based guard as above, followed by the page content it is meant
// to protect (phpinfo() here, so a successful request is easy to recognise).
function protectform() {
    if ($_SERVER["REQUEST_METHOD"] != 'GET') {
        $servername = $_SERVER["SERVER_NAME"];
        $noterror = true;
        if (isset($_SERVER["HTTP_REFERER"]))
            $gethost = parse_url($_SERVER["HTTP_REFERER"]);   // split the Referer URL into its parts
        else
            $noterror = false;                                 // no Referer header at all
        $pimp = false;
        if (!$noterror)
            $pimp = true;                                      // missing Referer: reject
        if (isset($gethost))
            if ($gethost['host'] !== $servername)
                $pimp = true;                                  // Referer host differs from ours: reject
        if ($pimp) {
            die('ciao!');
        }
    }
}
protectform();
phpinfo();   // only reached when the guard did not die()
?>
And here is, let's say, a minimal HTML page (not PHP headers) from another server, or maybe from your desktop:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title></title>
<style></style>
</head>
<body>
<form method="post" action="http://www.yourhost.com/post.php" name="">
<input type="text" name="sdasdasds"><input type="submit" value="asdsad" name="asdsadsads">
</form>
</body>
</html>
Instead of this, try to send headers to http://www.yourhost.com/post.php with a PHP script: upload it on an FTP you have,
download the PHP browser, modify it to send a referer like "yourhost.com" and try to run the exploit.
Then return here and show me the results in a snapshot.
- greyhoundcode
- Enthusiast
- Posts: 112
- Joined: Sun Dec 30, 2007 7:24 pm
Re: Spam cleanup - Deleted Users with 0 posts
freepurebasic wrote:
Did you read carefully?

I don't generally have any problems in terms of my reading ability, but thanks for asking all the same.
freepurebasic wrote:
Well, you're wrong.
If I use a PHP browser on another server and I try to post headers from that server, I will be pimp.
Try to set up a PHP browser to post data to this script with any referer value you want,
and show us a screenshot of what you got.

My point was that you can't trust the HTTP_REFERER field, hence my previous quote from the PHP manual. Let's look at your code.
Code:
// First you are checking if the referrer header has been sent
if (isset($_SERVER["HTTP_REFERER"]))
    // Then you are parsing it for further testing later in the code
    $gethost = parse_url($_SERVER["HTTP_REFERER"]);
freepurebasic wrote:
Try to read this:
Code:
if ($gethost['host'] !== $servername) $pimp = true;

All I need to do (if post.php is located on yourhost.com) is set my CURL options appropriately; in fact most of my referrer string can be complete gibberish because you are only testing against one part of it (the host name).
Code:
curl_setopt($handler, CURLOPT_REFERER, 'fiction://yourhost.com:port/not_a_real_path?blah_blah#fragment');
Now instead of seeing "Ciao!" I will see the contents of the php_info dump, as $gethost['host'] and $servername are now equal.
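To put the two objections raised in this thread side by side (the PHP manual's warning that the Referer is set by the client and may be absent, and the point that only the host part of it is compared), here is an added example that is not code from either poster: the decision protectform() makes is pulled into a pure function and run over constructed requests, with 'yourhost.com' as the assumed SERVER_NAME.

```php
<?php
// Added example (not code from the thread): the decision made by protectform()
// pulled into a pure function so it can be exercised with constructed requests.
// Returns true when the request would be rejected ('ciao!'), false when it passes.
function referer_check(string $method, ?string $referer, string $servername): bool
{
    if ($method === 'GET') {
        return false;                       // GET requests are never checked
    }
    if ($referer === null) {
        return true;                        // no Referer header at all: rejected
    }
    $gethost = parse_url($referer);         // false for malformed URLs
    $host = is_array($gethost) && isset($gethost['host']) ? $gethost['host'] : null;
    return $host !== $servername;           // only the host part is compared
}

// Constructed requests against an assumed SERVER_NAME of 'yourhost.com'.
$servername = 'yourhost.com';
$cases = [
    // label                                          method  Referer header                                         expected rejection
    ['legit form post from our own page',             'POST', 'http://yourhost.com/viewtopic.php?t=1',               false],
    ['form hosted on another server (the HTML demo)', 'POST', 'http://otherhost.example/form.html',                  true],
    ['legit user whose AV suite strips Referer',      'POST', null,                                                  true],
    ['client that simply names our host in Referer',  'POST', 'http://yourhost.com/',                                false],
    ['gibberish URL, only the host part matters',     'POST', 'fiction://yourhost.com:8080/not_a_real_path?x#frag',  false],
    ['Referer whose host only looks similar',         'POST', 'http://yourhost.com.example/',                        true],
];

// Runs every case and records whether the guard behaved as the label expects.
function run_cases(array $cases, string $servername): array
{
    $results = [];
    foreach ($cases as [$label, $method, $referer, $expected]) {
        $rejected = referer_check($method, $referer, $servername);
        $results[$label] = ['rejected' => $rejected, 'as_expected' => $rejected === $expected];
    }
    return $results;
}

foreach (run_cases($cases, $servername) as $label => $r) {
    printf("%-48s %s%s\n", $label, $r['rejected'] ? 'rejected' : 'accepted',
           $r['as_expected'] ? '' : '  (UNEXPECTED)');
}
```

Two rows carry the thread's argument: the Referer-less legitimate user is rejected, while any request that merely names yourhost.com in its Referer is accepted.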