DaNIEL MeNTED
11-17-2006, 10:00 PM
Check Proxy RBL on New User Registration Version 4.1
Version 4.1 remains unchanged from version 4.0 with the exception of a code fix to deal with an SQL injection security hole in the code.
What does this hack do?
Hooking in at register_addmember_process and register_addmember_complete this hack compares the IP address of the person registering with the Realtime Block List(s) of your choice. Based on your configuration the RBL Checker will then perform one of these actions:
- Nothing, the registration continues as normal.
- Registration continues as normal, but the user is automatically moved into the "Pending Moderation" group of your choice.
- Registration continues as normal, but the user is automatically permanently banned.
- Registration is blocked, an error message is displayed to the user.
Please Note: It is strongly recommended that you configure PM or Thread based notification so that you may monitor registrations that are from IPs that are a positive hit on the RBL, especially if you configure the checker to allow registrations to complete normally.
These options are configurable in AdminCP > Options > DM-RBL Check on Registration.
Why Block Proxies?
Banned users and spammers often get around IP bans by simply using an open proxy - of which there are thousands. Very few legitimate users slow their surfing by using an anonymous proxy.
How do you Install?
- Create a user from which PMs, Posts, etc. will be generated.
- In your adminCP obtain values for the "banned" and "pending moderation" groupIDs (Defaults are 8 and 4).
- Install the attached product.
IMPORTANT NOTE: You must specify a username if you plan on configuring the AUTOBAN or NOTIFICATION options. Otherwise you WILL get errors.
What is the default config?
By default the RBLChecker will check the IP of a new registration, allow registration to complete, but add the new user to the "COPPA Members Awaiting Moderation" usergroup. You can then approve/reject those members depending on whether you think they are/aren't spammers/trolls.
You can modify the settings in the AdminCP to Ban or Block as you like.
Hack History:
Version 4.1
- Fixed SQL Injection security hole.
- Fixed some minor typos in automatically generated messages.
Version 4.0
- Added ability to specify error reported on blocks.
- Added ability to specify ban reason and custom title.
- Added ability to move users to "pending moderation" group if registration is allowed.
- Updated list of RBLs checked based on testing with lists of "anonymous" proxies.
- Fixed IP address of Notification Posts equalling IP of blocked user. (Now Notification IP = 1.2.3.4)
Version 3.2
- Fixed typo causing blocked registrations to be reported as allowed.
Version 3.1
- change in variable name in v3.0 broke RBL checking. Corrected error.
- match notification now includes the name of the RBL that matches the IP.
Version 3.0
- plugin now fires at "register_addmember_process" allowing the user to completely fill in the form.
- Added the ability to specify more than one RBL.
- Added option to specify whether registration is blocked or allowed to complete.
- Added option to automatically ban registrations that are allowed to complete but have a positive IP match.
- Added option to specify user who is "notifier".
- Added option to specify a forum where a notification thread will be created.
- Added option to suppress notification PM / Thread when an IP matches blacklist or known proxy list.
- Added customized error codes for notifications - notification now indicates whether a registration IP has matched the RBL, blacklist, or predefined list of anonymizers.
- Reworded Phrases.
- Removed 10.x.x.x IP from known proxy/anonymizer list.
Version 2.0
- Added configuration options under vboptions > DM-RBL Check on Registration.
- Added PM on Block.
- Added option to select RBL.
- Added Custom Whitelist.
- Added Custom Blacklist.
- Added list of free proxies.
- Changed default RBL to sbl-xbl.spamhaus.org
- Added option to enable/disable checking.
Version 1.0
- added plugin to check against opm.tornevall.org
- added custom phrase to be reported as error on registration start.
Using this Hack?
If you install this hack please click "Installed" to receive updates.
If you find this hack useful you can always hit that paypal button too...
DaNIEL MeNTED
11-18-2006, 02:41 AM
Reserved.
Ajavas
11-18-2006, 09:04 AM
Thnx, for your first hack....:) First install! :up: Oops..mean first reply.
Eggie
11-18-2006, 09:55 AM
Open Proxies are often exploited by malicious users to circumvent IP bans. If you feel your IP is being blocked in error you may contact the site administrator.
Is there an option to whitelist an IP if they are found to be blocked and can prove they are blocked in error? Is opm.tornevall.org the only list this works with or do you offer other options, as I have never heard of them and the site is not in English to get more info on their RBL. Can this work off a custom built RBL database? Looking good though!
ociosos
11-18-2006, 02:01 PM
where are options?
have options?
More information please ;)
DaNIEL MeNTED
11-18-2006, 10:02 PM
Hey guys... thanks for the feedback.
I had written this hack quickly but I agree there was room for improvement.
I have uploaded a new version - much improved.
Thnx, for your first hack....:) First install! :up: Oops..mean first reply.
Thanks!
Is there an option to whitelist an IP if they are found to be blocked and can prove they are blocked in error? Is opm.tornevall.org the only list this works with or do you offer other options, as I have never heard of them and the site is not in English to get more info on their RBL. Can this work off a custom built RBL database? Looking good though!
There is now.
There is a custom whitelist / blacklist to which you can add IPs. There is also a "known proxy" list that contains the IPs of sites like "the cloak" or "proxify". I will add to that list with each update.
Also, I've been having some issues getting opm.tornevall.org to resolve addresses so I've replaced the default with sbl-xbl.spamhaus.org which is a much more well known RBL.
where are options?
have options?
More information please ;)
There were no options... but there are now.
DL and install the new product and check in your ACP > VB Options. There should be an entry.
I've also added the ability to PM user(s) when an IP gets blocked.
Thx Guys!
Tulsa
11-18-2006, 11:12 PM
I like the new options, thanks! :)
funkmeister
11-19-2006, 12:15 AM
I installed this and then fired up Hide IP Platinum (http://www.hide-ip-soft.com/) and with various IP's ranging from Slovakia to Saudi Arabia was still able to register successfully on my forum with fake id's.
I don't know much about what, who or how Hide IP works, but whatever it is doing, it's getting past this - any ideas how to circumvent it too?
Great idea though, thanks.
DaNIEL MeNTED
11-19-2006, 12:19 AM
I installed this and then fired up Hide IP Platinum (http://www.hide-ip-soft.com/) and with various IP's ranging from Slovakia to Saudi Arabia was still able to register successfully on my forum with fake id's.
I don't know much about what, who or how Hide IP works, but whatever it is doing, it's getting past this - any ideas how to circumvent it too?
Great idea though, thanks.
The problem is that products like hideIP or anonymizer aren't getting blacklisted by RBLs.
I guess it's debatable on whether or not they should...
I'm looking into different RBLs to see if I can find one that hits those ranges.
NiTRoN
11-19-2006, 08:25 AM
maybe this product can expand to also allow multiple ip checking sites.. not just 1.. also Custom msg explaining why the registration was denied with admin option to enable or disable it. The msg would show in format of vbulletin error msg instead being PM one..
my 2cents.. otherwise this is great idea for a product. Looking very promising.. maybe it could evolve into some front-end security suite for vbulletin, but who knows.. its me just dreamin.
DaNIEL MeNTED
11-19-2006, 12:37 PM
maybe this product can expand to also allow multiple ip checking sites.. not just 1.. also Custom msg explaining why the registration was denied with admin option to enable or disable it. The msg would show in format of vbulletin error msg instead being PM one..
my 2cents.. otherwise this is great idea for a product. Looking very promising.. maybe it could evolve into some front-end security suite for vbulletin, but who knows.. its me just dreamin.
Hi Nitron.
There is an error message that is displayed to the user in the standard vb error display format. You can edit exactly what it says by editing the phrase DM_found_in_rbl.
The PM option allows you, as an admin, to receive a PM with the IP when it's blocked.
I will look at adding multiple RBLs in the next version.
NiTRoN
11-20-2006, 01:22 AM
oh sweet.. just got confused by what the options were for.. since there was no clear explanation.. :)
can the PM options have drop down menu and let you choose PM or EMAIL?
You can solve that by making one line option with multiple boxes..
example
"Notify Following UserID's [enter userid# here] by [drop down box with options EMAIL/PM] about failed registrations"
and user id "0" would disable that whole option.
Tom1234
11-20-2006, 07:35 PM
Isn't the sbl-xbl.spamhaus.org blacklist a list of IP's that are used by email spammers? I'd expect that to be successful for blocking email spam, but that is not the same as blocking anonymous http proxy sites like Proxify.
countrycheck.com used to try to keep track of anonymous http proxy servers, but they seem to have gone out of business. Their site has contained just an error message for a few weeks now.
DaNIEL MeNTED
11-20-2006, 10:59 PM
Isn't the sbl-xbl.spamhaus.org blacklist a list of IP's that are used by email spammers? I'd expect that to be successful for blocking email spam, but that is not the same as blocking anonymous http proxy sites like Proxify.
countrycheck.com used to try to keep track of anonymous http proxy servers, but they seem to have gone out of business. Their site has contained just an error message for a few weeks now.
spamhaus.org rolls up a number of other RBLs. You can also specify whatever RBL you want to use.
Tom1234
11-21-2006, 03:24 AM
Which Spamhaus (or other source) RBL contains anonymous http proxy servers?
Hornstar
11-21-2006, 05:32 AM
When you say open proxy, does that mean aol is not blocked?
DaNIEL MeNTED
11-21-2006, 12:34 PM
Which Spamhaus (or other source) RBL contains anonymous http proxy servers?
From spamhaus.org:
Incorporates CBL data and NJABL proxy data
The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are:
- the CBL (Composite Block List) from cbl.abuseat.org
- the NJABL Open Proxy IPs list from www.njabl.org.
http://www.spamhaus.org/xbl/index.lasso
Obviously many of those open proxy IPs reflect mailservers but I have had some success with IPs found googling "anonymous HTTP proxy" getting blocked.
I'm still looking for a proper list of anonymous web proxies.
When you say open proxy, does that mean aol is not blocked?
That is correct - AOL is not blocked because it is proxying for its customers.
DaNIEL MeNTED
11-21-2006, 12:54 PM
I have been doing some testing with different RBL's and google'd lists of open proxy servers... so far list.dsbl.org seems to return the most "hits" for known proxy IPs.
I will be testing it out to see if I get any false positives and may update the product to use it as a default... more info: http://dsbl.org/main
The Finman
11-25-2006, 05:38 AM
Wow, this has actually been really effective since I installed it a couple of days ago.:up:
My only recommendation would be maybe an option that let you designate a post notification in the forum choice of the Admin (such as a Private Forum for mods and/or admins), instead of the PM notifications. The AE multiple account detector does that.
Other than that, good job! :up:
I've combined this with other proxy hacks (such as Paul M's Proxy to Real IP hack) with some good success. :)
DaNIEL MeNTED
11-26-2006, 08:45 PM
Wow, this has actually been really effective since I installed it a couple of days ago.:up:
My only recommendation would be maybe an option that let you designate a post notification in the forum choice of the Admin (such as a Private Forum for mods and/or admins), instead of the PM notifications. The AE multiple account detector does that.
Other than that, good job! :up:
I've combined this with other proxy hacks (such as Paul M's Proxy to Real IP hack) with some good success. :)
Thanks... I'll look at adding that for the next version.
The Finman
11-27-2006, 12:32 AM
Thanks... I'll look at adding that for the next version.
So far, I've had ten blocks of a persistent troll who appears to be using "Hide My IP" or "Multi-Proxy" to try and get back in as his proxy IPs have been rotating. So far so good...but he's apparently not giving up yet as he spent the entire day yesterday trying to reregister using various proxies without success. All I can say is that he has waaay too much time on his hands. :cool:
Thank you to both you and Paul M for your mods! :cool:
MimeSong Erk
11-30-2006, 04:31 AM
Hi Daniel, hope this is as awesome as it sounds. It looks great as it stands, and should solve my recurring proxy issues... I don't think my members are too creative with their proxy choices, but I guess I am about to find out :p
I too would really like to see a blocked-ip-to-post feature, if another signature on the list helps any.
Ed; Knowing nothing about proxy RBLs, I have to ask - why not make it possible to list multiple RBLs, so we don't have to rely on just spamhaus or just another one, when we could just stick multiple servers up? I don't claim to be a pro, but I would expect that blocking the same IP twice because of duplicate entries would not have any effect.
DaNIEL MeNTED
12-06-2006, 01:21 PM
Hi Daniel, hope this is as awesome as it sounds. It looks great as it stands, and should solve my recurring proxy issues... I don't think my members are too creative with their proxy choices, but I guess I am about to find out :p
I too would really like to see a blocked-ip-to-post feature, if another signature on the list helps any.
Ed; Knowing nothing about proxy RBLs, I have to ask - why not make it possible to list multiple RBLs, so we don't have to rely on just spamhaus or just another one, when we could just stick multiple servers up? I don't claim to be a pro, but I would expect that blocking the same IP twice because of duplicate entries would not have any effect.
Hey there... I will be adding a "post a thread" option when I update the hack (probably after the holidays as I'm insanely busy with real work (tm) and life in general). I will also be adding an "email" option as well for those that want it.
I haven't considered multiple RBLs but can... It shouldn't be that much effort to code.
The main reason I haven't is that most of the larger RBLs amalgamate the data from smaller ones... so listing 3 or 4 RBLs will get you the result of listing the biggest, most inclusive one.
MimeSong Erk
12-06-2006, 09:31 PM
Hi Daniel! No rush ;) vB modding is a hobby after all. I might see if I can cobble something together myself, because my PM box is cramping up a lot.
For people curious about the efficiency of this mod, I have had a reasonable amount of trouble with people from obscure ISP's, particularly one large one in Italy, getting blocked. However, it is very easy to ask them their ISP when they complain, then google the ISP and find out that it is not a proxy. Then I manually create their account via the adminCP, making sure to set the "IP on Registration" as well so it is no trouble to ban them if they act up. It takes about 5 minutes of my time, and it has happened 3 times since I installed. Of those three times, two of the new users bought subscriptions to my site because they were so impressed with the care I took to help them out ;)
If you have an Italian board, I don't recommend this mod. There is a big Italian ISP that is marked by spamhaus because its dynamic IP system can be used by spammers (or something like that. Don't ask me, I'm an English teacher, not an IP person.)
The Finman
12-11-2006, 08:41 PM
Hey Daniel,
Thought you users might get a chuckle out of the way I set it up.
I created a user called "Troll Stomper" and he's set up as the chosen "informant" member for both your Proxy RBL Checker and the Multiple account login detector (AE Detector) (https://vborg.vbsupport.ru/showthread.php?t=125871).
Now whenever your Proxy RBL Checker detects either someone using a proxy, or a spam bot trying to register...our Mods get this PM.
http://www.ronaldreagan.com/current_events/troll_stomper_pm.gif
He also shows up in the Private Forum if the Multiple Account (AE) Detector gets tripped and posts the alert as a thread.
My Mods also had a suggestion that doesn't seem that relevant to me, but they said they would like to know what username the person or bot tries to use. I don't see how that info would be very relevant, but they indicated they would like it as it would help them recognize a problem user if they do manage to switch their IP into one that was not listed (basically recognizing them if they try using the same username).
Anyway, it's been great as it is not only stopping trolls trying to use proxies to bypass bans, but it's also stopping the spam bots right at the door as well.
MimeSong Erk
12-11-2006, 09:21 PM
I really want the username and email the blocked IP tried to register from to be included in the PM. Actually, the way I want it to work is for a new thread to be created in a specified forum. In the first post of the thread would be the IP as well as the hostname the IP resolves to, the username and email address the IP tried to register with, and the blacklist that pegged the IP.
Subsequent registration attempts from the same IP would appear as replies in the thread and would only list the username and email the IP tried to use.
Some of this is within my abilities so if I ever get time (hahahahahaahaha) I will try to set it up myself, but I am at best a no-talent hack at this stuff. I'm not even sure I can get it to detect the name and email :p
The Finman
12-11-2006, 11:06 PM
I really want the username and email the blocked IP tried to register from to be included in the PM. Actually, the way I want it to work is for a new thread to be created in a specified forum. In the first post of the thread would be the IP as well as the hostname the IP resolves to, the username and email address the IP tried to register with, and the blacklist that pegged the IP.
Subsequent registration attempts from the same IP would appear as replies in the thread and would only list the username and email the IP tried to use.
Actually that does make a lot of sense. :D
That would be awesome!
I think that was what my Mods were asking for...they just didn't state it as clearly as you just did. ;)
DaNIEL MeNTED
12-12-2006, 06:15 PM
Hi Guys --
I can look into adding that as a feature for the next run - right now the hack hooks in to register_start which means for anyone who is registering from a blocked IP they don't get to enter ANY information before being blocked.
Now that you mention it... it might be a good idea to let them get far enough to enter a username/email so they can be tracked.
Also - I love the Troll Stomper thing, can you shoot me a link to that avatar?
sross
12-12-2006, 07:00 PM
This is just what I was looking for, thanks so much and I hope it helps me a bit..
MimeSong Erk
12-12-2006, 08:24 PM
Hi Guys --
I can look into adding that as a feature for the next run - right now the hack hooks in to register_start which means for anyone who is registering from a blocked IP they don't get to enter ANY information before being blocked.
Now that you mention it... it might be a good idea to let them get far enough to enter a username/email so they can be tracked.
Also - I love the Troll Stomper thing, can you shoot me a link to that avatar?
Hooking it later would also make it take longer for people to get to the blocked screen, so they could stop trying 70 times per hour and filling my inbox ;) or the report thread, whichever.
The Finman
12-12-2006, 09:06 PM
Also - I love the Troll Stomper thing, can you shoot me a link to that avatar?
http://www.ronaldreagan.com/images/troll_stomper.gif
funkmeister
12-13-2006, 06:03 PM
Can you consider adding an option that when you add an IP address to the Blacklist, you are no longer notified about that IP as attempting to register.
I'm getting bombarded by a few persistent and consistent IP's and since they're now in my Blacklist, I don't care to know about their registration attempts via the PM notifications.
One of them is 216.145.49.15 which resolves to 'snv-global1.corp.yahoo.com' - anyone know if that is a legit one - if so I can add it to my Whitelist. I'm suspicious that it's a bot or something tripping up on it, but I'm not sure.
Thanks in both cases!
falter
12-13-2006, 07:26 PM
Feature Request: The ability to do the checking for DNS BL upon registration, but in a non-blocking mode. That is, give the option for what to do to the admin. I would very much like to do a dry run to see how things lie for me, prior to enabling this in full blocking mode. I had the plugin installed, and it was rejecting some users at login. Yes, they were using proxies, and I can easily add them to the white list, however I'd like to get a baseline without blocking out a lot of users right off the bat.
Until then, I've had to uninstall the plugin.
DaNIEL MeNTED
12-13-2006, 08:03 PM
It shouldn't block people at login as it only fires at register_start.
I'll look at adding a report/block option.
falter
12-14-2006, 01:38 AM
I couldn't reproduce my users' problem. It might be useful to include the URL that the user was getting blocked on, that way if there is a user who is having a problem, we can better help them.
Also, in the default list of "Known Proxies" is "10.237.44.144", which is an RFC1918 (http://www.faqs.org/rfcs/rfc1918.html) Non-routable ip address (as are 192.168.x.x addresses). It'll never trip, but it's also probably not a good idea to include ip addresses that often exist in corporate private networks.
One more thing (sorry sorry, I know that you do this in your free time, but I want to help you make it the best it can be), The "RBL Match Mask" only allows to match against the first octet (I haven't tested this, but it's what it says). It would be useful if we could provide a list of things to match against. Different DNSBL's return different 127.0.0.x addresses, which indicate the type of host that is matching. From http://www.spamhaus.org/sbl/howtouse.html,
127.0.0.2 - Direct UBE sources, verified spam services and ROKSO spammers
127.0.0.4-6 - Illegal 3rd party exploits, including proxies, worms and trojan exploits
and for NJABL (dynablock.njabl.org):
http://www.njabl.org/use.html
# 127.0.0.2 - open relays
# 127.0.0.3 - dial-up/dynamic IP ranges *
# 127.0.0.4 - Spam Sources
This will include both commercial spammers as well as some dial-up direct-to-mx spammers and open proxies as it's not always possible to differentiate between these sources. For commercial spammers, once we have spam on file from some of their IPs, we may add their entire IP range if it can be reliably determined.
# 127.0.0.5 - Multi-stage open relays
Before adding multi-stage open relays to our list, we make an attempt to notify the NIC contacts for their IP space and give them at least one week to fix their systems. This type is deprecated. We no longer list multi-stage open relays.
# 127.0.0.6 - Passively detected "bad hosts"
These hosts have done things a proper SMTP server should not do. They're very likely to be spam proxies. We can't say much more about this. No supporting evidence is made available for listing these IPs.
# 127.0.0.8 - Systems with insecure formmail.cgi or similar CGI scripts which turn them into open relays
This includes the output IP when a server with an insecure formmail CGI smarthosts outgoing email through another server or servers.
# 127.0.0.9 - Open proxy servers
I'm only interested in blocking Open proxies/relays, and not spam hosts (127.0.0.4) nor dial-up/dynamic IP ranges (127.0.0.3).
I think it's dangerous just to blindly use a DNSBL without making sure that you want to block everything it has to offer. In the context of a bulletin board system, you might not want to block the same hosts that you'd block in the context of an anti-spam system.
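The per-list return-code filtering falter asks for above, as an added example that is not part of the original thread or the plugin's code. The function names, the chosen code sets and the sample DNS answers are assumptions constructed for illustration; the zones and code meanings are the ones quoted in the post, and the resolver is passed in so the example runs offline.

```python
import ipaddress
import socket

# Return codes (last octet of the 127.0.0.x answer) that count as an open
# proxy/relay hit, per zone. The meanings are the ones quoted in the post
# above; picking exactly these sets is an assumption made for this example.
POLICY = {
    "sbl-xbl.spamhaus.org": {4, 5, 6},  # third-party exploits incl. proxies
    "dynablock.njabl.org": {2, 9},      # open relays, open proxy servers
}

# RFC 1918 ranges never belong on a public blocklist, so skip the lookup.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANSWER_NET = ipaddress.ip_network("127.0.0.0/24")


def query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_resolve(name):
    """Real resolver: list of A records, empty list when the IP is not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, timeout, no network
        return []


def return_codes(answers):
    """Keep only well-formed 127.0.0.x answers and return their last octets."""
    codes = set()
    for answer in answers:
        try:
            addr = ipaddress.IPv4Address(answer)
        except ValueError:
            continue
        if addr in ANSWER_NET:  # anything else is not a DNSBL verdict
            codes.add(int(addr) & 0xFF)
    return codes


def check_ip(ip, policy=POLICY, resolve=dns_resolve, whitelist=()):
    """Return the action for one registering IP.

    block  - at least one zone returned a code the policy treats as proxy/relay
    report - listed somewhere, but only with codes the policy ignores
    allow  - not listed anywhere
    skip   - private or whitelisted address, no lookup performed
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in RFC1918) or str(addr) in whitelist:
        return {"action": "skip", "hits": [], "ignored": []}
    hits, ignored = [], []
    for zone, wanted in policy.items():
        codes = return_codes(resolve(query_name(ip, zone)))
        matched = sorted(codes & wanted)
        if matched:
            hits.append((zone, matched))
        elif codes:
            ignored.append((zone, sorted(codes)))
    if hits:
        action = "block"
    elif ignored:
        action = "report"
    else:
        action = "allow"
    return {"action": action, "hits": hits, "ignored": ignored}


# Constructed answers standing in for DNS (documentation-range IPs).
SAMPLE_DNS = {
    "7.2.0.192.dynablock.njabl.org": ["127.0.0.9"],   # open proxy
    "8.2.0.192.dynablock.njabl.org": ["127.0.0.3"],   # dynamic range only
    "9.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2"],  # spam source only
    "9.2.0.192.dynablock.njabl.org": ["127.0.0.4"],   # spam source only
}


def sample_resolve(name):
    """Offline resolver backed by the constructed SAMPLE_DNS table."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.7", "192.0.2.8", "192.0.2.9",
               "192.0.2.10", "10.237.44.144"):
        print(ip, check_ip(ip, resolve=sample_resolve))
```

The "report" outcome is the non-blocking dry run requested earlier in the thread: the address is listed, but only under codes the forum has chosen not to act on.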
DaNIEL MeNTED
12-14-2006, 05:15 PM
I have removed the 10. IP from the list of "known proxies" .. I suspect that was a typo on my part. The RBL mask currently only matched the first octet because various RBLs have various return codes - all varieties of 127.0.0.x
If you want to be granular to the point of the last octet then the benefit of using more than one RBL - which was requested by several people - goes out the window as no 2 RBLs tend to use the same definitions.
I - for one - am looking at a more "inclusive" matching pattern. That being I would rather block people that shouldn't be than allow trolls in... the function of a whitelist allows you to specify IPs that are erroneously getting blocked.
DaNIEL MeNTED
12-14-2006, 05:45 PM
Can you consider adding an option that when you add an IP address to the Blacklist, you are no longer notified about that IP as attempting to register.
Added... see v3.
My only recommendation would be maybe an option that let you designate a post notification in the forum choice of the Admin (such as a Private Forum for mods and/or admins), instead of the PM notifications. The AE multiple account detector does that.
Added... you can now have a PM, a new thread, or both...
I too would really like to see a blocked-ip-to-post feature, if another signature on the list helps any.
Ed; Knowing nothing about proxy RBLs, I have to ask - why not make it possible to list multiple RBLs, so we don't have to rely on just spamhaus or just another one, when we could just stick multiple servers up? I don't claim to be a pro, but I would expect that blocking the same IP twice because of duplicate entries would not have any effect.
Multiple RBLs added as well... bear in mind it has to do a reverse IP lookup at each one you list...
Hey Daniel,
Thought you users might get a chuckle out of the way I set it up.
I created a user called "Troll Stomper" and he's set up as the chosen "informant" member for both your Proxy RBL Checker and the Multiple account login detector (AE Detector) (https://vborg.vbsupport.ru/showthread.php?t=125871).
Now whenever your Proxy RBL Checker detects either someone using a proxy, or a spam bot trying to register...our Mods get this PM.
My Mods also had a suggestion that doesn't seem that relevant to me, but they said they would like to know what username the person or bot tries to use. I don't see how that info would be very relevant, but they indicated they would like it as it would help them recognize a problem user if they do manage to switch their IP into one that was not listed (basically recognizing them if they try using the same username).
I like that VERY much. Will be configuring the same thing on my forum. Added the option to select a "source" user for notifications by username. The alerts now include the username and email as well as the IP.
I really want the username and email the blocked IP tried to register from to be included in the PM. Actually, the way I want it to work is for a new thread to be created in a specified forum. In the first post of the thread would be the IP as well as the hostname the IP resolves to, the username and email address the IP tried to register with, and the blacklist that pegged the IP.
Subsequent registration attempts from the same IP would appear as replies in the thread and would only list the username and email the IP tried to use.
I may look at that for an extra "feature release" ... say v3.5. Right now it will create a thread or PM with the username and IP.
Thanks for all the positive feedback guys... what started as a quick and dirty hack for my own forum is actually getting to be a decent hack.
falter
12-14-2006, 06:06 PM
I have removed the 10. IP from the list of "known proxies" .. I suspect that was a typo on my part. The RBL mask currently only matched the first octet because various RBLs have various return codes - all varieties of 127.0.0.x
If you want to be granular to the point of the last octet then the benefit of using more than one RBL - which was requested by several people - goes out the window as no 2 RBLs tend to use the same definitions.
I - for one - am looking at a more "inclusive" matching pattern. That being I would rather block people that shouldn't be than allow trolls in... the function of a whitelist allows you to specify IPs that are erroneously getting blocked.
First, I appreciate the update, I'll give it a try as soon as I get a chance.
How about this idea:
It could come, preconfigured, with a good number of common SBLs. For each of these, the admin has the ability to choose open proxies, spammy servers, dial-up networks, etc etc. Additionally, give the ability to add their own SBLs with their own options for matching against there.
I think it might give many admins a false-sense of accomplishment once they install this and start blocking lord knows what, but believe that they're only bad things (The plugin name says block proxies, but in reality it is blocking far more than just proxies). It's widely known that large American broadband networks are responsible for a great deal of spam, and a good number of these block-lists include those subnets. I'm afraid of doing a disservice to the users if we choose to just blindly block everything. I think that for this plugin to truly be successful, the admin should be able to finely tune what is and isn't blocked. If you've got a forum with tens of thousands of users, with hundreds of signups a day, whitelisting things would be almost certainly unmaintainable.
As for trolls and whitelisting, how are you going to know if someone is a troll or not before they've even posted anything? What indicators should be used to go ahead and whitelist one IP over another? I think that in order for our individual communities to grow, it's like dealing with spam in that it's important that we make sure that all the good guys can get in, even if that means some cruft gets in on occasion. I'd rather ban 2 or 3 trolls a month, than waste my time trying to figure out if 233.44.23.XX is going to be a troll or not, over and over and over again.
The Finman
12-14-2006, 08:20 PM
Added... see v3.
Added... you can now have a PM, a new thread, or both...
Multiple RBLs added as well... bear in mind it has to do a reverse IP lookup at each one you list...
I like that VERY much. Will be configuring the same thing on my forum. Added the option to select a "source" user for notifications by username. The alerts now include the username and email as well as the IP.
I may look at that for an extra "feature release" ... say v3.5. Right now it will create a thread or PM with the username and IP.
Thanks for all the positive feedback guys... what started as a quick and dirty hack for my own forum is actually getting to be a decent hack.
WhoHoo!!
Thanks Daniel!
funkmeister
12-14-2006, 09:19 PM
Added... see v3.
Thanks for adding my requested feature. Installing now!
The Finman
12-14-2006, 09:50 PM
First, I appreciate the update, I'll give it a try as soon as I get a chance.
How about this idea:
It could come, preconfigured, with a good number of common SBLs. For each of these, the admin has the ability to choose open proxies, spammy servers, dial-up networks, etc etc. Additionally, give the ability to add their own SBLs with their own options for matching against there.
I think it might give many admins a false-sense of accomplishment once they install this and start blocking lord knows what, but believe that they're only bad things (The plugin name says block proxies, but in reality it is blocking far more than just proxies). It's widely known that large American broadband networks are responsible for a great deal of spam, and a good number of these block-lists include those subnets. I'm afraid of doing a disservice to the users if we choose to just blindly block everything. I think that for this plugin to truly be successful, the admin should be able to finely tune what is and isn't blocked. If you've got a forum with tens of thousands of users, with hundreds of signups a day, whitelisting things would be almost certainly unmaintainable.
As for trolls and whitelisting, how are you going to know if someone is a troll or not before they've even posted anything? What indicators should be used to go ahead and whitelist one IP over another? I think that in order for our individual communities to grow, it's like dealing with spam in that it's important that we make sure that all the good guys can get in, even if that means some cruft gets in on occasion. I'd rather ban 2 or 3 trolls a month, than waste my time trying to figure out if 233.44.23.XX is going to be a troll or not, over and over and over again.
You know, I had the exact same concerns when I first installed this hack almost a month ago, and I have carefully examined EVERY alert.
I would take the IP address and I would go over to DnsStuff.com (http://www.dnsstuff.com/) and run it through WHOIS and the Spam Database Lookup, to get a clearer picture of who or what was trying to register.
I run a 10,000+ member board and the only IP denial from the RBL Checker I have ever received that was questionable, was an IP address that was of a grade school that was apparently running a proxy. However the DnsStuff.com Spam Database Lookup had multiple reports from the many various spam monitor services that tended to indicate that even if the school was legit (as it seemed to be), what the school's proxies had been used for apparently wasn't. It's very possible that the school's proxy servers may have been infiltrated and they were being abused without the school even being aware of it.
I also modified the xml file to include a link to the "Contact Us" section of the board I run.
I haven't had anyone contact me except for the troll for which I primarily installed it for...and yes, he was hopping mad that he couldn't get back in using the rotating proxy software he had been able to use to bypass our ban. He literally spent almost two days of what seemed like non-stop trying. That is why I asked Daniel to be able to change the notification system from PMs to a thread (preferably in the private forum for Mods & Admins) notification, as some of my Mods that aren't always around were having their PM boxes filled to the brim, as it took this idiot several days to finally give up.
I actually figured that once I got rid of him that I would disable it...until if I got another problem poster using proxies to bypass our ban again.
Anyway, like I said I monitored the alerts very closely, and from that most of the blocked IPs were from places like India, China, Brazil, Hungary, Saudi Arabia, Russia Etc. Now then you may have members from those countries, but out of our 10,000+ members...none of ours that are legitimate are from those countries. Could there be?...of course, but very doubtful. Now I have several alerts a day from those countries as they are spam bots who normally made it to the Captcha system before getting denied. The Proxy RBL checker now was stopping them at the front door instead, thus triggering an alert.
Also, seeing the sheer amount caused by spam bots was also a real eye opener, as since the new vBulletin 3.6+ version we haven't been getting many spam bots as the new Captcha system has made a big difference.
Anyway, even though it was interesting seeing just how many spam bot attempts were actually made, it was starting to get annoying which is also why I'm glad that Daniel moved the RBL checker back a little bit to "register_addmember_process", thus allowing the Captcha system to deny them...thus cutting down on the alerts.
Anyway, like I said I only installed this mod because of a very determined troll who was using rotating proxies to get back in. I was having to go into either the AdminCP or the server itself (to access my .htaccess forwarding to another place based on IPs) two or three times a day to add whatever new proxy address he was using. It was a real "cat and mouse" game, as I would block him and then he would simply switch IPs and re-register and not only was it annoying, but it was taking up a good bit of my time, as I had to verify that the IP was a proxy or spam IP, and then login to either the AdminCP or the .htaccess file on the server to ban that IP. Once I got rid of him, I planned to disable this mod, but I decided to leave it on (mostly in case he comes back) and monitor it closely. With that one questionable denial, the others have been shown to be either spam or proxy registration attempts.
I think the changes in this updated version of the RBL checker will really give Admins the necessary controls to be either aggressive or lenient in the registration process.
I suggest people who are skeptical like I was, to try it and monitor it and verify the registration information against WHOIS, known proxy and spam lists (such as those at DnsStuff.com (http://www.dnsstuff.com/)). If after examining the RBL Checker Alerts, you think that legitimate users are being denied, then either disable it (like I had planned to do) or simply uninstall it.
I honestly am not trying to be a cheerleader for Daniel or this mod, but I think this approach on an old problem is fresh and unique (I also like Paul M's Real IP Detection (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_20050630) for a 1, 2 punch). :)
DaNIEL MeNTED
12-14-2006, 10:17 PM
Indeed ... I recommend anyone who isn't sure the RBL is granular enough to not block legitimate users configure the first three options YES - YES - NO and give the blocker a forumid to post reports.
We have not had problems with trolls as yet... although our site has only been open less than 2 months and only has about 1000 users. I'm using the multiple login detector to track when we have more than 1 user @ a given IP but my experience on other boards is that trolls use proxies to get around IP bans... I have seen the same person banned 5 or 6 times in a day, and I have seen registration turned off temporarily to stop trolls from registering... this is much more intrusive than banning their IP and blocking registration from proxies.
I'm a bit of a prick so I have the RBL Blocker configured to block registration... you could easily configure it to allow registration and only change it to block if you start to get a lot of hits in association with troll activity on the board.
In part, allowing the person to get to the "submit" portion of registration also captures any hotmail/etc. addresses they have set up to get around IP/email address bans.
Of course... you will have to manually add those email addresses to the email banning options. The other option would be to enable auto-banning.
DementedMindz
12-14-2006, 11:09 PM
nice mod i was wondering they had a nice way to block anonymous proxies in phpbb via a mod which was pretty nice would you be able to see if you can work any of that into this? you can take a look on how it's written here and what it does. http://web-professor.net/wp/2005/05/20/block-anonymous-proxies-mod-for-phpbb/
falter
12-14-2006, 11:28 PM
You know, I had the exact same concerns when I first installed this hack almost a month ago, and I have carefully examined EVERY alert.
Oh, believe me, I understand the full potential of this plugin, in addition to how I might use it effectively (I work in computer security, and actually make use of DNSBL's). My only problem is that the plugin enables people to blindly use DNSBL's, assuming that they are blocking just open proxies, as the title of this entails. I, as an admin, do not want to prevent people coming from IPs associated with SPAM (or other non-proxies), as I am well aware of the fact that the majority of spam in the world comes from hosts and networks that have been compromised by worms.
My suggestion is that if you are going to create a plugin that purports to block Open proxies, and, while it does block open proxies, it also blocks lots of other things, then that's a disservice. I'm erring on the side of caution, here. Upon further investigation of my user who had a problem the other day, according to the DNSBL, she was coming from an IP that had been known to be compromised by a worm. Do I care about that? Not particularly. I only really care about whether or not it's a proxy.
After looking at the link provided by "DementedMindz", I've found that SORBS actually does something right. Check out the link, http://www.us.sorbs.net/using.shtml. I've opted to enable http.dnsbl.sorbs.net, socks.dnsbl.sorbs.net, and misc.dnsbl.sorbs.net, as they are only related to proxies, and nothing else.
Here's the deal: I don't really want to babysit my messageboard by investigating every hit that comes through. If I know definitively that a particular IP is only matching because it hosts an open-proxy, I'm fine with that. I just think that if you're going to do that, you'll end up chasing a lot of wild geese, seeing as the DNSBL that come enabled by default, and have otherwise been recommended, do a lot more than just monitor for open proxies. It's a mis-use of these DNSBLs.
DementedMindz
12-14-2006, 11:32 PM
ok so you just added them to the Target RBL also is there supposed to be a space between each or a line break? also check out http://www.us.sorbs.net/using.shtml#largesites for more options it seems
falter
12-14-2006, 11:34 PM
ok so you just added them to the Target RBL also is there supposed to be a space between each or a line break?
I did put them in the Target RBL with a newline between each one.
So, for me, it's as follows:
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
falter
12-14-2006, 11:40 PM
alternatively, you can use:
proxies.dnsbl.sorbs.net
which points to all three of those systems (it'd also mean one query as opposed to three).
DementedMindz
12-14-2006, 11:42 PM
yeah my main thing that I really want to block is anonymous proxies as well as other proxies too. hopefully this will work in doing that. I'm going to try and test it out and see. cause I have another script in that's supposed to only work on proxies but anonymous get right by it.
DaNIEL MeNTED
12-15-2006, 12:42 AM
ok so you just added them to the Target RBL also is there supposed to be a space between each or a line break? also check out http://www.us.sorbs.net/using.shtml#largesites for more options it seems
One on each new line...
alternatively, you can use:
proxies.dnsbl.sorbs.net
which points to all three of those systems (it'd also mean one query as opposed to three).
Hmmm... I'll look into SORBS, I might make it the default.
DementedMindz
12-15-2006, 12:58 AM
ok so is that just going to block all proxies with proxies.dnsbl.sorbs.net and also is there any way at all to block anonymous proxies?
falter
12-15-2006, 02:20 AM
Operationally, there is no difference between any proxy and one that purports to be an anonymous proxy. All that an anonymous proxy is is one that strips out any data that might be used to track back to the proxy user (often cookies, common server headers, etc).
To answer your question, proxies.dnsbl.sorbs.net will block all proxies registered with it, anonymous or not. Now, it's possible that your understanding of what an anonymous proxy is might be different than that of mine, but I can assure you that they aren't any sort of special beast that is hard to slay. They're just proxy servers.
DementedMindz
12-15-2006, 02:26 AM
ok well for example i have that in there but say you go to this site. http://anonymouse.org/anonwww.html try to register on your site with a new name i bet it works. I haven't found a way to block these sort of sites yet cause they don't seem to pass the http variables.
DaNIEL MeNTED
12-15-2006, 08:43 AM
ok well for example i have that in there but say you go to this site. http://anonymouse.org/anonwww.html try to register on your site with a new name i bet it works. I haven't found a way to block these sort of sites yet cause they don't seem to pass the http variables.
The problem with that is that a large number of web "anonymizers" don't get added to RBLs. Whether or not they should is a matter for debate. You'll notice there is a section for known anonymizers/proxies and I have added the IPs of a number of "free anonymous hosting" sites...
I may look at building a "report an IP" function into my next release so I can build on the list of proxies that get past the RBL.
DaNIEL MeNTED
12-15-2006, 02:30 PM
Another method of configuring the RBL checker would be to do the following -
1) Create a new user group based on whatever group your "registered users" end up in and call it "Possible Trolls".
2) Set RBL Checker to allow registration but "autoban" user into the "possible troll" group.
You can now watch these users a little more closely - and if satisfied they're not trolls you can move them to your registered users group.
sinisterpain
12-17-2006, 02:10 PM
I have added this to my board but it doesn't appear to work. I had a user who is on the sbl-xbl.spamhaus.org list but he was not blocked. I checked that the plugin was active, settings were good. Any ideas why this would occur?
DaNIEL MeNTED
12-17-2006, 02:27 PM
You are correct ... I had tested everything was working but then cleaned up some variable names to standardize all the variables I use in the product and managed to misname one of the variables used in the RBL checking part of the code. Please download and install 3.1 - the problem is fixed and I've also changed the error message for RBL blocked users to include the name of the RBL doing the check (over time this should let people prune the list of RBLs they use down to the most effective one.)
Also - doing some tests with lists of free anonymous proxies and it looks like dnsbl.ahbl.org blocks the most IPs (checking on dnsstuff.com) the only problem is that www.ahbl.org has NO information so I'm not willing to make it the default or use it on my production forum.
Once I can get some information on it I may make it the default - certainly it reports all the open proxies as being such using DNS stuff.
Thanks for pointing out the RBL check wasn't working SinisterPain...
sinisterpain
12-17-2006, 04:08 PM
Thanks for the update, as I have been overwhelmed recently with spammers.
sinisterpain
12-17-2006, 07:12 PM
might wanna check it again cause it's not working still at least for me
It seemed to work fine now just got my first bust
DaNIEL MeNTED
12-18-2006, 09:44 AM
Which proxy are you using for testing? Works for me with any anonymous proxy I found using a combination of spamhaus.org and ahbl.org I blocked all attempts from anonymous proxies.
sinisterpain
12-18-2006, 08:32 PM
Which proxy are you using for testing? Works for me with any anonymous proxy I found using a combination of spamhaus.org and ahbl.org I blocked all attempts from anonymous proxies.
Sorry I edited my post above, to say it did work and thank you for this great mod.
smoknz28
12-18-2006, 09:22 PM
Installed....thanks for sharing this code with us. :up:
DaNIEL MeNTED
12-18-2006, 11:04 PM
Sorry I edited my post above, to say it did work and thank you for this great mod.
Ha! No problem... thanks for letting me know its working for you.
Installed....thanks for sharing this code with us. :up:
My pleasure. Anything to keep the trolls at bay...
Incidentally, I recommend checking out www.ahbl.org - they seem to have resolved the issues they were having with their site and from my tests on dnsstuff.com with various google'd lists of proxy servers they have ALL the ones I tested listed...
I've set up my production server to use ahbl.org and assuming I get no false positives between now and the next update (what? no new requests for features?) then I may make that the default rather than spamhaus.org which is less targeted to web proxies.
sinisterpain
12-18-2006, 11:39 PM
Ha! No problem... thanks for letting me know its working for you.
My pleasure. Anything to keep the trolls at bay...
Incidentally, I recommend checking out www.ahbl.org - they seem to have resolved the issues they were having with their site and from my tests on dnsstuff.com with various google'd lists of proxy servers they have ALL the ones I tested listed...
I've set up my production server to use ahbl.org and assuming I get no false positives between now and the next update (what? no new requests for features?) then I may make that the default rather than spamhaus.org which is less targeted to web proxies.
Can you not use both?
DaNIEL MeNTED
12-18-2006, 11:51 PM
Can you not use both?
For sure... I've put it first for testing.
sinisterpain
12-19-2006, 12:22 AM
For sure... I've put it first for testing.
Are you using this addy for check dnsbl.ahbl.org
DaNIEL MeNTED
12-19-2006, 01:12 PM
Are you using this addy for check dnsbl.ahbl.org
Yes..
My list is as follows:
sbl-xbl.spamhaus.org
proxies.dnsbl.sorbs.net
dnsbl.ahbl.org
Originally I had ahbl.org at the top - since the RBL Checker stops after a positive match I've moved it to the bottom. This way when I see a report with ahbl.org I know the IP was missed by spamhaus.org and sorbs.net.
If anyone else is willing to setup their forum the same way and report back on whether or not spamhaus, sorbs, or ahbl does the majority of the blocking it will help me decide on a default for the next release.
I don't really want to do too many checks... so I'd like to have 1-2 RBLs as the default.
falter
12-19-2006, 01:29 PM
Guys, I'd recommend against using dnsbl.ahbl.org or sbl-xbl.spamhaus.org. Their primary function is to provide a list of Open Mail Relays (http://en.wikipedia.org/wiki/Open_relay) and email spamming sources, which are an ENTIRELY different world than Open Proxies (http://en.wikipedia.org/wiki/Open_proxy). I don't think that fact is illustrated enough in this thread.
AHBL is particularly aggressive in that they are willing to list blocks of ip addresses. That is, if you have users on a Seattle Area DSL network, and an open mail relay shows up on their network, both that mail relay and your users (or potential users) will be blocked by AHBL.
You guys really need to read and understand the purpose and the usage of these blacklists before slapping them in. Many of these blocklists prohibit the usage of their services in this way. You're unnecessarily hitting services that have finite resources. Don't be so eager to block IPs willy nilly and think you're making a difference. You're not. If your goal is to block users coming through anonymizers, proxies, or even the TOR (http://tor.eff.org) network, then use blacklists whose function is to only report anonymizers, proxies, and TOR networks. The fact of the matter is that you're not going to see a lot of hits with a blacklist like this simply because not many people are going to register with your site who are actually using proxies.
Here's what I'm using currently:
proxies.dnsbl.sorbs.net
tor.ahbl.org
I don't get many hits, but that's because I don't expect many hits (that's the reality of things).
Again, I like this add-on, I think it's very useful. I'm not criticizing its usage. All I'm trying to do is help people understand what they're doing a little bit better.
DementedMindz
12-19-2006, 06:28 PM
If your goal is to block users coming through anonymizers, proxies, or even the TOR (http://tor.eff.org) network, then use blacklists whose function is to only report anonymizers, proxies, and TOR networks.
ok so would what you listed stop all of these? I'm mostly looking to block anonymizers this way they can not connect and make a user name with an anonymous proxy
proxies.dnsbl.sorbs.net
tor.ahbl.org
falter
12-19-2006, 06:39 PM
ok so would what you listed stop all of these? I'm mostly looking to block anonymizers this way they can not connect and make a user name with an anonymous proxy
proxies.dnsbl.sorbs.net
tor.ahbl.org
You're never going to stop ALL proxies in the world. You can only stop those that have been reported or found. However, my list will ONLY block proxies, and will not false-positive by blocking legitimate hosts who happen to match up with spammy networks, etc.
Now, If this add-on had the ability to interpret the response from various blacklists, you could get more coverage. For example, spamhaus will return indicators as to why a particular IP has matched in their database, and these indicators might include an option saying that it is an open proxy. However, this interpretation doesn't occur, so you will end up matching ips against things like Dial up networks, dynamic ip hosts, and ip netblocks that *might* include spammers.
DementedMindz, and anyone else, if it is your intention to block just Open Proxies, then use the following two hosts, as I do:
proxies.dnsbl.sorbs.net
tor.ahbl.org
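falter's point about interpreting the blacklist's response, combined with the first-match list ordering DaNIEL MeNTED describes earlier in the thread, as an added example (it is not the plugin's code and not from any poster). The zone names, the meaning assigned to each return code, and the sample DNS answers are constructed placeholders; real code meanings come from each list's own documentation.

```python
"""DNSBL check that interprets return codes (added example)."""
import ipaddress
import socket
from collections import namedtuple

# Constructed policy, in query order: zone -> {return code: category}.
# Zone names and code meanings are placeholders; real ones come from each
# list's own documentation.
POLICY = {
    "proxies.dnsbl.example": {
        "127.0.0.2": "http-proxy",
        "127.0.0.3": "socks-proxy",
    },
    "combined.dnsbl.example": {
        "127.0.0.2": "spam-source",
        "127.0.0.4": "open-proxy",
        "127.0.0.10": "dynamic-range",
    },
}
# Only these categories stop a registration; everything else is just noted.
BLOCK_CATEGORIES = {"http-proxy", "socks-proxy", "open-proxy"}

Verdict = namedtuple("Verdict", "action zone categories notes")


def query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name; [] if it does not resolve.

    A lookup failure is treated as "not listed", so an unreachable list
    never blocks a registration.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_ip(ip, policy=POLICY, block=BLOCK_CATEGORIES, resolver=system_resolver):
    """Query each zone in order and stop at the first blocking category."""
    notes = []
    for zone, codes in policy.items():
        categories = set()
        for answer in resolver(query_name(ip, zone)):
            if not answer.startswith("127."):
                # DNSBL answers live in 127.0.0.0/8; anything else is a
                # wildcarded, parked or hijacked zone, not a listing.
                notes.append(f"{zone}: ignored answer {answer}")
                continue
            categories.add(codes.get(answer, "unknown:" + answer))
        hits = sorted(categories & block)
        if hits:
            return Verdict("block", zone, hits, notes)
        for cat in sorted(categories):
            notes.append(f"{zone}: listed as {cat}, not a blocking category")
    return Verdict("allow", None, [], notes)


# Constructed DNS answers for documentation-range addresses (offline demo).
FAKE_DNS = {
    "10.113.0.203.proxies.dnsbl.example": ["127.0.0.3"],
    "20.113.0.203.combined.dnsbl.example": ["127.0.0.2", "127.0.0.10"],
    "30.113.0.203.combined.dnsbl.example": ["127.0.0.4"],
    "40.113.0.203.proxies.dnsbl.example": ["198.51.100.7"],
}


def fake_resolver(name):
    """Stand-in resolver that answers only from FAKE_DNS."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30",
               "203.0.113.40", "203.0.113.50"):
        print(ip, check_ip(ip, resolver=fake_resolver))
```

The notes on an "allow" verdict are what a moderator report would carry: the address was listed, but for a reason other than being a proxy.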
DementedMindz
12-19-2006, 06:42 PM
yeah I'm looking at opm.tornevall.org now as they have a few on there too I'm reading about it here http://opm.tornevall.org/ cause say you go to http://anonymouse.org you can get right by all these things.
falter
12-19-2006, 06:51 PM
yeah I'm looking at opm.tornevall.org now as they have a few on there too I'm reading about it here http://opm.tornevall.org/ cause say you go to http://anonymouse.org you can get right by all these things.
There might be political reasons why Anonymouse.org isn't listed in either of the ones that I use...I can't say for certain. opm.tornevall.org looks pretty good, actually. I think I might be adding it to my list, since it only deals with open proxies.
Also, ircbl.ahbl.org (http://www.ahbl.org/docs/ircbl.php) might work. Here's how AHBL describes it:
This list contains only the proxy and DDoS drone data from our main list, without extras such as the Spam Sources list and Shoot On Sight.
My only concern is the inclusion of "DDoS drone data" ... this data is outside of the scope of an Open Proxy, so I'm a bit hesitant to make use of it.
DementedMindz
12-19-2006, 07:01 PM
yeah I'm going to try out opm.tornevall.org and see how it works out. yeah Anonymouse.org had me puzzled cause it gets right by everything. But I'll be looking around today to see what I can come up with. as for ircbl.ahbl.org I'm going to look more info up on that one now also.
sinisterpain
12-19-2006, 08:46 PM
I obviously do not wish to block out legit people, but as of the last few days we have had more than our usual registrations and most from third world countries.
These people would register then make a post pointing to either a trojan or some advertisement or both. We never had these issues till recent and as of right now most people who were refused registration from the RBL checker program were listed as big time spammers.
falter
12-19-2006, 08:55 PM
I obviously do not wish to block out legit people, but as of the last few days we have had more than our usual registrations and most from third world countries.
These people would register then make a post pointing to either a trojan or some advertisement or both. We never had these issues till recent and as of right now most people who were refused registration from the RBL checker program were listed as big time spammers.
I'm confused, were the people who posted these things coming from the IPs that were listed as "big time spammers"? Or did you get several of these attacks, and then enabled this add-on and observed that people were registering from IPs of "big time spammers" ?
What were the IPs of the people who posted the ads/trojans?
What were the IPs of the spammers?
What BL's are you using?
My point in my earlier post was that people should be aware of what they are getting into when using the blacklists like they are.
sinisterpain
12-19-2006, 09:08 PM
I have been inundated recently with guests registering on our forum and the only purpose is to place spam on our board. I personally used spamhaus.org in the checker. But have reviewed the IPs through dnsstuff.com and all the IPs that were caught were listed as spammers and not small time either. I had one guy trying to register with a bogus email. One person registered and placed a link to a trojan file which my antivirus flagged immediately and prompted me to remove the link from the board. Obviously I can not post IPs here but I will say that the person was coming out of Germany.
I will not just refuse people but to date the ones who have been caught are known spammers and I do check to make sure.
Tom1234
12-26-2006, 07:13 PM
Forum post made by this mod says "This registration attempt has been allowed." even when it is set to not allow the registration.
I think you missed an "s":
if ($DM_rblcheck_allowreg == "0") {
should be:
if ($DM_rblcheck_allowregs == "0") {
DaNIEL MeNTED
12-29-2006, 01:18 AM
dang... you're right. Will upload a new file.
I'm not really sure this mod is working or not...but...
There is one thing I would like to see.
A way to add a warning on the registration page that users using a proxy will not be allowed to finish registration.
Thanks!
Brew
sinisterpain
01-02-2007, 08:24 PM
Thanks for the update on this, I was being overrun with spammers and this hack caught about 95% of the problems before registration.
Tom1234
01-03-2007, 12:50 PM
I seem to be getting about 5 new threads created on each RBL match. I can't tell if the person registering is somehow looping through the registration process multiple times (like maybe they didn't enter all the required information and had to re-enter the form) or if it's a bug. They really shouldn't keep registering since I have it set to allow the registration attempt on RBL match. Since the timestamp of the posts often span a few minutes time, I suspect it is not a bug with this product.
Anyone else seeing this?
sinisterpain
01-03-2007, 08:41 PM
I seem to be getting about 5 new threads created on each RBL match. I can't tell if the person registering is somehow looping through the registration process multiple times (like maybe they didn't enter all the required information and had to re-enter the form) or if it's a bug. They really shouldn't keep registering since I have it set to allow the registration attempt on RBL match. Since the timestamp of the posts often span a few minutes time, I suspect it is not a bug with this product.
Anyone else seeing this?
The only thing I have seen is some people trying to register with a bogus email which they do often. vBulletin will not allow this so they may try different emails. Just a thought
Tom1234
01-06-2007, 04:31 PM
It turns out that the reason I am seeing multiple threads created on an RBL match is because they are being denied registration even though I have "Allow Registration from IPs on RBL" set to YES. I would like the registration to be successful.
Looks like a bug.
DaNIEL MeNTED
01-07-2007, 06:28 PM
It turns out that the reason I am seeing multiple threads created on an RBL match is because they are being denied registration even though I have "Allow Registration from IPs on RBL" set to YES. I would like the registration to be successful.
Looks like a bug.
Do you have the latest version installed?
Tom1234
01-08-2007, 04:16 AM
Yes, version 3.2
Code Monkey
01-25-2007, 02:25 AM
You guys ever come to a definitive conclusion on which proxy lists to use?
Code Monkey
01-25-2007, 02:41 AM
One thing I noticed. If you have this post in a forum. Then the poster shows as having posted using the IP that was denied. Which is undesirable to say the least.
sinisterpain
01-25-2007, 08:13 PM
You guys ever come to a definitive conclusion on which proxy lists to use?
I use the three mentioned a few threads back
DaNIEL MeNTED
01-26-2007, 03:24 PM
One thing I noticed. If you have this post in a forum. Then the poster shows as having posted using the IP that was denied. Which is undesirable to say the least.
Ha... you know I just noticed that today. I'll take a look at the code this weekend.
Does anyone have any "feature requests"?
Corporal Clegg
02-02-2007, 03:15 AM
Daniel,
First off, thank you very much for this hack. I installed it on my boards recently and when I had "open" registrations, it caught over 50 people trying to register with open proxies. I followed the advice of another poster to this thread and I am NOT using any of the RBL's that include spammers. I'm using the following RBL's, in the following order:
proxies.dnsbl.sorbs.net
tor.ahbl.org
ircbl.ahbl.org
opm.tornevall.org
list.dsbl.org
I have found that about 90% of the open proxy IP's are being caught by list.dsbl.org
One thing I was wondering, I have the hack set to allow rbl ip's to complete the registration, then ban those users to a group I created specifically for this hack. I tried it myself and the "error message" I got, was:
"You have been banned for the following reason:
Date the ban will be lifted:
Never"
As you can see, no reason is given for why the user is being banned.
Is there a way to make it so that when a user registers with a "banned" RBL IP, it would give a user defined reason, such as "registering via an Open Proxy IP"?
I checked the vbulletin phrases and I'm guessing it uses the $vbphrase[nopermission_banned] variable.
Is there any way I can add a "reason" to that and have it display in conjunction with the RBL hack? I've gotten a few angry emails and I think it's because the people saw they were banned after registering, but it gave them no reason.
Any ideas on how to adjust that? I hope you can see what I'm talking about here. I'm fairly good at tweaking vbulletin the way I like it, but having a specific reason for this hack show up in the error message has me stumped.
Thank you again for an excellent hack and if there's any more info you need from me about this, please ask.
Corporal Clegg
Stanley Steamer
02-03-2007, 09:42 AM
This is my first kill.
ALERT!
Someone has tried to register using the IP Address 85.140.236.169 which is MATCHED IN THE RBL DATABASE of the sbl-xbl.spamhaus.org RBL.
This registration attempt has been allowed.
Registration Details: Very-old-gibon ( very_old_gibon@cashette.com )
I have a question. I received the PM from the program with this alert, but it was also supposed to post it in a hidden forum for the moderators.
Can this send the message to PM's and a forum, or just one or the other?
Do I use the full url of the forum or do I just write in the forum name and the ID number?
sinisterpain
02-03-2007, 09:54 AM
This is my first kill.
I have a question. I received the PM from the program with this alert, but it was also supposed to post it in a hidden forum for the moderators.
Can this send the message to PM's and a forum, or just one or the other?
Do I use the full url of the forum or do I just write in the forum name and the ID number?
It will do both, that's how I currently have it set up.
"ForumID For RBL reports
The forum you want RBL reports to be posted into. " In this option field put your forum id where you would like the post to go.
Stanley Steamer
02-03-2007, 05:47 PM
I just received four of these identical PMs at the same time (2:25 pm), but it still hasn't posted anything in the special forum.
I copied and pasted the forum URL from the browser bar into the forum ID box.
I have all the permissions set so that it can access the hidden forum and make posts and threads.
I will have to re-check everything to see if I missed something.
ALERT!
Someone has tried to register using the IP Address 193.193.193.153 which is MATCHED IN THE RBL DATABASE of the dnsbl.ahbl.org RBL.
This registration attempt has been allowed.
Registration Details: abossakon ( abossbsd@pelotka.info )
The Finman
02-03-2007, 07:46 PM
This is my first kill.
I have a question. I received the PM from the program with this alert, but it was also supposed to post it in a hidden forum for the moderators.
Can this send the message to PM's and a forum, or just one or the other?
Do I use the full url of the forum or do I just write in the forum name and the ID number?
Hmmmmm...I usually don't post images of my Admin CP, but in this case it may help.
I have mine setup to post in the moderator's private forum (24), as well as send me (The Finman) a PM.
I would check yours against mine, as that would probably be the easiest way to find the problem.
http://www.ronaldreagan.com/temp/rbl2.jpg
Let me know if that helps. :)
Stanley Steamer
02-03-2007, 09:54 PM
I see it.
You have the forum number (24) where I pasted the entire url into the box.
I'll just put in the forum number and see if it works.
By the way, it just killed another spammer a few minutes ago.
This program is great!
Stanley Steamer
02-04-2007, 01:27 PM
It works now, thanks Finman.:)
It blocked this spammer this morning.
ALERT!
Someone has tried to register using the IP Address 125.252.11.214 which is MATCHED IN THE RBL DATABASE of the sbl-xbl.spamhaus.org RBL.
This registration attempt has been allowed.
Registration Details: Sazanas ( sazanas@cardsphonesites.com )
It blocked it four times in a row with each registration attempt being one minute apart.
I assume this was an automated spam bot?
DaNIEL MeNTED
02-06-2007, 01:28 AM
If you're getting multiple hits that close together I'm going to assume you're getting hit by a spam bot as I haven't had too many other reports of multiple hits like that... I've looked through the code and can't see anything that would cause it.
Glad to hear it's helping out!!!
The Finman
02-06-2007, 02:44 AM
It works now, thanks Finman.:)
It blocked this spammer this morning.
It blocked it four times in a row with each registration attempt being one minute apart.
I assume this was an automated spam bot?
Yes, that is what it was.
I don't get too many of those, but I have had a couple try three times in under a minute.
This hack addresses the unique ability of bots to try and register using abilities beyond that of an ordinary human.
This mod calculates the time it takes to go between these two pages:
The point is to try and prevent bots from registering at your forum when the time between the two pages is humanly impossible, assuming that humans actually take the time to complete the registration page.
Should a user be blocked from registering at your forum, an email will be sent to your vB webmasteremail address and the user will see the vB noregister phrase message, so no screenshot is necessary.
https://vborg.vbsupport.ru/showthread.php?t=135094&highlight=bot+registration+time
I've downloaded it, but I haven't had a chance to install it. If any of you try it before I do, I would very much like some feedback on it. :)
Sincerely
~Fin
thumbsucker
02-06-2007, 07:57 AM
I'm using
proxies.dnsbl.sorbs.net
tor.ahbl.org
ircbl.ahbl.org
opm.tornevall.org
list.dsbl.org
sbl-xbl.spamhaus.org
Is this overkill?
I'm primarily concerned with people who use fake IPs and such.
Stanley Steamer
02-06-2007, 04:54 PM
I'm using
proxies.dnsbl.sorbs.net
tor.ahbl.org
ircbl.ahbl.org
opm.tornevall.org
list.dsbl.org
sbl-xbl.spamhaus.org
Is this overkill?
I'm primarily concerned with people who use fake IPs and such.
I have all of these on my list.
sbl-xbl.spamhaus.org
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
proxies.dnsbl.sorbs.net
http://www.ahbl.org
dnsbl.ahbl.org
tor.ahbl.org
ircbl.ahbl.org
opm.tornevall.org
list.dsbl.org
So far the only one that has blocked them is sbl-xbl.spamhaus.org.
Whether or not it is overkill to have this many on the list, it doesn't hurt to have a big arsenal.
I'm primarily concerned with people who use fake IPs and such.
Block this IP number ---> IP# 209.67.219.98
Blocking this IP blocks all of these proxy servers.
http://www.proxypanther.com/
http://www.doggyproxy.com/
http://www.elephantproxy.com/
http://www.monkeyproxy.net/
http://www.rainbowproxy.com/
http://www.thruzilla.com/
http://www.anonymizator.com/
http://www.anonymitor.com/
http://www.passthem.com/
http://www.sneakover.com/
I completely ruined a forum invasion with this one.:)
DaNIEL MeNTED
02-06-2007, 05:40 PM
So far the only one that has blocked them is sbl-xbl.spamhaus.org.
Whether or not it is overkill to have this many on the list, it doesn't hurt to have a big arsenal
That's because as soon as it matches one it stops processing ... if you move another one to the top of the list you'll see it show up in the reports.
Block this IP number ---> IP# 209.67.219.98
I completely ruined a forum invasion with this one.:)
I'll add that to the next release.
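The first-match behaviour described in the reply above, as an added Python sketch (not the plugin's own PHP code): it builds the reversed-octet DNSBL query name, treats only 127.0.0.0/8 answers as listings, honours a whitelist, and can report either the first hit or every hit. The `.example` zone names, the documentation-range IPs and the `FAKE_DNS` table are constructed so the block runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def system_resolver(name):
    """Real A-record lookup; None means NXDOMAIN or a failed lookup (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listing(answer):
    """Only 127.0.0.0/8 answers count; a parked zone answering with a
    public address must not be read as a hit."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_NET
    except ValueError:
        return False


def is_whitelisted(ip, whitelist):
    """Whitelist entries are single addresses or CIDR ranges (e.g. an ISP's NAT pool)."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.ip_network(net) for net in whitelist)


def check_ip(ip, zones, whitelist=(), resolver=system_resolver, first_match_only=True):
    """Return [(zone, answer), ...] for every zone that lists the address.

    With first_match_only=True the loop stops at the first hit, so only the
    zone highest in the list ever shows up in reports.
    """
    if is_whitelisted(ip, whitelist):
        return []
    hits = []
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if is_listing(answer):
            hits.append((zone, answer))
            if first_match_only:
                break
    return hits


# Constructed sample data: hypothetical zones and documentation-range addresses.
ZONES = ["first.rbl.example", "second.rbl.example"]
FAKE_DNS = {
    "10.2.0.192.first.rbl.example": "127.0.0.4",
    "10.2.0.192.second.rbl.example": "127.0.0.2",
    "20.2.0.192.second.rbl.example": "127.0.0.2",
    "30.2.0.192.first.rbl.example": "203.0.113.7",  # not a 127/8 answer
}


def fake_resolver(name):
    """Offline stand-in for system_resolver, backed by the table above."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_ip(ip, ZONES, resolver=fake_resolver, first_match_only=False))
```

Passing `first_match_only=False` is what makes the per-zone hit counts comparable when deciding which lists are worth keeping.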
The Finman
02-06-2007, 07:12 PM
Actually, I only use sbl-xbl.spamhaus.org
I get 4-5 a day.
My original intent was simply to block people from using proxies, and as I stated in my earlier posts, I had one nut case that had been using rotating proxies and this stopped him cold. He spent two days trying to get back in, and by judging the E-mails I got from him...he was hopping mad. :D
But yeah, the pleasant side effect has been stopping the spam bots. I never realized I had so many. I rarely got them when we used UBB, and I don't know if it was the CGI versus PHP thing, but I suspect it's just the difference in the popularity of vBulletin.
Freezerator
02-06-2007, 07:18 PM
Nice hack, works as it should!
Saves my mods some work deleting those spammers.
Thanks!
Steeler Nation
02-11-2007, 12:05 AM
This hack is a godsend
THANK YOU
PinkDaisy
02-11-2007, 06:49 PM
Sounds like a great hack!!
I have a question tho, if there's a site that we know that 'anonymizes your IPs' does that count as this?? And do I just add the website URL to the list in the AdminCP??
Eagle Creek
02-12-2007, 11:19 PM
So: when somebody tries to register, and he is using a proxy server, registration is denied? Am I right?
Tom1234
02-17-2007, 04:30 PM
If you're getting multiple hits that close together I'm going to assume you're getting hit by a spam bot as I haven't had too many other reports of multiple hits like that... I've looked through the code and can't see anything that would cause it.
I am still seeing this problem also on most RBL matches - 4 or 5 tries usually within a minute or two of each other. I have it set to allow the registration upon an RBL match, so I don't see how it can be a spam bot. As far as they can tell, the registration is successful so further registrations using the same user name and email address should be denied, but also unnecessary.
I moderate all new registrations also. Maybe that gives a clue into the problem.
DaJoker
02-18-2007, 07:45 PM
Need to change the hook the plugin is using. It is currently using register_addmember_process, but should be using register_addmember_complete. What is happening is when it hits process, and say the user puts in the wrong captcha, doesn't match their passwords, doesn't put in a required field, etc. When you use the _complete hook it fires once the user has properly filled out the registration form. Only use this hook however if you want the registration to complete, but not get multiple notifications. If you are blocking registrations, then leave it using the process hook.
berayiwu5
02-27-2007, 04:49 PM
I've installed this hack on our board for about a month now. It has successfully identified and blocked all 3 malicious registrations we've had so far. (We are not a large community.) It's not perfect, since it has blocked a nonmalicious one as well. But it comes in handy for us webmasters, since we no longer need to use rather subjective criteria for determining which ones are malicious. Nice mod overall. :up:
lazytown
03-02-2007, 12:32 PM
Is there any way we can get this to work for user LOGINS and not just new registrations? The problem I have is users can easily guess others' passwords and essentially hack their way in that way (sometimes with just 1 or 2 tries because VB does not enforce safe passwords). Even if it didn't ban them but just blocked them from logging in with a proxy IP that would be great.
I would be willing to donate $$$ for such a modification in the next couple days.
-vissa
Damien001
03-23-2007, 11:14 AM
Based on your configuration the RBL Checker will then perform one of these three actions:
1. Nothing, the registration continues as normal.
2. Registration is blocked, an error message is displayed to the user.
3. Registration continues as normal, but the user is automatically permanently banned.
Could there be a fourth option where the user is registered but the account lies dormant until an admin has approved it?
Freezerator
03-23-2007, 11:25 AM
You mean the option to move the user into a moderation queue?
Damien001
03-23-2007, 11:36 PM
or to a group when an admin would have to approve their account before it could become active
Damien001
03-28-2007, 08:37 AM
Yes, also I noticed this overrides the VB registration defaults with regards to banned email addies.
I have banned all email addresses ending in @mail.ru but if they are using a proxy they get past that ban for some reason, the proxy checker then bans their account.
I would not mind this but we get between 5 to 20 bots registering a day with the @mail.ru and we feel it would be better if mail.ru would not work, hence forcing them to use another email, which they most likely would not, and therefore go elsewhere.
Damien001
03-28-2007, 08:51 AM
Also, what would be useful is when it banned that user (if you selected that option) it then said banned due to proxy use or something, as we have quite a big list and it is useful to see the reasons.
Spinball
03-29-2007, 08:58 PM
Hello, nice hack.
First I am not allowing registrations to complete so am not banning anyone, but get the following message posted in the designated forum:
ALERT!
Someone has tried to register using the IP Address 219.71.194.233 which is MATCHED IN THE RBL DATABASE of the sbl-xbl.spamhaus.org RBL.
This registration attempt has been denied.
Please be aware that the user may try using other methods in an attempt to register.
Please monitor any new registrations carefully for the next few hours. and the account has been permanently banned.
Registration Details: rotanga ( rotanga43@mail.ru )
And may I suggest that as an option, we specify a thread number and instead of new threads being created in a nominated forum, replies are posted to a nominated thread? This would keep things nice and tidy.
Thanks
steve71
04-01-2007, 04:17 AM
I have been doing some testing with different RBL's and google'd lists of open proxy servers... so far list.dsbl.org seems to return the most "hits" for known proxy IPs.
I will be testing it out to see if I get any false positives and may update the product to use it as a default... more info: http://dsbl.org/main
sbl-xbl.spamhaus.org is the current RBL.
list.dsbl.org (can I add this in below sbl-xbl.spamhaus.org in the check proxy admin area?)
Does this mod prevent members from going to tools/internet options/connections/lan settings etc and using a proxy server to register? How about these anonymous proxy lists that can be found on tonnes of websites... how does this mod prevent them from being used to register?
Damien001
04-02-2007, 10:22 AM
Need to change the hook the plugin is using. It is currently using register_addmember_process, but should be using register_addmember_complete. What is happening is when it hits process, and say the user puts in the wrong captcha, doesn't match their passwords, doesn't put in a required field, etc. When you use the _complete hook it fires once the user has properly filled out the registration form. Only use this hook however if you want the registration to complete, but not get multiple notifications. If you are blocking registrations, then leave it using the process hook.
Hi, I still want to add members to a certain user group, but I want it to run through the process that tries to stop bots. Does your method allow for that?
bitdefuser
04-03-2007, 06:15 PM
It works! :)
Suggestions:
Allowing us to enter a ban reason in the settings of the AdminCP.
Option to disable site viewing. (Simply blocks the user from the site.)
Damien001
04-05-2007, 07:12 AM
this mod would be 100 times more effective if it ran the proxy check after confirming that the person details are correct.
i.e. that the image verification word is valid, that if the person is using NoSpam that the answer is valid and that the email address has not been banned
damien
Muellmann
04-07-2007, 10:12 PM
This is very useful, my friend's forum always was flooded by German trolls. They came five at once and registered with different proxies and filled up all forums with spam and trojan links and with foul language and rampage posting.
God bless you for this wonderful hack! :up:
DaNIEL MeNTED
04-09-2007, 01:17 PM
Hey guys... sorry I haven't replied in a while. Moved jobs + a new baby and I've been insanely busy...
Before the month is over I will try and code a new version that addresses everyone's requests...
bitdefuser
04-09-2007, 01:19 PM
Hey guys... sorry I haven't replied in a while. Moved jobs + a new baby and I've been insanely busy...
Before the month is over I will try and code a new version that addresses everyone's requests...
Welcome back! :)
If you're not busy any more, please try to add the following:
Suggestions:
Allowing us to enter a ban reason in the settings of the AdminCP.
Option to disable site viewing. (Simply blocks the user from the site.)
Damien001
04-11-2007, 03:39 PM
Hey guys... sorry I haven't replied in a while. Moved jobs + a new baby and I've been insanely busy...
Before the month is over I will try and code a new version that addresses everyone's requests...
Congrats on the new job and baby.
Cool to see this improved a bit more; it is nearly perfect as it is. It would just cut down the work if it ran the check after all the other checks are passed. It would also put less strain on the database.
Since incorporating NoSpam and this addon we have not had any spam.
DaNIEL MeNTED
04-11-2007, 04:36 PM
Can anyone running NoSpam check the plugin and see where it hooks and what # it's running at?
Damien001
04-11-2007, 09:04 PM
<hookname>register_addmember_process</hookname>
It uses multiple hooks as it protects multiple areas.
One area it also protects, unless the person has signed in, is the contact us page.
Any chance of this program protecting that as well?
Damien
and many thanks
DaNIEL MeNTED
04-12-2007, 12:40 AM
<hookname>register_addmember_process</hookname>
It uses multiple hooks as it protects multiple areas.
One area it also protects, unless the person has signed in, is the contact us page.
Any chance of this program protecting that as well?
Damien
and many thanks
There should also be an "Execution Order" # on that page...
DaNIEL MeNTED
04-12-2007, 02:15 AM
Well, what started as a 5 line hack has - IMHO - reached the point where I think the feature set is quite significant.
I have fixed -
. reporting errors.
. the post IP = blocked IP issue (it is now 1.2.3.4)
I have made the following feature changes -
. added ability to specify error message someone sees when blocked.
. added ability to specify the group to add banned accounts to.
. added ability to specify a reason for being banned.
. added ability to specify a custom title for banned users.
. added the ability to place users in COPPA Users Awaiting Moderation queue - or another moderation queue.
. updated reporting to reflect new features.
. changed adminCP options order / titles / etc. to clean things up.
. changed the RBLs - # used, order, etc.
Basically, as I am testing it, out of the box the configuration will be:
Allow users to register, do not ban them, but place them in the moderation group.
If you enable banning it will automatically skip the moderation part.
If you choose to block registration it will never get far enough to mod/ban because the account isn't created.
I've finished those dev changes and am testing - I still need someone to tell me the hook order for those other hacks so I can have the checker fire AFTER they do... otherwise I should be uploading a new file within the week.
Damien001
04-12-2007, 09:20 AM
<plugin active="1" executionorder="1">
<title>Check if NoSpam! question has been answered correctly</title>
<hookname>register_addmember_process</hookname>
The plugin also covers searches
new posts by unreg users
searches by unreg users
contact us by unreg users
If you need any of the hooks for those or other hooks in NoSpam let me know and I will do my best.
DaNIEL MeNTED
04-12-2007, 11:02 AM
this mod would be 100 times more effective if it ran the proxy check after confirming that the person details are correct.
i.e. that the image verification word is valid, that if the person is using NoSpam that the answer is valid and that the email address has not been banned
damien
Just to clear this up - it does.
The hook of the plugin (there's now actually 2...) so the hook of the RBL checking plugin is at register_addmember_process... This is to allow blocking of registration. If you don't have blocking turned on then the first plugin still does the check and generates notifications...
The 2nd plugin needs to fire after the new member has been added to the DB so it runs at register_addmember_complete. Depending on the options selected it either bans or flags the new member for moderation.
bitdefuser
04-12-2007, 02:13 PM
Thanks for the update!
Edit: Is there a way so that it will completely block them out? Even from the home page? So, that they have no access whatsoever? (Like, as soon as the user comes on the website, it will check the IP) Or is that just too many queries?
The Finman
04-12-2007, 03:20 PM
Thanks for the update!
Edit: Is there a way so that it will completely block them out? Even from the home page? So, that they have no access whatsoever? (Like, as soon as the user comes on the website, it will check the IP) Or is that just too many queries?
You really need to do that at the server itself.
If you are running Apache, I recommend using an .htaccess file to bounce them anywhere on the internet you want to, as well as any troll boards or websites linking to you (you can combine both features into one .htaccess file).
Blocking users by IP at the server using .htaccess (http://www.javascriptkit.com/howto/htaccess5.shtml)
Blocking users/ sites by referrer using .htaccess (http://www.javascriptkit.com/howto/htaccess14.shtml)
Although, technically any time a server has to check and verify a query, it is taking additional time and the more queries it has to check & verify, it does increase the time involved. However, on any given day I have about 30 banned IPs & sites in our .htaccess files on various VPS accounts, but I can't notice any appreciable time difference. However, the servers these VPS accounts are located on are very fast...so I suspect, any noticeable time lag will vary on how big your .htaccess list is, and how fast your server itself is.
bitdefuser
04-12-2007, 03:34 PM
You really need to do that at the server itself.
If you are running Apache, I recommend using an .htaccess file to bounce them anywhere on the internet you want to, as well as any troll boards or websites linking to you (you can combine both features into one .htaccess file).
Blocking users by IP at the server using .htaccess (http://www.javascriptkit.com/howto/htaccess5.shtml)
Blocking users/ sites by referrer using .htaccess (http://www.javascriptkit.com/howto/htaccess14.shtml)
Although, technically any time a server has to check and verify a query, it is taking additional time and the more queries it has to check & verify, it does increase the time involved. However, on any given day I have about 30 banned IPs & sites in our .htaccess files on various VPS accounts, but I can't notice any appreciable time difference. However, the servers these VPS accounts are located on are very fast...so I suspect, any noticeable time lag will vary on how big your .htaccess list is, and how fast your server itself is.
Oh, thank you very much but I'll stick with the vBulletin IP banning system for now. I have bookmarked those links though in case I need them in the future. :) Thanks!
|Jordan|
04-12-2007, 06:11 PM
Here's a list of proxy IPs I took from proxy4free.com (the first site that's listed when you type "free proxy list"). Keep in mind the list always changes, but here it is anyways:
bitdefuser
04-12-2007, 06:45 PM
Here's a list of proxy IPs I took from proxy4free.com (the first site that's listed when you type "free proxy list"). Keep in mind the list always changes, but here it is anyways:
Here is every IP listed on their site:
Enjoy!
DaNIEL MeNTED
04-12-2007, 07:15 PM
Remember the more IPs you add to the "blacklist" the longer it takes to process a registration... I'm not sure what list length will = a performance degradation.
Damien001
04-12-2007, 09:00 PM
The new version is amazing, thank you.
Just one thought (not too worried about it) but I would be interested in your view and the views of other people.
Current users: is it worth checking to see if current users are using proxies? Maybe only doing it once or maybe once a week or something.
What do people think?
DaNIEL MeNTED
04-13-2007, 12:17 AM
The new version is amazing, thank you.
Thank you.
Just one thought (not too worried about it) but I would be interested in your view and the views of other people.
Current users: is it worth checking to see if current users are using proxies? Maybe only doing it once or maybe once a week or something.
What do people think?
Personally I think once they're registered it doesn't matter ... I originally wrote this hack to deal with trolls more than with spammers, the fact that it blocks spammers is a bonus as far as I'm concerned. We've been lucky - at 1500 members we have only had 1 troll. I've been on other boards where the same trolls keep re-registering after getting banned, in 99% of cases they're using a proxy to get around the IP ban.
This kills a lot of their options...
The next thing I'm going to do is look at updating the "known proxies" list... not with the IPs from those open proxy sites - most of those IPs get on the RBLs pretty quick - but with sites that are specific for anon-web surfing. They don't tend to get on RBLs as much...
|Jordan|
04-13-2007, 04:15 AM
What about web based proxies? Like anonymouse.org
Damien001
04-13-2007, 06:24 AM
What about web based proxies? Like anonymouse.org
Just tested that and unfortunately it got past the protection.
However, it does transmit its host name, therefore could it be blocked with htaccess based on hostname????
Damien001
04-13-2007, 06:27 AM
These are the details of that site
IP 85.195.123.29
Host anonymouse.org
Browser & OS http://Anonymouse.org/ (Unix)
DaNIEL MeNTED
04-13-2007, 11:41 AM
What about web based proxies? Like anonymouse.org
See my post above... the next thing I'll be doing is spending some time updating the "known proxies" section - places like "anonymous" don't get added to the RBLs effectively enough...
Damien001
04-13-2007, 01:30 PM
What we need is a database that can be searched for these sites.
Spinball
04-13-2007, 06:41 PM
We have about 170 people registering per day. Since installing this hack, the amount of spam on the forums has dropped off by maybe 90% or more.
I have had one or two complaints from what sound like genuine users.
Here is such a message
Hi, I can't register because the server blacklisted my ip as an open proxy/ or as a spammer.
I'm not using an open proxy, my provider www.fastweb.it uses NAT technology to provide network access, so me and about 1000 other users that use the same IP address can't register.
Could you please disban my IP address?
Obviously all Fastweb IP addresses aren't open proxies but simple NAT, so all Fastweb users (about 2 million people) cannot register to your forum.
You can read an article about Fastweb NAT technologies here: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns242/c647/cdccont_0900aecd801779b4.pdf
This occasional event aside, it's a very positive hack :up:
DaNIEL MeNTED
04-14-2007, 10:09 PM
It's odd that fastweb's natting addresses are on an RBL. I would add the IPs to the whitelist.
Can you PM me with the fastweb.it IPs as well, I'd like to check them against the RBLs and see where the hits are coming from/why.
Thanks!
Spinball
04-15-2007, 06:50 AM
It's odd that fastweb's natting addresses are on an RBL. I would add the IPs to the whitelist.
Can you PM me with the fastweb.it IPs as well, I'd like to check them against the RBLs and see where the hits are coming from/why.
Thanks!
I'd love to but I have absolutely no idea what they are.
Does this hack also work on sites like proxy.org? I ask because I found out a few of my banned members were using that as a "work-around"....:cool:
nsusa
04-16-2007, 02:44 AM
Just installed this hack due to trolls in my forum. Hopefully this will take care of them.
C.
Spinball
04-19-2007, 09:08 AM
It's odd that fastweb's natting addresses are on an RBL. I would add the IPs to the whitelist.
Can you PM me with the fastweb.it IPs as well, I'd like to check them against the RBLs and see where the hits are coming from/why.
Thanks!
Ok I heard back from the person using Fastweb. He said
By the way, fastweb ip addresses will always be in spamcop etc. blacklists because fastweb doesn't have an abuse center and doesn't block users who send spam. Obviously spamcop and etc block the ip address.
So Fastweb can remain in the blacklist as far as I'm concerned.
Darat
04-30-2007, 09:14 AM
I've got this installed on a 3.6.4 board (with the security patch) and it is generating 5 PMs and 5 threads every time it detects someone, and although I've said allow registration to continue it appears to be banning them anyway.
Any ideas what could be causing this?
Tom1234
04-30-2007, 12:44 PM
Darat, I think this post explains your problem (and mine since I am seeing the same as you):
https://vborg.vbsupport.ru/showpost.php?p=1185514&postcount=107
teedizz
04-30-2007, 07:00 PM
Hello, will this still work if I have installed:
Proxy to Real I.P. Detector located here
https://vborg.vbsupport.ru/showthread.php?t=120082
Thanks for any info.
aycan555
05-08-2007, 02:18 PM
I am getting below database error to my email ???
Invalid SQL:
INSERT INTO userban (userid, usergroupid, displaygroupid, usertitle,
customtitle, adminid, bandate, liftdate, reason)
VALUES
(32322, 8, 8, 'Otomatik Ban', 1, ,1178614929, 0, 'Otomatikmen sitemiz
tarafindan banladiniz, uyeliginiz kontrolden gecirilip, yeniden acilacaktir!!!
Sebebi; proxy ip kullanmanizdan kaynaklaniyor, lutfen direk ip adresinizle
giriniz. Eger gereksiz yere banlandiginizi dusunuyorsaniz, lutfen
admin@dizitr.com email adresinden yardim isteyiniz..');
MySQL Error : You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'1178614929, 0, 'Otomatikmen sitemiz tarafindan banladiniz, uyeliginiz
kontrolden' at line 3
Error Number : 1064
Date : Tuesday, May 8th 2007 @ 04:02:10 AM
Script : http://www.dizi-tr.com/forum/register.php?do=addmember
Referrer : http://www.dizi-tr.com/forum/register.php?do=addmember
IP Address : 85.104.94.112
Username : starture
Classname : vb_database
DaNIEL MeNTED
05-08-2007, 05:03 PM
I've got this installed on a 3.6.4 board (with the security patch) and it is generating 5 PMs and 5 threads every time it detects someone, and although I've said allow registration to continue it appears to be banning them anyway.
Any ideas what could be causing this?
No idea, uninstall and reinstall with the latest version. Let me know if that fixes it...
Darat, I think this post explains your problem (and mine since I am seeing the same as you):
https://vborg.vbsupport.ru/showpost.php?p=1185514&postcount=107
That post has nothing to do with multiple hits - the issue there is people getting blocked before the captcha fires, leading to extra hits from bots. There are now 2 plugins, one that fires on reg and one at reg_complete...
DaNIEL MeNTED
05-08-2007, 05:07 PM
I am getting the below database error in my email???
Invalid SQL:
INSERT INTO userban (userid, usergroupid, displaygroupid, usertitle,
customtitle, adminid, bandate, liftdate, reason)
VALUES
(32322, 8, 8, 'Otomatik Ban', 1, ,1178614929, 0, 'Otomatikmen sitemiz
tarafindan banladiniz, uyeliginiz kontrolden gecirilip, yeniden acilacaktir!!!
Sebebi; proxy ip kullanmanizdan kaynaklaniyor, lutfen direk ip adresinizle
giriniz. Eger gereksiz yere banlandiginizi dusunuyorsaniz, lutfen
admin@dizitr.com email adresinden yardim isteyiniz..');
MySQL Error : You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'1178614929, 0, 'Otomatikmen sitemiz tarafindan banladiniz, uyeliginiz
kontrolden' at line 3
Error Number : 1064
Date : Tuesday, May 8th 2007 @ 04:02:10 AM
Script : http://www.dizi-tr.com/forum/register.php?do=addmember
Referrer : http://www.dizi-tr.com/forum/register.php?do=addmember
IP Address : 85.104.94.112
Username : starture
Classname : vb_database
There is no adminid in the mySQL query...
* DaNIEL MeNTED points up at the install instructions...
IMPORTANT NOTE: You must specify a username if you plan on configuring the AUTOBAN or NOTIFICATION options. Otherwise you WILL get errors.
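The failed INSERT in this post has an empty slot where adminid belongs, because the unresolved value was pasted straight into the SQL string. An added example, not part of the thread and not the mod's code, that resolves the configured username first and refuses to write the ban row when any numeric column is missing. Assumptions: PDO with an in-memory SQLite database stands in for vBulletin's own database class, the username RBLBot is constructed, and both function names are hypothetical.

```php
<?php
// Added example, not the mod's code. Column names and sample values come from
// the INSERT in the error report; tables, username and functions are constructed.

// Look up the account that bans are issued from. Returns null when the
// option was left blank or the name does not exist.
function dm_resolve_admin_id(PDO $db, string $username): ?int
{
    $username = trim($username);
    if ($username === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT userid FROM user WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Validate every numeric column, then bind all values as parameters so that
// neither an empty id nor a quote in the reason text can alter the statement.
function dm_insert_userban(PDO $db, array $ban): void
{
    $intColumns = ['userid', 'usergroupid', 'displaygroupid', 'customtitle',
                   'adminid', 'bandate', 'liftdate'];
    foreach ($intColumns as $col) {
        if (filter_var($ban[$col] ?? null, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException("userban.$col is missing or not an integer");
        }
    }
    if ($ban['userid'] < 1 || $ban['adminid'] < 1) {
        throw new InvalidArgumentException('userid and adminid must refer to real accounts');
    }

    $params = [
        ':usertitle' => (string) $ban['usertitle'],
        ':reason'    => (string) $ban['reason'],
    ];
    foreach ($intColumns as $col) {
        $params[":$col"] = (int) $ban[$col];
    }
    $stmt = $db->prepare(
        'INSERT INTO userban (userid, usergroupid, displaygroupid, usertitle,
                              customtitle, adminid, bandate, liftdate, reason)
         VALUES (:userid, :usergroupid, :displaygroupid, :usertitle,
                 :customtitle, :adminid, :bandate, :liftdate, :reason)'
    );
    $stmt->execute($params);
}

// Constructed schema and data so the demo runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE userban (userid INTEGER, usergroupid INTEGER,
           displaygroupid INTEGER, usertitle TEXT, customtitle INTEGER,
           adminid INTEGER, bandate INTEGER, liftdate INTEGER, reason TEXT)');
$db->exec("INSERT INTO user (userid, username) VALUES (1, 'RBLBot')");

// First pass: username option left blank. Second pass: option filled in.
foreach (['', 'RBLBot'] as $configuredUsername) {
    $ban = [
        'userid' => 2977, 'usergroupid' => 8, 'displaygroupid' => 8,
        'usertitle' => 'Banned by DM-RBLCheck', 'customtitle' => 1,
        'adminid' => dm_resolve_admin_id($db, $configuredUsername),
        'bandate' => 1198585277, 'liftdate' => 0,
        'reason' => 'Automatically Banned. The registration IP address matched a proxy/blacklisted IP.',
    ];
    try {
        dm_insert_userban($db, $ban);
        echo "ban row written, adminid {$ban['adminid']}\n";
    } catch (InvalidArgumentException $e) {
        echo 'ban row refused: ', $e->getMessage(), "\n";
    }
}
echo 'rows in userban: ', $db->query('SELECT COUNT(*) FROM userban')->fetchColumn(), "\n";
```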
aycan555
05-08-2007, 09:00 PM
How can I add the adminid?
DaNIEL MeNTED
05-09-2007, 12:09 PM
In the adminCP go to the settings for the RBL checker - the third option (you can see it in the first screenshot above) is CONFIG - Username for Bans & Notifications ... put in a username of the admin user and then you can use notifications and bans...
meissenation
05-24-2007, 12:20 AM
I was just able to register perfectly fine with xroxyx.com and youhide.com and it didn't block me at all?
Mrdby
05-24-2007, 03:41 AM
this is confusing
DaNIEL MeNTED
05-24-2007, 01:31 PM
I was just able to register perfectly fine with xroxyx.com and youhide.com and it didn't block me at all?
You'll note earlier in the thread I mention the fact that specific proxy sites don't get added to RBLs. I'm working on getting access to a live-updating blocklist that includes these sites for the next version.
venomx
05-24-2007, 01:47 PM
Not sure it has been mentioned but take a look at
http://oldwww.temp.ahbl.org/docs/ircbl.php
IRCbl Lookup System For IRC Networks
We've put together a list for IRC admins who wish to take advantage of our list on their IRC networks to help prevent abuse and open proxies from connecting to their servers. This list contains only the proxy and DDoS drone data from our main list, without extras such as the Spam Sources list and Shoot On Sight.
meissenation
05-25-2007, 12:23 AM
Ok, I had to entirely uninstall this script. It said that it had a positive match on a user's IP address that attempted to register. WROOOOOOOOONG... the IP address resolves to a local ISP here in Detroit, MI. Crazy!
venomx
05-25-2007, 12:27 AM
So?
Could that user be an open proxy or maybe one has been run before at that IP?
Did you go to Sh and look up the IP and see what it said?
meissenation
05-25-2007, 12:28 AM
I went to ws.arin.net and it resolves to WideOpenWest's IP address range.
DaNIEL MeNTED
06-01-2007, 12:12 PM
I went to ws.arin.net and it resolves to WideOpenWest's IP address range.
What's the IP?
meissenation
06-02-2007, 11:33 AM
69.14.74.25
Seiyaboy
06-27-2007, 11:58 PM
Can the IP Black list block a range of IPs such as 120.45.*.*?
mfyvie
07-05-2007, 03:27 PM
Can the IP Black list block a range of IPs such as 120.45.*.*?
Good question, I was about to ask the same thing. Most of my registrations are inside Switzerland, and I was getting a couple of addresses inside dynamic ranges blocked by list.dsbl.org
Remember the more IPs you add to the "blacklist" the longer it takes to process a registration... I'm not sure what list length will = a performance degradation.
Actually, since you are only doing a simple match here, I can't imagine that it will make TOO much of a difference. Remember this plugin is only firing on new user registrations, it's not as if it is firing on every single page. Therefore, probably not that much reason to stress :-)
Top marks on an excellent mod by the way!
mfyvie
07-12-2007, 08:20 PM
Here's some unsupported and untested code that can be used to modify the current version of Proxy RBL mod (4.0) to work together with GLA (https://vborg.vbsupport.ru/showthread.php?t=151601) (Geographic Location Awareness). This allows you to specify an additional whitelist or blacklist based on the country where the user has registered from. In my case I seem to have quite a few Swiss IP addresses listed, but most of my registrations are from Switzerland. Therefore I simply whitelist Switzerland. You can also use this so users from a certain country are always matched, regardless of whether their IP address is listed in a certain blacklist.
I haven't made a fancy user interface for this, because this is not my mod. My code is posted freely here for Daniel to consider implementing as standard. Please remember that unless you have installed and tested GLA first and it is working (details on the GLA thread), then this code won't work. Right let's get started:
Go into the AdminCP -> Plugins and Products -> Plugin Manager -> DMeNTED's RBL Checker -> Check IP against RBLs/IPs. Click the large edit box and locate this code:

    if ($DM_rblcheck_result == $DM_rblcheck_srvmask) {
    // ********************** NOTIFICATIONS **********************

Above this section insert:

    // Modification to incorporate country checks into RBL checker. This will only work if GLA is already installed, tested and working
    // Obtain GLA here: https://vborg.vbsupport.ru/showthread.php?t=151601
    if (isset($vbulletin->session->vars['country']))
    {
        // Country whitelist - enter a list of countries which are exempted from the RBL checker (use valid *lower case* ISO 2 letter codes only!)
        // See http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 for list of codes
        // example: $whitelist = array('gb', 'fr', 'it');
        $whitelist = array();
        if (in_array($vbulletin->session->vars['country_iso2'], $whitelist))
        {
            // We have a match on the whitelist, bail out of the entire plugin, but reset the variables first.
            $DM_rblcheck_result = null;
            return;
        }
        // Same as above example for whitelist. People from these countries will be flagged as positive matches, regardless of the RBL status.
        // Think carefully before using the blacklist - it is generally not recommended to ban entire countries
        $blacklist = array();
        if (in_array($vbulletin->session->vars['country_iso2'], $blacklist))
        {
            // We have a match on the blacklist, set the variables and continue
            $DM_rblcheck_result = $DM_rblcheck_srvmask;
            $DM_rblcheck_errcode = "Matched a blacklisted country: " . $vbulletin->session->vars['country'];
        }
    }

This modification is untested (though it is running on my system, but I haven't had any alerts yet so I can't say 100% whether it is working). If it works for you - maybe say so. Don't forget that you have to insert the correct country codes into the code (see the comments in the code itself), and don't forget to use 'quotation' marks and commas to separate multiple entries.
Now to add the country name into your reports find this line:

    $DM_rblcheck_errcode = "MATCHED IN THE RBL DATABASE of the " . $DM_rblcheck_rblserv . " RBL.";

And replace with:

    $DM_rblcheck_errcode = "USER FROM: " . $vbulletin->session->vars['country'] . " MATCHED IN THE RBL DATABASE of the " . $DM_rblcheck_rblserv . " RBL.";

Also, further to this post, I recommend moving the hook used for Check IP against RBLs/IPs to register_addmember_complete (and change to execution order 4 if you do this), due to the fact that multiple notifications get sent for every bot that turns up.
It might be useful to duplicate sections of code in both plugins so that blocking is done in the Check IP against RBLs/IPs plugin and notifications are done in Auto-Ban or Flag for Moderation plugin. This would avoid all the unnecessary notifications for bots that never succeed in registering anyway.
Remember, just to repeat myself again (I know some people have trouble reading instructions sometimes). Do not ask for support for GLA on this thread - install it and if it doesn't work go through every post on the GLA thread as there are steps for verifying it on that thread.
lazytown
07-13-2007, 05:41 AM
Need to change the hook the plugin is using. It is currently using register_addmember_process, but should be using register_addmember_complete. What is happening is when it hits process, and say the user puts in the wrong captcha, doesn't match their passwords, doesn't put in a required field, etc. When you use the _complete hook it fires once the user has properly filled out the registration form. Only use this hook however if you want the registration to complete, but not get multiple notifications. If you are blocking registrations, then leave it using the process hook.
Has anyone confirmed that this works? I use the NoSpam! mod, and because of that, I get bots trying to register 6 times with their accounts banned (which is good). However, if this mod allowed NoSpam! to run first, they wouldn't even get to the point of registering an account most of the time. I believe I tried the above several months ago and it didn't work. Any suggestions at getting this to run after NoSpam! verification/etc?
Thanks
-vissa
DaNIEL MeNTED
12-24-2007, 12:26 PM
Hey everyone - I apologize for the extended absence. I am back and plan on redesigning the hack with even more features.
Right now the list includes:
- Ability for blocked registrations to send a message to admins in case they feel there is an error.
- Ability for admins to whitelist IPs from the automatic posts/PMs.
- Ability to blacklist or whitelist using a mask - #.*.*.*
- Ability to ban + blacklist IP from any post for spammers that sneak through.
I'm also toying with the idea of keeping a central RBL that the RBL checker reports to on positive or manual hits...
powerbook
12-24-2007, 01:28 PM
Glad to see I can once again enable this plugin on my site after the upgrade to 4.1 :up:
sinisterpain
12-25-2007, 10:40 AM
received this error multiple times when user tried to register
set to allow registration and ban the user if known proxy
highlighted problem
Database error in vBulletin 3.6.8:
Invalid SQL:
INSERT INTO userban (userid, usergroupid, displaygroupid, usertitle, customtitle,
adminid, bandate, liftdate, reason)
VALUES
(2977, 8, 8, 'Banned by DM-RBLCheck', 1, ,1198585277, 0, 'Automatically
Banned. The registration IP address matched a proxy/blacklisted IP.');
MySQL Error : You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '1198585277, 0, 'Automatically
Banned. The registration IP address matched a prox' at line 3
Error Number : 1064
Guess I should have read the above install note.
I believe I sorted this thanks
DaNIEL MeNTED
12-25-2007, 12:27 PM
uhuh... the error trapping in the next version will be a little more thorough...
Hi and Merry Christmas Daniel!
Someone posted the below back in May. I tried to register through youhide.com and I was able to register with no problem.
I was just able to register perfectly fine with xroxyx.com and youhide.com and it didn't block me at all?
Is there a way to manually add these sites? I just wanted to test the system and I can't find a web-proxy that will "ban" me.... In two cases, a web-proxy site prompted me for payment before I could register. That's good news...
Oh yeah, I forgot. Is there also any way to test against "existing" members to see if I have current "registered" trolls before I installed the hack? Wishful thinking, I know...but hey, it's Christmas!
DaNIEL MeNTED
12-25-2007, 02:05 PM
Well... the problem is that a lot of the 'free' or 'pay' proxies out there are not listed in RBLs/SBLs... that's why I'm thinking of setting up an additional check in the next version to a custom online list of proxies. For that to work I will also be looking at adding 'reporting' features so you can submit IPs of proxies used by spammers/trolls that are not in the list...
Freezerator
12-27-2007, 06:42 AM
Hey everyone - I apologize for the extended absence. I am back and plan on redesigning the hack with even more features.
Right now the list includes:
- Ability for blocked registrations to send a message to admins in case they feel there is an error.
- Ability for admins to whitelist IPs from the automatic posts/PMs.
- Ability to blacklist or whitelist using a mask - #.*.*.*
- Ability to ban + blacklist IP from any post for spammers that sneak through.
I'm also toying with the idea of keeping a central RBL that the RBL checker reports to on positive or manual hits...
Many thanks!! Your mod still rocks!
Well... the problem is that a lot of the 'free' or 'pay' proxies out there are not listed in RBLs/SBLs... that's why I'm thinking of setting up an additional check in the next version to a custom online list of proxies. For that to work I will also be looking at adding 'reporting' features so you can submit IPs of proxies used by spammers/trolls that are not in the list...
Totally understood. This is a great hack, but I can see where there is no way you could update web anonymizers without help. Check out the LONG list here (http://www.freeproxy.ru/en/free_proxy/cgi-proxy.htm)!
I tested the first one (Anonymouse (http://anonymouse.ws/)) twice and it appears that when someone registers in a forum through this proxy, they get an IP of 193.200.150.167. It would be good to see if several other people could test to see if the IP stays consistent. If so, it's one we could add to the list.
DaNIEL MeNTED
12-27-2007, 08:58 PM
Totally understood. This is a great hack, but I can see where there is no way you could update web anonymizers without help. Check out the LONG list here (http://www.freeproxy.ru/en/free_proxy/cgi-proxy.htm)!
I tested the first one (Anonymouse (http://anonymouse.ws/)) twice and it appears that when someone registers in a forum through this proxy, they get an IP of 193.200.150.167. It would be good to see if several other people could test to see if the IP stays consistent. If so, it's one we could add to the list.
Well... I was debating how big a rewrite I wanted to do of this mod and I've decided to do a MAJOR rewrite. Looking at adding a custom RBL for those specific 'anonymous' surfing sites that don't get blocked by RBLs... I'm in the process of setting up a new site just to support this mod.
Cheers.
Awesome! I'll be donating once it's in place and working :up:
DMeNTED [ff]
01-11-2008, 03:04 PM
Hey Guys...
I'm about 40% complete on the rewrite, just hard finding time with some work related projects on the go. I've registered a new domain/vb license in support of this and some other projects I've got going on...
If anyone needs to get a hold of me PM/email me at this account as the other account I use ('Daniel Mented') is for the forum I admin...
Thanks and happy new year (a little late I know) to everyone!
Thanks for the update! Looking forward to the new hack:up:
HI,
I think you mentioned this before, but wanted a bit more info when you have time. Currently, default setting for RBLS that you have are:
dnsbl.ahbl.org
proxies.dnsbl.sorbs.net
list.dsbl.org
Does the "proxies.dnsbl.sorbs.net" also encompass the spam? It appears not to, but I could be wrong. I was trying to research it, but I'm techy enough to "get it". Here's the URL I'm referring to: http://www.us.sorbs.net/using.shtml
Paula
DMeNTED [ff]
01-18-2008, 09:51 AM
It depends on the context. All RBLs are really designed to stop email spammers. What we're interested in is preventing vb spammers that are taking advantage of the same 'compromised servers' to pump spam into forums...
Most spammers try to use proxies to obfuscate their IP/location/etc. So blocking proxies is helpful in that regard.
I think you misunderstood :) BTW, I LOVE the proxy blocker! My question is:
Does the "proxies.dnsbl.sorbs.net" also encompass the spam addy (spam.dnsbl.sorbs.net) for Sorbs?
They have a huge list (http://www.us.sorbs.net/using.shtml), and I just wanted to make sure I was covered, so to speak :)
EricGT
01-20-2008, 05:48 PM
Hello. This might be a stupid question, but I am new to this plugin and I am not sure how it works. When I try to view in a browser the urls for the RBLs listed in the config for this plugin, I get 'Server Not Found' errors for all three of them. Does this mean those pages are not working, or is a protocol other than HTTP being utilized to communicate with those sites? Thanks for a great plugin, BTW. Eric
TheInsaneManiac
02-04-2008, 02:51 PM
I just went to fbiproxy.com and registered on my website and nothing happened, no error message no awaiting moderation. I also configured everything correctly.
DaNIEL MeNTED
02-09-2008, 10:39 PM
Hello. This might be a stupid question, but I am new to this plugin and I am not sure how it works. When I try to view in a browser the urls for the RBLs listed in the config for this plugin, I get 'Server Not Found' errors for all three of them. Does this mean those pages are not working, or is a protocol other than HTTP being utilized to communicate with those sites? Thanks for a great plugin, BTW. Eric
Those are DNS server addresses - the RBL checker performs a DNS query against those servers and if it receives a match (typically 127.0.0.x) it blocks registration... If the IP isn't listed with the RBL specified then it doesn't return a 127. response...
I just went to fbiproxy.com and registered on my website and nothing happened, no error message no awaiting moderation. I also configured everything correctly.
Anon- web surfing sites do not get added to RBLs... the next version of the product will include a solution to that particular 'hole'.
Cheers.
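The lookup described in this post, as an added example that is not part of the thread and not the mod's code: the IPv4 octets are reversed, the RBL zone is appended, and only an answer in 127.0.0.0/8 counts as a listing. Assumptions: the function names are hypothetical, and the answers in $fakeDns are constructed so the demo runs without network access; leave the resolver argument out to query real DNS.

```php
<?php
// Added example, not the mod's code. Function names are hypothetical.

// Build the name an RBL checker looks up: octets reversed, zone appended.
function dnsbl_query_name(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // IPv6 needs a different (nibble) format; not handled here
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . trim($zone, '.');
}

// Default resolver: real DNS. gethostbynamel() returns false when the name
// does not exist, which for an RBL means "not listed".
function dnsbl_system_resolver(string $name): array
{
    $answers = gethostbynamel($name . '.'); // trailing dot: no search domains
    return $answers === false ? [] : $answers;
}

// Returns the query name, whether the IP is listed, and the 127.x codes seen.
function dnsbl_check(string $ip, string $zone, ?callable $resolver = null): array
{
    $resolver = $resolver ?? 'dnsbl_system_resolver';
    $name = dnsbl_query_name($ip, $zone);
    if ($name === null) {
        return ['query' => null, 'listed' => false, 'codes' => []];
    }
    // Only 127.0.0.0/8 answers are listing codes. Anything else, such as a
    // resolver that rewrites "no such name" to a search page, must not count.
    $codes = [];
    foreach ($resolver($name) as $answer) {
        if (strncmp($answer, '127.', 4) === 0) {
            $codes[] = $answer;
        }
    }
    return ['query' => $name, 'listed' => $codes !== [], 'codes' => $codes];
}

// Constructed answers for documentation-range addresses.
$fakeDns = [
    '10.2.0.192.proxies.dnsbl.sorbs.net'   => ['127.0.0.2'],     // listed
    '7.100.51.198.proxies.dnsbl.sorbs.net' => [],                // no such name
    '9.113.0.203.proxies.dnsbl.sorbs.net'  => ['203.0.113.80'],  // rewritten answer
];
$stub = static function (string $name) use ($fakeDns): array {
    return $fakeDns[$name] ?? [];
};

foreach (['192.0.2.10', '198.51.100.7', '203.0.113.9', '2001:db8::1'] as $ip) {
    $r = dnsbl_check($ip, 'proxies.dnsbl.sorbs.net', $stub);
    printf(
        "%-13s %-38s %s\n",
        $ip,
        $r['query'] ?? '(no IPv4 query name)',
        $r['listed'] ? 'listed: ' . implode(', ', $r['codes']) : 'not listed'
    );
}
```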
Anon- web surfing sites do not get added to RBLs... the next version of the product will include a solution to that particular 'hole'.
How are you coming along with that? Any projected release date? :D
rinkrat
04-03-2008, 05:52 PM
This catches people every single day on my site. I google their email address and sure enough I find spam on several other VBulletin sites that they have left.
This is one of the best hacks available for a popular site or one with a good Google ranking.
Hendrizius
04-08-2008, 11:29 PM
Thanks for this mod.
I have those RBLS:
dnsbl.ahbl.org
proxies.dnsbl.sorbs.net
list.dsbl.org
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
dnsbl.njabl.org
I just checked and tried to register using a proxy (hidemyass.com). A very popular one. I was able to complete registration. Does that mean my RBLs are wrong ? ^^
edit: I got a lot of PMs today. So it seems to be blocking users. However I really wonder why hidemyass.com is not blocked ><
StevenTN
04-25-2008, 02:36 AM
You can add it manually to the known proxies list.
pedigree
04-25-2008, 04:09 PM
not trying to thread steal but I just finished working on a RBL of known forum spammers. vbStopForumSpam, which does lookups (at registration) from www.stopforumspam.com
I run a small forum and it's stopped all the new registrations since I installed it :)
StevenTN
04-25-2008, 06:33 PM
Well, it's all cool and stuff. But, I like the RBL method used here, considering I have a larger forum, and it catches about 8-10 a day with a 99% accuracy rate. There are some false positives, which is due to some of them coming from spam zombies, but you're going to have that anyway. In those cases, we give an alternate method of registration that involves human intervention. New members that are legit do go for that option.
Also, this addon does handle proxies.
webspider
04-30-2008, 02:50 PM
I'm hoping we'll see a version for 3.7
rinkrat
04-30-2008, 02:56 PM
This version works on my 3.7
webspider
04-30-2008, 03:18 PM
Thanks, that's good to know.
Does anyone have a good list of RBLs and known proxy IPs?
Tom1234
04-30-2008, 03:50 PM
Also, further to this post, I recommend moving the hook used for Check IP against RBLs/IPs to register_addmember_complete (and change to execution order 4 if you do this), due to the fact that multiple notifications get sent for every bot that turns up.
It might be useful to duplicate sections of code in both plugins so that blocking is done in the Check IP against RBLs/IPs plugin and notifications are done in Auto-Ban or Flag for Moderation plugin. This would avoid all the unnecessary notifications for bots that never succeed in registering anyway.
Was this idea implemented in the latest version?
DaNIEL MeNTED
04-30-2008, 04:31 PM
How are you coming along with that? Any projected release date? :D
None as of yet... I'm in the process of selling my house so time is at a bit of a premium. I hope to have a beta for testing by the end of May... I've built it so it's fully customizable.
IP black list/white list...
country blacklist/whitelist...
configure as many RBLs as you want...
configure specific response codes to the RBLs...
Everything is based on weighting... so you set a score you want to block at and then set 'confidence' levels for SCLs... if an IP's score > your threshold then a block/ban/etc. gets fired.
I'm also working on a system where when a forum blocks an IP it gets added to a central DB, so everyone can benefit from a site's positive blocks...
Also built in a user-context menu 'ban as spammer' and 'ban as troll'...
I'm hoping we'll see a version for 3.7
The next version will be tested on both 3.6/3.7
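A sketch of the weighted scoring outlined in this post, added here as an example; it is not part of the thread and not code from the mod or its planned version. Assumptions: every function name, weight, response code and the threshold is constructed, RBL answers are passed in as already-resolved 127.x codes, and only the whitelist side of the country option is shown.

```php
<?php
// Added example, not the mod's code. Names, weights, codes and the threshold
// are constructed for illustration.

// True when an IPv4 address matches a dotted mask such as "120.45.*.*".
function dm_mask_match(string $ip, string $mask): bool
{
    $ipParts = explode('.', $ip);
    $maskParts = explode('.', $mask);
    if (count($ipParts) !== 4 || count($maskParts) !== 4) {
        return false;
    }
    foreach ($maskParts as $i => $part) {
        if ($part !== '*' && $part !== $ipParts[$i]) {
            return false;
        }
    }
    return true;
}

// First mask in the list that matches the address, or null.
function dm_first_mask(string $ip, array $masks): ?string
{
    foreach ($masks as $mask) {
        if (dm_mask_match($ip, $mask)) {
            return $mask;
        }
    }
    return null;
}

// $rblAnswers maps zone => list of 127.x codes that zone returned for $ip.
function dm_score_registration(string $ip, string $country, array $rblAnswers, array $cfg): array
{
    // Whitelists short-circuit: a match means nothing else is scored.
    if (($m = dm_first_mask($ip, $cfg['ip_whitelist'])) !== null) {
        return ['score' => 0, 'action' => 'allow', 'reasons' => ["IP whitelist $m"]];
    }
    if (in_array($country, $cfg['country_whitelist'], true)) {
        return ['score' => 0, 'action' => 'allow', 'reasons' => ["country whitelist $country"]];
    }

    $score = 0;
    $reasons = [];
    if (($m = dm_first_mask($ip, $cfg['ip_blacklist'])) !== null) {
        $score += $cfg['ip_blacklist_weight'];
        $reasons[] = "IP blacklist $m +{$cfg['ip_blacklist_weight']}";
    }
    foreach ($cfg['rbls'] as $zone => $weights) {
        // Per-code weight if configured, else the zone's '*' default, else 0.
        $best = 0;
        foreach ($rblAnswers[$zone] ?? [] as $code) {
            $best = max($best, $weights[$code] ?? $weights['*'] ?? 0);
        }
        if ($best > 0) {
            $score += $best;
            $reasons[] = "$zone +$best";
        }
    }
    // Fire only when the score is strictly above the threshold.
    $action = $score > $cfg['threshold'] ? $cfg['action'] : 'allow';
    return ['score' => $score, 'action' => $action, 'reasons' => $reasons];
}

$cfg = [
    'threshold' => 50,
    'action' => 'moderate',
    'ip_whitelist' => ['198.51.100.*'],
    'ip_blacklist' => ['120.45.*.*'],
    'ip_blacklist_weight' => 100,
    'country_whitelist' => ['ch'],
    'rbls' => [
        'proxies.dnsbl.sorbs.net' => ['*' => 60],          // proxy list: high confidence
        'bl.spamcop.net'          => ['127.0.0.2' => 30],  // mail spam list: low confidence
    ],
];

// Constructed registrations: [ip, country, RBL answers].
$cases = [
    ['192.0.2.10', 'ca', ['proxies.dnsbl.sorbs.net' => ['127.0.0.2']]],
    ['192.0.2.11', 'it', ['bl.spamcop.net' => ['127.0.0.2']]],
    ['192.0.2.12', 'ch', ['proxies.dnsbl.sorbs.net' => ['127.0.0.2']]],
    ['120.45.3.4', 'ca', []],
];
foreach ($cases as [$ip, $country, $answers]) {
    $r = dm_score_registration($ip, $country, $answers, $cfg);
    printf("%-11s %s score=%-3d %-8s %s\n", $ip, $country, $r['score'],
           $r['action'], implode('; ', $r['reasons']));
}
```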
DaNIEL MeNTED
04-30-2008, 04:34 PM
Again... sorry for the delay in responding. I admin one forum, volunteer code for a couple of organizations, and lately have been traveling to trade shows for work.
I don't really like coding in dribs and drabs... I'm hoping I can dedicate a week to finishing up a beta for testing this month.
Cheers.
StevenTN
04-30-2008, 07:11 PM
Hey Daniel... thanks for all the work you've done. I don't think we've mentioned that You've helped make our forums quieter.
Here's all the BLs I use...
dnsbl.ahbl.org
list.dsbl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
zen.spamhaus.org
Tom1234
04-30-2008, 07:26 PM
I don't understand why people are using spam blacklists to block proxy servers. I think this post needs to be read again:
Guys, I'd recommend against using dnsbl.ahbl.org or sbl-xbl.spamhaus.org. Their primary function is to provide a list of Open Mail Relays (http://en.wikipedia.org/wiki/Open_relay) and email spamming sources, which are an ENTIRE different world than Open Proxies (http://en.wikipedia.org/wiki/Open_proxy). I don't think that fact is illustrated enough in this thread.
AHBL is particularly aggressive in that they are willing to list blocks of ip addresses. That is, if you have users on a Seattle Area DSL network, and an open mail relay shows up on their network, both that mail relay and your users (or potential users) will be blocked by AHBL.
You guys really need to read and understand the purpose and the usage of these blacklists before slapping them in. Many of these blocklists prohibit the usage of their services in this way. You're unnecessarily hitting services that have finite resources. Don't be so eager to block IPs willy nilly and think you're making a difference. You're not. If your goal is to block users coming through anonymizers, proxies, or even the TOR (http://tor.eff.org) network, then use blacklists whose function is to only report anonymizers, proxies, and TOR networks. The fact of the matter is that you're not going to see a lot of hits with a blacklist like this simply because not many people are going to register with your site who are actually using proxies.
Here's what I'm using currently:
proxies.dnsbl.sorbs.net
tor.ahbl.org
I don't get many hits, but that's because I don't expect many hits (that's the reality of things).
Again, I like this add-on, I think it's very useful. I'm not criticizing its usage. All I'm trying to do is help people understand what they're doing a little bit better.
DaNIEL MeNTED
04-30-2008, 10:46 PM
proxies.dnsbl.sorbs.net
dnsbl.ahbl.org
I only use 2 lists... 99% of blocks are from proxies.dnsbl.sorbs.net...
As Tom said, you should make sure you avoid some aggressive SBLs. While it's logical for mailservers (the primary users of SBLs) to block traffic from IP ranges assigned by ISPs to consumer addresses (DSL, Dial-up, etc.) as they're not legitimate sources of SMTP traffic, it's counterproductive to do so with a forum...
Obviously you'll get a lot of matches. But a lot of them might be people who actually want to get on your forum.
You should also enable reporting - and check reports regularly. 99.9% of my blocks come from registration emails that are .ru (I run a small Canadian forum....) so it's easy to see that those are spammers. (Usernames like 'cheapcigarettes' are a good hint too.)
You want to make sure that you don't tighten the screws down so tight you block legitimate users... especially if your board relies on donations.
jeffmezick
05-01-2008, 08:58 PM
Will this mod continue to work with VB 3.7 or is there an upgrade?
DaNIEL MeNTED
05-02-2008, 02:08 AM
Will this mod continue to work with VB 3.7 or is there an upgrade?
I have not tested it but there has been at least 1 post in the thread confirming it does work with 3.7
StevenTN
05-03-2008, 03:01 PM
It works in 3.7.0 for me no problem.
Also, with the size of our forum, using the other blacklists has helped a lot more than just sticking with two. Working in IT, I know that if you compromise any system (whether it'd be mail, proxy, web, or other server, along with desktops and laptops), you can do whatever you want with it, and that includes forum spam. Since I deal primarily with security at work, I've seen it.
tfw2005
05-14-2008, 06:47 PM
Working in 3.7
However, I have the 5 threads created per action. I tried switching the hook location so they were both _complete, but when I do that I get an error upon registration. Reg goes thru, but the user gets the DB error page, not redirected to thanks message.
I have it set to complete, then ban, then alert me in staff forum. No blocking of registration.
Can I disable the register hook, or will that make it lose functionality?
Also, is there a central blacklist for web based anonymizers that we can plug into? (hidemyass.com, etc). That's where most of my trolls are coming from, and keeping that up to date by hand is going to be a pain.
Thanks for the great hack!
StevenTN
05-14-2008, 09:26 PM
I don't have that problem at all with the multiple threads. Of course, mine is set to deny registration.
As far as the proxies, I would love to see an RBL for it.
webspider
05-15-2008, 11:24 AM
I have found that it does not work fully on 3.7. I have it set to allow then ban and the ban part never seems to work.
tfw2005
05-16-2008, 06:36 AM
Only proxy based one I see in any of the ones mentioned here is proxies.dnsbl.sorbs.net. Not sure how good it is. Putting it at front of my list, with zen.spamhaus.org after it. See what picks up.
While the spam reduction is good, the HTTP, web based anonymizers is what needs to be blocked consistently. Most trolls don't understand full proxy programs or situations, they just use the web based ones found in google searches.
As for "Feature Requests"
- It would be good so that if you allow registrations, with automatic banning, if you then review the situation and decide to unban the person, you can send them an altered Email with reactivation codes. Something like:
Banning Information
Banned by RBL DoubleCheck XYZ [LIFT BAN]
Lift Ban does -
--Removes Custom User Title we just put there.
-- Moves to "Users Waiting Email Confirmation" usergroup.
-- Sends email with new activation codes
-- Additional lines in that email state (template it up so we can adjust I guess)
---- that they were originally banned due to their IP being on a Blacklist,
---- due to further review, staff has decided to approve their registration.
---- please click the link to re-confirm their account.
---- their account will be watched for X amount of time to double check for spam, trolling, or alt id abuse.
Also might be good to add links in the Edit User Page under the banned box directly to link pages for dnsstuff.com, and/or google searches on the username. That way you can quickly see if that person exists on other sites/forums, etc.
Possibly parse their email to do a search for whatever they entered before the @ symbol, and do a google search for that too. That sometimes brings up useful data.
All those searches and the data that can come back can help you discern if the person is real and/or a trouble maker elsewhere, therefore allowing a false-positive to be reversed easily.
Chris583
05-30-2008, 02:18 AM
bump, request a mod like this for 3.7 !!
Anyone know if there is anything like this?
Awesome mod, I really need check proxy mod.
dapoling
06-02-2008, 06:19 AM
First I would like to say I really appreciate this hack as it saves me a lot of hassle.
I noticed that when it catches someone trying to use a hidden ip address even though the settings are set to ban user, it does not. What it does during registration is that it does not accept the human verification answer and allows them to continue to try.
If any help is available on this I would appreciate it greatly.
webspider
06-02-2008, 11:37 AM
First I would like to say I really appreciate this hack as it saves me a lot of hassle.
I noticed that when it catches someone trying to use a hidden ip address even though the settings are set to ban user, it does not. What it does during registration is that it does not accept the human verification answer and allows them to continue to try.
If any help is available on this I would appreciate it greatly.
I have the same issue.
dapoling
06-02-2008, 11:25 PM
First I would like to say I really appreciate this hack as it saves me a lot of hassle.
I noticed that when it catches someone trying to use a hidden ip address even though the settings are set to ban user, it does not. What it does during registration is that it does not accept the human verification answer and allows them to continue to try.
If any help is available on this I would appreciate it greatly.
I just want to make sure I update the list.
The error was on my end with one of the templates and once corrected it is up and running just as described.
Thanks for such a useful tool.
webspider
06-03-2008, 12:01 AM
I just want to make sure I update the list.
The error was on my end with one of the templates and once corrected it is up and running just as described.
Thanks for such a useful tool.
Which template? Mine is still not working correctly.
dapoling
06-03-2008, 12:13 AM
Try reverting this template:
Admin CP -> Styles & Templates -> Style Manager -> « » -> Registration Templates -> register
dapoling
06-03-2008, 06:57 PM
After doing a little testing I found that banning does not occur unless the second notification window appears to the person logging in.
It would be nice to have this banning action occur on the first message of notifying the register of using a proxy server.
To test this I used this and was caught http://www.freeproxyserver.net/
and this one got through due to it not getting the second notice http://www.cantbustme.com/
I still like the hack but just wanted to pass this along as I am really getting hit hard by an idiot.
dapoling
06-03-2008, 07:30 PM
As another note, I am receiving two posts for every one attempt to log in.
dapoling
06-04-2008, 05:31 AM
I do not know if this link has been listed but it helps in finding the servers you want to use.
http://openrbl.org/
Use the OpenRBL JS Client; it uses Java and you can see which list blockers catch the IPs you want to block.
I try to limit the number of blocking sites as much as possible so that valid people are not affected.
dapoling
06-04-2008, 06:15 PM
Oops, duplicate post #218
Dave
dapoling
06-06-2008, 02:16 AM
After doing a little testing I found that banning does not occur unless the second notification window appears to the person logging in.
It would be nice to have this banning action occur on the first message of notifying the register of using a proxy server.
To test this I used this and was caught http://www.freeproxyserver.net/
and this one got through due to it not getting the second notice http://www.cantbustme.com/
I still like the hack but just wanted to pass this along as I am really getting hit hard by an idiot.
It seems I have my own answer here.:cool:
The reason I found why the new registrations are not being banned is because I have the Spam Hack so I can make up my own question and answer. The ones that are not being banned must be spam bots and are unable to answer the question.
The one that can answer the question but caught by the RBL Checker is banning them.:eek:
kylek
06-11-2008, 04:20 AM
Running 3.7.1 and am also getting two PMs. Also have it set to move the person into a certain usergroup; however, it seems that is not happening.
dapoling
06-11-2008, 08:14 PM
Running 3.7.1 and am also getting two PMs. Also have it set to move the person into a certain usergroup; however, it seems that is not happening.
Kylek, I am not sure if the same thing is occurring with mine, but I found through trial and error that if they are able to register and then banned they will be banned.
If you are unsuccessful in registering then it will not ban as they are not a member yet.
Dave
counterpoint
06-17-2008, 12:19 PM
Sorry, I'm not clear, is this hack compatible with VB 3.7?
webspider
06-17-2008, 12:37 PM
Sorry, I'm not clear, is this hack compatible with VB 3.7?
As far as I can tell, no, not completely. It does part of the job but fails on the auto banning. I'm using it anyway on 3.7 as one more deterrent.
thestaton
06-20-2008, 01:53 PM
Any chance of this getting a proper port to 3.7?
counterpoint
06-25-2008, 02:00 PM
As far as I can tell, no, not completely. It does part of the job but fails on the auto banning. I'm using it anyway on 3.7 as one more deterrent.
Thanks, on that basis I've implemented it.
A couple of other questions. The introduction gives reasons for banning proxies, but does not make it clear whether this product implements a ban, or whether the author is recommending that something else should be used to block proxies. If the latter, is there a reliable, supported proxy blocker?
With RBL implemented, it seems to be blocking only a minority of spammers. Is there anything else that can be done?
skippybosco
06-25-2008, 09:58 PM
I personally use a three tier approach that catches 99% of the attempts:
Registration Attempt -> Stop Forum Spam Check (https://vborg.vbsupport.ru/showthread.php?t=176481) -> Proxy RBL Check
Post Attempt -> Akismet Check (https://vborg.vbsupport.ru/showthread.php?t=155386)
For RBL I'm a little more aggressive on the IPCONFIG checks than the default setting:
dnsbl.ahbl.org
list.dsbl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
zen.spamhaus.org
Raptor
07-22-2008, 01:08 PM
works on 3.7.2 inc auto banning
however it makes a post twice when it catches an offender
King Justice
08-21-2008, 12:16 PM
Is there any way someone can make this script also check/block registrations from proxy IPs? Here are three big sites containing lists of proxy site IP addresses:
http://www.samair.ru/proxy/
http://www.publicproxyservers.com/page1.html (Page 1 through 5)
http://www.proxy.org/tor.shtml
Will pay a coder to make this available to everyone somehow.
Edit: Proxy.org has a blacklist of Proxy IPs that you can add to your .htaccess file here (http://proxy.org/tor_blacklist.txt). Would still like to use the above IP addresses to be blocked by a script automatically - would be very useful if the script could auto-update itself as the sites do. The sites contain such a massive index of proxy IPs that are freshly updated it would really prevent problematic users.
Never mind... Just read post:
https://vborg.vbsupport.ru/showpost.php?p=1503948&postcount=203
Problem is that anonymous surfing sites are not blocked. Will anxiously wait for update.
For RBL I'm a little more aggressive on the IPCONFIG checks than the default setting:
dnsbl.ahbl.org
list.dsbl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
zen.spamhaus.org
Thanks for this list... 2 of the 3 defaults are not working and the remaining one didn't list the IPs of a recent offender I've been battling with.
TMM-TT
09-07-2008, 08:32 AM
Hey Daniel... thanks for all the work you've done. I don't think we've mentioned that you've helped make our forums quieter.
Here's all the BLs I use...
dnsbl.ahbl.org
list.dsbl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
zen.spamhaus.org
Also try opm.tornevall.org. That server also looks for webspamming/abuse (and updates TOR-nodes hourly). You can read about it here (http://dnsbl.tornevall.org/?language=en&do=usage).
King Justice
09-12-2008, 10:12 PM
Also try opm.tornevall.org. That server also looks for webspamming/abuse (and updates TOR-nodes hourly). You can read about it here (http://dnsbl.tornevall.org/?language=en&do=usage).
Thank you for that list! :)
King Justice
09-13-2008, 04:09 AM
What is the best list to use? I am using this now:
proxies.dnsbl.sorbs.net
dnsbl.ahbl.org
opm.tornevall.org
But there's also this one?
dnsbl.ahbl.org
list.dsbl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
zen.spamhaus.org
Should I use a combination of both?
TMM-TT
09-13-2008, 06:10 AM
What is the best list to use? I am using this now:
But there's also this one?
Should I use a combination of both?
That may be a good idea. Some of the listed RBLs (tornevall.org is one of them) also support bitmasked detection, which means you can choose what to block of the returned answers from DNS (which this plugin also supports (https://vborg.vbsupport.ru/showthread.php?t=96318) :P).
The biggest problem with a lot of different blocklists is that it may slow down the forum if resolving takes too much time. There may also be a lot of false alarms, depending on how updated the RBL is.
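Added example (not part of the thread and not either plugin's code): a sketch of the bitmasked DNSBL check and per-IP caching discussed in the post above, with a dead or slow list skipped instead of stalling registration. The zone names, the bit meanings and the injected `resolve` callable are assumptions made for illustration; a real list documents its own return codes.

```python
import ipaddress
import time

# Hypothetical bit meanings for a bitmasked list; each real list documents its own.
EXAMPLE_BITS = {1: "open-proxy", 2: "tor-exit", 4: "web-spam"}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name for a DNSBL lookup: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def decode_answer(answer, bits=EXAMPLE_BITS):
    """Flags set in the last octet of a 127.0.0.x answer; empty set if not listed."""
    if answer is None:
        return set()
    addr = ipaddress.IPv4Address(answer)
    if addr not in LOOPBACK:          # not a listing code, e.g. a wildcarded dead zone
        return set()
    return {name for bit, name in bits.items() if int(addr) & 0xFF & bit}

class RblChecker:
    def __init__(self, zones, resolve, block_on, ttl=3600, clock=time.monotonic):
        self.zones, self.resolve, self.block_on = zones, resolve, set(block_on)
        self.ttl, self.clock, self.cache, self.lookups = ttl, clock, {}, 0

    def flags_for(self, ip):
        """Union of flags from all zones, cached per IP so repeat hits cost no DNS."""
        hit = self.cache.get(ip)
        if hit and self.clock() - hit[0] < self.ttl:
            return hit[1]
        flags = set()
        for zone in self.zones:
            self.lookups += 1
            try:
                flags |= decode_answer(self.resolve(dnsbl_name(ip, zone)))
            except OSError:           # timeout or dead list: fail open for this zone
                continue
        self.cache[ip] = (self.clock(), flags)
        return flags

    def should_block(self, ip):
        return bool(self.flags_for(ip) & self.block_on)

# Constructed sample data (documentation addresses, made-up zones), not real listings.
SAMPLE = {"7.2.0.192.proxy.example.test": "127.0.0.3",
          "9.2.0.192.proxy.example.test": "127.0.0.4"}

def sample_resolve(name):
    if name.endswith(".dead.example.test"):
        raise OSError("lookup timed out")
    return SAMPLE.get(name)           # None models NXDOMAIN (not listed)
```

Blocking only on selected flags is what keeps a broad list from sending every listed address to moderation, and the cache is what keeps repeat requests from the same address from costing a DNS round trip per zone.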
webcosmo
10-02-2008, 04:05 AM
I don't know why today my forum http://www.webcosmoForums.com got hit by spammers all day long. They have been registering one after another, posting porn and links. Apparently they have been using a proxy for registration. I have been getting tired of deleting and banning.
So now that I have installed this, hopefully it will stop the spam flood. Great work.
Quarterbore
10-16-2008, 04:20 PM
I got hit today too and I have a lot of custom code added that really make it tough for the spammers to get through but I had one today really testing the site by adjusting the words and phrases in the spam.
My problem was their IP kept changing with each new post/account. I hope this fixes that issue...
Quarterbore
10-16-2008, 06:34 PM
Wow, worked like a charm and my spammer decided to go somewhere else! I had a real person on the site trying to get in with his bots and I could tell as they were getting some tricky spam blocks mastered but once their IPs couldn't be faked they were not getting through and gave up.
Simply awesome tool!
ShackMaster
12-01-2008, 05:30 AM
I am getting double posts in my reporting forum. Any ideas?
ShackMaster
12-01-2008, 07:01 PM
Uninstalled... it is causing me loads of unnecessary work. Since last night it has sent almost 20 legitimate users to moderation queue.
Either the program is faulty or the black lists are incorrect... either way it gets a big thumbs down from me.
MadKad
01-22-2009, 09:35 PM
Any ideas why I might be getting double posts of blocked IPs that are the same?
This does ban the IP that is bad so that they can't even try to register, doesn't it?
TMM-TT
01-23-2009, 04:24 AM
Uninstalled... it is causing me loads of unnecessary work. Since last night it has sent almost 20 legitimate users to moderation queue.
Either the program is faulty or the black lists are incorrect... either way it gets a big thumbs down from me.
Hm, yes, I haven't checked this mod out deeper, but it actually seems that it is resolving all IPs every time someone visits the page. If it is like that, bigger forums will definitely suffer heavy load. Take a look at this one (https://vborg.vbsupport.ru/showthread.php?t=96318) instead, and see if that mod can solve your problems.
AWJunkies
02-12-2009, 12:58 AM
Does this or will there be a 3.8.1??
Alfa1
02-12-2009, 08:28 AM
I would like to know this too.
RedDevil
02-15-2009, 07:01 PM
I have had this on for a while, works well; the only problem I am having is that the posts it generates are put in the moderation queue. I'm currently running VB 3.8.1 on a small forum.
Does anyone know why this is happening? Other than this it works perfectly: blocks the spammers and informs us, albeit moderated.
sexgosex
02-15-2009, 10:31 PM
Does that work with 3.8 0?
Damien001
03-21-2009, 10:41 PM
Is this compatible with version 3.8?
StevenTN
03-21-2009, 11:14 PM
I am still using it no problem with vB 3.8.1 PL1.
Damien001
03-28-2009, 11:03 AM
Is this still being supported by the developers or has it died?
If no one is running with it, I might have enough time to take it over and work on it.
Also, if it's still being supported, I suggest using the service offered by http://www.projecthoneypot.org/ as they have a blacklist of web-based troublemakers. However, with the current form of this mod it's not compatible.
skippybosco
03-28-2009, 11:50 AM
This is still in use on my board no problems.
If you are looking for an alternative, I highly suggest Stop Forum Spam which is working great for VB.