Anti-Spam Options - Hostname or Useragent Registration Ban


nhawk
02-23-2012, 11:00 PM
THIS ADD-ON IS NO LONGER AVAILABLE AND IS NOT SUPPORTED

This is an add-on that is designed with vBulletin 4.1.5. It may not work on earlier versions of vBulletin. It is known to be working on vB versions 3.8.7, 4.0.7 and 4.1.5 through 4.2.0. I don't know if it is compatible with all versions of vB or not.

On my site, I receive quite a few PMs asking me how I prevent spam from being posted there. While I can't release everything I use because some of it is server based (external from vBulletin), I can release one of the lines of defense that I use.

This mod allows you to ban Hostnames and Useragents from registering on your site.

If a hostname or useragent contains any of the words you specify and they are trying to register, they are presented with an error telling them they are forbidden from registering on your site. And no registration screen ever appears.

In the event the hostname is blank, a WHOIS can be performed to establish the identity of the system being used to register.

The 'External Content' pulled by this mod is only the WHOIS information when that is enabled.

WARNING: This mod has the potential of banning humans from registering. Choose what words you use carefully.

Personally, I am not very concerned about banning an occasional human from registering. So, from time to time my system may ban a human that uses an anonymous proxy.

NOTE: This mod has a 'Don't Ask, Don't Tell' clause. Please don't post telling people what words to ban. We don't need spammers getting around this mod by reading posts telling them what is being filtered.

REQUIREMENTS: In order for the WHOIS function used in this mod to work properly, your server must have OPENSSL installed.


* INSTALLATION *
---------------------
1) Upload the contents of the 'upload' folder to your forum's root.
(If your forum's location is http://www.example.com/forums/, the root is /forums/)

2) Import the product XML file (product-hostusercheck.xml) into the Product Manager in AdminCP.

3) Take some time to set the options in ACP->Settings->Options->Prevent Hostname or Useragent from Registering.

4) Be sure to turn on the mod when setting options in ACP->Settings->Options->Prevent Hostname or Useragent from Registering.



* History (Changelog) *
-----------------------------
1.0.3 (December 12, 2013)
- Fix hostname not being checked under certain circumstances.

1.0.2 (March 1, 2012)
- Fix error on registration page when Useragent or Hostname to ban is blank.

1.0.1 (February 24, 2012)
- Wrong hook being used for one of the plugins.

1.0.0 (January 22, 2012)
- Public Release

voglermc
02-24-2012, 02:33 PM
Love it! nominated and rated!

Nirjonadda
02-24-2012, 02:38 PM
Working on 4.1.10

tareqbd
02-24-2012, 03:54 PM
I am using 4.1.3, is it possible for me?

nhawk
02-24-2012, 03:58 PM
I am using 4.1.3, is it possible for me?

It hasn't been tested with 4.1.3 so I can't answer that.

If you could try it and let us know, I'd appreciate it.

EDIT: I was just able to test it on vB 4.0.7 and it worked, so I would imagine it works on 4.1.3.

Also, when I tested it on 4.0.7 I discovered a wrong hook was in the install file. So, version 1.0.1 has now been uploaded. Please update to that version if you've already downloaded it.

Krusty1231
02-24-2012, 04:27 PM
I do not see a pre-defined list of hostnames or useragents provided? It would be helpful to us noobs if you could provide a list to start us off?

I tagged this - looks promising.

nhawk
02-24-2012, 04:29 PM
I do not see a pre-defined list of hostnames or useragents provided? It would be helpful to us noobs if you could provide a list to start us off?

I tagged this - looks promising.

There is a reason for that and I state it in the initial post..

NOTE: This mod has a 'Don't Ask, Don't Tell' clause. Please don't post telling people what words to ban. We don't need spammers getting around this mod by reading posts telling them what is being filtered.

But as a hint, two of the more important words are given in the option descriptions.

Also, every site will be different. Not every site will have problems from the same hostname or useragent. If you don't know which hostnames or useragents are giving your site problems, then this add-on is not for you.

tareqbd
02-24-2012, 04:43 PM
It hasn't been tested with 4.1.3 so I can't answer that.

If you could try it and let us know, I'd appreciate it.

EDIT: I was just able to test it on vB 4.0.7 and it worked, so I would imagine it works on 4.1.3.

Also, when I tested it on 4.0.7 I discovered a wrong hook was in the install file. So, version 1.0.1 has now been uploaded. Please update to that version if you've already downloaded it.

after installing it i found this error.

Warning: stristr() [function.stristr]: Empty delimiter in [path]/showthread.php(123) : eval()'d code on line 35

Warning: stristr() [function.stristr]: Empty delimiter in [path]/showthread.php(123) : eval()'d code on line 46

Warning: stristr() [function.stristr]: Empty delimiter in [path]/showthread.php(123) : eval()'d code on line 46

nhawk
02-24-2012, 04:47 PM
after installing it i found this error.

Warning: stristr() [function.stristr]: Empty delimiter in [path]/showthread.php(123) : eval()'d code on line 35

Warning: stristr() [function.stristr]: Empty delimiter in [path]/showthread.php(123) : eval()'d code on line 46

Warning: stristr() [function.stristr]: Empty delimiter in [path]/showthread.php(123) : eval()'d code on line 46

See my post above..

Also, when I tested it on 4.0.7 I discovered a wrong hook was in the install file. So, version 1.0.1 has now been uploaded. Please update to that version if you've already downloaded it.

Also, I tested this on vB 3.8.7 and it works there too. :D

tareqbd
02-24-2012, 04:52 PM
Also, when I tested it on 4.0.7 I discovered a wrong hook was in the install file. So, version 1.0.1 has now been uploaded. Please update to that version if you've already downloaded it.

Which version? And is it the vBulletin version or this mod's version? To be clear, I don't want to upgrade vB to higher than 4.1.3, thinking many of the mods will stop working. Please clarify your solution. Thanks.

nhawk
02-24-2012, 04:54 PM
Which version? And is it the vBulletin version or this mod's version? To be clear, I don't want to upgrade vB to higher than 4.1.3, thinking many of the mods will stop working. Please clarify your solution. Thanks.

The add-on version. You have version 1.0.0. I uploaded version 1.0.1

Download the file again, and re-install the XML file. Be sure to set the 'Allow Overwrite' to yes when you update.

tareqbd
02-24-2012, 05:08 PM
The add-on version. You have version 1.0.0. I uploaded version 1.0.1

Download the file again, and re-install the XML file. Be sure to set the 'Allow Overwrite' to yes when you update.

many thanks.

DirtRider
03-01-2012, 03:07 PM
I had to uninstall this mod due to this issue Registration Page a mess (https://www.vbulletin.com/forum/showthread.php/397178-Registration-Page-a-mess?p=2270214#post2270214)

nhawk
03-01-2012, 06:40 PM
I had to uninstall this mod due to this issue Registration Page a mess (https://www.vbulletin.com/forum/showthread.php/397178-Registration-Page-a-mess?p=2270214#post2270214)

All you had to do was put something to ban in both the Useragent field and the Hostname field.

The error was because one of those fields was blank.

I'll see about a fix for that soon.

EDIT: Fix released today (version 1.0.2)

DirtRider
03-02-2012, 04:43 AM
Thanks I did not know about that but I have installed the fix now and it works

home9000
03-30-2012, 07:52 PM
Can we have this Hack for 3.8 ?

nhawk
03-30-2012, 08:08 PM
Can we have this Hack for 3.8 ?

It may already work...

It is known to be working on vB versions 3.8.7, 4.0.7 and 4.1.5 through 4.1.10. I don't know if it is compatible with all versions of vB or not.

The fact that it worked with 3.8.7 was not expected. If it doesn't already work with earlier versions, I won't be coding for earlier versions of vB.

Max Taxable
03-30-2012, 08:21 PM
If you tell them they are blocked from registering, they will know there is some detection method involved and find a way to work around it. Why not just have the standard vBulletin message, "The Administrator has Disabled Registration" come up, instead of the gotcha?

This is the same thing, but also allows redirect off-site with no 'gotcha' either:

https://vborg.vbsupport.ru/showthread.php?t=268208

nhawk
03-30-2012, 08:23 PM
If you tell them they are blocked from registering, they will know there is some detection method involved and find a way to work around it. Why not just have the standard vBulletin message, "The Administrator has Disabled Registration" come up, instead of the gotcha?

This is the same thing, but also allows redirect off-site with no 'gotcha' either:

https://vborg.vbsupport.ru/showthread.php?t=268208

I've been running this for a very long time (as in years) on a few different sites. Nobody has gotten around it yet.

And it's not quite the same as the mod you posted. This one also bans hostnames, which is a HUGE difference that works wonders.

EDIT: The only reason for the 2 updates to this were...
Update 1) I exported from my development server which I forgot was set to a different hook.
Update 2) I never expected anyone to leave a field blank.

Max Taxable
03-30-2012, 08:34 PM
I've been running this for a very long time (as in years) on a few different sites. Nobody has gotten around it yet.

And it's not quite the same as the mod you posted. This one also bans hostnames, which is a HUGE difference that works wonders.

EDIT: The only reason for the 2 updates to this were...
Update 1) I exported from my development server which I forgot was set to a different hook.
Update 2) I never expected anyone to leave a field blank.

https://vborg.vbsupport.ru/external/2012/03/3.gif

MarkusB
07-22-2012, 08:20 PM
I'm missing the upload folder in the download file, is there one or does it work now without?

I see just the xml and txt file

nhawk
07-23-2012, 09:49 AM
I'm missing the upload folder in the download file, is there one or does it work now without?

I see just the xml and txt file

Sorry about that!

Download it again. I re-uploaded the zip file with the upload folder.

Max Taxable
07-23-2012, 12:05 PM
I bet that makes all the difference!

EDIT to ask: Upload the individual files in the "phpwhois-4.2.2" folder? Or just upload the folder itself, to root?

nhawk
07-23-2012, 01:06 PM
I bet that makes all the difference!

EDIT to ask: Upload the individual files in the "phpwhois-4.2.2" folder? Or just upload the folder itself, to root?

Upload the whole folder 'phpwhois-4.2.2' to the root. Not just the files.

Root
---- phpwhois-4.2.2

Max Taxable
07-23-2012, 02:42 PM
Upload the whole folder 'phpwhois-4.2.2' to the root. Not just the files.

Root
---- phpwhois-4.2.2

Yep that's what I assumed and did, just wanted it clarified for the peeps.

tambo
08-02-2012, 09:29 AM
Has anyone got this working for v4.1.12?

nhawk
08-02-2012, 09:46 AM
Has anyone got this working for v4.1.12?

It works with 4.1.12.

tambo
08-02-2012, 11:42 AM
So it does. :D

Marked as installed. Very neat and very impressive. Thank you for releasing it.

I'm experimenting with a few registration restriction mods as a means of limiting the incessant spamming from some wannabe revolutionaries on our site (using alt accounts of course... wouldn't want to sully their real identity).

Essentially, I'm wanting to block people from using a proxy at the point of registration (not bothered if they use a proxy to browse or post thereafter), so that they can't maintain their complete anonymity. I know that's an almost impossible task and fraught with difficulty.

I've managed to limit some tor hostnames (in less than an hour) using your mod and that's working well and slowed the problem, but most web proxies don't seem to have an identifiable hostname.

Any advice on how your mod can be used to tackle these, from your experience? Or if I should be looking at another solution to plug that gap, like LordOfWAR_PC's "Registration CIDR/IP (https://vborg.vbsupport.ru/showthread.php?t=257228)" mod?

I've thought about using some port scanning mods as well, but they don't seem surgical enough.

nhawk
08-02-2012, 12:20 PM
So it does. :D

Marked as installed. Very neat and very impressive. Thank you for releasing it.

I'm experimenting with a few registration restriction mods as a means of limiting the incessant spamming from some wannabe revolutionaries on our site (using alt accounts of course... wouldn't want to sully their real identity).

Essentially, I'm wanting to block people from using a proxy at the point of registration (not bothered if they use a proxy to browse or post thereafter), so that they can't maintain their complete anonymity. I know that's an almost impossible task and fraught with difficulty.

I've managed to limit some tor hostnames (in less than an hour) using your mod and that's working well and slowed the problem, but most web proxies don't seem to have an identifiable hostname.

Any advice on how your mod can be used to tackle these, from your experience? Or if I should be looking at another solution to plug that gap, like LordOfWAR_PC's "Registration CIDR/IP (https://vborg.vbsupport.ru/showthread.php?t=257228)" mod?

I've thought about using some port scanning mods as well, but they don't seem surgical enough.

I can't go into too much detail as it would reveal the info to spammers, etc.

But, this does take some work on your end. You'll need to look up the IP owner for those that don't show a hostname. Make note of the NETNAME of the owner. (IE: DARL-TELECOM)

To do this I always start with ARIN and go from there...
ARIN - https://www.arin.net/
RIPE - https://apps.db.ripe.net/search/query.html
ASIA - http://wq.apnic.net/apnic-bin/whois.pl
LATIN AMERICA - http://lacnic.net/cgi-bin/lacnic/whois?lg=EN

There are a couple of others like AFRINIC and Japan, but I don't use those very often.

Then enable Do Whois in the mod and add the netname to hostnames that are banned.

Also keep in mind that no registration should ever come from a 'dedicated server' ip address (such as a 'rackcentre' address). That's a dead giveaway that it's a proxy.

YOODA230
09-01-2012, 07:28 PM
not working for me (vBulletin 4.2.0 Patch Level 2) help me !!

nhawk
09-02-2012, 09:25 AM
not working for me (vBulletin 4.2.0 Patch Level 2) help me !!

It does work on 4.2 PL2.

Make sure you've turned it on in ACP->Settings->Prevent Hostname or Useragent from Registering. And make sure you've entered the hostnames and useragents you want banned.

YOODA230
09-02-2012, 02:09 PM
this is an image..

http://windos.me/test/pm-7RWQ.html

nhawk
09-02-2012, 02:11 PM
rtrtr.com is neither a hostname nor a useragent, it is a TLD name.

If that is what is showing in the hostname or useragent in who's online, then just put rtrtr in the hostname or useragent box.

lazytown
09-04-2012, 04:43 AM
Does this support wildcards? For example if I want to block any hosting ending with .ru, will this allow me to do it? Or will it wind up blocking things like 123.rummy.au ? Pretty important to know!

nhawk
09-04-2012, 10:11 AM
Does this support wildcards? For example if I want to block any hosting ending with .ru, will this allow me to do it? Or will it wind up blocking things like 123.rummy.au ? Pretty important to know!

If you ban ru, rummy will be banned.

I suggest using the full useragent or hostname minus any TLD extension such as .ru, .com, etc.

lazytown
09-04-2012, 12:38 PM
I see, but I may *WANT* to ban something like .ru or .cn from registering.. That could be very effective for me. :) Seems to me it's just an issue of how the wildcards are set up (if the program accepts them, etc)..

nhawk
09-04-2012, 02:18 PM
I see, but I may *WANT* to ban something like .ru or .cn from registering.. That could be very effective for me. :) Seems to me it's just an issue of how the wildcards are set up (if the program accepts them, etc)..

This mod is not to ban TLDs.

What you enter is automatically wildcarded. That is why you can't enter .ru and expect .rummy not to be banned.

From the settings screen for the mod..

NOTE: You do not need to enter the entire hostname. A partial match will result in a registration ban. So if you enter 'proxy', a hostname with 'I am a proxy' will be banned from registering.

The same holds true for useragents.

EDIT:

As an example, let's use googlebot.
It has a hostname of..
crawl-66-249-72-133.googlebot.com

So, all you would enter is googlebot in the hostname setting. Then all hostnames that have 'googlebot' in them will be banned from registering no matter what else is in the hostname.

lazytown
09-04-2012, 09:17 PM
Thanks for your responses... Is there any way for me to easily modify the code so that it only looks at the last part of the hostname? I'm ok with PHP editing.

Is there a log in vbulletin somewhere that shows the useragent (and not who's online because I'm not online all the time)? Or do we have to go digging through raw http log files?

Thank you!!

nhawk
09-04-2012, 09:50 PM
Thanks for your responses... Is there any way for me to easily modify the code so that it only looks at the last part of the hostname? I'm ok with PHP editing.

Is there a log in vbulletin somewhere that shows the useragent (and not who's online because I'm not online all the time)? Or do we have to go digging through raw http log files?

Thank you!!

Again, this is not a mod to ban TLDs.

All of the code is in the plugins for the mod. However, I will not assist in changing the code for what you want to do. That is not the purpose of this mod.

You will need to look through your http logs. There's no log in vB of hostnames or useragents.

Bruce1984
09-07-2012, 03:27 PM
Nice mod, thank you for releasing and your continuous work on it.

I have not downloaded/tested it yet, but I've got one little question; is it possible to like edit the message that will be shown once a username/hostagent has been blocked?

Basically, like you mentioned, it wouldn't be too bad if an occasional human would be prevented from registering. But if it would happen often, for example if you choose to prevent people using proxies when registering (but fine when browsing), the message could show something along the lines of "If you are trying to register and feel you are wrongfully being blocked, feel free to message support[at]host[dot]com"?

In the above case, you're not immediately allowing people to register anyway and can verify a 'legitimate' user by the correspondence with him/her. At least, that's what I'm thinking :).

nhawk
09-07-2012, 04:03 PM
Nice mod, thank you for releasing and your continuous work on it.

I have not downloaded/tested it yet, but I've got one little question; is it possible to like edit the message that will be shown once a username/hostagent has been blocked?

Basically, like you mentioned, it wouldn't be too bad if an occasional human would be prevented from registering. But if it would happen often, for example if you choose to prevent people using proxies when registering (but fine when browsing), the message could show something along the lines of "If you are trying to register and feel you are wrongfully being blocked, feel free to message support[at]host[dot]com"?

In the above case, you're not immediately allowing people to register anyway and can verify a 'legitimate' user by the correspondence with him/her. At least, that's what I'm thinking :).

The message that is displayed is a vB phrase and can be edited to say whatever you want.

Bruce1984
09-07-2012, 04:41 PM
Awesome! Also, thanks for your quick reply :).

Barcham
03-03-2014, 04:22 PM
Lately I've been getting a ton of registration attempts lately, all with either iPod or iPhone user agents and the majority of them coming from the same host - vpn999. I have a couple of mods installed, Spam Hammer and Proxy Alert, which seemed to be blocking most of them - neither program sends me an alert email or PM when blocking a registration, so their effectiveness was not really known - but a few were still getting through. This really wasn't much of a problem because they never confirmed the verification email and as a result had no access to my board. But it was still a pain.

So I was over on Ozzy's site and came across a thread about stopping spammers and decided to give this mod a shot. Wow!! In the little over a day since it's been installed, It's stopped 15 bots from registering and notified me of each one with a nice, clear PM. So now while they're still lurking around, trying to modify their user profile that was never created, I sit back and laugh at them. :D

I noticed that no one has posted in this thread for over a year and a half so I figured I'd give it a bump. It's a great mod and really helpful to stop spammers. If you decide to install it, visit Ozzy's site to download the list of hostnames and user agents which is what really makes this mod work so effectively.

Here's the original link that led me here. There are a few other very useful mods listed there also! http://ozzmodz.com/showthread.php/506-The-Era-Of-Big-Spam-Is-Over

Huge thanks again to Ozzy47 and Max Taxable for their work to keep spammers at bay!!!

Max Taxable
03-03-2014, 06:17 PM
Lately I've been getting a ton of registration attempts lately, all with either iPod or iPhone user agents and the majority of them coming from the same host - vpn999. I have a couple of mods installed, Spam Hammer and Proxy Alert, which seemed to be blocking most of them - neither program sends me an alert email or PM when blocking a registration, so their effectiveness was not really known - but a few were still getting through. This really wasn't much of a problem because they never confirmed the verification email and as a result had no access to my board. But it was still a pain.

So I was over on Ozzy's site and came across a thread about stopping spammers and decided to give this mod a shot. Wow!! In the little over a day since it's been installed, It's stopped 15 bots from registering and notified me of each one with a nice, clear PM. So now while they're still lurking around, trying to modify their user profile that was never created, I sit back and laugh at them. :D

I noticed that no one has posted in this thread for over a year and a half so I figured I'd give it a bump. It's a great mod and really helpful to stop spammers. If you decide to install it, visit Ozzy's site to download the list of hostnames and user agents which is what really makes this mod work so effectively.

Here's the original link that led me here. There are a few other very useful mods listed there also! http://ozzmodz.com/showthread.php/506-The-Era-Of-Big-Spam-Is-Over

Huge thanks again to Ozzy47 and Max Taxable for their work to keep spammers at bay!!!

This is one of the really great and under-appreciated tools in the anti-spam toolbox. Glad you're using it as part of your moat and it's helping.

ozzy47
03-03-2014, 09:29 PM
Yeah, this mod, I am surprised it has not drawn more attention. I use it, and recommend it. :)

Barcham
03-03-2014, 09:44 PM
It works great. Blocked 25 so far and just keeps on going. Sure, some if not all of those may have been blocked by Spam Hammer or Proxy alert but I had at least 2 per day getting through and being able to register. Since I installed this mod, not one bot has made it in.

I did find it surprising, however, that every user agent blocked so far has been either an iPhone or iPod.

ozzy47
03-03-2014, 09:46 PM
Yeah that is a new thing they try to do in order to get through. With this mod, and the rest from the post on my site, using the lists I included, you should be good to go. :)

Max Taxable
03-03-2014, 10:42 PM
It works great. Blocked 25 so far and just keeps on going. Sure, some if not all of those may have been blocked by Spam Hammer or Proxy alert but I had at least 2 per day getting through and being able to register. Since I installed this mod, not one bot has made it in.

I did find it surprising, however, that every user agent blocked so far has been either an iPhone or iPod.

The spam programs can spoof the user agent string. I have seen it happen on my board - failing to get in with IE 6 suddenly I see i-phone from exact IP and provider, not even 10 seconds later.

That's why this is an excellent bullet to have in the anti-spam gun. Still another layer.
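
Added example, not part of the thread or of the add-on's code: nhawk's earlier advice to dig through the HTTP logs and the user-agent switching described in the post above can be combined into one check that lists every client that requested register.php and flags IPs that presented more than one user agent. The log lines are constructed; the "combined" log format and the `/forums/` path are assumptions.

```php
<?php
// Added example. Constructed log lines using documentation IP ranges;
// Apache/nginx "combined" format is assumed.
$sampleLog = <<<'LOG'
198.51.100.23 - - [03/Mar/2014:16:20:01 +0000] "GET /forums/register.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [03/Mar/2014:16:20:09 +0000] "GET /forums/register.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)"
203.0.113.77 - - [03/Mar/2014:16:25:40 +0000] "POST /forums/register.php?do=addmember HTTP/1.1" 200 812 "http://www.example.com/forums/register.php" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
198.51.100.23 - - [03/Mar/2014:16:26:02 +0000] "GET /forums/showthread.php?t=12 HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (Linux; U; Android 2.2)"
this line is not a log entry
LOG;

/** Parse one combined-format line; returns null for anything that does not fit. */
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

/** Collect hits on the registration script, grouped by client IP and user agent. */
function registration_hits(string $log, string $script = 'register.php'): array
{
    $byIp = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $e = parse_combined($line);
        if ($e === null) {
            continue; // malformed or truncated line
        }
        // Compare the path only, so query strings such as ?do=addmember still count.
        if (basename((string) parse_url($e['target'], PHP_URL_PATH)) !== $script) {
            continue;
        }
        $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $e['time']);
        if ($ts === false) {
            continue;
        }
        $byIp[$e['ip']]['hits'] = ($byIp[$e['ip']]['hits'] ?? 0) + 1;
        $byIp[$e['ip']]['agents'][$e['ua']][] = $ts->getTimestamp();
    }
    return $byIp;
}

/** IPs that presented two or more different user agents to the registration script. */
function agent_switchers(array $byIp): array
{
    $out = [];
    foreach ($byIp as $ip => $info) {
        if (count($info['agents']) < 2) {
            continue;
        }
        $all = array_merge(...array_values($info['agents']));
        $out[$ip] = [
            'agents'       => array_keys($info['agents']),
            'span_seconds' => max($all) - min($all),
        ];
    }
    return $out;
}

$hits = registration_hits($sampleLog);
foreach ($hits as $ip => $info) {
    printf("%-15s %d hit(s), %d user agent(s)\n", $ip, $info['hits'], count($info['agents']));
}
foreach (agent_switchers($hits) as $ip => $info) {
    printf("%s switched user agent on register.php within %d s:\n", $ip, $info['span_seconds']);
    foreach ($info['agents'] as $ua) {
        echo "    $ua\n";
    }
}
```

The user agents and IPs it lists are the raw material for deciding which terms belong in the mod's settings for your own site.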

Barcham
03-04-2014, 02:21 AM
Yeah that is a new thing they try to do in order to get through. With this mod, and the rest from the post on my site, using the lists I included, you should be good to go. :)

I did download the lists and added them to the mod along with the 'vpn999' that I noticed all the bots were connecting through. All but 5 of the banned bots so far have come from this 'vpn999' host.

Is it wrong of me to get some perverse pleasure seeing these bots spin around in circles? I wonder if they will ever just give up? LOL :D

AK47-
03-04-2014, 02:38 PM
This prevent TOR users?

Barcham
03-04-2014, 04:46 PM
I use Proxy Alert to block TOR users. It works fine in conjunction with this and other mods I have installed to block spammers.

https://vborg.vbsupport.ru/showthread.php?t=299546&page=15&highlight=proxy+alert

Max Taxable
03-04-2014, 04:47 PM
This prevent TOR users?

If you have tor on the list it does.

Barcham
03-04-2014, 10:46 PM
The spam programs can spoof the user agent string. I have seen it happen on my board - failing to get in with IE 6 suddenly I see i-phone from exact IP and provider, not even 10 seconds later.

That's why this is an excellent bullet to have in the anti-spam gun. Still another layer.

Yup. They are definitely spoofing the user agent. I was getting a lot of guests with an iPhone or iPod user agent but now they all seem to have an Android 2.2 one. But despite their pitiful attempts to register, they are still being blocked. I've started a little game with one of my mods where we see who can guess what user agent they will try next! :p

lazytown
03-21-2014, 02:07 AM
Would be great if this would post in a thread instead of PMing admin for the blocks.

ozzy47
03-21-2014, 02:20 AM
Would be great if this would post in a thread instead of PMing admin for the blocks.

TBH, I would just turn off the PM's, once you know the mod is working after sending you some PM's, there is no need for them, you know it is working, so turn them off. :)

BadgerDog
03-21-2014, 11:41 AM
Installed with thanks on 4.1.3pl5 for testing, using ossmodz's list of hostnames... :)

Is it better to have Do Whois option ON or OFF?

Regards,
Doug

Max Taxable
03-21-2014, 11:42 AM
Installed with thanks on 4.1.3pl5 for testing, using ossmodz's list of hostnames... :)

Is it better to have Do Whois option ON or OFF?

Regards,
Doug

I keep it on.

BadgerDog
03-21-2014, 11:49 AM
I keep it on.

Thank you .. :)

I've also been trying to locate in "phrases", the text that gets shown...

Can't seem to find it. Is there a phrase I can enter to help locate it?

Regards,
Doug

Edit: also, is there a list of useragents, as in Ozz's hostnames that I could start with?

ozzy47
03-21-2014, 11:51 AM
Thank you .. :)

I've also been trying to locate in "phrases", the text that gets shown...

Can't seem to find it. Is there a phrase I can enter to help locate it?

Regards,
Doug

What text are you talking about?

BadgerDog
03-21-2014, 11:58 AM
What text are you talking about?

Perhaps I'm confused. .. :confused:

I was referencing this post ...

https://vborg.vbsupport.ru/showpost.php?p=2363401&postcount=41

Is there a phrase that the user who's blocked sees?

Regards,
Doug

ozzy47
03-21-2014, 12:00 PM
That would be the phrase, hostusercheck_error

BadgerDog
03-21-2014, 12:06 PM
That would be the phrase, hostusercheck_error

Roger that ... :up:

Thanks again ...

Got this running with your list, so will observe and see what happens ... :)

Regards,
Doug

BadgerDog
03-21-2014, 12:16 PM
Ok... had to turn it OFF quickly... :D

It's blocking our Sucuri Verified Site monitor access ... :eek:

I checked the hostname in the PM it sent and it's monitor5.sucuri.net which is not in the list .. :confused:

How do I tell this mod that this is ok?

What I don't understand, is why it's blocking a registration when there's no registration needed for this access?

Thanks...

Regards,
Doug

ozzy47
03-21-2014, 12:18 PM
I can check it out when I get home, not sure why, as I use sucuri also, and have no issues.

BadgerDog
03-21-2014, 12:22 PM
I can check it out when I get home, not sure why, as I use sucuri also, and have no issues.

Thanks... :)

I have left the mod OFF for now...

I have also sent you a PM with the message I received from mod... ;)

Regards,
Doug

Max Taxable
03-21-2014, 05:58 PM
I checked the hostname in the PM it sent and it's monitor5.sucuri.net which is not in the list ..

See if just 'sucuri' is on the list.

nhawk
03-21-2014, 07:25 PM
'monitor' could also be in the list.

Also without the exact IP address in question, it could be other things.

Such as sucuri.net is a proxy system. So, if it returned the word 'proxy' and that word is in the list it would be banned.

BadgerDog
03-21-2014, 07:32 PM
Neither sucuri nor monitor are in the list ...

I have the exact IP...

66.228.40.185 tried to register.

It had a host name of: monitor5.sucuri.net

It had a useragent of: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16; Ipad

Regards,
Doug

nhawk
03-21-2014, 07:53 PM
Without seeing your list (please DON'T post that in public), I don't know why it would have banned them. If you want, send me your list via PM and I'll have a look.

The other thing that could be in your list that is associated with that IP is 'LINODE'.

And check your hostname list too. Something might be in there.

Max Taxable
03-21-2014, 07:57 PM
If you have it set to do the WHOIS check it might be returning the word "proxy."

nhawk
03-21-2014, 08:01 PM
If you have it set to do the WHOIS check it might be returning the word "proxy."

That's what I thought at first, but it returns..

Hostname: monitor5.sucuri.net
NetName: LINODE-US <------- This is the important one

Max Taxable
03-21-2014, 08:12 PM
That's what I thought at first, but it returns..

Hostname: monitor5.sucuri.net
NetName: LINODE-US <------- This is the important one

Just so... Just so.

But, not finding that either when I search the list he said he is using.

Max Taxable
03-21-2014, 08:16 PM
What I don't understand, is why it's blocking a registration when there's no registration needed for this access?

If it attempts to register it will be blocked if it is on the list, otherwise nothing happens to it.

That it's using a i-phone as a UA seems strange to me. Using a spoof UA and trying to register aren't the behavior you would expect of a site monitor.

Again, the only way this mod fires is if a register attempt is made. It doesn't block anything else. It does not block access.

The key is, "Tried to register." Sucuri Verified Site Monitor is not blocked from access and it has no legitimate business loading the register page..

Max Taxable
03-21-2014, 08:29 PM
Spammer botnets often infect systems such as these site monitors and verifiers. I believe this mod stopped an attempted bot registration. It did its job.

It did not restrict any other access by your site monitoring service. At all. I recommend you turn it back on.

You might ask Sucuri why their bot product is trying to register.

ozzy47
03-21-2014, 08:43 PM
That is a legit sucuri IP address.

Doug, what do you have in your robots.txt file?

nhawk
03-21-2014, 08:52 PM
As Max said, this add-on only triggers when someone tries to register. It doesn't prevent access to the site. It prevents registration.

So if Sucuri attempted to register and either the hostname or useragent for the Sucuri bot contained blocked information then the add-on did its job. It blocked a registration, that's all. It didn't prevent access to the site.

Max Taxable
03-21-2014, 08:53 PM
That is a legit sucuri IP address.

Right, which means they are very likely infected and have some botnet zombie computers on their system. It's not at all unusual to see.

Point is, it has no business at all loading the register page or trying to register. This mod did its job.

And his site monitoring service is not blocked from the site. Just the register page, where it doesn't need to be.

I'd leave it.

nhawk
03-21-2014, 08:56 PM
Max I wish I could like your posts multiple times, but C'est la vie :D

Max Taxable
03-21-2014, 08:57 PM
Max I wish I could like your posts multiple times, but C'est la vie :D

Me too, just tried liking another of yours haha.

BadgerDog
03-21-2014, 09:55 PM
Without seeing your list (please DON'T post that in public), I don't know why it would have banned them. If you want, send me your list via PM and I'll have a look.

The other thing that could be in your list that is associated with that IP is 'LINODE'.

And check your hostname list too. Something might be in there.

PM'd you with the list, which is the one Ozz recommended... :)

Regards,
Doug

nhawk
03-21-2014, 10:13 PM
PM'd you with the list, which is the one Ozz recommended... :)

Regards,
Doug

LOL, this one was simple.

It's blocked because 'tor' is in the list (monitor5.sucuri.net). So it did its job.

In either case, sucuri.net has no business accessing register.php, so the add-on did its job.

It didn't ban Sucuri from accessing the site, it just stopped it from registering.

So, re-enable the add-on.

Max Taxable
03-21-2014, 10:16 PM
LOL, this one was simple.

It's blocked because 'tor' is in the list (monitor5.sucuri.net). So it did its job.

In either case, sucuri.net has no business accessing register.php, so the add-on did its job.

It didn't ban Sucuri from accessing the site, it just stopped it from registering.

So, re-enable the add-on.

And that is an oversight on my own part, since I compiled most of that list.

I'll be recommending "tor" be removed post haste. I think we have it covered with another definition anyway.

BadgerDog
03-21-2014, 10:23 PM
LOL, this one was simple.

It's blocked because 'tor' is in the list (monitor5.sucuri.net). So it did its job.

In either case, sucuri.net has no business accessing register.php, so the add-on did its job.

It didn't ban Sucuri from accessing the site, it just stopped it from registering.

So, re-enable the add-on.

Unfortunately, Sucuri needs to access our site as it's a primary security monitor and does complete server scans every 1/2 hour...

Regards,
Doug

BadgerDog
03-21-2014, 10:26 PM
And that is an oversight on my own part, since I compiled most of that list.

I'll be recommending "tor" be removed post haste. I think we have it covered with another definition anyway.

Ok, I removed tor and have saved the mod and restarted it.. :)

Thanks for all the help guys... :up:

Regards,
Doug

nhawk
03-21-2014, 10:30 PM
Unfortunately, Sucuri needs to access our site as it's a primary security monitor and does complete server scans every 1/2 hour...

Regards,
Doug

It can access the site. The add-on doesn't stop that. It just threw an error to it saying it can't register.

Max Taxable
03-21-2014, 10:42 PM
Unfortunately, Sucuri needs to access our site as it's a primary security monitor and does complete server scans every 1/2 hour...

Regards,
Doug

Once again... It does not and should not be trying to register. That is not part of its normal behavior.

BadgerDog
03-21-2014, 10:42 PM
It can access the site. The add-on doesn't stop that. It just threw an error to it saying it can't register.

Roger that ... :up:

Thanks again... :)

Regards,
Doug

lazytown
03-22-2014, 07:35 PM
TBH, I would just turn off the PM's, once you know the mod is working after sending you some PM's, there is no need for them, you know it is working, so turn them off. :)

I prefer to keep logs, but a log with dozens of PMs a day is unmanageable. See the recent posts above for an example of why you'd want to keep a record so that you can search it later (Sucuri being blocked).

nhawk
03-22-2014, 09:36 PM
I prefer to keep logs, but a log with dozens of PMs a day is unmanageable. See the recent posts above for an example of why you'd want to keep a record so that you can search it later (Sucuri being blocked).

Sucuri was not blocked from the site. Nobody is blocked from the site with this mod. Sucuri was blocked from registering. There's a big difference.

https://vborg.vbsupport.ru/showpost.php?p=2488837&postcount=86

ozzy47
03-23-2014, 04:39 PM
Ok just a follow up on the Sucuri situation.

Sucuri will scan your site with several different user-agents (including the one you mentioned).
During this scan, the bot will crawl through all links found in the site, and looks like it's hitting the registration link.

Sucuri will not follow the robots.txt directives. Since it tries to behave as a "real user" it'll ignore that file. The only way to do it would be creating a .htaccess file to redirect SiteCheck to a 404 or a different page when hitting those forms.

So you can add tor back to the list if you wish, and add this to your htaccess file.

<Filesmatch "^(register)\.php$">
order allow,deny
allow from all
deny from 192.155.95.139
deny from 66.228.40.185
</Filesmatch>

That will stop Sucuri from hitting the registration trigger, and it is what they recommended to me. :)

nhawk
03-24-2014, 01:48 PM
I am still curious what difference it makes if Sucuri is sent to the error page when it hits register.php or not?

It seems Sucuri is scanning pages for malware and the error page shouldn't have any malware.

Or, does Sucuri know exactly what register.php is supposed to contain and they throw an error on their end if it contains anything else?

ozzy47
03-24-2014, 04:36 PM
I believe they just check it for malware.

Max Taxable
03-29-2014, 01:34 AM
Hey Snog... Any plans to make the filter list one per line, so it has to be exact match to get caught? Example - just had a spammer register from "Biznet" but adding this to the filter is going to catch everything that has 'biz' or 'net' in the name.

ozzy47
03-29-2014, 01:35 AM
Yeah that would be an optimal way to do it. :)

nhawk
03-29-2014, 10:17 AM
Hey Snog... Any plans to make the filter list one per line, so it has to be exact match to get caught? Example - just had a spammer register from "Biznet" but adding this to the filter is going to catch everything that has 'biz' or 'net' in the name.

No it won't. It will catch BIZNET.

The entire word has to be matched. The word isn't broken down into smaller sections for detection. So bizmarknet would NOT be caught. But badbiznet would.

Max Taxable
03-29-2014, 11:29 AM
No it won't. It will catch BIZNET.

The entire word has to be matched. The word isn't broken down into smaller sections for detection. So bizmarknet would NOT be caught. But badbiznet would.

How then did we catch "monitor5.sucuri.net" using the word 'tor' in the filter?

nhawk
03-29-2014, 01:02 PM
How then did we catch "monitor5.sucuri.net" using the word 'tor' in the filter?

The plain word 'tor' was in the list. That matched the tor in "monitor5.sucuri.net"

See the difference..

BIZNET

bizmarknet would NOT be caught.

but somethingbiznetelse would be.

Max Taxable
03-29-2014, 05:51 PM
The plain word 'tor' was in the list. That matched the tor in "monitor5.sucuri.net"

See the difference..

Okay... Yep I get it.

With "Ban Spiders by User Agent" we don't get such matches, I assume because the definitions are line by line instead of separated by commas?

nhawk
03-30-2014, 10:49 AM
Okay... Yep I get it.

With "Ban Spiders by User Agent" we don't get such matches, I assume because the definitions are line by line instead of separated by commas?

Well, no it's more because of the way they check for matches. I look for it in any part of the host name or user agent. They match the exact item.

I've found that doing it the way I do gives better protection overall. Mainly because if you decide you don't want any servers registering you just have to enter 'server'. That kills a good number of bots right off the bat. Another example would be rackcentre. Anything with that in the host name is a server. Listing each server from rackcentre would be a list 10 miles long. So with the way I do it, just entering it once kills them all.

ozzy47
03-30-2014, 11:11 AM
Let me ask you this, can it be made to have each one on its own line without a performance issue? It would be much easier to maintain the list that way.

nhawk
03-30-2014, 12:00 PM
Let me ask you this, can it be made to have each one on its own line without a performance issue? It would be much easier to maintain the list that way.

It could be done. But to keep it simple, I would also have to retain the csv format to account for old installations.

I'll put it on the wish list for the mod.

ozzy47
03-30-2014, 12:12 PM
Cool, I would really like to see that. ;)

Alan_SP
03-30-2014, 05:01 PM
With "Ban Spiders by User Agent" we don't get such matches, I assume because the definitions are line by line instead of separated by commas?

Actually, we do.

I had a problem with banning the string MSIE 1, with which I tried to block old MSIE 1 users. But today there are MSIE 10 and MSIE 11, and both browsers were also blocked, as they contain "MSIE 1" in their UA. As I remember, to block only MSIE 1 we should use this string: MSIE 1. (dot at the end), as it is identified with MSIE 1.0.

I wrote about it in the Ban Spiders thread.

We need to be very careful what string we block, otherwise we end up blocking innocent users.

ozzy47
03-30-2014, 05:34 PM
Yeah it is best to be cautious when adding things to these types of mods. :)

Max Taxable
03-30-2014, 08:11 PM
Actually, we do.

I had a problem with banning the string MSIE 1, with which I tried to block old MSIE 1 users. But today there are MSIE 10 and MSIE 11, and both browsers were also blocked, as they contain "MSIE 1" in their UA. As I remember, to block only MSIE 1 we should use this string: MSIE 1. (dot at the end), as it is identified with MSIE 1.0.

I wrote about it in the Ban Spiders thread.

We need to be very careful what string we block, otherwise we end up blocking innocent users.

Right, I remember that well. I merely stopped worrying about IE 1 since the likelihood of any device using that still surviving seems very low.

CaptainAwesome
05-26-2014, 08:18 AM
So how do I collect hostnames and useragents to ban? I saw post 29 but being a newbie it means nothing to me.

Let's start with an example. I just had a spammer try to register. Their IP is 137.175.68.84 and looking at stopforumspam confirms there is a lot of spamming going on from this IP.

What would be my next step (in newbie talk)? When I tried to do a hostname search using whatismyip.com, it just threw up the IP address I just posted.

nhawk
05-26-2014, 10:04 AM
If you don't understand what's in post 29, it really can't be explained in any simpler terms.

Look up the IP at ARIN as described in post 29.

In the case of that IP, you would want to ban 199-180-100-0-1

CaptainAwesome
05-26-2014, 10:23 AM
Got it

fxdigi-cash
08-03-2014, 09:28 PM
This great mod should be a built-in vb as a security and protection tool ...

princesspepper
12-07-2014, 09:55 AM
Installed on VB4.2.2 PL2

ozzy47
12-07-2014, 10:01 AM
You will find this is an invaluable tool on your site. :)

adwade
12-11-2014, 06:36 PM
Quick question: If netzip is entered as a useragent to be blocked, will that also block NetZIP and NetZip? (i.e. Are the useragent names case sensitive in order to work for all occurrences?)

Also, what about Mata Hari vs. Mata.Hari ? If only Mata Hari is entered as the useragent, will that catch Mata.Hari as well?

nhawk
12-11-2014, 07:44 PM
Quick question: If netzip is entered as a useragent to be blocked, will that also block NetZIP and NetZip? (i.e. Are the useragent names case sensitive in order to work for all occurrences?)

Also, what about Mata Hari vs. Mata.Hari ? If only Mata Hari is entered as the useragent, will that catch Mata.Hari as well?

Useragents are not case sensitive.

Mata Hari will only catch Mata Hari, not Mata.Hari.

markoroots
01-29-2015, 07:32 PM
All you had to do was put something to ban in both the Useragent field and the Hostname field.

The error was because one of those fields was blank.

I'll see about a fix for that soon.

EDIT: Fix released today (version 1.0.2)

Hi guys,
I have the same problem too. What can I do to fix it?
I have installed the 3.0.1 version of the mod.

nhawk
01-29-2015, 07:50 PM
Hi guys,
I have the same problem too. What can I do to fix it?
I have installed the 3.0.1 version of the mod.

You should not be having the same problem with version 1.0.3.

But try putting something in both the Useragent field and the Hostname field to see if your problem stops.

markoroots
01-29-2015, 08:27 PM
Hi Nhawk and thanks for your reply.
In the Hostname box is just full of host names.
The Useragent box is empty. What can I add?
Have you a list of useragents please?

nhawk
01-29-2015, 08:34 PM
Hi Nhawk and thanks for your reply.
In the Hostname box is just full of host names.
The Useragent box is empty. What can I add?
Have you a list of useragents please?

Just add the word proxy

markoroots
01-29-2015, 09:10 PM
Inside the Mod?
Is a new release?

nhawk
01-29-2015, 09:21 PM
Inside the Mod?
Is a new release?

I don't understand what you're asking now.

You asked what to add to the Useragent box and I answered that.

markoroots
01-29-2015, 11:06 PM
Ahhh sorry...
I thought you have added something in the mod. sorry... :)

I go to try.

markoroots
01-29-2015, 11:13 PM
I did it but nothing changed. :(
You can see the page that is visualized, here:

https://vborg.vbsupport.ru/external/2015/01/3.png

nhawk
02-01-2015, 12:05 PM
I did it but nothing changed. :(
You can see the page that is visualized, here:


Sorry for the delay in replying. For some reason I didn't get an email notification that you replied.

Unfortunately this time I can't duplicate what's happening to you. Would you be willing to give me admin access to your site so I can investigate what's going on? If yes, send me a user name and password, along with your site address via PM so I can log in and see what's happening.

nhawk
02-01-2015, 12:14 PM
After a little experimentation I was able to duplicate what you're seeing.

Make sure what's entered in both the Hostnames and Useragents fields for the add-on options do not end with a comma.

BAD: aba,aaa,aaad,

GOOD: aba,aaa,aaad

Also be sure you don't have any double commas in the lists.

BAD: aba,,aaa,aaad
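
The matching behaviour discussed in this thread ('tor' catching monitor5.sucuri.net, "MSIE 1" catching MSIE 10, and the trailing or doubled comma in the list) can be checked before a ban list goes live. This is an added Python example, not the add-on's code: the function names, the stricter boundary rule and the user-agent strings marked as constructed are assumptions of the example.

```python
import re

def parse_ban_list(raw):
    """Split a comma-separated ban list; drop blanks left by trailing or doubled commas."""
    return [t.strip().lower() for t in raw.split(",") if t.strip()]

def substring_hits(value, terms):
    """Terms found anywhere in value, ignoring case (the matching described in the thread)."""
    v = value.lower()
    return [t for t in terms if t in v]

def bounded_hits(value, terms):
    """Assumed stricter rule: a term only counts when no letter or digit touches it."""
    v = value.lower()
    return [t for t in terms
            if re.search(r"(?<![a-z0-9])" + re.escape(t) + r"(?![a-z0-9])", v)]

def audit(terms, known_good):
    """Return {value: [terms]} for known-good values the substring rule would block."""
    report = {}
    for value in known_good:
        hits = substring_hits(value, terms)
        if hits:
            report[value] = hits
    return report

if __name__ == "__main__":
    # Terms and hostnames taken from the thread, plus constructed user-agent strings.
    terms = parse_ban_list("tor,biznet,MSIE 1,")   # trailing comma on purpose
    samples = [
        "monitor5.sucuri.net",
        "bizmarknet",
        "badbiznet",
        "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)",  # constructed
        "Mozilla/1.22 (compatible; MSIE 1.0; Windows 3.1)",     # constructed
    ]
    for s in samples:
        print(f"{s!r}: substring={substring_hits(s, terms)} bounded={bounded_hits(s, terms)}")
    # An unfiltered split keeps "" as a term, and "" is a substring of every string.
    print("blank term kept by naive split:", "" in "tor,biznet,".split(","))
```

Running `audit()` with the hostnames and user agents of services that must stay able to reach the registration page shows which list entries would catch them.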

markoroots
02-05-2015, 04:41 PM
Sorry for the delay, I just read this now.
Yes bro, you rock. ;)
There was a comma after the last word of Hostnames.
I deleted it and now the mod works well. ;)
Great! :)
Many thanks for your mod and for your help. ;)