This has become a huge problem in the last few months. I've been using another technique to auto moderate these posts, because if this "image" displays before the mods see it, the stuffer has already accomplished what they set out to accomplish, to at least some victims. I have the mods clear their cookies and cache after they've reviewed the moderated post, because doing so stuffs their browser too. I might add your plugin as another layer of protection.

If I'm reading your description correctly, you cannot add an additional option to auto moderate these, is that correct? Despite what I said about having my own technique, I think your mod + that capability would work even better.

Some others notes:

If this hooks into new post_process, does it see the quoted portion of a post as well? They are quoting valid posts and inserting them there.

They don't always use broken image links. They are embedding a link that resolves to a standard looking vBulletin smiley, and displays as such, but there's actually a PHP script that's being run in the process. Tip: don't use standard vBulletin smilies and convert what you have to PNG's. <some domain>/happy.gif is the most common. I believe the use of the GIF extension is what is enabling them to run scripts via these images.

Use relevant replacements to replace known cookie stuffer domains with something else. Not only will this block future attempts from these domains, it will also clean up existing posts.

They will try to get this on one page of every thread. That increases the possibility that a Google click through will be successful in the event what the searcher is looking for is on a specific page of your thread (other than page 1)

There's another technique that's being used to inject this in these into these into the footer template.
If you want to stay on top of their techniques, read the places they hang out. Search Google for blackhatseo and cookie stuffing. Their are even YouTube instructional videos on how to cookie stuff.

Edit your reportpost_newthread phrase to wrap quoted posts with no parse tags. This will help you see the domain better, so the URL tag doesn't mask it. Do the same with infraction_thread_post. Otherwise, the mods can't see the offending link without editing the post.

If you're an admin, create new infraction types (e.g., cookie stuffing) That way you can quickly look through the reports and infractions forum and review these yourself. I have a pretty large board, so this makes it easier for me to manage.

This article best describes every technique under the sun:
[url]http://www.esrun.co.uk/blog/cookie-stuffing/[/url]

If you run a large board, and are just reading this for the first time, there's a good chance your forum already has a lot of these. Once you clean them up, and put some protection mechanisms in place, it's unlikely you will see these show up in someone who has more than a 15 posts.

Use BOP's plugin to block members with less than <x> posts from using signatures. They are sticking them there too. I would link everyone, but I'm typing all this from a phone.

At one point, I think they were using spam bots to cookie stuff. The posts would often consist of only text that said "great information" or something of not much substance. Now there are live human beings that are on topic and are fitting in with regular members.

I have some more insightful tips info, and what I do to control this, but I actually think they read these forums and I'm not giving my secrets to them ;)

Keep in mind, this problem doesn't just exist in your forum. It's all over blogs, and even sites that might look legitimate. I clear my cookies constantly now.

Sorry for hijacking your thread, but this has been a huge nuisance.

cstreater,

Thanks for the detailed info. You are correct this mod will NOT auto-moderated a post.

It requires a human to make sure the count of images matches the number of images the user sees.

What is that if someone does use a fake smiley that smiley will count as an image and this mod will display it's warning banner. If they had used a real forum smiley this mod will ignore it and there would be no banner.

So, in summary, if you see the warning banner and only a default smiley in the post- that is very suspicious and should probably be deleted.

Back in the day, they used to hide warez within images and put them on a webhost. Most of the time they were broken images, but if they took enough time, would be a tiny image like a smiley, but which had a huge file size. We had a script on cron that would scan real late at night, find and report these images. It is possible to have php review the code of the actual image and look for domains in that code. No image should have any domain such as 'amazon' within it's code. Take any image and open it with wordpad. Now find a cookie stuffer image and do the same. You will know what your addon needs to do after seeing that. All it really has to do is look for certain words in the image code, or you can give that option to the forum owner to insert what keywords he would like the addon to check for in the image code.

That's a good idea for a mod Webdude... it won't be part of this one as it would involve very different code and setup but I will do some investigation and see what can be done.

Is it possible to only show this alert to certain user groups? I don't want regular members seeing it.

Yes, the built in option Show Report Usergroups controls what usergroups see the notices.