Quote:
I would take the IP address and I would go over to DnsStuff.com and run it through WHOIS and the Spam Database Lookup, to get a clearer picture of who or what was trying to register. I run a 10,000+ member board and the only IP denial from the RBL Checker I have ever received that was questionable was an IP address of a grade school that was apparently running a proxy. However, the DnsStuff.com Spam Database Lookup had multiple reports from the many various spam monitor services that tended to indicate that even if the school was legit (as it seemed to be), what the school's proxies had been used for apparently wasn't. It's very possible that the school's proxy servers may have been infiltrated and they were being abused without the school even being aware of it. I also modified the xml file to include a link to the "Contact Us" section of the board I run. I haven't had anyone contact me except for the troll for whom I primarily installed it...and yes, he was hopping mad that he couldn't get back in using the rotating proxy software he had been able to use to bypass our ban. He literally spent almost two days of what seemed like non-stop trying. That is why I asked Daniel to be able to change the notification system from PMs to a thread (preferably in the private forum for Mods & Admins) notification, as some of my Mods that aren't always around were having their PM boxes filled to the brim, as it took this idiot several days to finally give up. I actually figured that once I got rid of him I would disable it...until I got another problem poster using proxies to bypass our ban again. Anyway, like I said, I monitored the alerts very closely, and from that most of the blocked IPs were from places like India, China, Brazil, Hungary, Saudi Arabia, Russia, etc. Now then, you may have members from those countries, but out of our 10,000+ members...none of ours that are legitimate are from those countries.
Could there be?...of course, but very doubtful. Now I have several alerts a day from those countries as they are spam bots who normally made it to the Captcha system before getting denied. The Proxy RBL checker now was stopping them at the front door instead, thus triggering an alert. Also, seeing the sheer amount caused by spam bots was also a real eye opener, as since the new vBulletin 3.6+ version we haven't been getting many spam bots as the new Captcha system has made a big difference. Anyway, even though it was interesting seeing just how many spam bot attempts were actually made, it was starting to get annoying, which is also why I'm glad that Daniel moved the RBL checker back a little bit to "register_addmember_process", thus allowing the Captcha system to deny them...thus cutting down on the alerts. Anyway, like I said, I only installed this mod because of a very determined troll who was using rotating proxies to get back in. I was having to go into either the AdminCP or the server itself (to access my .htaccess forwarding to another place based on IPs) two or three times a day to add whatever new proxy address he was using. It was a real "cat and mouse" game, as I would block him and then he would simply switch IPs and re-register, and not only was it annoying, but it was taking up a good bit of my time, as I had to verify that the IP was a proxy or spam IP, and then log in to either the AdminCP or the .htaccess file on the server to ban that IP. Once I got rid of him, I planned to disable this mod, but I decided to leave it on (mostly if he comes back) and monitor it closely. With that one questionable denial, the others have been shown to be either spam or proxy registration attempts. I think the changes in this updated version of the RBL checker will really give Admins the necessary controls to be either aggressive or lenient in the registration process.
I suggest people who are skeptical like I was try it and monitor it and verify the registration information against WHOIS, known proxy and spam lists (such as those at DnsStuff.com). If after examining the RBL Checker Alerts, you think that legitimate users are being denied, then either disable it (like I had planned to do) or simply uninstall it. I honestly am not trying to be a cheerleader for Daniel or this mod, but I think this approach on an old problem is fresh and unique (I also like Paul M's Real IP Detection for a 1, 2 punch). :) |
Indeed ... I recommend anyone who isn't sure the RBL is granular enough to not block legitimate users configure the first three options YES - YES - NO and give the blocker a forumid to post reports.
We have not had problems with trolls as yet... although our site has only been open less than 2 months and only has about 1000 users. I'm using the multiple login detector to track when we have more than 1 user @ a given IP, but my experience on other boards is that trolls use proxies to get around IP bans... I have seen the same person banned 5 or 6 times in a day, and I have seen registration turned off temporarily to stop trolls from registering... this is much more intrusive than banning their IP and blocking registration from proxies. I'm a bit of a prick so I have the RBL Blocker configured to block registration... you could easily configure it to allow registration and only change it to block if you start to get a lot of hits in association with troll activity on the board. In part, allowing the person to get to the "submit" portion of registration also captures any hotmail/etc. addresses they have set up to get around IP/email address bans. Of course... you will have to manually add those email addresses to the email banning options. The other option would be to enable auto-banning. |
Nice mod. I was wondering: they had a nice way to block anonymous proxies in phpBB via a mod, which was pretty nice. Would you be able to see if you can work any of that into this? You can take a look at how it's written here and what it does: http://web-professor.net/wp/2005/05/...mod-for-phpbb/
|
Quote:
My suggestion is that if you are going to create a plugin that purports to block open proxies, and, while it does block open proxies, it also blocks lots of other things, then that's a disservice. I'm erring on the side of caution, here. Upon further investigation of my user who had a problem the other day, according to the DNSBL, she was coming from an IP that had been known to be compromised by a worm. Do I care about that? Not particularly. I only really care about whether or not it's a proxy. After looking at the link provided by "DementedMindz", I've found that SORBS actually does something right. Check out the link, http://www.us.sorbs.net/using.shtml. I've opted to enable http.dnsbl.sorbs.net, socks.dnsbl.sorbs.net, and misc.dnsbl.sorbs.net, as they are only related to proxies, and nothing else. Here's the deal: I don't really want to babysit my messageboard by investigating every hit that comes through. If I know definitively that a particular IP is only matching because it hosts an open proxy, I'm fine with that. I just think that if you're going to do that, you'll end up chasing a lot of wild geese, seeing as the DNSBLs that come enabled by default, and have otherwise been recommended, do a lot more than just monitor for open proxies. It's a misuse of these DNSBLs. |
OK, so you just added them to the Target RBL? Also, is there supposed to be a space between each or a line break? Also check out http://www.us.sorbs.net/using.shtml#largesites for more options, it seems.
|
Quote:
So, for me, it's as follows: http.dnsbl.sorbs.net socks.dnsbl.sorbs.net misc.dnsbl.sorbs.net |
alternatively, you can use:
proxies.dnsbl.sorbs.net which points to all three of those systems (it'd also mean one query as opposed to three). |
Yeah, my main thing that I really want to block is anonymous proxies as well as other proxies too. Hopefully this will work in doing that. I'm going to try and test it out and see, 'cause I have another script in that's supposed to only work on proxies but anonymous ones get right by it.
|
OK, so is that just going to block all proxies with proxies.dnsbl.sorbs.net? And also, is there any way at all to block anonymous proxies?
|
Operationally, there is no difference between any proxy and one that purports to be an anonymous proxy. All that an anonymous proxy is is one that strips out any data that might be used to track back to the proxy user (often cookies, common server headers, etc).
To answer your question, proxies.dnsbl.sorbs.net will block all proxies registered with it, anonymous or not. Now, it's possible that your understanding of what an anonymous proxy is might be different than that of mine, but I can assure you that they aren't any sort of special beast that is hard to slay. They're just proxy servers. |
OK, well, for example, I have that in there, but say you go to this site: http://anonymouse.org/anonwww.html. Try to register on your site with a new name; I bet it works. I haven't found a way to block these sorts of sites yet 'cause they don't seem to pass the HTTP variables.
|
Quote:
I may look at building a "report an IP" function into my next release so I can build on the list of proxies that get past the RBL. |
Another method of configuring the RBL checker would be to do the following -
1) Create a new user group based on whatever group your "registered users" end up in and call it "Possible Trolls". 2) Set RBL Checker to allow registration but "autoban" user into the "possible troll" group. You can now watch these users a little more closely - and if satisfied they're not trolls you can move them to your registered users group. |
I have added this to my board but it doesn't appear to work. I had a user who is on the sbl-xbl.spamhaus.org list but he was not blocked. I checked that the plugin was active; settings were good. Any ideas why this would occur?
|
You are correct ... I had tested everything was working but then cleaned up some variable names to standardize all the variables I use in the product and managed to misname one of the variables used in the RBL checking part of the code. Please download and install 3.1 - the problem is fixed and I've also changed the error message for RBL blocked users to include the name of the RBL doing the check (over time this should let people prune the list of RBLs they use down to the most effective one.)
Also - doing some tests with lists of free anonymous proxies and it looks like dnsbl.ahbl.org blocks the most IPs (checking on dnsstuff.com) the only problem is that www.ahbl.org has NO information so I'm not willing to make it the default or use it on my production forum. Once I can get some information on it I may make it the default - certainly it reports all the open proxies as being such using DNS stuff. Thanks for pointing out the RBL check wasn't working SinisterPain... |
Thanks for the update, as I have been overwhelmed recently with spammers.
|
Might wanna check it again 'cause it's not working still, at least for me.
It seemed to work fine now, just got my first bust |
Which proxy are you using for testing? Works for me with any anonymous proxy I found using a combination of spamhaus.org and ahbl.org I blocked all attempts from anonymous proxies.
|
Installed....thanks for sharing this code with us. :up:
|
Quote:
Quote:
Incidentally, I recommend checking out www.ahbl.org - they seem to have resolved the issues they were having with their site and from my tests on dnsstuff.com with various google'd lists of proxy servers they have ALL the ones I tested listed... I've set up my production server to use ahbl.org and assuming I get no false positives between now and the next update (what? no new requests for features?) then I may make that the default rather than spamhaus.org, which is less targeted to web proxies. |
Quote:
My list is as follows: sbl-xbl.spamhaus.org proxies.dnsbl.sorbs.net dnsbl.ahbl.org Originally I had ahbl.org at the top - since the RBL Checker stops after a positive match I've moved it to the bottom. This way when I see a report with ahbl.org I know the IP was missed by spamhaus.org and sorbs.net. If anyone else is willing to set up their forum the same way and report back on whether spamhaus, sorbs, or ahbl does the majority of the blocking, it will help me decide on a default for the next release. I don't really want to do too many checks... so I'd like to have 1-2 RBLs as the default. |
Guys, I'd recommend against using dnsbl.ahbl.org or sbl-xbl.spamhaus.org. Their primary function is to provide a list of Open Mail Relays and email spamming sources, which are an ENTIRELY different world than Open Proxies. I don't think that fact is illustrated enough in this thread.
AHBL is particularly aggressive in that they are willing to list blocks of IP addresses. That is, if you have users on a Seattle Area DSL network, and an open mail relay shows up on their network, both that mail relay and your users (or potential users) will be blocked by AHBL. You guys really need to read and understand the purpose and the usage of these blacklists before slapping them in. Many of these blocklists prohibit the usage of their services in this way. You're unnecessarily hitting services that have finite resources. Don't be so eager to block IPs willy nilly and think you're making a difference. You're not. If your goal is to block users coming through anonymizers, proxies, or even the TOR network, then use blacklists whose function is to only report anonymizers, proxies, and TOR networks. The fact of the matter is that you're not going to see a lot of hits with a blacklist like this simply because not many people are going to register with your site who are actually using proxies. Here's what I'm using currently: proxies.dnsbl.sorbs.net tor.ahbl.org I don't get many hits, but that's because I don't expect many hits (that's the reality of things). Again, I like this add-on, I think it's very useful. I'm not criticizing its usage. All I'm trying to do is help people understand what they're doing a little bit better. |
Quote:
proxies.dnsbl.sorbs.net tor.ahbl.org |
Quote:
Now, if this add-on had the ability to interpret the response from various blacklists, you could get more coverage. For example, spamhaus will return indicators as to why a particular IP has matched in their database, and these indicators might include an option saying that it is an open proxy. However, this interpretation doesn't occur, so you will end up matching IPs against things like dial-up networks, dynamic IP hosts, and IP netblocks that *might* include spammers. DementedMindz, and anyone else, if it is your intention to block just Open Proxies, then use the following two hosts, as I do: proxies.dnsbl.sorbs.net tor.ahbl.org |
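An added example (not part of the thread and not the RBL Checker's own code) of the two behaviours discussed above: querying the zones in order and stopping at the first match, and interpreting a list's answer so that only proxy-type listings count. The return-code table, the helper names and the sample DNS answers are constructed assumptions; check each list's documentation for its real codes.

```python
import ipaddress
import socket

# Zones in the order given in the thread; the check stops at the first hit.
# ASSUMPTION: the code sets below are constructed for illustration only.
PROXY_CODES = {
    "sbl-xbl.spamhaus.org": {"127.0.0.4"},  # assumed: only this code means proxy/exploit
    "proxies.dnsbl.sorbs.net": None,        # None = proxy-only zone, any answer counts
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live lookup: A records for name, or [] when the IP is not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and resolver failures both mean "no listing"
        return []

def check_ip(ip, zones=PROXY_CODES, resolve=system_resolver):
    """Return (zone, codes) for the first zone listing ip as a proxy, else None."""
    for zone, wanted in zones.items():
        answers = resolve(dnsbl_name(ip, zone))
        # Real list answers live in 127.0.0.0/8; ignore anything else,
        # such as an ISP resolver that rewrites NXDOMAIN to an ad server.
        codes = {a for a in answers if a.startswith("127.")}
        hits = codes if wanted is None else codes & wanted
        if hits:
            return zone, sorted(hits)
    return None

# Constructed answers standing in for live DNS (documentation address range).
SAMPLE_DNS = {
    "10.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2"],  # listed, but not as a proxy
    "20.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "30.2.0.192.proxies.dnsbl.sorbs.net": ["127.0.0.2"],
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_ip(ip, resolve=sample_resolver))
```

Passing the resolver as a parameter keeps the decision logic testable offline; a listing that is not a proxy code (the first sample address) is allowed through instead of being blocked.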
Yeah, I'm looking at opm.tornevall.org now as they have a few on there too. I'm reading about it here: http://opm.tornevall.org/ 'cause say you go to http://anonymouse.org, you can get right by all these things.
|
Quote:
Also, ircbl.ahbl.org (http://www.ahbl.org/docs/ircbl.php) might work. Here's how AHBL describes it: Quote:
|
Yeah, I'm going to try out opm.tornevall.org and see how it works out. Yeah, Anonymouse.org had me puzzled 'cause it gets right by everything. But I'll be looking around today to see what I can come up with. As for ircbl.ahbl.org, I'm going to look more info up on that one now also.
|
I obviously do not wish to block out legit people, but as of the last few days we have had more than our usual registrations and most from third world countries.
These people would register then make a post pointing to either a trojan or some advertisement or both. We never had these issues until recently, and as of right now most people who were refused registration by the RBL checker program were listed as big time spammers. |
Quote:
What were the IPs of the people who posted the ads/trojans? What were the IPs of the spammers? What BL's are you using? My point in my earlier post was that people should be aware of what they are getting into when using the blacklists like they are. |
I have been inundated recently with guests registering on our forum and the only purpose is to place spam on our board. I personally used spamhaus.org in the checker. But I have reviewed the IPs through dnsstuff.com and all the IPs that were caught were listed as spammers, and not small time either. I had one guy trying to register with a bogus email. One person registered and placed a link to a trojan file which my antivirus flagged immediately and prompted me to remove the link from the board. Obviously I cannot post IPs here but I will say that the person was coming out of Germany.
I will not just refuse people but to date the ones who have been caught are known spammers and I do check to make sure. |
Forum post made by this mod says "This registration attempt has been allowed." even when it is set to not allow the registration.
I think you missed an "s":
if ($DM_rblcheck_allowreg == "0") {
should be:
if ($DM_rblcheck_allowregs == "0") { |
dang... you're right. Will upload a new file.
|
I'm not really sure this mod is working or not...but...
There is one thing I would like to see. A way to add a warning on the registration page that users using a proxy will not be allowed to finish registration. Thanks! Brew |
Thanks for the update on this, I was being overrun with spammers and this hack caught about 95% of the problems before registration.
|
I seem to be getting about 5 new threads created on each RBL match. I can't tell if the person registering is somehow looping through the registration process multiple times (like maybe they didn't enter all the required information and had to re-enter the form) or if it's a bug. They really shouldn't keep registering since I have it set to allow the registration attempt on RBL match. Since the timestamps of the posts often span a few minutes' time, I suspect it is not a bug with this product.
Anyone else seeing this? |