[cstreater]

This has become a huge problem in the last few months. I've been using another technique to auto moderate these posts, because if this "image" displays before the mods see it, the stuffer has already accomplished what they set out to accomplish, to at least some victims. I have the mods clear their cookies and cache after they've reviewed the moderated post, because doing so stuffs their browser too. I might add your plugin as another layer of protection.

If I'm reading your description correctly, you cannot add an additional option to auto moderate these, is that correct? Despite what I said about having my own technique, I think your mod + that capability would work even better.

Some others notes:

If this hooks into new post_process, does it see the quoted portion of a post as well? They are quoting valid posts and inserting them there.

They don't always use broken image links. They are embedding a link that resolves to a standard looking vBulletin smiley, and displays as such, but there's actually a PHP script that's being run in the process. Tip: don't use standard vBulletin smilies and convert what you have to PNG's. <some domain>/happy.gif is the most common. I believe the use of the GIF extension is what is enabling them to run scripts via these images.

Use relevant replacements to replace known cookie stuffer domains with something else. Not only will this block future attempts from these domains, it will also clean up existing posts.

They will try to get this on one page of every thread. That increases the possibility that a Google click through will be successful in the event what the searcher is looking for is on a specific page of your thread (other than page 1)

There's another technique that's being used to inject this in these into these into the footer template.
If you want to stay on top of their techniques, read the places they hang out. Search Google for blackhatseo and cookie stuffing. Their are even YouTube instructional videos on how to cookie stuff.

Edit your reportpost_newthread phrase to wrap quoted posts with no parse tags. This will help you see the domain better, so the URL tag doesn't mask it. Do the same with infraction_thread_post. Otherwise, the mods can't see the offending link without editing the post.

If you're an admin, create new infraction types (e.g., cookie stuffing) That way you can quickly look through the reports and infractions forum and review these yourself. I have a pretty large board, so this makes it easier for me to manage.

This article best describes every technique under the sun:
[url]http://www.esrun.co.uk/blog/cookie-stuffing/[/url]

If you run a large board, and are just reading this for the first time, there's a good chance your forum already has a lot of these. Once you clean them up, and put some protection mechanisms in place, it's unlikely you will see these show up in someone who has more than a 15 posts.

Use BOP's plugin to block members with less than <x> posts from using signatures. They are sticking them there too. I would link everyone, but I'm typing all this from a phone.

At one point, I think they were using spam bots to cookie stuff. The posts would often consist of only text that said "great information" or something of not much substance. Now there are live human beings that are on topic and are fitting in with regular members.

I have some more insightful tips info, and what I do to control this, but I actually think they read these forums and I'm not giving my secrets to them

Keep in mind, this problem doesn't just exist in your forum. It's all over blogs, and even sites that might look legitimate. I clear my cookies constantly now.

Sorry for hijacking your thread, but this has been a huge nuisance.