DNSBL/Open Proxy-Blocking

History

I've had some problems with abuse via open proxies for a time ago, and when we were banning abusers, they always found a new proxy to use and register new accounts with. Since this forum was a large type we could'nt just ban e-mails etc just like that, because this was leading to a very large amount of other banned users too.

At IRC, in the other hand, we had Open Proxy Monitors, that was banning everything that was blacklisted in some DNSBL-databases. No spammers had a chance to get in there as long they were listed in such database.

This is a plugin that blocks blacklisted hosts from some different DNSBL's. It uses the global_start-hook, a very simple handler for blocking proxies, and a vBphrase called OPM_Deny.


April 2006

The source has been rewritten a bit. The proxychecker is now using a cache that, by default, stores all ip's in a database for 6 hours. It scans some DNSBL's and can be configured to block proxies from bitmasks (defined in the plugin) which makes it a little bit more reliable, because it does'nt block everything it see).

Configuration is made from the plugin (hopefully there will be a nice admin interface in the future). Exceptions (ip's that can pass through this system even if it is a proxy) are also handled differently now.

// CHANGES
//
// 2008-09-20 (2.0.8)
//
// * Changed the routines for how to handle inclusion/exclusions
// * Splitted up plugins for 3.5/3.6 and 3.7
//
// 2007-08-05
//
// * Fixed reported bug, based on resolved hosts ending with 127
// * Changed database-tables to get rid of (hopefully) duplicate keys
// * Added resolver-function
// * Added two new block-methods available at the efnet-rbl
//
// 2006-06-28 (2.0.6/Another fix)
//
// * Proxyinclusions/exclusions didn't work properly
//
// 2006-06-28 (2.0.5/Fix only)
//
// * Fixed a bug in the $block-array that affected some of the blocking results
//
// 2006-06-28 (2.0.4)
//
// * opm.tornevall.org has a new entry for anonymizers, added support for this
// * Default value on "block everything detected" in plugin changed to "no"
//
// 2006-06-26 (2.0.3)
//
// * Created options for admincp (removed plugin-configuration)
// * Fixed a bit-bug for njabl
// * Plugin is now a function (rbl_livecheck) for external lookups
// * Added options for "only block on newuser-registrations"
//
// 2006-06-22 (2.0.3 RC)
//
// * The monitor is now a function
// * Added small compatibility with other plugins (with return)
//
// 2006-05-13
//
// * sorbs zones added (no bitmasking)
// * opm.blitzed.org removed
// * time() changed to TIMENOW
//
// 2006-04-21
// ==========
//
// * proxyinclusions
// quickly add own hosts that should be treated as a proxy
//


How does it work with other vBulletins?

This filter actually works with both 3.5 and 3.6, but for now, they will be separate versions, but for 3.5 and 3.6 you should look here and for 3.7 you should look here.


How to use the compatibility thing

If you have a plugin that you want to use together with the proxy monitor (only returns a value if a an ip-address is registered as a proxy or not) you can call the function rbl_livecheck like this (example):

PHP Code:

global $rblInstalled;

if ($rblInstalled) {
$remoteIsProxy = rbl_livecheck(1, $_SERVER['REMOTE_ADDR']);

//
// .. your code here ..
//

} 


Report bugs if you find them...



Don't forget to install it

[eoc_Jason]

Or... Just use it for the test...

PHP Code:

if (THIS_SCRIPT=='register') { 
    OPM_proxy_check(IPADDRESS); 
} 


[TMM-TT]

I'm just curious - has anyone tested opm.tornevall.org-resolver, and got false positives?

[thedvs]

Hey check this out today... which is better?

https://vborg.vbsupport.ru/showthrea...threadid=98705

[eoc_Jason]

Different methodology with his. He's basically doing a check for guests only, every time when they post.

There's a million different ways you can implement a DNSBL for a forum, it all just depends on what you are trying to prevent.

[thedvs]

im trying to prevent any ba****d spammer trouble maker

[cnutter]

Quote:

Originally Posted by skydancer

Yes, just edit the plugin and add at the top:

if (THIS_SCRIPT=='register') {

and at the bottom:

}

FYI -- This seems to have buggered up ANYONE from joining my forum. I have gotten at least 50 email in the past 3 days from people who say they just get a blank page when they try to join the site. This is was confirmed by myself when I tried to create a test account and couldnt. After I removed skydancers code change everything went back to being fine. Though I am getting around 15 to 20 of my normal users reporting blacklist issues. So I have hence uninstalled this plugin. Thanx guys but the high number of false postives and lack or whitelist option precluded me from using this any longer...

[MikeGK]

how do you know which ip is blocked or banned from the admin control panel? I been looking around ..sorry I'm a noobie .

[eoc_Jason]

There is no recording of that data (in any of the code that I've seen posted). Though you could probably output the IP & time to one of the various logs if you wanted to.

[ximcix]

Quote:

Originally Posted by eoc_Jason

There is no recording of that data (in any of the code that I've seen posted). Though you could probably output the IP & time to one of the various logs if you wanted to.

Question: I installed this plugin over the weekend (eoc_Jason's version) & a friend of mine told me to test it with http://anonymouse.org/ and it went right through. later that same day a friend of mine who uses T-Mobile service on his PDA said he get a message about blacklisted proxy when he tried to log in. So my question is, who updates these lists & how does one get an IP added?

http://anonymouse.org/ only uses 2 IP Addresses:
82.96.100.100
85.195.119.22

[eoc_Jason]

Each list is maintained by a separate group of people. Most are automatic testing scripts that look for certain ports and test to see if they can connect properly. I've noticed that the CBL list seems to generate a lot of false positives, and also contains a lot of stale data. (i.e. I had one IP that was last checked over 6 months ago and it was listed!)

Sites like the one you posted above is not considered an exploited proxy since they are offering the service. If you don't want users using that service than simply block their IPs as usual.

I modified my script slightly to help people that were experiencing errors. Basically I changed the line in the code to add the IP address as such:

PHP Code:

eval(standard_error(fetch_error('OPM_Deny',IPADDRESS))); 


Then modified my phrase as such:

Code:

<p><b>Sorry, but you do not have access to this forum!</b>
<p>The reason is you are trying to access this site via a <b>Blacklisted Open Proxy</b>! If you are using a dynamic IP you probably just got dumped with one that a person abused before you.
<p>Fear not! You can find out more info about where your IP is blacklised (and removal) via the <a href="http://www.spamhaus.org/query/bl?ip={1}">Spamhaus Website</a>.
<p>The IP in question is: <b>{1}</b>
<p><b>DO NOT</b> contact us about being removed, <u>we do not control the lists</u>! Please follow the link above, once you go to the site that has your IP listed, removal is usually a 1-click process. After submitting your IP for removal, the DNS is usually refreshed within the hour.