DNSBL/Open Proxy-Blocking

History

I've had some problems with abuse via open proxies for a time ago, and when we were banning abusers, they always found a new proxy to use and register new accounts with. Since this forum was a large type we could'nt just ban e-mails etc just like that, because this was leading to a very large amount of other banned users too.

At IRC, in the other hand, we had Open Proxy Monitors, that was banning everything that was blacklisted in some DNSBL-databases. No spammers had a chance to get in there as long they were listed in such database.

This is a plugin that blocks blacklisted hosts from some different DNSBL's. It uses the global_start-hook, a very simple handler for blocking proxies, and a vBphrase called OPM_Deny.


April 2006

The source has been rewritten a bit. The proxychecker is now using a cache that, by default, stores all ip's in a database for 6 hours. It scans some DNSBL's and can be configured to block proxies from bitmasks (defined in the plugin) which makes it a little bit more reliable, because it does'nt block everything it see).

Configuration is made from the plugin (hopefully there will be a nice admin interface in the future). Exceptions (ip's that can pass through this system even if it is a proxy) are also handled differently now.

// CHANGES
//
// 2008-09-20 (2.0.8)
//
// * Changed the routines for how to handle inclusion/exclusions
// * Splitted up plugins for 3.5/3.6 and 3.7
//
// 2007-08-05
//
// * Fixed reported bug, based on resolved hosts ending with 127
// * Changed database-tables to get rid of (hopefully) duplicate keys
// * Added resolver-function
// * Added two new block-methods available at the efnet-rbl
//
// 2006-06-28 (2.0.6/Another fix)
//
// * Proxyinclusions/exclusions didn't work properly
//
// 2006-06-28 (2.0.5/Fix only)
//
// * Fixed a bug in the $block-array that affected some of the blocking results
//
// 2006-06-28 (2.0.4)
//
// * opm.tornevall.org has a new entry for anonymizers, added support for this
// * Default value on "block everything detected" in plugin changed to "no"
//
// 2006-06-26 (2.0.3)
//
// * Created options for admincp (removed plugin-configuration)
// * Fixed a bit-bug for njabl
// * Plugin is now a function (rbl_livecheck) for external lookups
// * Added options for "only block on newuser-registrations"
//
// 2006-06-22 (2.0.3 RC)
//
// * The monitor is now a function
// * Added small compatibility with other plugins (with return)
//
// 2006-05-13
//
// * sorbs zones added (no bitmasking)
// * opm.blitzed.org removed
// * time() changed to TIMENOW
//
// 2006-04-21
// ==========
//
// * proxyinclusions
// quickly add own hosts that should be treated as a proxy
//


How does it work with other vBulletins?

This filter actually works with both 3.5 and 3.6, but for now, they will be separate versions, but for 3.5 and 3.6 you should look here and for 3.7 you should look here.


How to use the compatibility thing

If you have a plugin that you want to use together with the proxy monitor (only returns a value if a an ip-address is registered as a proxy or not) you can call the function rbl_livecheck like this (example):

PHP Code:

global $rblInstalled;

if ($rblInstalled) {
$remoteIsProxy = rbl_livecheck(1, $_SERVER['REMOTE_ADDR']);

//
// .. your code here ..
//

} 


Report bugs if you find them...



Don't forget to install it

[ximcix]

Quote:

Originally Posted by eoc_Jason

Each list is maintained by a separate group of people. Most are automatic testing scripts that look for certain ports and test to see if they can connect properly. I've noticed that the CBL list seems to generate a lot of false positives, and also contains a lot of stale data. (i.e. I had one IP that was last checked over 6 months ago and it was listed!)

Sites like the one you posted above is not considered an exploited proxy since they are offering the service. If you don't want users using that service than simply block their IPs as usual.

I modified my script slightly to help people that were experiencing errors. Basically I changed the line in the code to add the IP address as such:

PHP Code:

eval(standard_error(fetch_error('OPM_Deny',IPADDRESS))); 


Then modified my phrase as such:

Code:

<p><b>Sorry, but you do not have access to this forum!</b>
<p>The reason is you are trying to access this site via a <b>Blacklisted Open Proxy</b>! If you are using a dynamic IP you probably just got dumped with one that a person abused before you.
<p>Fear not! You can find out more info about where your IP is blacklised (and removal) via the <a href="http://www.spamhaus.org/query/bl?ip={1}">Spamhaus Website</a>.
<p>The IP in question is: <b>{1}</b>
<p><b>DO NOT</b> contact us about being removed, <u>we do not control the lists</u>! Please follow the link above, once you go to the site that has your IP listed, removal is usually a 1-click process. After submitting your IP for removal, the DNS is usually refreshed within the hour.

Thanks. I am using your script with that line intact.

[Robert Basil]

Quote:

Originally Posted by eoc_Jason

Which list were the false positives coming from? I usualy found most were coming from CBL, which I disabled that code in mine. There were IPs that were last checked / listed many, many months ago. Which you would *think* would get de-listed over time, but they wern't.

Do I just comment out the line below to disable CBL?

PHP Code:

    127.0.0.4 = CBL   / Composite Block List @ cbl.abuseat.org 


Also, does anyone have a test online proxy I can run through to make sure it's working correctly?

[TJFweb]

I don't get this... For eoc_Jason's hack, do you just install the XML and that's it?

Is there any need to configure anything?

Thanks.

[clearchannel]

Quote:

Originally Posted by eoc_Jason

Or... Just use it for the test...

PHP Code:

if (THIS_SCRIPT=='register') { 
    OPM_proxy_check(IPADDRESS); 
} 


I have added this snippet of code right after

*********************************************/

and before:

if ($vbulletin->session->vars['OPM'] == 0) {

Would someone be so kind as to explain where I went wrong?

I only want to check for proxies during registration.

I also have a problem with a very reliable member, they can not access the forums with this hacked installed as a stock plugin. They sent me the following:

My IP address from home is blacklisted. It is my earthlink account.
Thanks in advance

[thalamus]

Sorry if this has already been asked, but where can you put your own list of IPs? For instance, if I find IP addresses that are being used as open proxies but have not been listed at spamhaus, can I put these into my own file somewhere as a '2' value and, if so, does this go straight into the DB?

[TJFweb]

Quote:

Originally Posted by thalamus

Sorry if this has already been asked, but where can you put your own list of IPs? For instance, if I find IP addresses that are being used as open proxies but have not been listed at spamhaus, can I put these into my own file somewhere as a '2' value and, if so, does this go straight into the DB?

Please don't tell me that this hack has been abandoned already...

This could have been really big.

[clearchannel]

It appears it has. That's a shame, when security is more needed then ever.

[thalamus]

so I guess it means a little reverse engineering for this - has anyone else found a solution to adding unlisted IPs before I start to reinvent the wheel?

[eoc_Jason]

You can blacklist IPs in the vB Options...

Otherwise to have it work smooth with the current RBL checks you could install a DNS server locally that can be used as a local RBL.

Or you could fudge it and create an array with the list of IPs, then do a second check to see if it's in_array() and if so set the flag to block them.

I would love to develop it further, but I just don't have the time with other projects. Some things you might want to consider changing is have the check run as a shutdown query or something, so that the user doesn't have to sit and wait and get impatient if the check doesn't run quickly.

[jayhawk785]

I know some people warned that on large sites this may cause problems. I'm here to say that is VERY true. My server loads were, on average, 1.00 across the board or less. After the board started picking up more and more members, and averaging more than 20 online at a time--the load was up to 4-8 (average). I couldn't think of what the problem was, i started blaming PHP and apache lol... but that wasn't it. Just keep this in the back of your mind if you use it. I removed it, and my load on the server and page load time - is back to normal:

Page generated in 0.28239 seconds with 17 queries [Server Loads: 0.37 0.40 : 0.76]