vbStopForumSpam - known spammer lookup for new registrations
Version: 0.61, by pedigree
Developer Last Online: Nov 2013

Category: Administrative and Maintenance Tools - Version: 3.6.1
Released: 04-17-2008 Last Update: 01-26-2010 Installs: 1986
No support by the author.

vbStopForumSpam

This provides access to an RBL-type system for forum admins, listing known spam IP / email / usernames. The RBL database is provided by www.stopforumspam.com. You do NOT need an API key from the website in order to access the database, only to submit data if you should wish to do so.

At the point of user registration, the mod checks if the IP number / provided username / email addresses appear on a block list and can block the registration.

Whilst this isn't the most perfect way to stop all forum spam, it's another step that spammers have to overcome.

VB4 here https://vborg.vbsupport.ru/showthrea...hreadid=230921
It's the same code, it works in 3.54 to 4.0


What it does

It checks with a remote database of known forum spammers. Their IP number, email address and forum username are tested and based on your configuration, you can reject / log / accept user registrations based on what you get back.

This version doesn't have
- whitelisting or the ability to submit users to the database but it will within the next week.
- automatic user deletion / post / PM purging. There are good tools out there already, this does something else.

Instructions are included in the installation.txt file - PLEASE read it first and don't forget to actually upload the files in the upload folder, otherwise it WILL kill your registration progress and you won't see the log file options in admincp. You do not need to download the product-vbstopforumspam-3.54.xml file unless you are using a vBulletin version older than 3.6.0

Changes to vB
- 3 new database tables
- 2 database table alterations
- No new templates.
- 2 Hooks (register_addmember_process & register_addmember_complete)

I've tested it but had feedback that it works with versions as old as 3.6.2... Support should go back to older versions, as long as they have hook support for register_addmember_process / register_addmember_complete

Known to work - tested by me
- vBulletin 3.6.8 on Apache 2.2 / PHP 5.1.2 on Linux using cUrl
- vBulletin 3.7 Gold on Apache 2.0 / PHP 4.4.3 on Windows without cUrl (template changes won't work on 3.7 - that's in the next version with auto template changes)

For code to submit spammers to the database, check this post for code changes
https://vborg.vbsupport.ru/showpost....&postcount=288

Reported in the thread to work
- 3.6.1, 3.6.2, 3.6.9, 3.6.10, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.74, 3.80, 3.81, 3.82, 3.83, 3.8.4, 4.0beta3


If you have 3.54, then you can use the product-vbstopforumspam-3.54.xml file attached instead of the one in the ZIP file, which will allow older vBulletin versions to access this mod's features. I personally haven't tested this version, it's a user contribution, thanks to Darrell Mobley, that changes the way the XML works when imported into older versions.

Installers should remember to refresh their ACP navigation window when they first install it so they can see the new log file menu item.

REQUIRES MySQL 4.1.1+

Future versions
- Automatic integration into vBulletin to add users to the stopForumSpam.com database from a form
- Whitelisting of username / IP / email addresses
- AJAX integration to allow for lookups from within the users profile
- Decreased remote query count from three per user to one per user.

Versions / Changes

0.1 Initial Release

0.2 pedigree's special brew birthday release.
- Small security update. If you have 0.1 installed, download 0.2 and replace your existing functions_vbsfs.php with the one in the archive. It just tests to see if it's running inside the VB framework before anything else. This is what happens when you code at 2am after drinking wine

0.3
- stopped it processing valid registrations twice
- moved all non-function code into the plugin. Not a big one as 0.2 basically did that
- fixed a typo in the log pruner that stopped it working (404)
- removed unused fields from the database for people with mysql that doesn't support varchar > 255 (ie mySQL4). If you have 0.2 installed and don't need to prune your logs just yet, you don't really need to install this version but can instead wait for 1.0 unless of a massive security update.

0.4
- logs registrations that aren't/wouldn't be blocked
- fixed XML errors when username has a space in it
- tightened up the cache so that it doesn't test a username against an email name to give a bypass result (for when a username is an email address that isn't banned where the email address is)
- fixed some basic logic errors in the PHP

0.6
- Should work on PHP 4.4 now - rewrote the XML with PHP4 in mind (tested on Apache2.0/PHP 4.4.3)
- Fixed a caching system where data wasn't being updated correctly which could cause a remote query when one wasn't needed
- Possible false negative situation when a spammer was blocked due to SFS.com being down who then visited again when it was up but within the cache expiry time
- Remote query failure when the result page isn't XML should work a bit better now. It does a very basic test for valid XML results.
- Fixed log purging (again) and it should actually work properly now.
- No longer requires PHP5
- The log viewer now links to a user profile when registration is allowed.

v0.61 - Removed a template change that was invalid vBulletin code. The package you download will still say it's 0.60 however

NB : When upgrading from any version to 0.6, you must remove and then add the plugin due to changes in one of the database tables

You need to have an API key from www.stopforumspam.com in order to submit data, it's free and easy to get... You DON'T need an API key in order to use this mod however, only to submit spammer data.

Issues are
- The usergroup permissions / view details etc DON'T work. I jumped the gun and put the permissions controls in there before I put the code in. Please delete the includes/xml/bitfield_vbstopforumspam.xml file and rebuild your postbit

Installation
- Follow the instructions in the zip file, that includes uploading the correct folders
- ONLY download the 3.54 xml file if you're using a vBulletin version prior to 3.6.0. Use this file to install the mod instead of the xml file in the zip file.

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
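
The registration check described in the post above, as an added example that is not vbStopForumSpam's own code: it parses a lookup response, refuses to trust a non-XML or wrong-type reply, keys the cache by field type so a username that looks like an e-mail address never reuses the e-mail result, and never caches a failed lookup. The XML layout, the `$fetch` callable, the function names and all sample values are assumptions constructed for this example.

```php
<?php
/** true = listed, false = not listed, null = response unusable. */
function sfs_parse(string $body, string $expectedType): ?bool
{
    if (trim($body) === '') {
        return null;
    }
    $prev = libxml_use_internal_errors(true);      // collect parse errors quietly
    $xml  = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Outage pages are often HTML, and some of them are well-formed XML too.
    if ($xml === false || $xml->getName() !== 'response') {
        return null;
    }
    if ((string) $xml['success'] !== 'true' || (string) $xml->type !== $expectedType) {
        return null;
    }
    $appears = (string) $xml->appears;
    return $appears === 'yes' ? true : ($appears === 'no' ? false : null);
}

/** Cached lookup. $fetch is a hypothetical callable(type, value) returning the body. */
function sfs_lookup(array &$cache, string $type, string $value, callable $fetch, int $now, int $ttl = 3600): ?bool
{
    // The field type is part of the key, so the username "bob@example.com"
    // is never answered from the cached result for that e-mail address.
    $key = $type . ':' . strtolower(trim($value));
    if (isset($cache[$key]) && $cache[$key]['expires'] > $now) {
        return $cache[$key]['listed'];
    }
    $listed = sfs_parse((string) $fetch($type, $value), $type);
    if ($listed !== null) {                        // a failed lookup is never cached
        $cache[$key] = ['listed' => $listed, 'expires' => $now + $ttl];
    }
    return $listed;
}

/** Combine the three field results into reject / accept / accept-unverified. */
function sfs_decide(array $results, bool $rejectOnFailure = false): string
{
    if (in_array(true, $results, true)) {
        return 'reject';
    }
    if (in_array(null, $results, true)) {
        return $rejectOnFailure ? 'reject' : 'accept-unverified';
    }
    return 'accept';
}

// Constructed responses standing in for the remote service.
$hit    = '<response success="true"><type>%s</type><appears>yes</appears></response>';
$miss   = '<response success="true"><type>%s</type><appears>no</appears></response>';
$canned = [
    'ip:203.0.113.7'           => '<html><body>503 Service Unavailable</body></html>',
    'email:bob@example.com'    => sprintf($hit, 'email'),
    'username:bob@example.com' => sprintf($miss, 'username'),
];
$fetch = function (string $type, string $value) use ($canned): string {
    return $canned["$type:$value"] ?? '';
};

$cache   = [];
$results = [];
foreach (['ip' => '203.0.113.7', 'email' => 'bob@example.com', 'username' => 'bob@example.com'] as $type => $value) {
    $results[$type] = sfs_lookup($cache, $type, $value, $fetch, time());
}
echo json_encode($results), ' => ', sfs_decide($results), "\n";
echo 'cached entries: ', count($cache), "\n";
```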
Comments
#172
07-27-2008, 08:49 AM
pedigree

MAC address is very difficult as most webservers (I would guess in the high 99.9% here) don't have or allow access to p0f type tools to provide packet level inspection. MAC addresses aren't all that unique as once you've removed the device manufacturer ID (which doesn't fill the full 24 bit), you only have a 24bit unique ID. There are a lot of network cards out there with the same MAC address and that's fine, just as long as there aren't two with the same mac on the same subnet. Filtering on MAC therefore is a no-go area.

The only way to stop automated bot register/post tools is to stop registration by means that the application doesn't know about, extra fields, simple questions, tick this box, click here serverside maps etc. Manual spammers are a different story, you just have to make it as hard as possible.
#173
07-30-2008, 02:14 AM
skippybosco

I agree, no solution will be 100% short of encroaching on impacting legitimate users.

For the record, I really like the notion of renaming register.php (obvious risks are third party mods which call that link directly(?!?!) and existing phrases that call it directly.. both manageable).

In that vein, modifying things in the page source like Generator Meta, etc. which specifically call out that you are running a vBulletin site.

That being said, hopefully you are:

1. Spending tons of time with the new child
2. Closing all feature adds for v7 (scope creep is addictive)
3. See #1

:-)
#174
07-30-2008, 02:21 AM
StepOnFrog

WOW !!! That was an unnecessarily defensive reply to my post, for which mine was just helping one user be aware of the IP dynamics of t'internet.

------- Please skip past this thread if you don't like long posts -------

Pedigree, where in my post do you think I've attacked your creation?

Apologies to any users, including yourself, Pedigree, should you believe this post is 'Threadwaste/Postwaste', but surely some of you will have got to a point with users misunderstanding the context, or entirety of the posts you make - this is one of those very moments; I am really *sick* to the back teeth of posts not being read correctly, and then someone taking their hat off at some poor user about it.

I really do not see why you have come to be so defensive from what I have written, and so, I feel I should make myself much more clearly understood...


Quote:
Originally Posted by pedigree
Like I said, this mod isn't a perfect method of stopping spam. I've addressed the changing IP issues but if you look at spamhaus / spamcop, are you seriously trying to tell me that these systems are inherently flawed?

In fact, I do not *try* to *tell* you anything about flawed systems at other locations, and I certainly do not, at any point, comment on the level of quality your MOD provides.
Quote:
They stop billions of spams every day. Sure there is collateral damage.... I'm guessing from the spambot registrations on my board, in the four figures now, there might've been 1 false positive and that's what the Contact Us page is for.
I haven't complained about collateral damage. I haven't complained about any of my members not being able to register due to IP blocking. I did, however, directly inform a single user that IP blocking can be a problem for board registrations, other users will read the same post and understand the same. With regards the Contact Us page, should you happen to read any of the many quality articles that other experienced Bulletin Board Admins have written (not just vB), you may come to realise that when an internet user searches, and happens to come across a website, if the information they are seeking is not within the first several clicks, they are more likely to move onto another website; Contact Us, is no guarantee that you will keep a customer in your shop, so to speak. (this is not a criticism to your post, btw).
Quote:
Most of my spammers are caught on the email and username fields. If you look at the mod, you can disable checking on the IP number. As spambots don't register a new email address for every forum they try to register on, it's a really good field for testing.

This mod gives you control of your forum, it doesn't push policy on anyone.
Now, that part of your post was, IMO, the only constructive part, in response to my post. Although, looking through your MOD listing description, at no point do you mention any switching of IP blocking facility, or any facilities, as I come to read the description again; only after looking at the second attached screenshot, do I spot a selection box showing ENABLE, and then one must logically assume there is a DISABLE selection too, though, unfortunately, this fact of logic may not be readily obvious to some (honestly, there are users that just don't know, we've all come across them, and we help them).
Quote:
If I want to stop an IP used for spamming within the 24 hours then *I* can.
And, this does seem quite an over-defensive response to something I haven't written; your use of "*I* can" is what pushed me to write this lengthy tome. It appears, judging from your sentence, that you believe I have somehow attempted to stop you from preventing spammers..? Sorry, I fail to see where I have restricted your use of your MOD.
Quote:
If you don't like the idea that you might block some poor innocent person who had the same IP as some spammer 6 hours after spammer changed IP, then don't test on IP number. From what I've seen from my logs (and skippy, wired1 etc) is that it blocks a lot of persistent static/near static IP addresses. I think that you'll be hard pushed to find a user of this mod complaining that it's blocking innocent people on a mass scale but if you do, then why don't you code another mod?
I haven't said that I don't like the idea of blocking 'some poor innocent person'. And, why should I code a MOD? I had come to this MOD thread to examine your MOD, to check whether it was the product for me. I did suggest an addition, not only to your MOD, but to any MOD that attempts to prevent spamming registrations by using the points I had listed so many times before, and herein.
Quote:
Session cookies so change, restart your browser, it's gone. You can't rely on session cookies as spambot engines do cookies.
You really have misunderstood the suggestions I have made....
You know, as well as I, that vB sets a cookie on your system (or spambot system) each and every visit to your vB board. So, if you record the cookie with each registration, then if that registration fails and another attempt is made with the same username/email, and the cookie is different the second time round, then your vB software will know that the registration MAY be a spambot. For this suggestion to work, you must assume that people are not THICK, and that they will try registering again within the same cookie session, should their first attempt 'balls up', somehow. Ergo, humans register and reregister in the same cookie session, whereas spambots go away and come back later to try again.

Quote:
I'm working on the mod each day and new features will be added all the time. Maybe I'll take some more time to add your suggested cookie theory... It adds more control, which is what this mod is about
Exactly! So, why be so defensive?
Quote:
IP address count is about (256^4) - (2^25 + 2^16 + 2^20) give or take some for subnet broadcast addresses. 10/8 192.168/16 172.16/12 and 224/8 multicast
It's nice to know some people care, and know perfectly well what they're on about...!

But, aside from clearing any misunderstandings, I would really like to hear your views on the suggestions I've provided, ie. the failed spambot registrations due to the image verification process.

I hope this has made things much clearer. However, please do not hesitate to contact me with regards any of the above.

Yours,

;-D
#175
07-30-2008, 01:50 PM
pedigree

Did what you said, skipped your rant.

No more feature creep, I don't have the time. Maybe in a couple of months when I do.... Who knows but I'll keep your cookie/captcha idea in mind.
#176
07-30-2008, 01:59 PM
pedigree

Quote:
Originally Posted by skippybosco
1. Spending tons of time with the new child
2. Closing all feature adds for v7 (scope creep is addictive)
3. See #1
:-)
1. Oh yes
2. No more feature creep. Nothing new is going in, I'm working on the last stages, data submission to stop forums spam.
3. See #1

#177
07-31-2008, 02:40 AM
Embroidables

First of all, let me compliment you on your mod. I really like what you’re doing here. Also, congratulations on the new baby! I know that you are trying to keep the scope of the project from getting out of hand and that you also want to spend time with your family (which, I completely agree with)… But here is a suggestion that would be easy to add and would be a really nice complement to the mod you already have. When you get a chance, take a look at Project Honey Pot (www.projecthoneypot.org). They have a list of known automated spammer ip addresses similar to the http://www.stopforumspam.com list, except the list is bigger, and probably less vulnerable to list contamination because of the way that the ip addresses are collected. Since they have an established api and sample code it would be really simple to have your mod query their data base in addition to the stop forum spam database.

Here’s a link to some sample code as well as some information about their api:

http://www.projecthoneypot.org/board...10&i=179&t=179
http://www.projecthoneypot.org/httpbl_api

I hope that you like the idea. Let me know what you think.
#178
07-31-2008, 02:48 AM
Wired1

Quote:
Originally Posted by pedigree
The only way to stop automated bot register/post tools is to stop registration by means that the application doesn't know about, extra fields
BINGO. You wouldn't believe how many spammers I've caught simply because they slapped URLs where it asks for their motherboard
#179
07-31-2008, 07:53 AM
pedigree

Quote:
Originally Posted by Embroidables
First of all, let me compliment you on your mod. I really like what you’re doing here. Also, congratulations on the new baby!
Thank you, it's really nice to hear positive feedback

Quote:
I know that you are trying to keep the scope of the project from getting out of hand and that you also want to spend time with your family (which, I completely agree with)… But here is a suggestion that would be easy to add and would be a really nice complement to the mod you already have. When you get a chance, take a look at Project Honey Pot (www.projecthoneypot.org). They have a list of known automated spammer ip addresses similar to the http://www.stopforumspam.com list, except the list is bigger, and probably less vulnerable to list contamination because of the way that the ip addresses are collected. Since they have an established api and sample code it would be really simple to have your mod query their data base in addition to the stop forum spam database.
Hmm, I'm going to go look at this now and if the sample code can be added to the mod without too much trouble (which I hope is the case as I tried to make it flexible), then I'll most certainly add it.

Edit : I've looked at this and it looks really really good. The code is small and can be added very easily to my new code rewrite without too much trouble at all. As it's DNS based, I don't have to worry about caching data like I am with stopforumspam, it's lightweight and should make the mod even more useful (to those that have actually installed it)
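
The DNS-based Project Honey Pot lookup discussed in the posts above, as an added example that is not part of the thread or of either project's code: it builds the http:BL query name for a visitor address, decodes the `127.<days>.<threat>.<type>` answer and applies a registration policy. The query-name and answer layout follow the http:BL API page linked above; the access key is a placeholder, the `$resolve` callable, function names and thresholds are assumptions, and the answers are constructed.

```php
<?php
/** Build the DNS name to resolve for one visitor address (IPv4 only here). */
function httpbl_query_name(string $accessKey, string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    return $accessKey . '.' . $reversed . '.dnsbl.httpbl.org';
}

/** Decode an answer of the form 127.<days>.<threat>.<type>; null = no listing. */
function httpbl_decode(string $answer): ?array
{
    if (filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;                       // resolver gave back a name or an error
    }
    [$first, $days, $threat, $type] = array_map('intval', explode('.', $answer));
    if ($first !== 127) {
        return null;                       // not an http:BL answer
    }
    return [
        'days_since_seen' => $days,
        // For search engines the third octet identifies the engine, not a threat.
        'threat_score'    => $type === 0 ? 0 : $threat,
        'search_engine'   => $type === 0,
        'suspicious'      => (bool) ($type & 1),
        'harvester'       => (bool) ($type & 2),
        'comment_spammer' => (bool) ($type & 4),
    ];
}

/** Registration policy: the thresholds are illustrative, tune them per forum. */
function httpbl_should_block(?array $hit, int $maxAgeDays = 30, int $minThreat = 25): bool
{
    if ($hit === null || $hit['search_engine']) {
        return false;
    }
    $spammy = $hit['comment_spammer'] || $hit['harvester'];
    return $spammy
        && $hit['days_since_seen'] <= $maxAgeDays
        && $hit['threat_score'] >= $minThreat;
}

// $resolve stands in for gethostbyname(), which returns its argument unchanged
// when the name does not resolve (that is, when the address is not listed).
// 'abcdefghijkl' is a placeholder access key; the answer below is constructed.
$answers = ['abcdefghijkl.7.113.0.203.dnsbl.httpbl.org' => '127.3.40.4'];
$resolve = function (string $name) use ($answers): string {
    return $answers[$name] ?? $name;
};

foreach (['203.0.113.7', '198.51.100.20', '2001:db8::1'] as $ip) {
    $name = httpbl_query_name('abcdefghijkl', $ip);
    $hit  = $name === null ? null : httpbl_decode($resolve($name));
    printf("%-15s %s\n", $ip, httpbl_should_block($hit) ? 'block' : 'allow');
}
```

Because an unlisted address and a failed DNS lookup both come back without a `127.x.y.z` answer, this check fails open; pair it with the logged StopForumSpam result rather than relying on it alone.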
#180
07-31-2008, 01:39 PM
DangerousDale

Cheers for this m8, starting using it yesterday and for the first time in 24hrs I have not got a single spammer

Well Done, have some wine! hehe
#181
07-31-2008, 04:49 PM
Embroidables

I'm glad that you liked the honey pot recommendation. By checking both databases the mod should be even that much better at blocking spam.