Miscellaneous Hacks - Check Proxy RBL on New User Registration.

Check Proxy RBL on New User Registration Version 4.1

Version 4.1 includes remains unchanged from version 4.0 with the exception of a code fix to deal with an SQL injection security hole in the code.

What does this hack do?

Hooking in at register_addmember_process and register_addmember_complete this hack compares the IP address of the person registering with the Realtime Block List(s) of your choice. Based on your configuration the RBL Checker will then perform one of these actions:

1. Nothing, the registration continues as normal.
2. Registration continues as normal, but the user is automatically moved into the "Pending Moderation" group of your choice.
3. Registration continues as normal, but the user is automatically permanently banned.
4. Registration is blocked, an error message is displayed to the user.

Please Note: It is strongly recommended that you configure PM or Thread based notification so that you may monitor registrations that are from IPs that are a positive hit on the RBL. Especially if you configure the checker to allow registrations to complete normally.

These options are configurable in AdminCP > Options > DM-RBL Check on Registration.


Why Block Proxies?

Banned and Spammers users often get around IP bans by simply using an open proxy - of which there are thousands - to get around the IP ban. Very few legitimate users slow their surfing by using an anonymous proxy.


How do you Install?

1. Create a user from which PMs, Posts, etc. will be generated.
2. In your adminCP obtain values for the "banned" and "pending moderation" groupIDs (Defaults are 8 and 4).
3. Install the attached product.

IMPORTANT NOTE:You must specify a username if you plan on configuring the AUTOBAN or NOTIFICATION options. Otherwise you WILL get errors.


What is the default config?
By default the RBLChecker will check the IP of a new registration, allow registration to complete, but add the new user to the "COPPA Members Awaiting Moderation" usergroup. You can then approve/reject those members depending on whether you think they are/aren't spammers/trolls.

You can modify the settings in the AdminCP to Ban or Block as you like.


Hack History:

Version 4.1
- Fixed SQL Injection security hole.
- Fixed some minor typos in automatically generated messages.

Version 4.0
- Added ability to specify error reported on blocks.
- Added ability to specify ban reason and custom title.
- Added ability to move users to "pending moderation" group if registration is allowed.
- Updated list of RBLs checked based on testing with lists of "anonymous" proxies.
- Fixed IP address of Notification Posts equalling IP of blocked user. (Now Notification IP = 1.2.3.4)

Version 3.2
- Fixed typo causing blocked registrations to be reported as allowed.

Version 3.1
- change in variable name in v3.0 broke RBL checking. Corrected error.
- match notification now includes the name of the RBL that matches the IP.

Version 3.0
- plugin now fires at "register_addmember_process" allowing the user to completely fill in the form.
- Added the ability to specify more than one RBL.
- Added option to specify whether registration is blocked or allowed to complete.
- Added option to automatically ban registrations that are allowed to complete but have a positive IP match.
- Added option to specify user who is "notifier".
- Added option to specify a forum where a notification thread will be created.
- Added option to supress notification PM / Thread when an IP matches blacklist or known proxy list.
- Added customized error codes for notifications - notification now indicates whether a registration IP has matched the RBL, blacklist, or predefined list of anonymizers.
- Reworded Phrases.
- Removed 10.x.x.x IP from known proxy/anonymizer list.

version 2.0
- Added configuration options under vboptions > DM-RBL Check on Registration.
- Added PM on Block.
- Added option to select RBL.
- Added Custom Whitelist.
- Added Custom Blacklist.
- Added list of free proxies.
- Changed default RBL to sbl-xbl.spamhaus.org
- Added option to enable/disable checking.

version 1.0
- added plugin to check against opm.tornevall.org
- added custom phrase to be reported as error on registration start.


Using this Hack?
If you install this hack please click "Installed" to receive updates.

If you find this hack useful you can always hit that paypal button too...

[StevenTN]

Hey Daniel... thanks for all the work you've done. I don't think we've mentioned that You've helped make our forums quieter.

Here's all the BLs I use...

dnsbl.ahbl.org
list.dsbl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
zen.spamhaus.org

[Tom1234]

I don't understand why people are using spam blacklists to block proxy servers. I think this post needs to be read again:

Quote:

Originally Posted by falter

Guys, I'd recommend against using dnsbl.ahbl.org or sbl-xbl.spamhaus.org. Their primary function is to provide a list of Open Mail Relays and email spamming sources, which are an ENTIRE different world than Open Proxies. I don't think that fact is illustrated enough in this thread.

AHBL is particularly aggressive in that they are willing to list blocks of ip addresses. That is, if you have users on a Seattle Area DSL network, and an open mail relay shows up on their network, both that mail relay and your users (or potential users) will be blocked by AHBL.

You guys really need to read and understand the purpose and the usage of these blacklists before slapping them in. Many of these blocklists prohibit the usage of their services in this way. You're unnecessarily hitting services that have finite resources. Don't be so eager to block IPs willy nilly and think you're making a difference. You're not. If your goal is to block users coming through anonymizers, proxies, or even the TOR network, then use blacklists whose function is to only report anonymizers, proxies, and TOR networks. The fact of the matter is that you're not going to see a lot of hits with a blacklist like this simply because not many people are going to register with your site who are actually using proxies.

Here's what I'm using currently:
proxies.dnsbl.sorbs.net
tor.ahbl.org

I don't get many hits, but that's because I don't expect many hits (that's the reality of things).

Again, I like this add-on, I think it's very useful. I'm not criticizing it's usage. All I'm trying to do is help people understand what they're doing a little bit better.

[DaNIEL MeNTED]

proxies.dnsbl.sorbs.net
dnsbl.ahbl.org

I only use 2 lists... 99% of blocks are from proxies.dnsbl.sorbs.net...

As Tom said, you should make sure you avoid some aggressive SBLs. While its logical for mailservers (the primary users of SBLs) to block traffic from IP ranges assigned by ISPs to consumer addresses (DSL, Dial-up, etc.) as they're not legitimate sources of SMTP traffic its counter productive to do so with a forum...

Obviously you'll get a lot of matches. But a lot of them might be people who actually want to get on your forum.

You should also enable reporting - and check reports regularly. 99.9% of my blocks come from registration emails that are .ru (I run a small Canadian forum....) so its easy to see that those are spammers. (Usernames like 'cheapcigarettes' are a good hint too.)

You want to make sure that you don't tighten the screws down so tight you block legitimate users... especially if your board relies on donations.

[jeffmezick]

Will this mod continue to work with VB 3.7 or is there an upgrade?

[DaNIEL MeNTED]

Quote:

Originally Posted by jeffmezick

Will this mod continue to work with VB 3.7 or is there an upgrade?

I have not tested it but there has been at least 1 post in the thread confirming it does work with 3.7

[StevenTN]

It works in 3.7.0 for me no problem.

Also, with the size of our forum, using the other blacklists has helped a lot more than just sticking with two. Working in IT, I know that if you compromise any system (whether it'd be mail, proxy, web, or other server, along with desktops and laptops), you can do whatever you want with it, and that includes forum spam. Since I deal primarily with security at work, I've seen it.

[tfw2005]

Working in 3.7

However, I have the 5 threads created per action. I tried switching the hook location so they were both _complete, but when I do that I get an error upon registration. Reg goes thru, but the user gets the DB error page, not redirected to thanks message.

I have it set to complete, then ban, then alert me in staff forum. No blocking of registration.

Can I disable the register hook, or will that make it lose functionality?

Also, is there a central blacklist for web based anonymizers that we can plug into? (hidemyass.com, etc). Thats where most of my trolls are coming from, and keeping that up to date by hand is going to be a pain.

Thanks for the great hack!

[StevenTN]

I don't have that problem at all with the multiple threads. Of course, mine is set to deny registration.

As far as the proxies, I would love to see an RBL for it.

[webspider]

I have found that it does not work fully on 3.7. I have it set to allow then ban and the ban part never seems to work.

[tfw2005]

Only proxy based one i see in any of the ones mentioned here is proxies.dnsbl.sorbs.net. Not sure how good it is. Putting it at front of my list, with zen.spamhaus.org after it. See what picks up.

While the spam reduction is good, the HTTP, web based anonymizers is what needs to be blocked consistently. Most trolls don't understand full proxy programs or situations, they just use the web based ones found in google searches.

As for "Feature Requests"

- It would be good so that if you allow registrations, with automatic banning, if you then review the situation and decide to unban the person, you can send them an altered Email with reactivation codes. Something like:

Banning Information
Banned by RBL DoubleCheck XYZ [LIFT BAN]

Lift Ban does -
--Removes Custom User Title we just put there.
-- Moves to "Users Waiting Email Confirmation" usergroup.
-- Sends email with new activation codes
-- Additional lines in that email state (template it up so we can adjust i guess)
---- that they were originally banned due to their IP being on a Blacklist,
---- due to further review, staff has decided to approve their registration.
---- please click the link to re-confirm their account.
---- their account will be watched for X amount of time to double check for spam, trolling, or alt id abuse.

Also might be good to add links in the Edit User Page under the banned box directly to link pages for dnsstuff.com, and/or google searches on the username. That way you can quickly see if that person exists on other sites/forums, etc.

Possibly parse their email to do a search for whatever they entered before the @ symbol, and do a google search for that too. That sometimes brings up useful data.

All those searches and the data that can come back can help you discern if the person is real and/or a trouble maker elsewhere, therefore allowing a false-positive to be reversed easily.