Go Back   vb.org Archive > vBulletin Modifications > vBulletin 3.8 Modifications > vBulletin 3.8 Add-ons
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Hidden Image Checker by BOP5 for VB 3.x and VB 4.x (Stop Cookie Stuffing!) Details »»
Hidden Image Checker by BOP5 for VB 3.x and VB 4.x (Stop Cookie Stuffing!)
Version: 1.02, by BirdOPrey5 (Senior Member) BirdOPrey5 is offline
Developer Last Online: Aug 2023 Show Printable Version Email this Page

Category: Moderators Functions - Version: 3.8.x Rating:
Released: 03-31-2012 Last Update: 04-11-2012 Installs: 28
Supported Uses Plugins Auto-Templates
Translations  



Version 1.02 - Compatibility fix for dbtech Advanced Thanks/Like mod
Version 1.01 - Bugfix for post counts over 1000
Version 1.0 - Initial Release

Also available on Qapla.com.

For some time now a new type of "Spammer" has been hitting forums. These "spammers" are not as obvious as those trying to make links or sell cheap Viagra. These new spammers use a technique called "Cookie Stuffing" which can make them a lot of money if you don't notice what they've done.

Cookie stuffing is when a malicious user posts a hidden (clear) image in a post. Although you may never see the image it actually links to a location that will set a cookie on the browser of everyone viewing the post. In the cases of cookie stuffing this is almost always a cookie that contains their affiliate code for a site like Amazon or eBay. If anyone on your forum should go on to buy something from Amazon.com later in the day the spammer will get a credit from Amazon because your user has the spammer's cookie on their computer.

At best this allows the spammer to make money off your unsuspecting users. At worst it is taking money away from you if you had your own affiliate cookie (legitimate) it may get over-ridden by the spammer's cookie.

There is no built in means for detecting small transparent images in vBulletin. This mod will show a banner notice under every post by a "new" user reporting the number of images in the post (if any). It only takes a second to scan the post and make sure the number of images reported, matches the number of images you see.

So next time a spammer tries to hide a small clear image in a post you or your mods will see a big yellow notice below the post that it contains an image- allowing you or your staff to take appropriate action. (Usually deleting the post and banning the user.) [Mod functions not part of this modification.]

However since it would get annoying to see these big yellow banners under every post that contains images the mod lets you limit seeing banners to only "new" users- You can choose a minimum post count or # of days registered before the user who posted is not considered new anymore.

In addition you can choose trusted usergroups that will never have their images counted regardless of their number of posts or days registered.

This mod contains both the VB 3.x and VB 4.x version in the same .xml file. It has been tested on VB 3.8.7 and VB 4.1.10 and VB 4.1.11 but it should work on all VB versions from at least 3.7 through 4.1.x and beyond. Feel free to try on earlier versions and let me know if you run into an error.

This mod DOES NOT count attachments or smilies as images since they are safe from cookie stuffing. Only remotely linked images using the [img] BBCode will be counted.

See screenshots for examples.

Please Mark as Installed if you use this.
Donations always appreciated. :up:

Download Now

File Type: zip Hidden Image Check by BOP5v102.zip (5.1 KB, 70 views)

Screenshots

File Type: jpg hiddden_img_check_settings_short.jpg (114.9 KB, 0 views)
File Type: jpg hiddden_img_check_vb3_post.jpg (54.7 KB, 0 views)
File Type: jpg hiddden_img_check_vb3_prepost.jpg (69.2 KB, 0 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
2 благодарности(ей) от:
cstreater, vijayninel

Comments
  #12  
Old 05-06-2012, 03:28 PM
cstreater cstreater is offline
 
Join Date: May 2010
Posts: 48
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This has become a huge problem in the last few months. I've been using another technique to auto moderate these posts, because if this "image" displays before the mods see it, the stuffer has already accomplished what they set out to accomplish, to at least some victims. I have the mods clear their cookies and cache after they've reviewed the moderated post, because doing so stuffs their browser too. I might add your plugin as another layer of protection.

If I'm reading your description correctly, you cannot add an additional option to auto moderate these, is that correct? Despite what I said about having my own technique, I think your mod + that capability would work even better.

Some others notes:

If this hooks into new post_process, does it see the quoted portion of a post as well? They are quoting valid posts and inserting them there.

They don't always use broken image links. They are embedding a link that resolves to a standard looking vBulletin smiley, and displays as such, but there's actually a PHP script that's being run in the process. Tip: don't use standard vBulletin smilies and convert what you have to PNG's. <some domain>/happy.gif is the most common. I believe the use of the GIF extension is what is enabling them to run scripts via these images.

Use relevant replacements to replace known cookie stuffer domains with something else. Not only will this block future attempts from these domains, it will also clean up existing posts.

They will try to get this on one page of every thread. That increases the possibility that a Google click through will be successful in the event what the searcher is looking for is on a specific page of your thread (other than page 1)

There's another technique that's being used to inject this in these into these into the footer template.
If you want to stay on top of their techniques, read the places they hang out. Search Google for blackhatseo and cookie stuffing. Their are even YouTube instructional videos on how to cookie stuff.

Edit your reportpost_newthread phrase to wrap quoted posts with no parse tags. This will help you see the domain better, so the URL tag doesn't mask it. Do the same with infraction_thread_post. Otherwise, the mods can't see the offending link without editing the post.

If you're an admin, create new infraction types (e.g., cookie stuffing) That way you can quickly look through the reports and infractions forum and review these yourself. I have a pretty large board, so this makes it easier for me to manage.

This article best describes every technique under the sun:
[url]http://www.esrun.co.uk/blog/cookie-stuffing/[/url]

If you run a large board, and are just reading this for the first time, there's a good chance your forum already has a lot of these. Once you clean them up, and put some protection mechanisms in place, it's unlikely you will see these show up in someone who has more than a 15 posts.

Use BOP's plugin to block members with less than <x> posts from using signatures. They are sticking them there too. I would link everyone, but I'm typing all this from a phone.

At one point, I think they were using spam bots to cookie stuff. The posts would often consist of only text that said "great information" or something of not much substance. Now there are live human beings that are on topic and are fitting in with regular members.

I have some more insightful tips info, and what I do to control this, but I actually think they read these forums and I'm not giving my secrets to them

Keep in mind, this problem doesn't just exist in your forum. It's all over blogs, and even sites that might look legitimate. I clear my cookies constantly now.

Sorry for hijacking your thread, but this has been a huge nuisance.
Reply With Quote
Благодарность от:
BirdOPrey5
  #13  
Old 05-06-2012, 03:48 PM
BirdOPrey5's Avatar
BirdOPrey5 BirdOPrey5 is offline
Senior Member
 
Join Date: Jun 2008
Location: New York
Posts: 10,610
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

cstreater,

Thanks for the detailed info. You are correct this mod will NOT auto-moderated a post.

It requires a human to make sure the count of images matches the number of images the user sees.

What is that if someone does use a fake smiley that smiley will count as an image and this mod will display it's warning banner. If they had used a real forum smiley this mod will ignore it and there would be no banner.

So, in summary, if you see the warning banner and only a default smiley in the post- that is very suspicious and should probably be deleted.
Reply With Quote
  #14  
Old 05-07-2012, 08:54 PM
Webdude? Webdude? is offline
 
Join Date: Jan 2002
Posts: 48
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Back in the day, they used to hide warez within images and put them on a webhost. Most of the time they were broken images, but if they took enough time, would be a tiny image like a smiley, but which had a huge file size. We had a script on cron that would scan real late at night, find and report these images. It is possible to have php review the code of the actual image and look for domains in that code. No image should have any domain such as 'amazon' within it's code. Take any image and open it with wordpad. Now find a cookie stuffer image and do the same. You will know what your addon needs to do after seeing that. All it really has to do is look for certain words in the image code, or you can give that option to the forum owner to insert what keywords he would like the addon to check for in the image code.
Reply With Quote
  #15  
Old 05-07-2012, 10:11 PM
BirdOPrey5's Avatar
BirdOPrey5 BirdOPrey5 is offline
Senior Member
 
Join Date: Jun 2008
Location: New York
Posts: 10,610
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

That's a good idea for a mod Webdude... it won't be part of this one as it would involve very different code and setup but I will do some investigation and see what can be done.
Reply With Quote
  #16  
Old 06-11-2012, 10:13 AM
Spinball's Avatar
Spinball Spinball is offline
 
Join Date: Feb 2002
Location: Telford, England
Posts: 705
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Is it possible to only show this alert to certain user groups? I don't want regular members seeing it.
Reply With Quote
  #17  
Old 06-11-2012, 10:20 AM
BirdOPrey5's Avatar
BirdOPrey5 BirdOPrey5 is offline
Senior Member
 
Join Date: Jun 2008
Location: New York
Posts: 10,610
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes, the built in option Show Report Usergroups controls what usergroups see the notices.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:15 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04545 seconds
  • Memory Usage 2,305KB
  • Queries Executed 22 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (7)post_thanks_box
  • (3)post_thanks_box_bit
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit
  • (7)post_thanks_postbit_info
  • (6)postbit
  • (4)postbit_attachment
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete