Miscellaneous Hacks - Check Proxy RBL on New User Registration.

Check Proxy RBL on New User Registration Version 4.1

Version 4.1 includes remains unchanged from version 4.0 with the exception of a code fix to deal with an SQL injection security hole in the code.

What does this hack do?

Hooking in at register_addmember_process and register_addmember_complete this hack compares the IP address of the person registering with the Realtime Block List(s) of your choice. Based on your configuration the RBL Checker will then perform one of these actions:

1. Nothing, the registration continues as normal.
2. Registration continues as normal, but the user is automatically moved into the "Pending Moderation" group of your choice.
3. Registration continues as normal, but the user is automatically permanently banned.
4. Registration is blocked, an error message is displayed to the user.

Please Note: It is strongly recommended that you configure PM or Thread based notification so that you may monitor registrations that are from IPs that are a positive hit on the RBL. Especially if you configure the checker to allow registrations to complete normally.

These options are configurable in AdminCP > Options > DM-RBL Check on Registration.


Why Block Proxies?

Banned and Spammers users often get around IP bans by simply using an open proxy - of which there are thousands - to get around the IP ban. Very few legitimate users slow their surfing by using an anonymous proxy.


How do you Install?

1. Create a user from which PMs, Posts, etc. will be generated.
2. In your adminCP obtain values for the "banned" and "pending moderation" groupIDs (Defaults are 8 and 4).
3. Install the attached product.

IMPORTANT NOTE:You must specify a username if you plan on configuring the AUTOBAN or NOTIFICATION options. Otherwise you WILL get errors.


What is the default config?
By default the RBLChecker will check the IP of a new registration, allow registration to complete, but add the new user to the "COPPA Members Awaiting Moderation" usergroup. You can then approve/reject those members depending on whether you think they are/aren't spammers/trolls.

You can modify the settings in the AdminCP to Ban or Block as you like.


Hack History:

Version 4.1
- Fixed SQL Injection security hole.
- Fixed some minor typos in automatically generated messages.

Version 4.0
- Added ability to specify error reported on blocks.
- Added ability to specify ban reason and custom title.
- Added ability to move users to "pending moderation" group if registration is allowed.
- Updated list of RBLs checked based on testing with lists of "anonymous" proxies.
- Fixed IP address of Notification Posts equalling IP of blocked user. (Now Notification IP = 1.2.3.4)

Version 3.2
- Fixed typo causing blocked registrations to be reported as allowed.

Version 3.1
- change in variable name in v3.0 broke RBL checking. Corrected error.
- match notification now includes the name of the RBL that matches the IP.

Version 3.0
- plugin now fires at "register_addmember_process" allowing the user to completely fill in the form.
- Added the ability to specify more than one RBL.
- Added option to specify whether registration is blocked or allowed to complete.
- Added option to automatically ban registrations that are allowed to complete but have a positive IP match.
- Added option to specify user who is "notifier".
- Added option to specify a forum where a notification thread will be created.
- Added option to supress notification PM / Thread when an IP matches blacklist or known proxy list.
- Added customized error codes for notifications - notification now indicates whether a registration IP has matched the RBL, blacklist, or predefined list of anonymizers.
- Reworded Phrases.
- Removed 10.x.x.x IP from known proxy/anonymizer list.

version 2.0
- Added configuration options under vboptions > DM-RBL Check on Registration.
- Added PM on Block.
- Added option to select RBL.
- Added Custom Whitelist.
- Added Custom Blacklist.
- Added list of free proxies.
- Changed default RBL to sbl-xbl.spamhaus.org
- Added option to enable/disable checking.

version 1.0
- added plugin to check against opm.tornevall.org
- added custom phrase to be reported as error on registration start.


Using this Hack?
If you install this hack please click "Installed" to receive updates.

If you find this hack useful you can always hit that paypal button too...

[The Finman]

Quote:

Originally Posted by DaNIEL MeNTED

Thanks... I'll look at adding that for the next version.

So far, I've had ten blocks of a persistent troll who appears to be using "Hide My IP" or "Multi-Proxy" to try and get back in as his proxy IPs have been rotating. So far so good...but he's apparently not giving up yet as he spent the entire day yesterday trying to reregister using various proxies without success. All I can say is that he has waaay too much time on his hands.

Thank you to both you and Paul M for your mods!

[MimeSong Erk]

Hi Daniel, hope this is as awesome as it sounds. It looks great as it stands, and should solve my recurring proxy issues... I don't think my members are too creative with their proxy choices, but I guess I am about to find out

I too would really like to see a blocked-ip-to-post feature, if another signature on the list helps any.

Ed; Knowing nothing about proxy RBLs, I have to ask - why not make it possible to list multiple RBLs, so we don't have to rely on just spamhaus or just another one, when we could just stick multiple servers up? I don't claim to be a pro, but I would expect that blocking the same IP twice because of duplicate entries would not have any effect.

[DaNIEL MeNTED]

Quote:

Originally Posted by MimeSong Erk

Hi Daniel, hope this is as awesome as it sounds. It looks great as it stands, and should solve my recurring proxy issues... I don't think my members are too creative with their proxy choices, but I guess I am about to find out

I too would really like to see a blocked-ip-to-post feature, if another signature on the list helps any.

Ed; Knowing nothing about proxy RBLs, I have to ask - why not make it possible to list multiple RBLs, so we don't have to rely on just spamhaus or just another one, when we could just stick multiple servers up? I don't claim to be a pro, but I would expect that blocking the same IP twice because of duplicate entries would not have any effect.

Hey there... I will be adding a "post a thread" option when I update the hack (probably after the holidays as I'm insanely busy with real work (tm) and life in general). I will also be adding an "email" option as well for those that want it.

I haven't considered multiple RBLs but can... It shouldn't be that much effort to code.

The main reason I haven't is that most of the larger RBLs amalgamate the data from smaller ones... so listing 3 or 4 RBLs will get you the result of listing the biggest, most inclusive one.

[MimeSong Erk]

Hi Daniel! No rush vB modding is a hobby after all. I might see if I can cobble something together myself, because my PM box is cramping up a lot.

For people curious about the efficiency of this mod, I have had a reasonable amount of trouble with people from obscure ISP's, particularly one large one in Italy, getting blocked. However, it is very easy to ask them their ISP when they complain, then google the ISP and find out that it is not a proxy. Then I manually create their account via the adminCP, making sure to set the "IP on Registration" as well so it is no trouble to ban them if they act up. It takes about 5 minutes of my time, and it has happened 3 times since I installed. Of those three times, two of the new users bought subscriptions to my site because they were so impressed with the care I took to help them out

If you have an Italian board, I don't recommend this mod. There is a big Italian ISP that is marked by spamhaus because its dynamic IP system can be used by spammers (or something like that. Don't ask me, I'm an English teacher, not an IP person.)

[The Finman]

Hey Daniel,

Thought you users might get a chuckle out of the way I set it up.

I created a user called "Troll Stomper" and he's set up as the chosen "informant" member for both your Proxy RBL Checker and the Multiple account login detector (AE Detector).

Now whenever your Proxy RBL Checker detects either someone using a proxy, or a spam bot trying to register...our Mods get this PM.



He also shows up in the Private Forum if the Multiple Account (AE) Detector gets tripped and posts the alert as a thread.

My Mods also had a suggestion that doesn't seem that relevant to me, but they said they would like to know what username the person or bot tries to use. I don't see how that info would be very relevant, but they indicated they would like it as it would help them recognize a problem user if they do manage to switch their IP into one that was not listed (basically recognizing them if they try using the same username).

Anyway, it's been great as it is not only stopping trolls trying to use proxies to bypass bans, but it's also stopping the spam bots right at the door as well.

[MimeSong Erk]

I really want the username and email the blocked IP tried to register from to be included in the PM. Actually, the way I want it to work is for a new thread to be created in a specified forum. In the first post of the thread would be the IP as well as the hostname the IP resolves to, the username and email address the IP tried to register with, and the blacklist that pegged the IP.

Subsequent registration attempts from the same IP would appear as replies in the thread and would only list the username and email the IP tried to use.

Some of this is within my abilities so if I ever get time (hahahahahaahaha) I will try to set it up myself, but I am at best a no-talent hack at this stuff. I'm not even sure I can get it to detect the name and email

[The Finman]

Quote:

Originally Posted by MimeSong Erk

I really want the username and email the blocked IP tried to register from to be included in the PM. Actually, the way I want it to work is for a new thread to be created in a specified forum. In the first post of the thread would be the IP as well as the hostname the IP resolves to, the username and email address the IP tried to register with, and the blacklist that pegged the IP.

Subsequent registration attempts from the same IP would appear as replies in the thread and would only list the username and email the IP tried to use.

Actually that does make a lot of sense.

That would be awesome!

I think that was what my Mods were asking for...they just didn't state it as clearly as you just did.

[DaNIEL MeNTED]

Hi Guys --

I can look into adding that as a feature for the next run - right now the hack hooks in to register_start which means for anyone who is registering from a blocked IP they don't get to enter ANY information before being blocked.

Now that you mention it... it might be a good idea to let them get far enough to enter a username/email so they can be tracked.

Also - I love the Troll Stomper thing, can you shoot me a link to that avatar?

[sross]

This is just what I was looking for, thanks so much and I hope it helps me a bit..

[MimeSong Erk]

Quote:

Originally Posted by DaNIEL MeNTED

Hi Guys --

I can look into adding that as a feature for the next run - right now the hack hooks in to register_start which means for anyone who is registering from a blocked IP they don't get to enter ANY information before being blocked.

Now that you mention it... it might be a good idea to let them get far enough to enter a username/email so they can be tracked.

Also - I love the Troll Stomper thing, can you shoot me a link to that avatar?

Hooking it later would also make it take longer for people to get to the blocked screen, so they could stop trying 70 times per hour and filling my inbox or the report thread, whichever.