Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 3.6 > vBulletin 3.6 Add-ons
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Check Proxy RBL on New User Registration. Details »»
Check Proxy RBL on New User Registration.
Version: 4.1, by DaNIEL MeNTED DaNIEL MeNTED is offline
Developer Last Online: Jul 2014 Show Printable Version Email this Page

Category: Miscellaneous Hacks - Version: 3.6.2 Rating:
Released: 11-17-2006 Last Update: 12-21-2007 Installs: 282
Uses Plugins
 
No support by the author.

Check Proxy RBL on New User Registration Version 4.1

Version 4.1 includes remains unchanged from version 4.0 with the exception of a code fix to deal with an SQL injection security hole in the code.

What does this hack do?

Hooking in at register_addmember_process and register_addmember_complete this hack compares the IP address of the person registering with the Realtime Block List(s) of your choice. Based on your configuration the RBL Checker will then perform one of these actions:
  1. Nothing, the registration continues as normal.
  2. Registration continues as normal, but the user is automatically moved into the "Pending Moderation" group of your choice.
  3. Registration continues as normal, but the user is automatically permanently banned.
  4. Registration is blocked, an error message is displayed to the user.
Please Note: It is strongly recommended that you configure PM or Thread based notification so that you may monitor registrations that are from IPs that are a positive hit on the RBL. Especially if you configure the checker to allow registrations to complete normally.

These options are configurable in AdminCP > Options > DM-RBL Check on Registration.


Why Block Proxies?

Banned and Spammers users often get around IP bans by simply using an open proxy - of which there are thousands - to get around the IP ban. Very few legitimate users slow their surfing by using an anonymous proxy.


How do you Install?
  1. Create a user from which PMs, Posts, etc. will be generated.
  2. In your adminCP obtain values for the "banned" and "pending moderation" groupIDs (Defaults are 8 and 4).
  3. Install the attached product.
IMPORTANT NOTE:You must specify a username if you plan on configuring the AUTOBAN or NOTIFICATION options. Otherwise you WILL get errors.


What is the default config?
By default the RBLChecker will check the IP of a new registration, allow registration to complete, but add the new user to the "COPPA Members Awaiting Moderation" usergroup. You can then approve/reject those members depending on whether you think they are/aren't spammers/trolls.

You can modify the settings in the AdminCP to Ban or Block as you like.


Hack History:

Version 4.1
- Fixed SQL Injection security hole.
- Fixed some minor typos in automatically generated messages.

Version 4.0
- Added ability to specify error reported on blocks.
- Added ability to specify ban reason and custom title.
- Added ability to move users to "pending moderation" group if registration is allowed.
- Updated list of RBLs checked based on testing with lists of "anonymous" proxies.
- Fixed IP address of Notification Posts equalling IP of blocked user. (Now Notification IP = 1.2.3.4)

Version 3.2
- Fixed typo causing blocked registrations to be reported as allowed.

Version 3.1
- change in variable name in v3.0 broke RBL checking. Corrected error.
- match notification now includes the name of the RBL that matches the IP.

Version 3.0
- plugin now fires at "register_addmember_process" allowing the user to completely fill in the form.
- Added the ability to specify more than one RBL.
- Added option to specify whether registration is blocked or allowed to complete.
- Added option to automatically ban registrations that are allowed to complete but have a positive IP match.
- Added option to specify user who is "notifier".
- Added option to specify a forum where a notification thread will be created.
- Added option to supress notification PM / Thread when an IP matches blacklist or known proxy list.
- Added customized error codes for notifications - notification now indicates whether a registration IP has matched the RBL, blacklist, or predefined list of anonymizers.
- Reworded Phrases.
- Removed 10.x.x.x IP from known proxy/anonymizer list.

version 2.0
- Added configuration options under vboptions > DM-RBL Check on Registration.
- Added PM on Block.
- Added option to select RBL.
- Added Custom Whitelist.
- Added Custom Blacklist.
- Added list of free proxies.
- Changed default RBL to sbl-xbl.spamhaus.org
- Added option to enable/disable checking.

version 1.0
- added plugin to check against opm.tornevall.org
- added custom phrase to be reported as error on registration start.


Using this Hack?
If you install this hack please click "Installed" to receive updates.

If you find this hack useful you can always hit that paypal button too...

Supporters / CoAuthors

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #32  
Old 12-12-2006, 09:06 PM
The Finman's Avatar
The Finman The Finman is offline
 
Join Date: Jun 2006
Posts: 78
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DaNIEL MeNTED View Post
Also - I love the Troll Stomper thing, can you shoot me a link to that avatar?
Reply With Quote
  #33  
Old 12-13-2006, 06:03 PM
funkmeister funkmeister is offline
 
Join Date: Oct 2004
Posts: 95
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Can you consider adding an option that when you add an IP address to the Blacklist, you are no longer notified about that IP as attempting to register.

I'm getting bombarded by a few persistant and consistant IP's and since they're now in my Blacklist, I don't care to know about their registration attempts via the PM notifications.

One of them is 216.145.49.15 which resolves to 'snv-global1.corp.yahoo.com' - anyone know if that is a legit one - if so I can add it to my Whitelist. I'm suspicious that it's a bot or something tripping up on it, but I'm not sure.

Thanks in both cases!
Reply With Quote
  #34  
Old 12-13-2006, 07:26 PM
falter falter is offline
 
Join Date: Oct 2004
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Feature Request: The ability to do the checking for DNS BL upon registration, but in a non-blocking mode. That is, give the option for what to do to the admin. I would very much like to do a dry run to see how things lie for me, prior to enabling this in full blocking mode. I had the plugin installed, and it was rejecting some users at login. Yes, they were using proxies, and I can easily add them to the white list, however I'd like to get a baseline without blocking out a lot of users right off the bat.

Until then, I've had to uninstall the plugin.
Reply With Quote
  #35  
Old 12-13-2006, 08:03 PM
DaNIEL MeNTED DaNIEL MeNTED is offline
 
Join Date: Sep 2006
Posts: 152
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It shouldn't block people at login as it only fires at register_start.

I'll look at adding a report/block option.
Reply With Quote
  #36  
Old 12-14-2006, 01:38 AM
falter falter is offline
 
Join Date: Oct 2004
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I couldn't reproduce my users' problem. It might be useful to include the URL that the user was getting blocked on, that way if there is a user who is having a problem, we can better help them.

Also, in the default list of "Known Proxies" is "10.237.44.144", which is an RFC1918 Non-routable ip address (as are 192.168.x.x addresses). It'll never trip, but it's also probably not a good idea to include ip addresses that often exist in corporate private networks.

One more thing (sorry sorry, i know that you do this in your free time, but I want to help you make it the best it can be), The "RBL Match Mask" only allows to match against the first octet (I haven't tested this, but it's what it says). It would be useful if we could provide a list of things to match against. Different DNSBL's return different 127.0.0.x addresses, which indicate the type of host that is matching. From http://www.spamhaus.org/sbl/howtouse.html,
Quote:
127.0.0.2 - Direct UBE sources, verified spam services and ROKSO spammers

127.0.0.4-6 - Illegal 3rd party exploits, including proxies, worms and trojan exploits
and for NJABL (dynablock.njabl.org):
http://www.njabl.org/use.html
Quote:
# 127.0.0.2 - open relays
# 127.0.0.3 - dial-up/dynamic IP ranges *
# 127.0.0.4 - Spam Sources
This will include both commercial spammers as well as some dial-up direct-to-mx spammers and open proxies as it's not always possible to differentiate between these sources. For commercial spammers, once we have spam on file from some of their IPs, we may add their entire IP range if it can be reliably determined.
# 127.0.0.5 - Multi-stage open relays
Before adding multi-stage open relays to our list, we make an attempt to notify the NIC contacts for their IP space and give them at least one week to fix their systems. This type is deprecated. We no longer list multi-stage open relays.
# 127.0.0.6 - Passively detected "bad hosts"
These hosts have done things a proper SMTP server should not do. They're very likely to be spam proxies. We can't say much more about this. No supporting evidence is made available for listing these IPs.
# 127.0.0.8 - Systems with insecure formmail.cgi or similar CGI scripts which turn them into open relays
This includes the output IP when a server with an insecure formmail CGI smarthosts outgoing email through another server or servers.
# 127.0.0.9 - Open proxy servers
I'm only interested in blocking Open proxies/relays, and not spam hosts (127.0.0.4) nor dial-up/dynamic IP ranges (127.0.0.3).

I think it's dangerous just to blindly use a DNSBL without making sure that you want to block everything it has to offer. In the context of a bulletin board system, you might not want to block the same hosts that you'd block in the context of an anti-spam system.
Reply With Quote
  #37  
Old 12-14-2006, 05:15 PM
DaNIEL MeNTED DaNIEL MeNTED is offline
 
Join Date: Sep 2006
Posts: 152
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have removed the 10. IP from the list of "known proxies" .. I suspect that was a typo on my part. The RBL mask currently only matched the first octet because various RBLs have various return codes - all varieties of 127.0.0.x

If you want to be granular to the point of the last octet then the benefit of using more than one RBL - which was requested by several people - goes out the window as no 2 RBLs tend to use the same definitions.

I - for one - am looking at a more "inclusive" matching pattern. That being I would rather block people that shouldn't be than allow trolls in... the function of a whitelist allows you to specify IPs that are erroneously getting blocked.
Reply With Quote
  #38  
Old 12-14-2006, 05:45 PM
DaNIEL MeNTED DaNIEL MeNTED is offline
 
Join Date: Sep 2006
Posts: 152
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by funkmeister View Post
Can you consider adding an option that when you add an IP address to the Blacklist, you are no longer notified about that IP as attempting to register.
Added... see v3.

Quote:
Originally Posted by The Finman View Post
My only recommendation would be maybe an option that let you designate a post notification in the forum choice of the Admin (such as a Private Forum for mods and/or admins), instead of the PM notifiications. The AE multiple account detector does that.
Added... you can now have a PM, a new thread, or both...

Quote:
Originally Posted by MimeSong Erk View Post
I too would really like to see a blocked-ip-to-post feature, if another signature on the list helps any.

Ed; Knowing nothing about proxy RBLs, I have to ask - why not make it possible to list multiple RBLs, so we don't have to rely on just spamhaus or just another one, when we could just stick multiple servers up? I don't claim to be a pro, but I would expect that blocking the same IP twice because of duplicate entries would not have any effect.
Multiple RBLs added as well... bear in mind it has to do a reverse IP lookup at each one you list...

Quote:
Originally Posted by The Finman View Post
Hey Daniel,

Thought you users might get a chuckle out of the way I set it up.

I created a user called "Troll Stomper" and he's set up as the chosen "informant" member for both your Proxy RBL Checker and the Multiple account login detector (AE Detector).

Now whenever your Proxy RBL Checker detects either someone using a proxy, or a spam bot trying to register...our Mods get this PM.

My Mods also had a suggestion that doesn't seem that relevant to me, but they said they would like to know what username the person or bot tries to use. I don't see how that info would be very relevant, but they indicated they would like it as it would help them recognize a problem user if they do manage to switch their IP into one that was not listed (basically recognizing them if they try using the same username).
I like that VERY much. Will be configuring the same thing on my forum. Added the option to select a "source" user for notifications by username. The alerts now include the username and email as well as the IP.

Quote:
Originally Posted by MimeSong Erk View Post
I really want the username and email the blocked IP tried to register from to be included in the PM. Actually, the way I want it to work is for a new thread to be created in a specified forum. In the first post of the thread would be the IP as well as the hostname the IP resolves to, the username and email address the IP tried to register with, and the blacklist that pegged the IP.

Subsequent registration attempts from the same IP would appear as replies in the thread and would only list the username and email the IP tried to use.
I may look at that for an extra "feature release" ... say v3.5. Right now it will create a thread or PM with the username and IP.

Thanks for all the positive feedback guys... what started as a quick and dirty hack for my own forum is actually getting to be a decent hack.
Reply With Quote
  #39  
Old 12-14-2006, 06:06 PM
falter falter is offline
 
Join Date: Oct 2004
Posts: 24
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DaNIEL MeNTED View Post
I have removed the 10. IP from the list of "known proxies" .. I suspect that was a typo on my part. The RBL mask currently only matched the first octet because various RBLs have various return codes - all varieties of 127.0.0.x

If you want to be granular to the point of the last octet then the benefit of using more than one RBL - which was requested by several people - goes out the window as no 2 RBLs tend to use the same definitions.

I - for one - am looking at a more "inclusive" matching pattern. That being I would rather block people that shouldn't be than allow trolls in... the function of a whitelist allows you to specify IPs that are erroneously getting blocked.
First, I appreciate the update, I'll give it a try as soon as I get a chance.

How about this idea:
It could come, preconfigured, with a good number of common SBLs. For each of these, the admin has the ability to choose open proxies, spammy servers, dial-up networks, etc etc. Additionally, give the ability to add their own SBLs with their own options for matching against there.

I think it might give many admins a false-sense of accomplishment once they install this and start blocking lord knows what, but believe that they're only bad things (The plugin name says block proxies, but in reality it is blocking far more than just proxies). It's widely known that large American broadband networks are responsible for a great deal of spam, and a good number of these block-lists include those subnets. I'm afraid of doing a disservice to the users if we choose to just blindly block everything. I think that for this plugin to truly be successful, the admin should be able to finely tune what is and isn't blocked. If you've got a forum with tens of thousands of users, with hundreds of signups a day, whitelisting things would be almost certainly unmaintainable.

As for trolls and whitelisting, how are you going to know if someone is a troll or not before they've even posted anything? What indicators should be used to go ahead and whitelist one IP over another? I think that in order for our individual communities to grow, it's like dealing with spam in that it's important that we make sure that all the good guys can get in, even if that means some cruft gets in on occasion. I'd rather ban 2 or 3 trolls a month, than waste my time trying to figure out if 233.44.23.XX is going to be a troll or not, over and over and over again.
Reply With Quote
  #40  
Old 12-14-2006, 08:20 PM
The Finman's Avatar
The Finman The Finman is offline
 
Join Date: Jun 2006
Posts: 78
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DaNIEL MeNTED View Post
Added... see v3.



Added... you can now have a PM, a new thread, or both...



Multiple RBLs added as well... bear in mind it has to do a reverse IP lookup at each one you list...



I like that VERY much. Will be configuring the same thing on my forum. Added the option to select a "source" user for notifications by username. The alerts now include the username and email as well as the IP.



I may look at that for an extra "feature release" ... say v3.5. Right now it will create a thread or PM with the username and IP.

Thanks for all the positive feedback guys... what started as a quick and dirty hack for my own forum is actually getting to be a decent hack.
WhoHoo!!

Thanks Daniel!
Reply With Quote
  #41  
Old 12-14-2006, 09:19 PM
funkmeister funkmeister is offline
 
Join Date: Oct 2004
Posts: 95
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by DaNIEL MeNTED View Post
Added... see v3.
Thanks for adding my requested feature. Installing now!
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:43 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05395 seconds
  • Memory Usage 2,340KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (11)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete