Check Proxy RBL on New User Registration.
Version: 4.1, by DaNIEL MeNTED
Developer Last Online: Jul 2014

Category: Miscellaneous Hacks - Version: 3.6.2 Rating:
Released: 11-17-2006 Last Update: 12-21-2007 Installs: 282
Uses Plugins
 
No support by the author.

Check Proxy RBL on New User Registration Version 4.1

Version 4.1 remains unchanged from version 4.0 with the exception of a code fix to deal with an SQL injection security hole in the code.

What does this hack do?

Hooking in at register_addmember_process and register_addmember_complete this hack compares the IP address of the person registering with the Realtime Block List(s) of your choice. Based on your configuration the RBL Checker will then perform one of these actions:
  1. Nothing, the registration continues as normal.
  2. Registration continues as normal, but the user is automatically moved into the "Pending Moderation" group of your choice.
  3. Registration continues as normal, but the user is automatically permanently banned.
  4. Registration is blocked, an error message is displayed to the user.
Please Note: It is strongly recommended that you configure PM or Thread based notification so that you may monitor registrations that are from IPs that are a positive hit on the RBL. Especially if you configure the checker to allow registrations to complete normally.

These options are configurable in AdminCP > Options > DM-RBL Check on Registration.


Why Block Proxies?

Banned users and spammers often get around IP bans by simply using an open proxy - of which there are thousands. Very few legitimate users slow their surfing by using an anonymous proxy.


How do you Install?
  1. Create a user from which PMs, Posts, etc. will be generated.
  2. In your adminCP obtain values for the "banned" and "pending moderation" groupIDs (Defaults are 8 and 4).
  3. Install the attached product.
IMPORTANT NOTE: You must specify a username if you plan on configuring the AUTOBAN or NOTIFICATION options. Otherwise you WILL get errors.


What is the default config?
By default the RBLChecker will check the IP of a new registration, allow registration to complete, but add the new user to the "COPPA Members Awaiting Moderation" usergroup. You can then approve/reject those members depending on whether you think they are/aren't spammers/trolls.

You can modify the settings in the AdminCP to Ban or Block as you like.


Hack History:

Version 4.1
- Fixed SQL Injection security hole.
- Fixed some minor typos in automatically generated messages.

Version 4.0
- Added ability to specify error reported on blocks.
- Added ability to specify ban reason and custom title.
- Added ability to move users to "pending moderation" group if registration is allowed.
- Updated list of RBLs checked based on testing with lists of "anonymous" proxies.
- Fixed IP address of Notification Posts equalling IP of blocked user. (Now Notification IP = 1.2.3.4)

Version 3.2
- Fixed typo causing blocked registrations to be reported as allowed.

Version 3.1
- change in variable name in v3.0 broke RBL checking. Corrected error.
- match notification now includes the name of the RBL that matches the IP.

Version 3.0
- plugin now fires at "register_addmember_process" allowing the user to completely fill in the form.
- Added the ability to specify more than one RBL.
- Added option to specify whether registration is blocked or allowed to complete.
- Added option to automatically ban registrations that are allowed to complete but have a positive IP match.
- Added option to specify user who is "notifier".
- Added option to specify a forum where a notification thread will be created.
- Added option to suppress notification PM / Thread when an IP matches blacklist or known proxy list.
- Added customized error codes for notifications - notification now indicates whether a registration IP has matched the RBL, blacklist, or predefined list of anonymizers.
- Reworded Phrases.
- Removed 10.x.x.x IP from known proxy/anonymizer list.

Version 2.0
- Added configuration options under vboptions > DM-RBL Check on Registration.
- Added PM on Block.
- Added option to select RBL.
- Added Custom Whitelist.
- Added Custom Blacklist.
- Added list of free proxies.
- Changed default RBL to sbl-xbl.spamhaus.org
- Added option to enable/disable checking.

Version 1.0
- added plugin to check against opm.tornevall.org
- added custom phrase to be reported as error on registration start.


Using this Hack?
If you install this hack please click "Installed" to receive updates.

If you find this hack useful you can always hit that paypal button too...

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#42
12-14-2006, 09:50 PM
The Finman
Join Date: Jun 2006
Posts: 78

Quote:
First, I appreciate the update, I'll give it a try as soon as I get a chance.

How about this idea:
It could come, preconfigured, with a good number of common SBLs. For each of these, the admin has the ability to choose open proxies, spammy servers, dial-up networks, etc etc. Additionally, give the ability to add their own SBLs with their own options for matching against there.

I think it might give many admins a false-sense of accomplishment once they install this and start blocking lord knows what, but believe that they're only bad things (The plugin name says block proxies, but in reality it is blocking far more than just proxies). It's widely known that large American broadband networks are responsible for a great deal of spam, and a good number of these block-lists include those subnets. I'm afraid of doing a disservice to the users if we choose to just blindly block everything. I think that for this plugin to truly be successful, the admin should be able to finely tune what is and isn't blocked. If you've got a forum with tens of thousands of users, with hundreds of signups a day, whitelisting things would be almost certainly unmaintainable.

As for trolls and whitelisting, how are you going to know if someone is a troll or not before they've even posted anything? What indicators should be used to go ahead and whitelist one IP over another? I think that in order for our individual communities to grow, it's like dealing with spam in that it's important that we make sure that all the good guys can get in, even if that means some cruft gets in on occasion. I'd rather ban 2 or 3 trolls a month, than waste my time trying to figure out if 233.44.23.XX is going to be a troll or not, over and over and over again.

You know, I had the exact same concerns when I first installed this hack almost a month ago, and I have carefully examined EVERY alert.

I would take the IP address and I would go over to DnsStuff.com and run it through WHOIS and the Spam Database Lookup, to get a clearer picture of who or what was trying to register.

I run a 10,000+ member board and the only IP denial from the RBL Checker I have ever received that was questionable, was an IP address that was of a grade school that was apparently running a proxy. However the DnsStuff.com Spam Database Lookup had multiple reports from the many various spam monitor services that tended to indicate that even if the school was legit (as it seemed to be), what the school's proxies had been used for apparently wasn't. It's very possible that the school's proxy servers may have been infiltrated and they were being abused without the school even being aware of it.

I also modified the xml file to include a link to the "Contact Us" section of the board I run.

I haven't had anyone contact me except for the troll for which I primarily installed it for...and yes, he was hopping mad that he couldn't get back in using the rotating proxy software he had been able to use to bypass our ban. He literally spent almost two days of what seemed like non-stop trying. That is why I asked Daniel to be able to change the notification system from PMs to a thread (preferably in the private forum for Mods & Admins) notification, as some of my Mods that aren't always around were having their PM boxes filled to the brim, as it took this idiot several days to finally give up.

I actually figured that once I got rid of him that I would disable it...until if I got another problem poster using proxies to bypass our ban again.

Anyway, like I said I monitored the alerts very closely, and from that most of the blocked IPs were from places like India, China, Brazil, Hungary, Saudi Arabia, Russia, etc. Now then you may have members from those countries, but out of our 10,000+ members...none of ours that are legitimate are from those countries. Could there be?...of course, but very doubtful. Now I have several alerts a day from those countries as they are spam bots who normally made it to the Captcha system before getting denied. The Proxy RBL checker now was stopping them at the front door instead, thus triggering an alert.

Also, seeing the sheer amount caused by spam bots was also a real eye opener, as since the new vBulletin 3.6+ version we haven't been getting many spam bots as the new Captcha system has made a big difference.

Anyway, even though it was interesting seeing just how many spam bot attempts were actually made, it was starting to get annoying which is also why I'm glad that Daniel moved the RBL checker back a little bit to "register_addmember_process", thus allowing the Captcha system to deny them...thus cutting down on the alerts.

Anyway, like I said I only installed this mod because of a very determined troll who was using rotating proxies to get back in. I was having to go into either the AdminCP or the server itself (to access my .htaccess forwarding to another place based on IPs) two or three times a day to add whatever new proxy address he was using. It was a real "cat and mouse" game, as I would block him and then he would simply switch IPs and re-register and not only was it annoying, but it was taking up a good bit of my time, as I had to verify that the IP was a proxy or spam IP, and then log in to either the AdminCP or the .htaccess file on the server to ban that IP. Once I got rid of him, I planned to disable this mod, but I decided to leave it on (mostly if he comes back) and monitor it closely. With that one questionable denial, the others have been shown to be either spam or proxy registration attempts.

I think the changes in this updated version of the RBL checker will really give Admins the necessary controls to be either aggressive or lenient in the registration process.

I suggest people who are skeptical like I was, to try it and monitor it and verify the registration information against WHOIS, known proxy and spam lists (such as those at DnsStuff.com). If after examining the RBL Checker Alerts, you think that legitimate users are being denied, then either disable it (like I had planned to do) or simply uninstall it.

I honestly am not trying to be a cheerleader for Daniel or this mod, but I think this approach on an old problem is fresh and unique (I also like Paul M's Real IP Detection for a 1, 2 punch).
#43
12-14-2006, 10:17 PM
DaNIEL MeNTED
Join Date: Sep 2006
Posts: 152

Indeed ... I recommend anyone who isn't sure the RBL is granular enough to not block legitimate users configure the first three options YES - YES - NO and give the blocker a forumid to post reports.

We have not had problems with trolls as yet... although our site has only been open less than 2 months and only has about 1000 users. I'm using the multiple login detector to track when we have more than 1 user @ a given IP but my experience on other boards is that trolls use proxies to get around IP bans... I have seen the same person banned 5 or 6 times in a day, and I have seen registration turned off temporarily to stop trolls from registering... this is much more intrusive than banning their IP and blocking registration from proxies.

I'm a bit of a prick so I have the RBL Blocker configured to block registration... you could easily configure it to allow registration and only change it to block if you start to get a lot of hits in association with troll activity on the board.

In part, allowing the person to get to the "submit" portion of registration also captures any hotmail/etc. addresses they have setup to get around IP/email address bans.

Of course... you will have to manually add those email addresses to the email banning options. The other option would be to enable auto-banning.
#44
12-14-2006, 11:09 PM
DementedMindz
Join Date: Jan 2006
Posts: 1,474

Nice mod. I was wondering, they had a nice way to block anonymous proxies in phpbb via a mod which was pretty nice. Would you be able to see if you can work any of that into this? You can take a look at how it's written here and what it does: http://web-professor.net/wp/2005/05/...mod-for-phpbb/
#45
12-14-2006, 11:28 PM
falter
Join Date: Oct 2004
Posts: 24

Quote:
Originally Posted by The Finman
You know, I had the exact same concerns when I first installed this hack almost a month ago, and I have carefully examined EVERY alert.

Oh, believe me, I understand the full potential of this plugin, in addition to how I might use it effectively (I work in computer security, and actually make use of DNSBLs). My only problem is that the plugin enables people to blindly use DNSBLs, assuming that they are blocking just open proxies, as the title of this entails. I, as an admin, do not want to prevent people coming from IPs associated with SPAM (or other non-proxies), as I am well aware of the fact that the majority of spam in the world comes from hosts and networks that have been compromised by worms.

My suggestion is that if you are going to create a plugin that purports to block Open proxies, and, while it does block open proxies, it also blocks lots of other things, then that's a disservice. I'm erring on the side of caution, here. Upon further investigation of my user who had a problem the other day, according to the DNSBL, she was coming from an IP that had been known to be compromised by a worm. Do I care about that? Not particularly. I only really care about whether or not it's a proxy.

After looking at the link provided by "DementedMindz", I've found that SORBS actually does something right. Check out the link, http://www.us.sorbs.net/using.shtml. I've opted to enable http.dnsbl.sorbs.net, socks.dnsbl.sorbs.net, and misc.dnsbl.sorbs.net, as they are only related to proxies, and nothing else.

Here's the deal: I don't really want to babysit my messageboard by investigating every hit that comes through. If I know definitively that a particular IP is only matching because it hosts an open-proxy, I'm fine with that. I just think that if you're going to do that, you'll end up chasing a lot of wild geese, seeing as the DNSBL that come enabled by default, and have otherwise been recommended, do a lot more than just monitor for open proxies. It's a mis-use of these DNSBLs.
#46
12-14-2006, 11:32 PM
DementedMindz
Join Date: Jan 2006
Posts: 1,474

OK, so you just added them to the Target RBL? Also, is there supposed to be a space between each or a line break? Also check out http://www.us.sorbs.net/using.shtml#largesites for more options, it seems.
#47
12-14-2006, 11:34 PM
falter
Join Date: Oct 2004
Posts: 24

Quote:
Originally Posted by DementedMindz
OK, so you just added them to the Target RBL? Also, is there supposed to be a space between each or a line break?

I did put them in the Target RBL with a newline between each one.

So, for me, it's as follows:

http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
#48
12-14-2006, 11:40 PM
falter
Join Date: Oct 2004
Posts: 24

alternatively, you can use:
proxies.dnsbl.sorbs.net

which points to all three of those systems (it'd also mean one query as opposed to three).
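
The lookup this hack performs, fed with the one-zone-per-line Target RBL list shown in the posts above and mapped to the four outcomes from the first post, as an added Python example (not the hack's own PHP code and not part of any post). The function names, the CIDR whitelist format and the sample DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

# The four outcomes the first post lists (names are illustrative).
ALLOW, MODERATE, BAN, BLOCK = "allow", "moderate", "ban", "block"
DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")

def parse_target_rbl(text):
    """Parse a Target RBL value: one zone per line, blank lines ignored."""
    return [z.strip().rstrip(".").lower() for z in text.splitlines() if z.strip()]

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when there is no answer.
    NXDOMAIN and lookup failures look the same here, so a DNS outage
    fails open (nobody is treated as listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_ip(ip, zones, whitelist=(), resolve=system_resolver):
    """Return (zone, answer) for the first zone listing ip, else None.
    whitelist holds CIDR strings (an assumption about the format)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return None
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # Listings are answered inside 127.0.0.0/8. Any other address
        # (e.g. a resolver that rewrites NXDOMAIN) is not a listing.
        if answer and ipaddress.ip_address(answer) in DNSBL_ANSWERS:
            return zone, answer
    return None

def decide(ip, zones, on_hit=MODERATE, whitelist=(), resolve=system_resolver):
    """Map the lookup to an outcome plus a reason for the notification."""
    hit = check_ip(ip, zones, whitelist, resolve)
    if hit is None:
        return ALLOW, None
    return on_hit, "%s listed in %s (%s)" % (ip, hit[0], hit[1])

# Constructed sample data, not real listings: a dict stands in for DNS so
# the example runs offline. 192.0.2.0/24 is a documentation range.
SAMPLE_ANSWERS = {
    "10.2.0.192.socks.dnsbl.sorbs.net": "127.0.0.3",
    "20.2.0.192.http.dnsbl.sorbs.net": "203.0.113.5",  # not a 127/8 answer
}
TARGET_RBL = "http.dnsbl.sorbs.net\nsocks.dnsbl.sorbs.net\nmisc.dnsbl.sorbs.net\n"

def demo():
    zones = parse_target_rbl(TARGET_RBL)
    return [decide(ip, zones, BLOCK, resolve=SAMPLE_ANSWERS.get)
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the reason string carries the matching zone, a notification built from it tells the admin which kind of list produced the hit.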
#49
12-14-2006, 11:42 PM
DementedMindz
Join Date: Jan 2006
Posts: 1,474

Yeah, my main thing that I really want to block is anonymous proxies as well as other proxies too. Hopefully this will work in doing that. I'm going to try and test it out and see, because I have another script in that's supposed to only work on proxies but anonymous get right by it.
#50
12-15-2006, 12:42 AM
DaNIEL MeNTED
Join Date: Sep 2006
Posts: 152

Quote:
Originally Posted by DementedMindz
OK, so you just added them to the Target RBL? Also, is there supposed to be a space between each or a line break? Also check out http://www.us.sorbs.net/using.shtml#largesites for more options, it seems.

One on each new line...

Quote:
Originally Posted by falter
alternatively, you can use:
proxies.dnsbl.sorbs.net

which points to all three of those systems (it'd also mean one query as opposed to three).

Hmmm... I'll look into SORBS, I might make it the default.
#51
12-15-2006, 12:58 AM
DementedMindz
Join Date: Jan 2006
Posts: 1,474

OK, so is that just going to block all proxies with proxies.dnsbl.sorbs.net? And also, is there any way at all to block anonymous proxies?