Administrative and Maintenance Tools - vbStopForumSpam

At the point of user registration, the mod checks if the IP number / provided username / email addresses appear on a block list and can block the registration. This queries the StopForumSpam database (where I am a coder and administrator) to see if a new users IP address/email address/IP number are listed as known spammer sources.

Whilst this isnt the most perfect way to stop all forum spam, its another step that spammers have to overcome.

What it does

It checks with a remote database of known forum spammers. Their IP number, email address and forum username are tested and based on your configuration, you can reject / log / accept user registrations based on what you get back.

This version doesnt have
- whitelisting or the ability to submit users to the database but it will within the next week.
- automatic user deletion / post / PM purging. There are good tools out there already, this does something else.

Currently, I would say this is an beta codebase. Please treat it as such.

Instructions are included in the installation.txt file - PLEASE read it first and dont forget to actually upload the files in the upload folder, otherwise it WILL kill your registration progress and you wont see the log file options in admincp.

This is the exact same version that is on the 3.6 forums because it works with 3.54 to 3.84 (at time of wriing, the latest version)

Changes to vB
- 3 new database tables
- 2 database table alternations
- No new templates.
- 2 Hook (register_addmember_process & register_addmember_complete)

Known to work - tested by me
- vBulletin 3.6.8 on Apache 2.2 / PHP 5.1.2 on Linux using cUrl
- vBulletin 3.7 Gold on Apache 2.0 / PHP 4.4.3 on Windows without cUrl (template changes wont work on 3.7 - thats in the next version with auto template changes)

For code to submit spammers to the database, check this post for code changes
https://vborg.vbsupport.ru/showp...&postcount=288

Reported in the thread to work
- 3.5.4 3.6.1, 3.6.2, 3.6.9, 3.6.10, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.74, 3.80, 3.81, 3.82, 3.83, 3.8.4

Installers should remember to refresh their ACP navigation window when they first install it so they can see the new log file menu item.

REQUIRES MySQL 4.1.1+

If you want to submit data directly from the user admincp to the database, then you can install an addon mod (Coded by Wired1) here https://vborg.vbsupport.ru/showpost....&postcount=288

You need to have an API key from www.stopforumspam.com in order to submit data, its free and easy to get... The code above is a quick hack that changes the pages "form" so that it submits to the database. As its a quick hack, this relies 100% on javascript being enabled and makes no tests that it is enabled.

Please click Installed

[noj75]

Installed this last night.
Checked the log this morning and 31 spammers had been blocked. I am so very impressed with this mod.

Thank you Pedigree, excellent work!

Nominated for MOTM!

[Dunhamzzz]

I've had this mod for a while now (almost a year), but over the last few days I've had quite a few emails from real people who have been unable to register because the plugin has blocked them, this is happening on all my forums.

I'm temporarily removing it...

[DanGarion]

It appears that the www.StopSpamLinks.com is dead...

[pforums]

Thats cause it's http://www.stopforumspam.com/

[bobnv]

Have an interesting issue. We have this installed on two separate forums, all seems to work well a far as programs operation but on one install "Prune vbStopForumSpam Logs" was installed under the log section and on the other forum, it was not installed. The installations were done by two separate people, could it be that something was missed in the uploads on the one missing the prune section?

BTW, have had this mod installed on one forum for about 6-7 weeks and the log is up to 3300+ the only spammers that get through are the ones that have fresh clean emails and IP's, but that's not many.

[Zookie]

REALLY NICE! Just installed to my vBulletin 3.8.5 and looks like a real winner. However...

I was thinking that leaving the User name check enabled would be a problem as I suspected that common user names would get flagged. For instance, if someone tries to use "Fred" they should get flagged according to http://www.stopforumspam.com/api?username=Fred. I tried testing this by registering a new user with the name Fred and it was allowed even though I have User name checking enabled and the above URL suggests that it should have been blocked. So maybe I'm not understanding how this works...

[Cindyl10]

We have been being attacked for the last month and now they have begun to try and hack into our board since they haven't been able to get through our registration blocks to prevent spammers and trolls. I am running vBulletin 3.8.6 Patch Level 1 and I have spoken to our host and they have suggested I contact vbulletin which I'm trying to do but I also thought I should let you all know what's going on too as if they are able to hack me, they can then hack anyone with this mod. Here is all the info I have on it which I gave to my host

Quote:

We've been being spammed a lot and had to install a program that rejects spammers registrations as we were getting something like 100 a day. Well one person who was rejected keeps coming back to the board and when I look to see what he's doing, it says "modifying his profile". I wasn't to worried about it since I didn't think there was anything he could do to cause the site to accept his registration anyway, but each time he does it I get a database error and it looks to me like he is trying to force the board to add him as a member. This is what the error says:

Database error in vBulletin 3.8.6:

Invalid SQL:
SELECT DATEDIFF(NOW(), '2010-07-27 20:18:50') AS DAYS;;

MySQL Error : MySQL server has gone away
Error Number : 2006
Request Date : Tuesday, July 27th 2010 @ 09:56:19 PM
Error Date : Tuesday, July 27th 2010 @ 09:57:14 PM
Script : http://www.fresh-hope.com/forums/reg...p?do=addmember
Referrer : http://www.fresh-hope.com/forums/register.php?
IP Address : 94.23.18.220
Username : Naramoria
Classname : vB_Database
MySQL Version :

***************

In the line that says script is a link and at the end of the link it says: " do=addmember" which is what made me think this... Is this troll a possible hack attempt do you think or am I being paranoid?

Quote:

Hello Cynthia,

Thank you for contacting support.

It does appear that he may be attempting to use SQL Injection, however as long as your forum software is up-to-date and the latest version is installed you should certainly be safe. However, if you would like we can ban 94.23.18.220 from the server, so this way it will ensure he can't access the site or attempt any further malicious injections.

regards,
Melissa

I had them go ahead and do that. But it happened again today:

Quote:

It's happening again I'm afraid. The people who are attacking us seem very stubborn. The biggest problem is that they're pro's and constantly switch their IP's. That's why we had to install the two programs we did to intercept them. We installed them a week ago on July 23rd and since then the programs have rejected 409 registrations as spammers.

This error message is slightly different though. Here is a copy of it:

Database error in vBulletin 3.8.6:

Invalid SQL:
INSERT HIGH_PRIORITY IGNORE INTO vbstopforumspam_remotecache (date, data, spambot, field) VALUES (now(), 'martinkiday', '0', 'username');;

MySQL Error : MySQL server has gone away
Error Number : 2006
Request Date : Friday, July 30th 2010 @ 05:31:02 AM
Error Date : Friday, July 30th 2010 @ 05:32:20 AM
Script : http://www.fresh-hope.com/forums/reg...p?do=addmember
Referrer : http://www.fresh-hope.com/forums/register.php?
IP Address : 89.212.200.113
Username : martinkiday
Classname : vB_Database
MySQL Version :

I meant to add that one thing that concerns me now is that they've obviously figured out what the main program we're using to defeat them is: vbstopforumspam

Quote:

Hello Cynthia,

Thank you for your reply.

From the SQL code, it appears they are attempting to inject into the caching system. Honestly, I would strongly suggest providing those results to vBulletin, as the developers would be the best people to tell you whether you are safe from those specific attacks or not. I know from experience that vBulletin is kept up to date regularly and is protected by these type of attacks, however it certainly doesn't hurt to get a second opinion from the source itself .

Please let us know if there is anything further we may assist you with from here.

regards,
Melissa

Please let me know if perhaps you guys can help me and if my board is safe...

[Cindyl10]

Quote:

Originally Posted by Cindyl10

We have been being attacked for the last month and now they have begun to try and hack into our board since they haven't been able to get through our registration blocks to prevent spammers and trolls. I am running vBulletin 3.8.6 Patch Level 1 and I have spoken to our host and they have suggested I contact vbulletin which I'm trying to do but I also thought I should let you all know what's going on too as if they are able to hack me, they can then hack anyone with this mod. Here is all the info I have on it which I gave to my host

Quote:

Quote:

I had them go ahead and do that. But it happened again today:

Quote:

Quote:

Please let me know if perhaps you guys can help me and if my board is safe...

Just this morning I discovered that I had yet another database error like the above one and when I checked the "member" who had just registered seems to be legit according to everything I can find out about them, so now I am really really confused! I know for a fact that the above two times were spammers/potential hackers but this time this person seems to be a perfectly legit registration and I doubt if they'd know how to do this... I'll share a copy of the error but I'm just very confused and don't understand any of this as this one looks more like the vbstopforumspam program itself might be responsible for these errors....

Database error in vBulletin 3.8.6:

Invalid SQL:
INSERT HIGH_PRIORITY IGNORE INTO vbstopforumspam_remotecache (date, data, spambot, field) VALUES (now(), 'mr_nazarene', '0', 'username');;

MySQL Error : MySQL server has gone away
Error Number : 2006
Request Date : Friday, July 30th 2010 @ 09:32:00 PM
Error Date : Friday, July 30th 2010 @ 09:32:54 PM
Script : http://www.fresh-hope.com/forums/reg...p?do=addmember
Referrer : http://www.fresh-hope.com/forums/reg...hp?do=register
IP Address : 64.134.158.177
Username : mr_nazarene
Classname : vB_Database
MySQL Version :

Please help me to determine if my board is safe and what is causing this database error.

[KProjects]

Have you looked in the logs that vbstopforumspam keeps (bottom of your admincp in statistics and logs) to see if there are others that aren't causing this error?

Are you getting the 'mysql server has gone away' errors for other pages on your site also?

If it let the last one - mr_nazarine - register, try PMing him to see if he's real..

[Cindyl10]

Yes I have looked through the logs. Nothing seems to cause this error. The first two errors were made by a person who's registration was denied (a lot of times lol) and he was obviously trying to bypass it. When I would look to see what he was doing on the board after his registration was denied it would show him "modifying or editing his profile". It would be at that time that I would get those first two error messages I posted.

As for this last error message, the username is shown twice in a row in the log:

Quote:

mr_nazarene 2010-07-30 21:33:59 MDCassens@email.nbc.edu 64.134.158.177 Allowed registration
mr_nazarene 2010-07-30 21:33:09 MDCassens@email.nbc.edu 64.134.158.177 Allowed registration

but only shows up as once in the members list and the new registrations list. I checked them out very thoroughly and can't find anything to indicate that they are trolls or spammers or anything other then a regular person who wants to join us... in fact they appear to be a pastor.

The only other "oddity" that was somewhat like this that I've seen happened yesterday. Again someone registered and seemed "normal". (they have since posted and are fine) This is how their registration shows up in the logs:



What is weird is that the only thing that showed up in my member list or new registrations was the last one; none of the other three did...

It has let through only two that I determined were trolls and banned, but those two were only listed once when on the logs such as:

Quote:

Tanichi 2010-07-28 17:49:29 acneinfo@zenmed.eu 188.153.53.2 Allowed registration

Yet when I looked in new registrations that name isn't there; when I do a search they don't exist. I assumed for lack of a better explanation that when vbStopForumSpam approved them that my other program Auto-Moderate Evading Banned Members caught them and disallowed them... but I have no way of knowing as there are no logs for that program...at least none that I can find... Thank you for your help!