Stop Spammer

Started by M-DVD, December 31, 2008, 07:31:43 AM


Kindred

I use BadBehavior, HttpBL/HoneyPot and StopSpammer all combined.
I have also banned all mail.ru addresses.

As I said, after the initial surge/catch, we're down to 3-4 a month
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

snoopy_virtual

#1201
I don't use BadBehavior because I started to see how it works (reading the code) and I saw there were some things inside it that make it not fully compatible with mod httpBL, and I really like that one a lot more.

The author of mod BadBehavior (butchs) has already pointed out to me inside my personal forum one of these problems, but (as I already told him in my forum) I haven't got time just now to sort it. If I ever have some spare time I will do my own version of mod BadBehavior, because I think that's the one that needs to be modified to make them compatible.

In the meantime (as I also told butchs in my forum), if he thinks it is mod httpBL the one needing a change and it's as easy to do as just adding a die() somewhere, he should do his own version of mod httpBL instead.

Quote: Sorry I should have been more clear: we're getting 50+ registration attempts that are being blocked.

That's exactly what I was saying. Getting 50+ registration attempts a day is too much. I only get 2 or 3 a month.

I have in all my web sites CrawlTrack as a first firewall to stop hackers' attempts (the best one I know so far). But the real version from the official site: http://www.crawltrack.net/ Not any of the modified versions I have seen in other places. The real version works perfectly with SMF (as it does with Mambo, WordPress, Joomla, etc) and doesn't need any modification at all.

And then to stop spammers I use mod httpBL, mod StopSpammer and a couple of good Anti-spam questions.

Quote: We've not really done much more than hard Captcha which I hate, but it's a necessary evil.

I don't like captchas at all.

All the spam-bots I know can sort all the known captchas very easily and they are only a nuisance for humans.

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

lextalionis

Okay, something weird went wrong today.

First the details:
http://www.motleypixel.com
SMF 1.1.13
TP 1 beta 4
Below are packages installed:



**Note, I installed Fight Spam version .1 about a month before Stop Spammer (well over a year ago).  Yes I know it shows running, but I honestly can't say that it's enabled or not.  Basically I have forgotten all it ever did and have just ignored it (it wasn't very good to put it politely).  Just understand that Stop Spammer has worked flawlessly until today.   My last major update or change to the forum was about 6 weeks ago when I jumped from SMF 1.1.11 to 1.1.13.

Installed this mod about a year ago (haven't updated it at all and in my installed packages it just says 2.3).  Up until today it has worked flawlessly...I get about 10 spammers per day.  About twice a week I'll receive a spam post and I'll head to admin center and report these members, delete all posts/topics, and delete their accounts.  Another thing that happens often is that registered spammers in the DB are marked and put into "awaiting approval" so I will clean up that queue weekly too.

So today I received a spam post...actually about 10 spam posts from this user:

cunaa123 Posts: 8 (N/A per day) Position: Newbie IP: 60.177.204.84 Hostname:  84.204.177.60.broad.hz.zj.dynamic.163data.com.cn

So I found the user w/in admin center, checked the checkbox next to the name and reported this user as a spammer...the popup window came up asking if I'm sure I want to do this and I clicked OK.  Then suddenly I was logged out as admin and my account was awaiting admin approval...yep...that's right.  See screen shot below of my account in smf_members table...issue I found is that I, along with all 682 members are now tagged yellow "awaiting approval" which I suspect is a value of 3 in "is_activated".  I changed my value back to 1, repeated the process with user cunaa123 and bam, it happened again.  Now here's the issue, I can reset everyone back to is_activated=1 but I'm unsure if all 682 members are good members...hummm...my initial thought is they should be because all spammer accounts are 1. Reported 2. Posts deleted and 3. Account is deleted.  Here's what seems worrisome...seems anytime I report a member or muck with Stop Spammer, it seems to bounce the used account (admin or moderator) into an awaiting approval state...bad!

Wow, sorry for all the detail.  Would like to ask, what is value 8 for is_spammer?  The screen shot below is my admin account and right now my account shows as white (not spammer) so I assume value 8 is good.  But interestingly enough I check one of the 682 "now" yellow "suspect" members  and their value is 8 too?

Help please :)


snoopy_virtual

@lextalionis

What you are describing there is something we called more than a year ago "the yellow bug" because, under some special conditions, it changes the value for "is_spammer" of all your members to 8 (suspicious) with yellow colour and the value of "is_activated" to 3 (waiting approval).

This bug has been there since M-DVD originally did the mod in 2008 but, as the conditions for it to occur are very rare, nobody had seen it before until I discovered it in February 2010, so it was present in all the mod versions from 1.0 until 2.3.6.

Of course that bug is not present in the versions I have done since then, from 2.3.7 until the more recent 2.3.9.

You can find more information about it in my personal forum:

http://www.snoopyvirtualstudio.com/foro/index.php?topic=296.msg1263#msg1263

Anyway, the first thing you need to do is to change (in all your members) the value of "is_activated" to 1 (normal member) and the value of "is_spammer" to 0 (not spammer).

As it is too slow to do that manually inside the DB one by one, and as (back in Feb 2010) when I was trying to find what was causing this bug I had to do that hundreds of times (every time I checked something new), I created a small script to do that in just a second (with only one click).

You can find that script (called "yellow_bug_medicine") in my forum, but I have also attached it here for you (so you can do it faster).

Just unzip it and read the readme.txt inside it to see how to use it.

After that un-install the version 2.3 you have in your forum and install the new one 2.3.9


lextalionis

#1204
Excellent, thanks for the prompt reply.  I will do as you say and report back later.

Okay I'm back up...2.3.9 seemed to install properly...I registered a new API since I didn't know how to retrieve my original one.  Only thing that seems different is now when I report that member it gets submitted fine because I see the member in my stop forum spam account, but the member details in my forum in admin/members didn't update to red right away (automatically), instead I had to then click "check members" and that went out and updated the user to red...is this normal?

I will also install and use httpBL as it seems good as a secondary backup.

Thanks,
Roy

busterone

I can affirm httpBL as a good move. The two mods work fantastic together, and I have never seen a conflict between them.

As a second bonus, by installing a honeypot (to use with httpBL), the honeypot helps catch all kinds of nasties. Just blocking spammers from your forum is a good thing, but helping catch them is even better.  :)

snoopy_virtual

Quote from: lextalionis on March 22, 2011, 10:58:55 AM
Only thing that seems different is now when I report that member it gets submitted fine because I see the member in my stop forum spam account, but the member details in my forum in admin/members didn't update to red right away (automatically), instead I had to then click "check members" and that went out and updated the user to red...is this normal?

Read from reply #1192 to reply #1195

We are still testing the file I attached there, so I am not sure if it's good enough, but it seems to sort that problem.


żεχเ๏ภ

I would like to thank the creator of this mod and all those who have done work and continue to do work on it!


A spambot got past my hard captcha, random security questions, and forum firewall! But wasn't able to sneak past stop spammer!  :)

Thank you stop spammer.

Angie on Dialysis

Quote from: snoopy_virtual on March 22, 2011, 10:53:02 AM
What you are describing there is something we called more than a year ago "the yellow bug" because, under some special conditions, it changes the value for "is_spammer" of all your members to 8 (suspicious) with yellow colour and the value of "is_activated" to 3 (waiting approval).

This bug has been there since M-DVD originally did the mod in 2008 but, as the conditions for it to occur are very rare, nobody had seen it before until I discovered it in February 2010, so it was present in all the mod versions from 1.0 until 2.3.6.

Of course that bug is not present in the versions I have done since then, from 2.3.7 until the more recent 2.3.9.

Looks like I wasn't the only one to get that "Yellow Bug" in March this year. :)

Like the name (medicine) by the way ;)

Also thanks to you Snoopy I am getting more confident in uninstalling old versions and putting in the latest. I upgraded one of the forums with the version susceptible to the bug just today and all went fine.

snoopy_virtual

@Angie

As you saw when we were doing it through TeamViewer, it's very easy to update a mod using the Packages Manager when there are no errors.

And even when there are errors, it tells you what file is the one with the problem.

If you get any errors when updating a mod in any of your forums give me a call again through Skype and we will sort it.


Angie on Dialysis

Quote from: snoopy_virtual on March 25, 2011, 09:08:37 AM
@Angie

As you saw when we were doing it through TeamViewer, it's very easy to update a mod using the Packages Manager when there are no errors.

And even when there are errors, it tells you what file is the one with the problem.

If you get any errors when updating a mod in any of your forums give me a call again through Skype and we will sort it.

Gracias Snoopy :) (Did I spell thank you correctly this time? lol)

butchs

#1211
Quote from: snoopy_virtual on March 21, 2011, 02:18:38 PM
I don't use BadBehavior because I started to see how it works (reading the code) and I saw there were some things inside it that make it not fully compatible with mod httpBL, and I really like that one a lot more.

That is not true.  There is no incompatibility.  They work fine together; it is just that BB is catching some of your table scraps.

BB code is now loaded after your mod in SMF, so if there was a bad bot your mod should block them and the bot should never be seen in that hit.  Since the bot you try to block makes it to BB mod that means your mod is not fully blocking what it should block every time.

I tried to explain that it seems that you failed to stop code execution in your warning page.  Hence your mod will try to block and log a spammer, the code will still execute and BB just may catch it (if it meets the criterion).  This could be a bot trick but I was not the first one to see it and will not be the last.

"die();" the line before "?>" is all I recommend you try.  How hard is that?

Quote from: snoopy_virtual on March 21, 2011, 02:18:38 PM
The author of mod BadBehavior (butchs) has already pointed out to me inside my personal forum one of these problems, but (as I already told him in my forum) I haven't got time just now to sort it. If I ever have some spare time I will do my own version of mod BadBehavior, because I think that's the one that needs to be modified to make them compatible.

I am not the core author of BB.  I am simply the port author.  Bad Behavior core is used by thousands of sites worldwide.  Most of the code, especially the BB warning page, has been taken from the tried and true core.

Quote from: snoopy_virtual on March 21, 2011, 02:18:38 PM
In the meantime (as I also told butchs in my forum), if he thinks it is mod httpBL the one needing a change and it's as easy to do as just adding a die() somewhere, he should do his own version of mod httpBL instead.

If that is what you want the next release of BB will have httpBL feature available for public use.  I will not take it much further than the core author though.   No, I will not re-write your mod.

The feature has been tested since I stopped using your mod.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
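
The point butchs raises above, as an added PHP sketch that is not code from mod httpBL or Bad Behavior: a filter that prints its warning page but then returns lets the rest of the request run, so a later filter still sees the hit. The function names, the blocklist entry and the command-line arguments are all hypothetical.

```php
<?php
// Constructed demo, run from the CLI as:  php filters.php <ip> [halt]
// first_filter(), second_filter() and LISTED_IPS are hypothetical names.

const LISTED_IPS = ['203.0.113.7'];   // constructed sample blocklist entry

function first_filter(string $ip, bool $halt): void
{
    if (!in_array($ip, LISTED_IPS, true)) {
        return;                       // clean visitor: continue to the forum
    }
    fwrite(STDERR, "[first] blocked and logged $ip\n");
    echo "Warning page: access denied\n";
    if ($halt) {
        die();                        // request ends here; nothing below runs
    }
    // Without die(), control returns to the caller and the request continues.
}

function second_filter(string $ip): void
{
    // A filter loaded later inspects every request that is still executing.
    fwrite(STDERR, "[second] inspected request from $ip\n");
}

function forum_page(): void
{
    echo "Forum content rendered\n";
}

$ip   = $argv[1] ?? '203.0.113.7';
$halt = ($argv[2] ?? '') === 'halt';

first_filter($ip, $halt);
second_filter($ip);   // reached for a listed IP only when the first filter did not halt
forum_page();         // likewise: the "blocked" client still receives the page
```

Run once without `halt` and once with it: in the first run the listed address gets the warning page, the second filter's log line and the forum page; in the second run output stops at the warning page.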

naitram

I have updated to 2.3.9 and applied for my API key

the MOD passes its internal check

Your host can make remote connection with the DB

when I try and report a spammer the screen just reloads and does not appear to submit anything

Wizzlefits

If you check your "My Spammers" page at Stop Forum Spam you'll see the ones you just submitted. (might have to login first)

rthrash

@naitram
With 2.3.9 you have to check the person you just reported. I had the same issue, and Snoopy provided a replacement file somewhere in this thread that fixed it for me.

rthrash

Quote from: snoopy_virtual on March 21, 2011, 02:18:38 PM
I have in all my web sites CrawlTrack as a first firewall to stop hackers' attempts (the best one I know so far). But the real version from the official site: http://www.crawltrack.net/ Not any of the modified versions I have seen in other places. The real version works perfectly with SMF (as it does with Mambo, WordPress, Joomla, etc) and doesn't need any modification at all.

...

And then to stop spammers I use mod httpBL, mod StopSpammer and a couple of good Anti-spam questions.

Thanks for the reference to Crawltrack; we'll definitely try that out. When you prevent registrations on an IP based on httpBL, how long before you expire the IP Address block? Or is that even the right question? ;)

naitram

Quote from: rthrash on March 28, 2011, 10:41:44 AM
@naitram
With 2.3.9 you have to check the person you just reported. I had the same issue, and Snoopy provided a replacement file somewhere in this thread that fixed it for me.

If I check them it's like they have never been reported.

rthrash

Hmmm ... something else must be wrong then. You'll have to wait for a better answer from someone else. Sorry I couldn't be of assistance.

naitram

That's ok, I appreciate the response

Wizzlefits

Quote from: naitram on March 28, 2011, 09:36:39 AM
I have updated to 2.3.9 and applied for my API key

the MOD passes its internal check

Your host can make remote connection with the DB

when I try and report a spammer the screen just reloads and does not appear to submit anything

The member should turn red when the page reloads and be put into "Awaiting Approval".
Is the reported member in there?
Also, what version of SMF are you running?
