Bad Behavior for SMF mod

Started by butchs, April 12, 2010, 05:23:56 PM


butchs

Quote from: HiramAbif on April 21, 2010, 05:15:33 PM
I have a question.  I have guest posting enabled and there is one dude who is maliciously spamming my board using what I believe to be imacros.  Would this stop someone who floods the board with the same topic over and over again?  Thank you.

More clarification:
I use guest posting on my forum.  Besides this mod I use the standard smf "Anti-Spam Verification" (there are posts about this somewhere in this community that tell you how to set it up) for every non-member post in the guest area.  I do not have a spam problem in my guest area.
O:)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Wizzlefits

Quote
Block china in your htaccess file!

Do something like this list for your htaccess file.

Not  necessary for RC3, Bad Behavior stops the riffraff soooo very well.  ;D
Now 1.1.11, htaccess works to some degree, but still have spammers trying to use the quick reply with random IPs. ie: never use the same IP more than twice.


butchs

Quote from: Wizzlefits on May 04, 2010, 09:04:17 PM
QuoteNot  necessary for RC3, Bad Behavior stops the riffraff soooo very well.

Thanks for the feedback.  I am interested to know how it works on other sites besides my own.

Wizzlefits

Well, here's some feedback for ya.  ;)
Site Mods
Stop Spammer 2.3.7 (current state--On) Has caught nothing with BB turned on
httpBL 2.3.4 (current state--Off, but shows Honeypot trap link) will turn full on later
Bad Behavior 1.0.0 (current state---On)

176 spammers stopped in last 9 days
154 in last 7 days
2 spammers permitted to load 1 page then denied from then on.

METHOD: GET
URI: /index.php?board=24.0
PROTOCOL: HTTP/1.0
HEADERS: GET /index.php?board=24.0 HTTP/1.0 Accept: */* Host: www.xxxxx.com Referer: http://www.xxxxx.com/index.php?board=24.0 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
ENTITY:
KEY: 00000000
PERMITTED REASON: Permitted
EXPLANATION:
ERROR: 200

xxxxx'd site out because it is not for public consumption, just for messing with spammers.  8)

Mod suggestions....
Just 1 so far, the option to sort logs by IP.

If there's anything else you'd like to know let me know. :)

butchs

Interesting.  Thank you for the info.  :)

I will look into the sort for the next version.  O:)

Permitted users are questionable and may not be real spammers.  The reason they are listed is because they should be watched.  If you find one please email me the details.   ???

Bad Behavior (BB) should be used along with the httpBL mod.   The current release version of BB includes honeypot but it does not have all the nice forum features as httpBL so I left that portion out.  A feature that I added that is not in the original is that when you enable httpBL the Bad Behavior warning page includes a present in the form of the Honeypot trap link from httpBL.  The other unique feature is the optional SMF caching.   :o

Here is what happened on my site:
Stop Spammer 2.3.7 (current state--On) Has caught nothing since BB was turned on.
httpBL 2.3.4 (current state--ON, shows Honeypot trap link)
Bad Behavior 1.0.0 (current state--On, strict mode enabled)
avatar_verification_1.0 (current state--On, over 100 verification images)  Gets 5-10 hits a day but nothing has passed it.  The hits seem to be spammers who are getting caught by other means.

The trend I have seen is that Bad Behavior in strict mode blocks their proxies and other bad things.  I saw around 180-190 in my first week.  Then the humans tried turning off the proxy to get past BB but then the httpBL Mod caught them.

They were not happy with my site so they decided to assault me with a DOS -- over 300 hits/ day several times.  Every attempt failed with BB and httpBL enabled.  fyi - I made a lean httpBL warning screen that is like the BB warning screen just for my site to reduce bandwidth usage during these attacks.

After several months they seem to have mostly given up.  Now I see only a few hits a day from both mods - Spam free!
8)

kaamaru

Mine says <!-- Bad Behavior 2.1.2 run time: 0.000 ms -->. Does that mean it's not running at all? Also, will this allow google bots to browse the forum?

kaamaru

I am not sure, it says ms in my source code. Thanks for the help, It seems to have stopped some spam :).

Quote
1523     91.214.44.233     2010-05-08 12:50:06     /     DENIED
#b7830251
1520    91.214.44.233    2010-05-08 12:50:03    /iphone/index.php    DENIED
#b7830251
494    78.26.187.42    2010-05-08 12:32:52    /    DENIED
#b7830251
485    78.26.187.42    2010-05-08 12:32:49    /iphone/index.php    DENIED
#b7830251

kaamaru

Quote from: butchs on May 07, 2010, 01:25:31 PM
Interesting.  Thank you for the info.  :)

I will look into the sort for the next version.  O:)

Permitted users are questionable and may not be real spammers.  The reason they are listed is because they should be watched.  If you find one please email me the details.   ???

Bad Behavior (BB) should be used along with the httpBL mod.   The current release version of BB includes honeypot but it does not have all the nice forum features as httpBL so I left that portion out.  A feature that I added that is not in the original is that when you enable httpBL the Bad Behavior warning page includes a present in the form of the Honeypot trap link from httpBL.  The other unique feature is the optional SMF caching.   :o

Here is what happened on my site:
Stop Spammer 2.3.7 (current state--On) Has caught nothing since BB was turned on.
httpBL 2.3.4 (current state--ON, shows Honeypot trap link)
Bad Behavior 1.0.0 (current state--On, strict mode enabled)
avatar_verification_1.0 (current state--On, over 100 verification images)  Gets 5-10 hits a day but nothing has passed it.  The hits seem to be spammers who are getting caught by other means.

The trend I have seen is that Bad Behavior in strict mode blocks their proxies and other bad things.  I saw around 180-190 in my first week.  Then the humans tried turning off the proxy to get past BB but then the httpBL Mod caught them.

They were not happy with my site so they decided to assault me with a DOS -- over 300 hits/ day several times.  Every attempt failed with BB and httpBL enabled.  fyi - I made a lean httpBL warning screen that is like the BB warning screen just for my site to reduce bandwidth usage during these attacks.

After several months they seem to have mostly given up.  Now I see only a few hits a day from both mods - Spam free!
8)

Awesome, so should I install httpBL 2.3.4 too (will it conflict with this mod?) and how do I enable strict mode? Also I don't understand the cache thing. Mine is set to 0. Could you explain?

Thanks!

butchs

Quote from: Calumks on May 08, 2010, 08:12:13 AM
Awesome, so should I install httpBL 2.3.4 too (will it conflict with this mod?)

You can install httpBL with no conflicts.

Quote from: Calumks on May 08, 2010, 08:12:13 AM
and how do I enable strict mode?

Check "strict" under the security option in the admin panel.  See attached.

Quote from: Calumks on May 08, 2010, 08:12:13 AM
Also I don't understand the cache thing. Mine is set to 0. Could you explain?

If you click on the i next to cache duration the help will say: 
Quote
The buffer time in seconds that the SMF Caching System is allowed to keep information for a readable IP address between Bad Behavior look-ups.  Because bots can look at multiple pages in your forum in a short amount of time this setting will allow either them or a visitor to view the forum or see the banned message within the duration using the least amount of processing effort.

If the SMF Caching System is not enabled you will get a warning message in the error log.

The time delay can be set between 0 and 99 seconds.  Zero disables this feature and prevents error log messages.  This number should be adjusted as low as possible based on server load.  Default is 0 seconds.

butchs

Quote from: Calumks on May 08, 2010, 07:17:05 AM
Mine says <!-- Bad Behavior 2.1.2 run time: 0.000 ms -->. Does that mean it's not running at all? Also, will this allow google bots to browse the forum?

That is because you are the admin and you are bypassed.  It does not check admins.  If your IP is not whitelisted, log out to see the speed.

butchs

More on caching duration since I am complicated.   Say you look at your cpanel and find the following bad bot hit your site:

Quote
/smf/index.php?topic=724.0
   Http Code: 302   Date: Mar 15 15:06:37   Http Version: HTTP/1.0   Size in Bytes: -
   Referer: http://www.yourwebsite.com/smf/index.php?topic=724.0         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/            
   Http Code: 200   Date: Mar 15 15:06:45   Http Version: HTTP/1.0   Size in Bytes: 18214
   Referer: http://www.yourwebsite.com/         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/smf/index.php?board=7.0            
   Http Code: 302   Date: Mar 15 15:06:52   Http Version: HTTP/1.0   Size in Bytes: -
   Referer: http://www.yourwebsite.com/smf/index.php?board=7.0         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/smf/index.php?board=24.0            
   Http Code: 302   Date: Mar 15 15:06:55   Http Version: HTTP/1.0   Size in Bytes: -
   Referer: http://www.yourwebsite.com/smf/index.php?board=24.0         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/smf/index.php?board=8.0            
   Http Code: 302   Date: Mar 15 15:06:58   Http Version: HTTP/1.0   Size in Bytes: -
   Referer: http://www.yourwebsite.com/smf/index.php?board=8.0         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/smf/index.php            
   Http Code: 302   Date: Mar 15 15:07:02   Http Version: HTTP/1.0   Size in Bytes: -
   Referer: http://www.yourwebsite.com/smf/index.php         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/smf/index.php?action=forum            
   Http Code: 302   Date: Mar 15 15:07:04   Http Version: HTTP/1.0   Size in Bytes: -
   Referer: http://www.yourwebsite.com/smf/index.php?action=forum         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]         
/smf/warning.php            
   Http Code: 500   Date: Mar 15 15:07:07   Http Version: HTTP/1.0   Size in Bytes: 646
   Referer: http://www.yourwebsite.com/smf/warning.php         
   Agent: Opera/7.54 (Windows NT 5.1; U) [pl]      

Now look at the times:
15:06:37
15:06:45
15:06:52
15:06:55
15:06:58
15:07:02
15:07:04
15:07:07

The total duration of this bot's rampage is 30 seconds (58-37+7+2).  So if you set cache duration to 8 Bad Behavior will check the bot 3 times during its visit.  The remaining hits will be a repeat of the last check.

If the bot failed at "15:06:37" every hit on your site will be immediately rejected for 8 seconds.  After that it will check again at "15:06:45".

To date I have not seen a bot fail the first hit and ever pass a second hit.  But someday that may happen.

Standard Bad Behavior does not include this feature.  It is fast enough to check every hit.  This feature should only be used when you have a really bad bot problem or your site is large.
:o
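The cache-duration walkthrough in the post above, as an added example (not code from the mod or from any poster): it replays the hit times from the quoted access log against a chosen cache duration and lists which hits trigger a full Bad Behavior check and which are answered from the cached verdict. The function names and the `recheck_at_expiry` switch are assumptions made for this sketch; the mod's own handling of a hit that lands exactly on the expiry second is not shown on this page, so both readings are modelled.

```python
from datetime import datetime

# Hit times copied from the access-log excerpt in the post above (one bot, one IP).
HITS = ["15:06:37", "15:06:45", "15:06:52", "15:06:55",
        "15:06:58", "15:07:02", "15:07:04", "15:07:07"]

def simulate(hits, ttl, recheck_at_expiry=True):
    """Return (lookups, replays): hits that get a full check vs. hits served from cache.

    Assumption (not taken from the mod's source): a verdict cached at time t is
    reused until t + ttl. recheck_at_expiry decides whether a hit landing exactly
    on t + ttl is re-checked (True) or still served from cache (False).
    """
    times = [datetime.strptime(h, "%H:%M:%S") for h in hits]
    lookups, replays, cached_at = [], [], None
    for stamp, t in zip(hits, times):
        age = None if cached_at is None else (t - cached_at).total_seconds()
        fresh = (ttl > 0 and age is not None
                 and (age < ttl if recheck_at_expiry else age <= ttl))
        if fresh:
            replays.append(stamp)      # cached verdict replayed, no new look-up
        else:
            lookups.append(stamp)      # full check, verdict cached from this hit
            cached_at = t
    return lookups, replays

def smallest_ttl_for(hits, max_lookups, recheck_at_expiry=True):
    """Lowest setting in the documented 1..99 range keeping full checks <= max_lookups."""
    for ttl in range(1, 100):
        if len(simulate(hits, ttl, recheck_at_expiry)[0]) <= max_lookups:
            return ttl
    return None

if __name__ == "__main__":
    for ttl in (0, 8, 30):
        for inclusive in (True, False):
            looks, reps = simulate(HITS, ttl, inclusive)
            print(f"ttl={ttl:2d} recheck_at_expiry={inclusive}: "
                  f"{len(looks)} checks at {looks}, {len(reps)} cached")
```

Feeding it timestamps from your own access log for one offending IP shows how many look-ups a given setting saves before you raise the value above 0.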

butchs

Quote from: Calumks on May 08, 2010, 07:53:26 AM
I am not sure, it says ms in my source code. Thanks for the help, It seems to have stopped some spam :).

Quote
1523     91.214.44.233     2010-05-08 12:50:06     /     DENIED
#b7830251
1520    91.214.44.233    2010-05-08 12:50:03    /iphone/index.php    DENIED
#b7830251
494    78.26.187.42    2010-05-08 12:32:52    /    DENIED
#b7830251
485    78.26.187.42    2010-05-08 12:32:49    /iphone/index.php    DENIED
#b7830251

Yes it did.  If you do not have IE click within the highlighted area for more details.  If you have IE click on the underlined denied text to see the details.

butchs

<!-- Bad Behavior 2.1.2 run time: 0.000 ms -->

Quote from: Arantor on May 08, 2010, 07:18:22 AM
No, that means it ran so quickly it didn't even take 1/1000 of a second (I think ms is wrong here, unless you're really measuring 1/1,000,000th of a second)

I really did not look at that part too much since it was part of the std BB package.  EDIT  :)

butchs

EDIT:
Now I am soooo confused.   :-[

ms was correct.  It multiplies 1000 to the number before displaying it.


having a bad bad day...  ;)

and yes, that time measurement code does display in slower blogs/ forums.

butchs

Bla, you tell me...

start:
$bb2_mtime = explode(" ", microtime());
$bb2_timer_start = $bb2_mtime[1] + $bb2_mtime[0];


end:
$bb2_mtime = explode(" ", microtime());
$bb2_timer_stop = $bb2_mtime[1] + $bb2_mtime[0];
$bb2_timer_total = $bb2_timer_stop - $bb2_timer_start;


display:
echo "\n<!-- Bad Behavior " . BB2_VERSION . " run time: " . number_format(1000 * $bb2_timer_total, 3) . " ms -->\n";

:)

giveaway365.com

I have httpbl & stopspammer... and not getting any problem. Do I need to use this mod also?

in fact let me know which is the best combination of mods?

butchs

I use all three:
:D

My list:

  • Stop Spammer 2.3.7 (current state--On)
  • httpBL 2.3.4 (current state--ON, shows Honeypot trap link)
  • Bad Behavior 1.0.0 (current state--On, strict mode enabled)
  • avatar_verification_1.0 (current state--On, over 100 verification images)

Lou69

Installed and working without errors on RC3.

Followed the instructions, edited what needed to be edited and did the two part install.

Other than needing to chmod a few items ( my fault ), the install went without any problems.

Thanks

Lou  :)


butchs

It has been six(6) months since I have deleted a spammer!
8)

kaamaru

Mods still working well with my site too! The only spam I have got is from humans.

Thank You very much!!!
