1
Olorin
Anti-Spam Operation
  • 2005/2/12 21:39

  • Olorin

  • Just popping in

  • Posts: 50

  • Since: 2003/7/5 1


Referrer-Spamming (or Comment-Spam) is hot these days, which is a growing headache for webmasters in many ways:

1. It abuses your web server severely.
2. It's not just annoying to delete the spams every time you check your web site, but just... GIVE ME A BREAK!!!!

Thanks to the appearance of "Protector", Headache-1 can be dealt with automatically since it can restrict the simultaneous accesses from the same IP.

Headache-2 is not that problematic for the community sites where all the comments are posted by registered users like here. But for the web sites where comments are open to the public, it is.

Possible solutions:

1. .htaccess
SetEnvIf Referer "(.*)(ronnieazza|future-200|loan|loans|6q|diet-pills|sex|freakycheats|psxtreme|learnhowtoplay|online-deals-4u|poker|gambling|chat-nett|fidelityfunding|terashells|casino|crescentarian|yelucie|smsportali|viagra|blackjack|porn|nude|naked|adult|anal)(.*).(.*)" ToTheDeepestAbyssOfHELL
<Files *>
Order allow,deny
Allow from all
Deny from env=ToTheDeepestAbyssOfHELL
</Files>
So-called "Referrer Spams" contain banal referrer information to entice webmasters into their crappy web sites. I know that none of them may well click such feeble links, though they seem to think it works, somehow... lol. Anyway, we can exploit this poor information.

2. xoops_refcheck()
include/comment_post.php

line232
if ($uid == 0) {
+            if ( ! 
xoops_refcheck() ) {
+                
redirect_header($redirect_page.'='.$com_itemid.'&com_id='.$com_id.'&com_mode='.$com_mode.'&com_order='.$com_order1_NOPERM);
+                exit();
+            }
            switch (
$xoopsModuleConfig['com_rule']) {
            case 
XOOPS_COMMENT_APPROVEALL:
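Review bot: The added `if ( ! xoops_refcheck() )` branch reuses the `_NOPERM` redirect message, so an anonymous visitor whose browser or firewall sends no referrer is told only that they lack permission, with no hint about the cause. Give this branch its own message that names the missing or external referrer. The check also sits inside `if ($uid == 0)` and depends on a header the client supplies, so it filters only requests that arrive with an external referrer and should not be the sole gate on anonymous posts.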

Given that no registered user commits spamming, it can block "referrer-spams" as long as they hold external referrer information. It would also block legitimate comments because many people simply have no idea what the firewall software in their computer does. To avoid this unintended inconvenience, you can disable referrer-check only when the empty referrer is recognised. Please search "Xoops FAQ" for the detailed information about it.

Btw, this function is accessible from all the modules. So this hack can be applied to those modules that use their original commenting system, too: B-wiki, WordPress, etc.

3. g_ticket
Maybe, it's not that difficult to implement GIJOE's ticket system to Xoops' commenting system... But I DON'T KNOW HOW TO do it!!! lol

4. A unique attribute and its corresponding value to comment forms.

This technique is widely adopted by many blog software packages to confirm if the comments are sent from your comment form. But how can I implement this function to Xoops? That's the question. As far as I know, "Comment Callback Function" seems to be the one. But, again, I DON'T KNOW HOW TO assign an extra parameter with the provided xoops-form class... lol

Maybe, instead of assigning it, I can set a certain attribute and its value as a default extra-parameter by hacking core files in class/xoopsform, and insert "if ( A!==B){exit;}" into include/comment_post.php...

IMHO, I want this feature to be available from the admin panel in the future: Webmasters can define their original attribute and its corresponding value for the comment forms in their web site.

2
Mithrandir
Re: Anti-Spam Operation

To me it sounds like 3. and 4. have the same approach.

Kazu is working on implementing a ticket system for the upcoming XOOPS 2.0.10

3
Olorin
Re: Anti-Spam Operation
  • 2005/2/18 8:33

  • Olorin

  • Just popping in

  • Posts: 50

  • Since: 2003/7/5 1


Quote:

4. A unique attribute and its corresponding value to comment forms.
Well, I've figured it out.

include/comment_post.php
line 233
-if( ! xoops_refcheck() ) {
+if( ! 
xoops_refcheck() || $_POST['jfophmledf'] !== 'hgembaec' || $_POST['tzkrcekn'] !== 'qkspoflx' ) {
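Review bot: In the new condition, `$_POST['jfophmledf']` and `$_POST['tzkrcekn']` are read without `isset()`, so a request that omits either field raises an undefined-index notice before the comparison fails; guard each with `isset()` first. The expected values `'hgembaec'` and `'qkspoflx'` are literals fixed in the source, identical for every visitor and every page load, so the check only rejects clients that never loaded the form. A value issued per session and accepted once would also cover a copied or replayed form.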
include/comment_form.php
line 103
$cform->addElement(new XoopsFormHidden('com_mode'$com_mode));
+
$cform->addElement(new XoopsFormHidden('jfophmledf''hgembaec'));
+
$cform->addElement(new XoopsFormHidden('tzkrcekn''qkspoflx'));
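Review bot: The field names and values added here (`'jfophmledf'`/`'hgembaec'` and `'tzkrcekn'`/`'qkspoflx'`) duplicate the literals compared in include/comment_post.php, so changing one file without the other silently rejects every comment that reaches that check. Define each pair once, for example as constants, and reference them from both files. A short comment saying these hidden fields are an anti-spam marker would help the next maintainer.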


Quote:

To me it sounds like 3. and 4. have the same approach.
Kazu is working on implementing a ticket system for the upcoming XOOPS 2.0.10
Sounds promising. Well, I agree with you that 3 & 4 have the same approach. Maybe I should have listed them up as 3a & 3b...
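
Added example (not part of the thread, and not XOOPS or GIJOE code): the "ticket" idea from options 3 and 4, with a random value issued per rendered form, stored server-side, accepted once and expired after a time limit, instead of a fixed hidden value. The function names, `COMMENT_TICKET_TTL` and the `$store` array standing in for `$_SESSION` are assumptions made for this sketch.

```php
<?php
// Added example. Function names and COMMENT_TICKET_TTL are hypothetical;
// $store stands in for $_SESSION so the script also runs from the CLI.
const COMMENT_TICKET_TTL = 1800; // seconds a rendered form stays valid

// Call while rendering the form; emit the return value in a hidden field.
function issue_comment_ticket(array &$store, string $form, int $now): string
{
    $ticket = bin2hex(random_bytes(16)); // unpredictable, unlike a fixed literal
    $store['tickets'][$form][$ticket] = $now + COMMENT_TICKET_TTL;
    return $ticket;
}

// Call first in the POST handler. True only for a ticket that was issued to
// this session for this form, has not been used before and has not expired.
function redeem_comment_ticket(array &$store, string $form, $posted, int $now): bool
{
    if (!is_string($posted) || !isset($store['tickets'][$form][$posted])) {
        return false; // field missing, wrong type, or value never issued
    }
    $expires = $store['tickets'][$form][$posted];
    unset($store['tickets'][$form][$posted]); // single use: a replay fails
    return $now <= $expires;
}

// Constructed walk-through with a fake session and fixed clock values.
$session = [];
$ticket  = issue_comment_ticket($session, 'comment', 1000);
$stale   = issue_comment_ticket($session, 'comment', 1000);
$cases = [
    'fresh ticket'                 => [$ticket, 1060],
    'same ticket replayed'         => [$ticket, 1061],
    'static value from the thread' => ['hgembaec', 1061],
    'field missing'                => [null, 1061],
    'ticket past its TTL'          => [$stale, 1000 + COMMENT_TICKET_TTL + 1],
];
foreach ($cases as $label => [$value, $now]) {
    $ok = redeem_comment_ticket($session, 'comment', $value, $now);
    printf("%-30s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```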

4
sudhaker
Re: Anti-Spam Operation
  • 2005/6/17 20:39

  • sudhaker

  • Not too shy to talk

  • Posts: 117

  • Since: 2003/2/6 2


Why not human-verification using image with random text technique?

5
Herko
Re: Anti-Spam Operation
  • 2005/6/17 22:06

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Because this has to do with EVERY form you use on the site, like forum posts, login, comments, basically every interaction with your users. If they have to verify every little thing they do, they would leave.

Herko

6
Marco
Re: Anti-Spam Operation
  • 2005/6/18 8:59

  • Marco

  • Home away from home

  • Posts: 1256

  • Since: 2004/3/15


Could/should we implement such a system to prevent spambots from getting email addresses?

http://www.php-help.net/search.php?q=spam

I looked for such a functionality in XOOPS core code, but didn't find the same feature.

The main objective is to prevent mail addresses, written in articles for example, from being leeched too easily.

I don't know which system mambo has implemented. Could be great if someone investigated over there their solution (if any)

marco

7
peacearena
Re: Anti-Spam Operation
  • 2005/7/20 23:10

  • peacearena

  • Just popping in

  • Posts: 9

  • Since: 2005/1/5 2


Below is a plugin for Wordpress. Can this be adapted for Xoops?



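<?php
/*
Plugin Name: Email Obfuscator
Plugin URI: http://blackbird.casaparrina.it/programmazione/progetti/25
Description: Obfuscate email address in post body
Version: 1.0
Author: Michele Ferretti
Author URI: http://blackbird.casaparrina.it
*/

if (function_exists('add_filter')) {

    // Encode every character of the address as a decimal HTML character reference.
    function __obfuscate_email_action($email) {
        $email_outpunt = "";
        for ($i = 0; $i < strlen($email); $i++) {
            $email_outpunt .= "&#" . ord(substr($email, $i, 1)) . ";";
        }
        return $email_outpunt;
    }

    // Callback for preg_replace_callback(); $matches[1] is the matched address.
    function __obfuscate_email_match($matches) {
        return __obfuscate_email_action($matches[1]);
    }

    // Filter: replace each address in the post body with its encoded form.
    // preg_replace_callback() stands in for the original /e modifier, which
    // evaluated the replacement string as PHP code and was removed in PHP 7.
    function __obfuscate_email($content) {
        $content = preg_replace_callback("/([\\w\\d\\.\\_]+@[\\w\\d\\.\\_]+)/", '__obfuscate_email_match', $content);
        return $content;
    }

    add_filter('the_content', '__obfuscate_email');
}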

8
macmend
Re: Anti-Spam Operation
  • 2006/2/16 16:15

  • macmend

  • Quite a regular

  • Posts: 285

  • Since: 2004/2/27


This guy's site, although on a different CMS, has some interesting thoughts

here

http://www.i-marco.nl/weblog/archive/2005/08/17/bye_bye_referrer_spammers_21

and here

http://www.i-marco.nl/weblog/archive/2005/08/24/trackback_spam_eliminated
Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

9
kyraha
Re: Anti-Spam Operation
  • 2006/8/21 21:39

  • kyraha

  • Just popping in

  • Posts: 4

  • Since: 2005/7/2 2


I have implemented a very simple approach with one of my phpbb boards. Maybe we could use something similar here too. The point is: all the spammers need are href links. On the other hand, most anonymous posters don't want to post such links. What I did is just deny the entire post if it is anonymous and it contains a href link in any form - [ url ] or < a href= > or just http substring. A human poster can read the error message and edit his/her post to match the requirements or go ahead and register to be able to post links if links are so important to him/her. Spam-bots cannot do that and just bounce back with no success (bye-bye). So far it works great. I tried to implement the same with my XOOPS site but got confused with all that spaghetti of the modules/includes structure. But you guys got the idea. Please let me know if anyone succeeds with the coding. Thank you.

10
kyraha
Re: Anti-Spam Operation
  • 2006/9/15 22:30

  • kyraha

  • Just popping in

  • Posts: 4

  • Since: 2005/7/2 2


Finally I got it. I have implemented my idea that I explained above.
If anyone is interested in my approach, here is the hack (pretty rough though, but well... let's clean it up together). In the file 'include/comment_post.php' at the line about 240 make the code look close to this:
if (!empty($com_id)) {
    // [ skipped ]
} else {
    // [ skipped ]
    if (is_object($xoopsUser)) {
        // [ skipped ]
    } else {
        $dohtml = 0;
        $uid = 0;
        if ($xoopsModuleConfig['com_anonpost'] != 1) {
            redirect_header($redirect_page.'='.$com_itemid.'&com_id='.$com_id.'&com_mode='.$com_mode.'&com_order='.$com_order, 1, _NOPERM);
            exit();
        }
        // Anonymous post: bounce it if the sanitized text contains an anchor tag.
        // preg_match() with /i stands in for the original eregi('<A ', ...),
        // which was removed in PHP 7.
        $myts =& MyTextSanitizer::getInstance();
        if (preg_match('/<A /i', $myts->sanitizeForPreview($com_text, 1))) {
            redirect_header($redirect_page.'='.$com_itemid.'&com_id='.$com_id.'&com_mode='.$com_mode.'&com_order='.$com_order, 1, "No URLs permitted for unregistered users");
            exit();
        }
    }

The addition is actually this:
// preg_match() with /i stands in for the original eregi('<A ', ...),
// which was removed in PHP 7.
$myts =& MyTextSanitizer::getInstance();
if (preg_match('/<A /i', $myts->sanitizeForPreview($com_text, 1))) {
    redirect_header($redirect_page.'='.$com_itemid.'&com_id='.$com_id.'&com_mode='.$com_mode.'&com_order='.$com_order, 1, "No URLs permitted for unregistered users");
    exit();
}

I have been using it for a month. So far no spam at all. And users have not noticed any change in the interface. Even the anonymous ones. They're happy and so am I.
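
Added example (not kyraha's code and not part of XOOPS): a stand-alone version of the rule described in the two posts above, checking anonymous comments for all three link forms named there ([ url ], < a href= > and the http substring) after decoding HTML character references. The function names are hypothetical and the sample comments are constructed.

```php
<?php
// Added example. Function names are hypothetical; sample comments are constructed.

// True if the text contains a link in any of the forms named in the post:
// BBCode [url], an HTML anchor with href, or the substring "http".
function comment_has_link(string $text): bool
{
    // Decode character references first, so "&#104;ttp" is seen as "http".
    $plain = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_match('/\[\s*url\b/i', $plain) === 1
        || preg_match('/<\s*a\b[^>]*\bhref\s*=/i', $plain) === 1
        || stripos($plain, 'http') !== false;
}

// Returns null when the post may go through, or the message to show the poster.
function check_comment(bool $isRegistered, string $text): ?string
{
    if (!$isRegistered && comment_has_link($text)) {
        return 'No URLs permitted for unregistered users';
    }
    return null;
}

// Constructed sample comments: [poster is registered?, comment text].
$samples = [
    [false, 'Thanks, this fixed my install.'],
    [false, 'see [ url=example.invalid ]here[ /url ]'],
    [false, 'visit <A HREF="//example.invalid">us</A>'],
    [false, 'go to &#104;ttp://example.invalid now'],
    [true,  'Docs are at http://example.invalid/docs'],
];
foreach ($samples as [$registered, $text]) {
    $error = check_comment($registered, $text);
    printf("%-10s %-45s %s\n", $registered ? 'registered' : 'anonymous',
        $text, $error === null ? 'posted' : 'bounced: ' . $error);
}
```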
