header 'warning'
Posted: May 5th, 2006, 2:03 pm
by c2bill
no, we're not being hacked. i screwed up the header somehow - am trying to fix it...
-bill
Posted: May 5th, 2006, 4:49 pm
by Tyn
Bill,
How can we be sure this is you!
Posted: May 6th, 2006, 10:23 pm
by MomofJBN
We may not have been hacked, but there are a lot of spam posts all of a sudden.
Posted: May 8th, 2006, 11:08 am
by c2bill
re spam- we're moving to an 'email confirmation' system - so all posters will have to have a valid email address - this tends to slow (but not stop) spam posts. on another funny note i'm starting to get requests from advertisers to 'sell space' on the forum - we're a victim of our own popularity!
bp
Posted: May 10th, 2006, 1:02 am
by Jeff_FLG
Hello Bill,
I've been lurking for a while and finally joined. I'm greatly enjoying my C2 and keeping motivated as a member of the AZ Outlaws. Schenley (MomofJBN in the post above) is my better 7/8.
This thread caught my eye -- I run a phpBB forum myself, and the email confirmation plus captcha should help with the spam...it did for us. But even with that, I did have enough problems that I finally had to hack it to (1) remove the member list and (2) change the "agree to terms" registration variable to something the bots couldn't recognize. #1 eliminates the incentive for bots to harvest email addresses, or to get trackbacks for their own email and web sites when legitimate crawlers come through, and #2 really constipates them...I haven't had a single automated registration since.
I'm not suggesting you axe the user list; I have no idea how many members of this forum use it, and as the proud owner of one post I hardly imagine I know what's best for these boards. But if you get bizarre registrations with .pt and .ru addresses, that might be what's going on. I looked at the various content options you have now, and it does look like you have things reasonably locked down. So hopefully this will work better than IPB (which I have never had trouble with, but I guess nothing's perfect).
And you know, you could replace that stock phpBB banner with a nice C2/erging logo!
Thanks for your efforts in providing this forum for everyone.
Posted: May 10th, 2006, 9:51 am
by PaulH
Jeff,
Can you explain the option 2 you mention? It would be great to have the details in case we need it.
Cheers, Paul
Posted: May 10th, 2006, 5:22 pm
by Jeff_FLG
Option #2 is one of the better bot-killers I have seen. The bots come in and supply “true” wherever the variable “agreed” appears in the reg forms – the TOS, the COPPA rules, and so on. There are three files in your phpBB directory structure where this variable appears:
admin/admin_users.php,
includes/usercp_avatar.php, and
includes/usercp_register.php.
Go into these files and do a global search and replace of “agreed” with something else, like “yep_thats_fine”, or something mixed case like “OkeYDoKey.” The PHP won’t care what you use (as long as you've made sure to change all instances of the variable!), and the bots won’t have any idea what you’ve changed it to. I recommend taking the characters “a-g-r-e-e” out of the name entirely (i.e., don’t use “yep_i_agree”) since a few bots now seem to be on to this and appear to be smart enough to search substrings, or even to try to deduce the variable name via offsets from other known strings. (Some programmers have way too much free time!)
Since I hacked our boards in this way, I have occasionally had manual registrations from casino hucksters and the like, but the obvious auto signups (particularly porn-related) have been greatly reduced.
I see that besides a couple of legit signups, there are two obvious spam members here just since I joined last night! I feel your pain...
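Added example, not part of the thread and not phpBB's own code: a Python sketch of the rename described in the post above, with a check that no file was left behind, since a partial rename leaves the form and its handler disagreeing on the field name. The file contents are constructed stand-ins, and `show_terms`, `rename_field` and `leftovers` are hypothetical names.

```python
import re

# Constructed stand-ins for the three files named in the post; not real phpBB source.
SAMPLE_FILES = {
    "admin/admin_users.php":
        '<input type="hidden" name="agreed" value="true" />\n',
    "includes/usercp_avatar.php":
        '<input type="hidden" name="agreed" value="true" />\n',
    "includes/usercp_register.php":
        "if (!isset($HTTP_POST_VARS['agreed']) && !isset($HTTP_GET_VARS['agreed'])) {\n"
        "    show_terms('profile.php?mode=register&amp;agreed=true');\n"
        "}\n",
}

def rename_field(files, old, new):
    """Replace every occurrence of `old` with `new`; return (new_files, per-file counts)."""
    if "agree" in new.lower():
        raise ValueError("new name still contains 'agree', which the post advises against")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", new):
        raise ValueError("new name must be a plain identifier")
    out, counts = {}, {}
    for path, text in files.items():
        counts[path] = text.count(old)
        out[path] = text.replace(old, new)
    return out, counts

def leftovers(files, old):
    """List (path, line number, line) for every line that still mentions `old`."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            if old.lower() in line.lower():
                hits.append((path, n, line.strip()))
    return hits

if __name__ == "__main__":
    renamed, counts = rename_field(SAMPLE_FILES, "agreed", "OkeYDoKey")
    print("replacements per file:", counts)
    print("leftovers after full rename:", leftovers(renamed, "agreed"))
    # Failure mode: only one of the three files was edited.
    partial = dict(SAMPLE_FILES)
    partial["includes/usercp_register.php"] = renamed["includes/usercp_register.php"]
    for path, n, line in leftovers(partial, "agreed"):
        print(f"still uses old name: {path}:{n}: {line}")
```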
Posted: May 10th, 2006, 5:32 pm
by johnlvs2run
You could put "I don't agree" for one of the choices, then they would click that one.
Many sign up pages have letters to retype in prior to signup approval.
I don't know how effective this is, but it seems it would cause more of a problem to the robots.
Posted: May 10th, 2006, 7:14 pm
by Jeff_FLG
John Rupp wrote: You could put "I don't agree" for one of the choices, then they would click that one.
A slightly more involved hack, but it would be doable, and you're right, it might indeed fool some of the scripts...and might be necessary if enough of them seem to have "adapted" to the trick above.
Many sign up pages have letters to retype in prior to signup approval.
Yep, that's a "captcha," which C2 is using (I had to type one in last night). Many flavors of these exist, and though they do indeed help, they're far from bulletproof. The one used by these boards is probably not hard for character recognition software to defeat. The best solution for this whole problem of auto-registrations is several layers of security -- captcha, code hacks, user list and email list control, etc. Quite the annoyance, these folks, but that's life on the Net.
Posted: May 13th, 2006, 3:08 pm
by MomofJBN
More spam posts popping up in the General section.
Schenley