The Tank › OT: Forum spam
- March 2, 2006 at 12:03 pm #4702coreParticipant
Totally out of hand, in fact.
As a veteran computer programmer I’d be glad to offer my services free of charge to write a simple solution here-and-there. It’s the least I could do for all the help you guys have given me.
Otherwise, simplest thing you can do yourself (but too late for this batch) is to eliminate all references to “WowBB” and any messages unique to it. (For example change “Notify me by e-mail when replies are posted to this topic” to “Watch this topic”.) Check your referer logs and you just _might_ see what string they were searching for when their bot found these pages. Then eliminate it.
-Tearing my few remaining hairs out trying to follow the boardMarch 2, 2006 at 12:56 pm #4703Randy SchuylerKeymaster
Quite so. Do you know what is happening here? It looks as if someone found an open door and wedged it open.
Initially, we had the board open to everybody. Registering is a pain for everybody. More passwords, fear of spam, all that. We got the odd bit of spam from time to time, but deleted it. Then all this started: clearly automated and so far, unstoppable.
WOW said that even with the board closed to guest postings, anybody could reply to a guest post. Yesterday, they said they fixed that. Doesn’t make any difference. I tried turning the board off. Didn’t make any difference. I tried locking out by IP address. They’re somehow spoofing those.
What is the solution, and what do you mean by “this batch?” Do the posts they’re using have to be deleted?
Randy SchuylerMarch 2, 2006 at 6:15 pm #4704coreParticipant
Certainly I know what is happening here. I’m afraid I’ve been on the “dark side” once or twice when the price was right, but my creations NEVER sent two messages to the same site. This bot is very rude. Essentially they’re doing google searches like this:
“notify me by email when replies are posted” home improvement
“notify me by email when replies are posted” house
“notify me by email when replies are posted” plumbing
“notify me by email when replies are posted” sink
You get the idea. They don’t mean to target you nor plumbing sites in general, they just need keywords and plumbing was probably one of them. They know that your forum software allows them to reply to an existing thread as a guest, so they are exploiting google and searching for sites using your exact forum software. You can only get I believe it was 1,000 results per google search which is the reason we use random keywords as described above.
And no, there is no open door that they “wedged open”. Your forum just allows guests to reply to existing threads, period, even if you don’t see that option as a human. You said WoW fixed it yesterday? They very well may have, but not necessarily for _you_. I’m assuming you don’t have an expensive support contract with them, so any fixes they make you would need to download and install yourself (or have it done for you). It most certainly is not an automatic update.
As far as you trying to lock them out by IP: That was a valiant attempt, and would have been the first thing to try. They’re not really “spoofing” their IPs, they’re just using what are called “proxy servers”. Basically they’re using other people’s IPs with or without their permission. Lots of info about proxies on the ‘net, and http://www.publicproxyservers.com is my favorite place to find them. One thing to keep in mind: For certain users, proxy servers are an absolute necessity. Consider folks in China who want to research things that their government would rather they not see. The only way for these individuals to see the information that you and I can get to freely is to go thru a proxy server. Could go on and on about proxies but that info is explained better in existing pages on the web already.
What I meant by “this batch” was: This robot (‘bot) has already found all your posts via google, so you are likely to get spammed a WHOLE lot more over the coming hours/days. I did recommend that you examine the referer logs to see if they were dumb enough to include the search engine referring URL, as then you can see what they searched for. If they did, then that’s easy — be sure to eliminate that phrase from these pages. But I’m assuming they were not so dumb.
No, deleting the existing posts will not help.
The best immediate fix would be to download the update from WoW that you said they have. Again this is assuming they have not already installed it for you. I would be glad to do it as well.
The second immediate (and SUREFIRE) fix requires at least some level of programming ability or _careful_ editing. What I’d do is change the “message” variable to “messagehwh” or something, in reply.php. A simple find&replace will not do… you need to search & replace for both ‘message’ (single quotes) and “message”, etc. This is a guaranteed way to cease all spam immediately but is very easy to screw up — back up all files before attempting anything. Basically find&replace ‘message’->’messagehwh’ and “message” -> “messagehwh” (INCLUDING QUOTES) should do the trick. But still this is dicey if you’re not used to at least reading PHP.
What this basically does is prevents bots from being able to post to your board just because they know what forum software you’re using. Some bots are more clever, yes, but these are few and far-between.
Either of those two suggestions should do it. If for some reason neither are possible (not likely), my suggestion would be to disallow posts in which more than 50% of text is linked. I’d be happy to whip that up for you, but sounds like WoW is getting themselves straightened out.
-JasonMarch 2, 2006 at 8:36 pm #4705Randy SchuylerKeymaster
Thank you for taking the time to explain all that. There is a possibility this is fixed. I won’t know until I’ve cleaned up the first page a bit and see if more posts pop up. WOW is both my ISP and the host for the board. That’s what they do. I had a PHP board before that I paid to have installed. I knew zero about PHP and had to trust others. They kind of screwed me. I got hacked three times and finally realized that I had to upgrade every time the PHP forum came out with a new version, which is about once a month.
Anyway, WOW did close off the guest reply option, but as I said, that didn’t work. The programmers went back and decided there was a problem with the legacy PHP database and did something or other that they say will stop the problem. We’ll see.
Meantime, I tracked down the company doing the spamming — or at least the host for all those URLs, so I might have a legal option if this round fails, too.
Thanks again for your help and offer to help. I hope I won’t need it…..
- You must be logged in to reply to this topic.