Posts Tagged ‘spam’

Akismet catches a lot of spam, but there is a lot it won’t catch. Therefore I decided to put together a hack to catch some more. The hack has 2 options:

• One for you to put in spam words that if they are in the comment, the whole comment will be considered spam. Just be careful, if you add cialis you will block the word specialist also.
• The other option lets you set the maximum number of links you will allow in a comment.

It will catch links that start with http://, https://, http://www., https://www. and www.. WordPress doesn’t convert text like example.com into a link.

The hack also checks to see if there is more content in the comment than just A tag(s), if there isn’t it’s considered spam. I recommend to use this with the Akismet plugin because it won’t prevent all spam. Keep in mind this hack may not work with other spam prevention plugins.

Open up wp-comments-post.php and after these lines

if ( '' == $comment_content )
wp_die( __('Error: please type a comment.') );


Add the following:

else /*MODIFIED - added this else to filter strings and count links*/
{
//OPTIONS
$link_limit = 3;//set the maximum number of links we allow
$disallowed_strings = array('[url', '[/url]', 'zithromax', 'levaquin');//add any strings you wont allow, make them lowercase, we test for case insensitivity later
//END OPTIONS
$temp_comment = strtolower($comment_content);//lowercase text so we can be case insensitive, php4 doesnt have stripos
$total_disallowed_strings = count($disallowed_strings);
//look for disallowed strings
for ($temp_counter = 0; $temp_counter < $total_disallowed_strings; $temp_counter++)
{
if (strpos($temp_comment, $disallowed_strings[$temp_counter]) !== false)
{
wp_die( __('Sorry, that looks like spam.') );
}
}
$comment_links = 0;
//regex would be better
$link_strings = array('http://www.', 'https://www.', 'http://', 'https://', 'www.');//order is important here
$temp_comment = str_replace($link_strings, '[LINK]', $temp_comment);
$comment_links = substr_count($temp_comment, '[LINK]');
//test for number of links
if ($comment_links > $link_limit)
{
wp_die( __('Sorry, that looks like spam.') );
}
//weed out all A tags and see if anything is left
$temp_comment = preg_replace('/<a[^\<]{1,}\<\/a\>/', '', $temp_comment);
$temp_comment = trim($temp_comment);
//see if the comment is nothing but links
if (empty($temp_comment))
{
wp_die( __('Sorry, that looks like spam.') );
}
}


I still see a lot of forms require email address to post comments or for simple verification. It doesn’t stop spam at all.

You should only ask for a person’s email address if:

• You require registration to access part of the site.
• They have a password and will need to be able to reset it.
• You will have an option to notify them of new comments or a response to their comment.
• It’s an email form (then you need it, because how else will you respond).
• It’s for a newsletter.
• It’s an online purchase.

I’m probably forgetting a few other instances where its needed, but I think you get the idea. Using a email address to send a user a link to click on to verify it is inconvenient as well. You might as well just have them register and send them a initial verification link.

I understand spam is out of hand, but I’ve written an email form awhile back that gets very little.

Here are some things I do to prevent spam:

• Filter HTML.
• Filter any unsafe characters.
• Prevent blank fields not only with JavaScript but on server side also.
• Check field lengths not only with JavaScript but on server side also, don’t let them try to send a longer text than what your form is set to, this should be a red flag that they are trying to do something fishy. You can trim whitespace characters with JavaScript.
• Look for any attempts of e-mail injection. Often times spammers try to trick your email form to spam others by putting in CC:, Content-Type:, To: and so on.
• If its a email form and the email address is required, make sure the email address is in a valid syntax. Also make sure the domain part of the email address is one that really exists (PHP can do this).
• Check the email address thats supposedly sending it and see if it is on my ban list.
• Check the ip address thats supposedly sending it and see if it is on my ban list.
• Check the words in the title and subject and see if they are on my censor list. Censored words will be let through but will be filled with asterisks.
• Check the words in the title and subject and see if they are on my ban list. Bots are dumb and sometimes will send UBB code like [url=http://example.com]my nasty site[/url] because they thought the form was part of a forum. Just makes it easier for me to filter.
• I like to filter out @ with (a) and replace any http://, https://, http://www. or https://www. with LINK: because often email clients will render these as links and I don’t want to accidentally click on them.
• Count how many links are being sent and compare it to my limit. Some spam bots go insane and try to send 50 links per email.
• Compare what domain the form was referred from with my allowed list, helps prevent cross-site scripting. For example, if your form on http://example.com/email.php sends data to http://example.com/processor.php, it should only allow http://example.com and http://www.example.com to do that. You could add more subdomains if you want to. I’ve seen server logs coming form some pretty nasty sites and the pages with forms get the most hits, so I know what they are doing.
• Check the token, helps prevent cross-site scripting. Chris Shiflett has a good tutorial on this. It’s in PHP but you can use the principles for any language.
• I usually ban the emails from the domain the form is on. For example, if your domain is example.com, a lot of bots will simply just fill out the email form as bob123@example.com because they assume you would never ban your own domain.
• Check the timestamp, any forms that are older than X minutes wont be sent.
• See if the same email address or IP address sent an email recently (flood protection).

I also log things at the end of my email, so I can monitor what is going on, incase I get a spammer that is getting through. Often I can see what pattern they follow, such as using the same IP address, email address, words, etc. and I can modify my filters accordingly.

Since the last time I’ve noticed a few little things spammers have been doing and some things I forgot to mention. So here is Part 3 on Spam Prevention for PunBB.

Prevent Guests from Seeing Profiles
Before the following line

// Load the profile.php/register.php language file


Add this

if ($pun_user['is_guest'])
message($lang_common['No permission']);


I’ve also gotten some people that register and put their spammy sites in their signature, but its easy to disable signatures. Just put multiple line comments around the following lines in viewtopic.php

// Do signature parsing/caching
if ($cur_post['signature'] != '' && $pun_user['show_sig'] != '0')
{
if (isset($signature_cache[$cur_post['poster_id']]))
$signature = $signature_cache[$cur_post['poster_id']];
else
{
$signature = parse_signature($cur_post['signature']);
$signature_cache[$cur_post['poster_id']] = $signature;
}
}


Now it should look like this. They can still enter links in their signature from their profile page but it won’t show up on any posts.

/*
// Do signature parsing/caching
if ($cur_post['signature'] != '' && $pun_user['show_sig'] != '0')
{
if (isset($signature_cache[$cur_post['poster_id']]))
$signature = $signature_cache[$cur_post['poster_id']];
else
{
$signature = parse_signature($cur_post['signature']);
$signature_cache[$cur_post['poster_id']] = $signature;
}
}
*/


There is another field in a person’s profile for them to put in a value for their web site, so you might prevent that from showing up as well. I just turn it off in Administration -> Options and under Display and User info in posts.

Show information about the poster under the username in topic view. The information affected is location, register date, post count and the contact links (e-mail and URL).

Want to use rel="nofollow" for links? Open up include\parser.php and modify the return line of the function handle_url_tag to look like this.

return '<a href="'.$full_url.'" rel="nofollow">'.$link.'</a>';//MODIFIED


I now prevent members from registering with URLs or @ in their member name. The only way PunBB could prevent this otherwise is to use the censor feature but that isn’t a good idea since the members that prove they are real will need to be allowed to post links later on.

Open lang\English\prof_reg.php and add the following near the top

'Username spam' => 'Usernames may not look like a URL or email address. Please choose another username.',/*MODIFIED*/


Now open up register.php and after the following lines

else if ((strpos($username, '[') !== false || strpos($username, ']') !== false) && strpos($username, '\'') !== false && strpos($username, '"') !== false)
message($lang_prof_reg['Username reserved chars']);


add

else if (strpos($username, 'http://') !== false || strpos($username, 'https://') !== false || strpos($username, 'www.') !== false || strpos($username, '.com') !== false || strpos($username, '@') !== false)/*MODIFIED*/
message($lang_prof_reg['Username spam']);


That should prevent anyone from registering a spammy username.

Since my last post I’ve now started filtering for “.com” in the message field on some forums I run (its an easy addition to the code I posted last time). However I’ve noticed that a few bots/people were typing these into the Name (if you have guests enabled) and Subject fields. Even though PunBB won’t render that as a link, it still could promote someone’s spammy site. So I wrote some more hacks to prevent this from happening.

This assumes you added some variables to lang/English/post.php but I’ll post the code again. Feel Free to skip this part if you already did it.

Open up \lang\English\post.php and after

'Edit redirect' => 'Post updated. Redirecting . . .'


Add a comma at the end of that line and then add

'New Member spam protection' => 'New Members can not post links, images or email addresses until they become more active.',
'Guest spam protection' => 'Guests can not post links, images or email addresses.'


Ok, now for the new stuff… We are going to filter out the subject for guests and members that have less than 6 posts

Now open up post.php (the one at the root of your forums) and after this line

else if ($pun_config['p_subject_all_caps'] == '0' && strtoupper($subject) == $subject && $pun_user['g_id'] > PUN_MOD)
$subject = ucwords(strtolower($subject));


add the following:

if (($pun_user['is_guest']) || ($pun_user['num_posts'] <= 5))
{
$temp_subject = strtolower($subject);//lowercase it so we can be case insensitive, stripos is php5 only
if ((strpos($temp_subject, 'http://') !== false) || (strpos($temp_subject, 'https://') !== false) || (strpos($temp_subject, 'www.') !== false) || (strpos($temp_subject, '@') !== false) || (strpos($temp_subject, '.com') !== false))
{
if ($pun_user['is_guest'])
$errors[] = $lang_post['Guest spam protection'];
else if ($pun_user['num_posts'] <= 5)
$errors[] = $lang_post['New Member spam protection'];
else
$errors[] = $lang_post['Post errors'];//this message already exists
}
}


Now we need to prevent guests from using a spam-ilicious name, so again in post.php look for:

if (preg_match('#\[b\]|\[/b\]|\[u\]|\[/u\]|\[i\]|\[/i\]|\[color|\[/color\]|\[quote\]|\[quote=|\[/quote\]|\[code\]|\[/code\]|\[img\]|\[/img\]|\[url|\[/url\]|\[email|\[/email\]#i', $username))
$errors[] = $lang_prof_reg['Username BBCode'];


Now after that add:

$temp_username = strtolower($username);//lowercase it so we can be case insensitive, stripos is php5 only
if ((strpos($temp_username, 'http://') !== false) || (strpos($temp_username, 'https://') !== false) || (strpos($temp_username, 'www.') !== false) || (strpos($temp_username, '@') !== false) || (strpos($temp_username, '.com') !== false))
$errors[] = $lang_post['Guest spam protection'];


Now we need to protect edit.php from spam-otrocious subjects by members with less than 6 posts (guests can’t edit pages so no need to worry about them). So look for:


else if ($pun_config['p_subject_all_caps'] == '0' && strtoupper($subject) == $subject && $pun_user['g_id'] > PUN_MOD)
$subject = ucwords(strtolower($subject));


And add this afterwards

if ($pun_user['num_posts'] < = 5)
{
$temp_subject = strtolower($subject);//lowercase it so we can be case insensitive, stripos is php5 only
if ((strpos($temp_subject, 'http://') !== false) || (strpos($temp_subject, 'https://') !== false) || (strpos($temp_subject, 'www.') !== false) || (strpos($temp_subject, '@') !== false) || (strpos($temp_subject, '.com') !== false))
{
if ($pun_user['num_posts'] <= 5)
$errors[] = $lang_post['New Member spam protection'];
else
$errors[] = $lang_post['Post errors'];//this message already exists
}
}


The war on spam continues. So far my hacks have been made it so I get no spam, even with allowing guests to post. I’ve noticed in my logs that they are trying though, some of my top ranked pages are register.php and post.php.

However if you are using any kind of these hacks, you will notice that you will get tons of registrations still. I recommend you set the option to require validation.

When enabled, users are e-mailed a random password when they register. They can then log in and change the password in their profile if they see fit. This feature also requires users to verify new e-mail addresses if they choose to change from the one they registered with. This is an effective way of avoiding registration abuse and making sure that all users have “correct” e-mail addresses in their profiles.

The best way to deal with too many registered users from bots is to use one of the following Captcha plugins/hacks for PunBB.

• Image Verification
• Captcha Box
• RegKey Plugin to work with 1.2.15
• Math Registration Check (code near bottom of page 1)

One of the main problems with PunBB is that its very prone to spam. While there are some plugins out there that deal with this, I prefer to use my own little hacks instead.

Open up post.php and find some code that looks like this:

// Validate BBCode syntax
if ($pun_config['p_message_bbcode'] == '1' && strpos($message, '[') !== false && strpos($message, ']') !== false)
{
require PUN_ROOT.'include/parser.php';
$message = preparse_bbcode($message, $errors);
}


Below that code add the following


if ($pun_user['is_guest'])
{
$temp_message = strtolower($message);//lowercase it so we can be case insensitive, stripos is php5 only
if ((strpos($temp_message, 'http://') !== false) || (strpos($temp_message, 'https://') !== false) || (strpos($temp_message, '[url') !== false) || (strpos($temp_message, '[img]') !== false) || (strpos($temp_message, '[email') !== false) || (strpos($temp_message, 'www.') !== false) || (strpos($temp_message, '@') !== false))
$errors[] = $lang_post['Guest spam protection'];
}
else if ($pun_user['num_posts'] < = 5)
{
$temp_message = strtolower($message);//lowercase it so we can be case insensitive, stripos is php5 only
if ((strpos($temp_message, 'http://') !== false) || (strpos($temp_message, 'https://') !== false) || (strpos($temp_message, '[url') !== false) || (strpos($temp_message, '[img]') !== false) || (strpos($temp_message, '[email') !== false) || (strpos($temp_message, 'www.') !== false) || (strpos($temp_message, '@') !== false))
$errors[] = $lang_post['New Member spam protection'];
}


If you allow guests to post it will look to see if they are posting a link, image or a email address. It might seem like double work to test for http:// and [url but a lot of spam bots are stupid and will attempt to put bbcode on blogs, email forms and all over the web. I've found sometimes they wont even put the http:// but put in the bbcode [url]. Don’t ask me why, but thats how some spam bots were programmed and so you might as well filter them all. Its a good idea to filter for the @, I’ve gotten some spam where a bot put up a work at home post and had their email address for a contact. Sometimes they will just try to put in www. hoping the forum will pick it up and turn it into a link. You might also add a test for some TLDs (top-level domains, such as .com, .net, .org), incase they leave off all the prefixes. I’ve yet to see bots do that, but I’m sure they probably will, good thing is, that its a easy addition.

If you don’t allow guests don’t worry, this code will still work. The code also tests for registered users and sees if they have more than five posts (feel free to increase or decrease that amount) and if so they will be allowed to post links, images and email addresses. Most bots out there sign up once and spam the message board one time. And later on they will re-register and put up another post, I’ve yet to see any spam bots use the same login to spam some more.

Open up \lang\English\post.php and after

'Edit redirect' => 'Post updated. Redirecting . . .'


Add a comma at the end of that line and then add


'New Member spam protection' => 'New Members can not post links, images or email addresses until they become more active.',
'Guest spam protection' => 'Guests can not post links, images or email addresses.'


You will want to add the spam protection to edit.php also, so open that up and after


// Validate BBCode syntax
if ($pun_config['p_message_bbcode'] == '1' && strpos($message, '[') !== false && strpos($message, ']') !== false)
{
require PUN_ROOT.'include/parser.php';
$message = preparse_bbcode($message, $errors);
}


Add the following (its pretty much the same as the post.php uses except there is no test for guests since guests can’t edit posts anyway).


if ($pun_user['num_posts'] < = 5)
{
$temp_message = strtolower($message);//lowercase it so we can be case insensitive, stripos is php5 only
if ((strpos($temp_message, 'http://') !== false) || (strpos($temp_message, 'https://') !== false) || (strpos($temp_message, '[url') !== false) || (strpos($temp_message, '[img]') !== false) || (strpos($temp_message, '[email') !== false) || (strpos($temp_message, 'www.') !== false) || (strpos($temp_message, '@') !== false))
$errors[] = $lang_post['New Member spam protection'];
}


And now you have spam control. Granted its a hack and not a plugin, it works pretty good.