XMB Forum Software

Spam Hammer?

Joana - 11-15-2013 at 09:15 AM

Hi guys,
I'm having a lot of trouble with bots registering to my forum and posting stupid messages. I went on the hacks page and found Spam Hammer. Will that help my case? What does it actually do?
Thanks.

Mouser - 11-18-2013 at 05:38 PM


Taken out of the ZIP file;
Quote:

Mod Description: Provides a custom button in the profile editor so that Super Admins can instantly ban and move all posts for a specific member.



There were a few modifications that can be used.

This is one of them.
Best is to combine a few. Like passwords sent upon registration, CAPTCHA, etc.

I'm looking for a post from miqrogroove where he explained his own setup.

Joana - 11-21-2013 at 01:01 PM

Thanks! I think Captcha would help!

bfgadmin - 5-7-2020 at 01:06 PM

We had the same problem, and I eventually found a workaround. Edit member.php and find this code:

Code:
$email = postedVar('email', 'javascript', TRUE, TRUE, TRUE);
if ($SETTINGS['doublee'] == 'off' && false !== strpos($email, "@")) {
    $email1 = ", email";
    $email2 = "OR email='$email'";
} else {
    $email1 = '';
    $email2 = '';
}


add the following code:

Code:
// Ask StopForumSpam about the submitted username and e-mail address.
// Both values are URL-encoded so that characters such as "&" or "+" cannot alter the query.
$cSession = curl_init();
curl_setopt($cSession, CURLOPT_URL, "http://api.stopforumspam.org/api?username=" . urlencode($username) . "&email=" . urlencode($email) . "&f=xmldom");
curl_setopt($cSession, CURLOPT_RETURNTRANSFER, true);
curl_setopt($cSession, CURLOPT_HEADER, false);
$result = curl_exec($cSession);
curl_close($cSession);

// Extract the first <confidence> value; it stays empty if the lookup failed or nothing matched.
$confidence = "";
if (is_string($result) && strpos($result, "<confidence>") !== false) {
    $confidencecheck = explode("<confidence>", $result);
    $confidencefinal = explode("</confidence>", $confidencecheck[1]);
    $confidence = trim($confidencefinal[0]);
}

$cutoff = 80; //change this to any value you want but higher means fewer false positives

if ((float) $confidence > $cutoff) {
    // Mark the browser and send it away; registration stops here.
    setcookie("spammer", "true");
    header("Location: http://some-annoying-site.com");
    exit;
    //echo "would not proceed with reg";
} elseif ($confidence == "" || $confidence == NULL) {
    //echo "would proceed with reg due to fail-safe reg";
    //left this here for future expansion such as further scrutiny required for unknown reg
} else {
    //echo "would proceed with reg pass check";
    //left this here for future expansion
}


Next, edit header.php and place this code pretty much anywhere. Since the account was rejected, there is no user to ban but we can still use that cookie we set in their browser to redirect them away again.

Code:
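// Browsers that were rejected at registration carry the "spammer" cookie; redirect them again.
if (isset($_COOKIE['spammer']) && $_COOKIE['spammer'] == "true") {
    header("Location: http://another-redirect-to-an-annoying-place.com/");
    exit; // stop here so the rest of the page is not rendered
}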


There's another part to this that uses behavior analysis but I'd rather not post it since spammers likely read these.
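The lookup described in the post above, as an added example that is not part of the original post: it parses the `f=xmldom` reply with SimpleXML and uses the highest confidence reported for any queried field, where the snippet above reads only the first `<confidence>` element. The function name, the sample reply and its element layout (one child element per queried field) are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread. Parses a StopForumSpam f=xmldom reply
// and returns the highest confidence reported for any queried field.

/**
 * @return float|null highest confidence (0-100), or null if the reply is unusable
 */
function sfs_max_confidence(string $xml): ?float
{
    $prev = libxml_use_internal_errors(true);   // keep XML parse warnings off the page
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);

    if ($doc === false || (string) $doc['success'] !== 'true') {
        return null;                            // lookup failed: caller picks the fallback policy
    }

    $max = 0.0;
    foreach ($doc->children() as $field) {      // assumed layout: <username>, <email>, ...
        if ((string) $field->appears === '1' && isset($field->confidence)) {
            $max = max($max, (float) $field->confidence);
        }
    }
    return $max;
}

// Constructed sample reply (values invented for illustration): the username is
// barely known, the e-mail address is a well-known spam source.
$sample = <<<XML
<response success="true">
  <username><appears>1</appears><frequency>2</frequency><confidence>12.50</confidence></username>
  <email><appears>1</appears><frequency>37</frequency><confidence>96.42</confidence></email>
</response>
XML;

$cutoff = 80;   // same cutoff as in the post above
$confidence = sfs_max_confidence($sample);

if ($confidence === null) {
    echo "lookup failed, apply fallback policy\n";
} elseif ($confidence > $cutoff) {
    echo "reject registration (confidence $confidence)\n";
} else {
    echo "allow registration (confidence $confidence)\n";
}
```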

bfgadmin - 5-7-2020 at 07:57 PM

Quote: Originally posted by Mouser  

Taken out of the ZIP file;
Quote:

Mod Description: Provides a custom button in the profile editor so that Super Admins can instantly ban and move all posts for a specific member.



There were a few modifications that can be used.

This is one of them.
Best is to combine a few. Like passwords sent upon registration, CAPTCHA, etc.

I'm looking for a post from miqrogroove where he explained his own setup.


Do you want something like this? For instance, I gave my super mods a button for each user in viewthread_post to give a Post/U2U ban. But even this is still reactive when it comes to dealing with spammers.

The thing you should know about forum spammers is that they are paid pennies every time they spam a link in your forum. They are paid to do this as part of sketchy SEO techniques, and disrupting them for even a minute or two will change their calculus (i.e., losing more money than earning).

One good trick is to catch their behavior and then redirect them to an endless stream of "are you a human?" tests. For instance, it starts with simple math and ends with questions about nuclear physics. Regardless of how they answer, every answer is wrong.

Another good tactic is to use my code (above) to redirect them to a dummy forum where they can spam to their heart's content. Simply return every week or so to clear all posts/delete new accounts/etc.

If you have an active XMB forum I'll share my behavior analysis code. Also, on our site, we require 5 posts before a member can edit any part of their profile besides their avatar and non-text input fields (avatar, topics per page, DOB, etc.).

EDIT: One other option would be to create a means by which suspected spammers could "shadow post" (i.e., a column in your posts table called visible) until you see they aren't a spammer.

Unfortunately, on this very site (XMB) I saw a user who registered and posted seemingly legitimate material only to start link spamming at a later date.

AlwaysLosingPasswords - 3-6-2023 at 04:35 PM

Happy to report that reCAPTCHA v2 and v3 appear to defeat the bots that required all this convoluted analysis!

Mixing both methods should eliminate automatic registration with the same inconvenience as a reCAPTCHA.

lottos - 3-7-2023 at 11:37 PM

Quote: Originally posted by AlwaysLosingPasswords  
Happy to report that reCAPTCHA v2 and v3 appear to defeat the bots that required all this convoluted analysis!

Mixing both methods should eliminate automatic registration with the same inconvenience as a reCAPTCHA.


Does the registration script (member.php) need updating to take advantage of reCAPTCHA v2 and/or v3?

AlwaysLosingPasswords - 3-9-2023 at 05:28 PM

lottos, the latest version has v2 incorporated into the Admin CP->Settings now. :)

V3 can be implemented in a number of ways (including with v2), but here is how I did it:

Code:
if (isset($_POST['g-recaptcha-response'])) {
    // The hidden "validate" field only holds this value when JavaScript ran in a real browser.
    $validate_trick = isset($_POST['validate']) ? $_POST['validate'] : '';
    if ($validate_trick != "viper3") {
        die; //fail
    }

    //form submitted
    $reCAPTCHA_secret_key = "YOUR_SECRET_KEY_HERE";
    $g_recaptcha_response = $_POST['g-recaptcha-response'];
    $g_recaptcha_allowable_score = 0.9;
    $ip = $_SERVER['REMOTE_ADDR'];

    $url = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($reCAPTCHA_secret_key) . '&response=' . urlencode($g_recaptcha_response) . '&remoteip=' . urlencode($ip);
    $response = file_get_contents($url);

    // The reply is JSON; decode it instead of splitting on commas, which depends on field order.
    $responseArray = is_string($response) ? json_decode($response, true) : null;

    if (is_array($responseArray) && !empty($responseArray['success'])) {
        if (isset($responseArray['score'])) {
            if ((float) $responseArray['score'] >= $g_recaptcha_allowable_score) {
                //pass spam check
                echo "SUCCESS!";
            } else {
                //fail spam check
                echo "FAILED SPAM CHECK!";
            }
        }
    } else {
        //fail for some other reason
        echo "FAILED FOR OTHER REASON!";
    }
    exit;
}
?>


There is also a hidden input field that presents a random value by default. When an actual browser opens the page, this JS is run:

Code:
<script> document.getElementById("validate").value = "viper3"; </script>


We no longer use Stop Forum Spam, although their service is top tier and works quite well too. The Google technology is more mature/stable (in my humble opinion) so that is where I have put most of my focus with anti-spam efforts.
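An added example, not part of the original post, that goes one step beyond the score check above: besides `success` and `score`, a reCAPTCHA v3 siteverify reply also carries `action` and `hostname`, and checking them rejects a valid token that was issued for a different form or site. The function name, the expected action and host, and the sample replies are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread: decide on a reCAPTCHA v3 siteverify reply.
// EXPECTED_ACTION and EXPECTED_HOST are placeholder values for this sketch.
const EXPECTED_ACTION = 'register';
const EXPECTED_HOST   = 'forum.example';
const MIN_SCORE       = 0.9;   // threshold used in the post above

function recaptcha_v3_verdict(string $json): string
{
    $r = json_decode($json, true);
    if (!is_array($r) || empty($r['success'])) {
        return 'reject: token invalid, expired or already used';
    }
    // A valid token issued for another form or site must not pass the registration form.
    if (($r['action'] ?? '') !== EXPECTED_ACTION) {
        return 'reject: action mismatch';
    }
    if (($r['hostname'] ?? '') !== EXPECTED_HOST) {
        return 'reject: hostname mismatch';
    }
    if (!isset($r['score']) || (float) $r['score'] < MIN_SCORE) {
        return 'reject: score below threshold';
    }
    return 'accept';
}

// Constructed sample replies (not captured from a real site).
$samples = [
    'browser'    => '{"success": true, "score": 0.9, "action": "register", "hostname": "forum.example"}',
    'low score'  => '{"success": true, "score": 0.1, "action": "register", "hostname": "forum.example"}',
    'wrong form' => '{"success": true, "score": 0.9, "action": "login", "hostname": "forum.example"}',
    'other site' => '{"success": true, "score": 0.9, "action": "register", "hostname": "other.example"}',
    'replayed'   => '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    'garbage'    => 'not json',
];

foreach ($samples as $name => $json) {
    printf("%-11s %s\n", $name, recaptcha_v3_verdict($json));
}
```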