Help catch this spammer

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Hello friends,

I just found this wonderful place when I was trying to install NukeSentinel
latest version first time install. I tried the install on my local server
to make sure I can do this clean before attempting on the real server.
Local install went OK and now I'm going to read the userguide to help me
understand what I can do with NukeSentinel.

Someone is creating a problem in my phpnuke site by spamming the forums.
This guy/gal is appearing with different usernames (so far 7 I think)
all of which have changing IPs (Real IP appeared masked)
Right now I'm helpless trying to ban this idiot.

Do you have suggestions on how to handle this situation ? Rolling Eyes

Susann · Posted: Tue Apr 22, 2008 5:59 pm

Well there are many, many options to block. For example you could add his e-mail addresses or names, words into the the string blocker a la
@mail.ru
@bk.ru
Viagra
You could use the proxy block option too.
You could ban IPs in NukeSentinel or directly in your .htaccess with cidr. You could ban a complete country.
Every situation is a bit different. Is it a human spammer ?
What kind of spam is it ?

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Thanks for the reply Susann. Yes this is a human spammer for sure.
he's posting other site names and asking to leave
and join other sites. I get the feeling he's trying to target
another member in the site in particular but I just don't care.
I simply want to stop this pest.

Yes I'm thinking of the proxy block .. not sure what impact
it'll have on others though..
yet to learn about the string blocker... he has many e-mails..
and most seems to point to @live.com

When I check his IP's tracked by the nuke ip_tracking they
point to all over the world.. and there's nothing
unique about them. I guess I can't ban this by IP..

Have to install NukeSentinel and see..

Gremmie · Posted: Tue Apr 22, 2008 9:07 pm

Have to ask, but are your forums set up so that anyone can post? Or registered users onl? If anyone can post then you will definitely see stuff like this.

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Registered users only.
He comes in, registers and posts. 7 different usernames and
7 different E-mail addresses so far. But the IP I'm seeing for a particular ID
is different each time he logs back in so normal IP ban in phpnuke is not effective.

I'm not an expert on IPs and am frustrated by this.

montego · Posted: Wed Apr 23, 2008 7:14 am

Can you tell from NukeSentinel's tracking whether this really is a real human vs. a machine? Sometimes you can tell by the spacing out of their various registration request transactions. Also, do you have the registration captcha turned on? (Although, if you are still using the original PHP-Nuke captcha, its almost no use anymore.)

You might want to try using my Approve Membership Lite or maybe CNBYA so that you can at least review your registrations and have a chance to decline.

Susann · Posted: Wed Apr 23, 2008 10:58 am

This sounds they are using proxies.The proxy blocker in NukeSentinel highest level will possible block other services like AOL so to use a membership add-on isn´t a bad idea. We don´t know your NukeVersion or your forums version ? Maybe insecure. Can new users only register through your account ? @live.com is known for referer spam.
With a own server I would always use the service from:

Only registered users can see links on this board!
Get registered or login to the forums!

To hide the memberlist, the groups and links within the forum is recommended but it will not solve completely your problem.

Btw: Don´t hestitate fo fight back. Report spam everywhere.

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Montego:
I haven't fully installed Sentinel on the site
yet (will do so shortly). so don't know full details on this person/machine yet..
Thanks also for the suggestion on the Approve Membership Lite.
Is there a version available for regular phpnuke ?
I'm running v8.0.

Susann:
Yes I also feel proxy blocker will work here.
Will let you know..

montego · Posted: Wed Apr 23, 2008 11:36 am

kolla, well, there is your first problem (running PHP-Nuke... lol), why not RavenNuke???

Anyways, regarding your question about "is there a version for regular phpnuke?", I personally do not provide nor support the lite version for this - ONLY for RavenNuke. However, you can get the full version, which also includes the ability to add fields, over at

Only registered users can see links on this board!
Get registered or login to the forums!

.

Guardian2003 · Posted: Wed Apr 23, 2008 11:39 am

May I ask how long you have been using nuke 8.0?
May I also mention RavenNuke (available here) has Nuke Sentinel built in along with other security and speed improvements/enhancements.
If you are using the original nuke 8.0 your security image is easily bypassed and registration can be automated through the forum registration (as against nukes normal 'Your Account' registration) process.
Approve Membership Lite is certainly a very helpful tool and Nuke Sentinel will certainly help you combat this spammer but please remember that virgin nuke is very flawed from a security perspective.
It is one thing to chase them all over the site and eventually get them banned, it is another thing entirely to not have the problem in the first place Wink

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Montego...I actually do this as a hobby...and just only
recently learned all what I know about phpnuke to volunteer
and help run this online community. What this means is
there are lot of things I don't know yet.. Embarassed

and frankly
I didn't know about RavenNuke when we built the site.
I'm gathering my knowledge from good folks like you here
only now. Not sure what my options are now...

sting · Posted: Thu Apr 24, 2008 1:24 pm

Approve Membership - especially if you are running this as a hobby. . .

-sting

Susann · Posted: Fri Apr 25, 2008 4:05 am

Another option is to downgrade and switch over to RavenNuke.
Guyys did this in the past:
For example:

Only registered users can see links on this board!
Get registered or login to the forums!

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Here's an update of what happened today..
I installed NukeSentinel on the site with no errors
and set the Proxy IP block to highest setting and went to sleep.

Woke up in the morning to find this guy came again with a new ID
and posted two messages in the forums laughing at the staff calling us
stupid. I checked the IP tracking for him and here's what I see:

How is it possible that he's showing different IPs within seconds apart ??
(all over the world too)
I'm frustrated by equally determined to improve my knowledge on this subject..
Hoping someone can shed some light..

dad7732 · Worker Joined: Mar 18, 2007 Posts: 213

FWIW: Every one of those IP's have accessed my site but haven't made it past Sentinel *.17 Smile

I have manually added each to the block list after which, no more attempts. Definitely running a script of sorts.

Cheers, Jay

kolla · New Member Joined: Apr 20, 2008 Posts: 17

dad7732:

I can add these manually to the block list. Are these auto generated somehow ?
If so.. adding this 5 may not stop this right ?

Guardian2003 · Posted: Fri Apr 25, 2008 11:45 am

Looks like an automated process he is using, are your Forums up to date? There were several fixes in the last two BBtoNuke updates to help address this type of problem.

Susann · Posted: Fri Apr 25, 2008 12:23 pm

Kolla can you tell me whats the user agent of this 5 IPs ?
Btw:The black list status of these IPs is clear.

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Susann: Here's what I found as the user agent.
All the previously listed IPs (and more) are here..

Susann · Posted: Fri Apr 25, 2008 1:02 pm

Thought it could be only "User-Agent" because I found out IPs with this UA also changed the IPs within seconds and this user agent is now banned via .htaccess on my site. I seldom ban user-agents but there are some exeptions.
But I´ll try to find out something about your "User Agent".

montego · Posted: Fri Apr 25, 2008 1:13 pm

Problem is that it is way too easy to spoof the user agent... among other header values unfortunately.

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Thanks for looking into this guys. I checked all activities for this user agent
and it seems to me there are 2 new IDs also registered using using this.
(in addition to what he used today)
I'm sure he's going to come back and post with those IDs later.
(consistant with his past behavior.. I changed PWs in DB for every
account he had so he needs new accounts every time)

Pardon my ignorance... but what exactly is a user agent ?
How does it work ?

If I click the "Block" icon for this user agent is that better or using .htaccess
is recommended ? What should I put in .htaccess ?

I'll also wait to see if Susann found any more info..

Thanks again guys.

evaders99 · Moderator Joined: Apr 30, 2004 Posts: 2749

User agent is sent by your browser. It basically tells the server what kind of browser you are using and its compatibility. However, there isn't a standard way to do it. Nor can you verify someone's ID.

My guess is that they are using some kind of anonymous proxy service, that will give them different IPs.

.htaccess is preferred, they won't get access to anything on the server that way.

kolla · New Member Joined: Apr 20, 2008 Posts: 17

Just as we speak this guy used one of the IDs I suspected and made a post
and left.. (same user agent).. this kind of shows we have a unique user agent
here...

Is there a way to use NukeSentinel to write to .htaccess to block this user agent ?
(I didn't see a user agent blocker)
If not can someone tell me the exact line to put in .htaccess..
(pardon my ignorance please)

montego · Posted: Fri Apr 25, 2008 5:41 pm

If you block this user agent, you could very well block many, many regular legitimate users of your site. I see nothing with this user agent that isn't generic. You can block via NukeSentinel's Harvester settings, but, again, would be tough because you'd end up blocking a lot of people I suspect.