I just got comment spammed

registered · Posted: Thu Aug 09, 2007 5:47 pm

For the first time ever. It was done by a user. It looks like he had a script that just walked through all the news articles (increased the sid by one) and blasted away.

What do you suggest I do? And how to clean up about 400 comments? Evil or Very Mad

Posted: Thu Aug 09, 2007 6:00 pm

Well since it was all done by a single user it was easy to delete them all.

DELETE FROM nuke_comments WHERE name = 'grytner'

Posted: Thu Aug 09, 2007 6:08 pm

Well I banned his 2 IP's in sentinel, and put his username and email address in the string blocker. Anything else? Sad

registered · Posted: Thu Aug 09, 2007 6:10 pm

Yeah, see this: http://www.ravenphpscripts.com/postp105243.html#105243

He only got through the first page. Did you have the spam captcha from 2.10.x turned on for news? The guy I ran into in the above post was definitely manually spamming.

Posted: Thu Aug 09, 2007 6:12 pm

I guess I am going to write a script to display the last x new news comments and watch for this kind of crap now.

Posted: Thu Aug 09, 2007 6:14 pm

I have comments set so that only members can make them, but no captcha.

I can see someone paying someone in a 3rd world country to manually spam websites. grrrrrr.

Posted: Thu Aug 09, 2007 6:16 pm

Most of the comments were about a second apart, so I think he had a script.

Posted: Thu Aug 09, 2007 6:17 pm

Guardian has already done this. Its on http://www.code-authors.com.

Posted: Thu Aug 09, 2007 6:18 pm

Gremmie wrote:

I have comments set so that only members can make them, but no captcha.

I can see someone paying someone in a 3rd world country to manually spam websites. grrrrrr.

Yep. This is why this other person didn't get very far. He had to hand enter them and the captcha. I only had to delete 5 comments. It is worth it IMO turning on the spam captcha.

Posted: Thu Aug 09, 2007 6:23 pm

Yes I reluctantly agree. It is on now.

Thanks for the tip for Guardian's script.

Posted: Thu Aug 09, 2007 7:19 pm

I use Guardian's comments module and will endorse it too.

Quote:

Well since it was all done by a single user it was easy to delete them all.

DELETE FROM nuke_comments WHERE name = 'grytner'

Unfortunately this only gives you half of a result. After I did something like that I found out that the stories table also stores the number of comments. I had to write an ad hoc that went something like this to clean up. (This was some time ago so I forget all the gory details).

Code:

require("config.php");


require("db/db.php");


$justreport = true;


$fixit = true; // set to true to set comments in stories table to number found in comments


$result = $db->sql_query('SELECT title, sid, comments FROM '.$prefix.'_stories');


while ($row = $db->sql_fetchrow($result)) {


        $counter = 0;


         $sid = intval($row['sid']);


         $comments = intval($row['comments']);


$counter = intval($db->sql_numrows($db->sql_query('SELECT sid FROM '.$prefix.'_comments WHERE sid =\''.$sid.'\'')));


if ($justreport) {


echo $sid . ' ' . $row['title'] . ' --comments table=  ' .  $counter . ' --stories table = ' . $comments . '<br>';   }


if ($fixit) {


    if ($comments != $counter) {


    $result2 = $db->sql_query('UPDATE '.$prefix.'_stories SET comments=\''.$counter.'\' WHERE sid=\''.$sid.'\'');


    if (!$result2) {


        echo mysql_errno($result2) . mysql_error($result2) ; }


    echo 'fixing comments field in ' . $row['title'] . '<br>';


    }


}


}

Use at your own risk ... there's a report only flag you can set to see what the results would be before you do any updating. You might want to verify what I'm saying using PHPmyadmin before proceeding too and make a backup of your tables first. I guess ideally the two scripts (deleting all comments by a user and decrementing the number in the story table) should be integrated.

Posted: Thu Aug 09, 2007 7:22 pm

Ah....that's dumb to store the number of comments in the story table. It is totally redundant and can get out of sync, as in a case like this.

Thanks for the tip though.

Posted: Thu Aug 09, 2007 7:24 pm

It might be easier to write a script that updated the story table based on how many comments are actually in the comment table for that story. I'll look into that since I already blew away the spam.

Posted: Thu Aug 09, 2007 8:04 pm

Ok, I'm sure there is like one whiz-bang SQL statement that would do this, but I couldn't figure it out, so here is a PHP script that gets the comment counts back in sync. Smile

Code:




<?php


include 'mainfile.php';


include 'header.php';


OpenTable();





$sql = "SELECT sid, comments FROM {$prefix}_stories ORDER BY sid";


$result = $db->sql_query($sql);


while ($row = $db->sql_fetchrow($result))


{


   $sid = $row['sid'];


   $comments = $row['comments'];





   $sql = "SELECT COUNT(*) FROM {$prefix}_comments WHERE sid = '$sid'";


   $result2 = $db->sql_query($sql);


   $row2 = $db->sql_fetchrow($result2);


   $actComments = $row2[0];





   if ($comments != $actComments)


   {


      echo "Updating story $sid because it thinks it has $comments comments, but it really has $actComments<br />";


      $sql = "UPDATE {$prefix}_stories SET comments = '$actComments' WHERE sid = '$sid'";


      if (false === $db->sql_query($sql))


      {


         echo "Oops it didn't work for story $sid<br />";


      }


   }


}





CloseTable();


include 'footer.php';


?>

Posted: Thu Aug 09, 2007 8:10 pm

fkelly, wow...I'm so rattled I didn't even read your posting thoroughly. I just reinvented what you already wrote.

Embarassed

Posted: Thu Aug 09, 2007 8:48 pm

Gremmie: LOL. That's okay. You got me concerned enough that I just went in and verified that there is a comments field in the stories table. From a design point of view you are perfectly right of course, it's redundant and subject to error. I guess from a programming point of view it's easier to just pull the story table up and look at the comments field for a value rather than going to the comments table and counting the number for a given sid. But that's neither here nor there.

Posted: Fri Aug 10, 2007 6:22 am

Hey, BTW, any improvements upon the comments module would most definitely be appreciated by Guardian. He has a lot on his plate right now. Some of what I was thinking:

1. Allow for multiple select of comments to delete.
2. Finish up the Poll comments.
3. Possibly add one for Forum posts.
4. Now, given Gremmie's recent "adventure", possibly add a delete by user.

Just thought I'd get it documented somewhere and if anybody felt a strong need for one of these and wanted to pick it up for their own benefit... I've had 1 - 3 on my personal list for months now and you see how far I have gotten? Laughing

Posted: Fri Aug 10, 2007 6:43 am

fkelly wrote:

Gremmie: LOL. That's okay.

Yeah I wasn't thinking straight. This was the first time something like this has happened to my site since it was started 1.5 years ago. I've been lucky I guess. LOL. I'm a little more rational now. Smile

fkelly wrote:

You got me concerned enough that I just went in and verified that there is a comments field in the stories table. From a design point of view you are perfectly right of course, it's redundant and subject to error. I guess from a programming point of view it's easier to just pull the story table up and look at the comments field for a value rather than going to the comments table and counting the number for a given sid. But that's neither here nor there.

A database purist would laugh at Nuke I think. Having a redundant comments field in the stories table may make it easier for one thing, but now you have two tables to update whenever you add or delete a comment. Can we change that?

Posted: Fri Aug 10, 2007 6:44 am

montego wrote:

Hey, BTW, any improvements upon the comments module would most definitely be appreciated by Guardian. He has a lot on his plate right now. Some of what I was thinking:

1. Allow for multiple select of comments to delete.
2. Finish up the Poll comments.
3. Possibly add one for Forum posts.
4. Now, given Gremmie's recent "adventure", possibly add a delete by user.

Just thought I'd get it documented somewhere and if anybody felt a strong need for one of these and wanted to pick it up for their own benefit... I've had 1 - 3 on my personal list for months now and you see how far I have gotten? Laughing

I'm interested now. Smile

Posted: Fri Aug 10, 2007 7:40 am

Quote:

A database purist would laugh at Nuke I think. Having a redundant comments field in the stories table may make it easier for one thing, but now you have two tables to update whenever you add or delete a comment. Can we change that?

We can change ANYTHING; the only question would be do we want to fix it for the next patch release or wait for a major release. Then we'd have to search for any place where the comments field in the stories table is used and change it to do a count on the comments table. And test the heck out of the results ... a lot of the news screens pull comments and there's inconsistencies in how various themes handle this (I vaguely recall) so we'd need to make sure we didn't unhinge anything there. Probably we'd want to look at Guardian's module too, though that's not part of the distribution currently, and make sure we didn't mess that up.

I suppose the appropriate way to do this would be to put an issue in Mantis and see how and when Raven wants to handle interweaving it with the rest of the work.

Smile

I guess that since M. wrote the specs for the larger revision here he doesn't have to do the programming.

Posted: Sat Aug 11, 2007 5:30 pm

Just a comment about "database purist". That would be the full normalization camp. However, there are trade-offs. For example, let us just say that we have a site which has loads of activity, especially in the reading category. One does not mind taking a little extra time to post something right? But, you might want your readers to have the fastest speed possible (not to mention be able to serve up many of these at the same time). Which is faster and less resource usage?

1. Pulling in a counter off the main comment table, or

2. Pull the comment table information and then go get the count for the comments.

Everything in my mind boils down to the objectives and situation at hand. Hmmmm, sounds like requirements and design. Laughing

Posted: Sat Aug 11, 2007 7:38 pm

Why can't you do both in one query? This works:

SELECT s.title, count(*) FROM nuke_stories AS s, nuke_comments AS c WHERE s.sid = 1 AND c.sid = 1 GROUP BY s.title

I think this is still better than storing the same data in two places.

Posted: Sat Aug 11, 2007 7:51 pm

Yes, of course that works, functionally, but the point is not can you combine this all into one SQL. The point is that if the goal is to reduce resource utilization and performance on a very head loaded site, it can actually be better to store redundant data.

Again, these are "trade-offs" that every good designer must make for him/herself based on the requirements.

I am not disagreeing with you guys on the original premise of this post/thread. Gremmie made a comment about "database purist" and I wanted to elaborate with some practical experience.

Posted: Sun Aug 12, 2007 9:13 am

I certainly agree that you can loosen your database scheme if performance shows that it needs it. In the absence of that data it is just premature optimization and making trouble for yourself. Given Nukes other famous notorious inefficiencies, I'd wager this little feature was just the author not knowing any better. Smile

Anyway.....the vandal came back, but he was blocked by the string blocker I set up on his user name.

Posted: Sun Aug 12, 2007 9:18 am

Forgot to add: I am so grateful for NukeSentinel. Smile