Author |
Message |
dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1242
|
Posted:
Sat May 09, 2009 11:27 am |
|
No problem here in Firefox and keeping the session on another tab. Click click gone.
Cheers |
|
|
|
 |
draxx
Involved


Joined: Nov 19, 2003
Posts: 282
|
Posted:
Sun May 10, 2009 11:58 am |
|
After reading all of this I still am not sure what the point of this was Dad? Why are you doing this? Do tell  |
|
|
|
 |
duck
Involved


Joined: Jul 03, 2006
Posts: 273
|
Posted:
Mon May 11, 2009 10:54 pm |
|
He just doesn't understand. He thinks there is some downside to them showing as logged in. He doesn't realize that if anything there is more positive than negative to the matter. He might learn though when people stop coming? |
|
|
|
 |
dad7732

|
Posted:
Tue May 12, 2009 6:37 am |
|
My server has been up since 1994 and there is a lot that I understand. There has recently been a flurry of registrations for the sole purpose of posting ad links in the forums which is prohibited by my TOS. The posts are nonsense posts and only made for the purpose of adding the links. This is not productive in a support oriented venue. The harder I can make it for these users the better. I have "admin approval" enabled but I let some obvious malcontents through for the sole purpose of letting them post and then deactivating and removing their accounts with a note as to why. This is in the hopes that word will spread in that community. So far, it seems to be working as the number of attempted registrations has decreased 75+ percent. My theory, based on many years of experience is the more you can disrupt an activity the better.
For just a fleeting moment, Duck, I was put off by your comment but in reality I understand it based on my indirect sort of replies.
The folks involved with the production of Sentinel and RNYA, and of course RN in general, have done a marvelous job and very much appreciated.
Cheers, we trudge on. |
|
|
|
 |
nuken
RavenNuke(tm) Development Team

Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina
|
Posted:
Tue May 12, 2009 7:38 am |
|
Speaking of those spam linkers.... I have been doing a little test of sorts to see if spam poison or honey pot helps keep them away. What I have found is that the site with both Spam Poison and Honey Pot has far less "Spam Visitors" than the site that does not have SP and HP.... Not a scientific study mind you, just a direct comparison of two sites with same content minus the SP and HP. |
|
|
 |
dad7732

|
Posted:
Tue May 12, 2009 7:44 am |
|
My son has been a member of the dshield community for quite some time and runs a honey pot on a corporate network. HP's can be quite amusing as long as the intruder doesn't "catch on".  |
|
|
|
 |
duck

|
Posted:
Tue May 12, 2009 9:54 am |
|
Ahh see now we are getting somewhere. So the real issue is the spam linkers then. See that's a whole different ball game. It's like the person who says "I need a hammer and chisel" to the store without explaining why, so he goes home with a hammer and chisel to open a can of soup when what he really needed was a can opener.
See the point I was trying to make about the session thing is that them sitting there really will not cause you harm (unless as stated before it could be an issue if you have some sort of active pages where data continues to flow.) if anything has more positives than negatives.
For instance your kicking people out of logged in if they are legitimate users can get very frustrating and annoying to them. I myself will tend not to visit sites that I have to continually login all the time and I am not the only one who feels this way. So this is something you should be keeping in mind.
What you need to be looking at is better ideas to reduce the spammers and concerning less about people showing up logged in. Your son seems knowledgeable and it's obvious you trust his opinion you should ask him what I am talking about and maybe he can confirm what I am saying for you so you can relax and enjoy your site more instead of feeling like you have to micro manage it (and I mean that in a positive way not to offend).
Now to approach the real issue: spammers. There are a lot of different techniques you could employ to deal with them. The email registration approval seems to be a favoured method amongst many but unless a site has restrictive content and community nature it is one I try to avoid cause I don't think it necessary to force users to jump through too many hoops to join a site at least just to look around. So I may include that before they can post to things but then I won't hide the content usually so at least this way they can see what the site has to offer before making them work a little to be part of it.
But Human testing is the best method for stopping the spam bots. They do evolve from time to time so you may need to update your system with further tactics but here are a couple of suggestions that can be done. For them there may be some things that exist already but for others they may need to be built by someone but they shouldn't be too hard.
1. Extra human confirmation when signing up. If captcha seems to be failing have a human readable question on top. IE ask a question like what color is the sky? with a multiple choice answer.
2. Admin approval before posting links. It could be quite easy to Mod things to require approval before you have the ability to post links on a site.
3. Change Values of ToS form variables when applying. The bots are designed to recognize certain pages to expect certain responses and will either autopost certain variables and/or try to decipher the response sent from server to appropriately answer a question. So if you change form element names and/or variable output then this can confuse them.
4. Block certain IP ranges and referrers if you notice a trend.
5. Add filters for certain types of link words or posting words.
If you do any or all of those the chances you'll continue to get spam are extremely slim. If you still get a lot then something else more serious is wrong I would think but still you shouldn't even need to go that deep. Take Raven's site as an example. Although I am sure he may still get the very occasional piece of spam you hardly ever see any here and when it comes to nuke driven sites his is one of the biggest. He ranks well in the search engines so the spam botters would be well aware of him yet his site's not difficult to join and does not have a lot of restrictions or extra custom hoops like the ones I mentioned. But I can affirm that his Google reach is strong cause the link I added for a friend showed up in the first page within a couple hours of posting. My friend's site is not even indexed yet so that's a lot of help. When you search their site name you don't find a link to them on the front of Google yet but you will find Ravenscripts post about it.
So Raven would have to be one concerned about spammers but as you can see he's not. So I think following his footsteps might be a good thing. |
|
|
|
 |
dad7732

|
Posted:
Tue May 12, 2009 10:18 am |
|
A little TMI .. However, I am not kicking out legitimate users either manually or automatically, that's not the point or the issue.
BOTS is not a problem, "spamlinkers" manually registering IS the problem. Configuring my "server" has nothing to do with this issue. My server has 1,000+ users in over 30 domains - all of which are my clients. We reject over 20,000 spams daily either by SpamAssassin or by using the BL's in the sendmail.cf configuration file. We DO have some idea of what we're doing in this respect ...
The issue that I am addressing is ONLY regarding the "spamlinkers" on only one support site of mine. What I am doing is called "user intimidation". The more I can disrupt their experience the better. The idea is to intimidate them enough so that they will hopefully report their bad experience back to whatever forums they visit that encourage the posting on certain forums.
Something must be working because three weeks ago when this all of a sudden started, I was getting over 100 registration requests daily, 99.9% were from "spamlinkers". After employing some intimidation routines, this percentage has dropped dramatically, down to only 2 or 3 in the last few days.
It is usually easy to spot the "spamlinker" vs the "good user" by domain/username.
I had one yesterday: @penis-enlargement.com
and jimsmith@common.domain.name
Which one you think is the "bad guy"?
Cheers and thanks for the comments all of which are taken into consideration. |
|
|
|
 |
warren-the-ape
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands
|
Posted:
Tue May 12, 2009 12:21 pm |
|
But like duck said, isn't there a trend visible amongst those 'spamlinkers'? Domain names, user agents, ip ranges, mail addresses etc.?
Must admit though, that some time ago I had 2 people/bots who registered and spammed down some of the articles (comments) on my site, but only the news articles and nothing in the forums. Fortunately their names alone were 'strange' enough to ring my alarm bells
Even though everything is patched, NukeSentinel is doing its job, and .htaccess rewrites are already blocking 99% of the junk originally caught by NS, they still managed to get through. |
|
|
|
 |
dad7732

|
Posted:
Tue May 12, 2009 12:52 pm |
|
Yes, there certainly is a trend and you can easily spot 'em by the domain names MOST of the time. Sometimes one gets through as "joe@verizon" for instance and is a spamlinker. My mission is for the spamlinkers to "get the message" that my site isn't the one to post free ads to. By intimidating some of them by knowingly letting them register seems to be working so far. No takers yet today and the "takers" are getting exponentially fewer and fewer each day. Above all I am NOT going to risk losing my paid linkers. There is a waiting line, when one leaves, one comes aboard within hours. Users (registered) on my system can only write to the forum. Keeping it clear of debris wasn't a challenge until a month ago and the site has been up since 1998 as a domain and 1995 as a sub.
Cheers |
|
|
|
 |
duck

|
Posted:
Tue May 12, 2009 4:21 pm |
|
But I am still at a loss at what all that has to do with "tossing a user Offline" or is that part of your annoy them tactic? Why not simply deactivate them after they register? I mean if they are sitting there logged in and you want to annoy them simply deactivate their account and as soon as they go to do something uhoh no can do. Then they gotta go through the hassle of reregistering rather than just simply logging back in?
But clearing a session from the DB seems sort of pointless honestly. Of course if you're bored and have the time to sit there watching who's logged in and bump them off the server over and over again I guess it could be somewhat amusing like playing that bop the groundhog on the head arcade game or something? lol |
|
|
|
 |
dad7732

|
Posted:
Tue May 12, 2009 4:36 pm |
|
Pointless and useless to anyone not having the problem(s). What I do is to let "some" of them go all the way through the process of registration, then watch them as they post their link(s) and then immediately do one of two things. I either delete the post and add them to my posted blacklist, deactivate/remove .. OR .. I let the post stay there but change the link to my main production site as well as deactivate/remove them and so on. It's all a game and I am in total control.
And so far it seems to be having the desired effect.
This topic has gone beyond the original request so that I am no longer interested in going in that direction. But yeah, tossing them OFFline while they are in the middle of posting is doable/annoying/intimidating, etc. So far I have not had one single re-register attempt.
Cheers
BTW: I am past full retirement age and yes, have a ball being quite intimidating to these people. "Bop the spammer" is a much better pastime.  |
Last edited by dad7732 on Tue May 12, 2009 6:36 pm; edited 1 time in total |
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Tue May 12, 2009 6:22 pm |
|
Well, what I am thinking is that although we can't really do anything about this "session" (in quotes so not confused with true session handling), but, since mainfile.php is pretty much loaded up almost with every site request, and I believe the user's info is being pulled from the DB, maybe we do need to add a quick check to make sure an admin hasn't just deactivated them.
This request still has merit IMO, but I say this without a review of code to know for sure. |
|
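Added example, not part of any post in this thread and not RavenNuke code: a sketch of the per-request account check suggested above, contrasted with a check that trusts the session alone. The SQLite schema, function names and the sample row are hypothetical, and the thread does not establish which of the two behaviours mainfile.php actually has.

```python
import secrets
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")  # stand-in for the site database
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                            active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL);
    """)
    return db

def login(db, name):
    """Issue a session token for an existing, active account."""
    row = db.execute("SELECT id FROM users WHERE name = ? AND active = 1",
                     (name,)).fetchone()
    if row is None:
        return None
    token = secrets.token_hex(16)
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token, row[0]))
    return token

def session_only_check(db, token):
    """Weak form: trusts the session row, never re-reads account status."""
    row = db.execute("SELECT user_id FROM sessions WHERE token = ?",
                     (token,)).fetchone()
    return row[0] if row else None

def per_request_check(db, token):
    """Hardened form: each request re-validates the account behind the token."""
    row = db.execute(
        "SELECT u.id FROM sessions s JOIN users u ON u.id = s.user_id "
        "WHERE s.token = ? AND u.active = 1", (token,)).fetchone()
    if row is None:
        # Deactivated or removed account, or unknown token: drop the session
        db.execute("DELETE FROM sessions WHERE token = ?", (token,))
        return None
    return row[0]

def demo():
    db = make_db()
    db.execute("INSERT INTO users (name) VALUES ('teamspeak')")  # constructed row
    token = login(db, "teamspeak")
    before = per_request_check(db, token)    # 1: account active
    db.execute("UPDATE users SET active = 0 WHERE name = 'teamspeak'")  # admin deactivates
    weak = session_only_check(db, token)     # still resolves to user 1
    strong = per_request_check(db, token)    # None on the very next request
    return before, weak, strong, session_only_check(db, token)
```

With the join on `active`, deactivation takes effect on the user's next page load without the admin having to touch the session table.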
|
 |
duck

|
Posted:
Tue May 12, 2009 7:58 pm |
|
montego wrote: | Well, what I am thinking is that although we can't really do anything about this "session" (in quotes so not confused with true session handling), but, since mainfile.php is pretty much loaded up almost with every site request, and I believe the user's info is being pulled from the DB, maybe we do need to add a quick check to make sure an admin hasn't just deactivated them.
This request still has merit IMO, but I say this without a review of code to know for sure. |
I am not sure I am following what you mean here? I mean if a person is idly logged in then the calls were already done so nothing's happening. If the Admin then deactivates the user and they refresh or otherwise visit a page mainfile.php then runs the checks again. No? Again I haven't looked at the files to double check myself but isn't the cookie compared with the db upon mainfile load to validate the user? And I can only assume that any function that accepts user input will check before saving the user has rights to do so? |
|
|
|
 |
dad7732

|
Posted:
Tue May 12, 2009 8:28 pm |
|
Not sure, haven't tried it, but it may be the same as ending the session which blinks the screen and you're back at a login screen. |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Wed May 13, 2009 1:13 am |
|
I still maintain a spamlist for my old Spam Blocker module if it is of any use.
http://www.code-authors.com/update.php
Of course you would need to parse it to be able to use the data as I withdrew Spam Stopper as no one could be bothered to click one button to send me any 'catches' they made on their own sites to keep the data current. |
|
|
|
 |
dad7732

|
Posted:
Wed May 13, 2009 6:37 am |
|
Ok, here is something interesting and of concern. I had a spamlinker with the username "teamspeak" that registered, was "approved", posted a spamlink and was "removed" via RNYA.
This, in my server log this morning:
Quote: | sshd[14693]: Failed password for invalid user teamspeak from 121.52.217.160 port 35301 ssh2 |
Attempted breakin. The IP is the same as the spamlinker. My concern has been taken to a new level now.
I might add that this wasn't the only line in the log from this IP. The rest was typical dictionary attack.
Cheers |
Last edited by dad7732 on Wed May 13, 2009 6:41 am; edited 1 time in total |
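Added example, not part of any post in this thread: one way to automate the correlation described above, matching failed sshd logins against the IPs that forum accounts registered from. Only the first log line comes from the post; the other log lines, the forum records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
sshd[14693]: Failed password for invalid user teamspeak from 121.52.217.160 port 35301 ssh2
sshd[14695]: Failed password for invalid user admin from 121.52.217.160 port 35344 ssh2
sshd[14699]: Failed password for root from 121.52.217.160 port 35390 ssh2
sshd[14702]: Failed password for invalid user test from 192.0.2.44 port 40112 ssh2
sshd[14710]: Accepted publickey for ops from 198.51.100.7 port 50022 ssh2
"""

# Constructed forum records: (username, registration IP, status).
FORUM_ACCOUNTS = [
    ("teamspeak", "121.52.217.160", "removed"),
    ("jimsmith", "198.51.100.7", "active"),
]

def failed_logins(log_text):
    """Yield (ip, user, was_invalid_user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m["ip"], m["user"], bool(m["invalid"])

def correlate(log_text, accounts):
    """Summarise failed SSH logins per forum registration IP that appears in the log."""
    tried = defaultdict(list)
    for ip, user, _invalid in failed_logins(log_text):
        tried[ip].append(user)
    report = {}
    for name, ip, status in accounts:
        if ip in tried:
            report[ip] = {
                "forum_user": name,
                "forum_status": status,
                "ssh_attempts": len(tried[ip]),
                "ssh_users": sorted(set(tried[ip])),
                # The forum name reused as an SSH login name, as in the post
                "forum_name_tried": name in tried[ip],
            }
    return report
```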
|
|
 |
duck

|
Posted:
Wed May 13, 2009 6:40 am |
|
That's not a concern. They tried to login but you removed account so they can't. Means they have to reregister. It is good news means it's working. |
|
|
|
 |
montego

|
Posted:
Wed May 13, 2009 6:41 am |
|
dad7732, how did you "remove" them? Was it "Suspend" or "Deactivate"? |
|
|
|
 |
dad7732

|
Posted:
Wed May 13, 2009 6:48 am |
|
RNYA - deactivate and then removed.
"duck", right, not of concern as the server is quite well protected. I get these attempts every day from at least a dozen IP's. It's just "of concern" that they are taking different tacks to "get in" that raises a little flag.
When a user attempts to register and I get the email for approval, I always check the IP for location as well as for being on any BlackLists.
I let in one of those "joe@verizon" types and sure enough, a spamlinker. Getting to the point of just WHO and who isn't now ... bummer. |
|
|
|
 |
dad7732

|
Posted:
Wed May 13, 2009 7:15 am |
|
May be a good idea to cease the intimidation factor and just begin denying any user listed on the Black Lists that are listed for anything other than a dynamic IP which is "usually" not the user's fault or problem. Verizon for example has never taken steps to tackle the dynamic IP's being blacklisted. COX eliminated this anomaly years ago. So did BellSouth IIRC.
Cheers |
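Added example, not part of any post in this thread: a sketch of the screening rule proposed above, which denies a registration IP that a DNS blacklist lists for anything other than being in dynamic address space. The thread names no particular list, so the zone and its dynamic-range return codes (Spamhaus ZEN, where 127.0.0.10 and 127.0.0.11 are the PBL codes) are an assumption, as are the function names and the constructed offline answers.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumption: the thread names no particular list
# Return codes this zone uses for end-user/dynamic address space (PBL).
DYNAMIC_CODES = {"127.0.0.10", "127.0.0.11"}

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or an empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def screen(ip, resolve=system_resolver):
    """Return (decision, codes) for a registration request from ip."""
    codes = resolve(dnsbl_name(ip))
    # Only 127.0.0.x answers count as listings here; anything else is ignored
    listings = {c for c in codes if c.startswith("127.0.0.")}
    if not listings:
        return "review", []                 # not listed: normal admin approval
    if listings <= DYNAMIC_CODES:
        return "review", sorted(listings)   # dynamic-range listing only
    return "deny", sorted(listings)         # listed for something else

# Constructed answers so the example runs offline (documentation-range IPs).
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": {"127.0.0.10"},
    "20.2.0.192.zen.spamhaus.org": {"127.0.0.4", "127.0.0.11"},
    "30.2.0.192.zen.spamhaus.org": set(),
}

def fake_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return FAKE_ANSWERS.get(name, set())
```

Calling `screen(ip)` without a resolver argument performs a live DNS query; pass `fake_resolver` to run it against the constructed answers.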
|
|
|
 |
|