Spam

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: Spam

Post by Syntac »

Well, it isn't fatal, but it sure isn't in the top ten list of best-coded applications.

I imagine there's an ACP option to change the CAPTCHA difficulty?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Spam

Post by alex.barylski »

It's not that bad... Nothing xdebug and grep won't overcome.
There ya go Mods...you have yourself a volunteer... :P
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Spam

Post by volomike »

Y'all don't get what I'm saying. No -- no JavaScript. Nada. It's all on the server. Are you kidding me?

We generate a 20-digit random ID. We make an md5 of it. We use setcookie() to write that md5 value when the form loads. The other number? Yeah, it goes in a session object cached in shared memory, and I mean session session, not persistent session. On the form receipt page where the $_POST is read, we read the cookie with $_COOKIE. We then grab our session value again from $_SESSION. We run an md5 on that value. If the cookie value and the md5'd $_SESSION['23adsfwe'] value do not match up, the user gets a header of 500 and a die(). I wouldn't care what they typed into the message field of posting.php -- if I don't get the proper cookie alignment, there's nothing but a 500 and a die().

Okay, let's say I'm going to hack that with curl or various tools. It's almost impossible. The only weakness it has is that I could run down a list of all the permutations of a 20-digit number, run an MD5 hash on it, and repeat an attack on a submit form for a registered user's forum post until I finally, by luck, strike a breakthrough. But even then, look at what you have to do for that. You have an error log filling up with 500 events. You have sessions that have unique numbers each time you come to that posting.php form in phpBB. At most you might be able to squeeze out, after several hundred thousand attempts, just one forum post. And try to post forum messages too fast -- phpBB blocks that automatically.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Spam

Post by josh »

volomike wrote:We generate a 20 digit random ID. We make an md5 of it. We use setcookie() to write that md5 value when the form loads. The other number? Yeah, it goes in a session object cached in shared memory,...
Okay, let's say I'm going to hack that with curl or various tools. It's almost impossible.
OK, when you call setcookie() with the md5 hash, what if my program stores that hash in a variable and just submits it with the next request, along with the session id, which is also given to me for the cookie? When I make the subsequent request the hash and session will match up. There is no mechanism that differentiates my scripted browser from a real user. The real user's browser is just setting the value in a text file and including it with the next request; that's all a scripted browser would do. To help you realize this, consider if I wrote a macro that used Firefox or IE, and actually clicked my cursor and simulated keystrokes. Your trick wouldn't catch that, just like it wouldn't catch someone using cURL.
volomike wrote: At most you might be able to squeeze out, after several hundred thousand attempts, just one forum post. And try to post forum messages too fast -- phpBB blocks that automatically.
From what I can derive, the spammers are manually registering one-off accounts and then disguising their messages as calls for help. For instance, one spammer recently asked if anyone had experience with a proprietary solution; the mods were able to tell this was a spam attempt. Could a statistical / AI based spam filter stop this? Maybe, but most likely not. Setting cookies definitely won't, though, since apparently they've already mastered setting and retrieving cookies, since they are able to log in and post.

And I'd be willing to consider helping write the plugin, in the unlikely event one doesn't already exist.
Syntac wrote:I imagine there's an ACP option to change the CAPTCHA difficulty?
Given the intelligence of the messages themselves, I'm going to wager we have a human, not a bot. A bot wouldn't be clever enough to post the message I just alluded to, in the testing forum nonetheless, disguised as a question. Any potential bot would have to be aimed towards more than just these forums. I don't see anyone taking the effort to write a bot to just spam us.
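Here is the cookie/session check volomike describes, together with the scripted client josh describes, written out as a small model so the two cases can be compared side by side. This is an added example, not phpBB code and not code from either poster. PHP's setcookie() / $_COOKIE / $_SESSION are modelled with plain Python dicts, the session slot name '23adsfwe' is the one quoted in the thread, and the cookie name 'formtok' and the class/function names are assumptions made up for the example.

```python
"""Model of the md5 cookie-vs-session check from the thread, and of the
scripted client that walks through it.

Added example, not phpBB code. PHP's setcookie()/$_COOKIE/$_SESSION are
modelled with dicts; the cookie name "formtok" is an assumption, the
session slot "23adsfwe" is the one quoted in the thread.
"""
import hashlib
import secrets

COOKIE_NAME = "formtok"      # assumed cookie name
SESSION_SLOT = "23adsfwe"    # session key quoted in the thread


def token_digest(token: str) -> str:
    """md5 of the random id, which is what the cookie carries."""
    return hashlib.md5(token.encode()).hexdigest()


class Server:
    """posting.php reduced to its GET (render form) and POST (receive) halves."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}   # in-memory, non-persistent sessions
        self.error_log: list[str] = []

    def render_form(self, sid: str) -> dict[str, str]:
        """GET: make a 20-digit random id, keep it in the session, hand out its md5 as a cookie."""
        token = "".join(secrets.choice("0123456789") for _ in range(20))
        self.sessions.setdefault(sid, {})[SESSION_SLOT] = token
        return {COOKIE_NAME: token_digest(token)}   # what setcookie() would send

    def receive_post(self, sid: str, cookies: dict[str, str], form: dict[str, str]):
        """POST: md5 the session value and compare with the cookie; 500 + die() on mismatch."""
        stored = self.sessions.get(sid, {}).get(SESSION_SLOT)
        if stored is None or cookies.get(COOKIE_NAME) != token_digest(stored):
            self.error_log.append("500 cookie/session mismatch sid=%s" % sid)
            return 500, None
        return 200, form.get("message")


class ScriptedClient:
    """What curl or a browser macro does: keep the cookies it is given, send them next time."""

    def __init__(self, sid: str) -> None:
        self.sid = sid                    # session id, which the server hands to the client too
        self.jar: dict[str, str] = {}

    def load_form(self, server: Server) -> None:
        self.jar.update(server.render_form(self.sid))

    def submit(self, server: Server, message: str):
        return server.receive_post(self.sid, dict(self.jar), {"message": message})


def direct_hit_status() -> int:
    """A tool that posts to posting.php without loading the form first: blocked."""
    server = Server()
    status, _ = server.receive_post("bot-session", {}, {"message": "spam"})
    return status


def guessed_cookie_status() -> int:
    """A tool that loads the form but then sends the md5 of a guessed id: blocked."""
    server = Server()
    client = ScriptedClient("bot-session")
    client.load_form(server)
    client.jar[COOKIE_NAME] = token_digest("not-the-real-token")   # constructed wrong guess
    status, _ = client.submit(server, "spam")
    return status


def scripted_walkthrough_status() -> int:
    """A tool that loads the form and replays the cookie it was given: accepted."""
    server = Server()
    client = ScriptedClient("bot-session")
    client.load_form(server)
    status, _ = client.submit(server, "spam")
    return status


if __name__ == "__main__":
    print("direct hit:", direct_hit_status())
    print("guessed cookie:", guessed_cookie_status())
    print("scripted browser:", scripted_walkthrough_status())
```

The first two cases are the ones volomike has in mind (a tool aimed straight at posting.php, or one guessing the id), and both end in a 500. The third is josh's case: the client simply keeps the cookie the form page gave it, so the server sees exactly what a real browser would send and accepts the post.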
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Spam

Post by volomike »

Yeah, jshpro2, after some thought, I think you're right. The curl routine would receive an accurate cookie, the cookies would line up. Dumb idea unless one is going right after posting.php without first traversing its calling page, which was where I was thinking about for this thing. You see, I was thinking it would target posting.php directly, and in that case, my routine that I mention with the md5 would break it for sure.

So, yeah, it looks like a captcha is necessary. But a captcha for every forum post for an already registered and validated user? Wow -- not only is that an extra load on a taxed server, it's an extra load on the end user.

I suppose you could target users. So, for the first couple of months, or 20 posts, whichever comes later, every new user gets the captcha. After that, the captcha is no longer there.

And then yeah, if you rename 'message' in posting.php to 'idmsg' or something, and change the $_POST logic on the receiving end, you could defeat any tool the hacker may have gotten. Or, you could rename posting.php and then grep all the links connecting to it and change those -- but the dumb geniuses who made phpBB cached part of the files in the database, so you'd have to export the database one night and then do a search and replace on 'posting.php' with this new file name, and then re-import the database again and cross your fingers that it worked. I mean, I'd bet that 50% of what's going on with this spam stuff is through pre-made tools meant to target forums left in their defaults. Those who change those defaults will probably thwart much of the attacks.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Spam

Post by VladSun »

What some spammers do:
1. They had a site with a huge collection of "free" downloads (that is, a relatively big number of users per minute).
2. Every download link is "protected" by a CAPTCHA image

Now... guess where the CAPTCHA image is "stolen" from and what they use the user input for? ;)
There are 10 types of people in this world, those who understand binary and those who don't
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Spam

Post by josh »

Or the spammer just types the CAPTCHAs; they're often getting paid anyway. But yeah, I've seen the "download" sites. @volomike yeah, didn't consider they could just hit the pages in sequence, hah ;-)

Even with a Bayes classifier plugin / service they're going to get past the filter. This is what only an OpenID system would truly solve, in theory.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Spam

Post by matthijs »

Can you imagine, in a year or so from now, the spammers are getting so far that they will be disguised as respectable forum members, being able to post hundreds of posts and be involved in countless threads, before they start to slowly drop in their spam links. Indistinguishable from real members. At some point, we will not know whether we're talking to humans or machines. Or something in between.

Maybe some of you are already one of "the others", without me knowing it 8O
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Spam

Post by VladSun »

matthijs wrote:Maybe some of you are already one of "the others", without me knowing it 8O
Buy me! :P
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Spam

Post by alex.barylski »

Buy me!
I always wanted a human pet...

$5000 and thats my final offer. :P
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Spam

Post by josh »

Damn, you got ripped off; last week he was offering to pay us to adopt him and no one took him up ;-) just kidding man