Spam
Moderator: General Moderators
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Spam
There ya go Mods...you have yourself a volunteer...It's not that bad... Nothing xdebug and grep won't overcome.
- volomike
- Forum Regular
- Posts: 633
- Joined: Wed Jan 16, 2008 9:04 am
- Location: Myrtle Beach, South Carolina, USA
Re: Spam
Y'all don't get what I'm saying. No -- no Javascript. Nada. It's all on the server. Are you kidding me?
We generate a 20 digit random ID. We make an md5 of it. We use setcookie() to write that md5 value when the form loads. The other number? Yeah, it goes in a session object cached in shared memory, and I mean session session, not persistent session. On the form receipt page where the $_POST is read, we read the cookie with $_COOKIE. We then grab our session value again from $_SESSION. We run an md5 on that value. If the cookie value and the md5'd $_SESSION['23adsfwe'] value do not match up, the user gets a header of 500 and a die(). I wouldn't care what they typed into the message field of posting.php -- if I don't get the proper cookie alignment, there's nothing but a 500 and a die().
Okay, let's say I'm going to hack that with curl or various tools. It's almost impossible. The only weakness it has is that I could run down a list of all the permutations of a 20 digit number, run an MD5 hash on it, and repeat an attack on a submit form for a registered user's forum post until I finally, by luck, strike a breakthrough. But even then, look at what you have to do that. You have an error log filling up with 500 events. You have sessions that have unique numbers each time you come to that posting.php form in phpBB. At most you might be able to squeeze out, after several hundred thousand attempts, just one forum post. And try to post forum messages too fast -- phpBB blocks that automatically.
Re: Spam
volomike wrote:
We generate a 20 digit random ID. We make an md5 of it. We use setcookie() to write that md5 value when the form loads. The other number? Yeah, it goes in a session object cached in shared memory,...
Okay, let's say I'm going to hack that with curl or various tools. It's almost impossible.
Ok, when you call setcookie() with the md5 hash, what if my program stores that hash in a variable and just submits it with the next request, along with the session id, which is also given to me for the cookie? When I make the subsequent request the hash and session will match up. There is no mechanism that differentiates my scripted browser from a real user. The real user's browser is just setting the value in a text file and including it with the next request; that's all a scripted browser would do. To help you realize this, consider if I wrote a macro that used Firefox or IE, and actually clicked my cursor and simulated keystrokes. Your trick wouldn't catch that, just like it wouldn't catch someone using cURL.
volomike wrote:
At most you might be able to squeeze out, after several hundred thousand attempts, just one forum post. And try to post forum messages too fast -- phpBB blocks that automatically.
From what I can derive, the spammers are manually registering one-off accounts and then disguising their messages as calls for help; for instance, one spammer recently asked if anyone had experience with a proprietary solution, and the mods were able to tell this was a spam attempt. Could a statistical / AI based spam filter stop this? Maybe, but most likely not. Setting cookies definitely won't though, since apparently they've already mastered setting and retrieving cookies, since they are able to log in and post.
And I'd be willing to consider helping write the plugin, in the unlikely event one doesn't already exist.
Syntac wrote:
I imagine there's an ACP option to change the CAPTCHA difficulty?
Given the intelligence of the messages themselves, I'm going to wager we have a human, not a bot. A bot wouldn't be clever enough to post the message I just alluded to, in the testing forum nonetheless, disguised as a question. Any potential bot would have to be aimed towards more than just these forums. I don't see anyone taking the effort to write a bot to just spam us.
- volomike
- Forum Regular
- Posts: 633
- Joined: Wed Jan 16, 2008 9:04 am
- Location: Myrtle Beach, South Carolina, USA
Re: Spam
Yeah, jshpro2, after some thought, I think you're right. The curl routine would receive an accurate cookie, the cookies would line up. Dumb idea unless one is going right after posting.php without first traversing its calling page, which was where I was thinking about for this thing. You see, I was thinking it would target posting.php directly, and in that case, my routine that I mention with the md5 would break it for sure.
So, yeah, it looks like a captcha is necessary. But a captcha for every forum post for an already registered and validated user? Wow -- not only is that an extra load on a taxed server, it's an extra load on the end user.
I suppose you could target users. So, for the first couple months, or 20 posts, whichever comes later, every new user gets the captcha. After that, the captcha is no longer there.
And then yeah, if you rename 'message' in posting.php to 'idmsg' or something, and change the $_POST logic on the receiving end, you could defeat any tool the hacker may have gotten. Or, you could rename posting.php and then grep all the links connecting to it and change those -- but the dumb geniuses who made phpBB cached part of the files in the database, so you'd have to export the database one night and then do a search and replace on 'posting.php' with this new file name, and then re-import the database again and cross your fingers that it worked. I mean, I'd bet that 50% of what's going on with this spam stuff is through pre-made tools meant to target forums left in their defaults. Those who change those defaults will probably thwart much of the attacks.
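The cookie/session token check volomike describes in his earlier post, together with the "captcha until the new user has both aged and posted enough" rule from his reply above, written out as an added PHP 7+ example (not volomike's code and not phpBB's). The session key, cookie name, function names and the 60-day/20-post thresholds are assumptions; as jshpro2 points out, a client that loads the form first holds the matching cookie, so the token only rejects requests that hit posting.php directly.

```php
<?php
// Added example (not volomike's or phpBB's code): the cookie/session token
// check from the thread plus the new-user captcha gating rule.
// Session key, cookie name, function names and thresholds are assumptions.
const TOKEN_SESSION_KEY = 'post_token';  // assumed; the post used '23adsfwe'
const TOKEN_COOKIE_NAME = 'pt';
const CAPTCHA_MIN_AGE   = 60 * 86400;    // "first couple months", assumed 60 days
const CAPTCHA_MIN_POSTS = 20;

// Form render: fresh 20-digit random id in the session, its md5 in a cookie.
// A new id per form load is what makes replaying an old cookie fail.
function token_issue(): void
{
    $id = '';
    for ($i = 0; $i < 20; $i++) {
        $id .= random_int(0, 9);          // CSPRNG, not rand()
    }
    $_SESSION[TOKEN_SESSION_KEY] = $id;
    setcookie(TOKEN_COOKIE_NAME, md5($id), 0, '/', '', false, true);
}

// Form receipt: true only when the cookie equals md5(session value).
function token_valid(array $cookie, array $session): bool
{
    if (!isset($cookie[TOKEN_COOKIE_NAME], $session[TOKEN_SESSION_KEY])) {
        return false;
    }
    return hash_equals(md5($session[TOKEN_SESSION_KEY]), (string) $cookie[TOKEN_COOKIE_NAME]);
}

// As in the post: a mismatch gets a 500 and die() before $_POST is read.
// Caveat from the thread: any client that loaded the form first, scripted
// or not, holds the matching cookie, so this only stops direct posting.php hits.
function token_enforce(): void
{
    if (!token_valid($_COOKIE, $_SESSION)) {
        http_response_code(500);
        die();
    }
}

// "First couple months or 20 posts, whichever comes later": the captcha
// stays until BOTH thresholds are met.
function needs_captcha(int $joined_ts, int $post_count, int $now): bool
{
    $old_enough    = ($now - $joined_ts) >= CAPTCHA_MIN_AGE;
    $posted_enough = $post_count >= CAPTCHA_MIN_POSTS;
    return !($old_enough && $posted_enough);
}
```

Call token_issue() after session_start() where the posting form is rendered, token_enforce() at the top of the receipt handler, and needs_captcha() to decide whether to render and verify the captcha for the current user.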
Re: Spam
What some spammers do:
1. They had a site with a huge collection of "free" downloads (that is, a relatively big number of users per minute).
2. Every download link is "protected" by a CAPTCHA image
Now... guess where the CAPTCHA image is "stolen" from and what they use the user input for?
There are 10 types of people in this world, those who understand binary and those who don't
Re: Spam
Or the spammer just types the captchas, they're often getting paid anyways but yeah I've seen the "download" sites. @volomike yeah didn't consider they could just hit the pages in sequence, hah 
Even with a bayes classifier plugin / service they're going to get past the filter, this is what only an open ID system would truly solve, in theory
Re: Spam
Can you imagine, in a year or so from now, the spammers are getting so far that they will be disguised as respectable forum members, being able to post hundreds of posts and be involved in countless threads, before they start to slowly drop in their spam links. Indistinguishable from real members. At some point, we will not know whether we're talking to humans or machines. Or something in between.
Maybe some of you are already one of "the others", without me knowing it
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Spam
I always wanted a human pet...Buy me!
$5000 and thats my final offer.