Sigg3
Joined: 03 Jul 2003 Posts: 643 Location: Oslo, Norway
Posted: Tue Sep 14, 2004 12:54 pm Post subject: Comment SPAM
How do the SPAM bots hijacking b2 comments work?
I think it is essential to know this before trying to get rid of the problem.
Today I've received 1-3 SPAM comments (using b2commentspopup.php) every hour. It's too much even if I had been using WP's comment query.
So I'm looking for a working solution, and I need all the help I can get.
I first thought the problem could be related to b2commentspopup.php
The Submit button's default tag is:
Code: |
<input type="submit" name="submit" class="buttonarea" value="ok" tabindex="5" />
|
If the SPAM bots are "climbing" an unparsed (bots can't parse, can they?) php file "chronologically", it may be possible to fool it using a second submit button.
If, in b2comments.post.php a 'spam-safe' variable was added, one could have two buttons:
Code: |
<input type="submit" name="submit" style="display: none" value="ok" tabindex="5" />
<input type="spam-safe" name="submit" class="buttonarea" value="ok" tabindex="5" />
|
In other words a "dummy-button" that would, by some nifty coding, just lead to a blank.html where bots had no chmod privileges.
But is this possible when the form method is set to method="post"?
I doubt so. (Btw, what is tabindex?)
I also thought about having an un-checked box saying "Check for approval [SPAM SAFE]" which the b2comments.post.php would have to check with before either storing the message or showing an error.
Or even have a password field, which referred to a small image file below the form, 'cause bots can't read images.
Any ideas?
I've looked at some of the WP hacks on this, but they are too dependent on the WP system. I don't want to upgrade to WP now that my b2 has been tweaked to suit my needs, but I also can't be expected to delete SPAM all day :p If it was possible to make a b2 hack out of the WP system, it'd be cool.
Thanks for any input and help!
_________________
Sigg3 dot net - because you're worth it! | b2 Cafelog Resource Center
Sigg3
Joined: 03 Jul 2003 Posts: 643 Location: Oslo, Norway
Posted: Tue Sep 14, 2004 1:35 pm
For those of you with a little knowledge in b2 and php, does this make any sense?
(and more important: do you think it would help solving the SPAM issues?)
In this list in the b2comments.post.php file:
Code: |
$author = trim($HTTP_POST_VARS["author"]);
$email = trim($HTTP_POST_VARS["email"]);
$url = trim($HTTP_POST_VARS["url"]);
$comment = trim($HTTP_POST_VARS["comment"]);
$original_comment = $comment;
$comment_autobr = $HTTP_POST_VARS["comment_autobr"];
$comment_post_ID = $HTTP_POST_VARS["comment_post_ID"];
|
I thought about adding a new value, for instance $spam_verif (what should be after a following '=' then?)
Around line 200 in b2config.php, I thought about adding:
Code: |
# set this to 1 to require that the box named spam verification needs to be checked manually
$require_spam_verif = 1;
|
Before the end of b2commentspopup.php (I use pop-up), I'd add the line in the middle:
Code: |
<p class="commentfield">
<input type="checkbox" name="comment_autobr" value="1" <?php if ($autobr)
echo " checked=\"checked\"" ?> tabindex="6" /> Auto-BR (line-breaks become <br> tags)<br />
<input type="checkbox" name="spam_verif" value="1" /> Check for SPAM filtering (required) <br />
<input type="submit" name="submit" class="buttonarea" value="ok" tabindex="5" />
</p>
|
and finally change the following in lines 38-40
Code: |
// an unchecked box is not sent at all, so $spam_verif is empty unless the box was ticked
if ($require_name_email && ($email == "" || $email == "@" || $author == "" || $author == "name" || $spam_verif != "1")) { //original fix by Dodo, and then Drinyth
echo "Error: please fill the required fields (name, email, spam verification)";
exit;
}
|
.. and I'm still wondering whether tabindex has any relevance. It seems to, but what is it? I haven't encountered it before in html forms.
_________________
Sigg3 dot net - because you're worth it! | b2 Cafelog Resource Center
shellorz Guest
Posted: Tue Sep 14, 2004 9:27 pm
I don't think bots use buttons. They rather use the php files used to post with convenient parameters (depending on the method used (GET or POST - b2comments.post.php and POST parameters in our case)).
I think a better way to stop this might be to change the b2commentspost.php file to an unusual file name (changing it in the code as well).
As for changing the type of the input button, the types of INPUT tags are reserved words and you can't invent one.
Tabindex is the order the fields/buttons are passed from one to another with the tab key. So no relevance here.
And I don't think your check box would stop bots, although it was a good idea.
The POST values passed are:
comment id (hidden)
redirect_to (hidden)
author
email
url
comment
comment_autoBR
It's easy for a bot to launch http://yoursite.com/yourblog/b2commentspost.php with a POST including the parameters above.
So changing the names of the parameters or the name of the file might come off as a solution.
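Added example, not code from this thread or from b2 itself: what the server-side check in b2comments.post.php has to look like if, as shellorz describes, the bot skips the form and POSTs straight to the handler. The required checkbox from the earlier post on its own is not enough, because a direct POST just includes that field too; what does help is something the request can only carry if the real form was fetched first, such as a keyed token bound to the post ID that expires. The field names spam_verif and comment_token, the COMMENT_SECRET constant, the TTL and the helper names are assumptions; hash_hmac needs PHP 5.1.2 and hash_equals PHP 5.6, both newer than the PHP 4 that b2 ran on.

```php
<?php
// Added example, not part of b2. Assumptions: a site secret stored outside
// the web root (here a constant you would define in b2config.php), and the
// field names spam_verif / comment_token, which b2 does not define itself.
define('COMMENT_SECRET', 'replace-with-a-long-random-value'); // assumption
define('COMMENT_TOKEN_TTL', 3600); // seconds a rendered form stays submittable

// Called where the comment form is rendered (b2commentspopup.php): emits a
// hidden field whose value is bound to this post ID and the time of issue.
function comment_token_field($post_id) {
    $issued = time();
    $mac = hash_hmac('sha256', $post_id . '|' . $issued, COMMENT_SECRET);
    $token = $issued . '.' . $mac;
    return '<input type="hidden" name="comment_token" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

// Called at the top of b2comments.post.php before anything is stored.
// Returns an error message, or '' when the submission carries a token that
// only the rendered form could have contained.
function comment_spam_check(array $post, $now = null) {
    $now = ($now === null) ? time() : $now;

    // A checkbox that is not ticked is absent from the POST entirely, so the
    // test is on presence and value "1", not on equality with "0".
    if (!isset($post['spam_verif']) || $post['spam_verif'] !== '1') {
        return 'Error: please tick the spam verification box';
    }

    if (empty($post['comment_token']) || empty($post['comment_post_ID'])) {
        return 'Error: missing form token';
    }
    $parts = explode('.', $post['comment_token'], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'Error: malformed form token';
    }
    list($issued, $mac) = $parts;
    $issued = (int) $issued;
    if ($issued > $now || $now - $issued > COMMENT_TOKEN_TTL) {
        return 'Error: form token expired, please reload the page';
    }

    // Recompute the MAC over the post ID actually submitted; a token copied
    // from one post's form does not validate for another post.
    $expected = hash_hmac('sha256', $post['comment_post_ID'] . '|' . $issued, COMMENT_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time compare
        return 'Error: invalid form token';
    }
    return '';
}

// Usage in b2comments.post.php, in place of the bare required-fields test:
// $err = comment_spam_check($_POST);
// if ($err !== '') { echo $err; exit; }
```

Rendering comment_token_field($comment_post_ID) inside the form and calling comment_spam_check($_POST) at the start of the handler turns the "rename the parameter or the file" idea into a rotating secret instead of a fixed one: a renamed field or filename is visible to anyone who reads the page source and then stays valid forever, while a token signed with a secret kept outside the web root cannot be produced without that secret and stops being accepted after an hour.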
Sigg3
Joined: 03 Jul 2003 Posts: 643 Location: Oslo, Norway
Posted: Wed Sep 15, 2004 10:13 am
Thanks a lot :)
I was just wondering; if I change the name of the parameters, which seems to be the most sensible solution, what files do I need to edit (and how)?
Like in b2functions.php lines 505-512:
Code: |
$myrow['comment_ID']=$rowc->comment_ID;
$myrow['comment_post_ID']=$rowc->comment_post_ID;
$myrow['comment_author']=$rowc->comment_author;
$myrow['comment_author_email']=$rowc->comment_author_email;
$myrow['comment_author_url']=$rowc->comment_author_url;
$myrow['comment_author_IP']=$rowc->comment_author_IP;
$myrow['comment_date']=$rowc->comment_date;
$myrow['comment_content']=$rowc->comment_content;
|
How do I proceed?
_________________
Sigg3 dot net - because you're worth it! | b2 Cafelog Resource Center
shellorz
Joined: 14 Sep 2004 Posts: 12 Location: France
Posted: Wed Sep 15, 2004 8:35 pm
Really: the most sensible solution is to change the name of the file cuz it doesn't appear that many times. Actually I think it appears only once in b2commentspopup.php and b2comments.php.
So you have to change the name there.
If you wanna stick to the parameter change you have to change them in the forms but also in the form analysis and the saving to the database.
_________________
Make yourself at home but DON'T touch my Porn.
shellorz
Joined: 14 Sep 2004 Posts: 12 Location: France
Posted: Tue Sep 28, 2004 7:07 pm
All for the better, then.
Now I have to do that on my own site (indeed, I have time to analyze and create code but no time to update my site, geez)
_________________
Make yourself at home but DON'T touch my Porn.