WordPress.org

Ready to get started?Download WordPress

Forums

Stop Spammers
Not working to block email domains (21 posts)

  1. jmorrow
    Member
    Posted 1 year ago #

    I've been using this plugin for a month.

    I've had a few people complain that they were blocked from registering which is not a big issue for me.

    However, I have a never ending stream of people from @ eproactolreviews(dot)org that keep registering for my site and submitting content.

    I've added that domain to my blocked email domains and more and more new users from that domain keep registering.

    http://wordpress.org/extend/plugins/stop-spammer-registrations-plugin/

  2. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    I will check the code. The TLD list should work for this. I will see if it is working correctly or if something I did broke it.

    Keith

  3. photoman856
    Member
    Posted 1 year ago #

    I can "me-too" that issues. At http://www.swapyourmama.com we've had a heavy flood of spammers registering and posting bogus ads. It appears they all are using xxx@hotmail.com, so I put hotmail.com on the list.

    While they may be getting blocked, the new user still gets created. I tested this with a bogus hotmail account. Naturally I never got a confirming email, but the user WAS created. It would see that if any entity on your blacklist is found, their user should not even be created.

    The site is using the Classipress theme/addon for ad-creation, but they offer no help in this area. thanks for having SOMETHING to address this.

    =Alan R.

  4. photoman856
    Member
    Posted 1 year ago #

    More input on this: I checked the MySql database and the new users (xxx@hotmail.com) not only get created, but get their default password generated. Dunno they are getting this and can log in again, or if your blocking prevents the email from going out. I have gone in and simple cleared the password column on bogus users - that def keeps them from getting in again! Wonder if you could add that sort of feature?

    =Alan R.

  5. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    photoman856,
    There is a check on email sends that should prevent anyone from getting an email confirmation, even if their registration was not blocked.

    I don't know why registrations are not blocked on some sites. I wrote the Stop Spammer Fix plugin for bbPress that I think fixes some problems with bbPress, but some registration plugins and some themes find alternate ways to register users, so that the plugin can miss them.

    I will google Classipress and see if there is something there that I can do something about.

    Keith

  6. rcain
    Member
    Posted 1 year ago #

    Hi Keith

    Am using V 4.0 (latest) of your plugin with WP 3.4.2 (latest) + BP 1.6.1 (latest).

    Tested (via a proxifier), having added hotmail.com to 'blacklisted email domains' in plugin setup.

    Can confirm:
    - '403 Forbidden' returned from BP registration page upon submit - OK
    - NO confirmation email received at my hotmail.com acct - OK
    - thus (forbidden) user cannot login - OK

    BUT - user id is STILL registerd on wp backend (admin, users).

    Q: is there any way to get your plugin to PREVENT the actual registration itself - we get shed loads of spammers registering and they clutter up the system making it hard to manage. As currently written, your otherwise excellent plugin doesnt really help.

    Any thoughts?

    Best regards

    Rob

  7. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    Try latest beta test. I added another test for registrations and login. I also fixed a bug in the 4.0 version (non fatal).

    One interesting thing is that I am checking more login attempts and I am seeing large numbers of dictionary attacks on the 'admin' user id. I am now getting rid of all my admin user ids. I have a good password, but if I keep admin, someone will figure it out.

    I think WordPress should enforce that user id admin must be changed to something else.

    Keith

  8. rcain
    Member
    Posted 1 year ago #

    Thanks for swift reply Keith,

    Will try the 4.1 beta - though suspect it will still not PREVENT Buddpress/Wordpress registrations themselves.

    Have been digging through latest Buddypresss code and think I have found the hooks you might need to get that working:

    Take a look at:

    file: plugins/buddypress/bp-members/bp-members-screens.php
    function: bp_core_screen_signup

    2/3 ways to acheieve it I think - either:

    1) completely remove and replace add_action( 'bp_screens', 'bp_core_screen_signup' ) with your own registration func based on it
    OR
    2) add_action( 'bp_signup_validate', 'your_func' ) - this is called in the above func JUST before user regisratation details are saved, etc
    OR
    3) bp_core_validate_user_signup() func (in bp-members-functions.php) called from above func near top - also has hooks/filters which could be used - eg: apply_filters( 'bp_core_validate_user_signup', $result ).

    Of these options 2 would be my fave. Just need to return your own (spammer) error message in $bp->signup->errors and bp/wp will do rest.

    This way, the method of spammer (registration) rejection becomes much more logivcal and inline with existing wp/bp user validation process.

    Seems from your code you might need to put some sort of simple switch in/around end of your kpg_sfs_checkfunc - to make sure it plays nice (returns) with wp/bp hook rather than simply dying/redirecting - ubt thats about it i think.

    Was literally about to attempt a patch to your plugin myself, but I think you might be able to achieve it much faster/more reliably.

    Any chance of sometthing like this? Is it sensible suggestion do you think?

    All best

    Rob

  9. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    In the 4.0 version I got rid of all the special actions in comment and login forms. The only one left is the send email hook. This makes the plugin simple and much more stable. It is less likely to misbehave and lock out users. It is also more efficient in the use of resources as it doesn't load up much of itself until actually needed.

    I don't want to start hooking bbpress forms unless there is no other way.

    Instead I use an early hook (in bbpress it is 'bbp_loaded', otherwise 'init') and check the $_POST array for the fields that might be a comment or a login. I was not checking "log", until the 4.1 beta so I was missing the login and registration attempts.

    The current version now sees all of these, but I am concerned that bbPress grabs the POST before my plugin gets to it. I had a complicated set of routines that reordered the plugins and ran the checks even before all other plugins were loaded, but I gave that up as too dangerous.

    bbpress is very aggressive about loading first, I don't know why this should be, but it makes for a complicated environment. My limited tests show that I am getting to the the POST now before bbpress hits it.

    I do not seem to able to attract spammers to my two bbPress installs. They are wide open and allow anonymous posts, so I am not sure what is going on.

    Keith

  10. rcain
    Member
    Posted 1 year ago #

    Thanks for the explanation Keith - your code makes much more sense to me now. I'll give the new 4.1 beta a go and let you know how it fares.

    All best

    Rob

  11. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    My code makes sense???????

    I am a stream of consciousness programmer and I am well aware that my code reads like Finnegan's Wake.

    This plugin grew organically over the years and was not planned or designed, it just got bigger and more complicated.

    Recently I have started an attempt to clean it up.

    I just moved the spam checking to its own include because 99% of the time it is not needed. This breaks out 38k and only loads it on form submission. The core is still 40k.

    Keith

  12. rcain
    Member
    Posted 1 year ago #

    'stream of conciousness programming' - dont think i wamnt to go there - bad enough when i find myself 'dreaming code'. simple clases/objects for me any day. small is beautiful.

    just tested your latest 4.1 beta downloaded from http://www.blogseye.com/beta-test-plugins/ - repeated test above - same problem i'm afraid: (although rejects it now due to cached badip as expected (so that bit works ok)). but user still gets registerd.

    will trace through & see what i can determine.

    Rob

  13. rcain
    Member
    Posted 1 year ago #

    FIXED!

    after tracing through plugin + buddypress signup the problem was actually quite simple - plugin was NOT recognising the form fields used by my (buddypress) signup form.

    Solution is:

    file: stop-spammer-registrations.php
    function: kpg_load_all_checks
    lines: around 56 - add following lines:

    !array_key_exists('signup_email',$_POST) &&
    		!array_key_exists('signup_username',$_POST) &&

    lines: around 99 - add following lines:

    } else if (array_key_exists('signup_username',$_POST)) {
    		$author=$_POST['signup_username'];

    complete new file (based on V4.1 beta - though would be similar fix for earlier versions), is here:

    http://pastebin.com/pZH9jx1M

    - see my mod marks 'mod jrc 171112'

    (not sure is the 'signup_username' is really required but i added it for completeness/consistency anyway.

    All now seems to work fine - proper checks are performed on all new buddypress registrations AND anyone failing those checks does NOT get registerd. HURRAH!

    Thanks for a great plugin Keith. Happy days! :)

    Rob

  14. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks Rob,

    I knew about that one, but somehow it did not make it into the code. I think this is the final fix needed for bbPress. Registrations, signups and logins are now filling the log.

    I am amazed at the dictionary attacks on all of my blogs that are now showing up. The plugin is blocking hundreds per hour. I am bumping up the delay time in the deny section to 10 seconds to slow them a bit.

    Everyone! Your blog is under assault - change you login and get rid of the admin user. Change your password to mixed upper and lower case and be sure to throw in a few numbers and some punctuation.

    Keith

  15. rcain
    Member
    Posted 1 year ago #

    Hi Keith,

    No worries, pleased to help.

    It would be good to have it confirmed whether this also fixes the original problem of jmorrow and photoman856 above also.

    Re: 'Dictionary Attacks' - I know what you mean - our BP sites (also WP, in fact our servers generally) are constantly under attack, have been for a long time. (the numbers can get so high in fact that they consttitute as DOS attack in their own right, slowing performance).

    Its one of the reasons why I think your plugin is so CRITICAL.

    I installed Fail2Ban on our servers a few years ago to help combat SSH, FTP and Mail attacks and it does reduce those numbers greatly - though not altogether. Have been wondering about trying to extend it's config to cover WP/BP attacks also - since it is pretty efficient.

    I am assuming your attackers are mostly using bots/rootkit probes and rotating proxy IP's?

    I am loath to suggest adding an (anti-robot) capture field on ALL WP/BP forms, but it might have to be the next move.

    I have also found it necessary to ban all hotmail, gmail, aol, yahoo email addresses also - (as well as the usual .ru and .cn, etc) since these are INVARIABLY (in fact almost exclusively) used by hackers. Luckily our main sites are for professional users only who should have their own legitimate company email domains (we make manual exceptions for VIP's who insist on using gmail). I realise such a blanket ban is not suitable for other sites aimed at general public.

    We have also made it MANDATORY for registrants to fill in additional extended profile fields INCLUDING a special one asking for 'Reasons why you would like to become a member of this site?' - which we inspect manually and ONLY if its well written do the users get activated by admin. (Though this doesnt catch all since many SEO blackhat operators employ real humans in Philipines, elsewhere, to mass-register - but it does help at the cost of extra admin)

    (Long term i think we need better legal enforcement internationally and stiff sentences for script kiddies/hackers - but i dont see that happenning anytime soon - unless you are the US DOD or Mossad).

    Couple of suggestions to improve your plugin perhaps:

    1) the 'time-out' parameter(s) - could you make these settable via admin options?
    2) additional filters or actions to make it possible to add EXTRA fields for validation - this would help future plugin developers utilise your plugin functionality without having to mod the code its self.
    3) space for bigger list of blacklisted IP addresses supported - separated from email addresses - including support for wildcards/ip adress ranges - (i have noticed that bot proxies often eventually start to rotate their lists, (within limited time frames), so gives you a fighting chance so long as you keep on top of it).

    Anyway, sorry about slight thread-drift - maybe we need a new thread for this subject.

    All best

    Rob

  16. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    Great ideas. I will put in the time-out parameter in the next few days, since that is easy. I am also going to make the sleep parameter an option. I notice that it does slow the spammers down when they have to wait before they can try the next password.

    The extra fields for logins or comments should be a separate plugin. It is a useful idea in its own right, and is not necessarily a stop spam thing. I think there must be a dozen or so plugins already that do this.

    I try to keep the bad ip list short because it is loaded every time you check and could possibly cause resource issues. I will make the size a separate option. I regret even including emails in the checks because the spammers rotate them and IP is a much better way of identifying the culprits.

  17. MickeyRoush
    Member
    Posted 1 year ago #

    Keith, thanks for all your work on this plugin. It seems like it can be very useful on community sites. But if you're really interested, you may want to check out ZBBlock. It may provide you with some useful ideas.

    http://www.spambotsecurity.com/zbblock.php

    Also if you're interested in speedy up things using preg_match or just any PCRE, I could provide you with the most efficient regex.

  18. rcain
    Member
    Posted 1 year ago #

    Great stuff. Thanks.

    re: 'timeout' I actually meant to say 'sleep' parameter - as you say.
    re: 'extra fields' maybe some confusion - i didnt mean to suggest adding extra fields, but instead, a filter ie: in function kpg_load_all_check, around line 50-70 rearrange slightly to read eg: ::

    ...
    $is_a_supported_field = ( array_key_exists('akismet_comment_nonce',$_POST) || array_key_exists('bbp_anonymous_email',$_POST) ||
    ... etc );
    
    $is_a_supported_field = apply_filters('ssr_supported_field', $is_a_supported_field, $_POST);
    
    if (!$is_a_supported_field) {
     $_SESSION['kpg_stop_spammers_time']=time();
     return;
    }
    ...

    - plus, similar constructs to set $em and $author variables just after that.

    this way, if someone writes a plugin to say 'upload_my_cv' - then they can easily add full SSP support for any extra forms they use via a simple invocation of:

    add_filter('ssr_supported_field', 'my_new_ssr_support_func', 1, 2);
    function my_new_ssr_support_func($val, $post_arr) {
     return( $val || array_key_exists('my_new_post_field_name',$post_arr));
    }

    ( + similar filter calls for: 'ssr_set_em' and 'ssr_set_author' )

    - and same can be achieved by theme writers by adding same to functions.php

    (in fact dont even need to pass $_POST to the filters since its available globally anyway).

    i think this will ultimatelyy reduce downstream maintenance effort associated with your plugin.

    make sense?

    re: checks on email addresses (vis a vis just ip's) - please do KEEP the email checks as well - though separate options field would be helpful - since we do get some persistent ones - and in fact people rotate/change ip addresses via proxies just as much as they rotate email addresses - in my experience anyway.

    re: overhead of big ip list - yep, agreed. but, so long as its only scanned upon forms POST, rare, relatively speaking, so a small price to pay i think (the remote akismet, SFS, honypot checks, etc are much slower by comparison).

    Look forward to the next release.

    All very best

    Rob

  19. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    Changes from last night and this morning (Nov 19, 2012):

    Separate email, IP and good cache sizing.

    Sleep time option.

    Session speed test option.

    Also an option to not check anything IP related. This is for people behind firewalls, proxies, or routers that hide the incoming IP address and do not use XFF to provide the original IP.

    Aggresively check XFF header information whenever getting IP address, This may help users who have trouble with the IP and start denying themselves.

    Next is the custom fields, but before I do that I want to make a "protected by" widget with a spam count. Maybe use as advertising so I could double my book sales. I am hoping to break that $1.00 a month ceiling.

    Beta seems to be working well on blogseye.com and two other sites.

    Keith

  20. rcain
    Member
    Posted 1 year ago #

    Great news Keith! Nicely done. :)

    One more idea/requirement I've just discoverd:

    - Ability to remove individual email's and/or ip's from the backlist (cache).

    Discoverd that I had one or two false positives in the backlist - either legitimate users who just happend to be using email domains I had previously banned, else had been unfortunate enough to have their (dynamic) IP's added to a public blacklist through no fault of their own.

    At present, I the only way I can see of allowing them access to my site again is either a) to clear the entire blacklist cache and/or b) add them to the whitelist (which gets checked first, iirc).

    Unless there is another way of achieving this I am unaware of?

    Thanks again for all your brilliant work! :)

    (btw: on one of our clients sites your plugin has so far pevented 45,247 spammers since 2012/07/04 and counting!.Fantastic! And now no registrations clogging up the db either. I would be very happy to make a donation towards this plugin - I'm sure many other people would also (eg: the buddydev site is currently rammed full of spammer registrations, so are most other BP sites i have come across in the wild - they could sure use your plugin!)).

    Rob

  21. kpgraham
    Member
    Plugin Author

    Posted 1 year ago #

    I added a trashcan to items in the cache.

    Be sure to add the new widget to the bottom of your side panel. I will make it customizable in the future, but for now the widget just shows the number of spam attempts stopped and links to the plugin (and a tiny "buy-the-book").

    Keith

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.