Sciencemadness Discussion Board

abuse of member registration

Polverone - 21-11-2003 at 19:38

In the last few days usernames dominguez69, asercca, and xamarton1 have been registered. None of the three usernames has been used to post any comments. All have porn sites for their homepages; two of the three also have postmaster@NAME_OF_PORNSITE.tv e-mail addresses.

When I search Google for the usernames dominguez69 and xamarton1, I find a bunch of user registrations under those names on other XMB message boards. It looks like someone is using a script to automate fake member registrations on XMB messageboards to promote their porn sites. Goodbye, all three users. I couldn't find evidence of asercca being an automatically created account, but the timing is suspicious.

If I've deleted anyone's account in error, please register again and this time don't use a porn site for your home page. Madscientist, Vulture, I'd appreciate it if you'd also look at new member registrations and delete ones that seem to fit this pattern.

EDIT: Oh, one more casualty: yatamous18, who fit the profile perfectly except he had an online gambling site instead of a porn site.

[Edited on 11-22-2003 by Polverone]

BromicAcid - 19-3-2004 at 13:20

1freesex joined today, their personal website opens up with three or so pop-ups and a "YOU WON!" message and is basically a porno site. You can guess that the name made me suspicious.

vulture - 19-3-2004 at 13:34

Taken care of.

Thanks for the warning.

Quantum - 19-3-2004 at 13:36

I guess they are trying to increase hits from google by having lots of places where the email addresses are. Can you make a robots.txt file that prevents google from spidering the place where names are shown so it will make this useless? Or will that create other problems?

Polverone - 19-3-2004 at 14:27

I could make a robots.txt, but that doesn't prevent automated account signups. The person running the script won't know that sciencemadness is useless and therefore ignore it. We get few enough of these that deleting them manually isn't a problem so far.

ziqquratu - 19-3-2004 at 16:53

I don't know much about it, but can't you do what so many places do these days and have a little picture with a code you have to type in when you sign up, which prevents automated sign-ups (because the automated script can't read the code)?

Or is this too tricky to be worth the effort?

IgnorantlyIntelligent - 24-3-2004 at 18:30

LOL porn advertisements here too? Oh Mankind, shame on you!
Isn't the greed of people amazing? Porn has single-handedly ruined AIM, emails, and now is encroaching on forums. I feel another complaint about the stupidity of man thread coming on....:D

axehandle - 26-3-2004 at 16:12

What you feel is a reaction to the allowed stupidity of men coming at you.

Blind Angel - 26-3-2004 at 16:18

I think Einstein said something like that:
"There are two things that are infinite, universe and stupidity. I just don't have proof about the universe" :D

axehandle - 26-3-2004 at 17:02

Aaaah, it was Einstein. I thought it was me :(

New member today

BromicAcid - 12-4-2004 at 15:26

0 Manga X

Links to a German hentai anime porn site. The profile looked messed up on my computer so maybe someone already took down the member?

The_Davster - 10-5-2004 at 15:37

New member amatlu lists his homepage in his profile as a porn site.

BromicAcid - 10-5-2004 at 15:54

Lately there has been a large flux of members using porno sites in their profiles. I was U2U'ing the moderators to tell them, but it looks like they have been keeping a more vigilant outlook lately, as they get deleted before most people see them. I've seen about 8 different members register in the last weeks using porno sites as their homepage URL. Possibly it could be set up so that URLs have to be approved?

8 members in the last few weeks?

Polverone - 10-5-2004 at 16:47

Don't I wish! I have been deleting more than 5 a day for the last few days. I wish I knew of a trustworthy, PHP-savvy member that I could task with making minor improvements to the board code (like setting up a bot-defeating registration page). Any volunteers? I would need you to modify/test a copy of XMB on your own server, then I would look over your changes, try it out, and update sciencemadness if/when your changes look good.

axehandle - 10-5-2004 at 17:54

Pity I'm Perl-but-not-PHP-savvy!

Otherwise I'd have been glad to help.

Blind Angel - 10-5-2004 at 17:58

Make a list of the most used words, then make an if statement, or add something like this

Still looking for something else

[Edited on 11-5-2004 by Blind Angel]

Polverone - 10-5-2004 at 18:46

"Wife" is a common component of the pornspam user names. Other than that the names seem pretty random. That XMB hack wouldn't help because the bot just registers; it never tries to log in and post.

Blind Angel - 11-5-2004 at 03:26

I'm still looking for one of those hacks where you need to fill in a random number for registering. Or maybe you could just change one of the field names used, like change "login" to "log-in" or something like that; they put all the data in the address after the ? (like /member.php?action=reg&login=xxx&password=zzzz....), so if you change the name of one of the essential fields and the forum returns an error, you won't get any fake registrations, since it's mostly automatic bots which do that.

[Edited on 11-5-2004 by Blind Angel]

Organikum - 11-5-2004 at 04:33

Change the settings so that the "www" is not shown on every post; the same for e-mail and perhaps also the instant messenger.
Then make the members' profile pages inaccessible to robots.

This should solve the problem, as not every registered porn-page user automatically generates hits at Google. Also, automated mail collectors won't have it so easy anymore. (I really don't need a bigger penis by now...)

Somebody interested in contacting a member may go to the profile; on the board, U2U suffices (+ messenger maybe). Who wants his homepage visible may integrate it into his signature.

No information for the users is lost; a jump to the profile is the minimum I expect from somebody who wants to contact me by mail (+ a certificate of mental health which satisfies my definition of the matter).

Blind Angel's suggestions are well thought out, although as it is probably a robot made for generating search-engine/Google hits by abusing XMB boards, changing some small parameters should fool the robot.

Polverone - 11-5-2004 at 09:35

I have considered doing exactly what Blind Angel suggests, just changing a few variable names on the registration page. Then I have to make sure that doesn't interfere with the rest of the board; who knows what dependencies that page might have? That is one reason it would be nice to delegate the task to someone who really knows PHP. Perhaps I must take it on myself, though.

I don't think setting a robots directive will help. Spammer address-harvesters can just ignore the robots directive. I could keep the members page hidden from Google, and that would ensure that it doesn't boost someone's porn or gambling or cigarette site, but the bots wouldn't know that and would still flood the members page with crap.

One old trick

axehandle - 11-5-2004 at 15:13

is to replace the email addresses, the "Login" text etcetera with auto-generated JPEGs or GIFs et al of the text. There are several open source tools that do just that.

I think most spambots lack image-to-text capabilities...

[Edited on 2004-5-11 by axehandle]

sure

Polverone - 11-5-2004 at 16:10

But who's going to integrate it with the existing board software? I'm not. A good administrator is motivated to efficiency by laziness. I'm not yet good/lazy enough to think it's worth investing hours in modifying/testing the board code to defeat spambots or signup-bots.

I tried editing the signup thing this morning, but apparently the XMB templates file also needs to be edited and then somehow re-loaded (editing it in place didn't work).

Blind Angel of course

Organikum - 12-5-2004 at 04:51

He is obviously so heavily interested in the board's software, bugs, flaws and glitches that I can think of nobody better for the job.
:D

axehandle - 12-5-2004 at 07:17

Don't look at me, I'm not very keen on modifying a non-open source product.... ok ok ok, I admit it, I'm just too lazy to do it :)

Polverone - 20-5-2004 at 12:53

I will be online only a little bit for a few days. Madscientist, please take a look at the members list and clean out the spambot accounts if you have time (Vulture, can you do this or do your powers not permit user deletion?)

vulture - 21-5-2004 at 06:10

I've deleted about three over the past week. So yes, I have the p0w4h! :P;)

Polverone - 1-6-2004 at 22:05

The spamming signups have been very strong the last couple of days! In addition to the usual porn and gambling sites, there's one site that's registering repeatedly to promote plain-text reviews of video games. If harm were to befall this site (www.kahovsky.com) it would bring me satisfaction.

Does anyone have an idea of how much bandwidth costs in bulk, and therefore how much (say) an automated script that repeatedly sucks down a spamming porn site might eventually cost said site?

axehandle - 2-6-2004 at 01:43

Quote:

Does anyone have an idea of how much bandwidth costs in bulk, and therefore how much (say) an automated script that repeatedly sucks down a spamming porn site might eventually cost said site?

Not really, but I volunteer to DDOS the site since I have a flat rate, and perhaps even to write the download script.

I know one price though: I know the look on the site owner's face when he sees the bill: Priceless.

Esplosivo - 6-6-2004 at 06:30

Admins check out this user: coriho1sa
He's a new member. Well check out his homepage :P. He seems another of those automated subscriptions from porn-sites.

[Edited on 6-6-2004 by Esplosivo]

vulture - 6-6-2004 at 06:46

He wasn't the only one. Deleted three users.

Reverend Necroticus Rex - 5-7-2004 at 12:17

I have my suspicions about these users; they all have similar porn sites for their homepage :mad: I agree with the earlier statement that URLs should maybe need approval from a mod, although as the bots never log in, I'm not too sure if it would work.

tuzik
sauna
korole
damerq
gymgym
syber3
rainerz
krasotkax

[Edited on 5-7-2004 by Reverend Necroticus Rex]


We seem to be getting many bogus users from the site teen-hard-porno.com and affiliates/subsections thereof; of all the bogus users I have noticed, 100% of them are coming from here. Would it be possible to filter the string "teen-hard-porno" or something like it in the users' sites in their profiles, so as to disallow this site from clogging up the board?

[Edited on 7-7-2004 by Reverend Necroticus Rex]

JC - 1-8-2004 at 12:15

Hi all.

I could mod the page so that there was a simple extra code to enter that would have to be entered to get the registration to work. Something simple, like "To register, enter the answer to the following sum. 4+3=" and have the answer checked against whatever random number was added to 4.

It would keep some of the Kewls out too, I guess.

I would need to be sent a copy of the registration page, as well as the new user creation script, both of which are going to be .php files.

/talk/member.php seems to be the one, actually.

JC

vulture - 1-8-2004 at 12:25

And this would be the perfect cloak for a hacker to get his way into MSDB....

Certainly if this is your only post...

Blind Angel - 1-8-2004 at 13:17

PHP code isn't that hard to read; you just have to look, or ask someone who can code in PHP (if I can, surely some admin can too) to detect flaws.

Type in the number you see

MadHatter - 1-8-2004 at 15:05

Blind Angel, you referred to the method that keeps out automatic registration. I think it's a good idea if it can be implemented. It's bad enough that my e-mail gets flooded with a rash of these damn things along with the scams and other crap spam that no one cares about! Now they want access to all forums?

JC - 3-8-2004 at 13:55

I stand by my offer. I'm trustworthy. It would be a simple matter to tweak a few lines, but as for stealing passwords, well, I could put a mailto: into the code and trap any new registrations, sending them to somewhere else, but why would I bother?

Besides, all you do is a comparison of the before and after versions. Anything I changed would be really obvious, but I would comment it properly, and, since it's a trivial change and PHP is easy to read, I would be wasting my time to "try" anything.

Is this just because I never got banned from RS, unlike some people?

Edit: Actually, it's quite complex, this one. I can't find the exact place that generates the actual HTML output part, as it is built up from so many places. I've got the testing of the answer done, and the "error bounce" too. I just can't quite work out where to get the HTML inserted to ask the question!

I d/l'd the BB last night and it's installed on my laptop now, under Apache and MySQL.

[Edited on 4-8-2004 by JC]

Chemoleo, well, Vulture seems very harsh, since I offered free help. He seems very upset that he got banned from RS, but it isn't anything to do with me. I objected to a few bans, then NBK2000 said that if I mentioned it again, I would be banned too. At that point, I left it alone.

As for quiz questions, well, I could ask anything - what are the suggestions? I would rather only have one or two simple questions, though - none of this "name this with DEAC Rules - W3F5OH3CH" stuff! ;)

[Edited on 4-8-2004 by JC]

chemoleo - 3-8-2004 at 14:33

Well, you can download the forum software from xmb, do the modifications as you deem necessary, and then send it to Polverone.
It's then up to him whether to implement it or not, and to decide whether the code is safe or not.

But why bother? In my opinion the abuse of member registrations is not a problem enough to require immediate attention. Most members are still genuine.
And the spam I get... well it's my spam account anyway. A few more or less won't make a difference :)

>Is this just because I never got banned from RS, unlike some people?

I don't see the relevance. Surely little snides like that are not helpful to the discussion.. are they?

[Edited on 3-8-2004 by chemoleo]

Ramiel - 3-8-2004 at 16:46

I like the idea of a quiz like JC suggested. If I could put in my two pence, how about a chemistry related quiz, such as: "what is the name of this functional group ...". That would stop bot-registrations I guess, and also stop people who would register only to let us all in on a few secrets on making black powdar (sic).

- D

Mission completed

JC - 4-8-2004 at 08:00

Right, the edit is done.

I eventually sussed it out, the templates are actually stored in the database.

Right, here goes:

In "member.php" you want to insert the following code, on line 239 (after the bit about the username):


Code:
// JC edit to stop bot registrations
// Added a few lines to the registration page (in the database, table xmb_templates, id=87) to ask what 3 + 4 is
if($botcheck != '7') {
    // If not '7' then tell them they got the password test wrong
    end_time();
    $message = "<b>$lang_error:</b> ".$lang_pwnomatch."";
    eval("\$header = \"".template("header")."\";");
    eval("\$error = \"".template("error")."\";");
    eval("\$footer = \"".template("footer")."\";");
    echo $header;
    echo $error;
    echo $footer;
    exit();
}
// End of JC edit


and then in the db, go to your forum database, and table xmb_templates. Select row 87, with name = member_reg (The name is important, rather than the number)
Hit edit, and scroll down to the line above $pwtd, then insert the following:

Code:
<!-- JC edit start -->
<!-- bot jammer -->
<tr>
    <td bgcolor="$altbg1" width="22%" class="tablerow">Bot jammer - What is 3 + 4?</td>
    <td bgcolor="$altbg2" class="tablerow"><input type="text" name="botcheck" size="2" maxlength="2" /></td>
</tr>
<!-- JC edit end -->
is the new entry.

Copy both sections into your editor of choice, and remove the spaces after every < or the code will not run (it was the only way to get it to display right here - I think the XMB code has a bug in the [ code] implementation) then it will work.

Obviously you can change the question to whatever you like, as long as the answer is 7. If you want to change that, the
if($botcheck != '7') {
bit should have the 7 changed to whatever. (Put it in single quotes for safety)
JC


[Edited on 4-8-2004 by JC]

vulture - 4-8-2004 at 08:41

Quote:

Chemleo, well, Vulture seems very harsh, since I offered free help. He seems very upset that he got banned from RS, but it isn't anything to do with me. I objected to a few bans, then NBK2000 said that if I mentioned it again, I would be banned too. At that point, I left it alone.


Getting personal are we? First of all, I don't know any E&W member called JC, furthermore if I did, there are many other people here that aren't banned from RS and I don't throw vicious comments at them everyday like you just did.

Take a look at my post count at RS, then take a look why I was banned. Then kindly STFU before you say something that you might regret.

You really seem trustworthy to me now, yes... *rolleyes* certainly because of your loyalty to RS.

[Edited on 4-8-2004 by vulture]

JC - 4-8-2004 at 14:42

No, just saying what I see.

Rightly or wrongly, you got banned. A hell of a lot of people did, many for no obvious reason. If it ever comes back, I might find myself not welcome there for saying this, on this board.

I nearly got banned when I suggested that if NBK disliked a certain thread about the issues that America seems to have with itself and others, he should just skip reading that thread. He didn't appreciate it.

I feel this place is a little more enlightened when it comes to people talking freely, in some ways.

I have seen your post count, and I am not trying to offend anyone.

I offered a little help with modding the board, which took me a few hours last night trying to get to grips with, and half an hour today when I realised what I had missed at 1am. I have offered my help in the most transparent way I can, that of clearly visible public review. Anyone who can read code can tell what the two small changes I made do, and that they are not harmful.

Besides, why would I want to fight a Belgian? I used to date a very pretty Belgian girl, and once took a *great* roadtrip there.

I only registered on this site after RS bought the farm, but I had visited a few times before. Regardless, I am not one to pick fights. Please accept my apologies. I perhaps ascribed incorrect motives to your response to my original post. Sorry.
----
I am Jack's complete lack of surprise...

Sarevok - 4-8-2004 at 14:47

Don't be unjust, JC. Vulture is not upset about being banned from Roguesci. From ALL the people who got banned from there, he is one of the few who accepted it without getting upset.

[Edited on 4/8/2004 by Sarevok]

JC - 4-8-2004 at 14:52

That's why I apologise.

I realise that I ascribed the wrong motives to his comment about how I was untrustworthy.

I feel that is still unfair - I am unproven, not untrustworthy. I feel the difference is important.

vulture - 5-8-2004 at 03:49

Ok, ok let's forget this little incident and carry on.

If the code works, fine. It's just that there are so many possible exploits for PHP code that I'm always a bit paranoid about such things.

Also, we once got hacked by a PHP (although remote) exploit. I like to err on the safe side.
It's just that a new poster to the board directly offering such help is usually too good to be true.

JC - 5-8-2004 at 15:15

Ok, cool.

To go through the code really carefully:

The conditional statement if($botcheck != '7') {
simply means that if the variable $botcheck is not equal to 7, run the code between the { } brackets.
The ' (single quotes) are to ensure nothing "clever" gets sent in and evaluated, should anyone hack the page.

The actual code between the curly braces is actually the password comparison code from just next to it in the script.

For the next part, that's just normal HTML. The <tr><td> is a new table cell, and
<input type="text" name="botcheck" size="2" maxlength="2" />
is just the usual HTML for a new input cell. It's limited to a maximum length of 2 characters, in a length 2 box.
The </td></tr> is just closing off the HTML.


For the record, the code for this board omits one important thing in the input sections' checking code, which is rather dangerous, and on a mis-configured server could allow arbitrary code to be executed. Of course, it would also allow me to get my proper username, since the single quote isn't allowed, but now I can, except my email address is bound to the username...

Who should I email/u2u about it?

Also, there is a slight oddity, in that I simply added the new variable, and didn't have to tweak any declarations. I'm not sure whether that's a problem or not. I can see that some variables are passed via the URL string, and so, now, someone looking at this bit of code could perhaps use that variable name to attack the system.

Of course, just tweak both the variables so they are the same, but new and hidden from everywhere else. :cool:

The code is freely available, as pointed out above, of course!
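The two weaknesses JC's walkthrough touches on (a fixed answer of 7, and a $botcheck that appears without any declaration because register_globals fills it in) can both be closed while keeping his "bot jammer" idea. The following is an added example, not JC's patch or XMB's own code: it assumes PHP 7+ with sessions, and the function names and the session key 'botcheck_answer' are my choices.

```php
<?php
// Added example (not JC's patch, not XMB code). Same "bot jammer" idea as JC's
// member.php check, hardened: the sum is generated per form render and the
// expected answer lives only in the server-side session, so a bot cannot
// hard-code "7". Assumes PHP 7+ with sessions; function names and the session
// key 'botcheck_answer' are my own choices.

session_start();

// Call before the member_reg template is evaluated, e.g. in member.php:
//     $botcheck_question = bot_jammer_question();
// and put $botcheck_question in the template where JC wrote "What is 3 + 4?".
function bot_jammer_question(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    // Stored server-side only; the answer is never sent to the client.
    $_SESSION['botcheck_answer'] = $a + $b;
    return "What is $a + $b?";
}

// Call at the top of the registration handler, before any account is created.
// Reads the field explicitly from $_POST instead of relying on register_globals
// (which is why $botcheck appeared in JC's version without a declaration). A
// script that stuffs the fields into the URL after the "?", as Blind Angel
// described, never reaches $_POST and is rejected on that alone.
function bot_jammer_passes(array $post): bool
{
    $expected = $_SESSION['botcheck_answer'] ?? null;
    // Single use: one solved challenge cannot be replayed for a second signup.
    unset($_SESSION['botcheck_answer']);
    if ($expected === null || !isset($post['botcheck'])) {
        return false;
    }
    $given = trim((string) $post['botcheck']);
    // Accept only one or two digits; anything else fails before comparison,
    // so nothing "clever" in the field is ever interpreted.
    if (!preg_match('/^\d{1,2}$/', $given)) {
        return false;
    }
    return (int) $given === $expected;
}

// Stand-alone check from the command line; in member.php this is where JC's
// if($botcheck != '7') block sits, and a false result should reject the
// registration the same way his block does (end_time(), error template, exit()).
if (PHP_SAPI === 'cli') {
    $question = bot_jammer_question();
    $answer = $_SESSION['botcheck_answer'];   // a test harness may peek; a bot cannot
    $right  = bot_jammer_passes(['botcheck' => (string) $answer]);
    $replay = bot_jammer_passes(['botcheck' => (string) $answer]); // rejected: single use
    $absent = bot_jammer_passes([]);                                 // rejected: no field
    echo "$question ", $right ? 'accepted' : 'rejected',
         ", replay ", $replay ? 'accepted' : 'rejected',
         ", missing field ", $absent ? 'accepted' : 'rejected', PHP_EOL;
}
```

Because the question text is regenerated on every render, the template row should interpolate $botcheck_question rather than carry the literal "What is 3 + 4?" from JC's database edit.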

Haggis - 8-8-2004 at 21:56

Woo Woo!

Looks like we got a 'maturehousewife' looking for some sweet chem action. Get her while she's still here!

http://www.sciencemadness.org/talk/member.php?action=viewpro...

Esplosivo - 15-9-2004 at 06:29

Vulture, check out the latest guest - freepasswords. Seems to be another with those pretty websites.

vulture - 15-9-2004 at 10:03

freepasswords, xxxxxx69, xxxfree, nfsof4r, rreettt, bbw_lucker and nylonfeet have been deleted.

ArrrrgggghhH!!!!

axehandle - 20-9-2004 at 11:16

EDIT: Deleted


[Edited on 2004-9-20 by axehandle]

BromicAcid - 20-9-2004 at 13:51

I've come to the conclusion that it is really not necessary to tell the moderators when an automated service puts up a sex site. They all check through the list periodically and delete them without me adding to this thread.

And axe, wouldn't posting their web address in this thread serve the same purpose as them making their own profile, you know, by increasing the number of pages the address is on and therefore increasing their Google ranking?

axehandle - 20-9-2004 at 14:53

Yes.

I've deleted it. Sometimes I do really stupid things.