The Official Anti-Spam Tutorial

Postby Jeremy » 2007-06-17 07:07 pm

I wrote an outline for this a couple weeks ago, but just got around to fleshing it out today. I apologize for not being a very good writer, but hopefully I get the idea across. If anyone has any suggestions, don't hesitate to reply.

The Official Anti-Spam Tutorial

As many of you are well aware, spam is not just something you get in emails. It is everywhere from forums to blogs to topsites. In recent months, it has been an increasingly annoying problem for people using Aardvark Topsites PHP to run their topsites. In this article I am going to describe the current best practices in stopping topsites spam.

Keep your software up to date
Upgrade to version 5.2.0, which has much better anti-spam features than previous versions.

Word verification (CAPTCHA)
CAPTCHAs were developed with the goal of stopping bots from completing a form by presenting a distorted image that a human can read and a bot cannot. However, as bots become more sophisticated, CAPTCHAs become less efficient. Aardvark Topsites PHP introduced a new, more complex CAPTCHA that might buy us a little time, but it will undoubtedly be cracked like all of the other common CAPTCHAs. Despite the limited effectiveness of CAPTCHAs, it is recommended that you leave the CAPTCHA enabled to at least make it a little harder for people to write spam bots.

There are ways you can improve the security of your CAPTCHA. When a spammer attacks topsites lists, their bot expects to see the default CAPTCHA and it can probably solve it with a decent level of accuracy. But what happens if they expect the default Aardvark CAPTCHA, and something else is there? If it is not a sophisticated bot, it may not be able to proceed. So here are some things you can do to change your CAPTCHA:

Change the settings
In captcha.php from lines 31-40 (version 5.2.0), you will find some parameters that you can tune to change how the CAPTCHA is generated. You can rotate the characters more, change their size, make it longer or shorter, and add more noise. The comments in captcha.php describe how to edit these settings in detail.

Change the fonts
The CAPTCHA can use several different fonts to display characters. You might be able to confuse bots by changing the default fonts. Delete the current files in the fonts folder and replace them with some other TTF fonts.

Roll your own CAPTCHA
If you know some PHP, this would be the best option. Just make your own CAPTCHA that is significantly different than the default one.

Security question
Security questions have gained popularity recently as an alternative to CAPTCHAs. Users must answer a simple text question to proceed. By default, this feature is disabled in Aardvark Topsites PHP because it relies on the administrator asking a unique question. To enable it, log into the admin and go to the settings page.

You must take care not to ask a question that will be hard for real users to answer. Simple math questions (What is 2+5?) are popular, but I think that it is only a matter of time until bots will be able to parse math questions. This will lead to the same problems CAPTCHAs have faced: as bots become smarter, questions become harder, and users become frustrated. However, this cycle has not yet happened and security questions are currently a very effective way of stopping bots.

Changing the join form
Bots expect to see the same join form on every topsites list. But what if they don't?

Adding a hidden field
If you add a hidden field to your join form that contains some predefined value, you can check for that field in join.php and assume that any form submitted without that hidden field is from a bot.

First, you need to add the hidden field to your join form in join_form.html (I recommend that you change "secret" to something unique):
Code:
<input type="hidden" name="secret" value="1" />

Then, in join.php, find this code:
Code:
  function process() {
    global $CONF, $DB, $FORM, $LNG, $TMPL;

After that, put this (change "secret" here as well):
Code:
if (!isset($FORM['secret'])) { die('Spammer!'); }


Change the name of a field
Similarly, if you change the name of one of the default form fields, bots will not recognize this change. When they submit something with the original field names, you can block them.

Pick one of the fields (title, url, etc.) in join_form.html and change its name to something else. Then, in join.php, find this code:
Code:
  function process() {
    global $CONF, $DB, $FORM, $LNG, $TMPL;

After that, put this:
Code:
if (isset($FORM['title'])) { die('Spammer!'); }
elseif (isset($FORM['new_title'])) { $FORM['title'] = $FORM['new_title']; }

The above code is what you would use if you renamed the "title" field to "new_title". Modify it to suit your needs.

Admin approval of new members
This feature has been around for a while, but it has only been enabled by default in version 5.2.0. I wanted to not even make it an option, but some people complained. No matter what anti-spam measures you take, it is imperative for you to enable admin approval of new members. Even if you are using an old version of the script, you can enable this on the settings page in the admin.

Why is this so important? Even if you implement all of the methods above, a sufficiently complex bot still might make it through. However, more importantly, we must consider the fact that many spam submissions are done not by bots, but by real people. Admin approval of new members is really the only way to stop people who are manually spamming your topsites.

Will it ever end?
Probably not. Even if a website never makes it to the front page, it still could make it to your admin approval list. The spammers might not be spamming your visitors, they might be spamming you personally. But if you follow the instructions above, you can at least stop bots from spamming you and stop all spam from reaching your visitors.

But I've already been spammed!
First, delete all the spam sites and implement some of the security measures detailed above. That might not be enough though. Spammers hitting your button.php repeatedly can be a huge drain on server resources. Jim Westergren details how to deal with this problem.
Jeremy
Supreme Diety
 
Posts: 8922
Joined: 2003-05-05 04:41 pm
Location: NJ, USA
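As an added example (not Jeremy's code and not part of Aardvark Topsites PHP), the three join-form checks from the tutorial, the hidden field, the renamed field and the security question, combined into one guard function that can be called at the top of process() in join.php. It goes one step beyond the tutorial by comparing the hidden field's value rather than only testing that it is set. JOIN_SECRET, the "new_title" and "question" field names, and the sample submissions are assumptions.

```php
<?php
// Value the hidden join-form field must carry; pick something unique per site.
// (Assumed name; the tutorial simply calls the field "secret".)
define('JOIN_SECRET', 'change-me-to-something-unique');

/**
 * Returns a list of reasons the submission looks automated, or an empty
 * array when it passes. $form is the decoded join form ($FORM in join.php).
 * On success the renamed field is mapped back to the stock name "title".
 */
function join_spam_reasons(array &$form, $expected_answer)
{
    $reasons = array();

    // 1. Hidden field: must be present AND carry the expected value.
    //    Checking the value, not just isset(), also rejects a bot that
    //    learned the field name but guesses the value.
    if (!isset($form['secret']) || $form['secret'] !== JOIN_SECRET) {
        $reasons[] = 'hidden field missing or wrong';
    }

    // 2. Renamed field: the stock field name should never be submitted,
    //    because the real form only has "new_title" (assumed rename).
    if (isset($form['title'])) {
        $reasons[] = 'stock field name submitted';
    } elseif (isset($form['new_title'])) {
        $form['title'] = $form['new_title'];
        unset($form['new_title']);
    } else {
        $reasons[] = 'title missing';
    }

    // 3. Security question: trimmed, case-insensitive comparison so a
    //    human typing "Seven" instead of "seven" is not rejected.
    $answer = isset($form['question']) ? trim($form['question']) : '';
    if (strcasecmp($answer, $expected_answer) !== 0) {
        $reasons[] = 'security question answered incorrectly';
    }

    return $reasons;
}

// Constructed sample submissions for a quick check.
$human = array('secret' => JOIN_SECRET, 'new_title' => 'My Site', 'question' => 'Seven');
$bot   = array('title' => 'Buy stuff', 'question' => '7');
var_dump(join_spam_reasons($human, 'seven'));  // empty array: passes
var_dump(join_spam_reasons($bot, 'seven'));    // three reasons: rejected
```

In join.php this would be used as `if (join_spam_reasons($FORM, 'seven')) { die('Spammer!'); }` right after the `global` line the tutorial points at.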

Postby kamranrocksit » 2007-07-27 03:18 pm

Jeremy, I have some topsites which have members like "good game site" or something like this..

and their email is quite different..

Do you think this can stop that spam?
kamranrocksit
Advanced Member
 
Posts: 120
Joined: 2007-02-26 08:58 pm

Postby Jeremy » 2007-07-27 06:29 pm

what?
Jeremy
Supreme Diety
 
Posts: 8922
Joined: 2003-05-05 04:41 pm
Location: NJ, USA

Postby kamranrocksit » 2007-07-27 06:34 pm

16. build good resume site - internet filter
17. design example good site web - internet filter
18. good web site guide - My first site
19. good proxy site - My first site
20. good free site - My first site
21. good guest inurl site thank very - Set of the interesting information
22. good looking web site - My first site


I was talking about these sites..

http://digital.photographer-s.com/.

Do you think that's been spammed!!
kamranrocksit
Advanced Member
 
Posts: 120
Joined: 2007-02-26 08:58 pm

Postby Jaap » 2007-07-30 03:13 pm

Some people have serious trouble being clear :lol:
Jaap
Member
 
Posts: 23
Joined: 2006-03-19 03:47 am

sohbet

Postby Joe H » 2007-08-22 09:15 pm

I have had some serious problems with sohbet

Even after deleting my topsites

thousands of requests to apache from GET/topsites/button.php?u=

I tried the rewrite with .htaccess....and the deny. Nothing helped

The techs finally disabled the IPs using Apache's firewall

My site hasn't been this fast in a long time

but there are still hits from button.php and the IP addresses are legit...with the spammer's user ID

any idea how to eliminate that?
Joe H
Newbie
 
Posts: 3
Joined: 2006-12-20 03:11 pm

Postby ZiNg » 2007-08-22 10:43 pm

I just changed all my ?a= to ?TSS=
ZiNg
Advanced Member
 
Posts: 36
Joined: 2006-09-27 12:40 am
Location: King, N.C.

Postby Joe H » 2007-08-22 10:46 pm

How and where?
Joe H
Newbie
 
Posts: 3
Joined: 2006-12-20 03:11 pm

Postby deny » 2007-10-10 03:48 am

The solution for anti-spam is very simple, but so many newbies do not know it, and I think this is the best topic to reply in.
This is a method to prevent calls to button.php by modifying 2 files, join_email.html and link_code.html, and deleting button.php from your server.

Simply edit both files above and, instead of giving your users a link to the button, replace it with a link to your site.
So delete this line in join_email
Code:
<a href="{$list_url}/{$verbose_link}"><img src="{$list_url}/button.php?u={$username}" alt="{$list_name}" border="0" /></a>


and replace it with

Code:
<a href="http://www.yoursite.com"> Yoursite Title</a>


and modify link_code
Code:
<a href="http://www.yoursite.com"> Yoursite Title</a><br /><br />
<script type="text/javascript">
function select_all() {
  var text = document.code.code;
  text.focus();
  text.select();
}
</script>
<form name="code">
<textarea readonly="readonly" name="code" rows="6" style="width: 100%;" onclick="select_all();">&lt;a href="http://www.yoursite.com">Yoursite Title&lt;/a></textarea>
</form>


What we have done is simple: we have completely eliminated the evil button.php from our server, so linking to button.php will give a 404 file-not-found error, and we no longer give new members code that links to button.php.
Instead we use a simple static link. Everything is the same except for one thing: pageviews will not be counted anymore.

This actually works best if you are installing the topsite for the first time, but it also works excellently for people who have used the toplist for a longer time, because this way we eliminate button.php, and by eliminating button.php you will get no trouble with the server, high CPU, etc...

Hope this helps someone.
deny
Advanced Member
 
Posts: 66
Joined: 2006-03-31 03:35 am

Postby raredog » 2007-12-12 06:19 pm

Hello there,

I'm having a CPU overload problem with my host and I think I can use your method here.

Can I let them (members) still use the button.png? Or it may still cause CPU overload?

BTW can I view your topsite please?
the rarest of them all

http://websaytko.com
raredog's chronicle
raredog
Advanced Member
 
Posts: 31
Joined: 2007-06-11 12:31 am
Location: Philippines

Postby deny » 2007-12-20 02:45 pm

You can not use button.png because it is the reason for the high load on your server.
The method above excludes the use of button.php and gives people only a text link as an option.
You also need to delete the button from your files and make access to the button forbidden in .htaccess.
deny
Advanced Member
 
Posts: 66
Joined: 2006-03-31 03:35 am

Postby raredog » 2007-12-20 08:03 pm

You can not use button.png because it is the reason for the high load on your server.
The method above excludes the use of button.php and gives people only a text link as an option.
You also need to delete the button from your files and make access to the button forbidden in .htaccess.


You mean delete button.php and all the button.png files (1 - 200) from my server completely? If I use the text link as an option, will it still be directed to the gateway .html when clicked by the user? If not, how can they vote?
the rarest of them all

http://websaytko.com
raredog's chronicle
raredog
Advanced Member
 
Posts: 31
Joined: 2007-06-11 12:31 am
Location: Philippines

Postby deny » 2007-12-21 08:06 pm

Yep, I mean button.php.
I have never used the gateway, but it will probably work because everything is the same. Only the other site does not 'call' anything from your server anymore (button.php) because it uses a static link, and the topsite still counts every vote because the voting system checks referers. Only pageviews will not be counted anymore.
deny
Advanced Member
 
Posts: 66
Joined: 2006-03-31 03:35 am

Re: The Official Anti-Spam Tutorial

Postby 24orange » 2008-02-05 11:16 am

Thanks for the excellent how-to!! Is there any possibility for pageviews?

Thanks Again!!
24orange
Newbie
 
Posts: 5
Joined: 2008-02-05 10:52 am
Location: 24orange.nl

Re: The Official Anti-Spam Tutorial

Postby deny » 2008-02-08 07:27 am

Not that I know.
deny
Advanced Member
 
Posts: 66
Joined: 2006-03-31 03:35 am