[geeklog-devel] Home-made problems with forum spam

Dirk Haun dirk at haun-online.de
Fri Feb 11 12:45:06 EST 2005

Okay, part of yesterday's spam DDoS problem was home-made:

Exhibit #1:

Thu Feb 10 15:11:52 2005 - Found Spam Comment [...] posted by user  from
Thu Feb 10 15:11:55 2005 - Found Spam Comment [...] posted by user  from

Two posts from the same IP address within 3 seconds? This shouldn't happen.

Reason: The forum's speed limit defaults to 1(!) second.

Suggested fix: In public_html/forum/include/config.php replace

    $forumSpeedLimit = 1;

with

    $forumSpeedLimit = $_CONF['commentspeedlimit'];

Exhibit #2:

    - - [10/Feb/2005:15:11:55 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "http://www.geeklog.net/forum/createtopic.php?method=postreply&forum=9&id=20921" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
    - - [10/Feb/2005:15:11:56 -0500] "GET /index.php?msg=8&plugin=spamx HTTP/1.0" 200 47376 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

So our friend's spamming scripts have started following the redirect to
display the "Spam detected" message, causing additional load.

Not sure what the best solution would be for this. On the one hand, I
think we should display a message in case a regular user accidentally
posted something that is considered spam (and be it only excerpts from
his logfiles containing blocked URLs). On the other hand, there's no need
to display the entire Geeklog framework page. So maybe just display a
plain-text message and let the script exit?

So instead of

    if ($result > 0) {
        // redirect to the full Geeklog page that shows the spamx message
        echo COM_refresh($_CONF['site_url'] . '/index.php?msg=' . $result . '&plugin=spamx');
    }

do something like

    if ($result > 0) {
        // look up the plugin's message text for this result code
        $var = 'PLG_spamx_MESSAGE' . $result;
        global $$var, $MESSAGE;
        if (isset ($$var)) {
            $message = $$var;
        } else {
            $message = sprintf ($MESSAGE[61], 'spamx');
        }
        // plain text only, no surrounding framework page
        header ('Content-Type: text/plain');
        echo $message;
        exit;
    }

... which is pretty much what COM_showMessage would do as a result of the
above redirect, but without all the surrounding framework. Maybe hiding
that ugly bit of $$var code and echo'ing out in a new COM_ function ...


bye, Dirk
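
As an added illustration of Exhibit #1 (not Dirk's code and not part of Geeklog), the following Python scans a spamx-style log for posts from the same address that arrive closer together than a given speed limit. The log lines, user names and addresses are constructed; the line layout follows the "Found Spam Comment ... posted by user <name> from <ip>" format quoted above.

```python
import re
from datetime import datetime

# Constructed sample lines in the spamx log format quoted in the mail;
# user names and IP addresses are made up.
SAMPLE_LOG = """\
Thu Feb 10 15:11:52 2005 - Found Spam Comment [...] posted by user Anonymous from 192.0.2.10
Thu Feb 10 15:11:55 2005 - Found Spam Comment [...] posted by user Anonymous from 192.0.2.10
Thu Feb 10 15:12:40 2005 - Found Spam Comment [...] posted by user Anonymous from 192.0.2.10
Thu Feb 10 15:12:41 2005 - Found Spam Comment [...] posted by user Anonymous from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}) - Found Spam Comment .* "
    r"posted by user (?P<user>\S*) from (?P<ip>\S+)$"
)


def parse_spamx_log(text):
    """Return a list of (timestamp, user, ip) for every parsable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than fail
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_speed_limit_violations(events, limit_seconds):
    """Return (ip, gap_seconds) for each pair of consecutive posts from the
    same IP that are closer together than limit_seconds.

    With the forum default of 1 second the 3-second gap in Exhibit #1 is
    allowed; with a larger limit such as the one used for comments it is
    flagged."""
    last_seen = {}
    violations = []
    for ts, _user, ip in sorted(events):
        if ip in last_seen:
            gap = (ts - last_seen[ip]).total_seconds()
            if gap < limit_seconds:
                violations.append((ip, gap))
        last_seen[ip] = ts
    return violations
```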

