[geeklog-devel] Home-made problems with forum spam
Dirk Haun
dirk at haun-online.de
Fri Feb 11 12:45:06 EST 2005
Okay, part of yesterday's spam DDoS problem was home-made:
Exhibit #1:
Thu Feb 10 15:11:52 2005 - Found Spam Comment [...] posted by user from IP 218.89.189.241
Thu Feb 10 15:11:55 2005 - Found Spam Comment [...] posted by user from IP 218.89.189.241
Two posts from the same IP address within 3 seconds? This shouldn't happen.
Reason: The forum's speed limit defaults to 1(!) second.
Suggested fix: In public_html/forum/include/config.php replace
$forumSpeedLimit = 1;
with
$forumSpeedLimit = $_CONF['commentspeedlimit'];
Exhibit #2:
218.89.189.241 - - [10/Feb/2005:15:11:55 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "http://www.geeklog.net/forum/createtopic.php?method=postreply&forum=9&id=20921" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
218.89.189.241 - - [10/Feb/2005:15:11:56 -0500] "GET /index.php?msg=8&plugin=spamx HTTP/1.0" 200 47376 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
So our friend's spamming scripts have started following the redirect to
display the "Spam detected" message, causing additional load.
Not sure what the best solution would be for this. On the one hand, I
think we should display a message in case a regular user accidentally
posted something that is considered spam (even if it is only excerpts from
his logfiles containing blocked URLs). On the other hand, there's no need
to display the entire Geeklog framework page. So maybe just display a
plain-text message and let the script exit?
So instead of

    if ($result > 0) {
        // redirect to a full Geeklog page that then shows the Spam-X message
        echo COM_refresh($_CONF['site_url'] . '/index.php?msg=' . $result . '&plugin=spamx');
        exit;
    }

do something like

    if ($result > 0) {
        // use the plugin's own message for this result code, if it defines one
        $var = 'PLG_spamx_MESSAGE' . $result;
        global $$var, $MESSAGE;
        if (isset($$var)) {
            $message = $$var;
        } else {
            // generic fallback; $MESSAGE[61] takes the plugin name
            $message = sprintf($MESSAGE[61], 'spamx');
        }
        // answer with plain text instead of the framework page and stop here
        header('Content-Type: text/plain');
        echo $message;
        exit;
    }
... which is pretty much what COM_showMessage would do as a result of the
above redirect, but without all the surrounding framework. Maybe hiding
that ugly bit of $$var code and echo'ing out in a new COM_ function ...
Thoughts?
bye, Dirk
--
http://www.haun-online.de/
http://www.handful-of-sparks.de/
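An added example covering both exhibits from the mail above; it is not code from Dirk's message or from Geeklog itself. It replays the two Exhibit #1 timestamps through a per-IP speed-limit check, showing that a 1-second limit accepts both posts while a site-wide comment speed limit rejects the second, and it builds the plain-text "spam detected" reply proposed for Exhibit #2 without the $$var lookup. The function names, the 45-second commentspeedlimit value, the message table, and the choice of a 403 status are assumptions made for the illustration.

```php
<?php
// Added example (not Geeklog's own code). All names below are illustrative.
declare(strict_types=1);

// Exhibit #1, constructed from the log lines in the mail: two posts from one IP
// three seconds apart (Apache logged the server in -0500).
const SAMPLE_POSTS = [
    ['ip' => '218.89.189.241', 'time' => '2005-02-10 15:11:52 -0500'],
    ['ip' => '218.89.189.241', 'time' => '2005-02-10 15:11:55 -0500'],
];

/**
 * True when $ip may post at $now (epoch seconds), given the last accepted post
 * per IP in $lastPost and the speed limit in seconds. With $limit = 1 the second
 * exhibit post passes; with the site-wide comment speed limit it is refused.
 */
function forum_speed_limit_ok(array &$lastPost, string $ip, int $now, int $limit): bool
{
    if (isset($lastPost[$ip]) && ($now - $lastPost[$ip]) < $limit) {
        return false;          // too soon after the previous post from this IP
    }
    $lastPost[$ip] = $now;     // accept and remember the time
    return true;
}

/** Run the sample posts through the check and count how many get accepted. */
function count_accepted(array $posts, int $limit): int
{
    $lastPost = [];
    $accepted = 0;
    foreach ($posts as $p) {
        $ts = strtotime($p['time']);
        if (forum_speed_limit_ok($lastPost, $p['ip'], $ts, $limit)) {
            $accepted++;
        }
    }
    return $accepted;
}

// Exhibit #2: answer the POST itself instead of redirecting to
// index.php?msg=N&plugin=spamx, which makes the bot fetch a full framework page.
// This table stands in for the PLG_spamx_MESSAGEn language variables; the
// sprintf() fallback stands in for $MESSAGE[61]. Both texts are assumed.
const SPAMX_MESSAGES = [
    8 => 'Your post was rejected because it looks like spam.',
];

/**
 * Build the reply for a positive Spam-X result: [status, headers, body].
 * Nothing from the request is echoed back, so the rejection cannot be used
 * as a reflector, and the status is not 200, so a script sees a failure.
 */
function spamx_deny_response(int $result): array
{
    $body = SPAMX_MESSAGES[$result] ?? sprintf('Blocked by the %s plugin.', 'spamx');
    return [
        403,
        ['Content-Type' => 'text/plain; charset=utf-8', 'Cache-Control' => 'no-store'],
        $body . "\n",
    ];
}

/** Send the reply and end the request, as the mail suggests. */
function spamx_deny(int $result): void
{
    [$status, $headers, $body] = spamx_deny_response($result);
    http_response_code($status);
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
    echo $body;
    exit;
}

if (PHP_SAPI === 'cli') {
    $_CONF = ['commentspeedlimit' => 45];   // assumed site-wide value
    printf("accepted with \$forumSpeedLimit = 1: %d of %d\n",
        count_accepted(SAMPLE_POSTS, 1), count(SAMPLE_POSTS));
    printf("accepted with commentspeedlimit (%d): %d of %d\n",
        $_CONF['commentspeedlimit'],
        count_accepted(SAMPLE_POSTS, $_CONF['commentspeedlimit']), count(SAMPLE_POSTS));
    [$status, , $body] = spamx_deny_response(8);
    printf("spam result 8 -> HTTP %d, body: %s", $status, $body);
}
```

Run it with `php example.php`: the first line reports 2 of 2 accepted, the second 1 of 2, and the last line shows the short plain-text 403 body that would replace the 47 KB framework page the bot fetched in Exhibit #2. In the real plugin, spamx_deny() would be called in place of the COM_refresh() redirect; the array-returning helper is split out only so the reply can be inspected without the exit.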