[geeklog-devel] Home-made problems with forum spam

Tom Willett tomw at pigstye.net
Fri Feb 11 12:55:42 EST 2005


On 2/11/2005 12:45 PM, Dirk Haun wrote:

>Okay, part of yesterday's spam DDoS problem was home-made:
>
>Exhibit #1:
>
>Thu Feb 10 15:11:52 2005 - Found Spam Comment [...] posted by user  from IP 218.89.189.241
>Thu Feb 10 15:11:55 2005 - Found Spam Comment [...] posted by user  from IP 218.89.189.241
>
>2 Posts from the same IP address within 3 seconds? This shouldn't happen.
>
>Reason: The forum's speed limit defaults to 1(!) second.
>
>Suggested fix: In public_html/forum/include/config.php replace
>
>    $forumSpeedLimit = 1;
>
>with
>
>    $forumSpeedLimit = $_CONF['commentspeedlimit'];
>
>
>Exhibit #2:
>
>218.89.189.241 - - [10/Feb/2005:15:11:55 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "http://www.geeklog.net/forum/createtopic.php?method=postreply&forum=9&id=20921" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)"
>218.89.189.241 - - [10/Feb/2005:15:11:56 -0500] "GET /index.php?msg=8&plugin=spamx HTTP/1.0" 200 47376 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
>So our friend's spamming scripts have started following the redirect to
>display the "Spam detected" message, causing additional load.
>
>Not sure what the best solution would be for this. On the one hand, I
>think we should display a message in case a regular user accidentally
>posted something that is considered spam (and be it only excerpts from
>his logfiles containing blocked URLs). On the other hand, there's no need
>to display the entire Geeklog framework page. So maybe just display a
>plain-text message and let the script exit?
>
>So instead of
>
>    if ($result > 0) {
>        echo COM_refresh($_CONF['site_url'] . '/index.php?msg='.$result.'&plugin=spamx');
>        exit;
>    }
>
>do something like
>    
>    if ($result > 0) {
>        $var = 'PLG_spamx_MESSAGE' . $result;
>        global $$var, $MESSAGE;
>        if (isset ($$var)) {
>            $message = $$var;
>        } else {
>            $message = sprintf ($MESSAGE[61], 'spamx');
>        }
>        header ('Content-Type: text/plain');
>        echo $message;
>        exit;
>    }
>
>... which is pretty much what COM_showMessage would do as a result of the
>above redirect, but without all the surrounding framework. Maybe hiding
>that ugly bit of $$var code and echo'ing out in a new COM_ function ...
>
>Thoughts?
>
>bye, Dirk
>
>
>  
>
It seems to me by the time you get here you have already done most of 
the processing (when lib-common is included); about all you would save 
is the template processing and a small portion of the bandwidth.

-- 

Tom Willett
tomw at pigstye.net
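
The two exhibits above can be checked for in a web server access log. The following is an added example, not part of either message and not Geeklog code: it counts, per client IP, forum posts made faster than a speed limit and fetches of the spamx message page. The log lines are constructed (documentation IP ranges), and the function names and the 45-second limit are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format, modelled on Exhibit #2.
# 192.0.2.x and 198.51.100.x are documentation addresses, not real clients.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2005:15:11:52 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "-" "UA"
192.0.2.10 - - [10/Feb/2005:15:11:53 -0500] "GET /index.php?msg=8&plugin=spamx HTTP/1.0" 200 47376 "-" "UA"
192.0.2.10 - - [10/Feb/2005:15:11:55 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "-" "UA"
192.0.2.10 - - [10/Feb/2005:15:11:56 -0500] "GET /index.php?msg=8&plugin=spamx HTTP/1.0" 200 47376 "-" "UA"
198.51.100.7 - - [10/Feb/2005:15:12:00 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "-" "UA"
198.51.100.7 - - [10/Feb/2005:15:14:30 -0500] "POST /forum/createtopic.php HTTP/1.0" 200 15328 "-" "UA"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (ip, time, method, path) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        try:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ip, when, method, path

def analyse(log_text, speed_limit=45):  # 45 s is an assumed limit
    """Per IP: count posts made sooner than speed_limit seconds after the
    previous post, and spamx message pages fetched."""
    last_post = {}
    report = defaultdict(lambda: {"fast_posts": 0, "spamx_pages": 0})
    for ip, when, method, path in sorted(parse(log_text), key=lambda r: r[1]):
        if method == "POST" and path.startswith("/forum/createtopic.php"):
            prev = last_post.get(ip)
            if prev is not None and when - prev < timedelta(seconds=speed_limit):
                report[ip]["fast_posts"] += 1
            last_post[ip] = when
        elif method == "GET" and path.startswith("/index.php?") and "plugin=spamx" in path:
            report[ip]["spamx_pages"] += 1
    return {ip: r for ip, r in report.items() if r["fast_posts"] or r["spamx_pages"]}

if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        print(ip, r)
```

With a limit of 1 second, the two posts 3 seconds apart are no longer counted as too fast, which matches the behaviour described in Exhibit #1.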



