[geeklog-devtalk] geeklog-devel digest, Vol 1 #212 - 5 msgs

geeklog-devel-request at lists.geeklog.net geeklog-devel-request at lists.geeklog.net
Tue Oct 28 11:51:05 EST 2003


Send geeklog-devel mailing list submissions to
geeklog-devel at lists.geeklog.net

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.geeklog.net/listinfo/geeklog-devel
or, via email, send a message with subject or body 'help' to
geeklog-devel-request at lists.geeklog.net

You can reach the person managing the list at
geeklog-devel-admin at lists.geeklog.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of geeklog-devel digest..."


Today's Topics:

1. Re: [geeklog-security] profiles.php (Vincent Furia)
2. Section 508 (Tony Bibbs)
3. Anti Spam Features (Tony Bibbs)
4. Re: Anti Spam Features (Tom Willett)
5. Re: Anti Spam Features (Vincent Furia)

--__--__--

Message: 1
Date: Mon, 27 Oct 2003 10:41:19 -0800
From: Vincent Furia <vmf at abtech.org>
To: geeklog-security at lists.geeklog.net
Cc: Geeklog Development <geeklog-devel at lists.geeklog.net>
Subject: [geeklog-devel] Re: [geeklog-security] profiles.php
Reply-To: geeklog-devel at lists.geeklog.net


I've attached a fix to profiles.php that corrects all the errors posted
below. I've patched my changes on top of CVS latest, so it should be
able to be placed right on top of the current profiles.php. The only
other thing that needs to be taken care of is error messages for
incorrect permissions to send the email and the speed limit check. For
the time being I've just put in a COM_refresh, as the error message
will require changes to the language files... The changes made were
primarily to the contactemail and mailstory functions.

Enjoy,
Vinny

Dwight Trumbower wrote:

> So when are you going to announce this to Full disclosure? :) :)
>
>
> At 10:32 AM 10/16/2003, you wrote:
>
>> Versions: All 1.3.x versions (at least back to 1.3.5)
>>
>> Allows the attacker (anonymous or registered) to send emails to users
>> regardless of their allow email account setting and regardless of
>> site settings allowing anonymous users to use the email utility (i.e.
>> $_CONF['loginrequired'] or $_CONF['emailuserloginrequired']).
>>
>> Also there is no speedlimit for sending emails in this way. While
>> fixing these problems, I'd also recommend all emails going to the
>> site admin (uid = 2) be allowed for website contact purposes.
>>
>> This could, theoretically, be used to spam all of a site's users.
>>
>> The problem is in profiles.php: the contactemail function is called
>> without checking (either within the function or before the function
>> is called) the $_CONF variables or the preferences of the user being
>> emailed. These are only checked when creating the email form. The
>> exploit simply by-passes the form by doing an HTTP POST to profiles.php.
>>
>> This seems to me to be a pretty minor bug as no personal information
>> is at risk and there is no opportunity to promote an attacker's
>> rights. I do think a fix should be released with 1.3.9. I'll code
>> up a fix if you'd like; it should be very straightforward.
>>
>> -Vinny
>>
>> Example Exploit:
>> > telnet site_url 80
>>
>> POST /profiles.php HTTP/1.1
>> Host: site_url
>> Content-Type: application/x-www-form-urlencoded
>> Content-Length: 98
>>
>> author=Hacker&authoremail=hack%40hack.org&subject=Testing&message=Testing+2+4+6&what=contact&uid=2
>>
>> _______________________________________________
>> geeklog-security mailing list
>> geeklog-security at lists.geeklog.net
>> http://lists.geeklog.net/listinfo/geeklog-security



-------------- attachment: profiles.php --------------

<?php

// +---------------------------------------------------------------------------+
// | Geeklog 1.3 |
// +---------------------------------------------------------------------------+
// | profiles.php |
// | This page lets GL users communicate with each other without risk of |
// | their email address being intercepted by spammers. |
// | |
// +---------------------------------------------------------------------------+
// | Copyright (C) 2000-2003 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony at tonybibbs.com |
// | Mark Limburg - mlimburg at users.sourceforge.net |
// | Jason Whittenburg - jwhitten at securitygeeks.com |
// | Dirk Haun - dirk at haun-online.de |
// +---------------------------------------------------------------------------+
// | |
// | This program is free software; you can redistribute it and/or |
// | modify it under the terms of the GNU General Public License |
// | as published by the Free Software Foundation; either version 2 |
// | of the License, or (at your option) any later version. |
// | |
// | This program is distributed in the hope that it will be useful, |
// | but WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
// | GNU General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software Foundation, |
// | Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
// | |
// +---------------------------------------------------------------------------+
//
// $Id: profiles.php,v 1.25 2003/09/01 12:53:06 dhaun Exp $

include('lib-common.php');

/**
* Mails the contents of the author contact form to that author
*
* @uid int User ID of person to send email to
* @author string The name of the person sending the email
* @authoremail string Email address of person sending the email
* @subject string Subject of email
* @message string Text of message to send
*
*/
function contactemail($uid,$author,$authoremail,$subject,$message)
{
global $_CONF, $_TABLES, $_USER, $LANG08;

$retval = '';
/* correct $_CONF permission */
if (empty ($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))
&& ($uid != 2)) {
return COM_refresh ($_CONF['site_url'] . '/index.php');
}
/* correct 'to' user preferences */
$result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
$P = DB_fetchArray ($result);
if (SEC_inGroup ('Root') || SEC_hasRights ('user.mail')) {
$isAdmin = true;
} else {
$isAdmin = false;
}
if ((($P['emailfromadmin'] != 1) && $isAdmin) ||
(($P['emailfromuser'] != 1) && !$isAdmin)) {
return COM_refresh ($_CONF['site_url'] . '/index.php');
}
/* check mail speedlimit */
COM_clearSpeedLimit($_CONF['speedlimit'], 'mail');
if (COM_checkSpeedLimit('mail') > 0) {
return COM_refresh ($_CONF['site_url'] . '/index.php');
}

if (!empty($author) && !empty($subject) && !empty($message)) {
if (COM_isemail($authoremail)) {
$result = DB_query("SELECT username,email FROM {$_TABLES['users']} WHERE uid = $uid");
$A = DB_fetchArray($result);

// Append the user's signature to the message
$sig = '';
if ($_USER['uid'] > 1) {
$sig = DB_getItem ($_TABLES['users'], 'sig', "uid={$_USER['uid']}");
if (!empty ($sig)) {
$sig = strip_tags (COM_stripslashes ($sig));
$sig = "\r\n\r\n-- \r\n" . $sig;
}
}

$subject = strip_tags (COM_stripslashes ($subject));
$subject = substr ($subject, 0, strcspn ($subject, "\r\n"));
$message = strip_tags (COM_stripslashes ($message)) . $sig;
// keep the sender's name to a single line as well: it ends up in the From: header
$author = strip_tags (COM_stripslashes ($author));
$author = substr ($author, 0, strcspn ($author, "\r\n"));
$from = $author . ' <' . $authoremail . '>';
COM_mail ($A['email'], $subject, $message, $from);
COM_updateSpeedLimit('mail');

$retval .= COM_refresh($_CONF['site_url'] . '/index.php?msg=27');
} else {
$retval .= COM_siteHeader("menu")
.COM_errorLog($LANG08[3],2)
.contactform($uid,$subject,$message)
.COM_siteFooter();
}
} else {
$retval .= COM_siteHeader("menu")
.COM_errorLog($LANG08[4],2)
.contactform($uid,$subject,$message)
.COM_siteFooter();
}

return $retval;
}

/**
* Shows the email author form
*
* @uid int User ID of article author
* @subject string Subject of email
* @message string Text of message to send
*
*/
function contactform($uid, $subject='', $message='')
{
global $_TABLES, $HTTP_COOKIE_VARS, $_CONF, $LANG08, $LANG_LOGIN, $_USER;

$retval = '';

if (empty ($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))
&& ($uid != 2)) {
$retval = COM_startBlock ($LANG_LOGIN[1], '',
COM_getBlockTemplate ('_msg_block', 'header'));
$login = new Template($_CONF['path_layout'] . 'submit');
$login->set_file (array ('login'=>'submitloginrequired.thtml'));
$login->set_var ('login_message', $LANG_LOGIN[2]);
$login->set_var ('site_url', $_CONF['site_url']);
$login->set_var ('lang_login', $LANG_LOGIN[3]);
$login->set_var ('lang_newuser', $LANG_LOGIN[4]);
$login->parse ('output', 'login');
$retval .= $login->finish ($login->get_var('output'));
$retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
} else {
$result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
$P = DB_fetchArray ($result);
if (SEC_inGroup ('Root') || SEC_hasRights ('user.mail')) {
$isAdmin = true;
} else {
$isAdmin = false;
}
if ((($P['emailfromadmin'] == 1) && $isAdmin) ||
(($P['emailfromuser'] == 1) && !$isAdmin)) {

$username = DB_getItem ($_TABLES['users'], 'username',
"uid = '$uid'");
$retval = COM_startBlock ($LANG08[10] . ' ' . $username);
$mail_template = new Template ($_CONF['path_layout'] . 'profiles');
$mail_template->set_file ('form', 'contactuserform.thtml');
$mail_template->set_var ('site_url', $_CONF['site_url']);
$mail_template->set_var ('lang_description', $LANG08[26]);
$mail_template->set_var ('lang_username', $LANG08[11]);
$mail_template->set_var ('username', $_USER['username']);
$mail_template->set_var ('lang_useremail', $LANG08[12]);
$mail_template->set_var ('useremail', $_USER['email']);
$mail_template->set_var ('lang_subject', $LANG08[13]);
$mail_template->set_var ('subject', $subject);
$mail_template->set_var ('lang_message', $LANG08[14]);
$mail_template->set_var ('message', $message);
$mail_template->set_var ('lang_nohtml', $LANG08[15]);
$mail_template->set_var ('lang_submit', $LANG08[16]);
$mail_template->set_var ('uid', $uid);
$mail_template->parse ('output', 'form');
$retval .= $mail_template->finish ($mail_template->get_var ('output'));
$retval .= COM_endBlock ();
} else {
$username = DB_getItem ($_TABLES['users'], 'username',
"uid = '$uid'");
$retval = COM_startBlock ($LANG08[10] . ' ' . $username, '',
COM_getBlockTemplate ('_msg_block', 'header'));
$retval .= $LANG08[35];
$retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block',
'footer'));
}
}

return $retval;
}

###############################################################################
# Sends the contents of the contact form to the author
#
# Modification History
#
# Date Author Description
# ---- ------ -----------
# 4/17/01 Tony Bibbs Code now allows anonymous users to send email
# and it allows user to input a message as well
# Thanks to Yngve Wassvik Bergheim for some of
# this code
#

function mailstory ($sid, $to, $toemail, $from, $fromemail, $sid, $shortmsg)
{
// $_USER must be imported here, otherwise the login check below always sees an anonymous user
global $_CONF, $_TABLES, $_USER, $LANG01, $LANG08;

$retval = '';
/* correct $_CONF permission */
if (empty ($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailstoryloginrequired'] == 1))) {
return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
}
/* check mail speedlimit */
COM_clearSpeedLimit($_CONF['speedlimit'], 'mail');
if (COM_checkSpeedLimit('mail') > 0) {
return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
}

$sql = "SELECT uid,title,introtext,bodytext,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid'";
$result = DB_query ($sql);
$A = DB_fetchArray ($result);
$shortmsg = COM_stripslashes ($shortmsg);
$mailtext = $LANG08[23] . LB;
if (strlen ($shortmsg) > 0) {
$mailtext .= LB . $LANG08[28] . LB;
}
$mailtext .= '------------------------------------------------------------'
. LB . LB
. COM_undoSpecialChars (stripslashes ($A['title'])) . LB
. strftime ($_CONF['date'], $A['day']) . LB;

if ($_CONF['contributedbyline'] == 1) {
$author = DB_getItem ($_TABLES['users'], 'username', "uid={$A['uid']}");
$mailtext .= $LANG01[1] . ' ' . $author . LB;
}
$mailtext .= LB
.COM_undoSpecialChars(stripslashes(strip_tags($A['introtext']))).LB.LB
.COM_undoSpecialChars(stripslashes(strip_tags($A['bodytext']))).LB.LB
.'------------------------------------------------------------'.LB
.$LANG08[24].LB.$_CONF['site_url'].'/article.php?story='.$sid.'#comments';

$mailto = $to . ' <' . $toemail . '>';
$mailfrom = $from . ' <' . $fromemail . '>';
$subject = COM_undoSpecialChars(strip_tags(stripslashes('Re: '.$A['title'])));

COM_mail ($toemail, $subject, $mailtext, $mailfrom);
COM_updateSpeedLimit('mail');

$retval .= COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);

// Increment numemails counter for story
$result = DB_query("SELECT numemails FROM {$_TABLES['stories']} WHERE sid = '$sid'");
$A = DB_fetchArray($result);
$numemails = $A['numemails'] + 1;
DB_change($_TABLES['stories'],'numemails',$numemails,'sid',$sid);

return $retval;
}

/**
* Sends the contents of the contact form to the author
*
* @sid string ID of article to email
*
*/
function mailstoryform($sid)
{
global $_TABLES, $HTTP_COOKIE_VARS, $_CONF, $LANG08, $_USER, $LANG_LOGIN;

$retval = '';

if (empty($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailstoryloginrequired'] == 1))) {
$retval = COM_startBlock ($LANG_LOGIN[1], '',
COM_getBlockTemplate ('_msg_block', 'header'));
$login = new Template($_CONF['path_layout'] . 'submit');
$login->set_file (array ('login'=>'submitloginrequired.thtml'));
$login->set_var ('login_message', $LANG_LOGIN[2]);
$login->set_var ('site_url', $_CONF['site_url']);
$login->set_var ('lang_login', $LANG_LOGIN[3]);
$login->set_var ('lang_newuser', $LANG_LOGIN[4]);
$login->parse ('output', 'login');
$retval .= $login->finish ($login->get_var('output'));
$retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));

return $retval;
}

if (!empty ($_USER['username'])) {
$result = DB_query("SELECT email FROM {$_TABLES['users']} WHERE uid = {$_USER['uid']}");
$A = DB_fetchArray($result);
$from = $_USER['username'];
$fromemail = $A['email'];
}

$mail_template = new Template($_CONF['path_layout'] . 'profiles');
$mail_template->set_file('form', 'contactauthorform.thtml');
$mail_template->set_var('site_url', $_CONF['site_url']);
$mail_template->set_var('start_block_mailstory2friend', COM_startBlock($LANG08[17]));
$mail_template->set_var('lang_fromname', $LANG08[20]);
$mail_template->set_var('name', $from);
$mail_template->set_var('lang_fromemailaddress', $LANG08[21]);
$mail_template->set_var('email', $fromemail);
$mail_template->set_var('lang_toname', $LANG08[18]);
$mail_template->set_var('lang_toemailaddress', $LANG08[19]);
$mail_template->set_var('lang_shortmessage', $LANG08[27]);
$mail_template->set_var('lang_warning', $LANG08[22]);
$mail_template->set_var('lang_sendmessage', $LANG08[16]);
$mail_template->set_var('story_id',$sid);
$mail_template->set_var('end_block', COM_endBlock());
$mail_template->parse('output', 'form');
$retval .= $mail_template->finish($mail_template->get_var('output'));

return $retval;
}

###############################################################################
# MAIN
switch ($what) {
case 'contact':
$uid = strip_tags ($HTTP_POST_VARS['uid']);
if (is_numeric ($uid)) {
$display .= contactemail ($uid, $HTTP_POST_VARS['author'],
$HTTP_POST_VARS['authoremail'], $HTTP_POST_VARS['subject'],
$HTTP_POST_VARS['message']);
} else {
$display .= COM_refresh ($_CONF['site_url'] . '/index.php');
}
break;
case 'emailstory':
if ($_CONF['hideemailicon'] == 1) {
$display = COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
} else {
$display .= COM_siteHeader() . mailstoryform($sid) . COM_siteFooter();
}
break;
case 'sendstory':
$display .= mailstory($sid,$to,$toemail,$from,$fromemail,$sid,$shortmsg);
break;
default:
$uid = strip_tags ($uid);
if (!empty($uid) && is_numeric ($uid)) {
$display .= COM_siteHeader()
.contactform($uid)
.COM_siteFooter();
} else {
$display .= COM_refresh($_CONF['site_url']);
}
}

echo $display;

?>


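The rules the patched contactemail() enforces on the POST itself, written out in Python as an added example for readers of this digest. This is not Geeklog code and not part of Vinny's message or his attachment: the SpeedLimit class stands in for COM_checkSpeedLimit()/COM_updateSpeedLimit(), the dict shapes for conf, sender and recipient preferences are assumed, and the 198.51.100.7 client address and the demo() scenario are constructed. The point it shows is that every check (login requirement with the uid 2 exception, the recipient's emailfromadmin/emailfromuser preference, and the speed limit) runs on the submission, so the telnet POST from the advisory gains nothing by skipping the form.

```python
import time

SITE_ADMIN_UID = 2        # Geeklog's site admin account, as in the thread


class SpeedLimit:
    """One action per `window` seconds per client (stand-in for Geeklog's
    COM_checkSpeedLimit()/COM_updateSpeedLimit(), which key on the source IP).
    `clock` is injectable so the behaviour can be exercised without sleeping."""

    def __init__(self, window, clock=time.time):
        self.window = window
        self.clock = clock
        self.last = {}                    # client id -> time of last action

    def remaining(self, client):
        """Seconds the client must still wait; 0 means allowed now."""
        last = self.last.get(client)
        if last is None:
            return 0.0
        return max(0.0, self.window - (self.clock() - last))

    def record(self, client):
        self.last[client] = self.clock()


def check_contact_mail(conf, sender, recipient_prefs, to_uid, limiter, client):
    """Return (allowed, reason) for one contact-mail submission.

    conf:            {'loginrequired': 0/1, 'emailuserloginrequired': 0/1}
    sender:          {'username': str ('' when anonymous), 'is_admin': bool}
    recipient_prefs: the target user's {'emailfromadmin': 0/1, 'emailfromuser': 0/1}
    All three rules run on the POST itself, so skipping the form gains nothing.
    """
    anonymous = not sender.get("username")
    login_needed = conf.get("loginrequired") == 1 or conf.get("emailuserloginrequired") == 1
    # Rule 1: site policy. Anonymous senders may still reach the site admin
    # (uid 2) so the site contact form keeps working for visitors.
    if anonymous and login_needed and to_uid != SITE_ADMIN_UID:
        return False, "login required"
    # Rule 2: the recipient's own preference, selected by the sender's role.
    if sender.get("is_admin", False):
        if recipient_prefs.get("emailfromadmin") != 1:
            return False, "recipient does not accept mail from admins"
    elif recipient_prefs.get("emailfromuser") != 1:
        return False, "recipient does not accept mail from users"
    # Rule 3: speed limit, so one client cannot walk the whole user table.
    wait = limiter.remaining(client)
    if wait > 0:
        return False, "speed limit: wait %.0f s" % wait
    return True, "ok"


def send_contact_mail(conf, sender, recipient_prefs, to_uid, limiter, client, outbox):
    """The handler as a whole: check, deliver, then record the send."""
    allowed, reason = check_contact_mail(conf, sender, recipient_prefs,
                                         to_uid, limiter, client)
    if allowed:
        outbox.append((client, to_uid))   # stands in for COM_mail()
        limiter.record(client)            # COM_updateSpeedLimit('mail')
    return allowed, reason


def demo():
    """Replay the advisory's scenario with constructed data: one anonymous
    client, emailuserloginrequired on, a 60 s mail speed limit.
    Returns (reason per attempt, number of mails actually sent)."""
    conf = {"loginrequired": 0, "emailuserloginrequired": 1}
    now = [1000.0]
    limiter = SpeedLimit(window=60, clock=lambda: now[0])
    outbox = []
    client = "198.51.100.7"                  # constructed source address
    anon = {"username": ""}
    member = {"username": "alice", "is_admin": False}
    opted_in = {"emailfromadmin": 1, "emailfromuser": 1}
    opted_out = {"emailfromadmin": 1, "emailfromuser": 0}
    reasons = []

    def attempt(sender, prefs, uid):
        reasons.append(send_contact_mail(conf, sender, prefs, uid,
                                         limiter, client, outbox)[1])

    attempt(anon, opted_in, 2)      # the advisory's POST to uid=2: allowed
    attempt(anon, opted_in, 5)      # anonymous to an ordinary user: refused
    attempt(anon, opted_in, 2)      # admin again, straight away: rate limited
    now[0] += 61                    # speed-limit window passes
    attempt(member, opted_out, 5)   # logged in, but recipient opted out
    attempt(member, opted_in, 7)    # logged in, recipient opted in: allowed
    return reasons, len(outbox)
```

demo() walks through the five attempts in order; only the first and the last are delivered, and the third is stopped by the speed limit even though it targets the always-reachable admin account.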

--__--__--

Message: 2
Date: Tue, 28 Oct 2003 08:06:08 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>,
Simon lord <slord at marelina.com>
Subject: [geeklog-devel] Section 508
Reply-To: geeklog-devel at lists.geeklog.net

Anybody know how hard it would be to make a Section 508 compatible theme
in Geeklog? For details go here:

http://www.section508.gov/index.cfm?FuseAction=Content&ID=12#Web

I have a project that would make a decent fit for a customer, Iowa Dept.
of Inspections and Appeals (http://www.dia-hfd.state.ia.us). At work we
have to redesign the entire site which is based on some ASP code and
Access databases. I think 70% of their content needs could be met with
Geeklog and the rest would either need to be plugins or, possibly, Java
applications.

Looking at the requirements for 508 compatibility, it looks fairly
doable... I just want to make sure I'm not missing anything.

Simon, I cc'd you in explicitly as I haven't seen you lately ;-)

--Tony

+----------------------------------------------------------------------+
|Tony Bibbs |[R]egardless of what you may think of our penal |
|tony at tonybibbs.com |system, the fact is that every man in jail is one |
| |less potential fisherman to clutter up your |
| |favorite pool or pond. --Ed Zern |
+----------------------------------------------------------------------+


--__--__--

Message: 3
Date: Tue, 28 Oct 2003 09:09:17 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Subject: [geeklog-devel] Anti Spam Features
Reply-To: geeklog-devel at lists.geeklog.net

As noted in the forums of Geeklog.net it appears a growing trend is the
spamming of blogs. With Geeklog a big player in this arena I think we
would be wise to start thinking up ways to implement anti-spam measures.

I think the start would be to be able to mark comments as spam. When a
comment is identified as spam I think the IP should be logged. In the
config.php file I think we could then set a spam threshold at say 5.
What that means is if an IP is tied to spamming the Geeklog site five
times then we would ban that IP. I know using IPs isn't the greatest
but my hunch is 99% of this sort of spam would come from static IPs and
not proxy IPs. However, we should still allow admins to turn this
feature on or off.

One other bit of useful logic would be to check if the source IP of spam
has been tied to comments which weren't identified as spam. If we did
that then in our logic we could basically check a) has the IP hit the
threshold, if so has it been used in non-spam comments. If it *has*
been used in non-spam comments then we could assume it is from a proxied
IP and not ban the IP.

I also think later versions of this could use MySQL's full text
searching capabilities.

To start, if we were to add the IP to the comment table I think we could
write a plugin to do all this. Of course this assumes that a plugin API
is called when a comment is submitted, which may or may not be the case
(I can't remember).

I'm sure you guys may have other ideas too.

--
+----------------------------------------------------------------------+
|Tony Bibbs |[R]egardless of what you may think of our penal |
|tony at tonybibbs.com |system, the fact is that every man in jail is one |
| |less potential fisherman to clutter up your |
| |favorite pool or pond. --Ed Zern |
+----------------------------------------------------------------------+


--__--__--

Message: 4
From: "Tom Willett" <tomw at pigstye.net>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Anti Spam Features
Date: Tue, 28 Oct 2003 16:03:16 +0000
Reply-To: geeklog-devel at lists.geeklog.net

Add the ip to the comments in geeklog and my ban plugin could easily handle
the rest.

All I would have to do is add the logic to check for the repeated spam
comments.


--
Tom Willett
tomw at pigstye.net



--__--__--

Message: 5
Date: Tue, 28 Oct 2003 08:50:30 -0800
From: Vincent Furia <vmf at abtech.org>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Anti Spam Features
Reply-To: geeklog-devel at lists.geeklog.net

One thing I'd recommend is rather than a total ban on an IP address, at
least initially, only ban anonymous users from posting comments. Then
you can ban from there based on email address/username. And then only
as a last resort ban all comments from an IP address.

-Vinny


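The ban policy discussed in messages 3 to 5, as an added Python example for readers of this digest. It is not Geeklog code, not Tom Willett's ban plugin, and not part of any message above. It models Tony's proposal (comments carry the source IP and a spam flag; an IP tied to `threshold` spam comments is acted on; an IP that has also produced non-spam comments is treated as shared or proxied and never banned outright; the whole thing can be switched off) with Vinny's escalation order on top: block anonymous posting from the address first, then the offending accounts, and a full IP ban only as a last resort, here once `account_limit` accounts from the address have had to be blocked. The comment rows, the ANON_UID constant (Geeklog's anonymous user, assumed to be uid 1), the `state` bookkeeping and the account_limit knob are all assumptions made for the example.

```python
ANON_UID = 1        # Geeklog's anonymous user id (assumption; uid 2 is the admin)


def _rows(ip, uid, is_spam, n):
    """n constructed comment rows (ip, uid, is_spam) from one poster."""
    return [(ip, uid, is_spam)] * n


# Constructed comment table; addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_COMMENTS = (
    _rows("203.0.113.10", ANON_UID, True, 5)                                   # five anonymous spam
    + _rows("203.0.113.20", 42, True, 2) + _rows("203.0.113.20", 43, True, 3)  # five spam, two accounts
    + _rows("203.0.113.30", ANON_UID, True, 3) + _rows("203.0.113.30", 7, False, 1)  # below threshold
    + _rows("203.0.113.40", ANON_UID, True, 5) + _rows("203.0.113.40", 9, False, 1)  # spam plus a real user
)


def ip_stats(comments):
    """Per source IP: spam count, anonymous spam count, accounts that spammed,
    and the number of comments not marked as spam."""
    stats = {}
    for ip, uid, is_spam in comments:
        s = stats.setdefault(ip, {"spam": 0, "anon_spam": 0, "spam_uids": set(), "ham": 0})
        if not is_spam:
            s["ham"] += 1
        else:
            s["spam"] += 1
            if uid == ANON_UID:
                s["anon_spam"] += 1
            else:
                s["spam_uids"].add(uid)
    return stats


def next_action(s, threshold, state=None, ip_bans_enabled=True, account_limit=3):
    """Next measure for one IP, escalating in the order Vinny suggested.

    s:         that IP's entry from ip_stats()
    threshold: spam comments before anything happens (the config.php knob)
    state:     what is already in force for this IP: {'anon_blocked': bool,
               'blocked_uids': set, 'ip_banned': bool,
               'seen_spam': spam count when the last measure was taken}
    Returns ('block_anonymous', None), ('block_accounts', {new uids}),
    ('ban_ip', None), or None when nothing (more) is warranted.
    """
    st = state or {}
    if s["spam"] < threshold or s["spam"] <= st.get("seen_spam", 0):
        return None                   # below threshold, or nothing new since last time
    if s["anon_spam"] and not st.get("anon_blocked"):
        return ("block_anonymous", None)
    blocked = st.get("blocked_uids", set())
    new_uids = s["spam_uids"] - blocked
    # Last resort: the address itself, and only when it never produced a
    # legitimate comment (Tony's proxy heuristic), bans are switched on, and
    # blocking accounts one by one has already been tried account_limit times.
    last_resort = (ip_bans_enabled and s["ham"] == 0 and not st.get("ip_banned")
                   and len(blocked) + len(new_uids) >= account_limit)
    if last_resort:
        return ("ban_ip", None)
    if new_uids:
        return ("block_accounts", new_uids)
    return None


def demo(threshold=5):
    """First pass over the table, then a second round after two more spam
    comments arrive from .20 and .40 through fresh accounts while the first
    measures are in force. Returns (first_pass, escalation), ip -> action."""
    stats = ip_stats(SAMPLE_COMMENTS)
    first_pass = {ip: next_action(s, threshold) for ip, s in sorted(stats.items())}
    later = ip_stats(SAMPLE_COMMENTS
                     + _rows("203.0.113.20", 44, True, 2)
                     + _rows("203.0.113.40", 11, True, 2))
    state = {
        "203.0.113.20": {"blocked_uids": {42, 43}, "seen_spam": 5},
        "203.0.113.40": {"anon_blocked": True, "seen_spam": 5},
    }
    escalation = {ip: next_action(later[ip], threshold, state[ip]) for ip in state}
    return first_pass, escalation
```

In the first pass .10 and .40 lose anonymous posting, .20 has its two accounts blocked, and .30 is untouched. In the second round .20 reaches the account limit with no legitimate comments behind it and is banned outright, while .40, which has a real user behind the same address, only gets its newest account blocked; with ip_bans_enabled=False it would never get past account blocking at all.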
--__--__--

_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://lists.geeklog.net/listinfo/geeklog-devel


End of geeklog-devel Digest


