Mine GO BOOM Hunch Hunch What What

Age:41 Gender: Joined: Aug 01 2002 Posts: 3615 Location: Las Vegas Offline
Posted: Thu Sep 21, 2006 3:59 pm    Post subject: Anti-spam harvesting
Being a good server admin, I try to check the logs as often as I can to find weird things. Well, last night something weird happened: I got a browser whose user agent string was dragonfly(ebingbong@playstarmusic.com). A quick Google search resulted in exactly what that user agent means.
Turns out that it is a spam harvester. Wonderful. Do a full scan of any activity that this bot has done:
72.29.233.182 - - [25/Aug/2006:22:17:38 -0700] "GET /robots.txt HTTP/1.1" 200 464 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [15/Sep/2006:20:47:42 -0700] "GET / HTTP/1.1" 200 42550 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /groupcp.php?g=5&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 21694 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /profile.php?mode=signup&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14963 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /viewtopic.php?p=65284&sid=3dd0955fd6ca58328e8156a24a4128fa#65284 HTTP/1.1" 200 47409 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:38 -0700] "GET /profile.php?mode=viewprofile&u=144&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:39 -0700] "GET /profile.php?mode=viewprofile&u=241&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14333 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=309&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=1085&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 13950 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=824&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 13950 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=277&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:46:40 -0700] "GET /profile.php?mode=viewprofile&u=955&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:07 -0700] "GET /profile.php?mode=editprofile&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 302 - "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:08 -0700] "GET /login.php?redirect=profile.php&mode=editprofile HTTP/1.1" 200 14842 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:08 -0700] "GET /viewtopic.php?p=65286&sid=3dd0955fd6ca58328e8156a24a4128fa#65286 HTTP/1.1" 200 38543 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:07 -0700] "GET /faq.php?sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 61091 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:09 -0700] "GET /profile.php?mode=viewprofile&u=81&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14334 "-" "dragonfly(ebingbong@playstarmusic.com)"
72.29.233.185 - - [20/Sep/2006:23:50:09 -0700] "GET /profile.php?mode=viewprofile&u=225&sid=3dd0955fd6ca58328e8156a24a4128fa HTTP/1.1" 200 14333 "-" "dragonfly(ebingbong@playstarmusic.com)"
As you can see, it did a check a long time ago to find out information about the site. Then last night, it made a quick attack and grabbed a bunch of email addresses, both from topic viewing, group listings, and then direct profiles on people posting in those topics. I assume it went into the profiles to grab IM account numbers/names.
To try my part at trying to prevent spam attacks, I disabled public viewing of anyone's email address. What does this mean? It means, if you are registered, nothing is different. Hover over an email link, and it is a real email link to that user. If you are a guest browsing, you are redirected to the forum's built-in emailing feature, which then forwards you to login. Thus, no bot will be able to view email addresses anymore, and search engines' caches of the site will no longer include email addresses.
Want this on your forums too? In includes\functions.php find the function named init_userprefs. Inside the first if statement checking $userdata['user_id'] != ANONYMOUS just throw in the following statement anywhere inside the brackets:
$board_config['board_email_form'] = 0;
Now go into the admin panel for your forums, the General Configuration section and set User email via board to enabled. Save files and settings and check your forums out as a user and as a guest.
This does not protect users from posting emails in messages or IM accounts. IM accounts I'm not going to bother protecting (unless you guys really get spammed, all mine are set to auto-block anything unless on my list already) and in messages I don't feel that it is being done very heavily. But it won't be hard to make the public's viewing of email accounts in text be non-linked and shown as [EMAIL: bob .at. blah .dot. com] or something equally as stupid and not used yet.
Server Help Forums - Protecting you when it may start to affect me
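The log scan described in the post above, as an added example that is not part of the original post: it parses Apache combined-format lines, groups requests by user agent, and flags any agent that views many distinct phpBB profiles in a short burst, so it keys on behaviour rather than on a known user agent string. The thresholds, the function names and the `ExampleBrowser/1.0` lines are assumptions; the bot lines are rebuilt from the log in the post with response sizes simplified.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip - - [time] "METHOD url proto" status bytes "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def profile_id(url):
    """Return the u= value if url is a phpBB profile view, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path.endswith("profile.php") and query.get("mode") == ["viewprofile"]:
        return query.get("u", [None])[0]
    return None

def find_harvesters(lines, min_profiles=5, window=timedelta(seconds=60)):
    """Return {agent: summary} for agents that viewed at least min_profiles
    distinct profiles within one time window (thresholds are assumptions)."""
    hits, views = defaultdict(list), defaultdict(list)
    for m in filter(None, map(LINE.match, lines)):
        ip, ts, url, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[agent].append((when, ip))
        uid = profile_id(url)
        if uid:
            views[agent].append((when, uid))
    flagged = {}
    for agent, seen in views.items():
        # Largest number of distinct profiles inside any window starting at a view.
        burst = max(len({u for t, u in seen if start <= t <= start + window})
                    for start, _ in seen)
        if burst >= min_profiles:
            flagged[agent] = {"first_seen": min(hits[agent])[0],
                              "ips": sorted({ip for _, ip in hits[agent]}),
                              "burst": burst}
    return flagged

BOT = "dragonfly(ebingbong@playstarmusic.com)"
SID = "3dd0955fd6ca58328e8156a24a4128fa"
# Bot lines rebuilt from the post's log; the ExampleBrowser lines are constructed.
SAMPLE = ['72.29.233.182 - - [25/Aug/2006:22:17:38 -0700] "GET /robots.txt HTTP/1.1" 200 464 "-" "%s"' % BOT]
SAMPLE += ['72.29.233.185 - - [20/Sep/2006:23:46:%02d -0700] "GET /profile.php?mode=viewprofile&u=%s&sid=%s HTTP/1.1" 200 14334 "-" "%s"'
           % (sec, u, SID, BOT) for sec, u in [(38, 144), (39, 241), (40, 309), (40, 1085), (40, 824)]]
SAMPLE += ['192.0.2.10 - - [20/Sep/2006:23:%02d:00 -0700] "GET /profile.php?mode=viewprofile&u=%s HTTP/1.1" 200 14334 "-" "ExampleBrowser/1.0"'
           % (minute, u) for minute, u in [(10, 144), (25, 241)]]

if __name__ == "__main__":
    print(find_harvesters(SAMPLE))
```

The `first_seen` field surfaces the earlier `robots.txt` fetch from a different address, which is how the weeks-old reconnaissance visit shows up alongside the burst.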
Solo Ace Yeah, I'm in touch with reality...we correspond from time to time.

Age:37 Gender: Joined: Feb 06 2004 Posts: 2583 Location: The Netherlands Offline
Posted: Thu Sep 21, 2006 4:40 pm
So...
Chambahs is the only one who got screwed?
BDwinsAlt Agurus's Posse

Age:34 Gender: Joined: Jun 16 2003 Posts: 1145 Location: Alabama Offline
Posted: Thu Sep 21, 2006 5:25 pm
Wow that's gay. What kind of retard would do something like that? I wouldn't waste my time making a bot that collects email addresses and sends people junk email. I only read emails from people I know.
Mine GO BOOM Hunch Hunch What What

Age:41 Gender: Joined: Aug 01 2002 Posts: 3615 Location: Las Vegas Offline
Posted: Thu Sep 21, 2006 5:51 pm
Look at the user profiles, there are a bunch listed (see the userid=XXX?). As for who does it? There is lots of money in junk mail. Want evidence? Look at your spam in your own email box. If there wasn't money there, you wouldn't see that much junk.
In fact, there is so much money there, that a bunch of viruses now are designed to make your computer into relays for spam or into the harvesters themselves. Read almost any research done into viruses that start up IRC bots and see what type of commands are very common: DDoS and Email.
Quan Chi2 Member of "Sexy Teenagers that Code" Group

Age:34 Gender: Joined: Mar 25 2005 Posts: 860 Location: NYC Offline
Posted: Thu Sep 21, 2006 11:29 pm
Oh man. This is probably a new potential phpBB exploit. AWESOMENESS!!
No, but seriously, that must bite for Chambahs, but at least I wasn't screwed, so we can all be happy. The end.
Cerium Server Help Squatter

Age:42 Gender: Joined: Mar 05 2005 Posts: 807 Location: I will stab you. Offline
Posted: Fri Sep 22, 2006 12:05 am
The real question is why these bots don't just report themselves as known browsers? I don't support the spammers in any way, but if you're going to go through all the effort, why not at least do that much? That way, people like MGB here aren't able to see and counter their activity as easily.
_________________
There are 7 user(s) ignoring me right now.
Mine GO BOOM Hunch Hunch What What

Age:41 Gender: Joined: Aug 01 2002 Posts: 3615 Location: Las Vegas Offline
Posted: Fri Sep 22, 2006 12:18 am
Quan Chi2 wrote: "Oh man. This is probably a new potential phpBB exploit. AWESOMENESS!!"
You are just stupid. Bots have been harvesting for a long, long time. I just forgot about the fact that they still pick off these forums, and since I've added protection from bots registering, the email-protection I enabled will work wonderfully. And Cerium is right, this one was just a stupid one.
Take for example the email I use to post on shanky.com or Server Help's front page: that's just a honey pot and is loaded with junk. Not once has anyone actually sent a valid email address to it. So you guys are not in the clear, your email address has long ago been harvested. But in the days of '6 million valid email addresses' the market is demanding email addresses that are fresh. So, unless you've clicked links or had your client download off-site pictures in a message and your email address is not harvested for the next 3-6 months or so, you'll get slightly less spam because the age of your address will be too old that the big names will not add them to their latest sales.
Chambahs Power attack

Joined: Jun 19 2005 Posts: 820 Offline
Posted: Fri Sep 22, 2006 4:20 pm
WTF? Nothing happened to me...what are you guys talking about?
K' You can win any war if you start a year early

Gender: Joined: Jul 13 2006 Posts: 271 Location: Southtown Offline
Posted: Fri Sep 22, 2006 6:11 pm
Mine GO BOOM wrote: "Take for example the email I use to post on shanky.com or Server Help's front page: that's just a honey pot and is loaded with junk."
I still be paying for posting news on that page with me real email.
Chambahs Power attack

Joined: Jun 19 2005 Posts: 820 Offline
Posted: Sat Sep 23, 2006 4:11 am
Right...so anyone wanna tell me why "I got fucked"?
Cerium Server Help Squatter

Age:42 Gender: Joined: Mar 05 2005 Posts: 807 Location: I will stab you. Offline
Posted: Sat Sep 23, 2006 4:20 am
Well... Your father has an attraction to young boys and you like to sleep on your stomach.
Chambahs(lazy) Guest
Offline
Posted: Sun Jun 08, 2008 10:18 pm
I still don't get what happened here
Dr Brain Flip-flopping like a wind surfer

Age:39 Gender: Joined: Dec 01 2002 Posts: 3502 Location: Hyperspace Offline
Posted: Sun Jun 08, 2008 10:28 pm
It took you 2 years to post how you didn't understand something?
_________________
Hyperspace Owner
Smong> so long as 99% deaths feel lame it will always be hyperspace to me
Chambahs (lazy) Guest
Offline
Posted: Sun Jun 08, 2008 10:45 pm
Lmao, no, I was just revisiting the forums (killing time) and I stumbled across this topic. Care to explain?
Samapico No, these DO NOT look like penises, ok?

Joined: May 08 2003 Posts: 1252 Offline
Posted: Mon Jun 09, 2008 8:44 pm
oh LOL
I thought this was a recent issue hahahaha
I presume you had made your email visible or something
_________________
(Insert a bunch of dead links here)