[Resolved] Spam detection/IP ban systems questions

#94700 (In Topic #18867)

Community saint

I keep receiving error messages in my email from the spam detection system.

Could not run spam check using the ######ppogww.*.dnsbl.httpbl.org service: 23.21.224.150. The action has been let through without a check.

It always involves the same IP number. I've done some searches and that IP seems to go back to an Amazon server hosting many sites and it seems this IP is blacklisted. I decided to permanently ban the IP but I'm still getting those error messages.

Two questions:
1. I know when an IP is checked against dnsbl.httpbl.org, it is in reverse-octet format. Is the IP number shown in those error messages in reverse or normal format?

2. Being I've permanently banned that IP and it's still getting through (at least to the join page), at what point does the banning function kick in and stop an IP? I always assumed a banned IP would just see a 404, 403, 500, or something like that and never see the actual site (or in this case, the join page).

Steve
Back to the top
 
#94703

Ah, I understand what is wrong here. 23.21.224.150 is a result code, not an IP. Because RBLs work over DNS, they reply in IP-format, but it actually means something. I will look into what it means and improving the error message.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
#94705

Community saint

Chris Graham said

Ah, I understand what is wrong here. 23.21.224.150 is a result code, not an IP. Because RBLs work over DNS, they reply in IP-format, but it actually means something. I will look into what it means and improving the error message.

Ah, ok!  :thumbs:  Well, that would explain why  that "IP" was still getting through!  :lol:

Steve
Back to the top
 
#94708

I have a theory that this was an IPv6 address, which HTTP:BL does not support. The result is meant to start 127, but yours started 23. They don't publish any kind of listing of error codes though.

To improve the error messages, to include the IP involved…

In lang/EN/critical_error.ini change:

Code

_ERROR_CHECKING_FOR_SPAMMERS=Could not run spam check using the [tt]{1}[/tt] service: {2}. The action has been let through without a check.
to:

Code

_ERROR_CHECKING_FOR_SPAMMERS=Could not run spam check using the [tt]{1}[/tt] service. The error message returned was: {2}. The action has been let through without a check. The IP involved was [tt]{3}[/tt].

In sources/antispam.php change:

Code

$error=do_lang('_ERROR_CHECKING_FOR_SPAMMERS',$rbl_domain,$_result);
to:

Code

$error=do_lang('_ERROR_CHECKING_FOR_SPAMMERS',$rbl_domain,$_result,$ip);


If it turns out to be due to an ipv6 address, I will post a simple fix.


Back to the top
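
The checks discussed in this thread, as an added example in PHP (not ocPortal's own code and not written by any poster): it builds the reverse-octet query name, refuses IPv6 input, and treats any reply that does not start with 127 as an error to report together with the visitor's IP. The function names and the access key are hypothetical, PHP 7.1 or later is assumed, and the decoding of the remaining octets (days, threat score, visitor type) follows HTTP:BL's published reply format, which goes beyond what the thread covers.

```php
<?php
// Added example; function names are hypothetical, not ocPortal's own code.

/** Build the query name: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org */
function httpbl_query_name(string $access_key, string $ip): ?string
{
    // HTTP:BL takes IPv4 only; refuse IPv6 (or junk) rather than send a bad query.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    return $access_key . '.' . $reversed . '.dnsbl.httpbl.org';
}

/** Interpret the A record returned for a query; $answer is null when no record exists. */
function httpbl_interpret(?string $answer, string $ip): array
{
    if ($answer === null) {
        return ['status' => 'not_listed', 'ip' => $ip];
    }
    $octets = explode('.', $answer);
    // A genuine reply is 127.<days>.<threat>.<type>; anything else is not a verdict.
    if (filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false || $octets[0] !== '127') {
        return ['status' => 'error', 'ip' => $ip, 'raw' => $answer];
    }
    $type = (int) $octets[3];
    return [
        'status' => 'listed',
        'ip' => $ip,
        'days_since_seen' => (int) $octets[1],
        // For type 0 (search engine) this octet identifies the engine instead.
        'threat_score' => (int) $octets[2],
        'search_engine' => $type === 0,
        'suspicious' => (bool) ($type & 1),
        'harvester' => (bool) ($type & 2),
        'comment_spammer' => (bool) ($type & 4),
    ];
}

// Constructed sample data: a placeholder key, the visitor IP and reply quoted in
// the thread, and one made-up well-formed reply for comparison.
$key = 'abcdefghijkl';
$ip = '120.40.156.59';
echo httpbl_query_name($key, $ip), "\n";           // reverse-octet query name
var_dump(httpbl_query_name($key, '2001:db8::1'));  // IPv6 is refused
print_r(httpbl_interpret('23.21.224.150', $ip));   // malformed reply, reported with the IP
print_r(httpbl_interpret('127.3.40.4', $ip));      // well-formed listing
```

When the lookup is done with gethostbyname(), which returns the name unchanged on failure, pass null to httpbl_interpret() in that case.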
 
#94709

Community saint

Chris Graham said

I have a theory that this was an IPv6 address, which HTTP:BL does not support. The result is meant to start 127, but yours started 23. They don't publish any kind of listing of error codes though.

To improve the error messages, to include the IP involved…

In lang/EN/critical_error.ini change:

Code

_ERROR_CHECKING_FOR_SPAMMERS=Could not run spam check using the [tt]{1}[/tt] service: {2}. The action has been let through without a check.
to:

Code

_ERROR_CHECKING_FOR_SPAMMERS=Could not run spam check using the [tt]{1}[/tt] service. The error message returned was: {2}. The action has been let through without a check. The IP involved was [tt]{3}[/tt].

In sources/antispam.php change:

Code

$error=do_lang('_ERROR_CHECKING_FOR_SPAMMERS',$rbl_domain,$_result);
to:

Code

$error=do_lang('_ERROR_CHECKING_FOR_SPAMMERS',$rbl_domain,$_result,$ip);


If it turns out to be due to an ipv6 address, I will post a simple fix.

Changes made. I'll report back the results as they come in. Thanks Chris.  :thumbs:

Steve
Back to the top
 
#94713

Community saint

sholzy said

Chris Graham said

I have a theory that this was an IPv6 address, which HTTP:BL does not support. The result is meant to start 127, but yours started 23. They don't publish any kind of listing of error codes though.

To improve the error messages, to include the IP involved…

If it turns out to be due to an ipv6 address, I will post a simple fix.

Changes made. I'll report back the results as they come in. Thanks Chris.  :thumbs:

The results are coming in…  :thumbs:

Could not run spam check using the ######ppogww.*.dnsbl.httpbl.org service. The error message returned was: 23.21.224.150. The action has been let through without a check. The IP involved was 120.40.156.59.

Still getting the exact same return code, but the IPs are good. Of the 6 IPs returned, 1 is BingBot, 3 were spammers, and 2 checked out as "safe".


Steve
Back to the top
 
#94724

I think this is probably an HTTP:BL bug. I tried looking up the failing IP manually on the command line, and it failed. I tried with my own key, and with yours. I tried an IP they black-listed on their site, it worked. I looked up the failing IP manually on their site, it showed as a spammer. I tried looking up the failing IP through a third-party online DNS tool, it was erratic.

It beats me I'm afraid!


Back to the top
 
#94726

Community saint

Chris Graham said

I think this is probably an HTTP:BL bug. I tried looking up the failing IP manually on the command line, and it failed. I tried with my own key, and with yours. I tried an IP they black-listed on their site, it worked. I looked up the failing IP manually on their site, it showed as a spammer. I tried looking up the failing IP through a third-party online DNS tool, it was erratic.

It beats me I'm afraid!

Just having the IP show up is a major help. At least I can manually check, and ban if necessary.

One change I would like to see made to the spam detection system is changing the user name look-up to look-ups on email addresses. Usernames are too easy to create 1000's of unique entries for join pages, whereas the same email addresses tend to be used across multiple sites.

Even though this system is still in its infancy, it has proven very useful at catching possible spammers and blocking them. Since using this from its initial, unofficial release, I've had zero spammers get through the sign up procedure and have had no spam posts.  :)

So, if I have to manually check a few IPs that hit more than a few times, it's no big deal.  :thumbs:

Steve
Back to the top
 
#94727

Glad to hear.

The stopforumspam part does use email though (and IP, and username).


Back to the top
 
#94728

Community saint

I guess I'm a little fuzzy on the "Check usernames for known spammers" option.

Check usernames for known spammers said

Whether to check usernames during the Stop Forum Spam check. This may result in false-positives if spammers were using very generic usernames, and doesn't really work as a reliable filter (it is easy to use lots of different usernames).
The wording is a little confusing (at least to me) knowing that checks can be performed explicitly (IP, or email, or username) or in combinations (email and IP, or email, IP and username, etc.), so I was thinking you were performing an explicit username look-up during the join process, the reason for thinking it would be better to check email addresses instead of usernames. (And, at the same time confusing myself by thinking why would you perform an explicit username look-up if you're already looking up all three?)

But now that I look at the spammer detection settings as a whole (instead of individual pieces), I guess this check is performed during whatever the "Spammer checking level" option is set at?

I guess I'll need to go back and re-read all the old posts on this to refresh my memory as to how the checks are being made.

Steve
Back to the top
 
Item has a rating of 5 (Liked by sholzy)
#94729

Yes it is based on the levels. This option only exists separately because of the false-positive reason described in it.


Back to the top
 