Spam on AdvancedGuestBook 2.3.3
zaki
Newbie

Joined: 13/10/2005 06:55:07
Messages: 1
Location: Scotland

Hi,
Can someone help me please, I am getting between 80 and 100 messages a day on my guestbook. I am using AdvancedGuestBook version 2.3.3.
I have tried to block IP addresses but there are too many, but some of them are like
Thanks in Advance
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

I should hope none are localhost as that would mean the spam is coming from your own server. Read the very first thread in this forum.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
kleinechris
Newbie

Joined: 08/11/2005 15:14:13
Messages: 1

Carbonize wrote: I should hope none are localhost as that would mean the spam is coming from your own server. Read the very first thread in this forum.


I'm sorry, I've searched for the first thread in this forum, but I really couldn't find it. Where can I find it? I have the same problem as zaki and I really want to solve it...
markus56
Beginner

Joined: 11/11/2005 16:32:52
Messages: 9

There's a bug in Advanced Guestbook that allows spammers or hackers to use faked IP addresses (incl 127.0.0.1 localhost). I've released a new version of Guestbook that solves this and many more security issues. It can be downloaded from http://www.freerelationshipadvice.com/downloads/guestbook27.zip
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

IP banning is not a way to stop spam. It will stop a few prolific spammers but a lot come from a variety of IPs. That is why I made my anti-spam modifications to stop the posts before they happen.

markus56
Beginner

Joined: 11/11/2005 16:32:52
Messages: 9

Yes, Carbonize, I am aware of that. I invite you to have a closer look at the whole package. Security features include:
- Distinguishing between real and fake IP
- enforced delay for posting
- protection against faking of significant form data (such as form load timestamp)
- 2 level human verification: User must enter a value shown in a randomly chosen image at display time. Plus optional approval mode (Guestbook Administrator must approve new incoming messages). All these options (and many more) can be turned off and on at any time through the Administration panel

Additional convenience features for the Administrator:
- necessary database upgrades are automatically discovered upon upload of a new version (no matter which version you are on currently)
- /admin/config.inc.php no longer needs to be saved away and restored

Full list of features: http://www.freerelationshipadvice.com/guestbook/whatsnew.txt
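One way to make the "enforced delay for posting" and the "form load timestamp" protection hold up against a client that edits the hidden field is to sign the timestamp server-side. This is an added illustration, not code from markus56's package or from Advanced Guestbook; the function names, the delay constants and the secret are assumed.

```php
<?php
// Added example: HMAC-signed form-load timestamp (assumed names and constants).
const MIN_DELAY_SECONDS = 30;    // assumed minimum time between form load and post
const MAX_AGE_SECONDS   = 3600;  // assumed lifetime of a rendered form

// Value placed in the hidden field when the form is rendered: "<timestamp>:<hmac>".
function issue_form_token(string $secret, int $loadedAt): string
{
    $mac = hash_hmac('sha256', (string)$loadedAt, $secret);
    return $loadedAt . ':' . $mac;
}

// Returns null when the submission is acceptable, otherwise a short reason.
function check_form_token(string $secret, string $token, int $now): ?string
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    [$loadedAt, $mac] = $parts;
    $expected = hash_hmac('sha256', $loadedAt, $secret);
    // Constant-time comparison: an edited timestamp no longer matches its MAC.
    if (!hash_equals($expected, $mac)) {
        return 'bad signature';
    }
    $age = $now - (int)$loadedAt;
    if ($age < MIN_DELAY_SECONDS) {
        return 'posted too fast';
    }
    if ($age > MAX_AGE_SECONDS) {
        return 'form expired';
    }
    return null;
}

// Constructed demonstration values (placeholder secret, fixed clock).
$secret = 'replace-with-a-random-server-secret';
$token  = issue_form_token($secret, 1000000);
assert(check_form_token($secret, $token, 1000000 + 5) === 'posted too fast');
assert(check_form_token($secret, $token, 1000000 + 60) === null);
// A client that rewinds the timestamp to skip the delay fails the signature check.
$forged = '999000:' . explode(':', $token)[1];
assert(check_form_token($secret, $forged, 1000000 + 60) === 'bad signature');
```

The delay alone does not stop a bot that simply waits, as a later post in this thread points out; the signature only guarantees the bot cannot shorten the wait by editing the field.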
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

Yes I have already looked at your 2.7 code, including the 255 premade images you have for your image verification, which prevents your guestbook from being used with any language other than English. You should have just made the image contain the characters and left the message as part of the lang file.

Any spammer who is actually going to go to the bother of spoofing the HTTP_X_FORWARDED_FOR header is not going to be stopped by IP banning. As you have now implemented, you need to stop the spam from getting posted in the first place, otherwise you will end up having to go in and delete the spam entries that get made before your auto ban kicks in.

Advanced Guestbook has come with a required field/time limit since version 2.3.3.

markus56
Beginner

Joined: 11/11/2005 16:32:52
Messages: 9

Yes, that's a good point, Carbonize. The images are not yet language sensitive. This will be included in an upcoming revision.

As the validation value is a mandatory field, spam posted by bots will be rejected. As an additional security feature, a validation mode is in place (as mentioned before), so that new posts will not show up unless they're authorized. Since the introduction of the user validation field, my spam rate has dropped by 100%!!

Your comment re non-banning of spammers using the HTTP_X_FORWARDED_FOR header is not quite correct. In my version, users are banned based on their real IP address ($_SERVER['REMOTE_ADDR']) while the HTTP_X_FORWARDED_FOR address is kept in a separate variable. If acceptance of faked IP addresses is disabled (default), any difference between an existing HTTP_X_FORWARDED_FOR address and the real IP address will be rejected.
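The rule markus56 describes above, as an added illustration (not code from his package or from Advanced Guestbook): bans key on REMOTE_ADDR, and a client-supplied X-Forwarded-For that names a different address is rejected unless faked addresses are explicitly allowed. Function names and the sample addresses are assumed.

```php
<?php
// Added example: treat HTTP_X_FORWARDED_FOR as untrusted input (assumed names).

/**
 * $server is an array shaped like PHP's $_SERVER.
 * Returns ['accept' => bool, 'ban_ip' => string, 'forwarded' => ?string].
 */
function classify_client_ip(array $server, bool $acceptFakedIp = false): array
{
    // REMOTE_ADDR comes from the TCP connection and cannot be set by the client;
    // X-Forwarded-For is arbitrary text the client (or a proxy) may send.
    $remote    = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? null;

    $result = ['accept' => true, 'ban_ip' => $remote, 'forwarded' => $forwarded];

    if ($forwarded === null || $forwarded === '') {
        return $result;  // no proxy header present: nothing to compare
    }

    // The header may be a comma-separated chain; the first entry is the claimed client.
    $claimed = trim(explode(',', $forwarded)[0]);

    // Loopback, private and reserved claims (e.g. 127.0.0.1) are never valid here.
    $valid = filter_var($claimed, FILTER_VALIDATE_IP,
                        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;

    if (!$acceptFakedIp && (!$valid || $claimed !== $remote)) {
        $result['accept'] = false;  // header disagrees with the real address
    }
    return $result;
}

// Constructed sample requests (not real traffic).
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$r = classify_client_ip($spoofed);
assert($r['accept'] === false && $r['ban_ip'] === '203.0.113.7');

$direct = ['REMOTE_ADDR' => '203.0.113.7'];
assert(classify_client_ip($direct)['accept'] === true);
```

Note that when the guestbook itself sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and every legitimate visitor would fail this comparison; the rule is only sound when the web server faces clients directly.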
anibal
Newbie

Joined: 15/11/2005 13:27:54
Messages: 3

markus56 wrote: Yes, Carbonize, I am aware of that. I invite you to have a closer look at the whole package. Security features include:
- Distinguishing between real and fake IP
- enforced delay for posting
- protection against faking of significant form data (such as form load timestamp)
- 2 level human verification: User must enter a value shown in a randomly chosen image at display time. Plus optional approval mode (Guestbook Administrator must approve new incoming messages). All these options (and many more) can be turned off and on at any time through the Administration panel

Additional convenience features for the Administrator:
- necessary database upgrades are automatically discovered upon upload of a new version (no matter which version you are on currently)
- /admin/config.inc.php no longer needs to be saved away and restored

Full list of features: http://www.freerelationshipadvice.com/guestbook/whatsnew.txt

Hi there, I'm trying to install this version and I'm running into some problems at this page mydomain/guestbook/install.php:

Warning: main(/admin/ctl.inc.php): failed to open stream: No such file or directory in /home/sites/webhosting/jufkrista/jufkrista/www/guestbook/install.php on line 3

Warning: main(): Failed opening '/admin/ctl.inc.php' for inclusion (include_path='.:/usr/lib/php:/home/sites/webhosting/uvmb/uvmb/phpincludes:/home/sites/webhosting/vbp/vbp/phpincludes') in /home/sites/webhosting/jufkrista/jufkrista/www/guestbook/install.php on line 3

I'm installing from scratch.

Please help... I really need a better version installed on my system... too much spam.
markus56
Beginner

Joined: 11/11/2005 16:32:52
Messages: 9

Hi,

In file install.php, replace the 2nd line to read as follows:

include_once "./admin/ctl.inc.php";

Then it should work. Please give feedback.
anibal
Newbie

Joined: 15/11/2005 13:27:54
Messages: 3

Thank you... I'm switching to http://lazarus.carbonize.co.uk

Looks better and is up to date.
markus56
Beginner

Joined: 11/11/2005 16:32:52
Messages: 9

Yes, it's true, the first version (2.5) removed a lot of spam, but not all of it; e.g. it limited the number of messages per day to 9 (or a different value set in the preferences). It did, though, already distinguish between faked and real IP addresses (faked ones no longer admitted).

The big break-through occurred with version 2.6 in which I added a 2 level human verification (by user and / or admin). From that time forward, the spam rate dropped to 0%.

Unlike in Lazarus, the human verification value in version 2.6 / 2.7 is not a static per-site value; it is randomly chosen from a range of 255 values at display time. Also, the antibot value is not parsable by spammers, because it's displayed as a graphical image.

In version 2.7, I further added automated delta-checks for the database-structure. Any missing fields and/or tables will be added automatically, whereas existing columns and tables are NOT removed.

New in version 2.7.3:
- Language-safe: If a new value was not translated into the Advanced Guestbook target language, the English value will be displayed, along with the keyname between brackets. This helps the administrator to identify missing entries in their language file

- Graphic files for antibot values no longer contain surrounding text ("Please enter value..."). This text may now be configured via the language file

Get the latest version at http://www.freerelationshipadvice.com/downloads/guestbook27.zip
anibal
Newbie

Joined: 15/11/2005 13:27:54
Messages: 3

I have to say, since using Lazarus the spam is completely gone. I have 3 sites running Lazarus and have fewer customers contacting me every day.
markus56
Beginner

Joined: 11/11/2005 16:32:52
Messages: 9

This simple, stupid script will create spam entries in the lazarus.co.uk guestbook with an arbitrary name.

- It gets the entry form
- then it grabs the special value by parsing the source code and enters it into the bottest field
- then it waits for 30 seconds before it posts it to the forum

This is where the advantage of a picture display over a parsable text display shows up.
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

So long as the person's host has GD compiled. Also, given that the question/answer can be anything, you have to visit the site to know what to parse.

I am flattered you went to such lengths to make a script to spam my guestbook. Note I say MY guestbook as your script will only spam my copy of Lazarus and therefore is pointless.
