I just got comment spammed

Posted: Mon Aug 13, 2007 2:39 am

Feel, free to tweak Comments Module as you see fit, I just don't have time to play with it (or anything else for that matter) for the next couple of months or so. Raven has already tweaked it for XHTML Compliance ( v 0.02)

Posted: Mon Aug 13, 2007 7:51 am

I installed it on my test site and it looked good. My users have asked me for a "display the last X posts from the forums" so maybe we could add that too in addition to the surveys comments.

I found a define INDEX_FILE in the admin/index.php and it was making right blocks appear on not only it's admin section but some other modules too (I suppose because of the way Nuke include's everyone's case.php file or something -- I didn't look into it further). Removing that fixed it.

Thanks Guardian!

Posted: Mon Aug 13, 2007 11:22 am

Oops, yes Montego did advise me of that error some time ago, I must have missed fixing it somewhere down the line, my apologies!

Posted: Tue Aug 14, 2007 6:19 am

... and, as you can see, I had forgotten it also... otherwise I would have mentioned it as well. Embarassed

Posted: Tue Aug 14, 2007 6:30 am

Actually, in the original version, I had fixed it as follows:

=== OPEN ===

modules/Comments/admin/case.php

=== FIND ===

Code:




   if ($row2['radminsuper'] == 1 || $auth_user == 1) {


   $module_name = 'Comments';


   $inddex_file= dirname(__FILE__) .'/'. 'index.php'; //deliberate typo :)


   $language_location = dirname(__FILE__) .'/'. 'language/lang-'.$currentlang.'.php';


   include_once("$language_location");


   include_once("$inddex_file"); // no typo its deliberate





   switch($op) {


      case 'ca_comments_main':


      case 'ca_news_comments':


      case 'ca_reviews_comments':


      case 'ca_poll_comments':


      break;


         }


   }

=== REPLACE WITH ===

Code:




   if ($row2['radminsuper'] == 1 || $auth_user == 1) {


   $module_name = "Comments";


   $inddex_file= dirname(__FILE__) ."/". "index.php"; //deliberate typo :)


   $language_location = dirname(__FILE__) ."/". "language/lang-".$currentlang.".php";


   include_once("$language_location");





   switch($op) {


      case "ca_comments_main":


      case "ca_news_comments":


      case "ca_reviews_comments":


      case "ca_poll_comments":


      include_once("$inddex_file"); // no typo its deliberate


      break;


         }


   }

The include_one of the index file needed to be within the switches I think.

Posted: Thu Aug 16, 2007 9:26 am

The guy came back today, tried to log in. However his user agent was

Mozilla/5.0 (compatible; Yahoo! Slurp; [ Only registered users can see links on this board! Get registered or login! ]

and his IP address was 74.6.29.35, which according to dnsstuff.com is a Yahoo Inktomi address. Confused

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Just as an fyi I received permission from John back on 6/28/2007 to include it in the next release. So, we can either include it as it is or someone can work on it to tweak it. Let me know. Actually, if someone takes ownership then just open up a Mantis issue.

Posted: Thu Aug 16, 2007 7:22 pm

I think I'd be interested in picking up the Comments module and running with it if it is okay with everyone.

Posted: Thu Aug 16, 2007 8:26 pm

Fine by me Smile

Posted: Fri Aug 17, 2007 12:23 am

Knock yourself out Smile

It would be a shame to let it stagnate and deprive RN users of it's usefulness until I can get the time to do anything more with it.

Posted: Fri Aug 17, 2007 6:15 am

Fine by me too. "G" can always pull the latest from the SVN repository when we gets settled down in his new country of residence and pick it up from there. Sounds like a win-win to me.

Posted: Fri Aug 17, 2007 6:54 am

I was thinking about having it display a form instead of showing comments when you enter it. The form would say: "Please show me the last X comments from Y" where X and Y would be drop down boxes. X would be something like 10, 20, 50, 100 and Y would be News, Reviews, Surveys, Forums.

Thoughts?

Posted: Fri Aug 17, 2007 12:11 pm

That might be beneficial for very busy sites where lots of comments might be made and save the possible need for pagination.
The only important aspect is to ensure 'ordering' is by the date the relevant comment was made and NOT the date of the data which the comment was made against as this would negate it's usefulness for spotting comments to old news items etc which spammers seem to have a penchant for.

Might also be good if there was also a search by username or something? For example you spot a spam comment in a review item by a user - might be useful to be able to then 'list' all comments or whatever for that user to see what else they have been up to.

Posted: Fri Aug 17, 2007 12:39 pm

It also occured to me that a search by user would be useful.

And yes, we are on the same page about searching by the date of the comment itself. I want to watch for new spam comments.

Posted: Fri Aug 17, 2007 2:56 pm

Sounds good to me. As you can see, I threw what's there together very quickly purely to address the problem of old news post comment spamming that the community was experiencing a while ago. Most of the code is just re-jigged existing core functions.

I look forward to your improvements Smile

Posted: Fri Aug 17, 2007 3:54 pm

I have been working on a Your Account hack to allow search by users. One place you may want to look is in the existing Search index.php. It is not apparent but there is a user search in there. I stripped some of the code out of that and am planning to use it in Your Account. I already have a drop down box that lists users (username and email) and you can pick one from the list (there was a hack like that posted here a while back). The drop down works fine even on a site with say 1000 users (like my own site) but I think that on something like Raven's with 14000 users it would get unwieldy. My thought is to also have a search icon which will open a search window and allow you to search on all or part of a username or email and maybe some other criteria.

It might be useful if we developed the user search so that it could be accessed "independently" from anywhere in the system ... I don't know if it should be an include file or a class or a function.

Code:

                  $res_n3 = $db->sql_query('SELECT user_id, username, name from '.$user_prefix.'_users where (username like \'%'.$query.'%\' OR name like \'%'.$query.'%\' OR bio like \'%'.$query.'%\') order by username ASC limit '.$min.','.$offset);


                $nrows = $db->sql_numrows($res_n3);


                $x=0;


                if (!empty($query)) {


                    echo '<br /><hr noshade="noshade" size="1" /><center><b>'._SEARCHRESULTS.'</b></center><br /><br />';


                    echo '<table width="99%" cellspacing="0" cellpadding="0" border="0">';


                    if ($nrows>0) {


                        while($rown3 = $db->sql_fetchrow($res_n3)) {


                            $uid = intval($rown3['user_id']);


                            $uname = stripslashes($rown3['username']);


                            $name = stripslashes($rown3['name']);


                            $furl = 'modules.php?name=Your_Account&amp;op=userinfo&amp;username='.$uname;


                            if (empty($name)) {


                                $name = _NONAME;


                            }


                            echo '<tr><td><img src="images/folders.gif" border="0" alt="" />&nbsp;<font class="option"><a href="'.$furl.'"><b>'.$uname.'</b></a></font><font class="content"> ('.$name.')';


                            if (is_admin($admin)) {


                                echo ' [ <a href="'.$admin_file.'.php?chng_uid='.$uname.'&amp;op=modifyUser">'._EDIT.'</a> | <a href="'.$admin_file.'.php?op=delUser&amp;chng_uid='.$uid.'">'._DELETE.'</a> ]';


                            }


                            echo '</font></td></tr>';


                            $x++;


                        }

That's the code I extracted from the search module. Obviously it's just a starting point but something is sometimes better than nothing.

Posted: Sat Aug 18, 2007 9:13 am

I, too, like where this is going. We also need the ability to select with checkboxes some or all the comments on a particular page of comments.

I LOVE the userid idea. Wish there was also a way to do this via IP address, but not easy (would it require NukeSentinel?). Also, this would only be necessary for those folks who refuse to put comments behind registered user and/or the spam captcha.

I was also thinking of a potential SPAM notifier type tool (NukeSentinel candidate?) that could spot unusual post behavior in comments, forums, etc., but that is probably a completely different topic for another day.

Posted: Sat Aug 18, 2007 11:24 am

I was going to add something like that to Spam Stopper whereby the POST var was checked for multiple links (e.g. checking for multiple instances of 'http' )but I believe Vin did something along these lines a while ago for an improved feedback module or something.

Posted: Sun Aug 19, 2007 10:26 am

For the admin part of the module, I am going to include a form with checkboxes by each comment so an admin can delete comments. I'm hesitant to do this for the forum posts....it might be a little tricky given all their tables and relationships. Since you can already admin the forums pretty well, should I punt on that or dig into it a little deeper? Or make it a rev 2 thing?

Posted: Sun Aug 19, 2007 10:30 am

Gremmie, you are right and probably a "rev 2" thing.

Guardian2003, what Vin did, I thought, was to render the links inoperable. In otherwords, removes the "incentive" to spam. However, I am going on ancient history memory here. Laughing

I hadn't really thought about the one spam message with multiple links in it. I was more concerned about getting NN number of comments being added in a short period of time or close in "pattern" to help spot "bot" behavior.

Posted: Sun Aug 19, 2007 10:35 am

phpBB may already have a "delete post" function that I could call, I suppose. I'll do a casual search and if I don't see anything obvious I'll leave it for rev 2. Wink

Posted: Sun Aug 19, 2007 10:41 am

yeah, it definitely does have it and I am pretty sure that even if other posts have been made, it gets the dependencies right. Actually, not even really sure there are dependencies other than the topic id. I think it will order the posts based on their IDs.

Posted: Sun Aug 19, 2007 10:46 am

Yes you are quite right M - I just thought that if someone is going to spam comments, to make it worth their while, they are highly likely to insert more than one link - though I do like the idea of some sort of 'flood' protection on the comments!!

You are right on Vin's approach too, I remember it now. While making the links useless does remove the incentive to spam, from a 'bot' perspective, the bot isn't going to know the links are useless (but it will stop crap from getting indexed by the SE's).

I have obviously been looking into anti-spamming techniques for a while and I'd just like to throw this thought of my 'nirvana' into the air to see what response there is;
How about an authentication for comments like the user registration?
e.g. User submits comment
comment data goes to a new table where it is held in 'pending'
script sends email with 'activation' link
link is clicked and 'pending' moves to the core table

That might be overly complicated and it's not exactly 'user-friendly' but comments are not really supposed to be used like a blog, there are forums for that, so a user is unlikely to make more than one comment I feel.

Gremmie - ypu I'd make forums a rev 2 (or whatever) thing.
There are already plenty of things a webmaster can use such as 'posts since last visit' , 'unanswered topics' etc and thats before you touch any admin stuff.

Posted: Mon Sep 03, 2007 4:43 pm

I've got some good time in on the new Comments module. You can see the last 10, 20, 50, 100, or 200 comments from Forums, News, Surveys, and Reviews. You can also show results by user with * wildcard. Smile

I just got to add the delete capability. Do you think I should build an admin section just to delete the comments, or just put the delete checkboxes right in the "user" part of the form (wrapped with is_admin() check)? Thanks.

Posted: Mon Sep 03, 2007 6:31 pm

The latter.