Search Results for 'bots'

Viewing 25 results - 251 through 275 (of 319 total)
  • #77148

    In reply to: Members only

    Shnooka30
    Participant

    Thanks, I did install that and there is a load of info there. Maybe I’ll work on that and see how it is.

    This plug-in works great, however it sends users to the backend login form and not the register page. Can’t figure out how to redirect to register page.

    class RegisteredUsersOnly {
        var $exclusions = array();

        // Class initialization
        function __construct() {
            // Register our hooks
            add_action( 'wp', array( $this, 'MaybeRedirect' ) );
            add_action( 'init', array( $this, 'LoginFormMessage' ) );
            add_action( 'login_head', array( $this, 'NoIndex' ), 1 );
        }

        // Depending on conditions, run an authentication check
        function MaybeRedirect() {
            global $bp;

            // If the user is logged in, then abort
            if ( current_user_can( 'read' ) ) return;

            // Let visitors through to the BuddyPress registration page
            if ( $bp && ( $bp->current_component == BP_REGISTER_SLUG ) ) return;

            # 'wp-trackback.php',
            # 'wp-app.php',
            $this->exclusions = array(
                'wp-login.php',
                'wp-signup.php',
                'wp-register.php',
                'wp-activate.php',
                'wp-cron.php', // Just in case
            );

            // If the current script name is in the exclusion list, abort
            if ( in_array( basename( $_SERVER['PHP_SELF'] ), apply_filters( 'registered-users-only_exclusions', $this->exclusions ) ) ) return;

            // Still here? Okay, then redirect to the login form
            auth_redirect();
        }

        // Use some deprecated code (yeah, I know) to insert a "You must login" error message to the login form
        // If this breaks in the future, oh well, it's just a pretty message for users
        function LoginFormMessage() {
            // Don't show the error message if anything else is going on (registration, etc.)
            // (the array key tested in the second $_GET check is missing from the post as published)
            if ( 'wp-login.php' != basename( $_SERVER['PHP_SELF'] ) || !empty( $_POST ) || ( !empty( $_GET ) && empty( $_GET ) ) ) return;

            global $error;
            $error = __( 'Only registered users can watch this site. Please register or login.', 'registered-users-only' );
        }

        // Tell bots to go away (they shouldn't index the login form)
        function NoIndex() {
            echo "<meta name='robots' content='noindex,nofollow' />\n";
        }
    }

    // Start this plugin once all other plugins are fully loaded
    add_action( 'plugins_loaded', function () {
        global $RegisteredUsersOnly;
        $RegisteredUsersOnly = new RegisteredUsersOnly();
    } );

    #77018
    5887735
    Inactive

    My BP site is fairly new. I had one PM spammer and I changed my register slug and added birth day to the required fields and so far no return spammers (about 1000 new members per month, 4,000 current). I’m sure this won’t end attacks, but hopefully it will stave off many of the BOTS.

    #77001
    5887735
    Inactive

    Maybe BP should require that you choose your own register slug after activating the plugin. Perhaps also require you name your required fields, instead of the default “name” or “base.” The fewer default settings BP has, the harder it is for BOTS.

    #76958
    foxly
    Participant

    All About BuddyPress Spam

    From what I’ve seen over the past few days, the range of knowledge about spam in the BP community ranges from zero to PhD research project. So, to get this thread off to a productive start, I’m going to give everyone some background info on why spammers target our installations, how they do it, and what we can do to reduce or eliminate these kinds of attacks.

    1) Why do spammers attack BP communities?

    -> Spam is 100% economically motivated. Spammers do what they do because it’s very profitable. Even if only 1 out of a million messages the spammer sends actually reaches somebody, if it cost $2 to send out those million messages and the spammer makes $50 by tricking one person into giving them a credit card number, the spammer is going to throw every resource they have into sending out more messages …because they’re getting a 2500% return on their investment.

    -> Given the choice between multiple sites, a spammer will pick the one that gives the largest payout.

    Gmail is a “hard” target, with users that are experienced with spam. If a spammer sent a billion spam messages to accounts on Gmail, 99.9% of them would probably be deleted by automated filters at other ISPs along the way before even arriving at Gmail. The first thousand messages that arrived at Gmail would likely be delivered but would be put in users’ spam folders; and the remaining 999,000 messages would be flat-out refused by Gmail’s servers.

    Because anyone with an email account is familiar with spam, probably 999 of those 1000 users would ignore the spam message and 1 user might act on it. So if it cost $20 to send those billion messages and the spammer made $50 by tricking the one person into giving them a credit card number, they’ve only made $30 for all that work.

    BP communities are usually “soft” targets that are inexperienced with spam.

    Once a spammer gets into a BP community, every single message they send is delivered to a member, and most members are NOT expecting to be attacked by other users on the site.

    If a user called “site_news” sends everyone a message that says: “Our site just got featured on Oprah! check out the video! http://www.youtube.com/watch/dQw4w9WgXcQ.cn” every single member is going to get that message, and probably half of them are going to click on the link. (did anyone notice what’s wrong with that “YouTube video” … ;) )

    Then, assuming there are 50,000 members on the BP site, half of them click on the link, half of those people are using Internet Explorer, and the attack site the link points to installs a backdoor on computers running IE …at $2 / install the spammer has just made $25,000!

    Now, if *you* were a spammer, which site would you attack?

    2) How do spammers find BP communities?

    Using Google.

    Example: http://www.google.ca/search?hl=en&q=%2B”is+proudly+powered+by+WordPress+and+BuddyPress” (front page of every BP site on the net)
    Example: http://www.google.ca/search?hl=en&q=inurl:%22/community/members/%22+%2Bbuddypress (members page of every BP site on the net)

    3) How do spammers attack websites?

    -> Most spam attacks are done using robots, because sheer volume of posts is usually the winning factor. In situations where there is a “captcha wall” or other defense blocking registration to a “high value” site (hint: yours), spammers will use people in low-wage countries to break the captcha and sign up on the site. The going rate is about $2 per 1000 captchas.

    http://www.decaptcher.com/client/

    Once inside the site, they will then use bots to post spam to all the members on the site.

    -> There are literally *thousands* of different programs available that spam websites, and they all have *different* vulnerabilities.

    For example, this program: http://forums.digitalpoint.com/showthread.php?t=1124949

    a) Will DEFEAT a “hidden fields” challenge,
    b) Will DEFEAT a “javascript proof of work” challenge,
    c) Will FAIL a “captcha” challenge
    d) Will FAIL an “Akismet” challenge
    e) Will FAIL a “Hashed Form Field ID” challenge

    But this program: http://www.botmasternet.com/more1/ , wikipedia: http://en.wikipedia.org/wiki/XRumer , video of it running: http://www.youtube.com/watch?v=AL2i4SNPJmg

    a) Will DEFEAT a “hidden fields” challenge,
    b) Will DEFEAT a “javascript proof of work” challenge,
    c) Will DEFEAT a “captcha” challenge
    d) Will DEFEAT an “Akismet” challenge (uses proxy networks, never sends the same message twice)
    e) Will DEFEAT a “Hashed Form Field ID” challenge
    f) Will FAIL an “enter the numbers with a triangle over them” challenge (as used by PlentyOfFish.com)
    g) Will FAIL a “click on the photos of cats but not the photos of dogs” challenge

    4) How do we stop spammers from attacking BP communities?

    -> By making it frustrating and unprofitable (but not necessarily impossible) for spammers to target us; while making these tactics invisible to normal users.

    I will cover how I propose to do this in the next post.

    ^F^

    #76476
    5887735
    Inactive

    I’m getting these on my own site. These are spam bots and they found a way into BP. This should be a number one priority for BP. I’ve seen this stuff with phpbb and other CMS. It’s very easy for these people to bring down your site.

    #76190

    In reply to: Avatar Upload issue

    jay
    Participant

    are you hosted at godaddy? my programmer thought it had to do with the following:

    • can you check the hosting company if they have GD library correctly installed- go daddy said everything was fine, but their email customer service seems to be done by robots as they never answer correctly, they said it had to do with folder permissions which was not the case.

    #75514
    jwack
    Participant

    Thanks.

    #75407
    r-a-y
    Keymaster

    WP does generate a virtual robots.txt file, but I’m not sure if you can count BP in the mix as I’m not quite sure if BP does anything to it.

    Try using this plugin to manage WP’s virtual robots.txt:
    https://wordpress.org/extend/plugins/pc-robotstxt/

    #75406
    jwack
    Participant

    ne1?

    #74956
    Michael J Challis
    Participant

    FYI, Today I updated SI CAPTCHA Anti-Spam for latest version of buddypress 1.2.3 compatibility

    SI CAPTCHA Anti-Spam

    https://wordpress.org/extend/plugins/si-captcha-for-wordpress/

    This plugin adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, login, or all. In order to post comments or register, users will have to type in the code shown on the image. This prevents spam from automated bots. Adds security. Works great with Akismet. Also is fully WP, WPMU, and BuddyPress compatible.

    #71137
    Gene53
    Participant

    The best trick I learned for fighting spam bots is to ask a question that only a human can answer and making them type it into a text box. If you change the question daily or randomize it, it makes it even tougher. Don’t do anything like math or captcha or something that a bot can calculate or decipher. Ask a question like “What color is snow?” or “How many sides does a triangle have?”

    +1 for that idea, I had this on 2 SMF forums and it does work. While it doesn’t stop the odd human Spammer from registering, it stops bots dead in their tracks.

    Maybe a coder would consider making such a BP plugin.
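
A minimal form of the rotating-question check described in this post, as an added example rather than code from the thread or from an existing plugin; the `qc_*` names, the secret and the 15-minute limit are assumptions. The signed token lets the server check the answer without keeping the chosen question in a session.

```php
<?php
// Added example (not from the thread): question challenge for a signup form.
// All qc_* names, the secret and the time limit are assumptions.

const QC_SECRET  = 'replace-with-a-long-random-per-site-value';
const QC_MAX_AGE = 900; // seconds a rendered form stays valid

// Question pool: id => array( question text, accepted answers in lower case )
function qc_questions() {
    return array(
        'snow'     => array( 'What color is snow?', array( 'white' ) ),
        'triangle' => array( 'How many sides does a triangle have?', array( '3', 'three' ) ),
    );
}

// Pick a random question and sign "id|issue-time" so the form can carry it
function qc_issue( $now = null ) {
    $now     = ( null === $now ) ? time() : (int) $now;
    $pool    = qc_questions();
    $ids     = array_keys( $pool );
    $id      = $ids[ random_int( 0, count( $ids ) - 1 ) ];
    $payload = $id . '|' . $now;
    return array(
        'question' => $pool[ $id ][0],
        'token'    => $payload . '|' . hash_hmac( 'sha256', $payload, QC_SECRET ),
    );
}

// Check the submitted token and answer; tampering or a timeout fails closed
function qc_verify( $token, $answer, $now = null ) {
    $now   = ( null === $now ) ? time() : (int) $now;
    $parts = explode( '|', (string) $token );
    if ( 3 !== count( $parts ) ) {
        return false;
    }
    list( $id, $issued, $mac ) = $parts;
    if ( ! hash_equals( hash_hmac( 'sha256', $id . '|' . $issued, QC_SECRET ), $mac ) ) {
        return false; // question id or timestamp was altered
    }
    $age = $now - (int) $issued;
    if ( $age < 0 || $age > QC_MAX_AGE ) {
        return false; // form is stale or dated in the future
    }
    $pool = qc_questions();
    return isset( $pool[ $id ] )
        && in_array( strtolower( trim( (string) $answer ) ), $pool[ $id ][1], true );
}

// Stand-alone run outside WordPress, with constructed submissions
if ( ! defined( 'ABSPATH' ) ) {
    $c = qc_issue();
    echo $c['question'], "\n";
    var_dump( qc_verify( $c['token'], 'purple' ) );         // wrong answer
    var_dump( qc_verify( $c['token'] . 'x', 'white' ) );    // altered token
    var_dump( qc_verify( $c['token'], 'white', time() + 3600 ) ); // expired form
}
```

A token stays valid until it ages out, so one solved form can be resubmitted within that window; recording used tokens server-side closes that gap.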

    #71077
    David Lewis
    Participant

    There are multiple entry points for SPAM bots… so any one measure probably won’t accomplish much. I posted a list of everything I did in the “Spam, Spam and more Spam” thread. Worst case… you could try captcha.

    #70348
    snark
    Participant

    Still looking for help on this. My new BP site finally went live today — http://www.wordlab.com/ — and I’m getting a couple signups per hour that never click on the activation link. Some may be legit but can’t figure out the activation process, but from email correspondence I’ve only found one who fit that bill — the others never respond to me, so I’m guessing a fair percentage of them are spambots using fake email addresses.

    So it would be great to have these improved User sorting options in the WP Admin, so I could track down bogus registrations, perhaps those that haven’t been activated after a set amount of time, and delete those users in batches. An alternate strategy would be to have the system auto delete (or delete en masse on command) any registrations that are never confirmed after a set period (10 days, 30 days, etc.)

    #68578
    David Lewis
    Participant

    I just clued in that these bots are probably all using proxy servers… and compiling a big list of them all would be futile. So I found this htaccess code that blocks servers based on their methods. I know this topic has gone beyond specific BuddyPress fixes… but I’ve done all of the BuddyPress fixes (and more) and I’m STILL getting SPAM signups. So perhaps this will help someone else.

    RewriteEngine On
    # block proxy servers from site access
    RewriteCond %{HTTP:VIA} !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED-FOR} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:X-FORWARDED-FOR} !^$ [OR]
    RewriteCond %{HTTP:X-FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    RewriteRule ^(.*)$ - [F]

    Credit goes to: http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/

    #68432
    David Lewis
    Participant

    I’ll try. I just got a new registration from ANOTHER .info email address. Minutes ago. Ugh :( Unreal.

    I’ve done everything mentioned in this thread and MORE. And no dice. Kind of at my wits end. How the heck are they signing up?! Unless it’s humans signing up. But I assume all SPAMers use bots. Even if it’s not a bot… I don’t know how you’d ever find the signup page with Google. It has a custom slug and I’ve gotten rid of the default BuddyPress text.

    Anyway. Thanks Andrea.

    I wonder if this would work in .htaccess

    deny from .*\.info.*

    #68417
    David Lewis
    Participant

    @Andrea_r How do you say “SPAMbots please screw off” in Latin? LOL. Maybe Google can translate for me.

    No more SPAM registrations since my last post. Fingers crossed.

    Did you find out how to use regex in the WPMU “banned domains” setting?

    #68329
    David Lewis
    Participant

    Okay… I am STILL getting SPAM registrations. I’ve done the following:

    • Changed signup slug
    • Installed hashcash (works with BP now)
    • Disabled “Allow blog administrators to add new users…”
    • Deleted BuddyPress credit in footer.php
    • Deleted wp-signup.php
    • Created a robots.txt file to disallow robots from my signup slug

    Any more ideas? Short of Captcha? Altho’ I’m thinking even that won’t work.

    #68270
    kiwipearls
    Participant

    You might like to get some anti bot plugins from wordpress. I have WordPress MU and Buddypress and use the following plugins to prevent bots from joining my site.

    WP-SpamFree – An extremely powerful anti-spam plugin that virtually eliminates comment spam. Finally, you can enjoy a spam-free WordPress blog! Includes spam-free contact form feature as well. http://www.polepositionmarketing.com/library/wp-spamfree/

    WPMU Super Captcha – Custom captcha program made to stop spam bots cold in their tracks. Features audio, word files, or random text. You configure it! https://wordpress.org/extend/plugins/super-capcha/

    Or go to http://www.wordpress.org, click on extend and find them there.

    #68225
    David Lewis
    Participant

    So to sum up:

    • Change your signup slug
    • Add some required custom profile fields (or use the hashcash trick posted at the start of this thread)
    • Disable “Allow blog administrators to add new users to their blog via the Users->Add New page”
    • Delete BuddyPress credit in footer.php
    • Delete wp-signup.php
    • Create a robots.txt file with User-agent: * Disallow: /register/ (or whatever your slug is)
    • If all else fails, use CAPTCHA or preferably a simple random question (what colour is snow)

    Am I wrong or missing anything?

    Also… all of my SPAM registrations were coming from .info domains. I added this to my .htaccess file but I’m not sure it’s correct. I found a million examples via Google search for how to ban full domains or subdomains… but nothing about blocking an entire extension (i.e… whatever.info). Anyway, this is what I wrote:

    RewriteCond %{REMOTE_HOST} \.info$
    RewriteRule .* - [F]
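
The “.info” in these signups is part of the e-mail address, which a site can test directly when the registration is validated. The sketch below is an added example, not code from the thread or from BuddyPress: `signup_email_is_banned()` and the sample addresses are made up here, and the hook assumes a WPMU/multisite install where the `wpmu_validate_user_signup` filter runs.

```php
<?php
// Added example (not from the thread): block signups by e-mail domain or TLD.
// signup_email_is_banned() and all sample addresses below are constructed.

/**
 * True when the address's domain matches a banned entry.
 * ".info" bans every domain ending in .info; "example.org" bans that domain
 * and its subdomains. Matching is anchored to the end of the domain, so
 * "info.example.com" is not caught by a ".info" rule.
 */
function signup_email_is_banned( $email, array $banned ) {
    $email = (string) $email;
    $at    = strrpos( $email, '@' );
    if ( false === $at ) {
        return true; // no domain part at all: refuse
    }
    // Lower-case and drop a trailing root dot ("spam.info.")
    $domain = rtrim( strtolower( trim( substr( $email, $at + 1 ) ) ), '.' );
    if ( '' === $domain ) {
        return true;
    }
    foreach ( $banned as $entry ) {
        $entry = strtolower( trim( $entry ) );
        if ( '' === $entry ) {
            continue;
        }
        // Turn "example.org" into ".example.org" so one suffix test covers both forms
        $suffix = ( '.' === $entry[0] ) ? $entry : '.' . $entry;
        if ( substr( '.' . $domain, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Assumption: WPMU / multisite, where this filter receives
// array( 'user_name' => ..., 'user_email' => ..., 'errors' => WP_Error ).
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wpmu_validate_user_signup', function ( $result ) {
        if ( signup_email_is_banned( $result['user_email'], array( '.info' ) ) ) {
            $result['errors']->add( 'user_email', 'Sorry, that e-mail domain is not accepted.' );
        }
        return $result;
    } );
} else {
    // Stand-alone run (php thisfile.php): print the decision for constructed input
    $samples = array( 'a@example.info', 'B@MAIL.EXAMPLE.INFO.', 'c@info.example.com', 'd@example.com', 'no-at-sign' );
    foreach ( $samples as $addr ) {
        printf( "%-24s %s\n", $addr, signup_email_is_banned( $addr, array( '.info' ) ) ? 'reject' : 'allow' );
    }
}
```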

    #68058
    djsteve
    Participant

    I am seriously considering using a robots.txt file to noindex nofollow my sitewide activity page and members page.

    Just to see what happens.. I have lost position for some keywords with the newer theme and setup now.. I also want to find where the alt tag for my site title is showing in the code so it is not alt-tagged “home” – I think those things will help it get to where it was.

    #68052
    David Lewis
    Participant

    I’m starting to get hit now :o( I have had a custom slug for weeks. I added a robots file today disallowing bot access from /my-signup-slug/ and also installed invisible defender but I’m still getting spam registrations. I also just deleted my wp-signup.php file. I’m going to try hashcash. I’m also considering a htaccess file that simply bans ALL traffic to the entire website from Russia, China and any .info domains.

    #67943
    Hugo Ashmore
    Participant

    Google ‘robots.txt file’ for starters

    Jean-Pierre Michaud
    Participant

    the activity means someone who is active on the site… registrations have to be complete before being considered active… this is to avoid spam bots being considered active on the site… so when the new members visit the site back and “do” something, they are tracked by the activity stream.

    #66327
    Windhamdavid
    Participant

    All in all, here’s my approach that I use on MU/BP sites ~

    1) modify the register/register.php wp-signup.php hardcoded default text and url slugs.

    2) enable xprofile and require additional fields upon registration.

    2) use a captcha ~ I’m fond of reCAPTCHA

    3) make sure you check the NO setting under “Allow blog administrators to add new users to their blog via the Users->Add New page.” in wp-admin/wpmu-options.php “Admin > Site Options”

    4) I ban or limit the registration domains (also in Admin > Site Options) so that the commonly used spammer domains are blocked from registration and then I add an email contact for owners of these addresses to manually request registration. I hide the email address from bots with HiveLogic EnKoder

    5) I then firewall off entire blocks of IP’s from my servers from commonly used spammer IP ranges you can find at sources like spamhaus.org .. and considering that these are one language sites, the need for access for the IP blocks on the pan asia network or eastern europe are unlikely. If you have a multilingual site, this might cause issues to very few users. Cpanel, Plesk, BSD, etc have tools to do this.. if you’re on a shared server, ask your hosting provider if they can do it for you, and they may be likely doing it already.

    6) I also recommend using Akismet.

    #66297
    Hugo Ashmore
    Participant

    Definitely remove the footer link if you haven’t already.

    I noticed an issue with spammers using CURL to download /registration so blocked that in .htaccess (It’s been mentioned on a thread somewhere how to)

    renaming the slug ‘registration’ is supposed to help.

    For me deactivating blog signup improved things significantly. Didn’t need users to be able to register for a blog at initial sign up they can take a blog once they are members.

    Despite all efforts and much study and approaches instigated one after the other to gauge effectiveness before adding next one I still am not sure how a few of the automated bots get through, human signups there isn’t much you can do about them apart from delete manually.

    All my efforts still result in around 10 signups daily that require dealing with manually.
