Spam Hurdles Module (CAPTCHA's and other anti-spam tools)

Posted by Maurice Makaay 
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 05, 2006 05:22AM
Thank you for sending me the log martin72. I am very surprised about the results. Apparently, the following POST data was used for posting a message reply:
Array
(
     => 
    [subject] => Re: Thanks From Êèò Äàíí
    [forum_id] => 2
    [author] => Big Black [... rest of the body was removed to protect the innocent]
    [body] => Big Black .....
    [parent_id] => 186
    [thread] => 186
)
I do not see any way in which this would get through the posting script. Even without spam hurdles this data should not be accepted. One important thing that is missing is, for example, the [finish] parameter in the request, which tells Phorum to load the actual message posting script (include/posting/action_post.php).

I did set up a simple webpage with a form on it that contained exactly the form data that was in the log and tried to post that to your website. As expected, the message did not get posted.

So something fishy's going on, but I do not yet know what. I need more extended logging for this. Please install the updated module from my previous message and send me additional logging. I included the $_SERVER environment in the new version, so I can see what URL is being called by the spammer.

*very curious* ;)


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 05, 2006 05:40PM
Maurice,

I've sent you a new log and closed the guestbook because I'm tired of deleting spam. Please let me know if you have any thoughts about this situation.

Thanks.
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 05, 2006 06:11PM
Yes, I was able to track the problem using the log you created. The solution to all this was very simple after all. The old post.php script from Phorum 5.0 is still on your system (5.1 and up use posting.php instead) and that one is not protected by the Spam Hurdles since it's not considered to be available.

Two things were done:

1) A fix in the Spam Hurdles module, which checks if a script named post.php is called. If this is the case, then an error is displayed and processing is stopped. Even if an old script is installed, then it cannot be used anymore for posting spam.

2) A dummy post.php was added to the Phorum distribution to make future upgrades overwrite any existing post.php with an empty one.

If you install the new version of the Spam Hurdles module (see first post), then your problems should be fully over. Additionally, you could throw away the post.php script from your Phorum directory.

Thanks for providing the logs which solved this issue!


Maurice Makaay
Phorum Development Team
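An added example, not part of the original thread or of the Phorum code: a shell check for the situation described in the post above, where an entry script retired by an upgrade (post.php) stays on disk outside the module's protection. It generalizes from post.php to any top-level .php file missing from the current release's file list; the function names, the manifest format and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not Phorum code. Prints every top-level *.php file in an
# install directory that the current release does not ship, such as a
# post.php left over from 5.0 after upgrading to 5.1.
# Assumption: the manifest lists shipped files as relative paths, one per line.

find_stale_scripts() {
    install_dir=$1
    manifest=$2
    [ -d "$install_dir" ] || { echo "no such directory: $install_dir" >&2; return 2; }
    [ -r "$manifest" ] || { echo "cannot read manifest: $manifest" >&2; return 2; }

    for path in "$install_dir"/*.php; do
        [ -f "$path" ] || continue      # the glob matched nothing
        name=${path##*/}
        # -F literal, -x whole line: "post.php" must not count as shipped
        # just because "include/posting/action_post.php" contains it.
        grep -qxF -- "$name" "$manifest" || printf '%s\n' "$name"
    done
}

# Constructed sample: a 5.1-style tree that still holds the old post.php.
demo_stale_scripts() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/phorum/include/posting"
    touch "$tmp/phorum/index.php" "$tmp/phorum/posting.php" \
          "$tmp/phorum/post.php" "$tmp/phorum/include/posting/action_post.php"
    printf '%s\n' index.php posting.php include/posting/action_post.php \
        > "$tmp/manifest.txt"
    find_stale_scripts "$tmp/phorum" "$tmp/manifest.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo_stale_scripts; fi
```

Any name it prints is a script the web server will still execute even though the current release no longer expects it to exist.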
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 05, 2006 06:29PM
Thank you very much, I've installed your new module and deleted the post.php from /phorum/ directory. Let's see if it helps.

Thanks.
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 06, 2006 11:36AM
Typical, I was expecting there to be a really sophisticated method of bypassing the module! :-)

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 06, 2006 01:15PM
No, I seriously believe I made it really hard for spambots to bypass it ;-) But for those who do get a lot of spam past it, the logger module should be great to find out why. So for those who are still suffering from spam: install that module from this thread and send me the logfile after receiving some spam.


Maurice Makaay
Phorum Development Team
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 10, 2006 09:03AM
Very nice module. I'm currently my own module which requires a captcha so I patched this one a bit by adding support for "generic" captcha type like this: I changed 'if' on line 127 to this:
    if ((!isset($PHORUM["SPAMHURDLES"]["captcha"]) &&
        (($type == "posting" && do_spamhurdle("posting_captcha")) ||
        ($type == "register" && do_spamhurdle("register_captcha")))) ||
        $type == "generic") {

and I integrate captcha in my own module like this

    // show captcha
    phorum_mod_spamhurdles_init("generic");
    $GLOBALS["PHORUM"]["SPAMHURDLES"]["shown_form"] = "generic";
    phorum_mod_spamhurdles_build_form("generic");

    /* . . . */

    // check for captcha validity (in different hook)
    $error = phorum_mod_spamhurdles_run_submitcheck("generic");

Seems to be working. Of course, it requires the spamhurdles module to be enabled. Do you think it's the right way? Maybe you could officially support something like this.
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 10, 2006 09:40AM
I think you're on the right track here to put the captcha in custom forms. I don't really like the fact that you would need to set the shown_form field yourself, so I changed the phorum_mod_spamhurdles_build_form() call a bit to let that one set that field. I also changed the term "generic" to "external_captcha" to describe a bit better what it does.

Please download the new version 1.0.9 and try if this way of integration works for you:
        // Show the CAPTCHA in one hook.
        phorum_mod_spamhurdles_init("external_captcha");
        phorum_mod_spamhurdles_build_form("external_captcha");

        /* . . . */

        // Check for CAPTCHA validity when posting the form.
        $error = phorum_mod_spamhurdles_run_submitcheck("external_captcha");


Maurice Makaay
Phorum Development Team
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 12, 2006 05:33AM
Yeah, seems good... thnx...
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
October 12, 2006 06:21AM
I am having to clean up the huge number of folders and files this module generates via a cronjob that runs every hour.
i.e.:
rm -R /usr/local/tmp/big-long-key/mod_spamhurdles/*

I was trying to only delete directories that contain files older than 10 minutes, but the nested nature of the folders made this tricky.
I was trying things like
find /usr/local/tmp/big-long-key/mod_spamhurdles/ -type f -mmin +10 -name '*.php' | xargs rm -f

Maurice, what is your recommended method of cleaning up these files?

Thanks,

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz
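An added example, not part of the original thread or of the module: one way to do the age-based cleanup asked about in the post above, deleting expired files first and then whatever nested directories are left empty. The function names and the sample tree are assumptions, as is the premise that files untouched for longer than the threshold are no longer needed.

```shell
#!/bin/sh
# Added example, not part of the Spam Hurdles module.

prune_spamhurdles_cache() {
    cache_dir=$1
    max_age_min=${2:-10}

    # Refuse anything that is not a .../mod_spamhurdles directory, so an unset
    # or mistyped variable can never turn this into a delete of / or /tmp.
    case $cache_dir in
        */mod_spamhurdles|*/mod_spamhurdles/) ;;
        *) echo "refusing to prune: $cache_dir" >&2; return 2 ;;
    esac
    [ -d "$cache_dir" ] || return 2
    case $max_age_min in
        ''|*[!0-9]*) echo "age must be whole minutes" >&2; return 2 ;;
    esac

    # 1) Files only: delete those last modified more than N minutes ago.
    find "$cache_dir" -mindepth 1 -type f -mmin "+$max_age_min" -delete
    # 2) Directories: -delete implies -depth, so children are handled before
    #    parents and a chain of empty nested folders collapses in one pass.
    find "$cache_dir" -mindepth 1 -type d -empty -delete
}

# Constructed sample tree: one expired file, one fresh file, one empty chain.
demo_prune() {
    tmp=$(mktemp -d) || return 1
    root="$tmp/mod_spamhurdles"
    mkdir -p "$root/a/b" "$root/c" "$root/e/f"
    touch -t 200610120621 "$root/a/b/old.php"   # long expired
    touch "$root/c/new.php"                     # still fresh
    prune_spamhurdles_cache "$root" 10
    (cd "$root" && find . -mindepth 1 | sort)   # what survived
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo_prune; fi
```

Step 2 also removes directories that were created moments ago and are still empty; adding `-mmin` to the second `find` avoids that at the cost of emptied folders surviving until a later run.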