e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

Spam Bug Report #441

Status: Closed (utopiate closed this issue 9 years ago)

utopiate commented 11 years ago

My site has been getting hit with Chinese spambots. Captchas are enabled. SFS is installed, but bots are able to post on any thread that is 'viewable' by the public. All my threads have post permissions restricted to members only, but if the thread is set to viewable by the public then these bots are able to post without an account.

I've now set my forum so only members can view, which seems to have stopped it, but obviously this isn't ideal.

Running the latest GitHub files. Not sure what other info you need?

Moc commented 10 years ago

@CaMer0n This is the forum issue I meant, will see if I can reproduce it.

Edit: unable to reproduce thus far. When manually trying to post without being logged in, I get the correct error message:

Error

You are not authorized to post to this forum.

Jimmi08 commented 10 years ago

But these bots create an account first, so they are logged in before posting (going on 1.0.4). @utopiate To block Chinese spam, look at this forum thread: http://www.e107.org/e107_plugins/forum/forum_viewtopic.php?233688.0 and MysterF's htaccess: http://pastebin.com/rWESDyxw Plus a combination with blocking known addresses of spammers; somewhere on the forum there was a list.

Moc commented 10 years ago

No there's another issue going on here, which has happened on multiple v2 websites now. I'm specifically referring to the situation where forum posts are created without having an account.

As quoted from the original report by @utopiate: then these bots are able to post without an account.

willem010 commented 10 years ago

Yeah, we noticed this too. Hard to delete the spam, due to there being no linked account. I figured the bot creates an account, spams, and deletes the account again?

Moc commented 10 years ago

Users are not able to delete their own account (or shouldn't be... not sure where the bug is located).

willem010 commented 10 years ago

XOBOTER 2014, a signature left in a lot of these spam messages, but Google doesn't seem to know it?

Edited: The problem only seems to exist on the v2 website. The old website does not seem to be affected.

I will try to see if I can post messages on another user account using a direct POST request to the database handlers.

willem010 commented 10 years ago

It could be a coincidence, but my sites using cookies for authentication have this problem. The site using sessions didn't have this until changing to cookies.

Moc commented 10 years ago

cookies for authentication

Are we talking about the 'User Tracking method' preference in Security & Protection?

willem010 commented 10 years ago

Yep.

willem010 commented 10 years ago

Here we go again..

[image: forum no linked user]

[image: forum no linked user - not found]

Non-existing user posting.

And a [deleted] user posting..

Moc commented 10 years ago

What are the view/post permissions set for these forums?

willem010 commented 10 years ago

view: everyone; post: members

willem010 commented 10 years ago

In fact, no one should be able to post..? Looking at my users table, all users have been set to Everyone (public) (the bug from the upgrade..). Members isn't even an option when I click the edit userclass link.

Moc commented 10 years ago

@willem010 I'm curious, how does this show in the database? Can you show me a screenshot of the relevant row in phpMyAdmin of both the user table (if there is a new user row... which I don't think there is?) and of the forum table (of the forum topic the 'spambot' posted up).

As for the userclasses: I remember having a discussion about this here on GitHub, I just cannot find the relevant issue at this point to look up what the outcomes were. The userclasses are set correctly, but the naming of them is currently confusing ('Members' UNDER 'Everyone (public)' is hierarchically confusing indeed).

willem010 commented 10 years ago

We've just cleaned out the spam from our database, but I think there will be new spam within a day or so.

There seem to be 2 types of posts (both show in the image posted earlier). The [deleted] ones are the toughest: they leave no IP for me to find, so I can't ban those. If [deleted] means the system deleted something, please make it log an IP, but I guess it shows this way because there is no related user account?

The other posts are using a name in the post, and an IP shows in the posted message. For some reason there does not seem to be a related user record, or the search in users isn't really working. (I will check.)

On the next spam I will check the tables and post the info.

About the userclasses.. so the Members class IS Everyone? I would think that Everyone are users without an account as well?

Moc commented 10 years ago

but I guess it shows this way because there is no related user account?

Correct. It's not supposed to happen though.

the other posts are using a name in the post, and an IP shows in the posted message.

I'm very curious to see how this is represented in the database (both in the user table, if present, and in the forum table).

userclasses.. so the Members class IS Everyone?

No. Everyone is supposed to be everyone, which means also the guests. You could say:

a) Everyone (public) = members + guests
b) Members = registered accounts on your website

However, the way it's currently hierarchically displayed in the new userclass system is confusing and should be looked into for sure. Like I said, there was some discussion about it already, I just cannot find the issue anymore to have it linked... Will try and dig deeper.

willem010 commented 10 years ago

OK, then something is really wrong here.. Like I said before, all my users are set to Everyone (result from my upgrade..), so they should not even have Member (= posting) rights on the whole forum. Except for some of my admins, no one should be able to post with the current settings, yet spambots do get through.

Moc commented 10 years ago

Note that I said this:

a) Everyone (public) = members + guests

If they are set to Everyone (public), they may also be 'member'. If they appear in the user table, they're 'member'. Everyone (public) also includes guests. As I said, the current naming and displaying is very confusing.

willem010 commented 10 years ago

Haha, yeah.. this is confusing, but I get it now.

Thanks.

willem010 commented 10 years ago

Here's another spam message.

Checking the database, post_user = 0 but post_anon_user has been set..

[image: anon-post]

willem010 commented 10 years ago

Here are 2 more records, forum posts.

The record showing up as [deleted] does contain an IP, but it won't show in the message itself.

willem010 commented 10 years ago

I think I found the problem..

/e107_plugins/forum/forum_post.php?f=rp&id=294

You don't need to be logged in to post like this.

Moc commented 10 years ago

I think I found the problem.. /e107_plugins/forum/forum_post.php?f=rp&id=294 You don't need to be logged in to post like this.

When I tried this, I got an error message: [image]

Looking into this further now.

Moc commented 10 years ago

I remember something about an 'anonymous posting' setting...I just cannot find it.

willem010 commented 10 years ago

Yeah, that's in the prefs: [image: anon-posting-no]

And these are the settings for the forum topic where the post ends up: [image: posting-rights]

But I just noticed it doesn't really matter, because changing the number in that URI posts in another topic, which is also set for member posting only.

Moc commented 10 years ago

And you are sure you are logged out when trying that link? When I do so, I get the error that says I'm not authorized... Will look into the anonymous posting thing, perhaps it's not applied properly.

willem010 commented 10 years ago

Pretty sure..

[image: post-while-loggedoff]

Try it on my site, I think you know the URL by now :P (I don't feel comfy posting the direct link now, haha.)

willem010 commented 10 years ago

Euhm....

When I set "Allow anonymous posting" to YES, then this problem is gone..

AKA.. SOMEONE REVERSED THIS VAR // [image: anon-post-allow-yes]

Now I get what I want to see: not allowed.

This is clearly not the only setting that got reversed. I did report more of these (comments posting.. same issue).

Maybe someone with knowledge of the English language should check all this?
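To make the authorization logic under discussion concrete, here is an added PHP sketch (not e107's own code) of the guest-posting decision: the inverted read of the "Allow anonymous posting" preference that willem010 describes, beside a corrected check, plus a row test using the post_user / post_anon_user columns mentioned above. The preference key, the `$forum['post_class']` layout, and the userclass ids are assumptions.

```php
<?php
// Added example, not e107 code. Models the forum post-authorization decision from this issue.
// Assumptions: $prefs['anon_post'] is the "Allow anonymous posting" flag ('0'/'1'; key name
// hypothetical), $forum['post_class'] is the forum's post userclass (hypothetical key),
// $user is null for a guest, and the userclass ids below are constructed.

const CLASS_PUBLIC  = 0;    // "Everyone (public)" = members + guests
const CLASS_MEMBERS = 253;  // "Members" = registered accounts (constructed id)

/** Buggy variant: the anonymous-posting flag is negated, so "No" is what lets guests post. */
function canPostBuggy(array $prefs, ?array $user, array $forum): bool
{
    $anonAllowed = !(bool)$prefs['anon_post'];   // BUG: inverted read of the preference
    if ($user === null) {
        return $anonAllowed;                     // also never consults the forum's post class
    }
    return in_array($forum['post_class'], $user['classes'], true);
}

/** Corrected: a guest posts only if the preference allows it AND the forum is open to everyone. */
function canPost(array $prefs, ?array $user, array $forum): bool
{
    $anonAllowed = (bool)$prefs['anon_post'];
    if ($user === null) {
        return $anonAllowed && $forum['post_class'] === CLASS_PUBLIC;
    }
    // A registered account is part of "Everyone (public)" too, so a public forum admits it.
    if ($forum['post_class'] === CLASS_PUBLIC) {
        return true;
    }
    return in_array($forum['post_class'], $user['classes'], true);
}

/** Flags a forum post row written without a linked account (post_user = 0, post_anon_user set). */
function isUnlinkedPost(array $row): bool
{
    return (int)$row['post_user'] === 0 && trim((string)($row['post_anon_user'] ?? '')) !== '';
}

// Constructed scenario from the thread: "Allow anonymous posting" = No,
// forum post rights = Members, and the request comes from a guest (not logged in).
$prefs = ['anon_post' => '0'];
$forum = ['post_class' => CLASS_MEMBERS];
echo 'buggy check lets guest post: ', var_export(canPostBuggy($prefs, null, $forum), true), PHP_EOL;
echo 'fixed check lets guest post: ', var_export(canPost($prefs, null, $forum), true), PHP_EOL;
$row = ['post_user' => 0, 'post_anon_user' => 'XOBOTER 2014'];   // constructed row
echo 'row flagged as unlinked:     ', var_export(isUnlinkedPost($row), true), PHP_EOL;
```

The buggy variant admits the guest exactly when the preference is set to No, which matches the behaviour willem010 observed flipping when the setting was switched to Yes.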

willem010 commented 10 years ago

@MOC, can you check? I suspect in your setup this setting is set to YES?

Moc commented 10 years ago

Will check asap, currently backlogged.

willem010 commented 10 years ago

.. This morning again.. spam.

Not the volume I got before: instead of the usual 300 spam posts, only 3 managed to get through. But still.. posts by [deleted] and anonymous users.

BTW, sometimes when I'm logged in as admin (Chrome, Win7) I'm not able to post or create threads myself. I need to open the admin page first, then reopen the forum and all works again. In some way I feel this is a related issue. (Or should I make another post for this?)

willem010 commented 10 years ago

Reading another issue it hits me.. could this be just another result of my upgrade going wrong?

.. After noticing another Chinese spam session.. again hundreds of posts in a matter of minutes.

I have decided.. to delete the forum.. it is not stable at all.

Moc commented 10 years ago

I suspect in your setup this setting is set to YES?

Nope. When I set it to 'yes' and try the manual link, e.g. e107_plugins/forum/forum_post.php?f=nt&id=2, I get the same 'not authorized to post' error as I showed above. Not sure what's going on here.

This is clearly not the only setting that got reversed. I did report more of these (comments posting.. same issue).

I don't think the setting is reversed though. The comments posting setting was fixed months ago. If there are any others, just submit a new issue for them and they will be looked into.

I have decided.. to delete the forum.. it is not stable at all.

The entire system (v2) is not stable yet; it's an alpha version, which is a development version, not meant for a stable live website. Now most of the core is semi-stable, but the plugins need far more work. Especially the forum plugin is broken atm.

Moc commented 10 years ago

However, the way it's currently hierarchically displayed in the new userclass system is confusing and should be looked into for sure. Like I said, there was some discussion about it already, I just cannot find the issue anymore to have it linked... Will try and dig deeper.

It's been over two weeks, but I found it, haha: https://github.com/e107inc/e107/issues/406