SPAM with no particular purpose??
Script URL:
Version of script: 1.6
Hosting company: Axishost
URL of phpinfo.php: http://www.beagleclubnsw.org.au/gbook
URL of session_test.php:
What terms did you try when SEARCHING for a solution: SPAM
Write your message below:
First of all I love this script. I am not a techie and was still able to install easily on a couple of my sites. So thank you!
I upgraded to V1.6 and all is working well but I keep getting these really silly entries like the following
Name: Viktorane
From: Viktorane
E-mail: Contact
Great site, enjoyed my stay, thanks for the cookies!
Added: September 9, 2008
It is obviously SPAM but I really don't get what they are doing it for. I find that when it appears in one, the same sort of thing appears in the other Gbook site as well.
I always delete the entry & ban the IP but a few days later, it happens again. It's more frustrating than annoying.
My apologies if this has been covered before but I did look through all the SPAM discussions and didn't see anything like this.
Is there some way I can stop this?
Thanks for any help.
Gwenda
This is how I solved this very same problem: I found that all these spams are coming from the same IP range in Poland (at least this is the case for my guestbook). So I'm now simply blocking these IP addresses from signing up to my guestbook with this code:
In gbook.php look for code:
Code:
if($a=='sign') {
printSign();
insert the following code between these two lines (replace "79.184." with the IP range you'd like to block):
Code:
# blocking 79.184.* ip range #
$ip = substr($_SERVER['REMOTE_ADDR'],0,7);
if ($ip == '79.184.') {
    problem($lang['e01'],0);
}
Works fine for me.
Franz
You can also try switching image colors for the security image (background to black and digits to white). Open secimg.inc.php in Notepad and change
Code:
$background_color = imagecolorallocate($im, 255, 255, 255);
$text_color = imagecolorallocate($im, 0, 0, 0);
to
Code:
$background_color = imagecolorallocate($im, 0, 0, 0);
$text_color = imagecolorallocate($im, 255, 255, 255);
Klemen, creator of HESK and PHPJunkyard
What IP range is that? If it's from a web host (server) we can report the abuse to the host.
Klemen, creator of HESK and PHPJunkyard
ghost appearance
I was experiencing the same problem from the same IPs. All listed blogspot.com as their website.
The Fneumeier fix seems to have conquered it.
Thanks!
Tom Thomas
Bend, Oregon
It seems that these spammers are changing their IP addresses as soon as they get blocked. But still, all are coming from Poland.
I now switched to another approach, i.e. looking up the top level domain for the IP address and blocking it if it's ".pl". Should work much better than just blocking specific IP ranges:
Code:
$domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$topleveldomain = substr($domainname,-3);
if ($topleveldomain == '.pl') {
    problem($lang['e01'],0);
}
Franz
Hi Franz
Thanks for the new workaround.
Instead of blanket blocking of all .pl domains (because there could be a legit person from Poland wanting to sign a Guestbook) could a more specific range be used eg
' .neoplus.adsl.tpnet.pl'
which seems to be common to all of the SPAM IP addresses.
Cheers
Gwenda
I personally wouldn't ban the entire .pl domain or an entire ISP. Just because one spammer is from there doesn't mean 99,9% of people from the same ISP shouldn't be allowed to visit a website, sign a guestbook, ...
For instance I get most spam attempts from US based IPs, should I ban everyone with a US IP from phpjunkyard.com?

Klemen, creator of HESK and PHPJunkyard
Klemen,
I agree - it depends on your individual situation. My website traffic is coming 99,9% from the US and from 1,400 guest book entries (I'm using the script as an online petition tool, actually) there is not a single entry from Poland. So I think in this case it's reasonable to just block .pl from making a guest book entry just because any other solution simply costs me more time to maintain than it's worth in relation to the benefit, i.e. the very unlikely situation that someone from Poland wants to add a guest book entry.
Franz
Initially, I thought the only reason the spams were being received was to notify a website, so I changed the "Your website:" field for entries not to show the visitor's website. (I also swapped the security image colours as suggested by Klemen.) I have found these steps do not stop this particular source(s) of spam entries - two recent ones were:
83.23.28.241 (dbc241.neoplus.adsl.tpnet.pl)
79.186.33.93 (aebh93.neoplus.adsl.tpnet.pl)
I want to try a combination of Franz's code and Gwenda's solution. Should the code be as follows?:
Code:
$domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$topleveldomain = substr($domainname,-3);
if ($topleveldomain == '*.neoplus.adsl.tpnet.pl') {
    problem($lang['e01'],0);
}
And where precisely in gbook.php should this code be inserted? (Should it go between the if($a=='sign') { and printSign(); lines?)
Russ
[Version of script: 1.6
Hosting company: 1&1
URL of phpinfo.php: http://clag.org.uk/comment-book/gbook.php ]
make it -22 instead of -3 and you should be fine.
> Should it go between the if($a=='sign') { and printSign(); lines?
exactly; that's where it has to go. It only prevents these people from SIGNING your guestbook but they can still view the guestbook pages.
By the way: I'm not even using the "website" field and got the spam anyway.
Franz
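The hostname check discussed in this thread, written as an added example (not code from the guestbook script or from any poster): it compares the end of the reverse-DNS name against a suffix whose length is computed rather than counted by hand, since `==` treats `*` as a literal character, not a wildcard. The helper names `host_has_suffix` and `is_blocked_client` and the lookup table are assumptions for illustration; the two `neoplus` hosts are the ones quoted above.

```php
<?php
// Added example; helper names are hypothetical, not part of the guestbook script.

// True when $host equals $suffix or is a subdomain of it.
// Case-insensitive; leading/trailing dots on either argument are ignored.
function host_has_suffix(string $host, string $suffix): bool
{
    $host   = strtolower(rtrim($host, '.'));
    $suffix = strtolower(trim($suffix, '.'));
    if ($suffix === '') { return false; }
    if ($host === $suffix) { return true; }
    $needle = '.' . $suffix;
    return strlen($host) > strlen($needle)
        && substr($host, -strlen($needle)) === $needle;
}

// Reverse-resolve $ip and test the name against the blocked suffixes.
// gethostbyaddr() returns the IP unchanged when no PTR record exists and
// false on malformed input; both are treated as "not blocked" (fails open).
function is_blocked_client(string $ip, array $suffixes, ?callable $resolver = null): bool
{
    $resolver = $resolver ?? 'gethostbyaddr';
    $host = $resolver($ip);
    if ($host === false || $host === $ip) {
        return false;
    }
    foreach ($suffixes as $suffix) {
        if (host_has_suffix($host, $suffix)) {
            return true;
        }
    }
    return false;
}

// Constructed lookup table standing in for DNS so the example runs offline.
$fakeDns = [
    '83.23.28.241' => 'dbc241.neoplus.adsl.tpnet.pl', // host quoted in the thread
    '79.186.33.93' => 'aebh93.neoplus.adsl.tpnet.pl', // host quoted in the thread
    '192.0.2.10'   => 'mail.example.pl',              // constructed: unrelated .pl host
];
$resolver = fn(string $ip) => $fakeDns[$ip] ?? $ip;   // unknown IP comes back unchanged
$blocked  = ['neoplus.adsl.tpnet.pl'];

foreach (['83.23.28.241', '79.186.33.93', '192.0.2.10', '192.0.2.99'] as $ip) {
    $verdict = is_blocked_client($ip, $blocked, $resolver) ? 'blocked' : 'allowed';
    printf("%-13s %s\n", $ip, $verdict);
}
```

In gbook.php the call would sit where the thread places the check, e.g. `if (is_blocked_client($_SERVER['REMOTE_ADDR'], $blocked)) { problem($lang['e01'],0); }`. The reverse lookup runs on every sign request, and the name it returns is set by whoever controls the address's PTR record.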