SPAM with no particular purpose??

Dr. GBooky is here to help you with your guestbook problems ...
Post Reply
Russ_E
Posts: 7
Joined: Thu Sep 18, 2008 4:24 pm

Post by Russ_E »

Franz - the new code did not perform the required blocking. I uploaded the revised gbook.php last night, but this morning I got a spam from:
79.186.34.193 (aebi193.neoplus.adsl.tpnet.pl) [renesilje@kupamasz.com]

To clarify, and to make sure I haven't made a mistake in your suggestions, the relevant section of my current gbook.php is:

Code: Select all

    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-22);
    if ($topleveldomain == '*.neoplus.adsl.tpnet.pl') {
    problem($lang['e01'],0);
    } 
        printSign();
Any clues on why this might not be working?

Russ

P.S. Googling 'kupamasz.com' reveals the extent of the spam on various types of guestbook, including gbook.
Top
Russ_E
Posts: 7
Joined: Thu Sep 18, 2008 4:24 pm

Post by Russ_E »

Further to my previous message, I tried taking out the '*' in my posted section of code, and it now seems to be successful in stopping spam from the particular source. The revised section of code is:

Code: Select all

    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-22);
    if ($topleveldomain == '.neoplus.adsl.tpnet.pl') {
    problem($lang['e01'],0);
    } 
        printSign();
Russ
Top
jdpalmer
Posts: 2
Joined: Tue Dec 23, 2008 7:48 pm

Post by jdpalmer »

Russ, Thanks for posting this. It solved my problem from this same spammer 100%, but now I am getting similar meaningless spam from
82.116.47.192 (nat-area00.dialup.renet.ru)

I'm sure I could use area00.dialup.renet.ru in the same code, but would I make two complete entries like the one you did, one with each domain or will the same code work, with just listing the two offening domains? And how would that be listed? I'm sorry I don't really understand the code, but know that it sure worked for me on the first one.

Jerry



Russ_E wrote:Further to my previous message, I tried taking out the '*' in my posted section of code, and it now seems to be successful in stopping spam from the particular source. The revised section of code is:

Code: Select all

    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-22);
    if ($topleveldomain == '.neoplus.adsl.tpnet.pl') {
    problem($lang['e01'],0);
    } 
        printSign();
Russ
Top
Russ_E
Posts: 7
Joined: Thu Sep 18, 2008 4:24 pm

Post by Russ_E »

Jerry - I don't really understand the syntax of the code either. I assume two 'sections' of code would do the job, viz:

Code: Select all

    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-22);
    if ($topleveldomain == '.neoplus.adsl.tpnet.pl') {
    problem($lang['e01'],0);
    }
        printSign();
    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-26);
    if ($topleveldomain == 'nat-area00.dialup.renet.ru') {
    problem($lang['e01'],0);
    }
        printSign();
Unlike the existing Poland domain, note that the second part of the above code hasn't got a '.' in front of 'nat-area00.dialup.renet.ru', because nat-area00.dialup.renet.ru is I think the complete domain from which you are getting new spam. I think this may correctly identify the source of your new spam. The value of '26' in the previous line has to match the exact number of characters, including period marks, in the address domain you are citing.

Please advise if you get any success with the above, Jerry.

I expect the code could be combined in a better and/or more efficient way, but I'm not sure how it should be structured - as a completely wild guess, something like the following???:

Code: Select all

    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-22);
    if ($topleveldomain == '.neoplus.adsl.tpnet.pl') {
    problem($lang['e01'],0);
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-26);
    if ($topleveldomain == 'nat-area00.dialup.renet.ru') {
    problem($lang['e01'],0);
    }
        printSign();
Perhaps Franz or Klemen or one of the others more acquainted with coding can advise on a better way of concatenating the domain sources in the code. It would be a good idea to know this, because we're all likely to be subject to experiencing spam from multiple sources, and knowing the right methodology would be useful for everyone.

Russ
Top
jdpalmer
Posts: 2
Joined: Tue Dec 23, 2008 7:48 pm

Post by jdpalmer »

Russ,

Thanks so much. Right after I made the post, they quit making postings so I held off trying your suggestion. Must have taken a Holiday break! You would think these people would have better things to do with their time!! Anyway, I just started getting them again last night so I added the code per your suggestion with modifications. I had to try several variations since just duplicating all the lines broke the guest book. Anyway, here is what I now have that at least does not break the book. We'll see if the postings are blocked. Any variations of this code broke the guest book.

Code: Select all

    if($a=='sign') {
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-22);
    if ($topleveldomain == '.neoplus.adsl.tpnet.pl') {
    	problem($lang['e01'],0);
    }
    $domainname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $topleveldomain = substr($domainname,-26);
    if ($topleveldomain == 'nat-area00.dialup.renet.ru') {
    	problem($lang['e01'],0);
    }
        printSign();
I basically took your suggestions, but did not duplicate the: if($a=='sign') { and the: printSign();

I'll be sure and post any results I get. Thanks again, I would have had no idea on the number of digits field so I would have not been successful. Here is the guest book: http://guestbook.fdnytenhouse.com/gbook.php

Jerry
Top
b0bst3r
Posts: 5
Joined: Fri Apr 11, 2008 6:44 pm

Post by b0bst3r »

I am getting a similar thing but the spam is usually one word or two and looks like drug names (I've no idea really).

Is there anyway to not post to the guestbook unless there's a certain number of words in the post?
Top
Klemen
Site Admin
Posts: 10116
Joined: Fri Feb 11, 2005 4:04 pm

Post by Klemen »

You can try changing adding something like this

Code: Select all

$words = explode(' ',$comments);
if (count($words) < 5)
{
	printSign($name,$from,$email,$url,$comments,$sign_nosmileys,$sign_isprivate,'Your comment is too short');
}
after

Code: Select all

        if (empty($comments))
        {
            printSign($name,$from,$email,$url,$comments,$sign_nosmileys,$sign_isprivate,$lang['e06']);
        }
in gbook.php
Klemen, creator of HESK and PHPJunkyardWas this helpful? You can buy me a drink here Image

Image You should follow me on Twitter here

Help desk software | Cloud help desk | Guestbook | Link manager | Click counter | more PHP Scripts ...

Also browse for php hosting companies, read php books, find php resources and use webmaster tools
Top
b0bst3r
Posts: 5
Joined: Fri Apr 11, 2008 6:44 pm

Post by b0bst3r »

Works a treat thanks.
Top
Post Reply

Return to “GBook - guestbook”