Reducing SPAM registrations - ZBBLOCK

yazoo

After installing a new runup of Discuz, I started getting a lot of spam registrations.  My research found me a solution that has eliminated the problem.

There is a free service called stopforumspam.com that has over 43 million spam sources identified.  The service is run by volunteers.

A php script is available that looks for suspicious behaviour and also looks up the ip at stopforumspam.com.  It is available at http://www.spambotsecurity.com/zbblock.php

It is also free.

To install, expand the zbblock zip file in your www root.  It will create its own subdirectory.  Open setup.php in your web browser.  The script analyzes your environment and offers 7 options.  For me on a LAMP environment, the seventh choice was optimal.  After choosing it, I was given a php tag to put at the beginning of any php file I wanted to protect on the server.

I put the tag at the very beginning of my member.php and watched as my bandwidth dropped and my fake registrations dropped to zero.  I put it in front of some other php files as well, but haven't noticed them in the logs so they are probably not necessary.

You can configure logging in the ini file, here is an excerpt of what the killed_log looks like if you enable it.  If you do enable it, check in and truncate it every so often as it will grow quite big.

1. <font face="Arial" size="1">#: 16 @: Tue, 12 Feb 2013 15:31:37 -0800 Running: 0.4.10a1
   
2. Host: 137.7.207.91.unknown.steephost.net
   
3. IP: 91.207.7.137
   
4. Score: 1
   
5. Violation count: 1
   
6. Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (local).
   
7. Query: mod=register
   
8. Referer: http://strayingdogs.com/dx/member.php?mod=register
   
9. User Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.91 Safari/537.11
   
10. Reconstructed URL: http:// strayingdogs.com /dx/member.php?mod=register
    
11. 
    
12. #: 17 @: Tue, 12 Feb 2013 15:31:43 -0800 Running: 0.4.10a1
    
13. Host: 137.7.207.91.unknown.steephost.net
    
14. IP: 91.207.7.137
    
15. Score: 1
    
16. Violation count: 2
    
17. Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (local).
    
18. Query: mod=register
    
19. Referer: http://strayingdogs.com/dx/member.php?mod=register
    
20. User Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.91 Safari/537.11
    
21. Reconstructed URL: http:// strayingdogs.com /dx/member.php?mod=register
    
22. 
    
23. #: 18 @: Tue, 12 Feb 2013 15:31:49 -0800 Running: 0.4.10a1
    
24. Host: 137.7.207.91.unknown.steephost.net
    
25. IP: 91.207.7.137
    
26. Score: 1
    
27. Violation count: 3 BANNED
    
28. Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (local).
    
29. Query: mod=register
    
30. Referer: http://strayingdogs.com/dx/member.php?mod=register
    
31. User Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.91 Safari/537.11
    
32. Reconstructed URL: http:// strayingdogs.com /dx/member.php?mod=register
    
33. 
    
34. #: 19 @: Tue, 12 Feb 2013 16:23:48 -0800 Running: 0.4.10a1
    
35. Host: spider-199-21-99-82.yandex.com
    
36. IP: 199.21.99.82
    
37. Score: 2
    
38. Violation count: 1 INSTA-BANNED
    
39. Why blocked: Yandex is banned. INSTA-BAN (SPD-110). Yandex is banned. INSTA-BAN (HN-0110). You have been instantly banned due to extremely hazardous behavior!
    
40. Query: mod=redirect&tid=19&goto=lastpost
    
41. Referer:
    
42. User Agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
    
43. Reconstructed URL: http:// strayingdogs.com /dx/forum.php?mod=redirect&tid=19&goto=lastpost
    
44. </font>

Copy the Code

vot

To install, expand the zbblock exe file in your www root.  It will create its own subdirectory.  Open setup.php in your web browser.  The script analyzes your environment and offers 7 options.  For me on a LAMP environment, the seventh choice was optimal.  After choosing it, I was given a php tag to put at the beginning of any php file I wanted to protect on the server.

I put the tag at the very beginning of my members.php

Please verify and edit this text!
1) what means "expand the zbblock exe file"
2) what the subfolders will be created
3) what the 7 options
4) members.php does NOT exist

yazoo

Hi Vot.  Sorry I was a little sloppy in my description.  To answer your questions:

1.  I should have said expand zbblock.zip. from your web root.
2.  It will create just one subfolder zbblock
3. I'm not sure what all the 7 options are.  They are explained in the manual, and are for systems with different configurations.  I think option 3 works for Windows and 7 works for Linux.  I've uploaded a copy of the manual.
4. Sorry not members.php but member.php.  Here's what mine looked like after I edited it:

1. <?php require('/home/straying/public_html/zbblock_0_4_10a1/zbblock.php'); ?><?php
   
2. 
   
3. /**
   
4. *      [Discuz!] (C)2001-2099 Comsenz Inc.
   
5. *      This is NOT a freeware, use is subject to license terms
   
6. *
   
7. *      $Id: member.php 20112 2011-02-15 07:10:53Z monkey $
   
8. */
   

Copy the Code

The first php require phrase is the text that I added.


Edit 02/18/2013.  Noted some more spam hits, so added the php header to forum.php as well.  That eliminated another source...

1. #: 108 @: Mon, 18 Feb 2013 06:03:42 -0800 Running: 0.4.10a1
   
2. Host: 91.236.74.103
   
3. IP: 91.236.74.103
   
4. Score: 1
   
5. Violation count: 1
   
6. Why blocked: Suspected spamtool mail.ru agent (UA-0135).
   
7. Query:
   
8. Referer: http://strayingdogs.com/forum.php
   
9. User Agent: Opera/9.80 (Windows NT 5.1; U; MRA 5.10 (build 5310); ru) Presto/2.10.289 Version/12.00
   
10. Reconstructed URL: http:// strayingdogs.com /dx/forum.php

Copy the Code

vot

To answer your questions:

Why NEW post???
Just EDIT the first post!
People want to see an instruction in a single post.