- Joined
- Aug 24, 2004
- Messages
- 4,066
- Solutions
- 17
- Reaction score
- 591
- Points
- 140
- Favorite Pinball Machine
- Titanic Hospital
We have another Spambot. I noticed that they use PHP Sequential Numbers.
This creates a Pseudo-Random set of replies, and then they Copy/Paste a New Reply.
Doesn't that strike you as unusual that they would open random threads in concise php numerical order and then always have something to say? For example, our current visitor:
The spambot is starting with a number, in this case, 94392. It scans the page for a reply, copies it, then it uses the Submit command without using the Post Reply button. I know this because I found in fooling around that I could assert my own Submit button as a Form in a thread, and when I clicked it, the next page stated that no textarea data was received, or to that effect.
So the bot is simply asserting the Submit command from its script without clicking any buttons, and doing so by copying a few lines from an existent post and them committing the copy to Paste in a textarea variable.
And when it is done posting to that thread, it then increases the p= number by 1 or more.
Fixes would be to block PHP sequential page number requests and / or posting in those sequential requests. Why? Because the resultant pages are numerically sequential, but totally random as to topic, and often pull up a sequential page that is in fact from an ancient post from several years ago on an off-topic which is after the previous php sequential page which may be from today or yesterday.
And then his location. Where is his location? Shouldn't that be enabled so that we can figure on Abu Dhabi?
Are you sure that the assigning of sequential numbers to random present/past posts is not a security device to detect the bots?
So, what might work is blocking the sequential search method linked to the IP Address or the User's system I.D. and/or monitoring the speed of the searches. Our current visitor is posting twice within the same minute, but that would not be the clue.
If it is posting twice a minute, then how many of its page requests are being requested within a minute? Maybe all 6 or 8 or 10+ pages, and nearly instantaneously, in which case that's a bot.
This creates a Pseudo-Random set of replies, and then they Copy/Paste a New Reply.
Doesn't that strike you as unusual that they would open random threads in concise php numerical order and then always have something to say? For example, our current visitor:
Code:
http://www.pinballnirvana.com/forums/showpost.php?p=94392The spambot is starting with a number, in this case, 94392. It scans the page for a reply, copies it, then it uses the Submit command without using the Post Reply button. I know this because I found in fooling around that I could assert my own Submit button as a Form in a thread, and when I clicked it, the next page stated that no textarea data was received, or to that effect.
So the bot is simply asserting the Submit command from its script without clicking any buttons, and doing so by copying a few lines from an existent post and them committing the copy to Paste in a textarea variable.
And when it is done posting to that thread, it then increases the p= number by 1 or more.
Fixes would be to block PHP sequential page number requests and / or posting in those sequential requests. Why? Because the resultant pages are numerically sequential, but totally random as to topic, and often pull up a sequential page that is in fact from an ancient post from several years ago on an off-topic which is after the previous php sequential page which may be from today or yesterday.
And then his location. Where is his location? Shouldn't that be enabled so that we can figure on Abu Dhabi?
Are you sure that the assigning of sequential numbers to random present/past posts is not a security device to detect the bots?
So, what might work is blocking the sequential search method linked to the IP Address or the User's system I.D. and/or monitoring the speed of the searches. Our current visitor is posting twice within the same minute, but that would not be the clue.
If it is posting twice a minute, then how many of its page requests are being requested within a minute? Maybe all 6 or 8 or 10+ pages, and nearly instantaneously, in which case that's a bot.
Last edited:
Upvote
0
