Myspammers deletion offline for a couple of days

pedigree · 2011-04-29 9:02 pm

Ive been looking over the logs (as I normally do, which is another anal story) and Ive noticed some strange activity which I need to investigate. Until then, Ive take the delete code completely out of the page. If you need to delete something, please post the details here and Ill remove them.

Wizzle · 2011-04-29 9:32 pm

Thanks for putting the warning on the my spammers page! Seriously!
I was about to play with some code, and would have had to email you a couple dozen times. lol!

pedigree · 2011-04-29 9:42 pm

It looks like adsense is doing something very screwy when someone deletes a spammer entry. Im seeing Mediapartners-Google reposting the same URL. I think its a non-issue but I want to be sure.

Im always going over the logs for strange things, SQL and shell code injections, things like that and this was just something that the scanner picked up on

pedigree · 2011-04-29 10:31 pm

Adsense is the culprit. When I get time tomorrow, Ill fix it.

Its been the cause of sites double/triple posting data when passing data as GET params to the page. Adsense then scans the page and ... double posts the data as the apikey is passed to adsense as the referrer.... great.

MacHeadCase · 2011-04-30 2:22 am

I get the occasional double entry and I'm not doing anything on my end to justify such a result. So I delete the double entry, hopefully I'm not screwing anything up though.

Alex Kemp · 2011-04-30 3:14 am

pedigree wrote:

Adsense is the culprit... been the cause of sites double/triple posting data when passing data as GET params to the page

I'm not sure about that.

When Modem-Help lists a spammer the info is POST, not GET (sent via cURL; thus, adsense cannot be involved). Yet, one of the most recent spammers is now listed 11 times! Last time I looked it was (from memory) 4 times. Those extra 7 are definitely spurious, and unrelated to anything from my end: all spammers are immediately cached when listed, and therefore cannot appear on the site again for (60 * 24 * 7) minutes (1 week), regardless of what happens on SFS.

email: bennett2442@email.com
IP: 24.129.7.12
un: juanita2442

most recent 12 listings:
30-Apr-11 01:39 AM
30-Apr-11 01:39 AM
30-Apr-11 01:39 AM
30-Apr-11 01:39 AM
30-Apr-11 12:16 AM
30-Apr-11 12:15 AM
30-Apr-11 12:15 AM
( 29-Apr-11 09:50 PM: 93.182.156.87 minorpuxs minorpuxs@hotmail.com)
(following are original entry - I think)
29-Apr-11 03:25 PM (4 copies)

PS
Date at my end when added to cache is: 2011-04-30 00:39:55 - no point in asking me what is going on!

Last edited by Alex Kemp (2011-04-30 3:36 am)

angie · 2011-04-30 7:37 am

Ah so this is why I have been noticing so many duplicates in the blacklist (same time submitted and same evidence) when I am checking IP's of new members visiting my forums?

pedigree · 2011-04-30 12:11 pm

Ill put in a simple detection to try to avoid the same api key posting the same data for a 60 second period.

pedigree · 2011-04-30 12:51 pm

All back online, it was Adsense causing this non-issue.

The add page will now detect when the same person adds the same data and will not allow it to be re-added in a 60 second period.

Alex Kemp · 2011-04-30 1:13 pm

pedigree wrote:

The add page will now detect when the same person adds the same data and will not allow it to be re-added in a 60 second period.

Ok - so you reckon that my page is now (somehow) submitting the same spammer data multiple times? I do not know of any changes that could result in this, although I obviously need to know if it is happening.

If you say `yes' then I'll turn on verbose logging to catch it (only errors at the moment). I want to know that I've got clean script at my end.

pedigree · 2011-04-30 1:27 pm

To date, its been adsense from what the server logs seem to show. If you find it adding dupes, copy/paste the line here and Ill go through my logs.

Katana · 2011-04-30 2:09 pm

Pedigree, have you also tossed in code that terminates the script/prevents the requested actions for requests that have the adsense useragent?

That may help.

pedigree · 2011-04-30 2:14 pm

Yup. It just ignores the action to add/delete if its a google/adsense useragent.

Alex Kemp · 2011-04-30 3:25 pm

pedigree wrote:

copy/paste the line here and Ill go through my logs.

Already done so in my earlier post. 11 entries where should be one.

pedigree · 2011-04-30 3:32 pm

... after I made the code changes

93.182.156.87 minorpuxs minorpuxs@hotmail.com
bennett2442@email.com and juanita2442
... only found once in the db

Alex Kemp · 2011-04-30 8:57 pm

pedigree wrote:

93.182.156.87 minorpuxs minorpuxs@hotmail.com
bennett2442@email.com and juanita2442
... only found once in the db

That's because I removed all the duplicates after you re-enabled the page. The original POSTs should still be in your logs.

Anyway, I will enable reporting at my end to d/check that these multiple entries are not coming from my server. I get very little spam now, so it may take a while.

Alex Kemp · 2011-05-02 3:38 pm

Alex Kemp wrote:

I will enable reporting at my end ... it may take a while.

Got one this morning (manuals report). No dupes with this one - you may need to check your server.

May  2 08:01:36 <removed> httpd: SFS: POST to http://www.stopforumspam.com/post.php with POST-fields email=yulyabeloglaz%40gmail.com&ip_addr=178.46.122.224&username=SvetaSilaeva&api_key=<removed>

The other dupes came from manually-reported spam. There are two places that that can happen with my admin system (forum spam or profile spam). The above was forum spam. I'll leave the reporting in place until it catches a profile spam.

pedigree · 2011-05-02 7:35 pm

2011-05-02 09:01:36 178.46.122.224 SvetaSilaeva yulyabeloglaz@gmail.com Russian Federation
2011-05-02 07:49:11 178.46.122.224 SvetaSilaeva yulyabeloglaz@gmail.com Russian Federation

I see these but with 72 minutes apart. The "dupe detector" (funky name) will only detect dupes when posted within 60 seconds.

Alex Kemp · 2011-05-03 1:01 pm

pedigree wrote:

2011-05-02 09:01:36 178.46.122.224 SvetaSilaeva yulyabeloglaz@gmail.com Russian Federation
2011-05-02 07:49:11 178.46.122.224 SvetaSilaeva yulyabeloglaz@gmail.com Russian Federation
I see these but with 72 minutes apart. The "dupe detector" (funky name) will only detect dupes when posted within 60 seconds.

Tain't me, gov.

# fgrep 'SvetaSilaeva' /var/log/messages
May  2 08:01:36 <removed> httpd: SFS: POST to http://www.stopforumspam.com/post.php with POST-fields email=yulyabeloglaz%40gmail.com&ip_addr=178.46.122.224&username=SvetaSilaeva&api_key=<removed>

(same as previous, and only one entry)

The `detect' code is placed within the (single) function that does the reporting. That code is available for you to peruse (currently v4.2.0). The additions are some quick'n'dirty code added to rblconfig.php--sfs_post():

// 2011-01-05 put some info in system log to check for multiple POST
ini_set('error_log', 'syslog');                // send errors to the system log
error_log("SFS: POST to $url with POST-fields $data\n");

As every post-to-SFS has to go through that function, it will *always* log it. It also is the only function used to log spammers to SFS (I've checked).

The log itself comes from web-pages within my admin site. No Adsense (I've checked!) nor any third-party coding. The admin site itself uses 2 layers of encryption to attempt to frustrate man-in-the-middle hacking & has 3 layers of cloaking to keep it private. Nothing is perfect, but as best as I can tell, your dupes are not coming directly from Modem-Help.

If this is *not* some artefact on your site, then we are experiencing a man-in-the-middle attack. Time for you to obtain a SSL certificate + renew all API keys.

pedigree · 2011-05-03 1:20 pm

Is anyone seeing their spammer entries duped anymore?

Alex Kemp · 2011-05-03 3:28 pm

pedigree wrote:

Is anyone seeing their spammer entries duped anymore?

I'm not seeing *my* spammer entries being duped anymore (did you remove the dupe?) (I did not remove it myself).

Last edited by Alex Kemp (2011-05-03 3:53 pm)

pedigree · 2011-05-03 3:38 pm

Nope, Im not removing anything

Alex Kemp · 2011-05-03 3:57 pm

(Just d/checked - I'm getting paranoid now)

Did not need to remove any dupes myself, and only one entry for my latest spammer report:

2-May-11 09:01 AM : 178.46.122.224 : SvetaSilaeva : yulyabeloglaz@gmail.com

Wizzle · 2011-05-03 10:53 pm

pedigree wrote:

Is anyone seeing their spammer entries duped anymore?

Nope.
Looking good so far.

Alex Kemp · 2011-05-06 12:49 am

Another chance to check for dupes:

6-May-11 02:39 AM : 182.64.88.69 : Manoj Kumar : nexusinstruments@gmail.com

(I'll check my logs in a couple hours to make sure no dupes my end)

#1 2011-04-29 9:02 pm

Myspammers deletion offline for a couple of days

#2 2011-04-29 9:32 pm

Re: Myspammers deletion offline for a couple of days

#3 2011-04-29 9:42 pm

Re: Myspammers deletion offline for a couple of days

#4 2011-04-29 10:31 pm

Re: Myspammers deletion offline for a couple of days

#5 2011-04-30 2:22 am

Re: Myspammers deletion offline for a couple of days

#6 2011-04-30 3:14 am

Re: Myspammers deletion offline for a couple of days

#7 2011-04-30 7:37 am

Re: Myspammers deletion offline for a couple of days

#8 2011-04-30 12:11 pm

Re: Myspammers deletion offline for a couple of days

#9 2011-04-30 12:51 pm

Re: Myspammers deletion offline for a couple of days

#10 2011-04-30 1:13 pm

Re: Myspammers deletion offline for a couple of days

#11 2011-04-30 1:27 pm

Re: Myspammers deletion offline for a couple of days

#12 2011-04-30 2:09 pm

Re: Myspammers deletion offline for a couple of days

#13 2011-04-30 2:14 pm

Re: Myspammers deletion offline for a couple of days

#14 2011-04-30 3:25 pm

Re: Myspammers deletion offline for a couple of days

#15 2011-04-30 3:32 pm

Re: Myspammers deletion offline for a couple of days

#16 2011-04-30 8:57 pm

Re: Myspammers deletion offline for a couple of days

#17 2011-05-02 3:38 pm

Re: Myspammers deletion offline for a couple of days

#18 2011-05-02 7:35 pm

Re: Myspammers deletion offline for a couple of days

#19 2011-05-03 1:01 pm

Re: Myspammers deletion offline for a couple of days

#20 2011-05-03 1:20 pm

Re: Myspammers deletion offline for a couple of days

#21 2011-05-03 3:28 pm

Re: Myspammers deletion offline for a couple of days

#22 2011-05-03 3:38 pm

Re: Myspammers deletion offline for a couple of days

#23 2011-05-03 3:57 pm

Re: Myspammers deletion offline for a couple of days

#24 2011-05-03 10:53 pm

Re: Myspammers deletion offline for a couple of days

#25 2011-05-06 12:49 am

Re: Myspammers deletion offline for a couple of days

Board footer