1 Jun 12, 2006 00:50    

Cute name eh? I figured there had to be something easy we could do to outsmart evil trackback spammers. I know whoo made up a way to dynamically generate a trackback URL that expires, but I've no idea how she did it or if she shared it with the masses. I went for a simpler approach: I convert your post ID to hexadecimal then add a character of your choosing before and after the hexed post ID. Get it? So post ID '10' in decimal (normal numbers) converted to hexadecimal is post ID 'a'. If you tell it to have a 'z' before it and a 'p' after it then this particular post will have a trackback ID of 'zap'. By stripping the CORRECT preceding and trailing characters then converting hexadecimal to decimal we get back to a post ID of '10'. What's that you say? This seems quite phat? Indeed. Indeed it is!

You will modify your evo_settings table and hack 4 core files to get this baby running, and for the record I did this to an unmodified 0.9.2 installation. Applying it to other versions isn't promised or predicted, though I'm pretty sure it'll work as-is in 0.9.1.

--------

First modify your settings table. By doing this you will eventually be able to change your 'before' and 'after' characters in your back office, and you WILL need to do that from time to time... Using something like phpmyadmin add two shiny new fields with this:

INSERT INTO `evo_settings` ( `set_name` , `set_value` )
VALUES (
'trackback_aspm_before', 'z'
);
INSERT INTO `evo_settings` ( `set_name` , `set_value` )
VALUES (
'trackback_aspm_after', 'p'
);

--------

Now tell b2evolution that those fields exist and that you will want them to be available to you via your back office. Open admin/b2options.php and find something that looks like this, then make it be like this:

			$Settings->set( 'user_minpwdlen', $user_minpwdlen );

			// this is for the hexaspammer hack
			param( 'trackback_aspm_before', 'string', true );
			$Settings->set( 'trackback_aspm_before', $trackback_aspm_before );
			param( 'trackback_aspm_after', 'string', true );
			$Settings->set( 'trackback_aspm_after', $trackback_aspm_after );
			// end hexaspammer hack

			if( $Settings->updateDB() )

--------

Next you need to make your back office Settings tab show these values so you can change them when the spammers eventually cache a blog post with the tweaked trackback URL. Open admin/_set_general.form.php, find a bit that looks like this, then make it be like this:

	</fieldset>

	<?php // this is for the hexaspammer hack ?>
	<fieldset>
		<legend><?php echo T_('Trackback Antispam') ?></legend>
		<p>These two fields work together to further confuse the spammers.  Your trackback ID is your post ID converted to its
		hexadecimal equivalent AND preceded by the first variable AND followed by the second variable.  By changing these you
		create a trackback ID that is unique for your blog.  When the spammers get you again, and they will, you simply change
		one or both of these values.</p>
		<?php
		form_text( 'trackback_aspm_before', $Settings->get('trackback_aspm_before'), 1, T_('Preceding character'), T_('Single character (0 - 9 or a - z or A - Z) that shows up before your hexadecimal trackback ID.'), 1 );
		form_text( 'trackback_aspm_after', $Settings->get('trackback_aspm_after'), 1, T_('Following character'), T_('Single character (0 - 9 or a - z or A - Z) that shows up after your hexadecimal trackback ID.'), 1 );
		?>
		<p><strong>DO NOT leave both of these fields empty!</strong>  Having one empty is okay.  Both empty is b-a-d!!!</p>
	</fieldset>
	<?php // end hexaspammer hack ?>

	<?php if( $current_User->check_perm( 'options', 'edit' ) )

--------

Next you need to make your trackback URL convert your post ID to hexadecimal and take advantage of these new fields. To do that open b2evocore/_class_item.php, find the bit that looks like this, then make it be this:

	function trackback_url()
	{
		global $htsrv_url, $Settings;

		// this is for the hexaspammer hack
		$leading_adder = $Settings->get('trackback_aspm_before');
		$trailing_adder = $Settings->get('trackback_aspm_after');
		$this_id = $this->ID;
		$this_id = $leading_adder.dechex($this_id).$trailing_adder;

		if( $Settings->get('links_extrapath') )
		{
			echo "$htsrv_url/trackback.php/$this_id";
		}
		else
		{
			echo "$htsrv_url/trackback.php?tb_id=$this_id";
		}
		// end hexaspammer hack
	}

--------

Finally, you need to tell your installation to interpret trackback URLs correctly OR reject the spammer. To do this you need to open htsrv/trackback.php, find a bit that looks like this, then make it be this:

$show_statuses = array( 'published', 'protected', 'private' );

param( 'tb_id', 'string' ); // was 'integer' - changed for hexaspammer hack
param( 'url', 'string' );
param( 'title', 'string' );
param( 'excerpt', 'html' );
param( 'blog_name', 'string' );
if( empty($tb_id) )
{	// No parameter for ID, get it from URL:
	$path_elements = explode( '/', $ReqPath, 30 );
	$tb_id = $path_elements[count($path_elements)-1];
}

// this is for the hexaspammer hack
$leading_adder = $Settings->get('trackback_aspm_before');
$trailing_adder = $Settings->get('trackback_aspm_after');

if( $leading_adder != '' )
{
	if( substr( $tb_id, 0, 1 ) == $leading_adder )
	{	// strip the preceding character
		$tb_id = substr( $tb_id, 1 );
	}
	else
	{	// the setting is not empty and the first character doesn't match, so this is a spammer
		die();
	}
}

if( $trailing_adder != '' )
{
	if( substr( $tb_id, -1 ) == $trailing_adder )
	{	// strip the following character
		$tb_id = substr( $tb_id, 0, -1 );
	}
	else
	{	// the setting is not empty and the last character doesn't match, so this is a spammer
		die();
	}
}

$tb_id = hexdec( $tb_id );
// should there be another "screw the spammer" check in here?
$tb_id = intval( $tb_id );
// end hexaspammer hack

if ((strlen(''.$tb_id)) && (empty($HTTP_GET_VARS['__mode'])) && (strlen(''.$url)))

--------

There you go! Sooner or later the spammers will have a version of your trackback ID that actually translates to a real post. As soon as that happens you should ban/delete/report the spammer via the antispam central feature AND change either your preceding character, or your following character, or both.

By the way you should always have at least one of those fields filled in. Having both empty means there is no forced check for a spammer, and every decimal number on the planet can be converted from hexadecimal to its decimal equivalent. Thus you want to pervert your hexadecimal value with *at least* one of the available options. 23 in hex converts to 35 dec, but z23 hex doesn't convert to anything.

For the record I tested this on a private test installation. Hopefully someone out there running 0.9.2 that has trackbacks on and installs this can tell us if it helps or not in their real-world application.

EDIT: I removed the text from the "die()" function because someone who actually goes to your trackback link will die and see that text. On my blog I turned on trackbacks but made it be "right click / Copy Link Location to get trackback URL", which means someone can (and probably will) click on it.
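A stricter version of the strip-and-decode step, written here as an added example and not part of EdB's hack: PHP's hexdec() ignores any non-hexadecimal characters it meets, so a trackback ID like 'zq23p' would still decode to post 35 under the hack above. The function names are mine, the decoder fails closed when both affixes are empty, and the drop-in lines at the bottom assume the same $Settings keys the hack adds to evo_settings.

```php
<?php
// Added example, not part of EdB's hack: a strict encode/decode pair for the
// hexaspammer trackback ID. Function names are mine; the drop-in lines at the
// bottom assume the trackback_aspm_* settings the hack adds to evo_settings.

function hexaspam_encode( $post_id, $before, $after )
{
	return $before . dechex( intval( $post_id ) ) . $after;
}

// Returns the decimal post ID, or null when the trackback ID is not ours.
function hexaspam_decode( $tb_id, $before, $after )
{
	// The hack's own warning: with both affixes empty there is nothing to
	// check, so fail closed rather than accept every hex string.
	if( $before === '' && $after === '' )
	{
		return null;
	}
	if( $before !== '' )
	{
		if( substr( $tb_id, 0, strlen( $before ) ) !== $before ) return null;
		$tb_id = (string) substr( $tb_id, strlen( $before ) );
	}
	if( $after !== '' )
	{
		if( substr( $tb_id, -strlen( $after ) ) !== $after ) return null;
		$tb_id = (string) substr( $tb_id, 0, -strlen( $after ) );
	}
	// hexdec() silently ignores non-hex characters, so without this check
	// 'zq23p' would still decode to post 35. Require pure hex digits.
	if( $tb_id === '' || ! ctype_xdigit( $tb_id ) )
	{
		return null;
	}
	return intval( hexdec( $tb_id ) );
}

// Drop-in for the strip/hexdec block in htsrv/trackback.php, after the
// existing code has filled $tb_id from the query string or the extra path:
$post_id = hexaspam_decode( $tb_id, $Settings->get('trackback_aspm_before'),
                            $Settings->get('trackback_aspm_after') );
if( $post_id === null )
{	// not our ID format, so this is a spammer
	die();
}
$tb_id = $post_id;
```

The encoder is the same transformation trackback_url() performs, kept here so the two halves can be checked against each other in a test installation.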

2 Jun 20, 2006 15:04

Oopsie! Found a flaw in this hack and corrected it above. If you have "use extra-path info" checked then the trackback ID got figured out by this bit:

if( empty($tb_id) )
{ // No parameter for ID, get it from URL:
	$path_elements = explode( '/', $ReqPath, 30 );
	$tb_id = intval( $path_elements[count($path_elements)-1] );
}


The problem is that intval won't like your hexadecimal version, so it'll never work. The solution was to replace that bit with this:

if( empty($tb_id) )
{ // No parameter for ID, get it from URL:
	$path_elements = explode( '/', $ReqPath, 30 );
	$tb_id = $path_elements[count($path_elements)-1];
}

NOW I'll be able to tell how long it takes the spammers to grab a trackback URL with this hack applied. If it takes them till only tomorrow then the hack is no good. If it takes them a week or more then it's a good short-term defense. If it takes them more than a month it's a really good short-term defense. It'll NOT last forever though. That's why I made it be a back-office-configurable thing.

3 Jun 25, 2006 15:32

Ed,

I put it in on 9.1 and it is functioning as planned ... now I'm hoping the spammers will leave me alone for a bit. Thanks-

4 Jun 30, 2006 09:26

others who tried, is it working effectively??

Thanks.

(just don't have time left to do testing... preparing to go to Hong Kong for my new work)

5 Jul 01, 2006 11:02

You're not doing the testing: I did. It worked completely. Proof is the continual trackback spam I'm getting now that I 'upgraded' and don't have this hack in place. Which makes more sense: spammers decided to target me at the exact moment that I decided to upgrade, or, I defeated their plans with a (reasonably simple) hack?

6 Jul 05, 2006 16:15

Just an update - this hack works like a charm. Haven't had a single trackback spam hit since I changed it and the ability to update on demand in the backoffice just makes it that much easier to prevent trackback spammers.

Also, I changed the default lingo "Trackback to this address" to simply "Track it" as I found some people were searching for that specific phrase. I don't know if those folks were spammers, but better safe than sorry.

Thanks again EdB.

7 Jul 10, 2006 02:21

I installed this hack, but I was wondering if I should expect it to work for permalink names that are created from the post title rather than a number.

thanks much!

8 Jul 10, 2006 04:38

Got a couple one or two-time trackbacks from spammers this weekend - this was shortly after changing the first/last parts of the hexaspammer. In both cases, they were mostly a bunch of gibberish. I'm wondering if some spammers tried and failed because of the hexaspammer and then just out of spite did a couple one-off trackback spams. Probably not, but I can't figure it out.

Still a great hack, of course.

9 Jul 10, 2006 12:17

hmm... same. If the other trackback spams are still getting through, then I can safely say this anti-trackback-spam was defeated.... sadly.

It did work; trackback spamming lessened to about 50%, which is great, but the other spammers found a way...

I think they are reading the anti-spam here in the forums.

10 Jul 10, 2006 16:02

I wouldn't wave the white flag yet - for me, it's only been a couple of randoms getting through (literally, two at different times). So we'll see ...

11 Jul 10, 2006 16:13

EdB wrote:

Sooner or later the spammers will have a version of your trackback ID that actually translates to a real post. As soon as that happens you should ban/delete/report the spammer via the antispam central feature AND change either your preceding character, or your following character, or both.

Did you think I said that because I didn't know what I was talking about?

ALL spammers use indexed information to nail you. Referer spammers nail you by finding key words and phrases that tell them "this is a b2evolution blog". They google those key words is the thing. Comment and trackback spammers have to find a post ID (or two or three or ten) that has a trackback URL on it in order to spam. So let me repeat myself:
EdB wrote:

Sooner or later the spammers will have a version of your trackback ID that actually translates to a real post. As soon as that happens you should ban/delete/report the spammer via the antispam central feature AND change either your preceding character, or your following character, or both.

You install the hack, it works. Eventually a spammer gets through. You change either your leading or your trailing (or both) characters, it works again.

Guess what you do when they get through again?

12 Jul 10, 2006 19:40

EdB - have you had any trackback spams like I was referring to above? They were one-offs in my case, which led me to believe that some spammer searched for a keyword (like you were saying) and then tried to spam my blog, failed, and then got pissed and did a one-off trackback spam out of spite... yeah probably not what really happened, but I can't explain it any other way as I had changed the hexaspammer digits the night before I got the single spam attack ... so it was too soon for Google to have cached it.

13 Jul 11, 2006 00:31

When I had the hack installed I had no spams, but since upgrading to 1.8 beta I get lots of them. Some are 'normal' spams, some are the gibberish spams. BTW there is a thread about [url=http://forums.b2evolution.net/viewtopic.php?t=8349]the gibberish spam problem[/url] but since I'm seeing it on trackbacks there is no email ID to try to block. Haven't re-hacked it yet.
