1 Aug 05, 2006 00:19

This is a hack for version 1.8 instead of a plugin because I wanted to get 'er done now instead of someday several years from now when I have a vague understanding of how plugins work. This hack converts your post ID from a base-10 number to its base-16 equivalent, then adds a character you select to the beginning and end of the hexadecimal ID. When you get a trackback this hack will check to see if the preceding and trailing characters match what you set them to, remove them if they match, then convert the hexadecimal number back to its decimal equivalent. If the ID the trackbacker provides doesn't match your chosen characters the hack stops the trackback. After a while the spammers will have indexed (or googled) a post of yours with your chosen characters, so you'll be subjected to spam again. Not a problem because all you have to do is go to your 'App settings' tab and change your preceding or trailing or both characters.

1: Modify your database:
Much like [url=http://forums.b2evolution.net/viewtopic.php?t=8142]the original 0.9.2 version[/url] you need to add two fields to your settings table. Using phpmyadmin or something similar, and recognizing that you might not have 'evo_' table prefixes, add two new fields with this SQL statement:

INSERT INTO `evo_settings` ( `set_name` , `set_value` )
VALUES (
'trackback_aspm_before', 'z'
);
INSERT INTO `evo_settings` ( `set_name` , `set_value` )
VALUES (
'trackback_aspm_after', 'p'
);

2: Edit htsrv/trackback.php:
You will need to edit htsrv/trackback.php so that the hexadecimalized and modified trackback ID gets converted back into a real trackback ID. Find this bit:

param( 'tb_id', 'integer' );
param( 'url', 'string' );
param( 'title', 'string' );
param( 'excerpt', 'html' );
param( 'blog_name', 'string' );

if( empty($tb_id) )
{ // No parameter for ID, get if from URL:

Now make it be like this instead:

param( 'tb_id', 'string' ); // was 'integer' - changed for hexaspammer hack
param( 'url', 'string' );
param( 'title', 'string' );
param( 'excerpt', 'html' );
param( 'blog_name', 'string' );

// Begin hexaspammer hack
$leading_adder = $Settings->get('trackback_aspm_before');
$trailing_adder = $Settings->get('trackback_aspm_after');

if( $leading_adder != '' ) { // Did we use a preceding character?
	if( $tb_id[0] == $leading_adder ) { // Is the first character the preceding character?
		$tb_id = substr( $tb_id, 1 );
	} else { // if the preceding character is not nothing and it doesn't match then this is a spammer
		die();
	}
}

if( $trailing_adder != '' ) { // Did we use a following character?
	if( $tb_id[strlen($tb_id)-1] == $trailing_adder ) { // Is the last character the trailing character?
		$tb_id = substr( $tb_id, 0, -1 );
	} else { // if the trailing character is not nothing and it doesn't match then this is a spammer
		die();
	}
}

$tb_id = hexdec( $tb_id ); // back from base-16 to the real (decimal) post ID
// End hexaspammer hack

if( empty($tb_id) )
{ // No parameter for ID, get if from URL:

3: Edit /inc/CONTROL/settings/settings.php:
This edit tells b2evolution to update the database when you change your preceding and trailing characters. Find at line 94 this bit:

	$Request->param_integer_range( 'user_minpwdlen', 1, 32, T_('Minimun password length must be between %d and %d.') );
	$Settings->set( 'user_minpwdlen', $user_minpwdlen );

	$Request->param_integer_range( 'reloadpage_timeout', 0, 99999, T_('Reload-page timeout must be between %d and %d.') );
	$Settings->set( 'reloadpage_timeout', $reloadpage_timeout );

Replace that with this:

	$Request->param_integer_range( 'user_minpwdlen', 1, 32, T_('Minimun password length must be between %d and %d.') );
	$Settings->set( 'user_minpwdlen', $user_minpwdlen );

	// Begin hexaspammer hack
	param( 'trackback_aspm_before', 'string', true );
	$Settings->set( 'trackback_aspm_before', $trackback_aspm_before );

	param( 'trackback_aspm_after', 'string', true );
	$Settings->set( 'trackback_aspm_after', $trackback_aspm_after );
	// End hexaspammer hack

	$Request->param_integer_range( 'reloadpage_timeout', 0, 99999, T_('Reload-page timeout must be between %d and %d.') );
	$Settings->set( 'reloadpage_timeout', $reloadpage_timeout );

4: Edit /inc/MODEL/items/_item.class.php:
This edit will create your customized hexadecimal trackback ID. Basically we will add a character before and after the trackback ID after converting from decimal to hexadecimal. Find this bit around line 2011:

	function get_trackback_url()
	{
		global $htsrv_url, $Settings;

		if( $Settings->get('links_extrapath') )
		{
			return $htsrv_url.'trackback.php/'.$this->ID;
		}
		else
		{
			return $htsrv_url.'trackback.php?tb_id='.$this->ID;
		}
	}

Replace that with this:

	function get_trackback_url()
	{
		global $htsrv_url, $Settings;

		// Begin hexaspammer hack: hex-encode the post ID and wrap it in the chosen characters
		$leading_adder = $Settings->get('trackback_aspm_before');
		$trailing_adder = $Settings->get('trackback_aspm_after');
		$this_tb_id = $leading_adder.dechex($this->ID).$trailing_adder;
		// End hexaspammer hack

		if( $Settings->get('links_extrapath') )
		{
			return $htsrv_url.'trackback.php/'.$this_tb_id;
		}
		else
		{
			return $htsrv_url.'trackback.php?tb_id='.$this_tb_id;
		}
	}

5: Edit inc/VIEW/settings/_set_general.form.php:
This part of the hack lets you change your preceding and trailing characters. This hack loses effectiveness if you don't have at least one of these characters, but you can leave the other blank if you wish. You WILL need to change them from time to time because sooner or later the spammers will index one of your posts with your customized hexadecimal trackback ID. At line 122 find this bit:

$Form->end_fieldset();

$Form->begin_fieldset( T_('Miscellaneous options') );

Replace that with this:

$Form->end_fieldset();

// Begin hexaspammer hack
param( 'trackback_aspm_before', 'string', '' );
param( 'trackback_aspm_after', 'string', '' );
$Form->begin_fieldset( T_('Trackback antispam options') ); ?>
<p>These two fields work together to further confuse the spammers. Your trackback ID is your post ID converted to its hexadecimal equivalent AND preceded by the first variable AND followed by the second variable. By changing these you create a trackback ID that is unique for your blog.</p>
<?php 
$Form->text_input( 'trackback_aspm_before', $Settings->get('trackback_aspm_before'), 2, T_('Preceding Character'), array( 'note'=>T_('Single character (a - z, A - Z, 0 - 9) to add BEFORE your hexadecimalized trackback ID.'), 'maxlength'=>1, 'required'=>true ) );
$Form->text_input( 'trackback_aspm_after', $Settings->get('trackback_aspm_after'), 2, T_('Trailing Character'), array( 'note'=>T_('Single character (a - z, A - Z, 0 - 9) to add AFTER your hexadecimalized trackback ID.'), 'maxlength'=>1, 'required'=>true ) ); ?>
<p>When the spammers get you again, and they will, you simply change one or both of these values.</p>
<?php 
$Form->end_fieldset();
// End hexaspammer hack

$Form->begin_fieldset( T_('Miscellaneous options') );

Upload everything, go to your back office and visit your 'App settings' tab, and pick whatever characters you like. Always use at least one, and you might as well use both.

---------------------------

Wanna test this hack before using it? My blog is linked below (buttons - not sig file), so do a trackback to any post and see if it works. If it doesn't then this is a crappy hack. When it does work you'll be free of trackback spam ... until the next time.
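The encode and verify halves of steps 2 and 4 as stand-alone functions, an added example rather than code from the post or from b2evolution; it goes one step further than the posted check by rejecting IDs whose hex body is not pure hex. hexaspam_encode and hexaspam_decode are hypothetical names, and the 'z'/'p' markers and post ID 255 are constructed sample values.

```php
<?php
// Added example (not from the post or b2evolution): the encode/decode pair
// behind steps 2 and 4 as plain functions, so the logic can be exercised
// outside the blog. Function names are hypothetical; dechex()/hexdec()/
// ctype_xdigit() are PHP's own. Markers are assumed to be single characters,
// as the settings form in step 5 enforces with maxlength 1.

// Build the obfuscated trackback ID: leading char + hex(post ID) + trailing char.
function hexaspam_encode(int $post_id, string $before, string $after): string
{
    return $before . dechex($post_id) . $after;
}

// Reverse it. Returns the decimal post ID, or null where the hack would die():
// a marker is configured but missing or wrong. Unlike the posted code, the hex
// body is checked with ctype_xdigit(), because hexdec() silently skips any
// non-hex characters instead of failing.
function hexaspam_decode(string $tb_id, string $before, string $after): ?int
{
    if ($before !== '') {
        if ($tb_id === '' || $tb_id[0] !== $before) {
            return null;
        }
        $tb_id = substr($tb_id, 1);
    }
    if ($after !== '') {
        if ($tb_id === '' || substr($tb_id, -1) !== $after) {
            return null;
        }
        $tb_id = substr($tb_id, 0, -1);
    }
    if ($tb_id === '' || !ctype_xdigit($tb_id)) {
        return null;
    }
    return (int) hexdec($tb_id);
}

// Constructed sample: the thread's 'z' / 'p' markers around post 255 ("ff").
$before = 'z';
$after  = 'p';
$url_id = hexaspam_encode(255, $before, $after);      // "zffp"
var_dump(hexaspam_decode($url_id, $before, $after));   // int(255)
var_dump(hexaspam_decode('255', $before, $after));     // NULL: plain decimal ID, rejected
var_dump(hexaspam_decode('zffq', $before, $after));    // NULL: wrong trailing marker
var_dump(hexaspam_decode('zfgp', $before, $after));    // NULL: "g" is not a hex digit
```

Without the ctype_xdigit() check a malformed ID such as "zfgp" would still decode, since hexdec() drops the "g" and returns 15.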

2 Aug 05, 2006 02:01

I could write this into a plugin, for your studying pleasure, but I fear that this method is not very effective. All they would have to do is get the page before they send trackbacks to it, and I think this is what they already have done if they put up a page / copy your contents.

Anyway, I've just added the DisplayTrackbackAddr hook also for 1.8.1, which could be used for this (though you would want to use another, not yet existing hook - "FilterItemTrackbackAddr").

3 Aug 05, 2006 10:42

I would love to see it as a plugin! I've tried to not think in terms of hacks, but it's hard to learn the 'new way' when you don't really know what you're doing... I figure when there are lots of plugins that interest me I'll be able to undo them and rebuild them into something different because that's all I really know how to do.

I've been a bit concerned about how easily this hack could be defeated, but back in the 0.9.2/1.7CVS days I personally never got trackback spam when I had this hack. I'm a bit afraid though that you may be right. IF something like this is widely implemented then spammers will learn to snag the page immediately before spamming. Then again it's like using non-standard field names for commenting: it stops most of them except the truly motivated.

As a hack if this is beaten frequently then it's no good. As a plugin no one would care because you simply un-install the plugin and say "oh well"...

4 Aug 05, 2006 18:32

You're right - and I don't find the "non-standard field names" a good solution either.

If 1.8.1 is out (with the new hook) I'll make this a plugin for you.. :)

For now, I'd recommend the Captcha plugin to protect the trackback URL, but it also relies on the same event and does not work with 1.8 (it therefore does not accept any trackback).

5 Aug 05, 2006 21:39

Just for the record. The hook won't be in 1.8.1, but 1.9.

6 Apr 07, 2007 01:31

I'll be darned. This hack as-is works fine for 1.9.3 installations. Didn't even try to make it a plugin though.

7 Apr 08, 2007 01:12

Okay, so it didn't work after all. It looked like it worked, but it blocked ALL trackbacks, which it wasn't supposed to do. One line needed changing, but rather than say "here do this instead of that" I figured I'd zip up the files you'll need with a little 'read me' file. So here ya go!
