PhpBB- & WordPress- antispam.com
Home of the Antispam for all fields mod ! 
Posted: Sun Jul 01, 2007 10:39 pm    Post subject: IP logging and banning idea

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Hey, was just replying to one of the guys over at PHPbb, and an idea struck me. (*ouch!* ;) ) Anywho, the idea is this. You already log how many hits are made against certain spam words. That feature is nice for telling which spam words are most active and which are not.

But how about one for IP addresses? Say someone comes in and spams your forum with Britney Spears stuff 20 times, but Joe Johnson comes in and posts five items and one of them is flagged as spam. You could then do something like this:

IP Address | Number of spam attempts | Number of approvals | Who posted
186.16.66.23 | 20 | 0 | NA (if no name)
12.72.15.43 | 4 | 1 | Joe Johnson

Something like that. This way you can look at how many attempts there were vs whether or not any were approved. Those with approved posts would get a lower potential banning score vs the joker with 20 attempts from the same IP who's had none. Another thing too would be to only list names and IP's of the said attempts if 1) The poster hasn't reached the cutoff threshold yet, and 2) if the user has already been banned/removed or the IP has already been banned.

In other words, only show IP spam attempt info for users and IP's that are either not banned or have not met certain pass criteria configured elsewhere. Also, we should add a "delete" option in case there's old entries we need to clean out of the list, and maybe another option to clean up the list every so often so that the spamdb isn't fussing with long lists of entries that are no longer relevant.

Also, one last idea for this. Have the ability to look at entries within the list of logged IP's and look for patterns. IE, if there's been spam attempts from X number of IP's within a given class C subnet, give the user the option to ban the entire class C.

That's just a few ideas for you. Feel free to chew on it and see what you come up with. :)

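The report proposed in the post above, sketched in Python as an added example (not code from the mod or from any poster). The row layout, the `min_ips` threshold and the 203.0.113.x addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows: (ip, poster name or None, flagged_as_spam).
# The first two IPs mirror the table in the post; 203.0.113.x is a
# documentation range used here to show a cluster inside one /24.
SAMPLE_LOG = (
    [("186.16.66.23", None, True)] * 20
    + [("12.72.15.43", "Joe Johnson", True)] * 4
    + [("12.72.15.43", "Joe Johnson", False)]
    + [(ip, None, True)
       for ip in ("203.0.113.5", "203.0.113.17", "203.0.113.200")
       for _ in range(2)]
)

def summarize(rows):
    """Return {ip: (spam_attempts, approvals, poster or 'NA')}."""
    stats = defaultdict(lambda: [0, 0, None])
    for ip, poster, is_spam in rows:
        entry = stats[ip]
        entry[0 if is_spam else 1] += 1
        entry[2] = entry[2] or poster
    return {ip: (spam, ok, who or "NA") for ip, (spam, ok, who) in stats.items()}

def spammy_subnets(report, min_ips=3, prefix=24):
    """Blocks holding at least min_ips distinct IPs that have spam attempts
    and no approved posts. The result is a hint for the admin, not a ban."""
    blocks = defaultdict(set)
    for ip, (spam, approved, _who) in report.items():
        if spam and not approved:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            blocks[str(net)].add(ip)
    return {
        net: sorted(ips, key=ipaddress.ip_address)
        for net, ips in blocks.items()
        if len(ips) >= min_ips
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("IP Address | Spam attempts | Approvals | Who posted")
    for ip, (spam, ok, who) in report.items():
        print(f"{ip} | {spam} | {ok} | {who}")
    print(spammy_subnets(report))
```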
Posted: Mon Jul 02, 2007 10:36 am

WebSnail
Phpbb coder


Joined: 14 Dec 2006
Posts: 38

Only thing to note... Lots of IP spoofing goes on so it's a bit tricky to be sure you get the right one...

I'd also suggest that there be some kind of threshold for IP's used over a number of days rather than over a 3 - 5 minute stretch... This would help filter out the IP's that are used briefly (ie: dynamic IP's from a dial up) and those that are reasonably static. The latter are worth considering for banning while the former are a waste of time.

Posted: Mon Jul 02, 2007 5:52 pm

ramon fincken
Site Admin


Joined: 11 Dec 2006
Posts: 269
Location: A'dam/Diemen, The Netherlands

I'll have a go with
Quote:
Also, one last idea for this. Have the ability to look at entries within the list of logged IP's and look for patterns. IE, if there's been spam attempts from X number of IP's within a given class C subnet, give the user the option to ban the entire class C.


Same IP addresses is already a feature with a # of 3, and I'd like to keep in mind what WebSnail mentioned. And for that same reason I will never implement an instant ban module.
_________________
Phpbbantispam founder, available for freelance WordPress coding.

PhpBB2 mod: http://www.phpbbantispam.com/viewtopic.php?t=1
WordPress plugin: http://wordpress.org/extend/plugins/antispam-for-all-fields/
Project files & mailinglist: https://sourceforge.net/projects/phpbbantispam/

Posted: Mon Jul 02, 2007 11:35 pm

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Oh no, I wasn't suggesting an instant ban module or any kind of similar addition. Simply a logging and reporting function with thresholds and limits to allow the admin to decide *if* they want to consider any kind of banning of IP blocks. I'd want all that to be left up to the admin themselves. But in order to do that effectively it's necessary to make sure they're properly informed. The whole idea behind the addition was just information gathering and display.

Posted: Tue Jul 03, 2007 5:20 pm

WebSnail
Phpbb coder


Joined: 14 Dec 2006
Posts: 38

Lord Raiden wrote:
Oh no, I wasn't suggesting an instant ban module or any kind of similar addition. Simply a logging and reporting function with thresholds and limits to allow the admin to decide *if* they want to consider any kind of banning of IP blocks. I'd want all that to be left up to the admin themselves. But in order to do that effectively it's necessary to make sure they're properly informed. The whole idea behind the addition was just information gathering and display.

Makes sense...

The more information available the better you can make some kind of decision on bans, etc...

Posted: Tue Aug 28, 2007 4:51 pm

WebSnail
Phpbb coder


Joined: 14 Dec 2006
Posts: 38

WebSnail wrote:
Only thing to note... Lots of IP spoofing goes on so it's a bit tricky to be sure you get the right one...

I'd also suggest that there be some kind of threshold for IP's used over a number of days rather than over a 3 - 5 minute stretch... This would help filter out the IP's that are used briefly (ie: dynamic IP's from a dial up) and those that are reasonably static. The latter are worth considering for banning while the former are a waste of time.


Thinking this may have been lost in the other points so I'd like to rehighlight...

Posted: Mon Sep 03, 2007 5:44 pm

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

One thing that might be nice, if it were possible, would be to include a subnet lookup that would show country of origin and what subnets are owned in that block. Also, banning by class a, b, or c subnets would be worth considering too. Although banning just a /29 through a /24 might be best because anything bigger than a /24 might be a bit over reaching.

Posted: Wed Sep 19, 2007 11:45 am

WebSnail
Phpbb coder


Joined: 14 Dec 2006
Posts: 38

Lord Raiden wrote:
One thing that might be nice, if it were possible, would be to include a subnet lookup that would show country of origin and what subnets are owned in that block. Also, banning by class a, b, or c subnets would be worth considering too. Although banning just a /29 through a /24 might be best because anything bigger than a /24 might be a bit over reaching.


I'm definitely for this one.

In the past week I noticed that attacks from Russia have stepped up with one ISP accounting for 12 out of 18 attacks in a 24 hour period. Each time they dropped their dynIP and grabbed a new one to start all over... phpBB2 doesn't seem to allow the sort of banning LR suggested but it sure would be useful!

Posted: Thu Sep 20, 2007 1:39 pm

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Well, you can do a /24 subnet ban by doing 3 octets and a *. (example: 192.168.0.*) To do subnets that aren't full octets, like a /25 for example, you'd use the first ip in that block, a dash, and the last ip like this: 129-256.

I admit that PHPbb could do better to designate subnets when block banning, but there's always ways around stuff.

Posted: Wed Oct 24, 2007 9:13 pm

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Ramon, I've looked at the mod a little closer, and I think I've found something that'll make what I'm after quite easy.

If you can toss the "ip", "ip_forwarded" and "time" variables into a table titled "antispamdb_logs" with "id" as the first field and primary key, I can write a more detailed script that'll parse that for information and generate detailed logs if people want them.

I plan a simple summary page, then several sub pages that are more detailed and offer the user all the possible info they could want on a given IP or IP block. :)

All you'll need to do after I'm done is just merge it into the mod since I'm still not totally fluent with writing for phpbb. :( But I'll be sure that your work to complete the merge is minimal. ;)

Posted: Tue Dec 18, 2007 11:04 pm

WebSnail
Phpbb coder


Joined: 14 Dec 2006
Posts: 38

WebSnail wrote:
WebSnail wrote:
Only thing to note... Lots of IP spoofing goes on so it's a bit tricky to be sure you get the right one...

I'd also suggest that there be some kind of threshold for IP's used over a number of days rather than over a 3 - 5 minute stretch... This would help filter out the IP's that are used briefly (ie: dynamic IP's from a dial up) and those that are reasonably static. The latter are worth considering for banning while the former are a waste of time.


Thinking this may have been lost in the other points so I'd like to rehighlight...

At the risk of starting to sound petulant this particular idea is very much an ongoing one that would make this mod a lot more effective when it comes to the actual "ban" effectiveness. So, not actually getting any kind of response to it, is frustrating :P

At the moment I'm having to manually identify patterns of IP addresses that recur over longer periods of time rather than having 6 spam triggers in the space of a 30 second window.

To be blunt, there is absolutely no point whatsoever to immediately ban bursted spam attempts as they are highly likely to be from dynamic IP addresses. Banning them just results in you blocking potential visitors that aren't spamming or pwned. IP's that re-appear a day or so later are more likely to be static and it's these you want to ban.

Bottom line, can anyone think of an algorithm that would highlight multiple hits where the space between hits is greater than a few minutes?

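One way to answer the question that closes the post above, as an added Python example (not code from the mod or from any poster): collapse each IP's hits into bursts, then highlight only IPs whose bursts recur a day or more apart. The row layout follows the `antispamdb_logs` fields proposed earlier in the thread; Unix timestamps, the two thresholds and the sample rows are assumptions.

```python
from collections import defaultdict

BURST_GAP = 10 * 60       # assumed: hits closer together than this form one burst
MIN_SPAN = 24 * 60 * 60   # assumed: first and last burst must be a day apart

def bursts(times, gap=BURST_GAP):
    """Collapse timestamps into bursts and return each burst's start time."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts

def recurring_ips(rows, gap=BURST_GAP, min_span=MIN_SPAN, min_bursts=2):
    """Highlight IPs that come back after a long pause (likely static),
    ignoring IPs seen only in a single short burst (likely dynamic)."""
    by_ip = defaultdict(list)
    for _id, ip, _ip_forwarded, ts in rows:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        starts = bursts(times, gap)
        span = starts[-1] - starts[0]
        if len(starts) >= min_bursts and span >= min_span:
            flagged[ip] = {
                "hits": len(times),
                "bursts": len(starts),
                "span_days": round(span / 86400, 1),
            }
    return flagged

# Constructed sample data: (ip, seconds after T0); documentation IP ranges.
T0 = 1198000000
HITS = (
    [("198.51.100.7", o) for o in (0, 5, 10, 15, 20, 25)]        # 6 hits in 30 s
    + [("192.0.2.44", o) for o in (0, 60, 90000, 90030, 200000)]  # returns over days
    + [("203.0.113.9", o) for o in (0, 3600)]                     # twice in one hour
)
SAMPLE_ROWS = [(i, ip, "", T0 + off) for i, (ip, off) in enumerate(HITS, 1)]

if __name__ == "__main__":
    for ip, info in recurring_ips(SAMPLE_ROWS).items():
        print(ip, info)
```

Only `192.0.2.44` is highlighted; the 30-second burst and the same-day repeat are left for the admin to ignore.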
Posted: Fri Dec 21, 2007 7:51 pm

ramon fincken
Site Admin


Joined: 11 Dec 2006
Posts: 269
Location: A'dam/Diemen, The Netherlands

There will be no development for an insta-ban mod / addon.

So that's said ;)
What we are doing right now is to check for current trapped (in spam DB) entries upon registration for some fields, so that rules out, or actually includes, spammers with alike sign-up info and different IP's.

Lord Raiden's module has some nifty stuff to determine network ranges so if it comes to banning that would be a solution. (System telling that range x-y is a bit spammy, board admin decides to ban or leave it as is.)
Posted: Sat Dec 22, 2007 5:36 am

Lord Raiden
Experienced user


Joined: 11 Dec 2006
Posts: 123

Yeah, I think you guys will like the spam logs add-in I did for the spam filter. It's very nice as it gives you information about current spam activity on your board so that, as ramon said, you can decide what to ban and not ban.

Posted: Sun Aug 16, 2009 10:42 pm

ramon fincken
Site Admin


Joined: 11 Dec 2006
Posts: 269
Location: A'dam/Diemen, The Netherlands

Spamlogs contrib is now (1.3.2) a standard admin package :)

All times are GMT + 1 Hour