PLEASE HELP, persistant spammer wont leave my forum alone!

I run a forum right, and this dude on dial up keeps on coming back, signing up for new accounts with his endless email accounts, spams the hell out of it with scripts. For now I have banned 81.* and 61.* as that is what his ISP uses. This also blocks out a lot of traffic.

My server is running Red Hat Linux Enterprise with cPanel / WHM and I am running IPB 2.0.

What I want to know is how I can block out ALL hostnames with POL in them. His ISP hostnames all contain POL so this would be a more effiecent way of blocking him rather than blocking whole IP ranges. However, its seems that neither IPB or IP Deny can block all hostnames containing POL. They can only ban IP ranges, or specific hostnames, which doesnt work as he is on dial up and gets new IP's and hostnames each time. The only thing that stays the same is his hostname containing pol.co.uk could someone PLEASE help!

Thanks :)

The next thing you can do is to contact his ISP.

You can continue banning IPs like you are, but you might ban a legitiment. I would try contacting the ISP for harassment. Another thing to do is put a time limit on the posts like they do here. I wouldn't pick a rediculous 90 seconds, but something like 20-30 would stop the script most likely.

Why not confirm user accounts. ? Instead of allowing anyone who registers to have access?

Originally posted by VapoRub
The next thing you can do is to contact his ISP.

I've tried that already, and they didnt do anything.

You can continue banning IPs like you are, but you might ban a legitiment. I would try contacting the ISP for harassment. Another thing to do is put a time limit on the posts like they do here. I wouldn't pick a rediculous 90 seconds, but something like 20-30 would stop the script most likely.

I know, im losing lots of traffic by banning 81.* and 62.*. I have already put a limit of 45 seconds on. His UK ISP hasnt done anything.

Why not confirm user accounts. ? Instead of allowing anyone who registers to have access?

Problem is that im getting nearly 100 members a day sometimes, and he can just use random member names. I have turned on email validation with only one email per member which will slow him down.

Right now he wont do anything because of what i've done, but as soon as i remove the bans he comes back :(


What I really need to be able to do is ban all hostnames with the domain pol.co.uk in them.

Do a search on google for cyber harassment.

One page you might want to look at..(the bottom)
http://www.securityworld.com/library/workplacetech/cyberstalking.html

If you were running Windows you can ban based upon domain name, but each connection does a dns lookup which has a performance tradeoff.

Can you do a similiar ban in Apache?

Wish there was something we could do to help ya.

Originally posted by 6PS
If you were running Windows you can ban based upon domain name, but each connection does a dns lookup which has a performance tradeoff.

Can you do a similiar ban in Apache?

Wish there was something we could do to help ya.

I will ask my admin, Apache should have that ability.

You can also add code to your forum in the header or something...

if(gethostbyaddr($_SERVER[REMOTE_ADDR]) == "the.pol.address")
echo "SORRY, You're BANNED, MOUHAHHAHAA";
else
//the rest of the code here

Of course, that's just to give you a general idea, and is not completely syntax correct for production use :)

If you have email validation turned on he/she will eventually run out of email addy's to use I would assume.

Originally posted by X-Gaming
If you have email validation turned on he/she will eventually run out of email addy's to use I would assume.

yeah thats what im hoping for. But this guy is so persistant im sure he would go to the trouble of making more email accounts.

Anywho, I think I worked it out with my this current .htaccess file:

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
#The next line modified by DenyIP
order allow,deny
#The next line modified by DenyIP
#deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.elastomaniac.com
AuthUserFile /home/elma/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/elma/public_html/_vti_pvt/service.grp

<Files 403.shtml>
order allow,deny
allow from all
</Files>

<Limit GET HEAD POST>
order allow,deny
deny from pol.co.uk
allow from all
</LIMIT>

Contact his ISP again. Check their TOS for a place where its being violated.

Basicly he is using their service for illegal activity, if you have a no spam clause in the AUP that thye have to agree to before they sign up, which makes them liable if they refuse to handle the problem. Correct me if I am wrong about that...Might even want to get as official as having it sent snail mail on lawyer letterhead..

Make sure you sent it directly to the ISP's abuse dept

A simple, small PHP script that you can insert into IPB can/will help. Basicly is what it does is, retrieves his hostname, scans his hostname to see if the POL or whatever is in his name, and, if so, bans him from seeing your website.


$bad = gethostbyaddr($_SERVER[REMOTE_ADDR]);
if (strstr($bad, '<INSERT THE POL THING HERE>')) {
print("Jerk, no more spamming my forum. Get lost.");
}


All you have to do is add that to the skin_register.php or something, and he wouldn't be allowed to register anymore.

Remember, it has to be inside the PHP quotes.

If you have any trouble with it, feel free to just PM me on AIM or MSN and I'll set it up for you free of charge.

Just hope he doesn't use proxies, otherwise you'll be in for a nice headache.

Edit: PHP typo.

Originally posted by KamiDev
A simple, small PHP script that you can insert into IPB can/will help. Basicly is what it does is, retrieves his hostname, scans his hostname to see if the POL or whatever is in his name, and, if so, bans him from seeing your website.


$bad = gethostbyaddr($_SERVER[REMOTE_ADDR]);
if (strstr($bad, '<INSERT THE POL THING HERE>')) {
print("Jerk, no more spamming my forum. Get lost.");
}


All you have to do is add that to the skin_register.php or something, and he wouldn't be allowed to register anymore.

Remember, it has to be inside the PHP quotes.

If you have any trouble with it, feel free to just PM me on AIM or MSN and I'll set it up for you free of charge.

Just hope he doesn't use proxies, otherwise you'll be in for a nice headache.

Edit: PHP typo.

thanks man, but i think the .htaccess thing is working. If it doesnt i will try this aswell :)

even if he gets proxy he should run out of email accounts sooner or later.

Oopsies, yea, change that print to exit otherwise he'll just see the "No more spamming my forum" message on top of the skin.


$bad = gethostbyaddr($_SERVER[REMOTE_ADDR]);
if (strstr($bad, '<INSERT THE POL THING HERE>')) {
exit("Jerk, no more spamming my forum. Get lost.");
}


There you go.