phpBB redirect code
And the litany of vulnerable apps continues:
I got spammed with a link to a free forum site: a link to the front page of a user-created forum. I got curious, and found that the user had somehow got a redirect into the page's code.
Turns out the code was in the sub-heading of the post, the only post on that forum.

Anyone with a free service handing out phpBB forums to those who sign up had better make sure that hole is plugged. I haven’t had time to check regular phpBB forums. Hopefully it is plugged.
Update: It was interesting to see how that particular free provider had solved the problem. They substituted <, " and > with the HTML entities that display the characters correctly, so the META refresh no longer works. With this substitution, HTML or JavaScript wouldn’t work either, but BBCode still would. The META refresh code the spammer had inserted is now clearly visible in the subtitle, but there is no redirection.
August 7th, 2006 at 5:04 pm
I wouldn’t call it a vulnerability, because usually there’s nothing wrong with Javascript in itself. It only becomes inappropriate once someone tries to run a free service. So the correct step needed would be to disallow any html tags or javascript code. But the real disaster could strike if there’s a vulnerability that would enable the injection of php code. An administrator has access to upload facilities, thus he could theoretically exploit these holes for uploading his little nifty “spamilki”. The idea of offering free forums in itself is the problem. It has never worked out well.
August 8th, 2006 at 12:42 am
You realize you’re taking time out of your life, the only one you will ever have, to promote such stupidity. At least the spammers are making money at what they do. You’re just fingerin’ your b*%&hole if you think you’re doing any serious harm to spammers. We see sites like yours and it makes us go out and make a hundred or more sites just for spite. Give it up and use your life purposefully. Sheeeesh!!!
August 8th, 2006 at 1:56 am
To Spammamongous:
And you just charitably took time out of your spamming day to set me straight. Right….
August 8th, 2006 at 3:48 pm
This redirect is done through meta tags not Javascript. But either way, there should be no reason to allow user submitted content to contain meta tags or Javascript.
Even allowing user submitted images can run into trouble thanks to the WMF exploit, but images are so popular on forums as signatures and avatars they aren’t likely to be turned off.
August 9th, 2006 at 12:10 pm
Spammer said:
At least the spammers are making money at what they do.
Quite a generalisation I wouldn’t go with. Very few do, some break out even and some merely waste their time. They all, however, seem to feel like being elitists who teach those boring squares a lesson. Something they will tell their grandchildren over and over again in a few decades.
Spammer continued:
You’re just fingerin’ your b*%&hole if you think you’re doing any serious harm to spammers.
She’s making those aware of a problem who haven’t noticed yet. That’s entirely legitimate in my opinion and may help less tech savvy people to avoid mistakes others made before them. Aside from that I fail to see that this article aimed at harming spammers, rather than making aware of a feature, that isn’t suitable for a free service. So your claim has already been invalidated, because you missed the subject.
Spammer continued:
We see sites like yours and it makes us go out and make a hundred or more sites just for spite.
Not much of a choice here, because your business model entirely lives and dies with flaws in search engine algorithms. All your junk domains you’re probably using for piping traffic to your “made for adsense” pages are rather shortlived in regard to search engine presence and banned quickly, so you’re constantly forced to create new ones, or move your collection to new “clean” ip ranges. It’s not that the fruits are hanging as low as several years ago and much to your grief this weblog is frequently read by Google employees, so the efforts are in fact not in vain.
Perhaps there are spam friendly hosting companies who love your money, but all 3 major search engines agree in not wanting the kind of junk the likes of you are pestering the Internet with. And what’s it worth if people can’t find your pages? Consider that the number of available spammable targets has been dramatically shrinking for quite a while. It’s not like 2002/2003 anymore, as people got wiser and less tolerant to spam.
Spammer ended:
Give it up and use your life purposefully
Why should she, if she’s convinced of the purpose? You clearly underestimate the power a strong belief in God can unleash. Say spammer, where can you turn to if your business model is going down the drains, now that search engines are constantly improving their spam detection? If there’s one at a constant loss than it’s you, because you know very well it could be over anytime.
This reminds me of all those Russian schoolboys from Umaxsearch and elsewhere, who think they can earn quick money by hosting their buddies’ doorway pages and spambots or running “shops” where less sophisticated spammers or newbies can purchase the equipment necessary. They believe this as long as the first complaints reach their upstream provider (LayeredTech very often) and the latter pulls the plug within 2 days. Layered Tech is affordable hosting, but you should never get caught spamming from there.
August 10th, 2006 at 5:17 pm
Vasily Pumpkin, I’d be very surprised if “google employees” bothered to read this blog. The spamhuntress is often very naive when it comes to spam. The amount of times I have read things which are just absolutely incorrect is unreal. She has a habit of pointing the finger at the wrong people and doesn’t hesitate posting someone’s details (even if they are in a WHOIS) on her website and labelling the person as a spammer without any proof, often when anyone with half a brain can see that she has fingered the wrong person.
If you want to be a spam hunter then fine, but make sure you know enough on the subject before dedicating yourself to the task.
The bottom line is you will never stop webspammers, they’re the future.
August 11th, 2006 at 8:33 am
Spammer #2,
In regard to your doubts I can assure you there’s evidence enough:
Matt Cutts:
spamhuntress.com/2005/10/23/googles-dirty-little-secret/#respond
spamhuntress.com/2006/01/15/thanks-for-the-compliments/#respond
Adam Lasnik:
spamhuntress.com/2006/07/26/the-danger-of-autoresponders/#respond
You can easily spot Google employees by one of the corporate proxies they use. Seems like you missed out on a few things
You claim that Spamhuntress has the habit of getting things wrong, but fail to deliver evidence. Can you please elaborate with examples and tell the readers what exactly the wrong part is? Are there any traces on the Internet that could prove your expertise?
Finally your proclamation of web spam to be the future: I guess that’s what “bulkers” had claimed several years ago until they found out that email spam had became increasingly ineffective. The parallels to today’s webspam community are obvious, so I’m afraid your future is already on a sharp decline.
Vasily
August 11th, 2006 at 8:36 am
I was too quick with submitting.
It’s of course
“that email spam had become increasingly ineffective”
Sorry for that.
Vasily
August 11th, 2006 at 1:40 pm
It often seems like we make little difference, but if fighting webspam wasn’t doing any good we wouldn’t be upsetting spammers this much.
August 11th, 2006 at 1:57 pm
Joe,
You do not upset spammers, simply serve as an irritant.
I really don’t want to read over all of spamhuntresses posts but there have been a few times that I can remember just off the top of my head where she has labelled sites as spammers when it is clearly running a referral scheme and it is in fact an affiliate user who is spamming.
Also just because a website is being spammed does not mean it is being done by the owner of the domain. The spamhuntress could easily drop herself in legal hot water if she continues to post WHOIS information and state people are spammers without proof that it was actually *that* person spamming.
Vasily, I really don’t understand your attitude about spamming not generating a good reliable income. Why does it matter if it only lasts a few years… do you realise how much money a webspammer can make a day? A spammer only has to operate for a year before they can afford to retire.
Opposed to a spam hunter who makes no money and spends hours of their time each day on a lost cause.
August 11th, 2006 at 5:12 pm
To Esrun,
Early on I made a few mistakes with regard to affiliate programs, you’re right about that one. Where I’ve realized my mistake, I’ve updated the posts. There might be some forgotten pages early on, but you only got to page 14, right?
In the beginning I was probably a bit more naive than I am now. I think you’re reading into what I write a lot more than I’m actually writing. These days I seldom say straight out that a specific person is a spammer. I need to be pretty sure first. That doesn’t mean I’ll refrain from publishing whois info. The information is public, and most spammers know that. It’s a risk of doing business. Some don’t care, and some use fake info.
That whois info is what connects spam hunters. One spam hunter searches for a specific name server or e-mail address, and finds what another spam hunter has written. You know, you should REALLY have a look at NANAE. If you think *I* am bad, you just have NO idea what’s going on out there!
And you’re saying I make no money on what I do?
I think you’ve got the wrong idea… I don’t make money on this directly, but it’s a heck of a resume, and has been instrumental in securing better jobs for me… I’m still looking for new challenges, and the best way to do that, is to stay on top of this game, since I’ve managed to crawl up there in the first place.
August 12th, 2006 at 2:35 pm
Actually, to solve the problem, I simply opened up the index.php file to the master forum files and placed this line of coding in:
Find: 'FORUM_DESC' => $forum_data[$j]['forum_desc'],
Replace with: 'FORUM_DESC' => htmlspecialchars($forum_data[$j]['forum_desc']),
What this did was disable HTML from being allowed in the description of the forum or topic.
[/Problem Solved.]
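A worked illustration of the forum-description injection the post describes and of the htmlspecialchars() fix from the comment above. This is an added example, not phpBB's code or the commenter's; the sample description, the function names and the audit regex are constructed for it.

```php
<?php
// Added example (not phpBB's own code). The description string below is a
// constructed sample of what the post describes: a META refresh dropped into
// the forum/topic description field.
$forumDesc = '<meta http-equiv="refresh" content="0;url=http://spam.example/">Welcome';

// Vulnerable pattern: the stored description goes straight into the template,
// so the browser treats the META tag as markup and follows the redirect.
function render_vulnerable(string $desc): string {
    return '<div class="forumdesc">' . $desc . '</div>';
}

// Fixed pattern (the comment's htmlspecialchars() approach). ENT_QUOTES also
// encodes single quotes, which the flag-less call in the comment leaves alone
// on older PHP versions; after encoding, < > & " ' are displayed as text and
// the browser neither redirects nor runs script. BBCode is unaffected because
// it uses [ ] rather than < >.
function render_fixed(string $desc): string {
    return '<div class="forumdesc">'
        . htmlspecialchars($desc, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// Audit helper for a provider with existing data: flags descriptions that
// already contain tags able to redirect or execute (meta, script, iframe,
// object, embed), so they can be reviewed while the template fix is rolled out.
function description_is_suspicious(string $desc): bool {
    return (bool) preg_match('/<\s*(meta|script|iframe|object|embed)\b/i', $desc);
}

echo render_vulnerable($forumDesc), PHP_EOL;        // tag is live markup
echo render_fixed($forumDesc), PHP_EOL;             // tag is inert text
var_dump(description_is_suspicious($forumDesc));    // flagged for review
```

The audit helper is a triage aid only; the real control is escaping on output, which is what the template change in the comment does.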
August 12th, 2006 at 2:43 pm
Esrun,
I appreciate your good will in participating in a discussion, even if it’s not amongst people sharing the same opinion as yours
I really don’t want to read over all of spamhuntresses posts but there have been a few times that I can remember just off the top of my head where she has labelled sites as spammers when it is clearly running a referal scheme and it is infact an affiliate user who is spamming.
An affiliate scheme should of course be recognised as such by a spam hunter (or ~ress). That is, if a spammer is hammering a site with redirects to:
superadultsponsor.xx/search.php?aid=012345&q=boozy+gonzo
Then it might not be a good idea to blame the site owner. In this case the right step is of course to notify the sponsor of his abusive affiliate, provided that the sponsor’s rules clearly outline web spam as advertisement.
Another variation is a spammer who installed his spamilki on the same server where his sites are or within his rented netspace. This is fairly easy to identify and if all sites hosted there contain info that’s known to be associated with this person, there’s a good chance to have at least the spambot terminated. Not all hosters would go as far as LayeredTech and send a 24hrs takedown notice on the grounds of spamvertisement, but they do demand from their customer to cease this action.
Another typical (although less often) scenario: Someone from a marketing firm is spamvertising for their clients. There’s not necessarily a connection between the spammer and the spamvertised party aside from the task of spamming, as the marketing firm may only offer “link building” and has nothing to do with hosting or registering domains let alone web design.
And finally, let’s not forget Joe jobs (not the one posting here): Out of personal animosity someone is impersonating a victim he likes to take revenge on and leaves no spam variation untouched (gibberish doorways, silly comment spam and referrer spam) to harm the victim.
So why am I mentioning it? It’s vital that someone dealing with combatting spam is able to recognise and differentiate these four cases. When in doubt, it’s better to play safe and let spam happen than to accuse an innocent party. So from that, I would even partly agree with you.
Also just because a website is being spammed does not mean it is being done by the owner of the domain. The spamhuntress could easily drop herself in legal hot water if she continues to post WHOIS information and state people are spammers without proof that it was actually *that* person spamming.
That’s correct. You can’t accuse someone of something unless you can back up your claims with evidence.
Vasily, I really don’t understand your attitude about spamming not generating a good reliable income.
Esrun, please reread my comments. I didn’t write that it wouldn’t generate income but that a few persons may be able to live from it. The few spammers who are lucky in this game aren’t representative for the overall amount of participants. And the work associated with maintaining the revenue stream is quite time and money consuming, the constant process of acquiring new domains, getting rid of old ones, back up plans for sudden cancels upon complaints and the likes. Some people came to the conclusion that it’s not worth it (despite having had a decent income):
http://www.webproworld.com/viewtopic.php?t=65874
Why does it matter if it only lasts a few years… do you realise how much money a webspammer can make a day? A spammer only has to operate for a year before they can afford to retire.
See, there we are again with your generalisation. A small percentage may be able to do so, but these are the people who’ve been in it for a couple of years and have a vital interest to keep it up this way. Others start to propagate their strategies via an affiliate programme by making similar promises to those who purchase their “success products”. But seriously, how many people will ever come this far?
Aposed to a spam hunter who makes no money and spends hours of their time each day on a lost cause.
Sorry Esrun, but that is a silly prejudice. There are spam hunters who do get paid for their work and are developing strategies to combat spam. There are volunteers cooperating with each other, contributing to blacklists and so forth. Sometimes these are admins who needed to compile a list or investigate a case anyway. So from that it’s not a lost cause, for that would imply that websites get plastered with spam independent of precautions taken. And that’s definitely not the case.
Vasily
August 19th, 2006 at 1:00 pm
There’s a much simpler and effective way to answer the complaints of spammers and their associates.
It’s wrong. The profitability of a scheme is not justification for its methods.
Yes, go ahead and tell us spam is ever present - that’s something we all know. Here’s the catch: We get to choose what enters our lives. Freedom of choice supercedes freedom to spam.
What else can you come up with? Forums are akin to the hosting homes of social groups. It is our legal right to maintain control, which we will do, regardless of your selfish blatherskite.
Keep it up, Spamhuntress - and to the spammers out there: Get over yourselves.
September 15th, 2006 at 10:39 am
[…] I actually commented on spamhunters often it getting it wrong on the spamhuntress website. You can see my comments on her blog. […]
September 18th, 2006 at 3:56 am
Hey Esrun,
Looks like you stirred up something there! Not all anti-spammers keep it impersonal, as you seem to have just found out.