Spam on AdvancedGuestBook 2.3.3

Hi,
Can someone help me plz,i am getting between 80 and 100 messages a day on my guestbook,i am using AdvancedGuestBook 2.3.3 version.
I have tried to block ip address but there are too many but some of them are like
Thanks in Advance

I should hope none are localhost as that would mean the spam is coming from your own server. Read the very first thread in this forum.

Carbonize wrote:I should hope none are localhost as that would mean the spam is coming from your own server. Read the very first thread in this forum.

I'm sorry, I've searced for the first thread in this forum, but I really couldn't find it. Where can I find it? I have the same problem as zaki and I really want to solve it.....

There's a bug in Advanced Guestbook that allows spammers or hackers to use faked IP addresses (incl 127.0.0.1 localhost). I've released a new version of Guestbook that solves this and many more security issues. It can be downloaded from http://www.freerelationshipadvice.com/downloads/guestbook27.zip

IP banning is not a way to stop spam. It will sto pa few prolific spammers but a lot come from a variety of IP's. That is why I made my anti spam modifications to stop the posts before they happen.

Yes, Carbonize, I am aware of that. I invite you to have a closer look at the whole package. Security features include:
- Distinguishing between real and fake IP
- enforced delay for posting
- protection against fake of significant form data (such as form load timestamp)
- 2 level human verification: User must enter a value shown in an randomly chosen image at display time. Plus optional approval mode (Guestbook Administrator must approve new incoming messages). All these options (and many more) can be turned off and on at any time through the Administration panel

Additional convenience feature for the Administrator:
- necessary database upgrades are automatically discovered upon upload of a new version (no matter which version you are on currently)
- /admin/config.inc.php no longer needs to be saved away and restored

Full list of features: http://www.freerelationshipadvice.com/guestbook/whatsnew.txt

Yes I have already looked at your 2.7 code including the 255 premade images you have for your image verification which prevents your guestbook being used with any language other than English. You should of just made the image contain the characters and left the message as part of the lang file.

Any spammer who is actually going to go to the bother of spoofing the HTTP_X_FORWARDED_FOR header is not going to be stopped by IP banning. As you have now implemented you need to stop the spam from getting posted in the first place otherwise you will end up having to go in and delete the spam entries that get made before your auto ban kicks in.

Advanced Guestbook has come with a required field/time limit since version 2.3.3.

Yes, that's a good point, Carbonize. The images are not yet language sensitive. This will be included in an upcoming revision.

As the validation value is a mandatory field, spam posted by bots will be rejected. As an additional security feature, a validation mode is in place (as mentioned before), so that new posts will not show up unless they're authorized. Since the introduction of the user validation field, my spam rate dropped by 100% !!

Your comment re non-banning of spammers using the HTTP_X_FORWARDED_FOR header is not quite correct. In my version, users are banned based on their real IP address ($_SERVER['REMOTE_ADDR']) while the HTTP_X_FORWARDED_FOR address is kept in a separate variable. If acceptance of faked IP addresses is disabled (default), any difference between an existing HTTP_X_FORWARDED_FOR address and the real IP address will be rejected.

markus56 wrote:Yes, Carbonize, I am aware of that. I invite you to have a closer look at the whole package. Security features include:
- Distinguishing between real and fake IP
- enforced delay for posting
- protection against fake of significant form data (such as form load timestamp)
- 2 level human verification: User must enter a value shown in an randomly chosen image at display time. Plus optional approval mode (Guestbook Administrator must approve new incoming messages). All these options (and many more) can be turned off and on at any time through the Administration panel

Additional convenience feature for the Administrator:
- necessary database upgrades are automatically discovered upon upload of a new version (no matter which version you are on currently)
- /admin/config.inc.php no longer needs to be saved away and restored

Full list of features: http://www.freerelationshipadvice.com/guestbook/whatsnew.txt

Hi there i'm trying to install this version & i'm running in some problems at this page mydomien/guestbook/install.php :

Warning: main(/admin/ctl.inc.php): failed to open stream: No such file or directory in /home/sites/webhosting/jufkrista/jufkrista/www/guestbook/install.php on line 3

Warning: main(): Failed opening '/admin/ctl.inc.php' for inclusion (include_path='.:/usr/lib/php:/home/sites/webhosting/uvmb/uvmb/phpincludes:/home/sites/webhosting/vbp/vbp/phpincludes') in /home/sites/webhosting/jufkrista/jufkrista/www/guestbook/install.php on line 3

I'm installing from scratch.

Please help.. i really need a better version installed on my system.. too much spam.

Hi,

In file install.php, replace the 2nd line to read as follows:

include_once "./admin/ctl.inc.php";

Then it should work. Please give feedback.

Thank you.. i'm switching to http://lazarus.carbonize.co.uk

Looks better & is up to date

Yes, it's true, the first version (2.5) removed a lot of spam, but not all of it, it e.g. limited the # of messages per day to 9 (or a different value set in the preferences). It though already distinguished between faked and real IP addresses (faked ones no longer admitted)

The big break-through occurred with version 2.6 in which I added a 2 level human verification (by user and / or admin). From that time forward, the spam rate dropped to 0%.

Other than in Lazarus, the human verfication value in version 2.6 / 2.7 is not a static per site value; it is randomly chosen from a range of 255 values at display time. Also, the antibot value is not parsable by spammers, because it's displayed as a graphical image.

In version 2.7, I further added automated delta-checks for the database-structure. Any missing fields and/or tables will be added automatically, whereas existing columns and tables are NOT removed.

New in version 2.7.3:
- Language-safe: If a new value was not translated into the Advanced Guestbook target language, the English value will be displayed, along with the keyname between brackets. This helps the administrator to identify missing entries in their language file

- Graphic files for antibot values no longer contain surrounding text ("Please enter value..."). This text may now be configured via the language file

Get the latest version at http://www.freerelationshipadvice.com/downloads/guestbook27.zip

I have to say sinds using lazarus the SPAM was complet gone

i have 3 sites runing LAZARUS & have less costumers contacting me everyday

This simple, stupid script will create spam entries into the lazarus.co.uk guestbook with an arbitrary name.

- It gets the entry form
- then it grabs the special value by parsing the source code and enters it into the bottest field
- then it waits for 30 seconds before it posts it to the forum

This is where the advantage of a picture display over a parsable text display shows up.

So long as the persons host has GD compiled.
Also given that the question/answer can be anything
you have to visit the site to know what to parse.

I am flattered you went to such lengths to make
a script to spam my guestbook. Note I say MY guestbook
as your script will only spam my copy of Lazarus and
therefore is pointless.