1 (edited by 2010-10-23 11:54:14)

Topic: [HACK] Spam protection in CuteNews

Content List

* Spam protection with random bot word.
* Deny URLs in comments
* Captcha Hack
* ReCaptcha service
* Spam protection with asking three random chars from a random string of chars.
* Hidden input fields (no captcha)

2 (edited by 2010-10-23 08:21:01)

Re: [HACK] Spam protection in CuteNews

Original topic: <strike>here</strike>

Hack Name: Spam protection with random bot word.
Description: people will have to fill in this word before the comment can be added to the database. This word is a generated String of letters and numbers. This hack is updated on 06/08/2008 to improve the effectiveness. It should work now with more than 1 include code, though that's unconfirmed!
Author: FUNimations
Extra credits: Ifa
1. open the file that has your CN include code ... important make back-up first.
add

<?php session_start(); ?>

At the top of that page. This must be the very first PHP code!!
If you get a warning/error about sessions on your site, this will be due to the fact you have another PHP script in there that also uses sessions.
Ask their support what to do. And tell them that session_start() already happens before you use their script. This function is a PHP function and is not limited to a script, but can be used by all scripts in that page.

2. open shows.inc.php in inc folder
find 

$mail = trim($mail);

add under

 $test = trim($_POST[$_SESSION['spam']]);

find

<input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />

and add under

<input type=\"hidden\" name=\"".$_SESSION['spam']."\" value=\"$test\" />

find

$mail                 = replace_comment("add", preg_replace("/\n/", "",$mail));

add under

$test                = replace_comment("add", preg_replace("/\n/", "",$test));

find

if($name == " " or $name == ""){

add above

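// Pass only if a challenge was issued in this session and a non-empty answer matches it exactly
if( isset($_SESSION['spam']) && $test !== "" && $_SESSION[$_SESSION['spam']] === $test ) {$ok = TRUE;}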
    else
        { echo("<div style=\"text-align: center;color:white;background-color:darkred;\"> Your write too long!
 [url=] go back [/url] </div>");
                $CN_HALT = TRUE;
                break 1;
        }


Please ... before you save show.inc.php , make sure javascript doesn't have a space like this:
java script:history.go(-1)

find

$template_form = str_replace("{smilies}", $smilies_form, $template_form);

add under

if( !isset($input_name) ){
function code($nc, $a='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0') {
       $l=strlen($a)-1; $r='';
       while($nc-->0) $r.=$a[mt_rand(0,$l)]; // [] string offset; the {} form was removed in PHP 8
       return $r;
    }
$input_name = code(10);
$_SESSION['spam'] = $input_name;
$code = code(5);
$_SESSION[$input_name] = $code;
}
    $template_form = str_replace("{smilies}", $smilies_form, $template_form);
    $template_form = str_replace("{bot-inputname}", $_SESSION['spam'] ,$template_form);
    $template_form = str_replace("{bot-word}", $_SESSION[$_SESSION['spam']] ,$template_form);


3. Go to the comments form template.
Put something along the lines of this piece of code inside the comments form template.

<tr>
<td width="450" height="1"> 
<small>Type {bot-word} in the box:</small>
</td>
<td width="450" height="1"><small><input type="text" name="{bot-inputname}" tabindex="1"> (anti-spam)</small>
</td>
</tr>

3 (edited by 2010-10-23 09:57:34)

Re: [HACK] Spam protection in CuteNews

Original topic: <strike>here</strike>

Hack Name: Deny URLs in comments.
Description: Prevent people from adding comments with a URL in it. This is quite effective, because spambots leave URLs behind. The downside is that if a spambot adds a URL in the email field and you allow the email field to act as a URL field, it will come through, as we only check the comments themselves.
Author: FUNimations, Silk & DistantJ
Downloadable file:
shows.inc.php download the file and rename .txt to .php

1. open shows.inc.php in inc folder ... important make back-up first.
find

if( strlen($comments) > $config_comment_max_long and $config_comment_max_long != "" and $config_comment_max_long != "0"){
               echo"<div style=\"text-align: center;\">Your comment is too long!</div>";
                $CN_HALT = TRUE;
                break 1;
        }

add under it.

$pattern = "/[.]+(aero|arpa|asia|biz|cat|com|coop|edu|gov|info|int|jobs
|mobi|mil|museum|name|net|org|pro|root|tel|travel|ac
|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|ax|az
|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bw|by
|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx
|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|er|es|et|eu|fi|fj
|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr
|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|htm|html|php|il|im|in|io|iq
|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kr|kw|ky|kz|la
|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm
|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|asp|cgi
|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk
|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd
|se|sg|sh|si|sk|sl|sm|sn|sr|st|sv|sy|sz|tc|td|tf|tg|th
|tj|tk|tl|tm|tn|to|tr|tt|tv|tw|tz|ua|ug|uk|us|uy|uz|va
|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)$/ix"; // x flag: the line breaks inside the pattern are ignored
$message = "Your not allowed to put URL\"s in the comments field.";
// "\." matches a literal dot after www
if ( preg_match($pattern, $comments) || preg_match("/www\./i", $comments) || preg_match("/http/i", $comments) ) {
echo"<div style=\"text-align: center;\">$message</div>";
$CN_HALT = TRUE;
break 1;
}

4 (edited by 2012-02-21 06:57:34)

Re: [HACK] Spam protection in CuteNews

Original topic: <strike>here</strike>

Hack Name: Captcha Hack
Description: Show an image inside your comments form with a scrambled code in it. Enter the code for confirmation.
Author: FI-DD
Downloadable File: Download, extract the files and upload them to your main cutenews folder. Read the readme and follow the instruction.
Captcha1: Use these files if you have only 1 cutenews include on your newspage. Comments in popup still works.
Captcha2: Use these files if you have more than 1 cutenews include on your newspage. Comments in popup don't work here.

The hack itself: see original topic for the hack. READ THE INSTRUCTIONS really carefully and double check everything you do. Many have had problems because they overlooked something.
ATTENTION: not all servers support this hack!! You need GD2 Lib support.

5 (edited by 2009-09-21 18:59:07)

Re: [HACK] Spam protection in CuteNews

Original topic: here

Hack Name: reCaptcha Hack
Description: Show an image inside your comments form with a scrambled code in it. Enter the code for confirmation. Makes use of a captcha service.
Author: Greg G
Installation notes:
1) Go to reCaptcha and "Sign Up Now"

2) Sign up and note your "Private & Public Keys"

3) Download the latest version of reCaptcha for PHP here.

4) Drop "recaptchalib.php" into your /inc folder

5) Open /inc/shows.inc.php

6) find:

if($allow_add_comment){

and add BELOW IT:

    //----------------------------------
    // Recaptcha
    //----------------------------------

require_once('recaptchalib.php');
$privatekey = "###";
$resp = recaptcha_check_answer ($privatekey,
                                $_SERVER["REMOTE_ADDR"],
                                $_POST["recaptcha_challenge_field"],
                                $_POST["recaptcha_response_field"]);

if (!$resp->is_valid) {
  die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
       "(reCAPTCHA said: " . $resp->error . ")");
}

REPLACE ### WITH YOUR PRIVATE KEY

This code validates the captcha.

7) Now find:

$template_form = str_replace("{smilies}", $smilies_form, $template_form);

and add ABOVE IT:

require_once('recaptchalib.php');
$publickey = "###";
$template_form = str_replace("{captcha}", recaptcha_get_html($publickey), $template_form);


REPLACE ### WITH YOUR PUBLIC KEY

This code displays the captcha.

8) Find:

echo"<div style=\"text-align: center;\">This name is owned by a registered user and you must enter password to use it

<form name=passwordForm id=passwordForm method=\"post\" action=\"\">

Replace with:

echo"<div style=\"text-align: center;\">";
echo"<form name=passwordForm id=passwordForm method=\"post\" action=\"\">";

require_once('recaptchalib.php');
$publickey = "###";
echo recaptcha_get_html($publickey);

echo"


REPLACE ### WITH YOUR PUBLIC KEY
This code adds the captcha window to the page displayed when an admin needs to verify their password when they leave a comment.
The rearranging happens because recaptcha needs to be inside the <form> tag.

9) Save shows.inc.php

10) Go into your template editor (in the cutenews control panel) and add {captcha} into your template wherever you want the captcha box to be displayed.

Now I know it's not the prettiest captcha box but it works really well and has cool features like "read the captcha text as audio". Browse around the reCaptcha site and you will find some adjustments that can be made to the box itself.

6 (edited by 2010-04-10 18:52:24)

Re: [HACK] Spam protection in CuteNews

Hack Name:  Spam protection with asking three random chars from a random string of chars.
Description: From 10 random letters, people will have to count which letters the spam protection is asking for (it asks for 3 letters). For example, from abcdefghij, one must count the first, seventh and fourth char (agd). Which chars must be given is also randomized.
Author: Ifa

Find

 if($comments == ""){
            echo("<div style=\"text-align: center;\">Sorry but the comment can not be blank
[url=]go back[/url]</div>");
                        $CN_HALT = TRUE;
                        break 1;
    }

And add below it

$pass = FALSE;
    if (htmlentities($_POST['letters'], ENT_QUOTES, 'UTF-8'))
        {
            $letters = str_split(substr(htmlentities($_POST['letters'], ENT_QUOTES, 'UTF-8'), 0, 3));
            $random_letters = str_split(htmlentities($_POST['cba'], ENT_QUOTES, 'UTF-8'));
            $order = str_split(htmlentities($_POST['abc'], ENT_QUOTES, 'UTF-8'));
            
            foreach ($order as $key => $check)
                {
                    if ($random_letters[$check] == $letters[$key]) $pass = TRUE;
                    else
                        {
                            $pass = FALSE;
                            break;
                        }
                }
        }
    if (!$pass)
        {
            echo("<div style=\"text-align: center;\">Spam protection check failed, 
[url=]go back[/url]</div>");
            $CN_HALT = TRUE;
            break 1;
        }

Find

$template_form = str_replace("{smilies}", $smilies_form, $template_form);

    echo"<form  $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\">".$template_form."<div><input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" /><input type=\"hidden\" name=\"show\" value=\"$show\" />$user_post_query</div></form>
                    \n $CN_remember_include";

And replace it with

function r_letters($nc, $a='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0')
                            {
                                $l = strlen($a) - 1;
                                $r = '';
                                while($nc-->0) $r .= $a[mt_rand(0,$l)]; // [] string offset; the {} form was removed in PHP 8
                                return $r;
                            }
    $words_array = array ('first', 'second', 'third', 'fourth', 'fifth', 'sixth', 'seventh', 'eighth', 'ninth', 'tenth');
    $first = $words_array[mt_rand (0, 9)];
    $second = $words_array[mt_rand (0, 9)];
    $third = $words_array[mt_rand (0, 9)];
    $random_letters = r_letters(10);            
    
    $template_form = str_replace("{r-letters}", $random_letters, $template_form);
    $template_form = str_replace("{letter-input}", "<input type=\"text\" name=\"letters\" />",$template_form);
    $template_form = str_replace("{first}", $first ,$template_form);
    $template_form = str_replace("{second}", $second ,$template_form);
    $template_form = str_replace("{third}", $third ,$template_form);
    $template_form = str_replace("{smilies}", $smilies_form, $template_form);
    echo"<form  $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\">".$template_form."<div><input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" /><input type=\"hidden\" name=\"show\" value=\"$show\" />$user_post_query
    <input type=\"hidden\" name=\"cba\" value=\"".$random_letters."\" /><input type=\"hidden\" name=\"abc\" value=\"".array_search($first, $words_array).array_search($second, $words_array).array_search($third, $words_array)."\" />
    </div></form>\n $CN_remember_include";

Now, in your Add comment form template, you can use the following:
{r-letters} - shows 10 randomly generated letters.
{letter-input} - the text field where users type the 3 letters
{first}, {second} and {third} will output which letters users should type (ie Please type the {first}, the {second} and the {third} letter)
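
An added example, not part of the original posts: a session-backed variant of the checks in the "random bot word" and "three random chars" hacks, where the expected answer stays on the server, is compared strictly and is valid for one attempt only. The function names and the `$store` array (standing in for `$_SESSION` so the script runs from the command line) are assumptions.

```php
<?php
// Added example, not CuteNews code. $store stands in for $_SESSION so the
// script runs from the command line; all function names are hypothetical.

const ORDINALS = ['first', 'second', 'third', 'fourth', 'fifth',
                  'sixth', 'seventh', 'eighth', 'ninth', 'tenth'];

function random_letters(int $n): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0';
    $out = '';
    while ($n-- > 0) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Build a challenge. Only what the visitor must see is returned; the
// expected answer is kept server-side in $store.
function issue_challenge(array &$store): array
{
    $letters = random_letters(10);
    $ask = [];
    $answer = '';
    for ($i = 0; $i < 3; $i++) {
        $pos = random_int(0, 9);
        $ask[] = ORDINALS[$pos];
        $answer .= $letters[$pos];
    }
    $store['letters_answer'] = $answer;
    return ['letters' => $letters, 'ask' => $ask];
}

// Check a submitted answer. The stored answer is removed on every attempt,
// so a missing challenge or a repeated submission fails.
function verify_challenge(array &$store, $submitted): bool
{
    $expected = $store['letters_answer'] ?? null;
    unset($store['letters_answer']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Demo with a constructed session and a visitor who reads the form correctly.
$session = [];
$challenge = issue_challenge($session);
$typed = '';
foreach ($challenge['ask'] as $word) {
    $typed .= $challenge['letters'][array_search($word, ORDINALS)];
}
echo "Letters: {$challenge['letters']}, asked for: " . implode(', ', $challenge['ask']) . "\n";
echo 'correct answer:      ', var_export(verify_challenge($session, $typed), true), "\n";
echo 'same answer again:   ', var_export(verify_challenge($session, $typed), true), "\n";
echo 'no challenge issued: ', var_export(verify_challenge($session, ''), true), "\n";
```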

7 (edited by 2010-07-27 19:01:27)

Re: [HACK] Spam protection in CuteNews

Hack name: Hidden input fields
Description: This hack was based on an article posted here.
It's an attempt to fool spambots into thinking there is no spam protection and giving input fields random obscure names so there isn't a real pattern to input fields names. Visitors will notice nothing about the spam protection; No captchas or anything they need to fill out.
Author:  FUNimations
Instructions:
For the most part we need editing in shows.inc.php so let's open this file
find

$user_query = cute_query_string($QUERY_STRING, array( "comm_start_from","start_from", "archive", "subaction", "id", "ucat"));

add above or below

$priv_salt="somestring";

CHANGE the word somestring with some sort of security code you make up. And leave the quotes!

find

$name = trim($name);
        $mail = trim($mail);
    $id = (int) $id;  // Yes it's stupid how I didn't thought about this :/

and replace with

$salt_name = md5($priv_salt.date('z'));
        $salt = $_POST[$salt_name];
        if(empty($salt))
        {

            $salt_name = md5($priv_salt.(date('z')-1));
            $salt = $_POST[$salt_name];
        }
        $obsc_name = sha1('name'.$salt );
        $obsc_mail = sha1( 'mail'.$salt );
        $obsc_comment = sha1('comment'.$salt );
        $true_name = sha1('tname'.$salt );
        $true_mail = sha1('tmail'.$salt);
        $true_comment = sha1('tcomment'.$salt);
        $name = trim($_POST[$true_name]);
        $mail = trim($_POST[$true_mail]);
        $submit = trim($_POST['submit']);
        $comments = trim($_POST[$true_comment]);
    $id = (int) $id;  // Yes it's stupid how I didn't thought about this :/

find

if( strlen($comments) > $config_comment_max_long and $config_comment_max_long != "" and $config_comment_max_long != "0"){
               echo"<div style=\"text-align: center;\">Your comment is too long!</div>";
                $CN_HALT = TRUE;
                break 1;
        }

and add below

if( $submit == "Add My Spam"){
                       echo"<div style=\"text-align: center;\">Spambot detected. Don't worry if you're not!</div>";
                        $CN_HALT = TRUE;
                        break 1;
        }
        //SPAMPROT
        if(strlen(trim($_POST[$obsc_name])) >0 || strlen(trim($_POST[$obsc_mail])) >0 || strlen(trim($_POST[$obsc_comment])) >0)
        {
            echo"<div style=\"text-align: center;\">Spambot detected. Don't worry if you're not!</div>";
                        $CN_HALT = TRUE;
                break 1;
        }

find

echo"<div style=\"text-align: center;\">This name is owned by a registered user and you must enter password to use it

             <form name=passwordForm id=passwordForm method=\"post\" action=\"\">
             Password: <input type=\"password\" name=\"password\" />
             <input type=\"hidden\" name=\"name\" value=\"$name\" />
             <input type=\"hidden\" name=\"comments\" value=\"$comments\" />
             <input type=\"hidden\" name=\"mail\" value=\"$mail\" />
             <input type=\"hidden\" name=\"ip\" value=\"$ip\" />
             <input type=\"hidden\" name=\"subaction\" value=\"addcomment\" />
             <input type=\"hidden\" name=\"show\" value=\"$show\" />
             <input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />
             $user_post_query
             <input type=\"submit\" /> \n 

             <input type=\"checkbox\" name=\"CNrememberPass\" value=1 /> Remember password in cookie (md5 format)
             </form>
              </div>";
                         $CN_HALT = TRUE;
             break 2;

                }

replace with

 //SPAMPROT
                            $salt_name = md5($priv_salt.date('z'));
                            $salt = $_POST[$salt_name];
                            if(empty($salt))
                            {
                                // Fall back to yesterday's field name and re-read the salt from it
                                $salt_name = md5($priv_salt.(date('z')-1));
                                $salt = $_POST[$salt_name];
                            }
                            $obsc_name = sha1('name'.$salt );
                            $obsc_mail = sha1( 'mail'.$salt );
                            $obsc_comment = sha1('comment'.$salt );
                            $true_name = sha1('tname'.$salt );
                            $true_mail = sha1('tmail'.$salt);
                            $true_comment = sha1('tcomment'.$salt);
             echo"<div style=\"text-align: center;\">This name is owned by a registered user and you must enter password to use it

             <form name=passwordForm id=passwordForm method=\"post\" action=\"\">
             Password: <input type=\"password\" name=\"password\" />
             <input type=\"hidden\" name=\"$true_name\" value=\"$name\" />
             <input type=\"hidden\" name=\"$true_comment\" value=\"$comments\" />
             <input type=\"hidden\" name=\"$true_mail\" value=\"$mail\" />
             <input type=\"hidden\" name=\"ip\" value=\"$ip\" />
             <input type=\"hidden\" name=\"subaction\" value=\"addcomment\" />
             <input type=\"hidden\" name=\"show\" value=\"$show\" />
             <input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />
             <input type=\"hidden\" name=\"$salt_name\" value=\"$salt\" />
             <input type=\"hidden\" name=\"$obsc_name\" value=\"$_POST[$obsc_name]\" />
             <input type=\"hidden\" name=\"$obsc_mail\" value=\"$_POST[$obsc_mail]\" />
             <input type=\"hidden\" name=\"$obsc_comment\" value=\"$_POST[$obsc_comment]\" />
             $user_post_query
             <input type=\"submit\" /> \n 

             <input type=\"checkbox\" name=\"CNrememberPass\" value=1 /> Remember password in cookie (md5 format)
             </form>
              </div>";
                         $CN_HALT = TRUE;
             break 2;

                }

find

$template_form = str_replace("{smilies}", $smilies_form, $template_form);

    echo"<form  $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\">".$template_form."<div><input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" /><input type=\"hidden\" name=\"show\" value=\"$show\" />$user_post_query</div></form>
                    \n $CN_remember_include";

replace with

//SPAMPROT
    // Concatenate with "." (the original "+" did arithmetic on the IP string, which fails on PHP 8)
    $salt = md5(time().$_GET['id'].$_SERVER['REMOTE_ADDR']);
    $salt_name = md5($priv_salt.date('z'));
    $obsc_name = sha1('name'.$salt );
    $obsc_mail = sha1( 'mail'.$salt );
    $obsc_comment = sha1('comment'.$salt );
    $true_name = sha1('tname'.$salt );
    $true_mail = sha1('tmail'.$salt);
    $true_comment = sha1('tcomment'.$salt);
    // CSS class names may never start with a number, hence the 't' prefix.
    // Separate variables so the $show used in the hidden "show" field below is not overwritten.
    $show_class = 't'.sha1( 'show'.$salt );
    $hide_class = 't'.sha1( 'hide'.$salt );

    $template_form = str_replace("{smilies}", $smilies_form, $template_form);
    $template_form = str_replace("{spam-input-name}", $obsc_name, $template_form);
    $template_form = str_replace("{spam-input-mail}", $obsc_mail, $template_form);
    $template_form = str_replace("{spam-input-comment}", $obsc_comment, $template_form);
    $template_form = str_replace("{real-input-name}", $true_name, $template_form);
    $template_form = str_replace("{real-input-mail}", $true_mail, $template_form);
    $template_form = str_replace("{real-input-comment}", $true_comment, $template_form);
    $template_form = str_replace("{show}", $show_class, $template_form);
    $template_form = str_replace("{hide}", $hide_class, $template_form);

    echo"<style type=\"text/css\">.".$show_class."{display:inline;} .".$hide_class."{display:none;}</style><form  $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\"><input type=\"hidden\" name=\"".$salt_name."\" value=\"".$salt."\" />".$template_form."<div><input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" /><input type=\"hidden\" name=\"show\" value=\"$show\" />$user_post_query</div></form>
                    \n $CN_remember_include";
                    //SPAMPROT

close shows.inc.php, save changes and upload the modified file.

Next change ALL your templates (the comments form part) like following.
First find (based on the default template)

<input type="submit" name="submit" value="Add My Comment">

and replace it with

<span class="{hide}"><input type="submit" name="submit" value="Add My Spam"></span><span class="{show}"> <input type="submit" name="submit" value="Add My Comment"> </span>


Next we are going to replace all input fields:

<input type="text" name="name">

to

<span class="{show}"><input type="text" name="{real-input-name}"></span><span class="{hide}"><input type="text" name="{spam-input-name}"></span>


<input type="text" name="mail">

to

<span class="{show}"><input type="text" name="{real-input-mail}"></span><span class="{hide}"><input type="text" name="{spam-input-mail}"> </span>


<textarea cols="40" rows="6" id=commentsbox name="comments"></textarea>

to

<span class="{show}"><textarea cols="40" rows="6" id=commentsbox name="{real-input-comment}"></textarea></span><span class="{hide}"><textarea cols="40" rows="6" id=commentsbox name="{spam-input-comment}"></textarea></span>


And save the new template. That is all. Now it may be good for you to understand what the change in the template does. For each field we create a dummy field. The dummy fields will be invisible, so users won't notice them and won't be able to fill anything in. Bots however won't notice them as being invisible, so they will submit values for those fields. When CN detects the dummy fields as being filled in, it'll know it's a bot.
Now what you should know is that around every input field there is a span. You are free to switch the dummy field and the REAL field but don't forget to switch the span as well so you don't accidentally make the dummy fields visible and the real fields invisible. It's a good idea to do some random ordering with these fields, so we don't have a standard

real dummy, real, dummy, real, dummy

order but you get something like

dummy real, dummy, dummy, real, real
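
An added example, not part of the original post: the server-side decision of the hidden input fields hack as one stand-alone script, run over constructed submissions. The md5/sha1 naming scheme, `$priv_salt` and the "Add My Spam" value follow the hack; the function names are assumptions, a missing salt field is rejected outright, and yesterday's field name is computed from the shifted date so the fallback also works on 1 January.

```php
<?php
// Added example, not CuteNews code. The md5/sha1 naming scheme, $priv_salt and
// the "Add My Spam" button value follow the hack above; function names are hypothetical.

// Name of the hidden field that carries the per-form salt, for today or N days ago.
// The day number comes from the shifted date, so 1 January falls back to 31 December.
function salt_field_name(string $privSalt, int $daysAgo = 0): string
{
    return md5($privSalt . date('z', strtotime("-$daysAgo day")));
}

// Real and dummy field names derived from the per-form salt.
function field_names(string $salt): array
{
    $names = ['real' => [], 'trap' => []];
    foreach (['name', 'mail', 'comment'] as $field) {
        $names['real'][$field] = sha1('t' . $field . $salt);
        $names['trap'][$field] = sha1($field . $salt);
    }
    return $names;
}

// Trimmed string value of a POST field; missing or non-string values count as empty.
function post_string(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
}

function classify_submission(array $post, string $privSalt): array
{
    $salt = '';
    foreach ([0, 1] as $daysAgo) { // form rendered today, or shortly before midnight
        $salt = post_string($post, salt_field_name($privSalt, $daysAgo));
        if ($salt !== '') break;
    }
    if ($salt === '') {
        return ['accept' => false, 'reason' => 'salt field missing'];
    }
    if (post_string($post, 'submit') === 'Add My Spam') {
        return ['accept' => false, 'reason' => 'hidden submit button used'];
    }
    $names = field_names($salt);
    foreach ($names['trap'] as $field => $key) {
        if (post_string($post, $key) !== '') {
            return ['accept' => false, 'reason' => "dummy $field field filled in"];
        }
    }
    return ['accept' => true, 'reason' => 'ok',
            'name'     => post_string($post, $names['real']['name']),
            'mail'     => post_string($post, $names['real']['mail']),
            'comments' => post_string($post, $names['real']['comment'])];
}

// Constructed sample submissions.
$privSalt = 'somestring';
$salt = md5('constructed-per-form-salt');
$n = field_names($salt);
$visitor = [salt_field_name($privSalt) => $salt, 'submit' => 'Add My Comment',
            $n['real']['name'] => 'Alice', $n['real']['comment'] => 'Nice article'];
$allFilled = $visitor + [$n['trap']['name'] => 'x', $n['trap']['comment'] => 'y'];
$noSalt = ['name' => 'x', 'comments' => 'y', 'submit' => 'Add My Comment'];

foreach (['visitor' => $visitor, 'all fields filled' => $allFilled, 'no salt field' => $noSalt] as $label => $post) {
    $r = classify_submission($post, $privSalt);
    echo str_pad($label, 20), $r['accept'] ? 'accepted' : 'rejected: ' . $r['reason'], "\n";
}
```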
