Home

Your premium source for custom modification services for phpBB

   logo

HomeForumsBlogMOD ManagerFAQSearchRegisterLogin

Comments July 5, 2008

Creating “Fake” Signatures

Filed under: Anti-spam — Dave Rathbun @ 8:16 am CommentsComments (6) 

One of the boards that I help administer is seeing a new form of spam that I call fake signatures. It’s very irritating, but quite creative. The people (or person?) doing this are joining the board and getting past the checkbox challenge, so I assume they’re human. They are posting what at first glance looks like legitimate content. But there are symptoms. :)

First, their content is generic enough (and often posted in a “general” or “off-topic” area) that it escapes the normal red flag spam warnings. However, I suspect if you did a search for the post text you would find the same exact post on multiple boards across the Internet. Here are some samples:

Hi everyone,

I’ve got a room in the house that seems to have terrible signal reception from my home’s wireless router.

I a wireless usb network card to connect to the router. There’s no antenna, so I pretty much just move the USB cord (around 3 feet) around to get the best signal.

Is there any way to increase reception on a USB adapter that doesn’t have an antenna?

I don’t care if it looks stupid, like wrapping the thing in foil, or whatever. It’s not like anybody’s going to see it.

Thanks

Just wondering how my web server compares to everyone elses. I’m running a P4 2.0 GHz with 2GB DDR-266 RAM on DSL Internet. I know its slow but it gets the job done…for now. What are the specifications of your web server and its internet connection?

Second, their post includes a signature. Nothing wrong with that, right? Most boards will let you put links in your signature. The key here is the signatures look “spammy” as they include keywords and links that have nothing to do with the post, much less the board content.

Third, their signature changes from post to post. :shock: As anyone that uses phpBB2 knows, your signature is part of your user profile. When you change your signature, it changes on every post that you have opted to include it. So how are these folks getting a new signature for each post?

It was easy to figure out. When I pulled up the user profile, there was no signature at all. Instead these people are embedded what looks like a signature within the body of their post. By doing this, they are able to change their signature and spam new links at will. Here’s an example (screen shot) of what one of these posts looks like:

fake signature example image

See the part that looks like a signature? It’s actually part of the post. What’s even worse is that when someone quotes the entire post (and why do people do that, anyway? :roll: ) then the fake signature and all of the spam links get quoted as well!

<sigh>

In a nutshell, the poster includes the horizontal line that phpBB2 uses by default to separate the post content from the signature, then they frequently include three or four short words, each of which is a link to a different site, and then they follow that with a smiley of some kind. The only way to remove the spam is to edit each of their posts.

I did this (edited posts) on the board in question, and then one of the spammers went back and edited their posts again to add the fake signature right back. So I banned that account. And then for good measure I checked the Checkbox Challenge log table and found out what IP address that account had used to register, and I checked every other account that used that same IP during registration. I banned all of those too. :twisted: It turned out that all of these accounts were using gmail addresses, and any of them that had posted were also using fake signatures.

I haven’t come up with a way to combat this just yet. And it’s a bit difficult to come up with a way to search the database for fake signatures because the understore character used to separate the signature from the post content is a database wildcard. If you search for posts where the post_text is “like” a string of underscore characters like this:

select post_id from phpbb_posts_text
where post_text like '%____________%';

Well, it doesn’t work. The _ character used in conjunction with the LIKE operator is a wildcard that matches any individual character, rather than matching the _ itself. You have to escape the _ in order to search for it directly.

What I have done for now is install my Spammer Hammer on the board in question. At least that way I don’t bother searching for posts all over the board… a couple of clicks and all posts by the user anywhere on the board are instantly removed from public view.

6 Comments »

  1. On a whim I searched for the text in one of the posts above. I found the exact same post on a phpBB3 board

    computer-forums.net/viewtopic.php?t=3167

    and on a vBulletin board

    forums.dealofday.com/general-chit-chat/205605-terrible-signal-reception.html

    and another vB board

    forums.clantemplates.com/showthread.php?p=1317393

    and an IPB board

    microsupport.4.forumer.com/index.php?showtopic=853

    and… well, you get the idea. :)

    Comment by Dave Rathbun — July 5, 2008 @ 8:22 am

  2. I’ve had this problem as well. People joining up, all from the same IP, in order start strange generic topics and include either these fake signatures in their postings or embedded links like they are cut & pasting ready-made text. A lot of them had links to the same web site, which I added as a forbidden phrase.

    They are real people as before I realized it was widespread, I would send them a PM asking them to stop using spam-type links in their postings. They all read the PMs. They did not respond but they stopped.

    Comment by Everett — July 7, 2008 @ 10:17 am

  3. Hi, Everett, and welcome to my blog. Thanks for your comment.

    On the board in question, I did the same (sending PM’s). Not only did they not stop, they went back and edited some of their posts to include the fake signature once again. That earned them a quick whack from the ban hammer. :)

    Comment by Dave Rathbun — July 7, 2008 @ 5:38 pm

  4. Hi Dave,

    I too have seen two or three of those posts on my board. No big deal as I gladly remove those. If numbers were bigger I’d get bothered though.

    I haven´t tried this, but can´t you simply make _____________ a banned word with the ban word tool in the ACP, or would this ban single underscores too?

    Greetings,

    Willy.

    Comment by Dogs and things — July 10, 2008 @ 6:36 pm

  5. That’s pretty amusing, I think, to make a legit post with a fake spam sig!

    Unfortunately, I haven’t had any spam posts since I installed your Checkbox Challenge, so I have no personal experience with this matter.

    Oh yeah, and I am glad that there are new blog entries here, I had stopped coming for awhile because nothing new was posted after the Subforums entry. :)

    Comment by Dog Cow — July 15, 2008 @ 2:56 pm

  6. A follow up on my earlier post. I noticed all of the people I warned stopped posting and visiting the site altogether. A number of the accounts I suspected were duplicates never read my warning PM. I guess they figured their cover had been blown. I decided to ban all of them as a precaution against future spam.

    Comment by Everett — July 30, 2008 @ 11:34 am

RSS feed for comments on this post.

Leave a comment

Tags allowed in comments:
<a href="" title=""> <acronym title=""> <blockquote cite=""> <code> <strong> <em> <u> <sup> <sub> <strike>

Confirm submission by clicking only the marked checkbox:

     **         

Powered by WordPress