I gather the original poster is talking about his experience of having his forum content 'scraped' by someone.

Then finding that his content (posts etc) was being used to populate another forum, using some of the tools available to steal other people's content this way that one can find on the web, alas.

It's a big problem that can be difficult to fight off, especially as a lot of these scrapers do bad things like:

- fail to respect robots.txt,
- attempt to cloak themselves behind bogus user agents, and
- access you from a variety of changeable IP addresses.

I would look at my server logs on the day(s) the scraper in question came to visit, and see if there was anything in the logs that would help you perhaps block it in future (by user agent, IP address etc) either in your robots.txt file, .htaccess, mod_security filter settings, with your firewall, or whatever other means at your disposal.

To get a good lesson in the scope of the problem, and some of the solutions, I heartily recommend reading and keeping abreast of IncrediBILL's blog.

He is about the most vocal enemy scrapers and bad bots have on the web. He also says he is developing a tool to help content authors defeat them that, if it works, will certainly be worth looking out for:

http://incredibill.blogspot.com/

Some of the services offered by Copyscape - http://www.copyscape.com - may also be useful to you if you are worried about this happening again. It can help alert you to people ripping off your content.
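
The log review suggested above, sketched as an added example (not part of the original post). It assumes Apache's combined log format and PunBB-style `viewtopic.php?id=N` URLs; the thresholds, the function name `suspects`, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format is assumed; adjust to the server's LogFormat.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TOPIC = re.compile(r'^/viewtopic\.php\?(?:.*&)?id=(\d+)')
EXTRA = re.compile(r'^/robots\.txt$|\.(?:css|js|png|gif|jpg|ico)(?:\?|$)')

def suspects(lines, min_topics=3):
    """Return {ip: [reasons]} for clients whose requests look like scraping."""
    stats = defaultdict(lambda: {"topics": set(), "agents": set(), "extras": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        s, path = stats[m["ip"]], m["path"]
        s["agents"].add(m["ua"])
        t = TOPIC.match(path)
        if t:
            s["topics"].add(int(t.group(1)))
        elif EXTRA.search(path):
            s["extras"] = True  # fetched robots.txt or page assets like a browser/crawler
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if len(s["topics"]) >= min_topics and not s["extras"]:
            reasons.append("bulk topic reads without assets or robots.txt")
        if len(s["agents"]) > 1:
            reasons.append("user agent changes between requests")
        if reasons:
            flagged[ip] = reasons
    return flagged

def _line(ip, path, ua):  # builds one constructed combined-format log line
    return f'{ip} - - [10/Oct/2006:13:55:36 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

T = "/viewtopic.php?id="
SAMPLE = [_line(*r) for r in [  # constructed data, documentation IP ranges
    ("203.0.113.7", T + "1", "Mozilla/4.0"), ("203.0.113.7", T + "2", "Mozilla/4.0"),
    ("203.0.113.7", T + "3", "Opera/9.0"), ("203.0.113.7", T + "4", "Opera/9.0"),
    ("198.51.100.20", T + "10", "Firefox/1.5"), ("198.51.100.20", "/style/Oxygen.css", "Firefox/1.5"),
    ("192.0.2.5", "/robots.txt", "ExampleBot/1.0"), ("192.0.2.5", T + "1", "ExampleBot/1.0"),
    ("192.0.2.5", T + "2", "ExampleBot/1.0"), ("192.0.2.5", T + "3", "ExampleBot/1.0"),
]]

if __name__ == "__main__":
    print(suspects(SAMPLE))
```

The flagged addresses and user agents are candidates for review, not automatic bans; a browser behind a caching proxy can also skip asset requests.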

TFD wrote:

This guy is in the UK and I'm in the US. He is on DSL and can reconnect to get a new IP so bans aren't working. He just gets a new email and registers again. Over 40 times so far.

The IP address is: 85.210.63.255
The host name is: 85-210-63-255.dsl.pipex.com

Is there a way to block that carrier and not just the IP? Any other suggestions? I have no other users from overseas so I can block the whole thing but I'd like to block just the carrier pipex.com

Thanks in advance!

Try using the CIDR netmask 85.210.0.0/18.

That should block all addresses in the range 85.210.0.1 - 85.210.63.255, which corresponds to the relevant section of the Pipex ADSL Dynamic IP address pool. That's about 16382 IP addresses...

You can add this either in PunBB [I think the IP blocklist in the Admin area supports CIDR netmasks?], or make the block happen via your .htaccess file:

deny from 85.210.0.0/18
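
A way to sanity-check a range ban like this before applying it, as an added example (not part of the original post), using Python's standard `ipaddress` module. The helper names are hypothetical; only the first offender address comes from the thread, the other addresses are constructed, and the Apache 2.4 `Require not ip` form is shown next to the `deny from` form used above.

```python
import ipaddress

def smallest_cover(ips):
    """Narrowest single network that contains every address in ips."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]  # one address family assumed
    net = ipaddress.ip_network(str(addrs[0]))         # start from a single host
    while not all(a in net for a in addrs):
        net = net.supernet()                          # widen by one prefix bit
    return net

def review_block(cidr, offender_ips, member_ips):
    """Check a proposed CIDR ban against known offender and member addresses."""
    net = ipaddress.ip_network(cidr, strict=True)     # raises if host bits are set
    offenders = [ipaddress.ip_address(ip) for ip in offender_ips]
    members = [ipaddress.ip_address(ip) for ip in member_ips]
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "size": net.num_addresses,
        "missed": [str(ip) for ip in offenders if ip not in net],
        "collateral": [str(ip) for ip in members if ip in net],
    }

def htaccess_rules(cidr):
    """Render the ban for Apache 2.2 (deny from) and Apache 2.4 (Require not ip)."""
    net = ipaddress.ip_network(cidr)
    return {
        "2.2": f"deny from {net}",
        "2.4": ("<RequireAll>\n    Require all granted\n"
                f"    Require not ip {net}\n</RequireAll>"),
    }

# First address is the one quoted in the thread; the others are constructed.
OFFENDERS = ["85.210.63.255", "85.210.12.40", "85.210.70.9"]
MEMBERS = ["192.0.2.14", "85.210.33.2"]  # constructed: one member inside the range

if __name__ == "__main__":
    print(smallest_cover(OFFENDERS[:2]))
    print(review_block("85.210.0.0/18", OFFENDERS, MEMBERS))
    print(htaccess_rules("85.210.0.0/18")["2.4"])
```

The `collateral` list is the part worth reading before committing a ban: it shows which existing members would be locked out by the range.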

I had the same issue, in IE6 and FF 1.5

I could download the whole raw PHP page code. Nice! :)

I think someone was playing around with the MIME types configuration in the server that PunBB is hosted on [TextDrive?], thus prompting the browsers to get confused about how they should handle PHP.

It seems fixed now though.

I found it at:

http://www.punres.org/files.php?pid=317

405

(18 replies, posted in General discussion)

Ugh. I hate digg.

Full of teens, tech tribal fanboys, product-pushers, link-baiters and too many posts with: 'Amazing' and '!!' in the subjects.

Sorry to be a grump, but I could never bring myself to sign up and join the company of such people.

You get a far better crowd around here :)

This is old news, since their forum has been up since 05, but this site is a good vote of confidence in punBB and its security, and such a reminder is timely, given the recent pun security related updates:

http://forum.hardened-php.net

It's also always a good time to remind folks about the hardened-php project.

The project has recently released 'Suhosin' 0.9.6, the first stable release of their new Advanced PHP protection software, which punBB users who have the ability to modify their Apache/PHP setup might like to check out.

Let us know if it works. I plan to do the same.

408

(27 replies, posted in PunBB 1.2 troubleshooting)

Smartys wrote:

If it becomes standard, the people that make bots will render it useless. The key is to make your registration process unique, since the chances of a bot maker caring about your specific forum are pretty low :P

I have a simple suggestion to defeat the bots, based around this concept of making each forum's user registration process in some way unique.

Rickard could code the Members section of the PunBB administrators area to allow Admins to add 1 (or more) custom form field(s) to the user registration page. This custom form field would allow (or require) each site to specify an additional unique registration variable for all forum signups, to supplement username, password and email verification.

The options available in this form could be anything the forum administrator likes. The format of it should also be variable, so that the admin can make it a drop down form, or radio-buttons, or a blank text input form box. Ideally, the php code or form ID for the subsequent form should also make its name unique, based on the form name or a randomly generated value.

E.g. on one punBB forum it could be a drop-down form that asks the user at signup time to confirm: 'What's your favourite colour?', and gives them a selection of 'Red/ Green/ Yellow/ Blue'. Another punBB forum might have a drop down form that asks: 'Who is the President of the United States?', and gives them the option of specifying 'George Bush/ Dick Cheney/ Arnold Schwarzenegger'.

Etc, ad infinitum.

If every punBB forum that required signups had a unique question/response requirement like so, bots may have a harder time reaching into multiple punBB sites.

Is this concept valid?

What I am trying to express is some (built in) way of essentially randomising the punBB login sequence, so that each punBB board has in some way a unique login process.

Actually, a neater solution to this (now that I think about it) could be as simple as having the punBB installer assign a random prefix to either the login.php file or the register.php file, which is unique to each punBB install, so that for example on one site login.php becomes '123login.php', whereas on another site it is '99bblogin.php'.

That alone would screw the bots up.

409

(8 replies, posted in News)

In their defence, some of the more reputable security reporting sites do attempt to verify that bugs are real before they pass on any reports.

That is the responsible thing to do - otherwise they contribute to the severe noise pollution problem that security minded IT administrators have to deal with nowadays, as well as unnecessarily damaging the reputation of vendors and coders, and unnecessarily alarming users of the products concerned.

In this case, for example, I notice Secunia.com has not passed on news of this 'punBB vulnerability', presumably because they actually checked to see if the bug was real before registering it in their database.

IanN wrote:

How quickly are vulnerabilities like this normally patched? Also I take it from the licence that we'd be free to patch this ourselves?

FWIW, as a pun user, in my experience Rickard is pretty on the ball, in terms of being aware of security issues and fixing them promptly if they indeed are real vulns.

He's also quite receptive to being told about potential security issues, even though it may sometimes be a drag investigating some of the more obscure or poorly described ones.

And so far, the security track record of punBB re publicly known vulns, is pretty good, better probably than many of the larger forums.

Of course much of this may also be due to the lower profile of punBB, and consequently the lower number of hackers exposed to it and inclined to try and break it, rather than any guarantee about the security of its code.

So prudent installation, configuration and management of your punBB forum will still be required.

I notice that XennoBB - http://www.xennobb.com - a forum package based on PunBB code has been having problems recently keeping its home site up, perhaps due to vulnerabilities - http://secunia.com/product/11262/ - reported in its code base.

I just wondered if Rickard was keeping an eye on this product to see if the vulns identified in Xennobb had any implications for the PunBB code base?

Paul wrote:

I don't think there is any magic bullet for spam, it's just a question of chipping away at it with a number of small steps. Though I still think we need to make it easier to remove spam that has got through.

I agree on both counts. A 5% anti-spam improvement here, a 5% improvement there on an incremental basis is still very worthwhile in the anti-spam arms-race we are all hostage to nowadays, alas.

And yep, I think we need to assume that no matter what we do at the front-end of a forum, somehow a certain percentage of spammers will get their crap through onto even the best run punBB forum, and so we will increasingly need more efficient tools for hoovering spam posts out of punBB forums.

Another useful anti-spam feature would be punBB support for the 'no-follow' attribute on links in Guest postings:

see

http://googleblog.blogspot.com/2005/01/ … -spam.html

and

http://www.mattcutts.com/blog/quick-com … -nofollow/

It would remove some of the incentive for forum spammers to do so, since the purpose of such forum spam is often not 'direct marketing' to forum members, but link farming in order to boost their search engine positioning for specific, valuable search key words.

If they know that the links they insert into forums and blogs no longer are followed by search engines like Google, and thus count for little in SEO terms, there will be less incentive for them to spam.

It isn't the 100% solution within punBB to forum spam, but it should be a part of the pun solution.
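
What nofollow on guest links could look like at render time, as an added example (not part of the original post and not PunBB's own parser). `render_links` is a hypothetical helper that handles only the `[url]` BBCode tag; the sample posts in the usage are constructed.

```python
import re
from html import escape

# Matches [url]http://...[/url] and [url=http://...]label[/url].
URL_TAG = re.compile(
    r'\[url(?:=(?P<href>[^\]\s]+))?\](?P<body>.*?)\[/url\]', re.I | re.S)

def render_links(post_text, is_guest):
    """Render [url] BBCode as HTML anchors; links in guest posts get rel="nofollow"."""
    rel = ' rel="nofollow"' if is_guest else ""
    out, pos = [], 0
    for m in URL_TAG.finditer(post_text):
        out.append(escape(post_text[pos:m.start()]))   # plain text before the tag
        href = m["href"] or m["body"].strip()
        label = escape(m["body"])
        if re.match(r'https?://', href, re.I):
            out.append(f'<a href="{escape(href, quote=True)}"{rel}>{label}</a>')
        else:
            out.append(label)  # other schemes: keep the text, drop the link
        pos = m.end()
    out.append(escape(post_text[pos:]))                # plain text after the last tag
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample posts.
    print(render_links("Buy [url=http://spam.example/pills]cheap pills[/url] now", True))
    print(render_links("See [url]http://example.org/?a=1&b=2[/url]", False))
```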

414

(15 replies, posted in General discussion)

Report any 'warez' you find on the Internet to the global, centralized Internet Authority that has power over every network on the Internet and every website.

And yes, of course the developer of punBB is personally responsible for everything anyone does with the punBB forum, including all the content provided in any punBB forum world-wide, so immediately contact Rickard the developer and he will, I am sure, intervene to fix the problem asap on your say-so. Just tell him what you want done and he will do it.

And, sure, ping is a great tool to find out everything you need to know about a website, including domain name ownership and hosting arrangements. Just fire it up from within a command prompt and it will tell you everything you need to file a report of the problem to the Internet Authority.

Jeeze, sometimes I think people should be required to pass an 'Internet 101' course before they are allowed access to the Internet and, for example, to post to forums such as this.

415

(11 replies, posted in General discussion)

And there's not a lot of activity from Rickard. It's all Paul, pretty much.

416

(24 replies, posted in General discussion)

http://www.bigfastpowerful.net/images/osborne1big.gif

Hmmm. I think it's time I upgraded my computer...

417

(24 replies, posted in General discussion)

What brands/models were the failed disks?

Just so I know what to avoid.

LINDA wrote:

I have tried that but there are so many fields that I don't need.... Is it possible to hide fields for the user instead of deleting them?

Aside from the option in PunBB Administration > Options to turn user info off (Show information about the poster under the username in topic view. The information affected is location, register date, post count and the contact links (e-mail and URL)), I would suggest just commenting out the fields you don't want displayed in the PHP file(s) used in the topic reading view?

Viewtopic.php (starting from about line 221) and profile.php are perhaps the files you might want to look into.

Once commented out in the PHP, those variables may still be processed and stored by PunBB, but the results won't be displayed to the user.

Oh, of course remember to back up any PHP files you modify before you make any changes to them.

419

(2 replies, posted in PunBB 1.2 troubleshooting)

Tim0z wrote:

Hello,
My forum www.brokeneden.com/forums/ got hacked by Snakeq3i.
The error it gives is: Unable to fetch user information.

Can you say anything about how the site was hacked? Do you have the latest version of Pun? Was it a PunBB problem or something else?

Why should anyone bother to help?

Neither the tone of your post nor your forum itself makes the prospect of lending you a hand an inviting one.

I was just browsing the dev tree for v1.3, and noticed the new .htaccess in the /extras folder.

There are quite a few new rewrite rules in there, like:

RewriteRule ^topic/([0-9]+)/page/([0-9]+)/?$ viewtopic.php?id=$1&p=$2 [L,NC]

They seem to be there to allow search engine friendly URLs, I guess.

I have a few questions:

(a) Will they slow down a site that uses them? There are quite a few rules - over 50 - for Apache to parse in there. Is there a server load issue users should be aware of?

(b) Have you tested them on a server with mod_security running?

As to (b), sometimes mod_security and mod_rewrite can interfere with each other, since they both want to do URL parsing/filtering.

If mod_security parses the URL first, and a user has an aggressive or very specific set of rules enabled, theoretically mod_security can mangle/rewrite/'normalise' a URL request that mod_rewrite may be expected to act upon.

While I am not sure exactly of the sequencing of how Apache processes new URL requests if both modules are loaded in RAM at web server startup, I suspect the load sequence of modules in httpd.conf has some influence on how URL requests are processed by Apache.

So you might perhaps want to make a recommendation to users to make sure mod_rewrite is loaded up in httpd.conf before mod_security is, so that perhaps mod_rewrite gets to have a go at the URL first, and mod_security only gets to work with the result.

422

(13 replies, posted in PunBB 1.2 show off)

Very nice. Loads fast, easy to read, nice clean layout, good colour family.

My only gripe would be that it is fixed width.

But I like what you did with

<div class="normal-header">
Designer's Table <span>Have a seat and discuss design, function, & web standards.</span>
</div>

I hadn't thought of doing it that way, to allow the bit in the span code to be the sub-title.

I guess such long category names may make the DB code a bit more complicated though, since those long names will find themselves in MySQL code behind the scenes I guess (??).

But well done. Your site illustrates very well the flexibility of the PunBB CSS + templating system.

423

(8 replies, posted in PunBB 1.2 troubleshooting)

colak wrote:

...I keep on thinking how the extra click to reach the search is some times pointless.

Well, maybe not pointless. Surely the point is to get to search :)

But I agree it would be nice to have a little search box visible on each page. I've seen it done on various punBB boards, so it's doable. Have you searched www.punres.org for a mod or hack?

424

(5 replies, posted in PunBB 1.2 show off)

Where did it go? I get a blank page.

I still see a '24' favicon though, so that's something I guess. :)

425

(12 replies, posted in PunBB 1.2 show off)

hcgtv wrote:

Damn, very nice and quite a lot of people online.

Go Debian based systems!!!

Yep. Very nice. Congratulations.

It's not surprising that it is popular.

A sure way to get a busy site is to help people solve their Linux problems.

I think probably half the traffic on the Internet is people trying to find out how to solve various Linux related bugs and issues. Forget about bit-torrent and P2P as traffic generators!

This is from someone who's been a long-time RH9 user, but who has also spent almost the last fortnight installing and re-installing (open source) CentOS and (open source) RH FC4 on a web server (read - about 10 times), trying to track down an obscure IP tables bug that prevented all the (open source) firewalls I tried from working on the (open source) VPS platform I was using...

I must have visited thousands of sites in the process of tracking down various RPMs, downloading and configuring variations of firewall software, tracking down iptables info etc etc etc ad nauseam.

In my Linux misery, I found plenty of company.

It's a goldmine for Linux help site developers, if you can bear the pain of dealing with countless hordes of people in desperate pain and confusion.

More power to you Yann!