Warning: Silent Spamming of vBulletins

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • I, Brian
    Senior Member
    • Feb 2003
    • 400
    • 3.6.x

    Warning: Silent Spamming of vBulletins

    Hi there -

    I wanted to post this on the "Hints and Tips" board, but I don't appear to have permission to start a new thread there.

    So I'll post it here, so that the vBulletin staff can decide as to whether it is suitable or not...

    Anyway - the sad fact is that a lot of forums are being spammed without the forum administrators even being aware that problem exists.

    I call it Silent Spamming and wrote a specific article on it here, detailing what is going on, and giving three principle examples of where it is occurring:



    The most relevant part is where I refer to the Silent Spamming of forums:



    This is a very real problem - and, not only that, seems particularly an issue with indexed vBulletin's (note that phpbb's use a drop down box to sort memberlists out alphabetically).

    Anyway, once you've referenced the articles above - notably the second link - then please check out a live example of Silent Spamming on Forum Forum (once a vBulletin of the Month last year):

    http://www.forum-forum.com/forum/memberlist.php?s

    Almost every member on that first page of the Memberlist page is a Silent Spammer, manipulating the vBulletin memberlist to promote porn sites - all without Admin knowledge. And, yes - I have just sent Mal a warning e-mail now that I've found it on his board.

    Anyway, if anyone wants to block Silent Spammers from abusing the Memberlist, either turn it off manually in the settings (at least in vBulletin 3) - or else implemented a robots.txt file, such as this very simple example:

    Code:
    User-agent: *
    Disallow: /forum/memberlist.php
    I sincerely hope that helps some people.

    What's really sad is that all this Silent Spamming of the Memberlist is done supposedly for Search Engine Optimisation purposes - yet is extremely inefficient and ultimately serves little advantage in SEO terms.

  • Floris
    Senior Member
    • Dec 2001
    • 37767

    #2
    Thank you, nice stuff.

    Comment

    • KeithMcL
      Senior Member
      • Jun 2000
      • 621
      • 3.6.x

      #3
      After reading the article I went and checked my first page of my memberlist and nearly all of the users have porn sites as their homepage!!

      Thanks a million for this article I,Brian

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73976

        #4
        This isn't a fault of vBulletin, there are anti-robot features already within the product that administrators can take advantage of...

        1) They can require that registration requires a image verification code to be entered as well as valid email addresses to activate the account.

        2) They can secure email addresses so that they are not shown anywhere on the site.

        3) They can restrict access to the member's list without using a robots.txt file simply by removing guest access to it.

        4) They can limit the number of emails sent out via flood control.

        The tools are there to prevent this already, it is up to the administrators of respective forums to utilize them properly. All of the above exists in both 2.3.4 and 3.0. This also requires due diligence on the part of the Administrator because there is no way to completely safeguard against these actions with technology and maintain a publicly accessible system.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment

        • I, Brian
          Senior Member
          • Feb 2003
          • 400
          • 3.6.x

          #5
          Oh, I'm not at all implying that this is at all the fault of vBulletin or its design. My point is - most specifically - that indexed vBulletins could be being targeted specifically by these Silent Spammers.

          Also note that I'm not talking about traditional spamming, bots, or e-mail harvesting in the slightest. That's another part of my point - this is about crude attempts at SEO through inactive memberships - ie, spamming links out, just for search engines (specifically Google).

          The entire intention of this thread is to warn the vBulletin community at large that their own forums could be being subverted in precisely this way, to support porn sites - or worse.

          In fact - they've even done some of the same to vBulletin.com:

          http://www.vbulletin.com/forum/memberlist.php?

          check out the "exclamation marks" only members.
          Last edited by I, Brian; Sun 8 Feb '04, 11:44am.

          Comment

          • Phillip Chapman
            Senior Member
            • Jul 2001
            • 103
            • 3.7.x

            #6
            3) They can restrict access to the member's list without using a robots.txt file simply by removing guest access to it.
            How is this done exactly? Is it a built-in option in control panel or is it a file update? I'd still like to allow guest access everywhere but the member's list.

            Comment

            • filburt1
              Senior Member
              • Feb 2002
              • 6606

              #7
              Originally posted by Wayne Luke
              This isn't a fault of vBulletin, there are anti-robot features already within the product that administrators can take advantage of...

              1) They can require that registration requires a image verification code to be entered as well as valid email addresses to activate the account.

              2) They can secure email addresses so that they are not shown anywhere on the site.

              3) They can restrict access to the member's list without using a robots.txt file simply by removing guest access to it.

              4) They can limit the number of emails sent out via flood control.

              The tools are there to prevent this already, it is up to the administrators of respective forums to utilize them properly. All of the above exists in both 2.3.4 and 3.0. This also requires due diligence on the part of the Administrator because there is no way to completely safeguard against these actions with technology and maintain a publicly accessible system.
              An idea I had was just not listing members with no posts. It would make the memberlist significantly shorter on most forums, but the (quite disgusting, to be honest) spammers would be foiled.
              --filburt1, vBulletin.org/vBulletinTemplates.com moderator
              Web Design Forums.net: vB Board of the Month
              vBulletin Mail System (vBMS): webmail for your forum users

              Comment

              • sabret00the
                Senior Member
                • Jan 2003
                • 1044
                • 3.0.7

                #8
                they also done it over at vbulletin.org

                and vBT

                Comment

                • okrogius
                  Senior Member
                  • Dec 2001
                  • 1149

                  #9
                  Originally posted by filburt1
                  An idea I had was just not listing members with no posts. It would make the memberlist significantly shorter on most forums, but the (quite disgusting, to be honest) spammers would be foiled.
                  Actually, what would be the best solution IMHO is to offer an outgoing redirect script. Whether for profile urls, or for URL's in posts, would be parsed to something like http://www.example.com/out.php?uri=tada (which would then redirect to tada), possibly with script setup to not redirect any known search engine spiders. That would stop much spam in this sense, and also offer an easy way for someont to track their outgoing links.

                  Comment

                  • tamarian
                    Senior Member
                    • Oct 2000
                    • 784
                    • 1.1.x

                    #10
                    Our members are very concerned with privacy, so memberlist and profiles are not viewable by searchengines or guests, along with many forums that are only accessable to registered members.

                    So the only remaining part for "silent spamming" is the home page link in the postbit, which we do monitor, and our members will report if it's offensive or spammy, then the links are removed along with the spammer account.
                    vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer

                    Comment

                    • Fusion
                      Senior Member
                      • Aug 2001
                      • 4346
                      • 3.8.x

                      #11
                      Originally posted by Phillip Chapman
                      How is this done exactly? Is it a built-in option in control panel or is it a file update? I'd still like to allow guest access everywhere but the member's list.
                      You toggle the access for the Unregistered / Not logged in user-group in the ACP. It's fairly easy.
                      Last edited by Fusion; Sun 8 Feb '04, 7:44pm.
                      Toddler from Hell

                      Comment

                      • I, Brian
                        Senior Member
                        • Feb 2003
                        • 400
                        • 3.6.x

                        #12
                        Originally posted by okrogius
                        Actually, what would be the best solution IMHO is to offer an outgoing redirect script. Whether for profile urls, or for URL's in posts, would be parsed to something like http://www.example.com/out.php?uri=tada (which would then redirect to tada), possibly with script setup to not redirect any known search engine spiders. That would stop much spam in this sense, and also offer an easy way for someont to track their outgoing links.
                        A redirect script would be unacceptable to many admins and members.

                        Such a script can be implemented by admins themselves if they really really want to - but, really, shutting off the memberlist from silent spamming is pretty easy and painless anyway.

                        I'm curious - does the vBulletin staff see any value in this thread for the "Hints and Tips" board? That was the original intention. I'm not a technical person so what I can contribute to the larger vBulletin community is extremely limited - hopefully there's something of interest and use here, though.

                        Comment

                        • buro9
                          Senior Member
                          • Aug 2000
                          • 415
                          • 3.8.x

                          #13
                          A redirect would be lovely actually... I wouldn't have it take a URL though, but the users ID.

                          /forum/redirect.php?s=&userId=3

                          Then the URL for the userId can be checked serverside for existence, a hit logged against the user (so you could see the most popular links later in a report, and thus flag up anything weird that way too) and because it's run through your own code... you could easily have it so that only logged in users got redirected.

                          I doubt the silent spammers care less whether the users of your forum follow the links... it's probably more to foil Google and raise the pagerank rating of their sites as a wide number of 'trusted' sites would appear to link to their URL's. A redirect would absolutely foil that.

                          Secondly... the redirect could protect the users even more... if the links were not presented in http:// format, but the protocol stripped out and the URL exploded... it would prevent spiders crawling through via vbulletin and harvesting any e-mail addresses for spam... whilst keep them useable and the URL visible (so no-one links to goatse.cx without you knowing!).

                          A redirect seems a grand idea IMO.
                          London Fixed-gear and Single-speed

                          Comment

                          • I, Brian
                            Senior Member
                            • Feb 2003
                            • 400
                            • 3.6.x

                            #14
                            Originally posted by buro9

                            I doubt the silent spammers care less whether the users of your forum follow the links... it's probably more to foil Google and raise the pagerank rating of their sites as a wide number of 'trusted' sites would appear to link to their URL's.
                            You are absolutely right - that's why they're doing it - but it's an extremely clumsy way to SEO.

                            People like me value our sig links - even on our own forums - but a redirect on the member ID would hardly be painful.

                            Comment

                            • Freddie Bingham
                              Former vBulletin Developer
                              • May 2000
                              • 14057
                              • 1.1.x

                              #15
                              Originally posted by I, Brian
                              A redirect script would be unacceptable to many admins and members.

                              Such a script can be implemented by admins themselves if they really really want to - but, really, shutting off the memberlist from silent spamming is pretty easy and painless anyway.

                              I'm curious - does the vBulletin staff see any value in this thread for the "Hints and Tips" board? That was the original intention. I'm not a technical person so what I can contribute to the larger vBulletin community is extremely limited - hopefully there's something of interest and use here, though.
                              Yes, I'm glad you brought this topic up. All one has to do is view our memberlist to see that it is a problem.

                              The redirect idea can be debated for a future version but right now I am going to add an option to require a minimum of X posts before a user appears on the memberlist.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...