My site, politicalphysics.com, almost since the day I launched it over a year ago, has been plagued by a spammer who promotes "online poker". I'm sure I'm not the only person familiar with this species of pond scum, as they seem to have optimized themselves for the Drupal platform. Up till now I've alternately managed to keep the upper hand on them through captcha and some other controls for anonymous accounts, however -

now this dirtbag has managed to permanently "hijack" a user session somehow. I don't want to ban the user they are using, because the real person using it is very valued and I'm pretty sure they would just do it again to some other user account anyway. Changing passwords for the account does nothing - I have changed them for the affected account multiple times and nada - we still get spammed to death. The only thing I know to stop it at this point is to turn on captcha verification for registered users, which of course gets people totally cranky.

Any help/hints/direction-to-look-in would be more than appreciated. We just want our site back.

We're on Drupal 4.5.2 - and if there is any way around upgrading I would much, much prefer it at this point in time.

Thanks!

Comments

sime’s picture

I have no idea what is available as standard with 4.5, but since you haven't had a response yet, I will offer my view as a coder.

I would hack the comment module so that when checking access rights it blocked any new post with the text variations of "poker" in it.

laura s’s picture

4.5.8 is the current release of that version of Drupal. Those releases were prompted by security patches. It should be an easy upgrade. (Also check your contrib modules for latest versions for that release.)

Also, look at the spam 2.0 module and the troll module. Both have features that include banning IP addresses. (You can also do that manually in your .htaccess file.) The spam module can filter out the casino posts, no matter who's posting them.

Laura
_____ ____ ___ __ _ _
design, snap, blog

beginner’s picture

For the spam, try this:
http://drupal.org/project/spam
They have a Drupal4.5 version of the module available for download, too:
http://www.kerneltrap.org/jeremy/drupal/spam/

In any case, Drupal 4.7 will come out any time, now. You should at least upgrade to Drupal 4.6.6, now. The 4.5 branch may not be supported for long.

--
http://www.reuniting.info/
Healing with Sexual Relationships.
http://www.wechange.org/
We live in a world of solutions.

sepeck’s picture

Delete your sessions, reset the users password.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

calebgilbert’s picture

Thanks a lot Steve (and everyone, for that matter - I definitely get it, that I need to upgrade at some point here...)

Does anyone know if it is possible for the spammer to have logged in without a password? I'm just wondering how this could have happened in the first place and/or how to prevent it in future.

Political Physics

beginner’s picture

If I understand correctly....

the spammer doesn't need the password. It's enough for him to get the PHPSESSID. If the user copied and pasted a link from your site with his own PHPSESSID appended to it, then the spammer could have used this link to hijack the session.

I think (i am not sure) that the PHPSESSID will not be appended to the URL with Drupal 4.7. In any case, if you search drupal.org you may find a document describing how to avoid having the session ID attached to the URL.

--
http://www.reuniting.info/
Healing with Sexual Relationships.
http://www.wechange.org/
We live in a world of solutions.
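The leak vector described in the reply above (a session ID carried in the URL, then shared by copy-and-paste) leaves traces a site owner can look for in the web server logs before deciding whether sessions need to be wiped. The following is an added example, not code from the thread or from Drupal: it parses Apache "combined" access log lines, flags requests whose URL or Referer carries a PHPSESSID query parameter, and reports any session ID that was used from more than one client address, which is what a hijacked session looks like in the log. The log lines, IP addresses and session values are constructed for the example; the log format and the parameter name PHPSESSID are the only assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access log lines (sample data for this example).
# Line 3 shows a second client reusing a session ID first seen from 203.0.113.7;
# line 4 shows that client's browser leaking the ID again via the Referer header.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:14:02:11 +0000] "GET /node/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2006:14:03:40 +0000] "GET /node/42?PHPSESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2006:15:11:02 +0000] "GET /node/42?PHPSESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 HTTP/1.1" 200 5120 "http://forum.example/thread" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2006:15:11:30 +0000] "POST /comment/reply/42 HTTP/1.1" 302 0 "http://politicalphysics.com/node/42?PHPSESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" "Mozilla/4.0"
192.0.2.55 - - [10/Mar/2006:16:00:00 +0000] "GET /?PHPSESSID=ffffffffffffffffffffffffffffffff HTTP/1.1" 200 900 "-" "curl/7.15"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SESSION_PARAM = "PHPSESSID"  # the parameter name PHP appends when trans-sid is in use


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def session_ids_in_url(url):
    """Return every session ID carried in the query string of a path or full URL."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [])


def analyze(log_text):
    """Scan log text and report session IDs leaked through URLs and shared across clients."""
    url_leaks = []       # (ip, method, path) for requests carrying a session ID in the URL
    referer_leaks = []   # (ip, referer) for requests whose Referer carried a session ID
    ips_by_sid = defaultdict(set)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real scanner would count these
        for sid in session_ids_in_url(rec["path"]):
            url_leaks.append((rec["ip"], rec["method"], rec["path"]))
            ips_by_sid[sid].add(rec["ip"])
        for sid in session_ids_in_url(rec["referer"]):
            referer_leaks.append((rec["ip"], rec["referer"]))
            # The client sending this Referer previously loaded that URL, so it used the session too.
            ips_by_sid[sid].add(rec["ip"])

    # A session ID presented from more than one client address is the hijack indicator.
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return {"url_leaks": url_leaks, "referer_leaks": referer_leaks, "shared_sessions": shared}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, method, path in result["url_leaks"]:
        print(f"session ID in URL: {ip} {method} {path}")
    for ip, ref in result["referer_leaks"]:
        print(f"session ID in Referer: {ip} {ref}")
    for sid, ips in result["shared_sessions"].items():
        print(f"session {sid} used from {len(ips)} addresses: {', '.join(ips)}")
```

Any session ID that appears in the `shared_sessions` report is one whose owner's login has effectively been copied, and changing the account password alone does not revoke it; the sessions themselves have to be deleted (as suggested further down the thread) and the site configured so PHP stops appending the session ID to URLs in the first place.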

calebgilbert’s picture

Will have to check out more about this. Thanks!

Political Physics

killes@www.drop.org’s picture

This probably only works with Drupal 4.6: block the user's account and then unblock it again. This will delete all open sessions associated with this account.

--
Drupal services
My Drupal services