Changeset 1177

Timestamp:

10/20/06 01:36:05 (2 years ago)

Author:

jm3

Message:

new spam-fighting code, including:

* converted login and signup forms to explicit POSTs (not GETs) so they can't be automated
* confirm new accounts via valid email and lock the account until confirmed
* add a one-click "Report this user as a spammer" button for all users
* add a one-click "Snuff this user instantly" button for superusers
* log the IP address of all new accounts for 1 week
* disallow creating > 1 account per IP address per week
* lock out unused accounts after 90 days
* add a bulk-snuffer to snuff whole batches of spammers at once

Files:

• feedmelinks/admin/bulk-snuff.php (added)
• feedmelinks/admin/clear-logged-IPs.php (added)
• feedmelinks/admin/expire-old-users.php (added)
• feedmelinks/admin/index.php (modified) (1 diff)
• feedmelinks/admin/snuff.php (added)
• feedmelinks/categorize.php (modified) (1 diff)
• feedmelinks/diespammersdie (added)
• feedmelinks/diespammersdie/TOS.inc.php (added)
• feedmelinks/diespammersdie/index.php (added)
• feedmelinks/diespammersdie/neck-before-the-sword.php (added)
• feedmelinks/diespammersdie/report.php (added)
• feedmelinks/img/fumigating.jpg (added)
• feedmelinks/import/present-clean-pre-flight-input.inc.php (modified) (2 diffs)
• feedmelinks/import/upload-form.inc.php (modified) (1 diff)
• feedmelinks/login.php (modified) (11 diffs)
• feedmelinks/modules/my-recent.inc.php (modified) (2 diffs)
• feedmelinks/modules/recent-with-times.inc.php (modified) (1 diff)
• feedmelinks/modules/utils.inc.php (modified) (10 diffs)
• feedmelinks/modules/view-link.inc.php (modified) (2 diffs)
• feedmelinks/style/new-portal.css (modified) (2 diffs)
• feedmelinks/testing/enabled.php (added)
• feedmelinks/testing/ip.php (added)
• feedmelinks/thanks.php (modified) (1 diff)
• feedmelinks/users.php (modified) (3 diffs)

feedmelinks/admin/index.php

@@ -32 +32 @@
-        <b>TOOLS</b>:<br />
-        <ul>
+                <li><a href="/admin/expire-old-users">expire old users</a></li>
+                <li><a href="/admin/snuff">snuff a user</a></li>
+                <li><a href="/admin/bulk-snuff">snuff a batch of users</a></li>
+                <li><a href="/admin/clear-logged-IPs">clear logged IP addresses</a></li>
-                <li><a href="/admin/FUQ">FUQ management &amp; testing</a><br /></li>
-                <li><a href="http://six.pairlist.net/mailman/admin/gourmands">administer the FML mailing list</a><br /></li>

feedmelinks/categorize.php

@@ -62 +62 @@
-
-<div class="warning" style="text-align: center;">
+<h1>Double-Link!</h1>
-        <h3>
-
+Link: 
-        <p />
-        <img src="/img/doublemint-twins.jpg" border="2" />

feedmelinks/import/present-clean-pre-flight-input.inc.php

@@ -19 +19 @@
-                new tags to be created:
-        </div>
+        <form name="tags">
-<%
-        for( $i = 0; $i < $ts; $i++ ) {
@@ -27 +28 @@
-                } else {
-                        ++$num_tags;
-
+<label><!-- input type='checkbox' checked='checked' name='tag' value='$line' /-->Create tag: </label> 
-                }
-                echo "</div>\n";
-        }
-%>
+</form>
-</div>
-

feedmelinks/import/upload-form.inc.php

@@ -10 +10 @@
-         
-
-
+style="padding: 0.4em; font-size: 150%;" 
-</form>
-

feedmelinks/login.php

@@ -2 +2 @@
-        # $Id$ 
-
-
+#
-
-        include_once( "modules/utils.inc.php" );
@@ -32 +32 @@
-                                $dbUserId = mysql_result($q,$i,"userId");
-                                if( ! strncmp( urlencode( $password ), $dbPassword, 16 )) {
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-%>
@@ -79 +77 @@
-                                                }
-                                        }
+                                        } else {
+                                                log_mesg_to( "WARN. attempted login from invalidated user $userId", "global" );
+                                                warn( "Your account is temporarily DISABLED. Check your email for a validation code.");
+                                                return;
+                                        }
-                                } else {
-                                        if( $debug ) {
@@ -118 +121 @@
-                                        } else {
-
+                                                log_mesg_to( "successfully created new user $userId", "global" );
+
-                                                $shouldShowLoginForm = 0;
-                                                $shouldShowCreateForm = 0;
@@ -124 +129 @@
-
-                                                        $headers = "";
+                                                        $code = get_validation_code( $userId );
-                                                        $subject = "Welcome, Linkster!";
-                                                        $body    = "Welcome to Feed Me Links!
@@ -129 +135 @@
-Your feedmelinks user name is: $userId.
-Your feedmelinks password is: $password
+
+To start using Feed Me Links, you need to validate your account by clicking: http://feedmelinks.com/diespammersdie/?user=$userId&code=$code
-
-Go to $site to log in and start sharing links.
@@ -200 +208 @@
-
-<br />
-
+ method="POST"
-        <input type="hidden" name="op" value="login" />
-        <input type="hidden" name="debug" value="<%= $debug %>" />
@@ -264 +272 @@
-<br />
-<br />
-
-
-
+
+
-<% } else if( $shouldShowCreateForm ) {
-        if( ! $errors ) 
@@ -304 +311 @@
-                                errors += "Please double-check your email address.<br />\n";
-                }
-
-                
-
+ {
-                        return true;
-
+} 
-                        f.errors.value = errors;
-                        //return false;
@@ -317 +323 @@
-</script>
-
+<%= $debug == 1 ? "<h1 style='color: red;'>* * * DEBUG IS ON * * *</h1>" : "" %>
-<% if( $errors ) { %>
-
@@ -326 +333 @@
-
-<% } %>
-
-
-
+
+
+
+
+
-<table>
-        <tr>

feedmelinks/modules/my-recent.inc.php

@@ -8 +8 @@
-        $con_myRecent = mysql_connect();
-        mysql_selectdb( getDBName() );
-$max ? $max : 
+
-
-        if( $u || $who ) {
@@ -39 +39 @@
-<% if( $numLinks > 0 ) {
-        $qs = $viewedByOwner 
-
-
+ LIMIT $MAX_LINKS
+ LIMIT $MAX_LINKS
-        $q = mysql_query( $qs );
-        if( $q ) {

feedmelinks/modules/recent-with-times.inc.php

@@ -45 +45 @@
-        }
-        </script>
-
+ action="/link-cruiser"
-                <input type="hidden" name="start" value="<%= $start %>">
-                <input type="button" value="&laquo; BACKWARD!" onClick="go( -1 );">

feedmelinks/modules/utils.inc.php

@@ -4 +4 @@
-include_once( "env.inc.php" );
-include( get_root() . "/modules/prep-cache.inc.php" );
+
+function progress( $mesg ) {
+ob_start();
+%>
+<div class="progress">
+        <h3><%= $mesg %></h3>
+        <img src="/img/aqua-progressbar.gif" />
+</div>
+<%
+return ob_get_clean();
+}
+
+function fire( $sub, $mesg ) {
+  $success = mail( get_maintainer_email(), "WHAT THE CHOPSTICKS!?! $sub", $mesg, get_mail_headers());
+}
+
+function report_spammer( $alleged_spammer, $reporter ) {
+  $body = "
+
+  $alleged_spammer was reported as a spammer (gasp!).
+  http://feedmelinks.com/u/$alleged_spammer
+
+--
+
+reported by $reporter
+http://feedmelinks.com/u/$reporter
+
+snuff them?
+http://feedmelinks.com/admin/snuff?user=$alleged_spammer
+";
+  $headers = get_mail_headers();
+  $success = mail( get_maintainer_email(), "Potential spammer: $alleged_spammer reported by $reporter", $body, $headers);
+
+        return "Filed Successfully!";
+  if( $success )
+                log_mesg_to( "user $alleged_spammer reported as a spammer by $reporter", "global" );
+}
+
+function user_enabled( $user ) {
+        $disabled = getFieldForUser( $user, "disabled" );
+        return (!$disabled || $disabled == "NULL") ? true : false;
+}
+
+function enable_user( $user ) {
+        $q = run_query( getQuery( "enable_user", $user ));
+        return "success"; # FIXME: replace with a real status
+}
+
+function disable_user( $user ) {
+        $q = run_query( getQuery( "disable_user", $user ));
+        log_mesg_to( "disabled user $user", "global" );
+        return "disabled user"; # FIXME: replace with a real status
+}
+
+function snuffed( $u ) {
+        return getFieldForUser( $u, "snuffed" );
+}
+
+function snuff_user( $user ) {
+        if( is_privileged_importer( $user ) || isSuperUser( $user ))
+                return "you cannot snuff a superuser.";
+
+        # disable their login 
+        disable_user( $user );
+
+        # reset their password to garbage
+        $snuff_pass = get_validation_code( $user . "-SNUFFED" );
+        $q = run_query( getQuery( "snuff_pass", $user, $snuff_pass ));
+
+        # mark all their tags private
+        $q = run_query( getQuery( "privatize_tags", $user ));
+
+        # mark all their links private
+        $q = run_query( getQuery( "privatize_links", $user ));
+
+        # make their user directory un-readable
+        $f = get_user_folder( $user );
+        if( is_dir( $f )) {
+                shell_exec( "cp " . get_webserver_root() . "/admin/.htaccess $f/" );
+        }
+
+        # mark them as snuffed
+        $q = run_query( getQuery( "snuff_user", $user ));
+
+        log_mesg_to( "snuffed out user $user", "global" );
+        echo get_snuffed_mesg();
+%>
+
+        <a href="/u/<%= $user %>">Done. Check your work</a>.
+
+<%
+        return "success.";
+}
+
+function get_snuffed_mesg() {
+        ob_start();
+%>
+        <ol>
+                <li>we changed their password, </li>
+                <li>disabled their ability to log in,</li>
+                <li>hid their tags,</li>
+                <li>hid their links,</li>
+                <li>censored their profile page,</li>
+                <li>locked their user directory, and</li>
+                <li>marked them as a snuffed user</li>
+        </ol>
+<%
+        return ob_get_clean();
+}
+
+function relight_user( $user ) {
+        return "not yet implemented";
+        log_mesg_to( "re-lit user $user", "global" );
+}
+
+function get_salt( $s ) {
+        return "40ape"; # FIXME: hardcoded few now
+}
+
+function get_validation_code( $user ) {
+        return md5( $user . get_salt( $user ));
+}
-
-function log_mesg_to( $mesg, $to ) {
@@ -17 +139 @@
-}
-
+function get_ip() {
+        return getenv(HTTP_X_FORWARDED_FOR) ? getenv(HTTP_X_FORWARDED_FOR) : getenv(REMOTE_ADDR);
+}
-
-function notify_added_as_peep( $u, $by ) {
@@ -106 +231 @@
-        if( ! $q )
-                return undefined;
-
-
-
+
+
+
+
-        $diff = round( diff_in_secs( $d0, $d1 ) / 60 / 60 / 24, 4);
-        return $diff > 0 ? $diff : 0;
+}
+
+function get_now_db() {
+        return get_simple_rs( "SELECT now() AS now" );
-}
-
@@ -832 +962 @@
-function get_recent_for_user_footer_cb() { return "<a href='/u/" . func_get_arg( 0 ) . "'>See more of " . func_get_arg( 0 ) . "'s links...</a>";  }
-
+function get_contacts_links_rss( $users, $links_per_user ) {
+
+  #ksort($users);
+  foreach ($users as $user => $junk) {
+                echo "\n$user";
+        }
+
+return;
+
+
+        $n = 3; # FIXME: number of users
+        for( $i = 0; $i < $n; $i++ ) {
+%>
+
+                <item>
+                        <title>LINK_TITLE</title>
+                        <link>LINK_URL</link>
+                        <description>added by: LINK_USERNAME</description>
+                        <guid isPermaLink="true">http://LINK_URL</guid>
+                        <content:encoded>
+                                LINK_DESCRIPTION
+                        </content:encoded>
+                        <dc:subject>
+                                Tagged with: 
+                                        <a rel="tag" href="LINK_TAG_URL_1">LINK_TAG_NAME_1</a>
+                                        <a rel="tag" href="LINK_TAG_URL_2">LINK_TAG_NAME_2</a>
+                        </dc:subject>
+                        <dc:date>LINK_DC_DATE</dc:date>
+                        </item>
+                </channel>
+<%
+        }
+}
+
-function get_contacts_links_html( $show_summary ) {
-        $cache = get_cache();
@@ -1417 +1581 @@
-                        LEFT JOIN linksCategoriesXRef ON links.ID = linksCategoriesXRef.linkID
-                        WHERE linksCategoriesXRef.linkID IS NULL ";
+        
+        } else if( $argWhichQuery  == "log_ip" ) {
+          return "
+                INSERT INTO spam_IPs VALUES ( '" . urlencode($args[1]) . "', '" . urlencode($args[2]) . "', '" . urlencode($args[3]) . "', NULL, NULL ) ";
+
+        } else if( $argWhichQuery  == "most_recent_link_for_user" ) {
+                return "
+                SELECT createDate, max(id) AS m FROM links WHERE submitter = '" . urlencode($args[1]) . "' group by submitter, createDate order by m desc limit 1;";
+        
+        } else if( $argWhichQuery  == "multiple_accounts_from_this_ip" ) {
+                return "
+                SELECT * FROM spam_IPs WHERE ip = '" . urlencode($args[1]) . "';";
+
+        } else if( $argWhichQuery  == "enable_user" ) {
+                return "
+                UPDATE linksUsers SET disabled = 'NULL' WHERE userid = '" . urlencode($args[1]) . "';";
+        
+        } else if( $argWhichQuery  == "disable_user" ) {
+                return "
+                UPDATE linksUsers SET disabled = 1 WHERE userid = '" . urlencode($args[1]) . "';";
+        
+        } else if( $argWhichQuery  == "snuff_pass" ) {
+                return "
+                UPDATE linksUsers SET password = '" . urlencode($args[2]) . "' WHERE userid = '" . urlencode($args[1]) . "';";
+        
+        } else if( $argWhichQuery  == "snuff_user" ) {
+                return "
+                UPDATE linksUsers SET snuffed = 1 WHERE userid = '" . urlencode($args[1]) . "';";
+        
+        } else if( $argWhichQuery  == "privatize_tags" ) {
+                return "
+                UPDATE linksGroups SET isPrivate = 1 WHERE userid = '" . urlencode($args[1]) . "';";
+        
+        } else if( $argWhichQuery  == "privatize_links" ) {
+                return "
+                UPDATE links SET isPrivate = 1 WHERE submitter = '" . urlencode($args[1]) . "';";
+        
+        } else if( $argWhichQuery  == "all_users" ) {
+                return "
+                SELECT distinct(userid) FROM linksUsers WHERE disabled is NULL;";
-
-        } else if( $argWhichQuery  == "get_fuq" ) {
@@ -1899 +2103 @@
-function getColorKey() {
-        return;
+}
+
+# judge, jury, and executioner
+function isJJE( $u ) {
+        if( $u == "jm3" )
+                return true;
+        else
+                return false;
-}
-
@@ -2163 +2375 @@
-
-function addUser( $argUserId, $argEmail, $argPassword, $argName ) {
+
+        # check to see if weve seen any new accounts from this IP recently
+        $ip = get_ip();
+        $q = run_query( getQuery( "multiple_accounts_from_this_ip", $ip ));
+
+        $num_rows = mysql_num_rows($q);
+        if( $num_rows > 1 ) {
+                fire( "Possible spammer-birth in progress!", "Multiple accounts being requested from the same IP ($ip) -- user: $argUserId, $argEmail" );
+                log_mesg_to( "WARN. potential spammer $argUserId ($argEmail) creating multiple accounts from the same IP", "global" );
+                $q = run_query( getQuery( "log_ip", $argUserId, $argEmail, $ip ));
+                return;
+        } else {
+                # if not, log this IP in case we see it again:
+                $q = run_query( getQuery( "log_ip", $argUserId, $argEmail, $ip ));
+        }
+
-        $userId   = urlencode( $argUserId );
-        $email    = urlencode( $argEmail );
@@ -2168 +2396 @@
-        $name     = urlencode( $argName );
-
-
+, 1, NULL
-
-        l( "new_user: $argUserId, $argEmail" );
@@ -2637 +2865 @@
-        mysql_selectdb( getDBName() );
-        
-from
+FROM
-        $q = mysql_query( $qs );
-        if( $q )
@@ -2695 +2923 @@
-        mysql_selectdb( getDBName() );
-        $qs = "SELECT $field from links WHERE ID = $argId";
+        $q = mysql_query( $qs );
+        if( $q )
+                $numRows = mysql_num_rows($q);
+        conClose();
+        if( $numRows )
+                return mysql_result($q, $i, $field);
+}
+
+function getFieldForUser( $user, $field ) {
+        mysql_connect();
+        mysql_selectdb( getDBName() );
+        $qs = "SELECT $field from linksUsers WHERE userid = '$user'";
-        $q = mysql_query( $qs );
-        if( $q )

feedmelinks/modules/view-link.inc.php

@@ -16 +16 @@
-                $createDate = formatTS( $link_info['createDate'] );
-                $isPrivate = $link_info['isPrivate'];
+
+                if( $isPrivate && $submitter != $u )
+                        return;
-                        
-                $numGroups = 0;
@@ -24 +27 @@
-
-%>
-
-
-<div class="attention" style="width: 45em;">

feedmelinks/style/new-portal.css

@@ +1 @@
+.progress {
+        background-color: white;
+        width: 300px;
+        text-align: center;
+        padding: 10px;
+        border: 1px solid gray;
+}
+
-.b {
-        font-weight: bold;
@@ -7 +15 @@
-        font-weight: bold;
-        color: black;
+}
+
+/* for buttons: */
+.big {
+        padding: 0.4em;
+        font-size: 150%;
-}
-

feedmelinks/thanks.php

@@ -55 +55 @@
-
-                        <div id="controls">
-<input type="submit" value="Log in to get started &raquo;" class="idiotproof" />
+Please check your email nobox to validate your account and start linking.
-                        </div>
-

feedmelinks/users.php

@@ -51 +51 @@
-                $numRows = mysql_num_rows($q);
-
+                # DESTROY SNUFFED USERS
+                if( mysql_result($q,$i,"disabled") == 1 ) {
+                        if( snuffed( $userId )) {
+%>
+                        <center>
+                        <% warn( "<h3>This user has been Snuffed Out&trade;</h3>" ) %>
+                                <a href="http://flickr.com/photos/petroleumjelliffe/170473487/">
+                                        <img src="http://static.flickr.com/76/170473487_bb5a3e6a10.jpg" />
+                                </a>
+                        <p />
+                        photo by <a href="http://flickr.com/photos/petroleumjelliffe/">petroleumjelliffe</a>
+                        </center>
+                        <p />
+                        <big>
+                                <%= get_snuffed_mesg() %>
+                                (You're welcome :-)
+                        </big>
+
+<%
+                        return;
+                }
+                }
+
+
-                if( $numRows ) {
-                        $i = 0;
@@ -76 +100 @@
-        <b><%= encodeAddress( $email, $userId ) %></b></big>
-        <%= get_verbose_contact_link( $userId ) %>
+
+        <% if( $u && $u != $userId ) { %>
+        <p>
+                <form name="flag_user_form" action="/diespammersdie/report" method="POST">
+                        <input type="hidden" name="user" value="<%= $userId %>" />
+                        <input type="submit" value="Report this user as a spammer?" />
+                </form>
+                </p>
+        <% } %>
+
+        <% if( isJJE( $u ) && $u != $userId ) { %>
+        <p>
+                <form name="snuff_user_form" action="/admin/snuff" method="POST" style="background-color: red; padding: 1em;">
+                        <input type="hidden" name="user" value="<%= $userId %>" />
+                        <input type="submit" style="background-color: red;" value="End this user's pathetic life?" />
+                </form>
+                </p>
+        <% } %>
+
-        <p>
-                Master of <%= $numLinks %> links and <%= $numFolders %> 
@@ -94 +137 @@
-        <img src="<%= get_profile_image( $userId ) %>" width="200" />
-
+        <!--
-        <br />
-        <big><b><a href="/comments?who=<%= $userId %>">comments by and about <%= $userId == $u ? "you" : $userId %></a></b></big>
+        -->
-</div>
-