Skip to main content
Recent Posts
1
Chit Chat / Re: Tips for Bots
Last post by Steeley -
Well, I built the scheme using basic opensource files, and basic html. And I'm not a programmer by any serious definition.

First thing you need is a directory-privacy feature (htaccess, in Apache, for example). C-Panel makes it easy to manage. However, that's not something ElkArte can do.. you create the protected directory on your server, and then tuck ElkArte behind it.. It's the directory-privacy feature that keeps the bots out and away from ElkArte (and anything else you don't want the unwashed masses to access). It's not the most secure way, but I've not yet had anyone try to "hack in" (except valid users that couldn't remember their credentials.. eventually they send me an email or another access request..)

Then you need some software routines to support your validation of people that will have access to the protected area..

email-code.php (located in cgi-bin)

Code: [Select]
<?php
if(!isset($_POST['submit']))
{
	//This page should not be accessed directly. Need to submit the form.
	echo "error; you need to submit the form!";
}
$visitor_email = $_POST['email'];
$message = rand(100000, 999999);

//Validate first
if(empty($visitor_email)) 
{
    echo "Email address is mandatory!";
    exit;
}
if (!strstr($visitor_email, '@'))
{
    echo "EMail Format is Incorrect - missing @ - press back button and try again";
    exit;
}

if (strpos($visitor_email, ','))
{
    echo "EMail Format is Incorrect - contains a comma - press back button and try again";
    exit;
}

if(IsInjected($visitor_email))
{
    echo "Bad email value!";
    exit;
}

$email_from = 'no-reply@domain.url';
$email_subject = "Validation Code";
$email_body =
"Copy the following validation code into the request form. \n". 
"(If you did not request a code, someone entered an incorrect email address,\n". "please accept our apologies and delete this email.) \n".
"Validation Code: $message. \n".
"Submitter address: \n".
     
$to = "$visitor_email \r\n";
$headers = "From:  no_reply@domain.url \r\n";
$headers .= "Reply-To: no_reply@domain.url \r\n";
$headers .= "Bcc: access@domain.url \r\n"; //(goes to admin to match with later applicant form)
//Send the email!
mail($to,$email_subject,$email_body,$headers);
//done. redirect to code-pending page.
header('Location: ../pending.html');

form-to-email.php   (located in cgi-bin)

Code: [Select]
 <?php
if(!isset($_POST['submit']))
{
	//This page should not be accessed directly. Need to submit the form.
	echo "error; you need to submit the form!";
}
$Fname = $_POST['First'];
$Lname = $_POST['Last'];
$visitor_email = $_POST['email'];
$code = $_POST['code'];
$username = $_POST['Nick'];
//{other fields you want here}
$message = $_POST['Narrative'];
//Validate first
if(empty($Fname))
{
    echo "First name is required! Please press back button and correct";
    exit;
}
if(strpos($Fname, '_')) 
{
    echo "Valid first and last name is required! Please press back button and correct";
    exit;
}
if(empty($Lname))
{
    echo "Last name is required! Please press back button and correct";
    exit;
}
if(strpos($Lname, '_')) 
{
    echo "Valid last name is required! Please press back button and correct";
    exit;
}
if(empty($visitor_email))
{
    echo "Email is required! Please press back button and correct";
    exit;
}
if(IsInjected($visitor_email))
{
    echo "Bad email value!";
    exit;
}
if(empty($code)) 
{
    echo "Verification Code is required. Please press back button and correct";
    exit;
}
if(empty($username)) 
{
    echo "If you do not provide a nickname/username, you might not like what we assign. Please press back button and correct";
    exit;
}
if(strpos($username, '/')) 
{
    echo "If you do not provide a nickname/username, you might not like what we assign. Please press back button and correct";
    exit;
}
//if(empty{otherfields})) 
//{
//    echo "Tthis data is required! Please press back button and correct";
//    exit;
//}
$email_from =  'no-reply@domain.url';
$email_subject = "Access Request";
$email_body = "$Fname $Lname has submitted the following information for access: \n".
    "EMail Address: $visitor_email \n".
    "Validation code: $code \n".
    "Username: $username \n".
    //etc.. for additional fields
    "$username says: \n  $message \n".
     
$to = "access@domain.msg \r\n";
$headers = "From: $email_from \r\n";
$headers .= "Reply-To: $visitor_email \r\n";
//Send the email!
mail($to,$email_subject,$email_body,$headers);
//done. redirect to submitted page.
header('Location: ../submitted.html');

// Function to validate against any email injection attempts
function IsInjected($str)
{
  $injections = array('(\n+)',
              '(\r+)',
              '(\t+)',
              '(%0A+)',
              '(%0D+)',
              '(%08+)',
              '(%09+)'
              );
  $inject = join('|', $injections);
  $inject = "/$inject/i";
  if(preg_match($inject,$str))
    {
    return true;
  }
  else
    {
    return false;
  }
}
   
?>

gen_validatorv31.js is located in cgi-bin/scripts for form validation

And of course, html pages

web form for email addy that will drive the above

gets email addy, assign code and send email..
working guts are:
Code: [Select]
(snip)
<SCRIPT language=JavaScript type=text/javascript 
src="scripts/gen_validatorv31.js"></SCRIPT>
</HEAD>
<BODY >
(your instructions and formatting here..)
<TBODY>
        <TR>
          <TD><!-- Start code for the form-->
            <DIV align=center>
            <FORM method=post name="EMail Address Verification" 
            action=../cgi-bin/email-code.php>
            <P>STEP 1</P>
            <P><LABEL for=email>Enter Your Email Address 
            (carefully)</LABEL><BR><INPUT style="HEIGHT: 22px; WIDTH: 338px" 
            size=21 name=email> </P>
            <P></P><INPUT type=submit value=submit name=submit> </FORM></DIV>
      <SCRIPT language=JavaScript>
           var frmvalidator  = new Validator("EMail Address Verification");
           frmvalidator.addValidation("email","req","Please provide your email"); 
           frmvalidator.addValidation("email","email","Please enter a valid email address"); 
      </SCRIPT>

Submit brings up a "pending" webpage, tells submitter to get the email sent, and then click on "I have the code".
When they click on that, it brings up the authorization-data html form.

That form contains the same form structure as the form above, but with different fields, and calls a different form-email routine
 
Code: [Select]
snip
 <TD><!-- Start code for the form-->
            <DIV align=center>
            <FORM method=post name="Access Data" 
            action=../cgi-bin/form-to-email.php>

 but with other fields (first name, last name, nickname/username, and any other pertinent information you desire to validate the applicant. Upon submit, it calls form-to-email.php, instead of email-code.php, and sends the applicant to a "success" page, informing them to wait for another email with their authorization data. and what to do with it to get into the "restricted section" behind the htaccess-directory check..

Of course, you would want to customize your authorization webpages to your needs, but the crux of the code is above.. it's simple stuff, really.. for example, I tell users to let their webbrowser remember the authorization data so it's just one extra mouse click to get into the restricted area. (HOWEVER - the ducklduckgo webbrowser - and maybe others - doesn't know wtf a directory-access prompts looks like so it doesn't bring up the username password like it does for other account-access prompts). Edge, Chrome, Firefox etc. does.  

EDIT: OH, and you have have to configure mail.php to send smtp mail through your mail server, simple in concept, but your actual mileage may vary..
2
Chit Chat / Re: Tips for Bots
Last post by ahrasis -
I like the idea of what you did, could this be best, if we make this one of the ElkArte default features, with option to be disabled, or not, so once setup and install, an ElkArte forum is bots free or bots less?

What do you think @Spuds?
3
Chit Chat / Re: Tips for Bots
Last post by Steeley -
For the record. my site uses htaccess to make a significant part of my site "private". My Forum resides "behind the wall". the 'public facing pages' explain the topic of the site and provides lots of 'general' information. The public side also informs of the existence of the forum (could certainly provide some sample screenshots if I was fishing for members, but in my case it's not necessary).

There's a link off the main menu of my site for requesting access to the restricted side. It's two-step process.. Click the link, it brings up a simple form.. you enter your email address, and submit.  The form submittal generates a reply to the entered address, and embeds a 6-digit random code.  It also copies me with that email. 

If the applicant doesn't get an email, it means it was typed wrong. Go back and try again. I want to make sure I send the access credentials to a valid address!

Meanwhile, submittal also brings up a second form for the applicant with instructions about what to do now..  specifically, says to retrieve the email just sent to them, copy the email address AND the 6-digit code into the new form, and fill out a few other fields in the form, information that I use to validate the applicant as someone allowed access to the forum. (In my case, it's people stationed at a particular location during the 'Nam war - things they know about it nobody else would. Your mileage would vary, of course).  I ask for his nickname or call sign - that will inform the username I'll give him if he provides one, otherwise I'll tweak his first name or last name.

When the applicant submits that second form, I comes to me in Email.

[Note: If I were to use the same credentials for everyone. and it gets compromised, now I have a problem - everything "behind the wall" is compromised. I'd have to change it and inform EVERYONE, and likely the unauthorized person too in the process. With unique credentials for each user, I know which account is compromised and can address that one.]
(Steeley's law: If you be lazy up front, you be hate'n your life later. All non-academic knowledge comes in suppository form).

I'll create a password for him based on info he provides.. something easy he'll remember.. (OK, so he was a hydraulics mech with Squadron 345, and a Sgt, so password "bubbles345sgt" will suffice..) I send his unique access info back..

All of the access email requests and my response email providing their unique access credentials are stored in my local computer. 

Voilla! Now they have access to the forum to register. (I don't have guest read access,  so they must register, to get in.)

BOTTOM LINE:

My forum does not get spammed. At all.  Ever. No bots, except the spiders looking for something new on the public side. Occasionally, they get lucky and find something new to link and memorialize. All the private personal information from the guys we share with each other is kept hidden so as not to scare or freak out the civilian visitors -that is back in the restricted area, and secure and snug as a bug in a old forum software version.

If you run a "really large" form with lots and lots of users, just set up a database of users that forbids duplicate username entries to keep them all unique. Otherwise, if you create a duplicate, it overwrites the original and the first username entity can't get in any more..  (and note; username "Mac" is different than "MAC" and "mac" as far as htaccess usernames are concerned).

Oddly enough, I get very few "fakers"... I do get a fair number of first emails, but the second form presented pretty much stops them in their tracks .. they know they ain't gonna fake that stuff (many don't even know what the heck it's asking for in some fields), a couple squirrels gave it a shot over the past 7+ years, but my BS detector is pretty good and an email reply back to them requesting "clarification" never gets answered..  

Anyway, if you want to see how it works, PM me for the website url.. If you're a legit user and not a bot, I'll "get back to ya.."
6
Chit Chat / Re: Tips for Bots
Last post by shawnb61 -
Quote from: nwsw – The session_start on every GET request, combined with db session storage, has a dramatic impact on the server. As an immediate mitigation, I forced sessions to use cookies:

Code: [Select]
sources/Session.php:

@ini_set('session.use_only_cookies', true);

I then configured nginx to no longer serve requests that contain the session id. This only helps until the bots stop including the session id in their requests.

I'll probably move the session management to a ramdisk until I can figure out how to lean out the need for sessions by unregistered guests.

Note that PHP is deprecating the passing of PHPSESSID via URL in 8.x, and it will be removed in 9.0. 

That particular setting, 'use_only_cookies', will be retired soon - mainly because setting it to false is soon to be disallowed.  More here:
https://wiki.php.net/rfc/deprecate-get-post-sessions

So...  The idea is good - don't use PHPSESSID, and, since you're not generating it anymore, you can then block it via .htaccess. 

SMF implementation: https://github.com/SimpleMachines/SMF/pull/8394

One part of the SMF implementation, this commit, can save a LOT of resources.   It's causing some issues for forums that have guest-browsing disabled, though... Those issues are currently being addressed.:
https://github.com/SimpleMachines/SMF/pull/8394/changes/2f2a5e0ae404fd1adb408b87896ce00cca1715ec

The basic idea is that, since you cannot pass by URL, you MUST pass by cookie.  So...  When cookies are disabled, there is no way to pass the session.  At all...  So, don't even bother writing it.  Note certain classes of bots either block cookies or don't use them, or pass their own PHPSESSID...  All these variants cause more session writes. 

These changes will be a hard requirement before PHP 9.0.

You are effectively giving bots total control over your DB writes...   One step further, since they can flood you with writes, they can overwhelm your undo/redo logs.  Which can further lead to issues with backups.  Which can cause performance issues & even bring your site down... 

So stop that...

The savings can border on the ridiculous:
VGF-cpu-2025-01-13.png

In addition, this note outlines even further savings.  The goal is to avoid driving up CPU during bot storms.  I've been testing these on my site.  Check out the CPU charts before/after:
https://www.simplemachines.org/community/index.php?msg=4199062

The more broad notes found here might also help:
https://www.simplemachines.org/community/index.php?topic=593895.0
7
Chit Chat / Re: Tips for Bots
Last post by ahrasis -
I simply use cloudflare as my dns server, so never use any of the above. Not sure about bots as I never keep track on them.
8
Chit Chat / Re: Tips for Bots
Last post by nwsw -
The session_start on every GET request, combined with db session storage, has a dramatic impact on the server. As an immediate mitigation, I forced sessions to use cookies:

Code: [Select]
sources/Session.php:

@ini_set('session.use_only_cookies', true);

I then configured nginx to no longer serve requests that contain the session id. This only helps until the bots stop including the session id in their requests.

I'll probably move the session management to a ramdisk until I can figure out how to lean out the need for sessions by unregistered guests.
9
Addons / [Addon] Topic Preview
Last post by vbgamer45 -
Topic Preview
Version 1.0
by vbgamer45

Description:
Shows a styled popup preview when hovering over topic titles in the message index (board view). The popup displays the topic title, author name, post time, a preview of the first post body, and reply/view counts.

Compatibility:
  • ElkArte 1.1.x

Features:
  • Hover popup with topic preview on message index pages
  • Shows first post body text (truncated), author, time, reply and view counts
  • Smooth show/hide with configurable delay (no flicker)
  • Viewport-aware positioning (stays within screen bounds)
  • Admin settings panel to enable/disable and set preview length
  • Graceful fallback: when disabled, original tooltip behavior is restored

Installation:
Install via the ElkArte Package Manager (Admin > Packages > Install).

Settings:
After installation, go to Admin > Configuration > Addon Settings > General to find Topic Preview settings:
  • Enable Topic Preview popup - Turn the mod on or off
  • Preview text length - Number of characters to show in the preview (default: 256)

Uninstallation:
Uninstall via the ElkArte Package Manager. All file changes will be reversed and mod files removed.

Author:
vbgamer45 - ElkArte Mods

License:
BSD 3-Clause License