How To Block The Entire Planet From Joining Your Site... well.. almost

If your Dolphin 7 site relates to users in a specific country, and you want to block entire countries from joining your site, this tutorial will show you an easy way to accomplish this.  My own site relates to a very specific region, and people from China, and most other places, have no business joining my site.  The folk from China only want to post spam.  As a matter of fact, anybody outside of the United States, has no good reason to join my site.  I don't care if they look around, I just don't want them creating nuisance accounts that I have to be constantly deleting.  I also don't want to individually approve each and every member that joins.  I want it easy for people in the United States to join my site, but I want it to be impossible for everyone else on the planet to join.

The simplest way to do this, is with a .htaccess allow file, where you specify the ranges of IP addresses you want to allow access, then deny from every IP address that ISN'T on the allow list.  Usually, when people think about blocking IP addresses from the .htaccess file, they think of the .htaccess file in the sites root directory, and add the block, or allow lists there.  This is a mistake, and will never work.  The reason is, adding an allow list from just the United States, to the .htaccess file, makes the file almost 1 MB in size.  This will slow your site considerably, because the .htaccess file in the sites root is read on every page request, and the performance hit by doing it this way would be unacceptable.

There's a better way.  If you just want to block entire countries from joining your site, you don't need to block your entire site.  You just need to block one file, join.php.  If people can't access this file, they can't join your site.

Since the join.php file is in your sites root, and we  can't add the block list to the .htaccess file in the sites root, the first thing we need to do, is move the join.php file to it's ow directory.  First, create a sub directory in your sites root, and name this new directory 'join'.  Next, move a copy of join.php to the new 'join' directory.  In the 'join' directory, rename 'join.php' to 'index.php'.  The new 'index.php' file will need one small edit to work, so open 'index.php' for editing, and find the code:

require_once( './inc/header.inc.php' );

change to:

require_once( '../inc/header.inc.php' );

Notice that the only change is adding another period to the beginning of the path to header.inc.php.  This just tells the script to go up one directory befor looking for the 'inc' folder.  After adding that additional period, save the file to your server.

You should now be able to access your join form by browsing to http://yoursite.com/join/   The next step is to delete the join.php file in your sites root directory, so no one can join using this file.   The next step, is to go to menu builder in your sites admin, and click on the join menu item.  Change the url from 'join.php' to 'join/', then save the menu item.  This completes the move of join.php.  Now, whenever someone joins your site, they will be accesing the /join subdirectory.

Now, we are at the point where we can control which countries can access this directory.  You will need a .htaccess file in the new /join sub directory.  I usually just upload some other .htaccess file, and edit it how I want it.  I've made this all easy for you by attaching a zip file that contains a join directory with index.php, and a .htaccess file.  The htaccess file that I've included, will allow only IP addresses from the United States to access your join form.  The index.php file already has the required edit.  Just unzip, and upload the join directory and its contents to your sites root.  If you use the attached files, all you need to do is delete the join.php file in your site root, and make the changes in menu builder as outlined above.

If you want to allow other countries, this website will be very useful to you: http://www.countryipblocks.net/country-blocks/

Just use the tools to generate .htaccess code for allow lists or deny lists.  Maybe you just want to block China, which is where the majority of spamming originates these days.  Add the allow or deny code that is generated by this site, to the .htacces file in your join/ directory, and you're all set.

This will make a relatively large .htaccess file, and slow the loading of the join form a bit, but I found load time to be quite acceptable when using the attached .htaccess file.  Using this method only slows down the loading of the join form, and not the entire site.  Users that are blocked from accessing the join form, will see the profile not found error page, and will probably thing there is something wrong with your site.  As long as they can't join. who cares what they think. People that are allowed access to the /join directory, will see the usual join page.

I should add, that yes.... I know there are more efficient ways to do this that don't require huge .htaccess files.  One such method is to install Maxmind's apache mod_geoIP, which is much more efficient than this method.  However, this is something anyone can do on their own, for free, and on shared servers.

Hello Houston,

Thanx for extensive tutorial :-) good job. Just wanna point out that this only decrease amount of spammers - the real spammers from well known spam countries like china using proxy in some other countis to get around this. By my experience the only way how to get rid of spammers for real is only paid membership access  - even putting some kickoff price like 1 or 2 dollars will stop those people as they dont wanna spend anything and rather move to other site they can spam more easily. I know if somebody want keep site free this is not an option but I think pay 1 usd not bancrupt anybody and if you guys explain your members why they pay ( to stop spammers that annoy members) they will understand - prolly your site loose some members but if price is set really low as mentioned one dollar than I think it should be okay...

I was just about to add this post:

Add the following lines to the end of your .htaccess file in your new /join directory.  This will block access from many anonymous proxies.

RewriteEngine on
RewriteCond %{HTTP:VIA}                 !^$ [OR]
RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
RewriteRule ^(.*)$ - [F]

hmmmm interesting.. I didnt know that anonymous proxies can be detected that way ..... did you tried this on some live site yet ?

All I can say is, it will work on a lot of them.  Someone determined to join your site after all of this, might find a way, but doing so, will take a higher set of skills than the average spammer.  Preventing 95% of the world's population from joining a site, and blocking anonymous proxies, is probably going to put a dent in spammer registrations.

It just occurred to me that I need to update the 'Join' link in several other places.

Rather than changing the join link in 8 different files, I just created a new join.php file in my sites root with the code below:

<?php

header( 'Location: join/' ) ;

?>

Alternately, you could just leave the standard join.php in place, and add that line of code directly after the opening php tag.  All requests for join.php will be redirected to the new directory.  You could change join.php to join/ in 6 different files, and edit a language key, but that just seems a little too tedious.

Thank you for sharing this HL.

Now. I'm all set.  I have the join form in a sub directory protected by .htaccess, where only US based IP addresses have access to the form.  Even with blocking 95% of the planet from using my join form, I was still faced with the likely possibility of spammers getting access to the join form via a US based open proxy server.

Blocking access via US based open proxy servers, requires a more proactive approach.  Here's where Maxmind's web based proxy detection service comes to the rescue. http://www.maxmind.com/app/proxy I subscribed to this service, to which I submit a query to their API, using the remote IP address.  The Maxmind API will then return a proxyScore, which is a value between 0 and 10... the higher the number, the less you want to give access to the remote IP.

Anyway, here's the code I added to the beginning of my join form:

$license_key = 'License_Key_Here';
$ipaddress = $_SERVER['REMOTE_ADDR'];
$query = "https://minfraud1.maxmind.com/app/ipauth_http?l=" . $license_key
. "&ipaddr=" . $ipaddress;
$score = file_get_contents($query);
$numericScore = str_replace("proxyScore=", "", $score);
if ($numericScore > .5) {
header( 'Location: ../404.html' ) ;
}

You'll get a license key when you subscribe to the service.  All this code does, is submit a query to the Maxmind API using the IP address of whoever, or whatever is requesting the join form.  The query to the API will return a score based on a bunch of important stuff.  The str_replace function cleans up the query results a bit, and then the result is compared to a preset value.  If the score is greater than the preset value, the remote address is presented with a 404 page instead of the join form.  Desirable traffic gets the join form.

So long people in China.  You will never again be able to register an account on my site.

I forgot to mention that it is necessary to change a file path in inc/classes/BxDolProfileFields.php when doing this, or else the join form won't submit.

The text highlighted in red was changed from join.php to join/index.php to reflect the new path.  I need to double check everything, but everything else is OK.

// generate form array
$aForm = array(
'form_attrs' => array(
'name'     => 'join_form',
'action'   => BX_DOL_URL_ROOT . 'join/index.php',
'method'   => 'post',
'onsubmit' => 'return validateJoinForm(this);',
'enctype'  => 'multipart/form-data',
),

Just as a note to myself, all of my templates were working with this, except the main one.  As it turned out, I had lytebox.js called in the header of the main template, but not in any of the others.  It was just a remnant of some experimentation, but it seems as though lytebox.js doesn't play well with something.  Once I deleted the call, everything worked fine.

I tried to use your tip.

However, the link to JOIN.PHP in the root folder is almost omnipresent, there is a link in the JOIN button on the promo pictures, there is a join.php link on the breadcrums (welcome guest, join, login) that tiny little menubar.

Isnt it possible to include /join./index.php from join.php in the root folder. or will the .htaccess not work then?

rgds,

W//

If you read this entire thread, the issues you mention are addressed.  I use this on my site, and it all works quite nicely.... especially the open proxy detection.

That would undo everything that this does.

Excellent post! Thank you. I have implemented the anti-spam protocols you have provided into my site. I would like to utilize the Maxmind API, however, I am a bit confused on how to integrate it into my site. I studied some of  the supporting documentation at the developer's site and find myself lost. Is it possible you could create a tutorial, like this one, explaining how to integrate the Geo IP/Geo Lite Country into a Dolphin site?

Thanks again.

I only use Maxmind's open proxy detection service.  I don't use GeoIP.   Unless you are on a dedicated server, you can forget about GeoIP.

@houstonlively:

Hello,

I have implemented your changes for moving the JOIN.php file, however, I have a 3 page JOIN FORM and once a member completes the 1st page of the JOIN FORM and clicks on the "Join Now" button, nothing happens. The page does not refresh and bring the member to the 2nd page of the JOIN form, as it previously did, before this installation. Can you tell me how to fix the problem please.

Did you make the change to inc/classes/BxDolProfileFields.php as instructed above?:

Yes I did make the change. Still having the problem.

I figured it out. Thanks again.

Whoops. Sorry. Spoke too soon. All 3 pages display of the JOIN FORM now display, however, only Page 1 of the form saves to the member's profile. Pages 2 & 3 will accept info, but will not save to the member's profile.

Any ideas on how to fix?

I expect it has something to do with the redirect planted in join.php in the root directory.  I've never imagined a three page join form, so this shortcut in lieu of modifying 7 files, a language key, and some database entries, is probably what is causing problem for your multi-page join form.

I would suggest that you not use this method, and instead try the Join by Country mod in the Market.

Does this work in 7.0.6.? I have done everything you said but when I click the join button, the page just refreshes with "profile not available for view"

You did something wrong.  You need to read this entire thread and check your work, because if you do everything this thread tells you to, it will work.  Maybe you just need to clear the cache directory.  If you still can't manage to get this to work, I'd suggest you try the free 'join by country' mod in the market.

 If you're using 7.0.6 then there is a much better way to handle spam on this version. First you have anti-spam controls built in that are very effective if you enable them and also get an API key from Akismet. Second, if you want to really protect your site then go to the market and download the force email confirmation extension which is free and install that then go to your moderation settings and check "Do not change profile status after editing profile information:" only which means uncheck both "Automatic profile activation after joining:" and "Automatic profile confirmation without Confirmation Email:". What this will do is force all new users to confirm their email account and once confirmed then admin still have to approve the account before they can login to the site. I have used this method on my site and it is 100% fool proof because it gives you the time to checkout the new users account info before allowing them access. I would also like to note that a lot of the larger sites today are using this method. If you want to tie it all together just edit your account confirmation message to say something like" Your account will be reviewed and approved by our staff within 12 hours" and whatever else you would like it to say. Works great and the built in anti-spam controls in Boonex 7.0.6 even blocks spammers from the Contact Us form and sends you a notification e-mail when they try using that form to spam you their. If you go download Deanos tools for free and install that then when they attempt to spam you through the contact us form you can use the built in IP tracker to ban that IP range which it provides using WHOIS lookup which is built-in to the tools system. I use Dolphin 7.0.6 and this method has been tested and is 100% spam retardant. :)

 Also if you want to kick your registration spam prevention up another notch then go buy the Captcha1 extension in the market. This version of captcha requires a real user to use because it's a form unlock slider and not some scrabbled text which bots now can get around. Easy install and will also cut down the amount of spam accounts that are setup on your site.

Hi Houston,

I appreciate your sharing the code.  Thank you.  I set everything and it seems to be working correctly.   The only part I had a question on is the License_Key_Here......I take it one needs a licsense...... as I don't :)- where does one get this license?  Thanks!  The spam was driving me crazy.  I hope it quits now.  Thanks!

$license_key = 'License_Key_Here';
$ipaddress = $_SERVER['REMOTE_ADDR'];
$query = "https://minfraud1.maxmind.com/app/ipauth_http?l=" . $license_key
. "&ipaddr=" . $ipaddress;
$score = file_get_contents($query);
$numericScore = str_replace("proxyScore=", "", $score);
if ($numericScore > .5) {
header( 'Location: ../404.html' ) ;
}

 I don't think Houston visits the forums anymore. Here is the site he mentions in his post but it isn't a free service:

http://www.maxmind.com/app/proxy

Thanks MS Scott!  I'm still getting primarily Avery Islands country spam.  If anyone knows how to get of these people.....grrrrrr, I am so tired of wack a mole to get rid of them.   Has anyone else used the code and had success with it, and to block Avery Islands, if anyone knows the code for that, I'd love to have it!  Thanks.

Sounds like you need the BOT STOPPER!

The only thing which helped REDUCE not stop the spam bot was cloudflare.

http://www.cloudflare.com/

But i still cannot figure out how to cloudflare to dolphin 

http://www.cloudflare.com/wiki/Log_Files

 The Captcha1 mod on this site made by AndrewP does not work to stop the spammers. I set this up on 2 different domains, and found that the first hour had over 200 new registrations, versus the dozen or so with the standard Boonex Captcha.

The only way is to have a multi-tier approach, and Houstonlively's post shows ONE way of making this easier. The other is also incorporating a question/answer with a slider, and making the Q&A pick up a value for the test from a small array of 10-12 different question-answer combinations.

For all of you that are on a VPS or dedicated server, you can setup your server using MaxMind's Apache mod GeoIP

http://dev.maxmind.com/geoip/legacy/mod_geoip2/

The mod_geoip2 module uses the libGeoIP library to look up geolocation information for a client as part of the http request process. This module is free software, and is licensed under the Apache license.

Once this is installed at server level, you setup your .htaccess file to direct all requests.

example:

GeoIPEnable On GeoIPDBFile /path/to/GeoIP.dat SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry # ... place more countries here Deny from env=BlockCountry

 You can also use re-direct commands as well. This process will stop the huge block by IP address .htaccess files, and block more efficiently the entire country.