Hidden Image Checker by BOP5 for VB 3.x and VB 4.x (Stop Cookie Stuffing!)
by BirdOPrey5
01 Apr 2012 02:48

Version 1.02 - Compatibility fix for dbtech Advanced Thanks/Like mod
Version 1.01 - Bugfix for post counts over 1000
Version 1.0 - Initial Release

For some time now a new type of "Spammer" has been hitting forums. These "spammers" are not as obvious as those trying to make links or sell cheap Viagra. These new spammers use a technique called "Cookie Stuffing" which can make them a lot of money if you don't notice what they've done.

Cookie stuffing is when a malicious user posts a hidden (clear) image in a post. Although you may never see the image it actually links to a location that will set a cookie on the browser of everyone viewing the post. In the cases of cookie stuffing this is almost always a cookie that contains their affiliate code for a site like Amazon or eBay. If anyone on your forum should go on to buy something from Amazon.com later in the day the spammer will get a credit from Amazon because your user has the spammer's cookie on their computer.

At best this allows the spammer to make money off your unsuspecting users. At worst it is taking money away from you: if you had your own (legitimate) affiliate cookie, it may get overridden by the spammer's cookie.

There is no built-in means for detecting small transparent images in vBulletin. This mod will show a banner notice under every post by a "new" user reporting the number of images in the post (if any). It only takes a second to scan the post and make sure the number of images reported matches the number of images you see.

So next time a spammer tries to hide a small clear image in a post you or your mods will see a big yellow notice below the post that it contains an image- allowing you or your staff to take appropriate action. (Usually deleting the post and banning the user.) [Mod functions not part of this modification.]

However, since it would get annoying to see these big yellow banners under every post that contains images, the mod lets you limit seeing banners to only "new" users. You can choose a minimum post count or # of days registered before the user who posted is not considered new anymore.

In addition you can choose trusted usergroups that will never have their images counted regardless of their number of posts or days registered.

This mod contains both the VB 3.x and VB 4.x version in the same .xml file. It has been tested on VB 3.8.7 and VB 4.1.10 and VB 4.1.11 but it should work on all VB versions from at least 3.7 through 4.1.x and beyond. Feel free to try on earlier versions and let me know if you run into an error.

This mod DOES NOT count attachments or smilies as images since they are safe from cookie stuffing. Only remotely linked images using the [img] BBCode will be counted.

See screenshots for examples.
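
The counting rule described in this post, sketched as a standalone script. This is an added example, not the mod's own code: the function names, the usergroup IDs (2 and 6), the thresholds and the sample post are hypothetical, and it assumes a user stays "new" until both the post-count and days-registered thresholds are reached.

```python
import re
from datetime import date

# Only remote images posted with [img]URL[/img] count; attachments and smilies do not.
IMG_RE = re.compile(r"\[img\]\s*(https?://[^\[\]\s]+)\s*\[/img\]", re.IGNORECASE)

def parse_post_count(displayed):
    """'1,024' or '1.024' (locale-formatted) -> 1024, so the separator cannot skew the check."""
    digits = re.sub(r"\D", "", str(displayed))
    return int(digits) if digits else 0

def remote_images(post_text):
    """URLs of all [img] tags in the post, quoted sections included."""
    return IMG_RE.findall(post_text)

def is_new_user(user, today, min_posts, min_days, trusted_groups):
    if user["usergroup"] in trusted_groups:      # trusted groups are never counted
        return False
    days_registered = (today - user["joined"]).days
    # Assumption: a user stays "new" until BOTH thresholds are reached.
    return parse_post_count(user["posts"]) < min_posts or days_registered < min_days

def banner_for(post_text, user, today, min_posts=10, min_days=7, trusted_groups=(6,)):
    """Banner text for staff to compare with what they can see, or None."""
    if not is_new_user(user, today, min_posts, min_days, trusted_groups):
        return None
    urls = remote_images(post_text)
    if not urls:
        return None
    return f"NOTICE: this post contains {len(urls)} remotely linked image(s)."

# Constructed sample data (not taken from any real forum).
TODAY = date(2012, 4, 1)
POST = ("Great information!\n[quote]nice [IMG]http://cdn.example/happy.gif[/IMG][/quote]\n"
        "[attach]12[/attach] :) [img]http://pics.example/cat.jpg[/img]")
NEWBIE = {"usergroup": 2, "posts": "3", "joined": date(2012, 3, 30)}
VETERAN = {"usergroup": 2, "posts": "1,024", "joined": date(2010, 1, 5)}
TRUSTED = {"usergroup": 6, "posts": "0", "joined": date(2012, 4, 1)}

if __name__ == "__main__":
    for name, user in (("newbie", NEWBIE), ("veteran", VETERAN), ("trusted", TRUSTED)):
        print(name, "->", banner_for(POST, user, TODAY))
```

The veteran's displayed count of "1,024" is the case to watch: a parser that stops at the separator would read it as 1 and treat a long-standing member as new.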

BirdOPrey5 01 Apr 2012 02:49


Hornstar 01 Apr 2012 08:22

That was really clever of them :) damn spammers lol.

Pandemikk 01 Apr 2012 08:25

Does this mod come with the feature to track spammers to their homes and terrorize them?

BirdOPrey5 01 Apr 2012 09:10

Updated to version 1.01 - There was a bug when a user's post count was over 1000. Failed to account for the comma or decimal point (depending on locale).

BirdOPrey5 12 Apr 2012 12:54

Version 1.02 - Compatibility fix for dbtech Advanced Thanks/Like mod

HeartLessNet 12 Apr 2012 14:27

Thanks/Like mod

home9000 13 Apr 2012 05:36

Dear BirdOPrey5

very nice subject

It's a good idea if you do auto action like hide the post or send email to admin
I prefer to open a post as report in moderators section

BirdOPrey5 13 Apr 2012 10:01

The problem with auto-hiding the post is there is no way for this mod to know if there is a hidden image or not- it simply counts the images used. You need a human to figure out if the count matches what is displayed.

I believe there are already mods that can prevent new users from posting images at all or auto moderate all posts with any image.

vijayninel 26 Apr 2012 09:50

Many thanks for this information and mod. :)

cstreater 06 May 2012 16:28

This has become a huge problem in the last few months. I've been using another technique to auto moderate these posts, because if this "image" displays before the mods see it, the stuffer has already accomplished what they set out to accomplish, to at least some victims. I have the mods clear their cookies and cache after they've reviewed the moderated post, because doing so stuffs their browser too. I might add your plugin as another layer of protection.

If I'm reading your description correctly, you cannot add an additional option to auto moderate these, is that correct? Despite what I said about having my own technique, I think your mod + that capability would work even better.

Some other notes:

If this hooks into new post_process, does it see the quoted portion of a post as well? They are quoting valid posts and inserting them there.

They don't always use broken image links. They are embedding a link that resolves to a standard-looking vBulletin smiley, and displays as such, but there's actually a PHP script that's being run in the process. Tip: don't use standard vBulletin smilies and convert what you have to PNGs. <some domain>/happy.gif is the most common. I believe the use of the GIF extension is what is enabling them to run scripts via these images.

Use relevant replacements to replace known cookie stuffer domains with something else. Not only will this block future attempts from these domains, it will also clean up existing posts.

They will try to get this on one page of every thread. That increases the possibility that a Google click through will be successful in the event what the searcher is looking for is on a specific page of your thread (other than page 1)

There's another technique that's being used to inject these into the footer template.

If you want to stay on top of their techniques, read the places they hang out. Search Google for blackhatseo and cookie stuffing. There are even YouTube instructional videos on how to cookie stuff.

Edit your reportpost_newthread phrase to wrap quoted posts with no parse tags. This will help you see the domain better, so the URL tag doesn't mask it. Do the same with infraction_thread_post. Otherwise, the mods can't see the offending link without editing the post.

If you're an admin, create new infraction types (e.g., cookie stuffing). That way you can quickly look through the reports and infractions forum and review these yourself. I have a pretty large board, so this makes it easier for me to manage.

This article best describes every technique under the sun:

If you run a large board, and are just reading this for the first time, there's a good chance your forum already has a lot of these. Once you clean them up, and put some protection mechanisms in place, it's unlikely you will see these show up in someone who has more than 15 posts.

Use BOP's plugin to block members with less than <x> posts from using signatures. They are sticking them there too. I would link everyone, but I'm typing all this from a phone.

At one point, I think they were using spam bots to cookie stuff. The posts would often consist of only text that said "great information" or something of not much substance. Now there are live human beings that are on topic and are fitting in with regular members.

I have some more insightful tips and info, and what I do to control this, but I actually think they read these forums and I'm not giving my secrets to them ;)

Keep in mind, this problem doesn't just exist in your forum. It's all over blogs, and even sites that might look legitimate. I clear my cookies constantly now.

Sorry for hijacking your thread, but this has been a huge nuisance.

BirdOPrey5 06 May 2012 16:48


Thanks for the detailed info. You are correct, this mod will NOT auto-moderate a post.

It requires a human to make sure the count of images matches the number of images the user sees.

What is that if someone does use a fake smiley, that smiley will count as an image and this mod will display its warning banner. If they had used a real forum smiley, this mod will ignore it and there would be no banner.

So, in summary, if you see the warning banner and only a default smiley in the post- that is very suspicious and should probably be deleted.

Webdude™ 07 May 2012 21:54

Back in the day, they used to hide warez within images and put them on a webhost. Most of the time they were broken images, but if they took enough time, would be a tiny image like a smiley, but which had a huge file size. We had a script on cron that would scan real late at night, find and report these images. It is possible to have php review the code of the actual image and look for domains in that code. No image should have any domain such as 'amazon' within its code. Take any image and open it with wordpad. Now find a cookie stuffer image and do the same. You will know what your addon needs to do after seeing that. All it really has to do is look for certain words in the image code, or you can give that option to the forum owner to insert what keywords he would like the addon to check for in the image code.
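
A sketch of the keyword scan suggested in this post, combined with a check for the case cstreater describes above, where a URL ending in .gif is answered by a script. This is an added example, not code from the mod or from anyone in the thread: it inspects an already captured response instead of fetching anything, the redirect and Set-Cookie checks are additions based on the first post's description of how the cookie gets set, and the hosts, header values and findings labels are constructed.

```python
import struct

# Leading bytes of the image formats a forum normally embeds.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

def sniff_image(body):
    """Identify the format from the bytes, ignoring the URL's extension."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None

def inspect_image_response(status, headers, body, keywords=("amazon", "ebay")):
    """Findings for one fetched [img] URL; headers is a dict with lower-case names."""
    findings = []
    if 300 <= status < 400 and "location" in headers:
        findings.append("redirect")
    if "set-cookie" in headers:
        findings.append("sets-cookie")
    kind = sniff_image(body)
    if kind is None:
        findings.append("not-an-image")
    elif kind == "gif" and len(body) >= 10:
        # GIF stores width and height as little-endian uint16 at offsets 6 and 8.
        width, height = struct.unpack_from("<HH", body, 6)
        if width <= 2 and height <= 2:
            findings.append(f"tiny-image:{width}x{height}")
    # Keyword scan over the raw bytes and the redirect target.
    haystack = (headers.get("location", "") + " " + body.decode("latin-1")).lower()
    findings += [f"keyword:{kw}" for kw in keywords if kw in haystack]
    return findings

def gif_header(width, height):
    """Constructed, header-only GIF bytes: enough for the checks above, not a full image."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00;"

# Constructed responses (hypothetical hosts under the reserved .example TLD).
SMILEY = (200, {"content-type": "image/gif"}, gif_header(16, 16))
PIXEL = (200, {"content-type": "image/gif"}, gif_header(1, 1))
STUFFER = (302, {"location": "http://amazon.example/?ref=CONSTRUCTED",
                 "set-cookie": "aff=CONSTRUCTED"}, b"")
```

A real 16x16 smiley produces no findings, while the constructed stuffer response is flagged four ways; the keyword list is the part a forum owner would tune.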

BirdOPrey5 07 May 2012 23:11

That's a good idea for a mod Webdude... it won't be part of this one as it would involve very different code and setup but I will do some investigation and see what can be done.

Spinball 11 Jun 2012 11:13

Is it possible to only show this alert to certain user groups? I don't want regular members seeing it.

