Page 2 of 3
Posted: Sat Mar 31, 2007 7:28 am
by Kevin McGuire
Does it mean that they would be able to figure out what are the fields for even if they randomly change anytime with names like kiarkt, tialit, and there are like 100 invalid fields?
For making it harder, they could be positioned using CSS in such a way that only valid fields are seen by the user. The interface could also be generated using Javascript, so those programs will need to be able to interpret both Javascript and CSS correctly with rather complex and "self-modifying" algorithms to calculate the layout and naming of fields (keeping track of valid ones using a session cookie, so it would also need to interpret and keep cookies). If invalid fields are filled, then the sent content would be rejected.
No. Do not give them anything to work from except their own human brain which of course if not present should not work. =)
You guys are thinking multiple choice. What I meant was a blank text box that a user should actually type the words. If you can write software that can recognize objects in a picture which implies recognizing their location (XY) and potentially Z you have just become a little richer. Of course if someone targeted
www.osdev.org then it would not work but it would prevent a automated spam bot from working.
Here the point is to prevent brute forcing by a bot, and help a user which may have problems get automated help in which the process disables them from registers until someone in the forum validates there answers with the picture and makes sure the user name is not something like sexinshoes.
Once the user fails two or three times they would automatically be directed into the second process which is the creation of a thread in which members could validate the words used. Someone might type "planents" which would have worked as "planets" so we could validate the registration as forum members by someone making a reply of "valid" to that thread and thus accepting their registration. Someone could also reply:
The original thread.
<image shown here for members to verify>
<internet message address with a couple of characters masked>
<user name used for registration>
The reply by a member.
valid
add-alternative-misspelling: planents
To help other people who might be younger or have a hard time spelling.
Here I purposely do not include multiple select tactics, but instead use a text box that needs to have a sentence or words that describe the picture. If a word used to describe the picture match what is acceptable and the total length of the description is below so many characters which would prevent a spam bot from just inserting almost every single word known to man then the user gets registered. If the user fails however it goes to the sub forum registration for acceptance by the members of this forum.
Code: Select all
<html>
<script>
/* code to display one out of twenty images */
picture.value = /* picture choosen */
theimage.value = /* picture choosen */
</script>
<body>
<img id=theimage>
<form type=post action="....">
<input type=hidden name=picture id=picture>
<input type=text name=describe_the_picture>
<input type=text name=email>
<input type=text name=username>
</form>
</body>
</html>
You keep a transaction log so you can back out changes made by members for alternative words that were not originally included to describe the picture in case someone has a problem with something.
The moderators could find another picture every once in a while and post it in that sub forum and let people just make a post with words they would use if trying to register by looking at that picture every couple of weeks just to keep ahead of someone who might be targeting
www.osdev.org with a bot. Although if a direct targeting is made to spam these boards then it is much harder, but form what people are saying it seems it is a automated bot doing this to us and many other forums?
These might be copyrighted but I just want a quick example. =)
http://antwrp.gsfc.nasa.gov/apod/image/ ... 17_big.jpg
http://www.littletownmart.com/dolphins/dolphin1.jpg
Now if we wanted to we could include a picture description then say tell us what is in the picture in as few words as possible.
Bots could use words from the text under the picture so if spam started appearing then you try removing the text under the image.
If these spam bots get this smart we could just invite them on the forum to help members with questions considering rotating in new images every few weeks by the moderators.
Just for clarification we might want to keep the valid internet mail address check since this would help a little.
Posted: Sat Mar 31, 2007 8:21 am
by Brynet-Inc
It's highly unlikely a bot will be able to interpret an image.. so what is everyone smoking?..
People likely use Google or w/e to search for vulnerable phpBB forums, If you had a better robots.txt file or updated the forum software occasionally some of these bots could of been avoided.. If you started coding a image verification form, either displayed during sign-up or "posting" a reply or topic would weed out 99% of the bots.
The 1% being anyone who sits in front of their desk 24/7 writing complex algorithms that are able to interpret such images and situations. For example.. if you had a simple PHP script alternate a question and a picture it seems highly unlikely anything could be coded to get around it.
"What is this cat doing?"
If anything besides a human is able to determine something this random.. there must have been major leaps in artificial intelligence..
Posted: Sat Mar 31, 2007 8:26 am
by ~
In short, it has to be something simple to program yet subtle enough as not to be understood by any robot, and it also would have to be easy to understand for new registrants.
The point is it's claimed that they would be capable of interpreting that; and personally I'd prefer to prove it instead of speculating. But maybe just nobody here has enough time to do those changes in the software.
Posted: Sat Mar 31, 2007 9:30 am
by Kevin McGuire
What if someone decides to flood the forum by changing the internet mail address like:
With registration attempts?
Posted: Sat Mar 31, 2007 12:20 pm
by Brynet-Inc
Doesn't sign-up require email verification?
Meaning the email address has to be valid?
If not... perhaps that should be implemented..
Posted: Sat Mar 31, 2007 12:44 pm
by Alboin
It does have to be valid.
Posted: Sat Mar 31, 2007 1:10 pm
by ehird
This is far too complex people
Posted: Sat Mar 31, 2007 1:45 pm
by Android Mouse
Most importantly, however, is that none of these measures may be widely adopted (!).
Exactly, which is why it is almost insignificant what the anti-spam measure actually is as long as it isn't widely use, ideally completly original.
The method doesn't even need to be complex at all. Like someone else suggested, a simple checkbox that requires checking/unchecking would work.
I think most are forgetting bots are not going to be written specifically for this site. It isn't worth the botmakers time to specialize their bot for one individual website.
Posted: Sat Mar 31, 2007 8:42 pm
by ~
What about building up eventually and patiently a test forum with heavily modified code or built from scratch to put in practice those recommendations, as well as a fair amount of mirrored code to see if what is most and least defeated and, maybe, a custom solution not foreseen by the malicious programmer.
Posted: Mon Apr 02, 2007 1:19 am
by Solar
~ wrote:What about building up eventually and patiently a test forum with heavily modified code or built from scratch...
"Heavily modified" means you have to port your patches to every new release of the forum software, or miss out on upstream patches for
real security holes.
As for "build from scratch"... no comment.
Posted: Mon Apr 02, 2007 10:10 am
by ~
Candy wrote:Most of the "check if human" checks proposed are things computers can do, if only because they use a certain determination humans aren't that good at either. Which of these three is a planet? The one with one object on a black background, of course. Which is earth? Check the colors. Statistics could solve that.
Candy wrote:Most importantly, however, is that none of these measures may be widely adopted (!). If something is widely adopted, it becomes humanly feasible to write a bot for it in order to make profit. On the other hand, you can make something computationally infeasible, by determining something a human is really really fast at and a computer is really really bad at. That's not OCR or such.
What about asking for an image: "How does it look?": "Good" "Bad" "Funny" "Sad".
Could be complex images to classify for a computer but with a definitive meaning for a human... I think that not even japanese robots are capable of such classifications (maybe I'm wrong, I don't think so in that point).
Posted: Mon Apr 02, 2007 3:25 pm
by Android Mouse
~ wrote:What about building up eventually and patiently a test forum with heavily modified code or built from scratch to put in practice those recommendations, as well as a fair amount of mirrored code to see if what is most and least defeated and, maybe, a custom solution not foreseen by the malicious programmer.
All that would be needed to be modified is the registration page. No other changes would need to be made.
Posted: Thu Feb 28, 2008 6:21 pm
by Masterkiller
What about if wiki is registration is closed and all the articles are posted in the forum, then if article is good enough it can be written in the wiki, even edited by registered user. This is half solution, because you have to just take care for the forum spam. About Spam prevention - it is easy, just make a photos of some products like chips, beer and so on and ask a simple question "What is this?". Computers don't eat
Posted: Thu Feb 28, 2008 8:40 pm
by jerryleecooper
Posted: Thu Feb 28, 2008 10:18 pm
by neon
In my site, I added another input field that requires users to answer a simple math question when registering. This has, so far, completely removed all spam bots.
Perhaps something like this can help with the spam?