Page 2 of 3

Posted: Wed Mar 21, 2007 8:26 am
by GLneo
The timeout is a bad idea. If I see someone on another board that has a problem I know the solution to (very rare :P) I just register + post really quick; if others are joining just to answer one quick question it could get annoying to have to wait...

my solution: a decoy "General Ramblings" section! 8)

Posted: Wed Mar 21, 2007 8:37 am
by Combuster
I'll propose it once again, as I haven't heard any opinions on it from the senior members here:
Just modify the new account page and ask the user to enter the captcha in reverse. I doubt the difficulty/effectiveness ratio is that poor.

Posted: Wed Mar 21, 2007 8:42 am
by ehird
captcha in reverse? that'd put at least me off registering...

I suggest getting one of those spam filter plugins, and setting it so it only applies for the user's first 3 posts. Then set its strength very high.

Posted: Wed Mar 21, 2007 8:50 am
by Solar
Combuster wrote:...as I haven't heard any opinions on it from the senior members here...
I said what I think about captchas, and I don't think any "reverse" stuff would improve that much; it would just raise the annoyance bar while registering.

I see the point where a delay would be a nuisance, too, though. However, the whole subject we have here is hardly one where you "jump in" to help, and the quota of regulars vs. newbies is quite high...

Ah well. Luckily it's not for me to decide. ;)

Posted: Wed Mar 21, 2007 11:03 am
by bubach
Something that I know works well is to use randomized form names, like "kdjf8dssdf9" instead of "message". You then, with some sort of hidden field key, decrypt the names before processing them as usual.

To get the protection even better you throw in a random number of bogus hidden input fields (or hide them with CSS) so that the bots can't even keep track of the input order.

But that's way easier on your own software than inserting it into something like phpBB (where it might break automatic updates).
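The scheme in the post above, as an added example (Python rather than phpBB's PHP; not code from the thread): real field names are replaced by HMAC-derived aliases keyed on a per-form nonce, a nonce-determined number of decoy fields is mixed in and the order is shuffled, and the server re-derives everything from the nonce at submission time. The secret and field names are assumed for the demo.

```python
import hashlib
import hmac
import random
import secrets

# Assumed per-deployment secret; a real install would load this from config, not source.
SERVER_SECRET = b"constructed-demo-secret"
REAL_FIELDS = ("subject", "message")
HEX = set("0123456789abcdef")


def alias(nonce: str, real_name: str) -> str:
    """Per-form field name: HMAC(secret, nonce:real_name), so 'message' is never seen by a bot."""
    mac = hmac.new(SERVER_SECRET, f"{nonce}:{real_name}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:12]


def decoy_names(nonce: str) -> list:
    """Between 2 and 5 decoys; the count is derived from the nonce so the server can recompute it."""
    count = 2 + int(nonce[:2], 16) % 4
    return [alias(nonce, f"decoy{i}") for i in range(count)]


def render_form(nonce: str = None) -> dict:
    """Return the nonce plus (input name, kind) pairs in shuffled order for the template."""
    nonce = nonce or secrets.token_hex(8)          # 16 hex chars, sent back in a hidden field
    inputs = [(alias(nonce, r), "real") for r in REAL_FIELDS]
    inputs += [(d, "decoy") for d in decoy_names(nonce)]   # decoys get hidden via CSS
    random.Random(alias(nonce, "order")).shuffle(inputs)   # input order varies per form too
    return {"nonce": nonce, "inputs": inputs}


def decode_submission(post: dict):
    """Map submitted names back to real ones; None means drop the post as bot traffic."""
    nonce = post.get("nonce", "")
    if len(nonce) != 16 or not set(nonce) <= HEX:
        return None                                # forged or missing nonce
    if any(post.get(d) for d in decoy_names(nonce)):
        return None                                # something filled a field no human sees
    try:
        return {r: post[alias(nonce, r)] for r in REAL_FIELDS}
    except KeyError:
        return None                                # names do not belong to this nonce
```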

Posted: Wed Mar 21, 2007 12:48 pm
by Brynet-Inc
I don't think OSDev's phpBB has been updated in a very long time..

Updating might be a decent way of evading bots.. :roll:

It's possible chase made so many modifications that updating wouldn't be very easy..

(This line leads me to my assumptions: Powered by phpBB © 2001, 2005 phpBB Group)

Posted: Wed Mar 21, 2007 2:03 pm
by Alboin
bubach wrote:But that's way easier on your own software than inserting it into something like phpBB (where it might break automatic updates).
You could write your own forum; or fork phpBB. (GPL, right?)

However, I doubt anyone here has any time to do anything like that. :wink:

Posted: Wed Mar 28, 2007 5:23 am
by Solar
OK, a completely different suggestion: Limit the amount of links in a user's posting depending on the number of previous posts. No links in the first five postings. That should be easy enough, shouldn't bother newbies too much, and would hopefully discourage spammers.

Posted: Wed Mar 28, 2007 8:09 am
by Combuster
I can imagine non-n00b newcomers linking to Sourceforge or some svn repository when they come in and ask for help, who might be bothered by this.

On the other hand, the current generation of spammers who post a list of urls are effectively silenced, but not the newer ones.

My main concern with this one is that it potentially impairs normal users, while the hidden fields and several other Turing tests do not. (Which is also why I dislike the timeout.)


On another note, you may want to try to add these to the banlist:
http://dimensionalrift.homelinux.net/co ... badips.txt (From my own honeypot)
http://www.gearhack.com/Articles/FightSpam/ (which contains a far more exhaustive list)

Posted: Wed Mar 28, 2007 8:27 am
by ~
I repeat here something I had posted previously. You will note that it still largely applies and would be great if it could be worked out. Maybe the 99% of effective protection claimed could reach up to 75% more or less, because either the "bad-crawl-web-app" is ultra-smart or the author/supporter of it is personally present here or has some way to evaluate the forum content humanly, because you can see how the anomalous messages directly evolve to the plans discussed here, hence the need to keep parts of that plan secret so as to build a better protection (at least long enough to reach a true, significant, sustainable and hard-to-reach advantage against them):

What about letting only members that have been here for a while (several useful posts) to post in "General Ramblings" AND allow them to post off-topic content? It just makes no sense that some person comes here, a specialized development forum, just to post "spam" right away.

As a plus, it could be that a user whose very first post is spam gets into believing that it has posted something, but in such case that user will be the only one able to see its own post appearing as it is actually seen by everybody.

Getting more dramatic, there could also be a low priority web crawler process (to avoid eating too many server resources) to find out whether a post of such type of user (spam at first post) is found massively on the Internet, and, if so, delete it automatically without human intervention.

For example, look at the following Google search looking for the text of the first line from the spam topic "Always getting a 404 error :(":

Friend of mine tell me about some statistic information available at this page

You'll see that even the same exact user names are being used which opens a wider multitude of testing possibilities to prove it's spam. Based on that, it is possible to find out one of the weaknesses of such spambots: they always repeat the same posts massively to many forums. Certainly, captchas have stopped being a 100% effective protection. Now, monotony from spambots would be a 99% of a solution (the other 1% would be if the message is contained completely in an image of a text and random actual text to avoid banning the message for having only 1 image and no text).

Some other things should be added in case these workarounds get to be taken into account by the malicious programmer and kept secret so that the spambots don't know what kind of measures other than captchas are being applied.
Now, you can also look for any link or link-like text in messages and also in profiles to see if they are related to spam around the Internet. To increase its effectiveness we may look both for the complete addressed subdomain spamsubdomain.spamdomain.com and its root domain spamdomain.com. If the user has such an address in its profile it could even be banned immediately and, if the IP is found to be predictable enough it could be banned, ranging randomly in time.
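An added example (not code from the thread) combining Solar's "no links in the first five postings" rule with the link check just described: links are pulled from the post body and the profile URL, and each host is checked both as the full subdomain and as its root domain against a blocklist. The blocklist contents, the two-label root-domain heuristic (no public-suffix list) and the result labels are assumptions.

```python
import re
from urllib.parse import urlparse

# Matches plain and [url=...] BBCode links; stops at whitespace and bracket/quote characters.
URL_RE = re.compile(r"""https?://[^\s\[\]<>"']+""", re.IGNORECASE)
MIN_POSTS_FOR_LINKS = 5                     # Solar's rule from earlier in the thread

# Constructed blocklist for the demo; the real lists live behind the URLs quoted above.
BLOCKED_DOMAINS = {"spamdomain.com"}


def hosts_in(text: str) -> list:
    """Hostnames of every link in the text, lower-cased, trailing dot removed."""
    return [(urlparse(u).hostname or "").lower().rstrip(".") for u in URL_RE.findall(text)]


def root_domain(host: str) -> str:
    """Naive registrable domain (last two labels); assumption: no public-suffix list here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def domain_blocked(host: str) -> bool:
    """Check the full subdomain and its root domain, as the post suggests."""
    return host in BLOCKED_DOMAINS or root_domain(host) in BLOCKED_DOMAINS


def check_post(text: str, post_count: int, profile_url: str = "") -> str:
    """'blocked_domain' -> ban, 'no_links_yet' -> refuse the post, 'ok' -> accept."""
    hosts = hosts_in(text) + hosts_in(profile_url)
    if any(domain_blocked(h) for h in hosts):
        return "blocked_domain"             # profile or post points at a known spam domain
    if hosts and post_count < MIN_POSTS_FOR_LINKS:
        return "no_links_yet"               # newcomer with links: hold until they have a history
    return "ok"
```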

Posted: Thu Apr 05, 2007 4:33 am
by bubach
I recently found out about a php software called "bad behavior" that seems perfect for both the forum and wiki:

http://www.homelandstupidity.us/software/bad-behavior/
Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however. Bad Behavior is available for several PHP-based software packages, and also can be integrated in seconds into any PHP script.
Ready to use version for phpBB:
http://phsoftware.de/index.php/content/view/51/8/

and for mediawiki:
http://www.homelandstupidity.us/softwar ... mediawiki/

Posted: Thu Apr 05, 2007 2:19 pm
by ~
Isn't there any comment about the previous post?

It looks like a very good and easy to implement solution, and it seems that the source code of the package is freely accessible if there exists the need for some modification.

Posted: Thu Apr 05, 2007 2:59 pm
by bubach
It's really only Chase that can answer on that, and I guess he's not checking here every minute. I'm not sure what else he might have on this account/machine and if he would ever trust someone with ftp and db details, but it might be an idea to let all/some/one mod(s) help with software modifications and updates.

Posted: Fri Apr 06, 2007 1:01 pm
by chase
I'm going to spend some time this weekend looking into every way possible to stop the spam. I might end up requiring mod approval for new accounts if I can't find anything that works well enough.

Posted: Sat Apr 07, 2007 7:58 am
by Combuster
From experience, don't select admin account activation. It is probably worse than the current set-up. It will cost lots of time filtering through all signups, most of which are bots, and will fail when the user/bot did not specify anything beyond the required. Getting 20 mails a day about new accounts needing approval is IMO worse than removing one spammer every other day.

In short: instead of spamming the board, bots will end up spamming the staff.