Announcement

Collapse
No announcement yet.

Need to have some better security on the forums

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Need to have some better security on the forums

    Michael, there seems to be a lot of bots hitting the forums lately and spamming them, would you please consider implementing some sign up security to thwart these annoyances?

    Here is another example with no doubt a few more garbage posts to follow:

    http://www.phoronix.com/forums/showthread.php?t=21419
    http://www.phoronix.com/forums/showthread.php?t=21376
    http://www.phoronix.com/forums/showthread.php?t=21338
    http://www.phoronix.com/forums/showthread.php?t=21296
    http://www.phoronix.com/forums/showthread.php?t=21061
    Last edited by deanjo; 01-13-2010, 09:46 PM.

  • #2
    Another one:

    http://www.phoronix.com/forums/showt...807#post107807

    Comment


    • #3
      Problem is there's no signup security which can't be defeated by OCR or an office full of Chinese people on $0.50 an hour which won't drive away real users. 'Captchas', for example, have devolved to the point where it's probably easier for a computer to read than for me to do so; I typically have to make two or three attempts before I can work one out.

      Comment


      • #4
        Originally posted by movieman View Post
        Problem is there's no signup security which can't be defeated by OCR or an office full of Chinese people on $0.50 an hour which won't drive away real users. 'Captchas', for example, have devolved to the point where it's probably easier for a computer to read than for me to do so; I typically have to make two or three attempts before I can work one out.
        Well there are some trends if you look at the spams,

        1) they always start a new thread on their initial spam, make it so that creating a new thread on the first posts from a new user can't be put up until reviewed

        2) since these are mostly bot signups have the signup process not accept a signup when the form is "instantly" filled from their macro's, etc. Usually with their signups are filled in all in one shot, something a human couldn't really do. Restrict it to the signup process has to take at least a minimum time such as 10 seconds.

        There are other ways as well to minimize the effect, they just have to be put in place.

        Comment


        • #5
          Originally posted by movieman View Post
          Problem is there's no signup security which can't be defeated by OCR or an office full of Chinese people on $0.50 an hour which won't drive away real users. 'Captchas', for example, have devolved to the point where it's probably easier for a computer to read than for me to do so; I typically have to make two or three attempts before I can work one out.
          id tend to say its the Chinese, except that no profit is involved.

          anyone know a reason behind the spam?

          Comment


          • #6
            Originally posted by movieman View Post
            Problem is there's no signup security which can't be defeated by OCR or an office full of Chinese people on $0.50 an hour which won't drive away real users. 'Captchas', for example, have devolved to the point where it's probably easier for a computer to read than for me to do so; I typically have to make two or three attempts before I can work one out.
            I hear that.

            Comment


            • #7
              Originally posted by movieman View Post
              Problem is there's no signup security which can't be defeated by OCR or an office full of Chinese people on $0.50 an hour which won't drive away real users. 'Captchas', for example, have devolved to the point where it's probably easier for a computer to read than for me to do so; I typically have to make two or three attempts before I can work one out.
              Dunno... I thought Text-chas were pretty effective at filtering out bots and still very accessible? They'll filter out everyone who doesn't speak english though, which might be a good and a bad thing. Good: Chinese wont be able to defeat them (as long as they don't speak english). Con: Non-english speakers wont be able to join the board. But seeing as how this is an english board anyway I don't think that'd be such a big trade-off.

              Comment


              • #8
                Originally posted by Zhick View Post
                Dunno... I thought Text-chas were pretty effective at filtering out bots and still very accessible? They'll filter out everyone who doesn't speak english though, which might be a good and a bad thing. Good: Chinese wont be able to defeat them (as long as they don't speak english). Con: Non-english speakers wont be able to join the board. But seeing as how this is an english board anyway I don't think that'd be such a big trade-off.
                oh man. poor Qaridarium would be trying for hours and hours.

                Comment


                • #9
                  Moderators are needed, not CR systems.

                  Comment


                  • #10
                    You probably need both. Moderators are the only practical solution for human posters, but if you can keep bots and other mass posters out that makes the remaining moderator effort a lot more manageable.

                    Comment


                    • #11
                      Added "Android" and "converter" to the list of checks that will flag a post for the moderation queue if the user's post count is less than three, that should cut out lots of this spam lately.
                      Michael Larabel
                      http://www.michaellarabel.com/

                      Comment


                      • #12
                        There's three kinds of attacks:

                        1) automated broad-scale attacks against random vbulletin boards found via google
                        2) specialized attacks specifically crafted for a certain forum
                        3) humans paid to manually register and spam

                        Type 1 attacks are easily defeated by changing the registration form in ways the bots don't expect. We've reduced the bots in a phpBB board with a few simple tricks:
                        - changed the URL of the registration form, most bots don't even find it any more. Disallowing the registration form in robots.txt seems to help, too.
                        - we made the "username" field invisible (via css). If anyone submits a non-empty "username", it's a bot.
                        - we added a field "actual_username" that's displayed instead. If anyone submits an empty actual_username, it's a bot.

                        It's as effective as a custom captcha but not as annoying.


                        Custom registration forms can be defeated by hand-crafting attacks to the specifics of the board (attacks of type 2), but usually nobody will bother. Our 100k-person board should be more attractive for such things, but it hasn't happened yet.


                        The best automation against Type 3) are badword-filters, disabling links in the first x posts or adding new threads of recently-registered to the moderator-queue.
                        Last edited by rohcQaH; 01-15-2010, 09:05 AM.

                        Comment


                        • #13
                          Everybody welcome the new member

                          http://www.phoronix.com/forums/showt...527#post108527

                          Comment


                          • #14
                            Originally posted by deanjo View Post
                            Well there are some trends if you look at the spams,

                            1) they always start a new thread on their initial spam, make it so that creating a new thread on the first posts from a new user can't be put up until reviewed

                            2) since these are mostly bot signups have the signup process not accept a signup when the form is "instantly" filled from their macro's, etc. Usually with their signups are filled in all in one shot, something a human couldn't really do. Restrict it to the signup process has to take at least a minimum time such as 10 seconds.

                            There are other ways as well to minimize the effect, they just have to be put in place.
                            There's mods and patches for vbulletin for thwarting spammers cold.

                            Also disabling signatures and avatars for new people till they reach a certain number of posts also helps too, as some spammers use signatures filled with links to badware

                            Originally posted by Michael View Post
                            Added "Android" and "converter" to the list of checks that will flag a post for the moderation queue if the user's post count is less than three, that should cut out lots of this spam lately.
                            as other "spam words" pop up add them to the checklist too.

                            @Michael, spammers will always try to get around whatever you throw at them, so its pretty much a must to keep devising new ways to keep on top of the spammers.

                            Originally posted by L33F3R View Post
                            oh man. poor Qaridarium would be trying for hours and hours.
                            LOL!

                            But Q's not really a spammer though, despite how badly worded his posts are.
                            Last edited by DeepDayze; 01-19-2010, 11:44 PM.

                            Comment


                            • #15
                              http://www.phoronix.com/forums/showt...587#post108587

                              More spam.

                              http://www.phoronix.com/forums/showt...552#post108552

                              Comment

                              Working...
                              X