Hard Light Productions Forums

Site Management => Site Support / Feedback => Topic started by: Droid803 on July 30, 2011, 06:55:55 pm

Title: Regarding Spambots
Post by: Droid803 on July 30, 2011, 06:55:55 pm
Has it gotten worse again?
They were dead for a while after the forum upgrade, but now they look like they're back in force.
Title: Re: Regarding Spambots
Post by: Snail on July 30, 2011, 06:56:09 pm
Evidently.
Title: Re: Regarding Spambots
Post by: LordPomposity on July 30, 2011, 07:05:52 pm
\/|@GR@
Title: Re: Regarding Spambots
Post by: Sonzai on July 30, 2011, 07:09:08 pm
\/|@GR@

(Psst - LordPomposity: You forgot the link!)
Title: Re: Regarding Spambots
Post by: Snail on July 30, 2011, 07:13:22 pm
Instant Penis Enlargements (http://www.hard-light.net/wiki/images/Solarisdd.jpg)
Title: Re: Regarding Spambots
Post by: LordPomposity on July 30, 2011, 07:32:01 pm
\/|@GR@

(Psst - LordPomposity: You forgot the link!)

I've never been permabanned for being a spambot, so I daresay my strategy is better than yours. :p
Title: Re: Regarding Spambots
Post by: Mongoose on July 30, 2011, 07:35:29 pm
I've been getting multiple reports e-mailed to me per day over the past few weeks.  Whatever our CAPTCHA is, it's no longer working.
Title: Re: Regarding Spambots
Post by: Droid803 on July 30, 2011, 08:33:12 pm
time to change it up maybe? :P
Title: Re: Regarding Spambots
Post by: jr2 on July 30, 2011, 09:04:04 pm
Maybe add one that displays several different images, two with numbers, one with an operand, ( +, -, x, / ) and combines them and asks for the correct answer to the equation?
Title: Re: Regarding Spambots
Post by: Sonzai on July 30, 2011, 10:26:56 pm
Maybe add one that displays several different images, two with numbers, one with an operand, ( +, -, x, / ) and combines them and asks for the correct answer to the equation?

Like This?

(http://www.recreationalreality.com/Integral_Example.png)
Title: Re: Regarding Spambots
Post by: LordPomposity on July 30, 2011, 10:40:37 pm
Maybe add one that displays several different images, two with numbers, one with an operand, ( +, -, x, / ) and combines them and asks for the correct answer to the equation?

Like This?

(http://www.recreationalreality.com/Integral_Example.png)

I like your style. :p
Title: Re: Regarding Spambots
Post by: Black Wolf on July 30, 2011, 11:00:15 pm
I vote against this, primarily on the basis that maths is for stupidheads.
Title: Re: Regarding Spambots
Post by: Zacam on July 31, 2011, 12:18:30 am

No system is invulnerable, so while the upgrade bought us some time, that time sadly wasn't used effectively because the problem wasn't fully understood.

Yes, our captcha and registration process are weak. I'm working on devising methods that will beef up the Registration process and make it more difficult for bots to be able to register accounts (by sticking them in a bucket and validating the information -before- sending them a confirmation email, for example). I'll also be upgrading the registration captcha schema as well as the post validation captcha schema.

Any accounts that are questionably able to pass pre-confirmation email in the registration process will go directly into "Moderated Posts" status to further buffer any suspicious (but not outright verifiable) accounts.

I'm also going to see about adjusting some of the privileges available to newer members, such as instituting a "Minimum Post Count" level in order to view extended member information (such as e-mail, for anybody that elects to show it) and what not. As well, while there will be a minimum post count for regular posts to require passing the captcha, that number will be higher for any posts that include any external links, to hopefully guard against any human-created accounts that are then turned over to spam-bots.

Any accounts that fail validation or become flagged in their Moderation Status as belonging to spam accounts, even when deleted, will still have their pertinent details stored in a "failed or banned" category to build a better anti-spam registration process as well as provide the opportunity for any mistaken ban/deletes to be more easily undone.

Naturally, all of that is a LOT of work, so it may take a while after the 2.0 Final upgrade for the forum software goes live. In the meantime, while I'm doing it manually, I am employing a lot of the processes for checking IPs/emails/domains that the intended modules will use, to gauge their overall success rate (which led to me discovering that their biggest flaw is that not one of them checks the valid members database prior to issuing a ban, which I need to correct for before I deploy them). So far, the results are pretty positive, with only 6 "accidents" (out of over 6000+ "accounts").
Title: Re: Regarding Spambots
Post by: Talon 1024 on August 08, 2011, 07:29:06 am
Any progress on this, Zacam? There have been spambots registering and posting every day for the last couple of days. :mad:
Title: Re: Regarding Spambots
Post by: Spoon on August 08, 2011, 07:40:06 am
Yeah, this is getting out of hand
Title: Re: Regarding Spambots
Post by: pecenipicek on August 08, 2011, 08:00:19 am
I've just been reporting them every time it springs up... oh well :D
Title: Re: Regarding Spambots
Post by: karajorma on August 08, 2011, 02:24:38 pm
Any progress on this, Zacam? There have been spambots registering and posting every day for the last couple of days. :mad:

Tell me about it. I really miss the "One touch ban and clean" that Game-Warden has.
Title: Re: Regarding Spambots
Post by: Mongoose on August 08, 2011, 05:08:25 pm
I've just been reporting them every time it springs up... oh well :D
I appreciate the effort in general, but since you're not the only one, I've been getting six or seven e-mails for every single spambot. :D
Title: Re: Regarding Spambots
Post by: pecenipicek on August 08, 2011, 05:35:03 pm
I check the forum at least 20 times a day :p

Sorry, can't help it much :p
Title: Re: Regarding Spambots
Post by: Mongoose on August 08, 2011, 07:15:31 pm
Well, it's not exactly your fault...it's the fact that SMF apparently doesn't have a setting that stops people from reporting a post after it's already been reported, like at least one version of phpBB does.  It'd be super-handy for this current wave of bots.
Title: Re: Regarding Spambots
Post by: pecenipicek on August 08, 2011, 09:31:59 pm
I think it'd just be better if it didn't send any more e-mails after the first, until a mod checks the list, à la the "subscribe to topic" thingy on phpBB.
Title: Re: Regarding Spambots
Post by: Goober5000 on August 09, 2011, 12:15:11 am
Ironically, security and immunity from forum spam were the main reasons we moved to SMF back in 2006 or so.  This was when getting one spambot a week was considered an epidemic.

By the way, during the past week Zacam was at DefCon (http://www.defcon.org/) and I was at BrickFair (http://www.brickfair.com/), so neither of us were available to squash bots.
Title: Re: Regarding Spambots
Post by: Zacam on August 09, 2011, 12:29:05 am
Tell me about it. I really miss the "One touch ban and clean" that Game-Warden has.

There is actually a series of (two) modules for SMF that could be combined that I think might be able to fit the bill of duplicating that. Add in a third module, and you can set the ban to an existing ban group (such as a general catch-all bucket). Course, the ultimate idea is that we shouldn't need ban buckets anymore except for cases where actual members do something to deserve it.

(The modules in question would add both delete user and ban user buttons to the left side in the short profile section, and the second one would add the ability (when using delete) to also set up a ban, where the third one would allow you to set the ban triggers into an already existing ban element. A 4th (semi-related) module could probably be templated off either of those that would allow Moderators/Globals to one-touch "Firewall" users as well.)

I think it'd just be better if it didn't send any more e-mails after the first, until a mod checks the list, à la the "subscribe to topic" thingy on phpBB.

I can see if there is a customization available that allows for that behaviour, so far I haven't seen anything in the defaults that allows it.


As far as the progress of everything else goes, we'll first need to roll out to 2.0 Final, then work in the 5 modules that made it to my list that will then need some time for configuration and what not and observation.

I also have at least 2 other modules that can be independently used to beef up our captcha, but I'm not totally satisfied with either of them individually at the moment, and I'm trying to work out a combination system. One works based off rotating images to a correct alignment. But I want to combine that into creating what a user then has to input as well. (Basically, straighten out the letters and numbers and images, then type in (using a wildcard character for the image as a placeholder) any of the letters/numbers/symbols that show up in the order they appear (or say, in the reverse order or randomly either) into the validation box) and we'd still need to institute a delay mechanism to the registration process so that it doesn't just email out a validation code on completion.

It will also mean a slight re-organization to the member database, as I want to insulate the "pending" members and the banned/deleted members into their own database categories. This will make being able to A: review history and sort offenders based on IPs/emails/etc. to get a decent count, as well as B: give us the ability (which we don't have) to "undo" any deletes that might happen or (in the event that the anti-bot/spammer check is wrong) be able to "push" a validation, without it taking up any further slots in the db count of regular members. Which will help keep the size down on that respective db as well.
Title: Re: Regarding Spambots
Post by: FreeSpaceFreak on August 10, 2011, 01:40:13 pm
Umm, why (and when) was our unique custom-built CAPTCHA replaced with some stock thing that every bit of bot knows how to deal with?
Title: Re: Regarding Spambots
Post by: Iss Mneur on August 10, 2011, 09:09:16 pm
Umm, why (and when) was our unique custom-built CAPTCHA replaced with some stock thing that every bit of bot knows how to deal with?

IIRC, it was broken a few months back.


@admins: Out of curiosity, does HLP take part in something like Project Honeypot (http://www.projecthoneypot.org/about_us.php) to help classify incoming users?
Title: Re: Regarding Spambots
Post by: Zacam on August 11, 2011, 02:20:24 pm
Umm, why (and when) was our unique custom-built CAPTCHA replaced with some stock thing that every bit of bot knows how to deal with?

Our "unique" custom captcha only operates on the posting level. Not on the registration level. Yet. Hence where we are going to be beefing it up more.


@admins: Out of curiosity, does HLP take part in something like Project Honeypot (http://www.projecthoneypot.org/about_us.php) to help classify incoming users?

Not at present it does not. But there is an SMF module for it that will be added which will provide it to us. I just need to tie it into the registration collection process (but before the activation email is sent) so that we can reject outright spam accounts from ever being created in the first place, and retain suspicious-looking ones on the "Pending" list (again, still without sending an activation email) so that we can approve or reject them as necessary. But the default out-of-the-package module needs some adjustment to play well with the other modules I'm looking to combine, and customizations to insert it into the proper place, etc.
Title: Re: Regarding Spambots
Post by: FreeSpaceFreak on August 12, 2011, 02:57:40 am
Our "unique" custom captcha only operates on the posting level. Not on the registration level. Yet. Hence where we are going to be beefing it up more.

It was used for registrations too, I remember checking it out myself (I mean the one with the ship names). But the CAPTCHA we have now (for registration) is in use pretty much everywhere, so obviously bots know how to deal with it...

IIRC, it was broken a few months back.

I wonder if the surge in spambot activity coincided with the removal of it?
Title: Re: Regarding Spambots
Post by: Woolie Wool on August 17, 2011, 01:53:45 am
A second wave of the bastards seems to be inbound. I've already reported two of them.
Title: Re: Regarding Spambots
Post by: Droid803 on August 17, 2011, 12:58:13 pm
I don't think they come in waves but rather a continuous steady stream.
Title: Re: Regarding Spambots
Post by: Goober5000 on August 17, 2011, 02:43:04 pm
Yeah, like a fire hose.  There's still a crapload in the memberlist we haven't gotten rid of yet.  Zacam is working on a proper batch-delete feature.
Title: Re: Regarding Spambots
Post by: JCDNWarrior on August 17, 2011, 02:54:23 pm
They're more aggressive than I've ever seen them to be. I've run a little forum as the administrator for around 3 years and they were annoying but not particularly hard to beat with limited means. It could just be my perception but they really seem to be much more insistent than around 5-6 years ago when I last worked on my forum. Still, looking at how they're acting like they're real people... makes me wonder, how long until someone perfects this and uses it against forums o.o

Of course it's more an entertaining thought than anything else.
Title: Re: Regarding Spambots
Post by: The E on August 17, 2011, 02:58:30 pm
Well, a little forum 3 years ago and a middle-sized one now can hardly be compared (HLP gets about 1.5 million pageviews per month, I believe?). We're definitely a juicier target.
Title: Re: Regarding Spambots
Post by: pecenipicek on August 17, 2011, 05:34:13 pm
One of my "9 months unused" forums suddenly got a spike in traffic, resulting in around 11 gigabytes of traffic generated.

I was at first like "What the?", then I went checking subdomains. Suddenly, one of the forums I used to run was shown to have somewhere like 400 new members. Go check posts, went over 10k posts total. On a forum that previously had less than 500 total.

I'd let it go on, but then I simply nuked the subdomain and the forum.

Title: Re: Regarding Spambots
Post by: Goober5000 on August 17, 2011, 06:24:59 pm
I wonder how The Forum of James is doing.
Title: Re: Regarding Spambots
Post by: pecenipicek on August 17, 2011, 06:43:30 pm
the what?
Title: Re: Regarding Spambots
Post by: Shivan Hunter on August 17, 2011, 06:55:50 pm
Forum of James. (http://www.hard-light.net/forums/index.php?topic=56111.0) Every link of his is dead though so I assume it's been deleted. :P

What about that other guy's hyper-conservative forum? Some of us in IRC trolled it but it got boring.
Title: Re: Regarding Spambots
Post by: Scourge of Ages on August 21, 2011, 12:35:00 am
To prevent multi-reporting, I just saw Shade do something neat, and absurdly simple. He reported a bot, and replied to the topic stating that he did so.

EDIT: Holy sheep! Two more bots in the couple of minutes since I posted this!
Title: Re: Regarding Spambots
Post by: Mongoose on August 21, 2011, 02:12:40 am
Yeah, that idea is greatly appreciated, since it cuts down on the flood of e-mails that we've all been getting. :) Someone else did it a day or two ago, though I don't know if it was Shade, since the post got deleted along with the thread.
Title: Re: Regarding Spambots
Post by: JGZinv on August 22, 2011, 01:39:43 am
Just had a spam bot that's online now hit the FringeSpace board and I took care of the post.

Here's the user name - incorvitos
Title: Re: Regarding Spambots
Post by: Fury on August 22, 2011, 04:59:00 am
@admins: Out of curiosity, does HLP take part in something like Project Honeypot (http://www.projecthoneypot.org/about_us.php) to help classify incoming users?
CloudFlare would do that and much more too. The only reason why it was disabled shortly after it was tried out was that Starman01 was having weird issues. I'd suspect these are fixed by now. The HLP CloudFlare account still exists with all but the newest (if any) domains already set up. Only GoDaddy DNS needs to be changed and it'd be good to go once again.
Title: Re: Regarding Spambots
Post by: Iss Mneur on August 22, 2011, 10:11:11 am
@admins: Out of curiosity, does HLP take part in something like Project Honeypot (http://www.projecthoneypot.org/about_us.php) to help classify incoming users?
CloudFlare would do that and much more too. The only reason why it was disabled shortly after it was tried out was that Starman01 was having weird issues. I'd suspect these are fixed by now. The HLP CloudFlare account still exists with all but the newest (if any) domains already set up. Only GoDaddy DNS needs to be changed and it'd be good to go once again.
Yes they do.  I think they actually use Project Honeypot as part of their metrics or a similar service.

I understood there were other issues with CloudFlare as well, not just Starman01 having issues, which was why we dropped it.  Though you would know best as you were the one that implemented it :D.
Title: Re: Regarding Spambots
Post by: Talon 1024 on August 23, 2011, 11:11:01 pm
Should user registration be disabled temporarily because of all the spambots coming in?
Title: Re: Regarding Spambots
Post by: Goober5000 on August 24, 2011, 01:05:51 am
I've changed the registration process to require admin approval.  That will at least get rid of the bots registering with gibberish names.

Zacam is working on a more permanent solution.
Title: Re: Regarding Spambots
Post by: Flipside on August 31, 2011, 12:36:44 pm
Have noticed a huge drop in spam posts since this was done :)
Title: Re: Regarding Spambots
Post by: iamacyborg on September 06, 2011, 03:17:36 am
Just to post my thoughts, being a brand new registered user.

The wait to get an account is quite annoying, I can completely understand your situation (I've got a couple forums myself, and numerous blogs), but, with the current system, it does appear you could be harming your chances of getting new users to stick about.

Just my $0.2
Title: Re: Regarding Spambots
Post by: Goober5000 on September 06, 2011, 03:52:35 am
The current system is temporary until Zacam finishes a forum mod.  You definitely have a legitimate concern, but unfortunately the spam registrants make it extremely difficult to come up with a satisfactory solution.  When I approved your membership, for example, I had to reject about 50 spam accounts that registered at about the same time you did.  In fact, right now there are 65 (edit: now 66) members awaiting approval, and I'll bet that almost every one of them is a spam attempt.
Title: Re: Regarding Spambots
Post by: iamacyborg on September 06, 2011, 04:41:19 am
It's no problem.

Is there a plugin for SMF that checks account IPs against a database of known spammers, like the StopForumSpam database? I've used a plugin like that for vBulletin, and it's helped a lot, though it does occasionally pick up a few false positives.
Title: Re: Regarding Spambots
Post by: Zacam on September 06, 2011, 07:36:53 am

There is indeed. And one that talks to Project Honeypot and a few others.

The problem is that when more than one potential "check" system is available, they all have to work in a collaborative fashion, which none of the SMF Mods are initially created to do.

It also means some significant reworking of the database end as well as adding in new administration controls. And being able to build a history of our own that also allows us to undo any "false positive" rejections wouldn't hurt either.
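An added illustration of the screening pipeline Zacam describes in his July 31 post and here: score a sign-up against several reputation sources before any activation e-mail goes out, consult the valid-members table before rejecting, and keep a history so a false positive can be undone. This is example code written for this page, not HLP's module or any SMF mod; the lookups are local sets standing in for Project Honeypot / StopForumSpam, and the weights and thresholds are assumptions.

```python
"""Registration screening: combine several checks into one decision,
hold rather than ban when a hit overlaps an existing member, and record
every hold/reject so it can be reversed. All data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Registration:
    username: str
    email: str
    ip: str

# Constructed stand-ins for the external lookups (Project Honeypot,
# StopForumSpam) and for the forum's own member table. IPs come from the
# RFC 5737 documentation ranges; nothing here is real data.
HONEYPOT_IPS = {"203.0.113.7", "198.51.100.9"}
SPAM_EMAILS = {"mailer@example.net"}
THROWAWAY_DOMAINS = {"example.org"}
MEMBER_IPS = {"198.51.100.9"}            # a real member sits behind a listed IP
MEMBER_EMAILS = {"oldtimer@example.com"}

# Each check contributes one weighted signal; weights/thresholds are assumed.
REJECT_AT, PENDING_AT = 3, 1

def score(reg: Registration) -> tuple[int, list[str]]:
    """Run every check and combine them into one score plus the reasons."""
    total, reasons = 0, []
    if reg.ip in HONEYPOT_IPS:
        total += 2; reasons.append("ip listed by honeypot")
    if reg.email.lower() in SPAM_EMAILS:
        total += 2; reasons.append("email listed as spam sender")
    if reg.email.rsplit("@", 1)[-1].lower() in THROWAWAY_DOMAINS:
        total += 1; reasons.append("throwaway mail domain")
    return total, reasons

def overlaps_member(reg: Registration) -> bool:
    """True when the IP or address already belongs to a valid member."""
    return reg.ip in MEMBER_IPS or reg.email.lower() in MEMBER_EMAILS

@dataclass
class Screener:
    history: list[dict] = field(default_factory=list)  # holds and rejects

    def screen(self, reg: Registration) -> str:
        """Return 'approve', 'pending' or 'reject'. Only 'approve' may send
        the activation e-mail; the other two stay in the pending bucket."""
        total, reasons = score(reg)
        if total >= REJECT_AT:
            decision = "reject"
        elif total >= PENDING_AT:
            decision = "pending"
        else:
            decision = "approve"
        # The flaw noted in the stock modules: none checked the valid members
        # table before banning. A hit that overlaps a real member's IP or
        # address (shared NAT, ISP pool) is held for a human instead.
        if decision == "reject" and overlaps_member(reg):
            decision = "pending"
            reasons.append("overlaps an existing member; manual review")
        if decision != "approve":
            self.history.append({"username": reg.username, "email": reg.email,
                                 "ip": reg.ip, "decision": decision,
                                 "reasons": reasons})
        return decision

    def undo(self, username: str) -> Optional[dict]:
        """Reverse a false positive: re-open the held/rejected record."""
        for rec in self.history:
            if rec["username"] == username and rec["decision"] != "approve":
                rec["decision"] = "approve"
                return rec
        return None

def activation_allowed(decision: str) -> bool:
    """The delay mechanism: mail goes out only after a positive decision."""
    return decision == "approve"
```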
Title: Re: Regarding Spambots
Post by: Fury on September 06, 2011, 11:33:00 am
Like I've already mentioned, enabling CloudFlare and the "nameplate" captcha in addition to the SMF default captcha would reduce the number of spam registrations. Nameplate images should still be there where they were left when it was removed. Nothing stops you from using a different method if you so desire, but at least it would beat waiting for this mystical and magical solution Zacam has been said to be working on.
Title: Re: Regarding Spambots
Post by: Zacam on September 06, 2011, 08:44:05 pm

Awww, but I wanted there to be Ponies and Rainbows and glittery confetti.

I'm a bit at a loss to understand where you are coming from with that derisive statement. The "mystical and magical" solution seems more like using CloudFlare rather than developing our own supportable Module that has its own database capabilities that it can build and refer to in the event of an outage or change in service type from any external source.

But sure, I guess we can just close our eyes and let somebody else do it for us and not bother with asking how or why. Or having ANY control over when it decides to false-positive block somebody.

Okay, that last part is a bit of a stretch. They do have a control panel that is pretty nice for what they offer on their Free Services side. And none of it is anything that we can't do or have for ourselves.
Title: Re: Regarding Spambots
Post by: karajorma on September 06, 2011, 10:40:16 pm
That said, why aren't we using the nameplates stuff? No bot is getting through that one.
Title: Re: Regarding Spambots
Post by: mjn.mixael on September 06, 2011, 11:19:36 pm
IIRC, there was some discussion about the STOP font being too difficult for people.
Title: Re: Regarding Spambots
Post by: Fury on September 06, 2011, 11:25:14 pm
I'm a bit at a loss to understand where you are coming from with that derisive statement. The "mystical and magical" solution seems more like using CloudFlare rather than developing our own supportable Module that has its own database capabilities that it can build and refer to in the event of an outage or change in service type from any external source.

But sure, I guess we can just close our eyes and let somebody else do it for us and not bother with asking how or why. Or having ANY control over when it decides to false-positive block somebody.

Okay, that last part is a bit of a stretch. They do have a control panel that is pretty nice for what they offer on their Free Services side. And none of it is anything that we can't do or have for ourselves.

It's been quite a long while since it was first mentioned publicly you were working on a solution of your own. A time at which any other readily available solution(s) could have been used to lessen the impact of spammers and anything else malicious. If you really feel like reinventing the wheel and using the solution you're cooking up, please do but why are you not making use of temporary solutions that may or may not be just as effective at stopping spammers?

And lest we forget, any external service beats a local service when it comes to stopping malicious traffic. Why? Because in an ideal scenario such traffic never reaches the server that is hosting actual content. In many cases CF has managed to reduce http traffic of their customers by several times. CF is efficient in blocking denial of service attacks as well. As the server serves far fewer http requests, it can focus on serving real visitors all that much quicker. Not to mention that CF also works as a CDN, reducing loading times of static content, which should help visitors from other continents quite a bit all the while reducing bandwidth usage of the server. CF also features many tools, one of which is support for Google Analytics. Since it works for all http traffic on specified domains, it is way more accurate than it would be if you just add the code to a select few pages such as HLP forums and mainpage. With CF you'd be able to monitor all hosted project sites too without editing their files and so on. The available tools don't end there, but you should be able to research it yourself should you feel inclined to do so.

Can your module do that? It very much sounds like it's an SMF module, which does jack squat for the wiki and any other sites being served on this server. If I am mistaken and it works for the whole server, awesome, but you still could make use of what's available until it is done.
Title: Re: Regarding Spambots
Post by: Zacam on September 07, 2011, 04:11:05 am

Okay then, so what's the process for turning CF back on then, seeing as how it was on before? If you're going to say "turn it back on" including -how to- at some point would probably be a good idea.

You know, just in case anybody else wants to do it.
Title: Re: Regarding Spambots
Post by: FreeSpaceFreak on September 07, 2011, 08:58:40 am
IIRC, there was some discussion about the STOP font being too difficult for people.

Seriously? Someone who can't make out perfect English words in a somewhat stylized font either
A. doesn't know English whatsoever
B. is a complete idiot

I wouldn't bother about blocking that 0.01% of possible HLP members out, TBH, even if it makes us look like a secret bunch of incommunicado reclusives :P

But that might be just me. If STOP is unreadable, there's still BSG and UEF (and TBP?) nameplates we can use...
Title: Re: Regarding Spambots
Post by: MatthTheGeek on September 07, 2011, 09:04:51 am
Last time I checked, "Aquitaine" isn't really an English word :p

That's probably the case for some of the others, I don't remember which ones were there.
Title: Re: Regarding Spambots
Post by: The E on September 07, 2011, 09:23:47 am
Neither is "eökrgqserg", and yet normal captchas have no problem spitting word salad at people.
Title: Re: Regarding Spambots
Post by: mjn.mixael on September 07, 2011, 10:09:04 am
Neither is "eökrgqserg", and yet normal captchas have no problem spitting word salad at people.

This.

I kinda want to find that thread.. but I can't really be arsed to search right now.

EDIT: I lied, here it is. (http://www.hard-light.net/forums/index.php?topic=73882.0)
Title: Re: Regarding Spambots
Post by: Rodo on September 07, 2011, 10:16:53 am
yeah I remember it, type Nyarlathotep ftw... and forum entrance.

It was the best captcha evar, and I mean it.
Title: Re: Regarding Spambots
Post by: Fury on September 07, 2011, 12:14:41 pm

Okay then, so what's the process for turning CF back on then, seeing as how it was on before? If you're going to say "turn it back on" including -how to- at some point would probably be a good idea.

You know, just in case anybody else wants to do it.

I think I posted CF login details in the admin board (I may have changed pw since then though) and Sandwich should know how to change DNS. In any case, I've PM'ed you step-by-step instructions on it. While you're at it, request Sandwich to remove my permissions to HLP domain on GoDaddy. It's nothing more than a liability for me to have those anymore.
Title: Re: Regarding Spambots
Post by: Mongoose on September 07, 2011, 05:01:46 pm
Just make them spell Hatshepsut.  If they spell it right, we know they're a bot. :p
Title: Re: Regarding Spambots
Post by: Sandwich on September 07, 2011, 05:09:48 pm
While you're at it, request Sandwich to remove my permissions to HLP domain on GoDaddy. It's nothing more than a liability for me to have those anymore.

Done - thanks for reminding me. :)