Topic: spammers are on to you

yes, it seems they have adapted to your verification system and are automatedly checking their email and then logging in and posting porn spam. maybe you could implement one of those "type these letters" verification things in as an added level of security as well as randomize the verification email so a bot cant parse it

Re: spammers are on to you

there are a few modifications you can do to stop spammers, and if you had seached here and punres you would of found them wink

Sorry. Unactive due to personal life.

Re: spammers are on to you

not into modding.. just want to use the product as-is untouched. thanks for your helpful input into this matter

Re: spammers are on to you

Spammers are always going to adapt to new systems. wink
Now then, as to your suggestions:
CAPTCHA: It's not accessible to blind users and would require us to either use PHP sessions (which we use nowhere else) or add our own system for storing data in, say, the online table, both of which are less than ideal. Of course, people are always looking to crack CAPTCHAs using OCR software, so we would probably end up in another arms race against spammers.
Random email: I'd be interested to see how you would do that, I don't think it's actually possible. Of course, each individual forum can change its welcome email to be unique, which is a point I'll be addressing right now wink

Now then, for 1.3, we plan to release several extensions to help deal with spam. The key to addressing spam, however, is realizing how much of it is automated. Just adding a trick to every forum won't help, since spammers will code their bots around it. So, we need to focus on allowing each forum to make its setup unique. smile

Re: spammers are on to you

well whatever you do to get around the spammers is hard because they too have access to the code and im sure some may even follow these forums just to keep up.

as far as the ocr.. i dont know how many of them have that sort of capacity available to them, im sure some do. but why have it use sessions? upon generation of a random string.. add the string to a temp table.. then check the user's verification input against that temp table.. too many wrong tries.. ban em. but the main problem i see is that to use this feature the server would need imagemagik or some other sort of graphic manipulation lib installed which increases requirements for the punbb and thats not good

if you had the resources available to support it.. you could add a "captcha" generation service. where when the verification email goes out.. the server first queries your service center for a captcha image(reduce local requirements) then drops the string in the temp table or wherever it is you store the random password.. emails the verification email with the random password inside the captcha image im the email and for those textonly-based mail clients they could be pointed to a url that is a copy of the verification email.

i guess the options are limitless really and we could come up with more all day but what matters is someone has to do it and thats not me. so ill shutup now lol

Re: spammers are on to you

kevinnading wrote:

as far as the ocr.. i dont know how many of them have that sort of capacity available to them, im sure some do. but why have it use sessions? upon generation of a random string.. add the string to a temp table.. then check the user's verification input against that temp table.. too many wrong tries.. ban em.

I mentioned that in my previous post as being less than ideal wink

kevinnading wrote:

if you had the resources available to support it.. you could add a "captcha" generation service. where when the verification email goes out.. the server first queries your service center for a captcha image(reduce local requirements) then drops the string in the temp table or wherever it is you store the random password.. emails the verification email with the random password inside the captcha image im the email and for those textonly-based mail clients they could be pointed to a url that is a copy of the verification email.

No way that would work tongue
A single point of failure for all the CAPTCHAs that would be used by PunBB? Even if spammers didn't pay people a couple cents to type in CAPTCHAs for them, that would take an immense setup to run for very little gain.

Re: spammers are on to you

Why is adding a table not a good option? Just curious.

Re: spammers are on to you

Not adding a table, adding a column to the online table (a HEAP table) that is only applicable to guests who are registering. So, you're allocating more of the MySQL server's memory when the column isn't even going to be used by most of the users.
Of course, if you're going to write a CAPTCHA extension, you would likely do add the column or use PHP sessions. That doesn't change the fact that they're less than ideal solutions for storing the answer on the server wink

Re: spammers are on to you

Yes, adding a column to the online table does not sound like a good idea, but why would you do it like that instead of having a seperate table just for captchas? Not trying to argue, as I do agree that using mods for spam protection is good because then everyone's is a little different smile Just a hypothetical question I guess.

Re: spammers are on to you

dmspilot00 wrote:

Yes, adding a column to the online table does not sound like a good idea, but why would you do it like that instead of having a seperate table just for captchas? Not trying to argue, as I do agree that using mods for spam protection is good because then everyone's is a little different smile Just a hypothetical question I guess.

How would you associate the CAPTCHA data with the guests I think you would end up either reimplementing PunBB's system or reimplementing the PHP session system. In either case, using the existing system is better than writing your own, if only for the assurance that it just works. tongue

Re: spammers are on to you

Ok... hope the discussion doesn't get all broken since this is being discussed in a few topics.

I think a good solution would be some adjustable cap parameters. For example, letting the admin decide after how many posts does a user have the permission to post links. That along with a frequency cap applied only to new users, i think would work.
The more variables the admin can control the most efficient the protection is because the spammers don't get to know what they need to go around.

I belive the future is colaborative solutions like akismet. There is an akismet mod to punbb which i've tryed, but i don't recomend because it's too strict. It's tunned to moderate blog comments which are not supose to have the same kind of content then forum posts.

An anti-spam product with its own spammers database that would be designed specially to punbb would a killer plus.

Re: spammers are on to you

I think a good solution would be some adjustable cap parameters. For example, letting the admin decide after how many posts does a user have the permission to post links. That along with a frequency cap applied only to new users, i think would work.
The more variables the admin can control the most efficient the protection is because the spammers don't get to know what they need to go around.

Except that won't stop the spam from bots, which don't care whether or not you have links or not. As long as they can post, there will be spam posts smile

Re: spammers are on to you

Smartys wrote:

How would you associate the CAPTCHA data with the guests I think you would end up either reimplementing PunBB's system or reimplementing the PHP session system. In either case, using the existing system is better than writing your own, if only for the assurance that it just works. tongue

I would do something like this rather than use sessions or adding a column to online table:

create table captchas ( captcha_id varchar(16) not null primary key, captcha_code varchar(6) not null, timestamp timestamp not null default now() );

In register.php
- generate random captcha_id, random captcha_code, insert them into the captchas table
- add hidden form field to register form for captcha_id
- call image generating php script with captcha_id in query string
- when submitted, compare the entered captcha code to captcha_code in the db

Hmm, you could also generate the image within register.php and save it with some random name, and use an hmac/salted hash  in the hidden form field, then you need neither cookies nor a db table. But you would need a script to delete the old images.

Re: spammers are on to you

Mmm, fair point.
Now, there is a bit more complexity. There should be only one attempt allowed per CAPTCHA, successful or not, to prevent brute-forcing. Also, you should deal with garbage collection so you don't have unused CAPTCHAs sitting there.

15

Re: spammers are on to you

I always post this in these threads as it makes me feel smart.

This has been the single most effective anti-spam solution I have found, and is as easy as falling out of a tree to implement that it doesn't even count as a mod.


##
##
##        Mod title:  Simple Antispambot-code Mod  
##
##      Mod version:  0.8 
##   Works on PunBB:  1.2.15 
##     Release date:  28 May 2007 
##           Author:  sirena (on http://punbb.org/forums)
##
##      Description:  This is a *very* simple mod to help prevent forum 
##                    spambots from registering on a punBB forum. 
##
##       Affects DB:  No 
##
##   Affected files:  register.php 
##
##            Notes:  This mod simply adds an extra free-text form field into 
##                    the registration page for punBB (register.php) that 
##                    prospective users need to complete, and which the forum 
##                    administrator can easily customize. 
##                    
##                    Forum administrators can specify any sort of question 
##                    and the required (numeric or text) response.  
##                    
##                    Administrators are encouraged to: 
##                    (a) customize the question posed by this mod to suit their needs, and 
##                    (b) change their question periodically. 
##                    
##                    The more variation there is in the deployment of this mod, the more 
##                    effective it will be, particularly against automated spambots. 
##                    
##                    Questions can be simple - like "What year did Columbus discover America?"
##                     - or perhaps more complicated - like "What is the sum of 1000+100". 
##                    
##                    Questions may even be very specific if you are confident that the 
##                    people who you want to join your forum should know the answer. 
##                    
##                    For example if you have a forum about the Beatles the question may be 
##                    "What year did the Beatles break up?"  
##                    
##                    Or if you have a forum about Beverly Hills Calif., a good question may be 
##                    "What is the postcode of Beverly Hills?"  Etc. 
##                    
##                    Specific questions such as these will help prevent automated registrations 
##                    and may even cause difficulties for some human spammers too, 
##                    if local or esoteric knowledge is required.
##                    
##                    Questions may also be framed to require some exploration of the site. 
##                    Eg "Please enter the 4 digit VIP code visible at the top of the Support page". 
##                    
##                    This sort of question will block automated bots and slow down 
##                    and perhaps even deter human spammers too. 
##                    
##
##     Generated By:  Auto Read-Me(by Caleb Champlin) - http://www.rscheatnet.com/Auto_Readme.zip
##
##       DISCLAIMER:  Please note that 'mods' are not officially supported by
##                    PunBB. Installation of this modification is done at your
##                    own risk. Backup your forum database and any and all
##                    applicable files before proceeding.
##
#
#---------[ 1. OPEN ]---------------------------------------------------
#

/YOURPUNBBFORUM/register.php

#
#---------[ 2. FIND (line:186) ]---------------------------------------------------
#
    $timezone = round($_POST['timezone'], 1);
#
#---------[ 3. BEFORE, ADD ]---------------------------------------------------
#
    // anti-spam code variable checked here. Customize to suit your needs.
    if ($_POST['spamcode'] <> "1492") 
        message('Please enter the correct 4 digit code for the year Columbus discovered America.');

#
#---------[ 4. FIND (lines: 305-309) ]---------------------------------------------------
#
            <div class="inform">
                <fieldset>
                    <legend><?php echo $lang_prof_reg['Localisation legend'] ?></legend>

#
#---------[ 5. BEFORE, ADD ]---------------------------------------------------
#

            <div class="inform">
                <fieldset>
                    <legend>Spambot prevention</legend>
                    <div class="infldset">
                        <p>Please enter the year in which Columbus discovered America in the box below.</p>
                        <p><b>Hint:</b> <i>In XXXX, Columbus sailed the ocean blue...</i></p>
                        <div class="rbox">
                        <input type="text" name="spamcode" size="4" maxlength="4" /><br />
                        </div>
                    </div>
                </fieldset>
            </div>

#
#---------[ 6. SAVE/UPLOAD ]---------------------------------------------------
#

/YOURPUNBBFORUM/register.php
Landen Meadows Residents Forum - http://www.landenmeadows.net

Re: spammers are on to you

axa: Indeed, and that's the kind of anti-spam tool that works (and the kind that we're most looking forward to implementing) smile

17

Re: spammers are on to you

can someone take this a bit farther and create a admin panel where the admin creates the Question and answer?


Q

My stuff or my style might sux, but atleast I'm willing to help when I can.
Don't be stupid and help ! We are the stupid one's !!!

18

Re: spammers are on to you

quaker wrote:

can someone take this a bit farther and create a admin panel where the admin creates the Question and answer?


Q

i did that earlier wink

19

Re: spammers are on to you

post the code fool...
so other can have it as well

Q

My stuff or my style might sux, but atleast I'm willing to help when I can.
Don't be stupid and help ! We are the stupid one's !!!

20

Re: spammers are on to you

http://www.punres.org/viewtopic.php?pid=22006#p22006

dont say i never do anything for you.

21

Re: spammers are on to you

here a question for ur admin_options..

how many times will it take you to get it right the first time?
(hint 100000000000000000000000000000000000000000000)
lmao...
kewl marky-poo!!

Q

My stuff or my style might sux, but atleast I'm willing to help when I can.
Don't be stupid and help ! We are the stupid one's !!!

Re: spammers are on to you

here is a quick tip for anyone with a spam problem:

i was up to about 2 spammers per day that actually verify account and post porn, the remainder 5-10 false accounts per day arent sophisticated enough to automate the verification process. i simply changed the layout on the welcome email that has the login info and they stopped.. why? because their automated system recognizes the default template and knows where to extract the username and password from programatically.. so since i changed it around, their automated software no longer knows where to look for the login verification info and hence fails to verify account and does not post spam!

Re: spammers are on to you

Not adding a table, adding a column to the online table (a HEAP table) that is only applicable to guests who are registering. So, you're allocating more of the MySQL server's memory when the column isn't even going to be used by most of the users.
Of course, if you're going to write a CAPTCHA extension, you would likely do add the column or use PHP sessions. That doesn't change the fact that they're less than ideal solutions for storing the answer on the server

You could use csrf_token in 1.3.

Re: spammers are on to you

You mean, since the column is already there, just use it? Not a good idea, especially since we're generating CSRF tokens for every user/guest anyway tongue

Re: spammers are on to you

kevinnading wrote:

here is a quick tip for anyone with a spam problem:

i was up to about 2 spammers per day that actually verify account and post porn, the remainder 5-10 false accounts per day arent sophisticated enough to automate the verification process. i simply changed the layout on the welcome email that has the login info and they stopped.. why? because their automated system recognizes the default template and knows where to extract the username and password from programatically.. so since i changed it around, their automated software no longer knows where to look for the login verification info and hence fails to verify account and does not post spam!

I think this kind of approach is the way to go.
If the administrator can easily from the admin panel control a lot of variables in order to brake patterns then it should be easy to keep spammers away with some minor changes here and there