1

(0 replies, posted in Test forum)

Testing whitelist feature of anti spam bot. Attempting to see if good bots following the link below will end up in spam bot trap.

http://www.network-technologies.org/use … passwords/

http://www.network-technologies.org/use … /index.php

Parpalak wrote:

You can use pun_antispam as an example to make your own extension. Seems like you should use the same hooks, you have only to change them.

I will try to use the PunBB database class since my own database class only supports MySQL ATM.
I just uploaded the code handling the addition and removal of IPs to the .htaccess file to my own site. I will monitor the latest changes for bugs and will then modify my code to work with PunBB.

Examples:
Instant Block for bots not honoring robots.txt. First load works, then total block
http://www.network-technologies.org/use … passwords/

Or block after incorrectly answering the validation question of the comment form three times (invalid count is a configuration value). This is how PunBB's "Register" page will work.
http://www.network-technologies.org/Pro … readsheet/

sirena wrote:

Hi Jacky:
1.3 has an official CAPTCHA extension
but a mod like yours would be a great complement to it as it has a number of advantages over a graphical CAPTCHA.
One can never have enough firepower at the ready to deal with spambots. They are relentless, as you know, and attacks on 1.3 are far from unknown.

I installed 1.3 yesterday and found the image based CAPTCHA. I tested it with my OCR program and the software had no problems reading the numbers .....

So I will implement my mod for PunBB 1.3

BTW, this forum is monitored by a lot of spam bots. My site has been hit by 50 extra bots attempting to spam my comment page since I posted the link to my old PunBB 1.2 mod.
I should have posted a link earlier because the more bots attempt to break my CAPTCHA the faster I can test for weak questions ;)

Spam bots, please go here and test your code => http://www.network-technologies.org/Pro … mod_punbb/

SuperMAG wrote:

I didn't have any spam registrations etc. when I hadn't installed the captcha, but I installed it anyway later.

I have not used 1.3 but back when I ran a website with PunBB 1.2 I had a few bots spam my board until I protected it.
My guess is that your forum has either not been found or the spam bots have not been updated to PunBB 1.3 yet.
The CAPTCHA you installed, is it built into version 1.3 or is it an add-on?

I don't have a site running PunBB ATM so I don't know what is included in 1.3 as far as CAPTCHA goes but I just decided to open a new forum website so I'll check out 1.3.

Thanks for the reply

I just wanted to see if there is any interest in a spam bot protection mod for 1.3 or if 1.3 already comes with one.

I wrote this mod http://www.network-technologies.org/Pro … mod_punbb/ a while back and have received good feedback but I doubt the instructions work for 1.3

I am currently writing a new bot protection script for all my web pages and I could port it to 1.3 if it is needed.

My protection will:
- Ask questions, I really hate image-based captchas because most are just too hard to read.
- Write to .htaccess file and block user by IP using mod rewrite if too many invalid answers were given (brute force protection)
- Offers instant block when opening the wrong page. It is possible to place a hidden link on a page and disallow access via robots.txt. This will catch the badly behaving robots.
- Offers the user the chance to unblock his/her IP via an unlock form

Not done yet but will be added soon:
- Whitelist IPs, the database will contain the IP block for Google.com, Yahoo, ... and prevent accidental blocks of "good bots"

So please post here if you are interested in the above and I will get started on writing the implementation guide.
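The blocking logic listed above (wrong-answer counter, hidden-link trap, whitelist, unlock, .htaccess output), as an added Python example that is not part of the original posts or the mod's own code. The class and method names are hypothetical and the whitelist range is a constructed placeholder; only IPv4 is handled.

```python
import ipaddress
import re

MAX_INVALID = 3  # the post's example; the author calls it a configuration value
# Constructed whitelist: a documentation range standing in for a crawler network
WHITELIST = [ipaddress.IPv4Network("198.51.100.0/24")]

class BotTrap:
    def __init__(self, whitelist=WHITELIST, max_invalid=MAX_INVALID):
        self.whitelist, self.max_invalid = list(whitelist), max_invalid
        self.invalid = {}     # ip -> number of wrong answers so far
        self.blocked = set()  # ips that will be written to .htaccess

    def _blockable(self, ip):
        """Return the canonical IPv4 string, or None if it is whitelisted.
        Raises ValueError for anything that is not a plain IPv4 address, so
        no client-influenced text can ever reach the .htaccess file."""
        addr = ipaddress.IPv4Address(ip)
        return None if any(addr in n for n in self.whitelist) else str(addr)

    def wrong_answer(self, ip):
        """Count a failed validation answer; True once the ip is blocked."""
        ip = self._blockable(ip)
        if ip is None:
            return False
        self.invalid[ip] = self.invalid.get(ip, 0) + 1
        if self.invalid[ip] >= self.max_invalid:
            self.blocked.add(ip)
        return ip in self.blocked

    def trap_hit(self, ip):
        """Request for the hidden, robots.txt-disallowed link: instant block."""
        ip = self._blockable(ip)
        if ip is not None:
            self.blocked.add(ip)
        return ip is not None

    def unblock(self, ip):
        """Called after the unlock form succeeds."""
        self.blocked.discard(ip)
        self.invalid.pop(ip, None)

    def htaccess_rules(self):
        """Render the block list as mod_rewrite directives (403 for each ip)."""
        ips = sorted(self.blocked, key=ipaddress.IPv4Address)
        if not ips:
            return ""
        conds = ["RewriteCond %{REMOTE_ADDR} ^" + re.escape(ip) + "$" for ip in ips]
        return "\n".join(["RewriteEngine On", " [OR]\n".join(conds),
                          "RewriteRule .* - [F,L]"])
```

Parsing the address before it is stored is what keeps a malformed value out of the generated rules; the whitelist check runs before any counter is touched, so a listed crawler can never accumulate strikes.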

JAcky wrote:

Type the word after the colon into the box below: red
Type the word "love" without quotes into the box below (without quotes)
Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
Fill in the missing character and enter the word into the box below: cof_ee
Fill in the missing character and enter the word into the box below: mat_ematics
.... and so on.

I am writing a guide on proper question/answer selection now and the first two are actually not that good since they contain the answer in plain text. A smart bot may try to brute force the way in by trying out every word on the page.

Looks like I need to start working on the next version soon which will include brute force protection.... damn spammers....

sirena wrote:

It works well. Pity there is no admin control panel to modify the challenge/response pair though.
Just remember not to script multiple questions that all have simple answers like 1, 2 or 3. :)
Complex questions that have simple answers - no matter the actual number of questions - can defeat the purpose of this mod. A bot (or scripted browser...) could easily break through a run of 10 randomised complex questions if they all have simple answers like 1, 2 or 3.

Correct, a little bit of thought needs to go into the selection of the questions but there are sooooo many good questions to choose from such as:

Type the word after the colon into the box below: red
Type the word "love" without quotes into the box below (without quotes)
Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
Fill in the missing character and enter the word into the box below: cof_ee
Fill in the missing character and enter the word into the box below: mat_ematics
.... and so on

That's why I wrote the mod; it does not require the standard 1, 2, 3 responses from the user and offers a great deal of variety.
I will add more information about proper question selection to the instruction manual as it is susceptible to brute forcing ... or maybe I could write an anti brute force mod .... mhhh

As far as adding it to the admin panel, I doubt I will write that.

I have written a new mod for PunBB to help forum administrators in the fight against SPAM.

The new mod will ask a simple question which must be answered before registration is possible. The new mod differs from other "ask a simple question" mods in the following ways:

- Prevent bots from auto registering if they try to submit POST variables directly to register.php instead of loading the form to enter username and password first. This should stop most bots ..... PunBB developers may want to implement this for the login procedure and for posting new messages.
- register.php will ask a simple question which must be answered correctly. Unlike other solutions, my modifications will ask different questions which are randomly selected from a file which contains the questions and answers.
Example:
   Question: How many letters e are in the word: free?
   Answer: 2 or two
   This should stop the more sophisticated bots....
- Fixed problem when a user running the Firefox web browser enters an incorrect value and needs to go back, the submit button will stay disabled until the page is reloaded. JavaScript removed to fix issue on register.php

You can download the modifications and find the instructions here:
http://www.network-technologies.org/Pro … mod_punbb/

Please report any problems or submit suggestions via the Contact form on my website as I will not monitor this thread forever.
http://www.network-technologies.org/contact.php

It is my personal rule to keep all my posted information from issuing 404's even when moving to a new server but should it ever happen, you can find the mod at the following URL as well:
http://www.punres.org/desc.php?pid=503

I hope you find this mod as helpful as I do, since I installed the mod my forum has received 0 SPAM posts.

EDIT, added question information:
Important Notes Regarding Question Selection:
Because the validation scheme supports many questions it is possible to make the mod almost useless if you have a lot of questions with the same answer or very short answers.
Assume that you have added 10 questions, most of the questions are simple math problems such as 1+1 or 2-1 which only have a one digit answer, then a spammer can adjust his SPAM bot to attempt a brute force attack. When brute forcing, the bot will attempt to try any possible combination so any simple question can be broken very quickly.
It is a good idea to apply standard password policies to the answers, no answer should be shorter than 6 characters.
It is also a good idea not to include the word which is supposed to be typed into the answer field within the question.

Here are a few not so good examples:
- What is 1+1?
- Write the word red into the field below.

Here are a few good questions you may want to modify to build your question/answer file:
- Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
- Fill in the missing character and enter the word into the box below: cof_ee
- Fill in the missing character and enter the word into the box below: mat_ematics
- What does one hundred PLUS thirty PLUS twenty five PLUS two hundred equal to?
- What year did Apollo 11 land on the moon?
- Write the number one thousand three hundred thirty three in numbers.
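The question-selection notes above, turned into an audit of a question/answer list, as an added Python example that is not part of the original post or the mod. The function names and the in-memory layout of the pairs are assumptions, since the mod's question file format is not shown; the sample pairs are constructed from questions quoted in the post.

```python
import re
from collections import Counter

MIN_ANSWER_LEN = 6  # the post's rule: no answer shorter than 6 characters

def normalize(text):
    """Lower-case and collapse whitespace so comparisons ignore formatting."""
    return re.sub(r"\s+", " ", text.strip().lower())

def audit_questions(pairs):
    """Return {question: [problem, ...]} for every pair that breaks a rule.
    pairs is a list of (question, [accepted answers]) (assumed layout)."""
    # How many different questions accept each answer
    usage = Counter()
    for _, answers in pairs:
        usage.update({normalize(a) for a in answers})

    findings = {}
    for question, answers in pairs:
        q, problems = normalize(question), []
        for answer in answers:
            a = normalize(answer)
            if len(a) < MIN_ANSWER_LEN:
                problems.append(f"'{answer}': shorter than {MIN_ANSWER_LEN} characters")
            # Whole-word match: a bot trying every word on the page would hit it
            if re.search(r"(?<![a-z0-9])" + re.escape(a) + r"(?![a-z0-9])", q):
                problems.append(f"'{answer}': appears in the question text")
            if usage[a] > 1:
                problems.append(f"'{answer}': shared with another question")
        if problems:
            findings[question] = problems
    return findings

# Constructed sample built from questions quoted in the post
Q_MATH = "What is 1+1?"
Q_RED = "Write the word red into the field below."
Q_FREE = "How many letters e are in the word: free?"
Q_MATHS = "Fill in the missing character and enter the word into the box below: mat_ematics"
Q_JELLY = 'Remove all occurrences of the number 2 from the word "2jel2ly2"'
SAMPLE = [
    (Q_MATH, ["2", "two"]),
    (Q_RED, ["red"]),
    (Q_FREE, ["2", "two"]),
    (Q_MATHS, ["mathematics"]),
    (Q_JELLY, ["jelly"]),
]

if __name__ == "__main__":
    for question, problems in audit_questions(SAMPLE).items():
        print(question, "->", "; ".join(problems))
```

Run on the sample, "mathematics" passes every check, while "jelly" (5 characters) is flagged by the length rule alone.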

9

(1 replies, posted in General discussion)

Hello,

is there any way to do the following or are there any plans on implementing them any time soon?

- Moderate after the user submits a message but before messages are public
- E-Mail Moderator(s) when a message needs approval


Thanks