Topic: Vulnerable to spambots

I think being vulnerable to spambots should be considered as serious as being vulnerable to SQL injections. I am a very good advocate of punBB, and I suggest it everywhere when someone asks for forum recommendations, but I had to sort of "close" my forum for now until this vulnerability is fixed.

I left on Friday, with my forum clean, with no spam (I cleaned the few spams manually). When I got back this morning, I found out that my server was rebooted twice due to non-response. After further investigation, I found out that the account that caused the problem was the account that hosts my low-traffic forum. Strange. So, I accessed my forum and found... A deluge os spam. Litterally hundreds of thousands of adult, child porn, and men's health spam. Tired of removing manually spams everyday, no time with my job, and seeing that I just can't remove manually hundreds of thousands of spam, I reverted my database to an older backup from last week, I disabled new registrations and set all categories as read-only.

I hope something is done about it. Thanks in advance.

Charles.

Re: Vulnerable to spambots

Moved to PunBB Discussion
Spam is a serious issue, but unless a mistake in the code is allowing something it shouldn't, it isn't a bug smile

There are plenty of mods that allow you to deal with spam, and 1.3 will most certainly have official extensions to help fight spam

http://fluxbb.org

Free PunBB Hosting - lots of mods, easy to customize

3 (edited by calande 2007-05-14 13:51)

Re: Vulnerable to spambots

For me it's a bug when it brings your server down, and when basically it uses an exploit to turn your forum unusable. I agree that there are mods, but it shouldn't be necessary to install a mod. Any forum that you set up these days will be hit by spambots early or late. It's like surfing the web using Windows 98 with no antivirus IMHO.

Charles.

Re: Vulnerable to spambots

Any massive number of requests can take down your server: that's a Denial of Service attack smile
And it isn't as if PunBB has no way to deal with the spam: there are mods, there is banning, there is deletion, there is a usergroup system, there are forum permissions.

http://fluxbb.org

Free PunBB Hosting - lots of mods, easy to customize

Re: Vulnerable to spambots

Of course I can install mods or create mine. The problem is that it has an exploit, it allows any non-human user to send an unlimited number of messages with no restriction. It's like not requiring registration, or disabling captchas. The point is that with a default installation of punBB, I can't run my forum.

Charles.

Re: Vulnerable to spambots

hi.  when i first installed punbb i started getting hit with spam mostly from russian email accounts.  then i enabled the rules options "if you don't want your mommy to read it, don't write it" type of thing and the spammers went away.  i guess who ever was hitting me didn't know how to modify his script.  so just out of couriosity, do you make new registrations click okay on the rules and do you use email verification?  it's not perfect but it slows down the dummies.

Re: Vulnerable to spambots

I use the default settings (with e-mail verification, etc...).

Charles.

8 (edited by naitkris 2007-05-14 17:34)

Re: Vulnerable to spambots

try BB Spam Fighter, very small changes to your forum needed and should stop a lot of spam bots without affecting accessibility (if configured right).

a very good alternative is Akismet for PunBB which is accessiblity friendly, however checks are performed by relying on a 3rd party which may not suit.

EDIT - if you want to stop them at registration and so use CAPTCHA (not reccommended for accessibility), try something like Registration Verification Code, an accessibility friendly alternative is a sortof "What is 2 + 2?" check, but while accessible, it is easy for spambots to be reconfigured to work this out.

Re: Vulnerable to spambots

Thanks. As I said, I can install mods myself or even tweak my own spam filter. I'm talking about fixing this bug for the default installation so that people who install punBB don't have to worry, the default installation will be safe.

Charles.

Re: Vulnerable to spambots

Thanks. As I said, I can install mods myself or even tweak my own spam filter. I'm talking about fixing this bug for the default installation so that people who install punBB don't have to worry, the default installation will be safe.

i don't think the word 'bug' is being properly used here.  if the default installation is too open for your liking several methods have been mentioned here on how to tighten things up.

if you feel that the default settings should be changed that is something you could mention to the developers.  but i personally like punbb as is.

i do feel your pain, spammers suck balls.

Re: Vulnerable to spambots

It's not just for me. I have 3 different forums (Interaction, PC-BSD and another one for my NGO). They all have been targetted by spambots. I can safely conclude that any forum will be exploited to broadcast spam on the web. Anyway, I hope Rickard will read this thread and agree that this security breach is something important that should be fixed in the default installation, especially that common users don't expect that a forum can be hit by spam, even less by spambots. My message has been heard wink

Charles.

Re: Vulnerable to spambots

I'm in agreement that some native spam-fight control should be integrated but I also don't expect it done tomorrow, so meanwhile you'd better install a mod for that.

13

Re: Vulnerable to spambots

I tend to agree with calande.

It's a classic problem. Administrators should accept some responsibility for the secure operation of their sites, of course. But you can see the trends - we have to accept that the web is a hostile environment nowadays. So application hardening is the way to go.

Ergo, a modern forum has to be able to deal effectively with spam in a default install. That is to say, a 'secure' anti-spam configuration should be the default.

Perhaps this means including stuff like a CAPTCHA or textual equivalent built-in, along with expanded post and registration 'censoring' options, and certainly implementation of the simple stuff like support for the no-follow tag on links in forum posts, designed to reduce the incentive to spam. And turning all of these options 'on' by default.

Administrators should then be able to choose to selectively disable the spam control options, but by default they would be active.

It's the appropriate security model to adopt. Forum spam is only going to get worse. Why contribute to the problem?

Look at the MS experience and the new security model in Vista and successive generations of for example their server product lines. You start with a secure configuration, and users then have to explicitly *choose* less secure options.  Is good.

I'd certainly encourage punBB to go down this path.

Re: Vulnerable to spambots

that's a good point sirena.  maybe making a couple of already existing options default would help.

i'm an extreme newb at programming so i'm not sure on what would be the best method for additional defense but possibly a captcha that could be turned off for accessibility reasons...

interesting thread.

Smartys wrote:

...1.3 will most certainly have official extensions to help fight spam...

:-)

15 (edited by naitkris 2007-05-14 22:15)

Re: Vulnerable to spambots

i also agree, but at the same time PunBB is standards compliant - XHTML, CSS, accessible, etc and these are some of the great things about PunBB, so to introduce something like CAPTCHA would only break this which is quite bad in my opinion.

a text equivilant like "What is 5 + 3?" (random numbers) would be a good idea as a basic defence, but then, as mentioned earlier, if this becomes standard to PunBB, then bots will be programmed to defeat this which brings us back to square one. a mod i made, mentioned earlier (based on the Forbidden word spam blocker mod by Daniel Vijge), addresses the issue differently but the problem with this mod is that it must be customised by the administrator to each forum and a "one size fits all" is not going to work (except maybe for limiting URLs and post sizes for new users/guests).

Akismet, as previously mentioned does a great job but the downside with this is the forum administrator is relying on a 3rd party which may not suit a lot of people who like simplicity and total control, and who therefore chose PunBB in the first place.

perhaps integrating like you mentioned sirena, a few solutions, like CAPTCHA, "What is 5 + 3?" etc into PunBB but having them off by default would give new forum administrators the easy option to turn them on at their will. having them on by default though i do not think is a good idea as PunBB is simple and standards focused, and adding too much and breaking the standards would not be good.

16

Re: Vulnerable to spambots

sirena wrote:

Look at the MS experience and the new security model in Vista and successive generations of for example their server product lines. You start with a secure configuration, and users then have to explicitly *choose* less secure options.  Is good.

You are incorrect. That is not good. That is merely taking a broken system and trying to prevent it from becoming broken even further quickly. What's even worse is that it has a highly detrimental effect on legitimate use.

Adding any type of spam protection has problems. For one, I believe it deviates from PunBB's basic design philosophy? Secondly, whatever system one chooses will become only partially effective within time, leading to requests for further additions. Where does one stop? Three, one solution will never be okay for all.

At the end of the day, PunBB appears to have more of a *nix based philosophy than a M$ one, which is to provide a secure base system without needless bells and whistles that can be altered precisely to meet ones needs. It does not start off as a bloated system with countless needless parts which impact reliability, configurabilty, security and speed.

For goodness sakes, it can be adapted with several hours work. A modded version of your own can then be used to create all your own installs. You only need to do the job once.

17

Re: Vulnerable to spambots

I knew it was a mistake to use a MS example around here smile

But a dislike of MS shouldn't cloud the argument. It was just meant to illustrate a point about application hardening. One valid approach can involve reducing the 'surface area' an application exposes to attack 'out-of-the-box'. That's all. It's a very *nix-like perspective.

Progressive strengthening of the defences by all web apps is an inevitable trend. You can see it everywhere. And the forums you will see around in several years time will be much tighter than the ones you see today, that seems an absolute given.

This doesn't necessarily need to get in the way of the spirit of open source, *nix, the web and other goodness. It's a matter of survival.

18

Re: Vulnerable to spambots

sirena wrote:

I knew it was a mistake to use a MS example around here smile

But a dislike of MS shouldn't cloud the argument. It was just meant to illustrate a point about application hardening. One valid approach can involve reducing the 'surface area' an application exposes to attack 'out-of-the-box'. That's all. It's a very *nix-like perspective.

Progressive strengthening of the defences by all web apps is an inevitable trend. You can see it everywhere. And the forums you will see around in several years time will be much tighter than the ones you see today, that seems an absolute given.

This doesn't necessarily need to get in the way of the spirit of open source, *nix, the web and other goodness. It's a matter of survival.

Judging by how many of the mods for PunBB are written with M$ editors, I think most on here are appear to be running that OS. big_smile The means for hooking in external measures is a method I would agree with. The base system should always be as small as possible, in my personal opinion, though. I can't disagree with the need for security measures. smile I just personally prefer them to be separate entities.

19 (edited by MadHatter 2007-05-15 01:20)

Re: Vulnerable to spambots

there was a mod here a little bit ago that had you change the first item in the time zone drop down to "select a time zone," and a change in login to check for a null timezone.  this simple fix has completely (now that I say this I'll get bombarded I bet) stopped false registrations on my board.  I think that things like this, that stop automated scripts from signing up and posting on your forum is needed, and simple to add in without disturbing the masses.  I run several other websites and only one has punbb, the others run phpbb, but I have never had this problem with the phpbb and there are a lot more people trying to exploit that board.

I'd definitely call it a bug.  not that there is anything broken in the code, but it does allow for subsequent automated sign ups after one valid registration (even with the email me the password enabled, because once they know the server time, they can use fake emails and generate the password), and I'd call that a security (albeit timid) risk.

ultimately its up to the guys owning the code to fix / change it, and if they don't see it as a bug then it wont get fixed.  If they don't see it as a bug, maybe they'll still consider it as a feature request, but whatever it is, I think it would be a good idea to revisit that algorithm and see if it couldn't be refactored a bit.

20

Re: Vulnerable to spambots

Yeah, true. I agree with MattF and MadHatter.

At the moment punBB certainly fulfils its role very well in security terms against a variety of threats based on code integrity - eg it's simple code base has a good track record against XSS, SQL injections etc, because (aside from simply being coded very well) the less there is in terms of features and simple number of lines of code, the less scope there is for things to go wrong. A gold star to punBB on that issue, for sure. And everyone would want that to continue.

But forum spam and bad bots are an external threat that punBB needs to face. No matter how tight and secure the code itself is, the 'front door' may still be a vulnerable to abuse, and that degrades the whole utility of punBB, potentially. (As it does a lot of other web apps).

Bringing this issue within the core security envelope of punBB - somehow - would be a welcome development, IMHO.

Re: Vulnerable to spambots

hey i know this is slightly off topic but i couldn't resist posting it.  so u you have spam problems?  check out this article,
MySpace users snowed in by new blizzard of spam.

A few days later, a new spammer left 500 pages worth of postings. Bartley eventually converted the group to private, so people would have to receive her explicit permission before being able to post messages. But even this has done nothing to stem the viral wave of crap, which in many cases includes postings of some of the vilest porn known to man. To make matters worse, the vandals have figured out a way to ban her most vocal supporters from accessing the group, so they are unable to participate in any meaningful way.

"...some of the vilest porn known to man..."  i hate spammers but that line's kind of funny.

22

Re: Vulnerable to spambots

naitkris wrote:

a text equivilant like "What is 5 + 3?" (random numbers) would be a good idea as a basic defence, but then, as mentioned earlier, if this becomes standard to PunBB, then bots will be programmed to defeat this which brings us back to square one. a mod i made, mentioned earlier (based on the Forbidden word spam blocker mod by Daniel Vijge), addresses the issue differently but the problem with this mod is that it must be customised by the administrator to each forum and a "one size fits all" is not going to work (except maybe for limiting URLs and post sizes for new users/guests).

But why not an option to allow an administrator to choose the text of the question, and the text of the answer? It can be a good "basic" anti-spam function.

At the beginning, i used punbb without control (a guest can post): after 1 year, it became impossible.
Then registering was mandatory. After some time, there were spambot registering. And now, spam messages (links, photos...)
Now the e-mail is mandatory : now some spambot registering, but not yet message. For how many time?

Nowadays, one or several simple anti-spam functions (to avoid spam message and spambot registering) should be mandatory. They should be provided by default with the punbb package, but they should be activated or deactivated, in order to replace them by a mod.
It's not really a bug, but it is a missing function, for sure.

Re: Vulnerable to spambots

I'll agree spam filtering and captcha should be options for the default installation, too many newcomers to punbb and people that dont konw php wont have time or know how to implement some of the plugins and mods

i doubt it will happen though, the team here has decided in keeping the core super clean, although spam filters are being put in almost every modern web app now

i think in a way it hurts punbb, i see a lot of old links in old posts that are now using phpbb/smf/vbulletin and I'm sure they switched because of spam and fake registering

24

Re: Vulnerable to spambots

PunBB 1.3 will have extensions, enabling easy installation of new features and they do not modify the core code. So spam fighting options like Akismet would be available for a new user to implement after they get their forum up and running. Keep in mind that not all forums are targets, only the high profile ones.

As for people switching to other projects, it happens all the time, this isn't a popularity contest, at least I don't feel it is. The simplicity of PunBB to one person, may look lacking to the next, that's just the way of the world.

Let me restate how I've handled spam on my forums:

a) Fake registering - enabled rules, it throws off the bots
b) Spam - using the Akismet plugin

25

Re: Vulnerable to spambots

Can I use punbb with a configuration allowing guest message (without registering): no
Can I use punbb with registration (without e-mail verification): no
Can I use punbb with e-mail registration: yes (for the moment), and with regular deletion of spambot registrations
Can I use punbb with e-mail registration and rules: yes (for the moment - tested only since yesterday)

A mandatory extension should not be an option...

A user should be able to use punbb in each of this 4 configurations without extension. It seems to be logical and obvious. If you create a forum for children-youngs and you are spammed by porn images, there is a true problem.

What solution/option in base? no images and links for guest message or for the N first messages of a registered user, captcha, I don't know, but nowadays I think that a forum must offer at least one solution to avoid spam.