1 (edited by buzzkill 2005-01-14 21:13)

Topic: Protecting the forum from auto signups

I have experienced this first hand.  Are there provisions in 1.2 for this?  One way I know of is to use some sort of optical character recognition in the sign up form that asks the user to enter in the characters that are displayed in an auto generated image.  I am sure most people have come across this before.  I have done one before in a testing environment, but never on a live site.  I did it with classes. One for sessions, and one for randomizing the image text.

Has this ever been thought of for punBB?  I am not sure what kind of load that it would put on a server, but it's definitely a safeguard from "bots".

Even if a system requires email confirmation of an account, the confirmation process can also be part of a "bot" provided that the bot has access to the account that the email confirmation was sent to.
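As an added illustration of the session-plus-random-text design described above (this is example code, not PunBB's own and not the poster's class code): the challenge text is generated from a CSPRNG, only a hash of it is kept in the session together with an expiry, the image is drawn with GD, and the check consumes the challenge whether or not the answer matched. It assumes the GD extension is loaded; the function names, the session layout and the time limit are this example's own choices.

```php
<?php
// Added example (not PunBB code): a session-bound image challenge.
// Assumes the GD extension (imagecreatetruecolor etc.) is available; the
// function and parameter names below are this example's own.

declare(strict_types=1);

const CAPTCHA_TTL = 300;                                      // seconds a challenge stays valid
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';  // no 0/O/1/I look-alikes

/** Create a fresh challenge, store only its hash in the session, return the text to draw. */
function captcha_new(array &$session, int $length = 6): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max = strlen($alphabet) - 1;
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $alphabet[random_int(0, $max)];              // CSPRNG, not rand()
    }
    // Store a hash rather than the answer, so a leaked or serialized session
    // file does not hand the answer to whoever reads it.
    $session['captcha'] = [
        'hash'    => hash('sha256', strtoupper($text)),
        'expires' => time() + CAPTCHA_TTL,
    ];
    return $text;
}

/** Render the challenge as PNG bytes with GD. */
function captcha_render(string $text, int $width = 160, int $height = 50): string
{
    $img   = imagecreatetruecolor($width, $height);
    $bg    = imagecolorallocate($img, 245, 245, 245);
    $fg    = imagecolorallocate($img, 30, 30, 30);
    $noise = imagecolorallocate($img, 160, 160, 160);
    imagefill($img, 0, 0, $bg);
    // A few random lines make naive "threshold and segment" OCR harder.
    for ($i = 0; $i < 6; $i++) {
        imageline($img, random_int(0, $width), random_int(0, $height),
                  random_int(0, $width), random_int(0, $height), $noise);
    }
    // Draw each character at a slightly different baseline.
    $x = 12;
    foreach (str_split($text) as $ch) {
        imagestring($img, 5, $x, random_int(8, 22), $ch, $fg);
        $x += 22;
    }
    ob_start();
    imagepng($img);
    imagedestroy($img);
    return (string) ob_get_clean();
}

/** Verify an answer once; the challenge is consumed whether it matched or not. */
function captcha_check(array &$session, string $answer): bool
{
    $c = $session['captcha'] ?? null;
    unset($session['captcha']);                // single use: no replay, no brute force
    if ($c === null || time() > $c['expires']) {
        return false;
    }
    return hash_equals($c['hash'], hash('sha256', strtoupper(trim($answer))));
}

// Usage in the registration flow (sketch; session_start() must have run):
//   captcha.php:  $text = captcha_new($_SESSION);
//                 header('Content-Type: image/png'); echo captcha_render($text);
//   register.php: if (!captcha_check($_SESSION, $_POST['captcha'] ?? '')) { /* reject, issue a new image */ }
```

Because the session holds only a hash and the challenge is discarded on the first check, a bot that fetches the image once cannot submit guesses against it repeatedly; it has to fetch a new image for every attempt, which is also where the server-load concern raised later in the thread comes from.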

2 (edited by Bwongar.com 2005-01-14 21:16)

Re: Protecting the forum from auto signups

If this were integrated with the board (and I think it is a good idea) it would have to be an option within the administration section. This would require the GD lib and not all hosts support that.

Re: Protecting the forum from auto signups

Bwongar.com wrote:

This would require the GD lib and not all hosts support that.

Yes.  Some of the functions I used were from the GD lib, i.e. imagecreatefromjpeg().

Re: Protecting the forum from auto signups

Mmm
Someone could create a mod for this smile

Re: Protecting the forum from auto signups

We could easily leverage something like this: http://www.phpclasses.org/browse/package/1914.html

Re: Protecting the forum from auto signups

I generally dislike the use of images for this. There must be a better way.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Protecting the forum from auto signups

There could be an argument for JavaScript obfuscation, but I myself have in the past written a user agent (in Perl) to go through such obfuscation and put the information in the database. The algorithm can be too easily exploited.

Re: Protecting the forum from auto signups

Smartys wrote:

Mmm
Someone could create a mod for this smile

I don't think that something that strengthens site security should be considered a mod.  Maybe it could start out that way to see how well it works and affects speed & performance.

Rickard wrote:

I generally dislike the use of images for this. There must be a better way.

How come?

Re: Protecting the forum from auto signups

What about creating a third option for registrations - admin validation?  The setting would be part of the forum admin options.

Right now, in version 1.2, you have 2 options to choose from - no validation, or user validation.  What about having a third setting that will require an admin to approve a forum registration before it goes through?  People could still register, but their registration would be held in a queue pending admin approval.  Those people could still read the forum, but would not be able to post until their account was approved.  Once approved, the user would still have to validate their email addy similar to the way you have it set up now.  It would also require another user group called 'validating' to be created, which would be assigned to all unapproved forum registrations.  Permissions for that group would have to be very strict.

IPB and phpBB both have this feature as part of the standard set-up. It allows the forum admin to monitor who is signing up, and generally stops troublemakers from immediately setting up a duplicate forum account after their first one has been banned, and continuing to cause problems.

This is a feature that I would like to see implemented in version 1.2.  Right now, that is one of the things that is keeping me from converting an existing IPB forum to PunBB, as we have a lot of trouble with people signing up for duplicate forum accounts.  This method is the only way we have been able to stop them.  It does require work on our part to verify new registrations, but has proved worth it in the long run.

Re: Protecting the forum from auto signups

dhdesign wrote:

It would also require another user group called 'validating' to be created, which would be assigned to all unapproved forum registrations.  Permissions for that group would have to be very strict.

Would you really need to have a separate user group setup?  Could it just be done with a boolean "on or off" in the user account information that could only be changed by an admin?

New user signs up.  Gets email confirming sign up
Admin(s) get email that a new user has signed up.
Admin validates
New user gets an email confirmation.

One of the problems I see with this is that some "legit" users may get turned off by waiting for the admin to validate the registration.  Some admins don't visit their message board as much as ours does wink

Re: Protecting the forum from auto signups

buzzkill wrote:

I don't think that something that strengthens site security should be considered a mod.  Maybe it could start out that way to see how well it works and affects speed & performance.

Sounds like a good idea.

buzzkill wrote:
Rickard wrote:

I generally dislike the use of images for this. There must be a better way.

How come?

Well, mainly because everyone will not be able to use it.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Protecting the forum from auto signups

buzzkill wrote:
dhdesign wrote:

It would also require another user group called 'validating' to be created, which would be assigned to all unapproved forum registrations.  Permissions for that group would have to be very strict.

Would you really need to have a separate user group setup?  Could it just be done with a boolean "on or off" in the user account information that could only be changed by an admin?

New user signs up.  Gets email confirming sign up
Admin(s) get email that a new user has signed up.
Admin validates
New user gets an email confirmation.

One of the problems I see with this is that some "legit" users may get turned off by waiting for the admin to validate the registration.  Some admins don't visit their message board as much as ours does wink

The validating user group is only temporary - as soon as the admin approves them, and the user validates their registration, they are automatically changed from 'validating' to 'member'.  When you view a person's profile who hasn't been approved yet, their user group clearly states 'validating' to identify that they are awaiting approval / validation.  Nobody stays in that group for long - they are either approved or rejected.  Perhaps it could be done the way you suggest - the admin simply toggles their status before approving them, but the default when a user signs up would have to be 'on' (on = validating).

If you run a busy forum, you are at the forum daily, probably several times a day.  The one that I am an admin at - there are 2 of us that are admins - the 'queue' gets checked regularly, as in at least twice daily.  It's part of the job. wink

This would probably not be something that a small forum would need; however, a busy one like the one that I'm speaking of, would definitely benefit from this.

As far a 'legit' user getting turned off, if they truly want to join, then they'll wait for approval.  I have yet to run into one who didn't have the patience to wait a few hours to have their registration approved.

Re: Protecting the forum from auto signups

dhdesign: big_smile I get your point.  Makes more sense now.  I see where putting these people in a group would make filtering easier.

Re: Protecting the forum from auto signups

Rickard:  Isn't the GD lib packaged with PHP now?  The only thing I had to do with my host was to use an .htaccess file that included it in the PHP path.  But I can see where this would be a problem with Windows Server.  I don't have much server experience other than toying with one at home.  I guess I am one of the lucky ones to have a host that has it.

Thanks for the input.

Re: Protecting the forum from auto signups

The problem is rather that some hosts (especially cheap or free ones) disable GD because of the load it puts on the server.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

16

Re: Protecting the forum from auto signups

Well a friend of mine made me some image verification code a while back, I just never got around to implementing it into my game. The code is relatively small (11 lines). Only problem with it would be 1) possible server load like Rickard said and 2) determining the color of it with the default style of your forum.

I'd be willing to do this up though. It looks like some of you want it. Just let me know.

"You start coding. I'll go find out what they want." - Computer Analyst to Programmer

17 (edited by ptlis 2005-01-17 17:36)

Re: Protecting the forum from auto signups

You could always go the old authentication email way; it's not perfect and for somebody who knows what they're doing circumvention would be relatively trivial, but then the same goes for images now (thanks to the major improvements in OCR software). It would mean that the user would sign up for an account with an email address, but not specify a password. When the authentication email is sent it would contain a randomly generated 8-character password and a link to the authentication page, with a GET variable containing an md5 hash of the password in it (e.g. auth.php?md5=9487FGH3424FG2FGR3432Q42C342R34). The user would then have to enter their username and password. A check would run to make sure that the md5 hash of the password the user enters is the same as the md5 hash stored in the database and in the md5 GET string. The user would then be prompted to enter a password they could remember; this could then potentially be checked for complexity for extra security. The new password would be hashed and stored in the database.

Of course this method is probably not the best, but it is platform androgynous (will work for any webserver capable of running PHP & connecting to a SQL & SMTP server).
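The activation-link flow above, written out as an added example (not PunBB's code and not the poster's). It keeps the shape of the proposal, with no password at sign-up and a link that has to be followed before the user picks a password, but uses a separate random activation token in the link instead of the md5 of the temporary password, so the link reveals nothing about any password and the database holds only a hash of the token. The in-memory `$users` array stands in for the users table; the function names, the one-day expiry and the minimum length are this example's own.

```php
<?php
// Added example, not PunBB's own code: email activation with a dedicated
// random token. $users is an in-memory stand-in for the users table; all
// names and limits here are this example's assumptions.

declare(strict_types=1);

const ACTIVATION_TTL = 86400;   // one day to follow the link

/** Register: the account starts unusable, and only a hash of the token is stored. */
function register(array &$users, string $username, string $email): string
{
    $token = bin2hex(random_bytes(16));            // 128-bit token from a CSPRNG
    $users[$username] = [
        'email'         => $email,
        'password_hash' => null,                   // no password until activation
        'activation'    => hash('sha256', $token), // hash only; the raw token never hits the DB
        'expires'       => time() + ACTIVATION_TTL,
    ];
    // The raw token exists only in the email that is sent to the user.
    return 'https://forum.example/auth.php?user=' . rawurlencode($username)
         . '&token=' . $token;
}

/** Activation: verify the token, then let the user set the password they will keep. */
function activate(array &$users, string $username, string $token, string $new_password): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['activation'] === null) {
        return false;                              // unknown user, or link already used
    }
    if (time() > $u['expires']) {
        return false;                              // stale link
    }
    // Compare hashes in constant time so response timing does not leak token bytes.
    if (!hash_equals($u['activation'], hash('sha256', $token))) {
        return false;
    }
    if (strlen($new_password) < 8) {
        return false;                              // the complexity check the post suggests
    }
    $users[$username]['password_hash'] = password_hash($new_password, PASSWORD_DEFAULT);
    $users[$username]['activation']    = null;     // single use
    return true;
}

/** Login only succeeds once activation has set a password. */
function login(array $users, string $username, string $password): bool
{
    $u = $users[$username] ?? null;
    return $u !== null && $u['password_hash'] !== null
        && password_verify($password, $u['password_hash']);
}

// Constructed walk-through:
$users = [];
$link  = register($users, 'alice', 'alice@example.invalid');   // mail $link to the user
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);        // what auth.php receives
activate($users, $q['user'], $q['token'], 'correct horse battery');
login($users, 'alice', 'correct horse battery');                // true after activation
```

The difference from carrying `md5(password)` in the query string is what ends up in places a URL tends to land (browser history, proxy and web server logs, Referer headers): here that is a one-shot, time-limited token unrelated to the eventual password, and an attacker who reads the users table sees only its hash.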

Re: Protecting the forum from auto signups

ptlis wrote:

You could always go the old authentication email way; it's not perfect and for somebody who knows what they're doing circumvention would be relatively trivial, but then the same goes for images now (thanks to the major improvements in OCR software). It would mean that the user would sign up for an account with an email address, but not specify a password. When the authentication email is sent it would contain a randomly generated 8-character password and a link to the authentication page, with a GET variable containing an md5 hash of the password in it (e.g. auth.php?md5=9487FGH3424FG2FGR3432Q42C342R34). The user would then have to enter their username and password. A check would run to make sure that the md5 hash of the password the user enters is the same as the md5 hash stored in the database and in the md5 GET string. The user would then be prompted to enter a password they could remember; this could then potentially be checked for complexity for extra security. The new password would be hashed and stored in the database.

Of course this method is probably not the best, but it is platform androgynous (will work for any webserver capable of running PHP & connecting to a SQL & SMTP server).

Which is basically exactly what we do today smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Protecting the forum from auto signups

If a user registers and never logs in with the email validation, are they eventually removed?

20 (edited by Jacq 2005-01-18 07:56)

Re: Protecting the forum from auto signups

The GD lib is required if you want to, for example, use TTF fonts and rotate them etc. It is possible to make this captcha image without the GD lib. I have to make this happen for my forum so why not publish it as a mod after I'm done, unless someone beats me to it.

E-mail thing doesn't really help. Database gets a new record, e-mail gets sent and so on, creating a DoS effect without the user ever responding to the e-mail. Been there, deleted accounts.

Re: Protecting the forum from auto signups

Jacq wrote:

The GD lib is required if you want to, for example, use TTF fonts and rotate them etc. It is possible to make this captcha image without the GD lib. I have to make this happen for my forum so why not publish it as a mod after I'm done, unless someone beats me to it.

Sounds like a plan smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

22

Re: Protecting the forum from auto signups

Jacq wrote:

E-mail thing doesn't really help. Database gets a new record, e-mail gets sent and so on, creating a DoS effect without the user ever responding to the e-mail. Been there, deleted accounts.

Can you run cron jobs? If so then you could write a script to remove accounts that have not been authenticated after some arbitrary timeframe such as 7 days.
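An added example (not PunBB's code, and not from any poster) that puts together two things discussed in this thread: dhdesign's holding group, where a fresh registration can read but not post until an admin approves it and the email is validated, and the cron cleanup suggested just above, which removes accounts that sat in the holding group past a window. An in-memory SQLite database via PDO stands in for the forum's tables; the group ids, the table layout, the 7-day window and the function names are this example's own assumptions, not PunBB's.

```php
<?php
// Added example, not PunBB code. Group ids, schema and function names are
// this example's own; SQLite in memory stands in for the forum database.

declare(strict_types=1);

const GROUP_VALIDATING = 100;          // hypothetical id for the holding group
const GROUP_MEMBER     = 101;          // hypothetical id for full members
const STALE_AFTER      = 7 * 86400;    // the "7 days" window from the thread

function db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        group_id INTEGER NOT NULL,
        registered INTEGER NOT NULL,
        email_validated INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

/** Registration always lands in the holding group, whatever the form sends. */
function register(PDO $pdo, string $username, int $now): void
{
    $st = $pdo->prepare('INSERT INTO users (username, group_id, registered) VALUES (?, ?, ?)');
    $st->execute([$username, GROUP_VALIDATING, $now]);
}

/** The check the posting code would call: reading is open, posting needs both approvals. */
function can_post(PDO $pdo, string $username): bool
{
    $st = $pdo->prepare('SELECT group_id, email_validated FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && (int) $row['group_id'] === GROUP_MEMBER
        && (int) $row['email_validated'] === 1;
}

/** Admin approval; only moves accounts that are actually waiting. */
function approve(PDO $pdo, string $username): void
{
    $st = $pdo->prepare('UPDATE users SET group_id = ? WHERE username = ? AND group_id = ?');
    $st->execute([GROUP_MEMBER, $username, GROUP_VALIDATING]);
}

/** Called when the user follows the validation email. */
function mark_email_validated(PDO $pdo, string $username): void
{
    $st = $pdo->prepare('UPDATE users SET email_validated = 1 WHERE username = ?');
    $st->execute([$username]);
}

/** Cron job body: drop accounts still in the holding group past the window. Returns rows removed. */
function purge_stale(PDO $pdo, int $now): int
{
    $st = $pdo->prepare('DELETE FROM users WHERE group_id = ? AND registered < ?');
    $st->execute([GROUP_VALIDATING, $now - STALE_AFTER]);
    return $st->rowCount();
}

// Constructed walk-through with a fixed clock so the window is easy to follow:
$pdo = db();
$t0  = 1105000000;                            // arbitrary epoch seconds
register($pdo, 'alice', $t0);
register($pdo, 'bot_0001', $t0);              // never approved, never validates
approve($pdo, 'alice');
mark_email_validated($pdo, 'alice');
var_dump(can_post($pdo, 'alice'));
var_dump(can_post($pdo, 'bot_0001'));
var_dump(purge_stale($pdo, $t0 + 8 * 86400)); // run from cron with time()
```

In the walk-through only the approved and validated account can post, and the cron run eight days later removes the one that was never approved while leaving the member untouched. What this bounds is the growth of the users table; the validation email is still sent for every registration, so it does not reduce the mail load that Jacq's post describes.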

Re: Protecting the forum from auto signups

It's still not a solution to the problem.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Protecting the forum from auto signups

7 days is too late I guess, servers already died by then lol

Re: Protecting the forum from auto signups

7 days is too late.  lol.  I have seen a number of community sites go down briefly because of DoS attacks.  Any method to deter would-be hackers/exploiters would be welcomed.  On one hand I wish there weren't such deviants out there; on the other hand, it ends up making better programmers out of all of us.  Unfortunately, it just makes the "keep things simple" method a little less simple.