Topic: Bots attacking :(

Holy crap!
Yesterday I installed PunBB (well, version 1.2.12), and now (but nobody knows about my forum!!!) bots are attacking! 5-7 bot registrations per day! I really need some advice. I don't know what to do. Is there any mod or something?
I want bots to get away:))) I don't want them registering on my forum every bloody day!

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Re: Bots attacking :(

Look at the bright side, your forum will have a lot of members :)

Seriously, we know about it and we've been discussing ways to combat this.

Re: Bots attacking :(

Email verification didn't help?

Re: Bots attacking :(

I have Email verification on, the email will go out but that's no indication it's valid.

In your admin, go to users, enter an '*' in the user name and click Submit search. All those users that say "Not verified" have never responded to the email they were sent.

Re: Bots attacking :(

In the meantime, you can use Image Verification to try to prevent bots (although you should remember that there are potential accessibility issues).

(edited by Michael aka Emilien 2006-09-29 19:52)

Re: Bots attacking :(

pogenwurst, yep, I remember that. Let's try anyway...
Strofanto, this e-mail verification can't help, because every user registered with any e-mail is already in the user list.
hcgtv, thanx, I didn't know where to find this "not verified" user list, now I know, thanx a lot. And about the bright side...

Look at the bright side, your forum will have a lot of members

......oh, and my DB someday will be down (and not only for maintenance, ha-hah!:)))

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Re: Bots attacking :(

I just checked for Not Verified on my forum, and there are tons!
Is there any way to prune away all those users, with a mod perhaps?

Re: Bots attacking :(

http://punbb.org/forums/viewtopic.php?id=5936
User Management Plugin

Re: Bots attacking :(

Smartys wrote:

http://punbb.org/forums/viewtopic.php?id=5936
User Management Plugin

Thanks, I should search before I ask :P

Re: Bots attacking :(

Hey, guyz!
Bots have started to post spam and verify registrations!!!
What to do????????????? HELP!!
Note: they are all attacking the Test Forum category...

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Re: Bots attacking :(

You might need akismet for PunBB: http://www.punres.org/desc.php?pid=293

Then type in all words that you want to ban.

Re: Bots attacking :(

There are too many registrations per day... I think I hate them all...
Well, let's look from the other side.
What do I need?
I need something special.
Heh...
Why are there no such registrations on vB or IPB, huh?
What's the difference between PunBB and vB?
I like vB, but it costs too much. And I want PunBB to work carefully with the registrations, BUT HOW???

I'm crying...

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Re: Bots attacking :(

Michael, I feel your pain.

A couple of things you can do:
* Put in some censor words to stop the drugs and sex related user names.
* Ban some of the most abused domain names from signing up.

This is going to have to be looked at for the PunBB 1.3 release, it's getting a bit out of hand.

Re: Bots attacking :(

Can I add some fields in registration form to avoid this crap?
If yes, how?

P.S. I just think that if I add a few new required fields it could be better!

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

Re: Bots attacking :(

If what Michael is suggesting actually works, i.e. adding some custom fields... I mean if it's that easy to thwart spam-bots then why isn't that standard?
Standard meaning, building into the forum registration the ability for the forum host to create, say, 3 custom fields that can be configured with anything they want, or whatever.
Or do spam-bots have some sort of built-in learning that renders this inviable?
Cheers,

TwoHawks
Love is the Function
No Form is the Tool

Re: Bots attacking :(

Because it's only slightly more work to build a spam bot that actually reads the HTML from register.php and fills in things properly :P
If it becomes standard, the people that make bots will render it useless. The key is to make your registration process unique, since the chances of a bot maker caring about your specific forum is pretty low :P

Re: Bots attacking :(

One of the things we do is enforce first and last support. Something else that would be good to use is CAPTCHA support too - that usually prevents bots from grabbing the front form.

Also, add a checkbox {nulled} so before the new member can create the new acct they must check it - we use one for "I Read the Terms and Agreement" - the continue button is dimmed until they check the box.

HTH

Re: Bots attacking :(

Smartys wrote:

If it becomes standard, the people that make bots will render it useless. The key is to make your registration process unique, since the chances of a bot maker caring about your specific forum is pretty low :P

I have a simple suggestion to defeat the bots, based around this concept of making each forum's user registration process in some way unique.

Rickard could code the Members section of the PunBB administrators area to allow Admins to add 1 (or more) custom form field(s) to the user registration page. This custom form field would allow (or require) each site to specify an additional unique registration variable for all forum signups, to supplement username, password and email verification.

The options available in this form could be anything the forum administrator likes. The format of it should also be variable, so that the admin can make it a drop down form, or radio-buttons, or a blank text input form box. Ideally, the php code or form ID for the subsequent form should also make its name unique, based on the form name or a randomly generated value.

E.g. on one punBB forum it could be a drop-down form that asks the user at signup time to confirm: 'What's your favourite colour?', and gives them a selection of 'Red/ Green/ Yellow/ Blue'. Another punBB forum might have a drop-down form that asks: 'Who is the President of the United States?', and gives them the option of specifying 'George Bush/ Dick Cheney/ Arnold Schwarzenegger'.

Etc, ad infinitum.

If every punBB forum that required signups had a unique question/response requirement like so, bots may have a harder time reaching into multiple punBB sites.

Is this concept valid?

What I am trying to express is some (built in) way of essentially randomising the punBB login sequence, so that each punBB board has in some way a unique login process.

Actually, a neater solution to this (now that I think about it) could be as simple as having the punBB installer assign a random prefix to either the login.php file or the register.php file, which is unique to each punBB install, so that for example on one site login.php becomes '123login.php', whereas on another site it is '99bblogin.php'.

That alone would screw the bots up.

Re: Bots attacking :(

sirena: The main way to deal with spam registrations as suggested here is randomized form variables. However, for them to be effective they have to be unique for each install (and people can't simply guess at them). I can't see a way to add arbitrary form variables to registration becoming part of the core (although it would be a good extension) simply due to the issue of bloat. And as you said, the only way for the spam prevention to be effective is if the question is unique for every forum.
As for a randomized filename, that wouldn't help. All links need to point correctly, so the bot would simply need one more page request to find the correct URL.

Re: Bots attacking :(

I track the IP address. I give a warning on the site that you can NOT sign up more than once in 24hrs. If the same IP tries to access the sign up form more than once in 24hrs I block their IP address for 24hrs and redirect them to my error script. Then the script deletes their entry in the db. If I start having trouble from one particular IP address I block it permanently, they simply can't get to the sign up script.

I also check for ban words, both during sign up and on the forum. Anyone using a ban word on the forum is immediately removed from the db. Checking my db, it doesn't look like anything has even gotten as far as the forum to be banned.

Works fine so far.
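
The 24-hour sign-up gate described in the post above, as an added example that is not part of the thread and not PunBB code: the function name, the `$store` array (standing in for a database table) and the `$limit` parameter are assumptions, and the sample addresses and times are constructed. Because the counter is keyed by IP address, visitors who share one address are counted together.

```php
<?php
// Added example (not PunBB code). All names are hypothetical.
// $store stands in for a DB table keyed by IP address.

const SIGNUP_WINDOW = 86400; // 24 hours, the figure used in the post

/**
 * Decide what to do when $ip requests the sign-up form at time $now.
 * Returns 'allow', or 'block' (redirect to the error page and delete
 * that IP's pending registration, as the post describes).
 */
function signup_gate(array &$store, array $permanentBans, string $ip, int $now, int $limit = 1): string
{
    if (in_array($ip, $permanentBans, true)) {
        return 'block';                       // address banned by the admin
    }
    $rec = $store[$ip] ?? ['window_start' => $now, 'hits' => 0, 'blocked_until' => 0];

    if ($rec['blocked_until'] > $now) {
        return 'block';                       // still inside a 24h block
    }
    if ($now - $rec['window_start'] >= SIGNUP_WINDOW) {
        // The previous window has expired: start counting again.
        $rec = ['window_start' => $now, 'hits' => 0, 'blocked_until' => 0];
    }
    $rec['hits']++;
    if ($rec['hits'] > $limit) {
        $rec['blocked_until'] = $now + SIGNUP_WINDOW;
    }
    $store[$ip] = $rec;
    return $rec['hits'] > $limit ? 'block' : 'allow';
}

// Constructed sample traffic (documentation-range addresses, made-up times).
$store = [];
$bans  = ['203.0.113.9'];
$t0    = 1700000000;
$requests = [
    ['198.51.100.7', $t0],                          // first visit
    ['198.51.100.7', $t0 + 60],                     // second visit within 24h
    ['198.51.100.7', $t0 + 3600],                   // during the block
    ['198.51.100.7', $t0 + 60 + SIGNUP_WINDOW + 1], // after the block has expired
    ['203.0.113.9',  $t0],                          // permanently banned address
];
foreach ($requests as [$ip, $when]) {
    echo $ip, ' @+', $when - $t0, 's => ', signup_gate($store, $bans, $ip, $when), PHP_EOL;
}
```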

Re: Bots attacking :(

Aren't there some 'common functions' of bots that can be taken advantage of to cause them to 'reel' into loops?...
What I am thinking is (but I do not know bot-techno, so some other brainy-ack would have to thunk it through...),
   ...if bots have some primary functions for some sort of calculating when they arrive, and they must because they have to make decisions (which essentially are calculations), ...aren't there 'problems' you could seed into the site pages or the root of the domain that would cause the bot to get stuck until it timed out and decided "ouch, I am leaving now for more fertile prey elsewhere"... kind of like giving a computer the task of solving the square root of 2... kind of thing?

Maybe a stupid idea, I haven't a clue...
Cheers,

TwoHawks
Love is the Function
No Form is the Tool

Re: Bots attacking :(

kind of like giving a computer the task of solving the square root of 2...

1.4142135623730950488016887242097
:P

And there's nothing I can think of that wouldn't harm users/legit bots (ie: from search engines) more ;)

Re: Bots attacking :(

Here's how I have virtually coped with spam bots on my site:

http://www.smartmenus.org/down/anti-spam.gif

I followed an idea I saw on the phpBB forums a few months ago. It's basically creating a custom question/field that every (or nearly every :)) human could easily answer but for which the spam bots have almost no chance at guessing the answer. The question can be well-thought so that it doesn't bring accessibility issues.

Since I did this, I haven't got ANY spam delivered to my mailbox through the contact forms on the site. And before that I used to get about 10-20 spam emails per day.

So I am planning to implement the same technique with my copy of PunBB soon. I only need to find some free time to take a closer look at the code..

Re: Bots attacking :(

Only problem is that simple math can be easily adapted to by bot makers :)

Re: Bots attacking :(

Adapted to, but if it's not currently, it will temporarily stop spam won't it?
Also, maybe you should change the questions to ask historical questions that everyone would know, such as: What civilization built the pyramids, What empire was known for building roads, and maybe a few easy questions about your country's history.
If people don't know they can switch questions.

Should be pretty simple for a person, but hard for a bot.

That was just an idea I had, I've never dealt with spam before, so I'm not really sure, but it sounds good.
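
The per-install question discussed in this thread (form variables that are unique to each install and cannot be guessed, plus a pool of questions a visitor can switch between), as an added example that is not part of the thread and not PunBB code. The function names, the secrets and the accepted answers are assumptions; the two question texts are the ones suggested in the post above.

```php
<?php
// Added example, not PunBB code. Function names, secrets and answers are hypothetical.

/** Field name derived from a per-install secret: unique to this forum and not guessable. */
function challenge_field(string $installSecret, int $idx): string
{
    return 'q_' . substr(hash_hmac('sha256', "register-question:$idx", $installSecret), 0, 16);
}

/** HTML for question $idx; the question text is escaped before output. */
function render_challenge(array $questions, string $installSecret, int $idx): string
{
    $name = challenge_field($installSecret, $idx);
    $text = htmlspecialchars($questions[$idx]['text'], ENT_QUOTES, 'UTF-8');
    return "<label>$text <input type=\"text\" name=\"$name\" autocomplete=\"off\"></label>";
}

/** Server-side check; $post plays the role of $_POST. */
function check_challenge(array $questions, string $installSecret, array $post): bool
{
    foreach ($questions as $idx => $q) {
        $name = challenge_field($installSecret, $idx);
        if (isset($post[$name]) && is_string($post[$name])) {
            // The field name tells us which question was shown; compare case-insensitively.
            return in_array(strtolower(trim($post[$name])), $q['answers'], true);
        }
    }
    return false; // no challenge field at all: the form was filled in blind
}

// Constructed data: question texts from the thread, accepted answers assumed.
$questions = [
    ['text' => 'What civilization built the pyramids?', 'answers' => ['egyptians', 'the egyptians', 'egypt']],
    ['text' => 'What empire was known for building roads?', 'answers' => ['romans', 'the romans', 'rome']],
];
$forumA = 'constructed-secret-A'; // a real install would store bin2hex(random_bytes(32))
$forumB = 'constructed-secret-B';

echo render_challenge($questions, $forumA, 1), PHP_EOL;
// The same question gets a different field name on each install.
echo challenge_field($forumA, 1), ' vs ', challenge_field($forumB, 1), PHP_EOL;

$human = ['username' => 'alice', challenge_field($forumA, 1) => ' Romans '];
$blind = ['username' => 'bot', 'answer' => 'romans']; // right answer, guessed field name
var_dump(check_challenge($questions, $forumA, $human));
var_dump(check_challenge($questions, $forumA, $blind));
```

The field names stay constant for a given install, so this only stops bots that are not written for this particular forum, which is the limit Smartys describes earlier in the thread.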