Re: Vulnerable to spambots

gil wrote:

no images and links for guest messages or for the first N messages of a registered user

This is not a solution. To fight spam, you have to think out of the box.

- If guests can't post images or links, as a spammer you put your URL in your profile.
- If you are a registered spammer and can't post images and links before 10 messages, then you send canned messages such as those that we get every day that say something very generic ("Hi, nice web site, just wanted to say hello"). And when your bot has sent 10 automatic messages, it starts sending your spam.

Charles.


Re: Vulnerable to spambots

If you allow guest posting or do not enable rules and email registration then you will not be able to avoid SPAM. Whichever forum software you use, this is a basic way to limit SPAM.
It is more a management/policy issue than a software one.

Re: Vulnerable to spambots

I'm not talking about a captcha solution or extension. I'm talking about re-thinking the sign-up process so that automated registrations are overly difficult or infeasible.

Re: Vulnerable to spambots

MadHatter wrote:

I'm not talking about a captcha solution or extension. I'm talking about re-thinking the sign-up process so that automated registrations are overly difficult or infeasible.

And how would you do that?


Re: Vulnerable to spambots

yemgi wrote:

If you allow guest posting or do not enable rules and email registration then you will not be able to avoid SPAM. Whichever forum software you use, this is a basic way to limit SPAM.
It is more a management/policy issue than a software one.

If you're right, then these options (enabling guest posting or using no rules) can be deleted from punbb, as they are not usable... No?

I'm sorry, but nowadays I think it's not only a management/policy issue, it's a software one... Not really a bug, but a missing capacity.

(edited by gil 2007-05-18 12:30)

Re: Vulnerable to spambots

calande wrote:
gil wrote:

no images and links for guest messages or for the first N messages of a registered user

This is not a solution. To fight spam, you have to think out of the box.

- If guests can't post images or links, as a spammer you put your URL in your profile.
- If you are a registered spammer and can't post images and links before 10 messages, then you send canned messages such as those that we get every day that say something very generic ("Hi, nice web site, just wanted to say hello"). And when your bot has sent 10 automatic messages, it starts sending your spam.

I didn't say that *this* is the solution. It can be completed for example with a "trial period" then an admin validation.

I think that we (or the punbb team) should list all the existing (or not yet existing) tools and ideas to avoid or fight spam, then that some simple options should be added by default in punbb.

Re: Vulnerable to spambots

What about a captcha that displays an operation that requires the person to think, and that requires the use of a calculator, i.e. 5841 / 651 = ?

This is for registration. Each post could require a simple captcha also. For people who have problems reading, a sound player to speak the content of the captcha would be an alternative.

How could spambots circumvent this? Again, this would be an option in the admin area. Those who don't want that on their forum would just have to disable it.

Charles.


Re: Vulnerable to spambots

Actually, calande, that last thought is an interesting one. A little JavaScript pocket calculator or number-pad in an online form where the data has to be punched in manually *via a mouse*, combined with a numeric calculation. The concept is a bit similar to the login page my bank uses for their online service.

Of course this would all be solved if we had a universal PKI infrastructure, and everyone had a digital ID certified via an ID check :)

Ahem.

But I guess a good compromise concept here would be if punBB 1.3 shipped out of the box with 2 admin plug-ins that by default enabled some sort of enhanced forum spam blocking, either at the 'front door' during the registration process, or post registration.

That way the core code could stay slim and trim but at least new punBB admins would have tools immediately available in the package to fight forum spammers, without having to go all around the place to find them and install them.

Now someone just has to code those plug-ins, and ensure the hooks are there for things like that to work :)

Re: Vulnerable to spambots

Actually I have an antispambot filter on the pcbsd.org forum, and for 5 months we have had only 1 or 2 spams. Combinations of spam filters are best. And there needs to be antispambots also for registered users, otherwise spammers register accounts manually and then send loads of spam using spambots. When the whole process needs to be manual and time-consuming, spammers give up.

Charles.

Re: Vulnerable to spambots

calande wrote:

Actually I have an antispambot filter on the pcbsd.org forum, and for 5 months we have had only 1 or 2 spams. Combinations of spam filters are best. And there needs to be antispambots also for registered users, otherwise spammers register accounts manually and then send loads of spam using spambots. When the whole process needs to be manual and time-consuming, spammers give up.

As do legitimate users :)

Re: Vulnerable to spambots

Nope, no legitimate user uses something automatic to sign up and post messages. At least not me :D
The whole process has always been manual for regular users.

Charles.

Re: Vulnerable to spambots

calande wrote:

Nope, no legitimate user uses something automatic to sign up and post messages. At least not me :D
The whole process has always been manual for regular users.

I was referring to "When the whole process needs to be manual and time-consuming, spammers give up."

Re: Vulnerable to spambots

This is what I understood as well :)

Charles.

Re: Vulnerable to spambots

Then I guess you missed my point: users hate time-consuming processes.

Re: Vulnerable to spambots

It's relative. What is time-consuming for a spambot is considered normal to end-users, i.e. calculating 84x34 = ?

People already type what is in a captcha. It's commonplace.

Charles.

Re: Vulnerable to spambots

calande wrote:

It's relative. What is time-consuming for a spambot is considered normal to end-users, i.e. calculating 84x34 = ?

People already type what is in a captcha. It's commonplace.

Calculating 84x34 is far easier for a bot than for a human ;)
And there are issues with CAPTCHAs, a lot of which have already been mentioned.

Re: Vulnerable to spambots

I think it's going to take at least a few years before spambots are able to read the operation that is written inside an image, and then process it and give the result. People who have problems reading can click the "speaker" icon to hear it out loud.

Charles.

Re: Vulnerable to spambots

Smartys wrote:
MadHatter wrote:

I'm not talking about a captcha solution or extension. I'm talking about re-thinking the sign-up process so that automated registrations are overly difficult or infeasible.

And how would you do that?

Let me say that I'm not as versed in the registration process as you guys are, so take this with a grain of salt.

If this were me (which it's not), I would probably put all registrations in a temp table. Create a new uuid in that table with the user info. When users sign up, they are added to a temp users table and pull the generated uuid from the table after it's inserted, then place that uuid into an activation email to the user. Create an activation page that the user has to type / paste in the uuid and submit it. Have an activation threshold for activation attempts and date range and when it reaches the first of those limits, the temp record is deleted (and/or banned, depending on preferences).

That's my 2-second thought process, so I'm sure there are many more, more efficient ways to stop automated registrations from signing up in punbb, but this was the first thing that came to mind. Looking at the apps / scripts that do the automated spamming would probably be fruitful too.
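A sketch of the scheme described in this post, as an added example that is neither MadHatter's nor PunBB's code: pending sign-ups are kept apart from real users, each gets a random activation code, and the record is dropped when either the wrong-attempt threshold or the expiry window is reached first. The limits, the in-memory dict standing in for the temp table and the injectable clock are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # assumed: wrong codes allowed before the record is dropped
ACTIVATION_TTL = 24 * 3600  # assumed: seconds the pending record stays valid

@dataclass
class PendingUser:
    username: str
    email: str
    code: str        # random activation code that would be mailed to the user
    created: float
    attempts: int = 0

class PendingRegistrations:
    """Stand-in for the 'temp users table' in the post; real code would use SQL."""

    def __init__(self, now=time.time):
        self._now = now                                   # injectable clock for tests
        self._pending: dict[str, PendingUser] = {}        # username -> pending record
        self.activated: dict[str, str] = {}               # username -> email
        self.banned: set[str] = set()

    def register(self, username: str, email: str) -> str:
        # 128-bit URL-safe code; returned only so the caller can put it in the email
        code = secrets.token_urlsafe(16)
        self._pending[username] = PendingUser(username, email, code, self._now())
        return code

    def activate(self, username: str, submitted: str) -> str:
        rec = self._pending.get(username)
        if rec is None:
            return "unknown"
        if self._now() - rec.created > ACTIVATION_TTL:   # date-range limit hit first
            del self._pending[username]
            return "expired"
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            del self._pending[username]
            self.activated[username] = rec.email
            return "activated"
        rec.attempts += 1
        if rec.attempts >= MAX_ATTEMPTS:                  # attempt threshold hit first
            del self._pending[username]
            self.banned.add(username)                     # "and/or banned" per the post
            return "banned"
        return "retry"
```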

Re: Vulnerable to spambots

calande wrote:

I think it's going to take at least a few years before spambots are able to read the operation that is written inside an image, and then process it and give the result. People who have problems reading can click the "speaker" icon to hear it out loud.

http://www.cs.sfu.ca/~mori/research/gimpy/
http://www.botmaster.net/pictocod/
etc.
CAPTCHAs can and have been broken.
As for the sound, I have not yet seen any PHP that generates a sound file for given characters (and most likely there would be issues with running it on hosts)

MadHatter wrote:
Smartys wrote:
MadHatter wrote:

I'm not talking about a captcha solution or extension. I'm talking about re-thinking the sign-up process so that automated registrations are overly difficult or infeasible.

And how would you do that?

Let me say that I'm not as versed in the registration process as you guys are, so take this with a grain of salt.

If this were me (which it's not), I would probably put all registrations in a temp table. Create a new uuid in that table with the user info. When users sign up, they are added to a temp users table and pull the generated uuid from the table after it's inserted, then place that uuid into an activation email to the user. Create an activation page that the user has to type / paste in the uuid and submit it. Have an activation threshold for activation attempts and date range and when it reaches the first of those limits, the temp record is deleted (and/or banned, depending on preferences).

That's my 2-second thought process, so I'm sure there are many more, more efficient ways to stop automated registrations from signing up in punbb, but this was the first thing that came to mind. Looking at the apps / scripts that do the automated spamming would probably be fruitful too.

Bots can deal with activation emails though ;)
And even if they couldn't, we already have an activation code process (and a cron job to remove unverified users after x days isn't difficult)

Re: Vulnerable to spambots

I didn't know that crackers have come that far with captchas. This is scary.
Anyway, we need to be better than them, and more creative, this is an open war! :)

Charles.

(edited by trakman 2007-05-19 03:16)

Re: Vulnerable to spambots

I totally sympathise with calande. My forum is now closed off for new registrations as these spam-bots seem to be able to get past e-mail verification.
The thing is that once you code some kind of 'human-testing' system into the registration, these punks are gonna reverse engineer it :(
We need something that has no pattern or is random, so that they can't pre-script/predict and supply the 'answer' - maybe when someone registers the admin gets e-mailed a template which they fill out with a custom question, when they click 'send' and that gets e-mailed to the bot.

but if you make it too complex, it will be a real hassle to bother registering... a real catch-22

the last thing I wanted to read was someone getting defensive and saying: well it's not a 'bug'

This is as important as a buffer overflow/exploit. Developers should stop working on 1.3 until this is addressed in 1.2
Out-of-the-box pun installs are too vulnerable to spam.

Re: Vulnerable to spambots

Yes obviously. Considering that this is not a bug, one could also consider that MySQL injections are not bugs because one could argue that "no one is supposed to type some SQL commands in the search field". Same rationale.

Charles.

Re: Vulnerable to spambots

trakman wrote:

the last thing I wanted to read was someone getting defensive and saying: well it's not a 'bug'

This is as important as a buffer overflow/exploit. Developers should stop working on 1.3 until this is addressed in 1.2
Out-of-the-box pun installs are too vulnerable to spam.

To quote Wikipedia, "A computer bug is an error, flaw, mistake, failure, or fault in a computer program that prevents it from working correctly or produces an incorrect result."
PunBB is working exactly as intended. 1.3 will have more tools to deal with spam. In the meantime, if you are having a problem, there are plenty of modifications around to help you. Those modifications will protect you even better than they would if we coded them in for the reason you stated: as soon as a method becomes popular enough, spammers will try to reverse engineer it.
Take the "add an extra timezone" tweak: if we were to put that in, spammers would immediately just change their programs to pick a legitimate timezone. Instead, since it's done by individual forum owners, it can actually trick some bots who are registering.

calande wrote:

Yes obviously. Considering that this is not a bug, one could also consider that MySQL injections are not bugs because one could argue that "no one is supposed to type some SQL commands in the search field". Same rationale.

An SQL injection compromises the safety of the data in the database. It's a bug because it allows a user to bypass the protections built in to the queries. Spammers are bypassing nothing, they are simply registering and posting in a legitimate manner (albeit in an automated manner as well).
As I've said before though, that's not to say that we don't consider spam a big deal. We do. However, saying "oh, it's a bug! it's a bug!" and demanding that we "fix it" isn't productive. Fighting spam is difficult. If you have suggestions on how to deal with it, by all means tell us them. If you think one of your suggestions should be added to 1.3, PLEASE post it in Feature Requests.

I'm going to start writing some anti-spam mods for 1.2 I've been putting off ;)

(edited by gil 2007-05-19 15:43)

Re: Vulnerable to spambots

From my point of view, it's not a bug (a bug is a non-conformity in a provided and specified function). It's rather a lacking function or option... but that's only a question of words. Doesn't matter.

But I cannot use punbb in an "open" configuration (guest allowed, or no e-mail procedure), so I think there is a fundamental problem. If a function is provided, we should be able to use it without extension.
If a spambot can fight a forum software, it cannot fight all the administrators in the world. So why not an option with two text fields, a "question" and an "answer", both defined (as often as wished) by the admin? And at each guest message or registration, the "question" is displayed, and the answer is checked (without spaces, no capital letters). Like a standard anti-captcha, but here, a spambot cannot spam all the forums in the world, each forum must be first manually attacked.


PS: No mistake: I like punbb, I donated something for it, and I will donate again when 1.3 is here. My contributions (like others', I think) are not criticisms. I just want to see a better punbb!
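gil's admin-defined question and answer check, as an added example (not PunBB's code): the submitted answer is compared after removing spaces and letter case as proposed, in constant time, against a pool the admin can change at will. The sample question pool, the randomised pick of one question per form and the Unicode folding are assumptions.

```python
import hmac
import secrets
import unicodedata

# Constructed sample pool; a real forum admin would define and rotate their own pairs.
QUESTION_POOL = {
    1: ("What colour is the forum logo?", "Dark Blue"),
    2: ("Name of this forum's software (5 letters)?", "PunBB"),
}

def normalise(answer: str) -> str:
    """gil's rule: ignore spaces and letter case; also fold Unicode look-alike forms."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(text.split())

def pick_question(rng=secrets.randbelow) -> tuple[int, str]:
    """Choose which question to render on the form; only the id and text go out."""
    ids = sorted(QUESTION_POOL)
    qid = ids[rng(len(ids))]
    return qid, QUESTION_POOL[qid][0]

def check_answer(qid: int, submitted: str) -> bool:
    """Server-side check keyed by the id the form was rendered with."""
    pair = QUESTION_POOL.get(qid)
    if pair is None:                       # tampered or stale question id
        return False
    expected = normalise(pair[1]).encode()
    got = normalise(submitted).encode()
    return hmac.compare_digest(expected, got)
```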

Re: Vulnerable to spambots

gil wrote:

But I cannot use punbb in an "open" configuration (guest allowed, or no e-mail procedure), so I think there is a fundamental problem. If a function is provided, we should be able to use it without extension.

You can use it. However, you have to deal with spam. Just because you can do something does not mean that it's necessarily prudent to do so ;)
For example, how about buying a computer. If I buy a computer, the first thing I need to do is update it, get security tools (eg: firewall, antivirus, etc). It works perfectly "out of the box," but if you use it like that you will be hacked.

gil wrote:

If a spambot can fight a forum software, it cannot fight all the administrators in the world. So why not an option with two text fields, a "question" and an "answer", both defined (as often as wished) by the admin? And at each guest message or registration, the "question" is displayed, and the answer is checked (without spaces, no capital letters). Like a standard anti-captcha, but here, a spambot cannot spam all the forums in the world, each forum must be first manually attacked.

Spammers already pay people to manually register accounts for them ;)
Plus, this makes for a great deal more work for the administrator