Vulnerable to spambots (Page 2 of 4)

i'm not talking about a captcha solution or extension.  I'm talking about re-thinking the sign up process so that automated registrations are overly difficult or infeasible.

If you're true, so these options (enabling guest posting or using no rules) can be deleted from punbb, as there are not usable... No ?

I'm sorry, but nowadays I think it's not only a management/policy issue, it's a software one... Not really a bug, but a missing capacity.

What about a captcha that displays an operation that requires the person to think, and that requires to use the calculator, ie: 5841 / 651 = ?

This is for registration. Each post could require a simple captcha also. For people who have problems to read, a sound player to speak the content of the captcha would be an alternative.

How could spambots circumvent this? Again, this would be an option in the admin area. Thos who don't want that on their forum would just have to disable it.

Actually I have an antispambot filter on the pcbsd.org forum, and for 5 months we have had only 1 or 2 spams. Combinations of spam filters are best. And there needs to be antispambots also for registered users, otherwise spammers register accounts manually and then send loads of spam using spambots. When the whole process needs to be manual and time-consuming, spammers give up.

Nope, no legitimate user use something automatic to sign up and post messages. At least not me
The whole process has always been manual for regular users.

This is what I understood as well

It's relative. What is time-consuming for a spambot is considered normal to end-users, ie: calculating 84x34 =  ?

People already type what is in a captcha. It's commonplace.

I think it's going to take at least a few years before spambots are able to read the operation that is written inside an image, and then process it and give the result. People who have problems reading can click the "speaker" icon to hear it loud.

http://www.cs.sfu.ca/~mori/research/gimpy/
http://www.botmaster.net/pictocod/
etc
CAPTCHAs can and have been broken.
As for the sound, I have not yet seen any PHP that generates a sound file for given characters (and most likely there would be issues with running it on hosts)

Bots can deal with activation emails though
And even if they couldn't, we already have an activation code process (and a cron job to remove unverified users after x days isn't difficult)

I totally sympathise with calende. My forum is now closed off for new registrations as these spam-bots seem to be able to get past e-mail verification.
The thing is that once you code some kind of 'human-testing' system into the registration, these punks are gonna reverse engineer it
We need something that has no pattern or is random, so that they can't pre-script/predict and supply the 'answer' - maybe when someone registers the admin gets e-mailed a template which they fill out with a custom question, when they click 'send' and that gets e-mailed to the bot.

but if you make it too complex, it will be a real hassle to bother registering...a real catch 22

the last thing I wanted to read was someone getting defensive and saying: well it's not a 'bug'

This is as important as a buffer overflow/exploit. Developers should stop working on 1.3 until this is addressed in 1.2
Out-of-the-box pun installs are too vulnerable to spam.

To quote Wikipedia, "A computer bug is an error, flaw, mistake, failure, or fault in a computer program that prevents it from working correctly or produces an incorrect result."
PunBB is working exactly as intended. 1.3 will have more tools to deal with spam. In the meantime, if you are having a problem, there are plenty of modifications around to help you. Those modifications will protect you even better than they would if we coded them in for the reason you stated: as soon as a method becomes popular enough, spammers will try to reverse engineer it.
Take the "add an extra timezone" tweak: if we wer to put that in, spammers would immediately just change their programs to pick a legitimate timezone. Instead, since it's done by individual forum owners, it can actually trick some bots who are registering.

An SQL injection compromises the safety of the data in the database. It's a bug because it allows a user to bypass the protections built in to the queries. Spammers are bypassing nothing, they are simply registering and posting in a legitimate manner (albeit in an automated manner as well).
As I've said before though, that's not to say that we don't consider spam a big deal. We do. However, saying "oh, it's a bug! it's a bug!" and demanding that we "fix it" isn't productive. Fighting spam is difficult. If you have suggestions on how to deal with it, by all means tell us them. If you think one of your suggestions should be added to 1.3, PLEASE post it in Feature Requests.

I'm going to start writing some anti-spam mods for 1.2 I've been putting off