• Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: Vulnerable to spambots

MattF wrote:

If you modded your installation to use that method, it probably would kill your spam off either completely or to a negligible level. However, was not the point of this thread with regards to including standard spam prevention techniques within PunBB? If, for example, that mod was incorporated within 1.3 when it finally leaves R.C status, the thing would be cracked within a week. It is then not a deviant technology, but a core mainstream one. The fiscal benefit for the bot scripters would mean that it was viable to concentrate on it once that occured.

I wouldn't say cracked, since unless there's a flaw bots shouldn't be able to automatically crack something like the VIP code mod or a question mod. They would need a human to find the code/answer in the first place and THEN they can spam all they want (until it's changed, rinse and repeat).

MadHatter wrote:

you're right...
there's no better way than whats been implemented. 
nothing else anyone can do outside of whats been done. 
if you want your official punbb forum, you just have to deal with the spam.

glad I finally figured that out.  I'm a bit slow so you'll have to forgive me (us) for thinking all this massive spam is a problem.

please continue (not) developing the next version.

Well thanks for your sarcasm MadHatter, it makes me happy that I took the time to respond to your post wink
Nobody has said spam is not an issue. Nobody has said we can't do more. However, we can't add an anti-spam feature to PunBB without considering how it will be affected by going from "small userbase" to "all of PunBB's users."

gil wrote:
Smartys wrote:
sirena wrote:

Just FYI.

There is apparently a very effective yet simple mod that is available for phpBB discussed here:

http://www.phpbb.com/community/viewtopic.php?t=435702

It works by allowing the admin to specify a 'VIP code' or pass-phrase, essentially, that users need to enter when they register. The variability of this across phpBB boards makes it effective against scripted bots.

Judging from the feedback in the thread above, it seems to work well. Some forum admins even report being able to turn off their CAPTCHAs.

It's similar to some of the approaches already discussed here.

It's like the question method people have been discussing. smile
However, once enough people start using a tool to fight spammers, the spammers try to adapt. If there's a way to detect what the word is, for example, they'll do it.

Of course, but How? If it is not hard-coded, if it is different in each forum, and if it can be changed by the admin when he want to do? Only human action can help spambot, scripting isn't sufficient it seems.  If a large forum is a specific target for some spammer, of course a human help will be used. But all the small or medium forums (99%) will be protected!
I totally agree with Sirena and it "cost-effective" contribution...

With the VIP Code, I hadn't looked at any demos of its implementation. My thought was that if people are simply posting a number/word on register.php, the bots can parse the HTML and get it from there. However, obviously that's not the case there. wink
So, lets assume automated grabbing of the code is not the issue. Spammers will still use humans to register for them. And the small and medium forums will not be protected: in large forums you're more likely to have an active moderator team that will delete your spam in minutes. The small/medium forums, where the spam lingers for days, are where spammers want to target.
That doesn't mean that the idea is worthless: far from it, I think it would make a wonderful extension. However, I personally think it puts too much of a burden on the admin. Plus, as I've said before, with fighting spam what works for one forum might not necessarily be right for another. A more modular approach helps make that a non-issue.

77 Reply by gil (edited by gil 2007-05-21 11:18)

  • gil
  • Member
  • Offline
  • Registered: 2005-10-12
  • Posts: 45

Re: Vulnerable to spambots

Smartys wrote:
MattF wrote:

If you modded your installation to use that method, it probably would kill your spam off either completely or to a negligible level. However, was not the point of this thread with regards to including standard spam prevention techniques within PunBB? If, for example, that mod was incorporated within 1.3 when it finally leaves R.C status, the thing would be cracked within a week. It is then not a deviant technology, but a core mainstream one. The fiscal benefit for the bot scripters would mean that it was viable to concentrate on it once that occured.

I wouldn't say cracked, since unless there's a flaw bots shouldn't be able to automatically crack something like the VIP code mod or a question mod. They would need a human to find the code/answer in the first place and THEN they can spam all they want (until it's changed, rinse and repeat).

I agree, but to attack all the forums in the world, searching the answer in each annoucement area or in rules text or elsewhere, or searching an encyclopedia/logical/thematic answer... in all languages? Don't you think spammer need an international army?

With the VIP Code, I hadn't looked at any demos of its implementation. My thought was that if people are simply posting a number/word on register.php, the bots can parse the HTML and get it from there. However, obviously that's not the case there. wink
So, lets assume automated grabbing of the code is not the issue. Spammers will still use humans to register for them. And the small and medium forums will not be protected: in large forums you're more likely to have an active moderator team that will delete your spam in minutes. The small/medium forums, where the spam lingers for days, are where spammers want to target.
That doesn't mean that the idea is worthless: far from it, I think it would make a wonderful extension. However, I personally think it puts too much of a burden on the admin. Plus, as I've said before, with fighting spam what works for one forum might not necessarily be right for another. A more modular approach helps make that a non-issue.

It is our difference smile You say "mod"; I think that a real protection to spam *must* be included in the software, as not all users are able to find/do the needed modifications. For a lot of people, even the word (source) "code" is not understandable. Ok, in 1.3 version, open a source file will not be mandatory, it will be easier, but first the current version is 1.2, then even in 1.3 it will be mandatory to search, read, and understand in english forum (here or punres). Do you think that to have a good protection, one must be able to understand english and to edit/modify a source file? It will excludes a large part of the world, and it would be too bad.
Nevertheless, thank you for your responses. And I do not desesperate smile

gil's Website

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: Vulnerable to spambots

gil wrote:
Smartys wrote:
MattF wrote:

If you modded your installation to use that method, it probably would kill your spam off either completely or to a negligible level. However, was not the point of this thread with regards to including standard spam prevention techniques within PunBB? If, for example, that mod was incorporated within 1.3 when it finally leaves R.C status, the thing would be cracked within a week. It is then not a deviant technology, but a core mainstream one. The fiscal benefit for the bot scripters would mean that it was viable to concentrate on it once that occured.

I wouldn't say cracked, since unless there's a flaw bots shouldn't be able to automatically crack something like the VIP code mod or a question mod. They would need a human to find the code/answer in the first place and THEN they can spam all they want (until it's changed, rinse and repeat).

I agree, but to attack all the forums in the world, searching the answer in each annoucement area or in rules text or elsewhere, or searching an encyclopedia/logical/thematic answer... in all languages? Don't you think spammer need an international army?

If their goal is to spam everyone at once, yes. However, they only want to spam a finite number of forums at a given time. Which means they can pay people to search through and find it. But like I said, it's still a good mod

gil wrote:

With the VIP Code, I hadn't looked at any demos of its implementation. My thought was that if people are simply posting a number/word on register.php, the bots can parse the HTML and get it from there. However, obviously that's not the case there. wink
So, lets assume automated grabbing of the code is not the issue. Spammers will still use humans to register for them. And the small and medium forums will not be protected: in large forums you're more likely to have an active moderator team that will delete your spam in minutes. The small/medium forums, where the spam lingers for days, are where spammers want to target.
That doesn't mean that the idea is worthless: far from it, I think it would make a wonderful extension. However, I personally think it puts too much of a burden on the admin. Plus, as I've said before, with fighting spam what works for one forum might not necessarily be right for another. A more modular approach helps make that a non-issue.

It is our difference smile You say "mod"; I think that a real protection to spam *must* be included in the software, as not all users are able to find/do the needed modifications. For a lot of people, even the word (source) "code" is not understandable. Ok, in 1.3 version, open a source file will not be mandatory, it will be easier, but first the current version is 1.2, then even in 1.3 it will be mandatory to search, read, and understand in english forum (here or punres). Do you think that to have a good protection, one must be able to understand english and to edit/modify a source file? It will excludes a large part of the world, and it would be too bad.
Nevertheless, thank you for your responses. And I do not desesperate smile

With extensions in 1.3, nobody should need to edit code. You download the extension, upload it to your forum, hit Install, and you're done. And people need to know English to find/download/install PunBB right now: if they know enough to do that, they'll know enough to find extensions they might need.

79 Reply by gil

  • gil
  • Member
  • Offline
  • Registered: 2005-10-12
  • Posts: 45

Re: Vulnerable to spambots

Smartys wrote:
gil wrote:

It is our difference smile You say "mod"; I think that a real protection to spam *must* be included in the software, as not all users are able to find/do the needed modifications. For a lot of people, even the word (source) "code" is not understandable. Ok, in 1.3 version, open a source file will not be mandatory, it will be easier, but first the current version is 1.2, then even in 1.3 it will be mandatory to search, read, and understand in english forum (here or punres). Do you think that to have a good protection, one must be able to understand english and to edit/modify a source file? It will excludes a large part of the world, and it would be too bad.
Nevertheless, thank you for your responses. And I do not desesperate smile

With extensions in 1.3, nobody should need to edit code.

It's what I said, it will be easier, when you what you're searching for. But 1.3 is not the current version.

now,  You download the extension, upload it to your forum, hit Install, and you're done. And people need to know English to find/download/install PunBB right now: if they know enough to do that, they'll know enough to find extensions they might need.

I don't think so. English is not mandatory to find it, as it is provided in a lot of web site in several (at least) countries, like for example "bank" of freeware, Internet provider... or a not-official punbb site.  To install it, if there is no text with the download link, it is not very difficult to read the small help file.

gil's Website

80 Reply by MattF (edited by MattF 2007-05-21 22:22)

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: Vulnerable to spambots

I have to ask. What is the fuss about modding and personalising a software installation. For goodness sakes, with most *nix admins it's second nature. A pre-compiled with everything version of a programme is practically a living hell. Starting with minimal solutions and adapting has always been the best and most secure policy.

MattF's Website

81 Reply by gil

  • gil
  • Member
  • Offline
  • Registered: 2005-10-12
  • Posts: 45

Re: Vulnerable to spambots

MattF wrote:

I have to ask. What is the fuss about modding and personalising a software installation. For goodness sakes, with most *nix admins it's second nature. A pre-compiled with everything version of a programme is practically a living hell. Starting with minimal solutions and adapting has always been the best and most secure policy.

Modding and personalising a software is a good thing. But a mandatory function should not be modding. Avatar, for example, is not mandatory, and could be an extension. It is offered with the software, why not, but it was not an obligation. When a software *cannot* be used without an extension in the target context (just real world...), this package is not complete.

gil's Website

82 Reply by MattF (edited by MattF 2007-05-22 21:07)

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: Vulnerable to spambots

gil wrote:
MattF wrote:

I have to ask. What is the fuss about modding and personalising a software installation. For goodness sakes, with most *nix admins it's second nature. A pre-compiled with everything version of a programme is practically a living hell. Starting with minimal solutions and adapting has always been the best and most secure policy.

Modding and personalising a software is a good thing. But a mandatory function should not be modding. Avatar, for example, is not mandatory, and could be an extension. It is offered with the software, why not, but it was not an obligation. When a software *cannot* be used without an extension in the target context (just real world...), this package is not complete.

Just as a counter argument for that, I have looked at a lot of the other forum software, and even tried installing a lot of it, and all I would say is that I far prefer to mod PunBB with what are minor alterations than to install most of the other alternatives, which may have basics like that built in. Installing something with cartloads of crap added that then has to be removed to achieve ones purpose is far worse than having to add a few mods specific to your requirement items.

MattF's Website

83 Reply by quaker

  • quaker
  • quaker
  • Senior Member
  • Offline
  • From: USA
  • Registered: 2006-02-22
  • Posts: 1,783

Re: Vulnerable to spambots

umm.. well have you looked at some mods that is offered for punbb..

captcha mod is out
spambot
bad behavior
list goes on and on..

it is up to the user to add these mods to there punbb..


Q

My stuff or my style might sux, but atleast I'm willing to help when I can.
Don't be stupid and help ! We are the stupid one's !!!

quaker's Website

  • Registered: 2004-12-31
  • Posts: 73

Re: Vulnerable to spambots

some of my suggestions....

a modification that says registered users can post replys but not a thread itself until they post at least 10 times.

a mod that says "whats the color of an apple" answer = red
this would be random and bots wouldnt be able to put numbers together because their are no numbers.

obviously others suggested whats 1+3 = 4 thing, but they have defeated that.

i suggest finding out how spammers point to you to spam, do they spam because you have alot of users? then block out the user count, or whatever.

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: Vulnerable to spambots

spammers will post replies and new topics
the question thing has already been proposed and pointed out as generally good (although it does put a burden on the admin)
and spammers spam whatever they can

86 Reply by trakman (edited by trakman 2007-05-24 23:34)

  • Registered: 2005-04-01
  • Posts: 35

Re: Vulnerable to spambots

So it seems like the plan should be:
-get 1.3-beta out ASAP so that programmers can write/re-write a multitude of anti-spam extensions/plugins using the new 1.3 hooks
am I right? smile

  • Registered: 2006-09-04
  • Posts: 107

Re: Vulnerable to spambots

I use a slightly different solution for spammers. I have a submission form on my site (no visible links) the bots latch onto. I get a couple of submissions daily with the cialis, viagra crap etc. and the occasional virus (small attachments are permitted) which come in email and are filtered into a junk mail folder which I check and empty now and then.

So the bots use that form and leave the forums alone. Works like a charm. As for the topic here I'm with the minimalists. It's not hard to install a mod if needed.

Blog
  • Registered: 2004-12-31
  • Posts: 73

Re: Vulnerable to spambots

how about an option to make the url an https://
i remember hearing somewhere that would deter all spammers.

a differnt option would be to make a script much like google uses, a submit and review type of mod.  an admin (or for that matter, end users) could select a spam for review, if an admin says its spam (admins would have the final word) then its marked as spam and added to a fillter.  this filter would then filter out the keywords for the next spam and just hide that spam post - the End user would get a message or email or both and they could talk it over with the admin to unhide it.

anyways, i dont think there would be any real way to stop spammers.  there has to be mutliple ways to deter them, but no way to stop them. 

so i would recomend a imaged base script, unless end user doesnt have GD, then a text based script (question=answer)... then a script that uses 3rd parties such as spamhous and other .htaccess files to deter known spam.
and as a last result a much larger project to colect spam and make a filter out of it. 
This filter project will probably be something major that could even be cross platform and hosted at sourceforge, so that all forum applications could code to use it if they wanted.  this would bring great support for it!

89 Reply by Tobi

  • Tobi
  • Senior Member
  • Offline
  • From: Samos, Greece
  • Registered: 2005-06-27
  • Posts: 477

Re: Vulnerable to spambots

mindlessoath wrote:

as a last result a much larger project to colect spam and make a filter out of it. 
This filter project will probably be something major that could even be cross platform and hosted at sourceforge, so that all forum applications could code to use it if they wanted.  this would bring great support for it!

Well. there's spamassassin.
I am pretty sure that it can be modified to filter message posts as well, or with a separate installation.
It has all one would need, blacklists, whitelist, bayesian filter.
It's just since I got addicted to PHP my Perl has started to rust... sad
Maybe some Perl god out there (I know there are still some...) wants to have a look....

The German PunBB Site:
PunBB-forum.de

Tobi's Website

90 Reply by gil

  • gil
  • Member
  • Offline
  • Registered: 2005-10-12
  • Posts: 45

Re: Vulnerable to spambots

A french (and abandonned, I suppose - maybe desperate administrators...) "Desperate Housewives" forum. One forum, among the others:
http://www.desperate-housewives-fr.be/f … 95437528bd

gil's Website