Thanks, spaciba, done wink

I wish these features came standard (not as extensions):

  • Subforums

  • Human question/reply to sign up

3

(89 replies, posted in PunBB 1.2 discussion)

Yes obviously. Considering that this is not a bug, one could also consider that MySQL injections are not bugs because one could argue that "no one is supposed to type some SQL commands in the search field". Same rationale.

4

(89 replies, posted in PunBB 1.2 discussion)

I didn't know that crackers have come that far with captchas. This is scary.
Anyway, we need to be better than them, and more creative, this is an open war! smile

5

(89 replies, posted in PunBB 1.2 discussion)

I think it's going to take at least a few years before spambots are able to read the operation that is written inside an image, and then process it and give the result. People who have problems reading can click the "speaker" icon to hear it loud.

6

(89 replies, posted in PunBB 1.2 discussion)

It's relative. What is time-consuming for a spambot is considered normal to end-users, ie: calculating 84x34 =  ?

People already type what is in a captcha. It's commonplace.

7

(89 replies, posted in PunBB 1.2 discussion)

This is what I understood as well smile

8

(89 replies, posted in PunBB 1.2 discussion)

Nope, no legitimate user use something automatic to sign up and post messages. At least not me big_smile
The whole process has always been manual for regular users.

9

(89 replies, posted in PunBB 1.2 discussion)

Actually I have an antispambot filter on the pcbsd.org forum, and for 5 months we have had only 1 or 2 spams. Combinations of spam filters are best. And there needs to be antispambots also for registered users, otherwise spammers register accounts manually and then send loads of spam using spambots. When the whole process needs to be manual and time-consuming, spammers give up.

10

(89 replies, posted in PunBB 1.2 discussion)

What about a captcha that displays an operation that requires the person to think, and that requires to use the calculator, ie: 5841 / 651 = ?

This is for registration. Each post could require a simple captcha also. For people who have problems to read, a sound player to speak the content of the captcha would be an alternative.

How could spambots circumvent this? Again, this would be an option in the admin area. Thos who don't want that on their forum would just have to disable it.

11

(89 replies, posted in PunBB 1.2 discussion)

gil wrote:

no images and links for guest message or for the N first messages of a registered user

This is not a solution. To fight spam, you have to think out of the box.

- If you can't post images or links for guests, as a spammer you put your URL in your profile.
- If you are a registered spammer and can't post images and links before 10 messages, then you send then canned messages such as those that we get everyday that say something very generic ("Hi, nice web site, just wanted to say hello"). And when your bot has sent 10 automatic messages, start sending your spam.

12

(89 replies, posted in PunBB 1.2 discussion)

It's not just for me. I have 3 different forums (Interaction, PC-BSD and another one for my NGO). They all have been targetted by spambots. I can safely conclude that any forum will be exploited to broadcast spam on the web. Anyway, I hope Rickard will read this thread and agree that this security breach is something important that should be fixed in the default installation, especially that common users don't expect that a forum can be hit by spam, even less by spambots. My message has been heard wink

13

(89 replies, posted in PunBB 1.2 discussion)

Thanks. As I said, I can install mods myself or even tweak my own spam filter. I'm talking about fixing this bug for the default installation so that people who install punBB don't have to worry, the default installation will be safe.

14

(89 replies, posted in PunBB 1.2 discussion)

I use the default settings (with e-mail verification, etc...).

15

(89 replies, posted in PunBB 1.2 discussion)

Of course I can install mods or create mine. The problem is that it has an exploit, it allows any non-human user to send an unlimited number of messages with no restriction. It's like not requiring registration, or disabling captchas. The point is that with a default installation of punBB, I can't run my forum.

16

(89 replies, posted in PunBB 1.2 discussion)

For me it's a bug when it brings your server down, and when basically it uses an exploit to turn your forum unusable. I agree that there are mods, but it shouldn't be necessary to install a mod. Any forum that you set up these days will be hit by spambots early or late. It's like surfing the web using Windows 98 with no antivirus IMHO.

17

(89 replies, posted in PunBB 1.2 discussion)

I think being vulnerable to spambots should be considered as serious as being vulnerable to SQL injections. I am a very good advocate of punBB, and I suggest it everywhere when someone asks for forum recommendations, but I had to sort of "close" my forum for now until this vulnerability is fixed.

I left on Friday, with my forum clean, with no spam (I cleaned the few spams manually). When I got back this morning, I found out that my server was rebooted twice due to non-response. After further investigation, I found out that the account that caused the problem was the account that hosts my low-traffic forum. Strange. So, I accessed my forum and found... A deluge os spam. Litterally hundreds of thousands of adult, child porn, and men's health spam. Tired of removing manually spams everyday, no time with my job, and seeing that I just can't remove manually hundreds of thousands of spam, I reverted my database to an older backup from last week, I disabled new registrations and set all categories as read-only.

I hope something is done about it. Thanks in advance.

18

(15 replies, posted in PunBB 1.2 discussion)

I want that too!

19

(6 replies, posted in Feature requests)

I want that too!

20

(10 replies, posted in General discussion)

Why don't you help out creating these tools, Paul? tongue smile

21

(10 replies, posted in General discussion)

Well, expect that this tool is in its infancy. Shortly these guys will offer a lot more than forum spamming, they will also spam in blog comments, wiki entries, phpMyFAQ comments, and hundreds of other web applications that are probably not prepared. And they will also protect against flooding or bot detection, using a random delay between posts. They will also randomize text of each post and subject to by-pass filters just like in e-mail spam techniques.

22

(10 replies, posted in General discussion)

Definately.

23

(10 replies, posted in General discussion)

Exactly, I have also noticed it. I'm not sure about the proportion of true and fake registration, but I would say that more than 50% for sure are false registration in a sense that these registrations will never send any post on the forum. Also, when I do some research on the web looking up these usernames, they are already present in a number of forums with...Zero post! I have only one explanation for this practice: These people are creating thousands of accounts on thousands of forums with not a single post....For now. One day they could all of the sudden use these usernames to start filling the whole Internet with one single message. What sort of message? I don't know... Maybe a single product, maybe political, maybe an adult web site... I have no idea, but the thing is that on the PC-BSD forum for instance, there are thousands of fake usernames, I guess, under the control of a remote central bot. At any time this bomb can explode and the spam bot can trigger all of its usernames around the world to send one single message to promote their product.

PS: Yes, the PC-BSD forum is phpBB, sorry. Actually I moderate a simple punBB forum on www.interactionchat.com

24

(10 replies, posted in General discussion)

From the recent evolution of spam in forums, everything indicates that forum spam is using more and more techniques of e-mail spam. Filters and addons used for forums and going to be more and more like SpamAssassin rather than just a keyword blocking addon. I am pretty sure that in a near future, spam forum will be like this: non sense garbage in the subject line or words like "V1AGRA", "P0RN", "phaarmaccy" to by-pass filters, and in the message, just one large clickable image, just like spam that you get in your Gmail account.

A possible solution to this problem would be having a "Report" button on each post, linked to a backend central server used by many forums in the world, to list all blacklisted IP addresses. If spammer Jack sends a gambling spam on Bob's forum, Jim clicks the "Report" button to report Jack's IP address to the central server. Bill also has a forum which system knows the blacklisted IP right away, and when Jack tries to post his spam on Bill's forum, he gets an error message because his IP address is blacklisted. After 3 people click the "Report" button, the user is erased, his message as well, and his original IP address is sent to the central server.

Forums spammers will do their best for messages to get through, they will be as carried away as for e-mail spam. We just have to be prepared. No good built-in protection will ruin the forum experience the same way spam killed Usenet that once was very popular.

25

(16 replies, posted in PunBB 1.2 discussion)

How good is punBB fighting spam? I have a phpBB forum with several mods installed, and every now and then I still get a few spam messages... I'm thinking about changing for punBB if it's better.