Antispam (pun_admin_antispam)
- Status: Under development
- Current version: 1.0RC
General idea
Protect the forum using CAPTCHA from:
- Bruteforcing the passwords
- Spam in guest posts
- Bot registration
Specification
- Add CAPTCHA at:
  - Registration
    - If the user has passed the CAPTCHA but made a mistake in some other field of the form (the form is displayed again for the user to correct the data), do not show the CAPTCHA again. I.e. the user must pass the CAPTCHA only once to register.
    - A simple CAPTCHA of the kind “Are you a robot? Yes/No” may be used here. Just use a random name for the <input>, or even name=“agree” for “Yes”. This will protect from common robots, but not from a targeted attack, so this may be an option. Delay this for (pun_antispam 2.0)
  - Guest post
    - Same as for registration: do not ask for the CAPTCHA again if the user has some errors; ask once per message.
    - Or even once per N messages? (pun_antispam 2.0)
  - Password restore
    - Do not ask for the first N requests from the IP (pun_antispam 2.0)
  - Login
    - Do not ask for the first N requests from the IP (pun_antispam 2.0)
- Add options to Administration ⇒ Settings ⇒ Features
  - Use CAPTCHA on register page (checkbox, checked by default)
  - Use CAPTCHA on guest posting (checkbox, checked by default)
  - Use CAPTCHA after 5 login failures (checkbox, checked by default)
  - Use CAPTCHA on password restore form (checkbox, checked by default)
- Add database table <db_prefix>_config
  - o_pun_antispam_captcha_register = 1
  - o_pun_antispam_captcha_guestpost = 1
  - o_pun_antispam_captcha_login = 1
  - o_pun_antispam_captcha_restorepass = 1
- CAPTCHA implementation
  - Use sessions to store the code.
  - Delay before image output (1 s).
  - When the test is passed by the user, do not ask for it again on other pages for some time (or until the user does something suspicious).
  - TODO: Describe how the code will be modified against bots.
  - IDEA: Use a word list? E.g. “punbb”, “forum”, “guest”, “user” and so on.
  - IDEA: Use an empty invisible field with a title like “do not fill this”. If filled, this is a bot.
  - IDEA: Use math captcha.
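
One way the session-stored code, the "pass once per registration" rule and the invisible-field idea could fit together, as an added example in PHP (PunBB's language) that is not part of this specification or of the extension's code. The function names, the `do_not_fill` and `captcha` field names and the per-form session layout are assumptions, and the type declarations and `random_int` assume PHP 7 or later.

```php
<?php
// Added example, not pun_admin_antispam code; all names are hypothetical.
// $session stands in for $_SESSION so the logic also runs from the CLI.
function captcha_issue(array &$session, string $form): string
{
    $code = (string) random_int(100000, 999999); // digits only, for brevity
    $session['captcha'][$form] = ['code' => $code, 'passed' => false];
    return $code; // drawn into the image, never sent to the client as text
}

function captcha_required(array $session, string $form): bool
{
    return empty($session['captcha'][$form]['passed']);
}

function captcha_check(array &$session, string $form, array $post): bool
{
    // Honeypot from the IDEA list: a hidden field that humans leave empty.
    if (($post['do_not_fill'] ?? '') !== '') {
        unset($session['captcha'][$form]);
        return false;
    }
    if (!captcha_required($session, $form)) {
        return true; // already solved for this form, do not ask again
    }
    $expected = $session['captcha'][$form]['code'] ?? null;
    $given = $post['captcha'] ?? '';
    if (is_string($expected) && is_string($given) && hash_equals($expected, $given)) {
        $session['captcha'][$form] = ['code' => null, 'passed' => true];
        return true;
    }
    unset($session['captcha'][$form]); // wrong answer: one guess per image
    return false;
}

function captcha_consume(array &$session, string $form): void
{
    unset($session['captcha'][$form]); // one solve covers one saved action
}

// Constructed walk-through: registration with a mistake in another field.
$s = [];
$code = captcha_issue($s, 'register');
var_dump(captcha_check($s, 'register', ['captcha' => $code])); // first submit
var_dump(captcha_required($s, 'register')); // form redisplayed for the fix
captcha_consume($s, 'register');            // registration stored
var_dump(captcha_required($s, 'register')); // a new registration starts
```

After a failed check the stored code is gone, so the caller has to call `captcha_issue` again before redisplaying the form; clearing the pass flag once the registration or post is saved keeps one solved CAPTCHA from covering many submissions.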