Lemmings Forums

Site Boards => Site Discussion => Topic started by: namida on June 16, 2021, 03:32:34 AM

Title: Regarding the recent spambots.
Post by: namida on June 16, 2021, 03:32:34 AM
They've been dealt with. I've also modified the security question - usually this is enough to shut down a wave of spambots (it's likely they've been manually given the answer to the question at some point, though it could be an AI thing).

In the future - please don't give them "attention". This means don't reply to their posts / quote them / mention their username / etc. If you'd like to bring it to our attention, use the "Report to moderator". I do understand that the responses some people made were well-intentioned, but at best it achieves nothing, and at worst it might report back "hey, our bots get attention on this site, we should push harder at it" to the developers of the spambots (unlikely, but not out of the question).
Title: Re: Regarding the recent spambots.
Post by: Minim on June 16, 2021, 06:16:58 AM
Thanks for the reminder. :) I just noticed this after indirectly replying to the spam post.
Title: Re: Regarding the recent spambots.
Post by: namida on June 18, 2021, 10:22:02 AM
As we have had yet another case, I have for now increased the level of distortion applied to the CAPTCHA. We'll see if this works - if not, the next step will be to look into integrating reCAPTCHA or similar in place of the current CAPTCHA (which I believe is an SMF integrated one). Admin approval on new accounts is possible as a last resort, but I'm really not a fan of requiring that.
Title: Re: Regarding the recent spambots.
Post by: Simon on June 18, 2021, 10:59:38 AM
It's worth a try.

But long-term, it's bad for the honest registrants. I suppose that all of these built-in captchas are already solved; any extra distortion makes it harder for humans, not for spambots. We don't have evidence that the spammers were bots.

After the trial, let's change the security question to easy Lemmings knowledge, e.g. what is the name of the skill that produces a horizontal tunnel?

-- Simon
Title: Re: Regarding the recent spambots.
Post by: namida on June 19, 2021, 03:46:35 AM
I notice a new post was made today; however, the account behind it was created before the setting was changed. There don't appear to be any more suspicious-looking recent accounts.
Title: Re: Regarding the recent spambots.
Post by: namida on June 22, 2021, 01:48:50 AM
I've noticed there has been another case. The account was dealt with before I could check its age, but given that I didn't spot any suspicious recent-looking accounts, I'm going to assume it registered more recently.

I'm going to look at integrating reCAPTCHA, which should be more resilient than SMF's built-in CAPTCHA - I did try using an SMF addon, but it didn't work, so I'm going to have to try doing it manually. I'll also update the forums to SMF 2.0.18 at the same time (I've already done this part in the source code, though haven't pushed it live yet - in case of a future need to restore to source, it should be safe to just directly restore this 2.0.18 commit with the existing database, rather than hunting down the last 2.0.17 commit).
Title: Re: Regarding the recent spambots.
Post by: geoo on June 22, 2021, 10:44:18 AM
We already got 5 more registrations today, 3 of them posting spam.
I deleted the posts; the accounts are still there if you want to have a closer look (I don't think they ever come back to post more anyway).
Title: Re: Regarding the recent spambots.
Post by: Simon on June 22, 2021, 02:59:18 PM
For these bots, I have always deleted the accounts. Do you prefer me to ban them instead of deleting them, to keep the account?

Different captcha sounds like a good try, thanks for investigating. These bots have registered after you bumped the SMF-builtin captcha.

-- Simon
Title: Re: Regarding the recent spambots.
Post by: namida on June 22, 2021, 07:09:15 PM
Yeah, yesterday I was experimenting with the reCAPTCHA plugin, disabled the built-in security, and it seems I only turned the built-in CAPTCHA back on (not the security questions) afterwards.

This would suggest that the built-in CAPTCHA is basically worthless, and the security questions are what's been keeping spammers at bay. I've put these back, now with four possible questions (all of which are simple Lemmings-related trivia) and a requirement to answer two instead of just one. I'm going to remove the CAPTCHA for now altogether (no point if it's not achieving anything) and see how that goes, but I still intend to look at implementing reCAPTCHA at some point soon. I'll just have to do it myself rather than rely on a plugin; fortunately, it sounds like it should be relatively simple.
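Added example, not part of the thread and not SMF's own registration code: a sketch of the "answer two of four trivia questions" gate described above, written the way a practitioner would want it checked. The question bank, accepted spellings and site salt are constructed for illustration (the thread does not list the real questions). The points it demonstrates are that answers are normalized before comparison (case, punctuation, spacing, a leading "the"), so multi-word answers work; that only digests of answers need to be stored; that the client must answer exactly the questions it was shown rather than picking its own; and that comparison is constant-time and does not stop at the first wrong answer.

```python
import hashlib
import hmac
import random
import re
import unicodedata

# Constructed question bank (not the forum's real list). Each entry is
# (question text, list of accepted answers). Multi-word answers are fine,
# which matters once a question no longer has a single common word as its answer.
QUESTION_BANK = {
    "tunnel": ("What is the name of the skill that produces a horizontal tunnel?",
               ["basher"]),
    "hair": ("What colour is a lemming's hair?", ["green"]),
    "stop": ("Which skill stops other lemmings from walking past?", ["blocker"]),
    "fun1": ("What is the name of Fun level 1 in the original Lemmings?",
             ["just dig", "just dig!"]),  # assumption: accepted spellings
}

# Per-site secret so stored digests can't be matched against a generic table
# of Lemmings trivia. Constructed value.
SITE_SALT = b"constructed-salt-change-me"
REQUIRED = 2  # the thread: answer two questions instead of one


def normalize(answer: str) -> str:
    """Fold Unicode form, case, punctuation, spacing and a leading 'the' so
    'Steel Works!', 'steel works' and 'STEELWORKS' all compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)          # drop punctuation such as '!'
    text = re.sub(r"\s+", " ", text).strip()     # collapse whitespace
    text = re.sub(r"^the ", "", text)            # 'the basher' -> 'basher'
    return text.replace(" ", "")                 # 'just dig' -> 'justdig'


def answer_digest(answer: str) -> bytes:
    return hashlib.sha256(SITE_SALT + normalize(answer).encode()).digest()


def stored_digests(bank=QUESTION_BANK):
    """What the site would keep in its database: digests, not plaintext answers."""
    return {qid: [answer_digest(a) for a in answers]
            for qid, (_, answers) in bank.items()}


def present_questions(k: int = REQUIRED, seed=None):
    """Pick k distinct question ids for one registration attempt. The ids go
    into the server-side session so the client cannot choose its own questions."""
    return random.Random(seed).sample(sorted(QUESTION_BANK), k)


def verify_answers(presented, submitted, digests=None) -> bool:
    """True only if every presented question was answered correctly.
    Rejects answers to questions that were not presented, and evaluates all
    questions rather than stopping at the first failure."""
    digests = stored_digests() if digests is None else digests
    if len(presented) < REQUIRED or set(submitted) != set(presented):
        return False
    all_ok = True
    for qid in presented:
        got = answer_digest(submitted[qid])
        ok = any(hmac.compare_digest(got, d) for d in digests.get(qid, []))
        all_ok &= ok
    return all_ok
```

The normalization is deliberately loose ("steelworks" passes for "Steel Works") because the goal is to keep honest registrants through, not to grade spelling; the bar for spammers is knowing the answer at all.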
Title: Re: Regarding the recent spambots.
Post by: namida on June 23, 2021, 07:28:55 PM
Looks like even reCAPTCHA isn't keeping them out.

I'll try bumping reCAPTCHA's difficulty up to maximum, as well as putting back security questions in addition to reCAPTCHA. If this doesn't keep them out, the options are either a custom validation of some kind (the logic here being that, due to it being nonstandard, spambots won't be designed to know how to defeat it - security by obscurity, but we're obscure enough it'll probably work in our case), or requiring admin activation on new accounts.
Title: Re: Regarding the recent spambots.
Post by: WillLem on June 24, 2021, 05:27:47 PM
What if they're human trolls as opposed to spambots... ??? :lem-shocked:
Title: Re: Regarding the recent spambots.
Post by: namida on June 26, 2021, 09:14:15 PM
It's been brought to my attention that the security questions aren't working properly. I'll investigate this at some point, but for now I've disabled them (still leaving the higher-strictness reCAPTCHA setting in place).
Title: Re: Regarding the recent spambots.
Post by: Simon on June 27, 2021, 12:25:21 PM
Thanks for the hard work and fine-tuning!

-- Simon
Title: Re: Regarding the recent spambots.
Post by: namida on June 27, 2021, 09:00:01 PM
Security questions fixed and re-enabled.
Title: Re: Regarding the recent spambots.
Post by: Minim on June 30, 2021, 05:09:07 AM
Hmm... We've had another security breach today from a similar spambot. >:(

Maybe we should try a different approach: If this spambot is using several IPs in a certain range, maybe we should block this range from creating accounts? Some people create accounts via a proxy, which happens on Wikipedia a lot.

(I think this would probably be too tedious as there are so many proxies which change dynamically, so a bot account with admin privileges could be created instead.)
Title: Re: Regarding the recent spambots.
Post by: namida on June 30, 2021, 09:26:19 PM
The one thing I do notice is that they all seem to post very shortly after activating their account. I could perhaps try implementing a restriction that new accounts must wait some length of time (a few hours would probably be effective enough) after creating their account before they can post.

For now, I've replaced the security question with one where the answer is not a single, common word.
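Added example, not from the thread and not code the forum runs: the two gates proposed in the posts above, Minim's block on a registration address range and namida's minimum account age before a first post, sketched together so they can be run over a constructed sample of accounts. The ranges, timestamps, account rows and the three-hour window (namida's "a few hours") are all assumptions for illustration. The time check uses timezone-aware timestamps so a server and database in different zones cannot silently widen or shrink the window.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed blocklist of registration source ranges (documentation
# addresses, not anything real). A range block is a blunt tool, as the
# thread notes, so it is kept separate from the posting gate.
BLOCKED_REGISTRATION_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:beef::/48"),
]

# Minimum time between account activation and first post. Assumed value.
MIN_ACCOUNT_AGE = timedelta(hours=3)


def registration_allowed(source_ip: str) -> bool:
    """False if the address is malformed or falls inside a blocked range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # reject rather than guess at a malformed address
    return not any(addr in net for net in BLOCKED_REGISTRATION_RANGES)


def can_post(activated_at: datetime, now: datetime,
             min_age: timedelta = MIN_ACCOUNT_AGE) -> bool:
    """A new account may post only once it has been active for min_age."""
    if activated_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    return now - activated_at >= min_age


def first_post_allowed(activated_iso: str, post_iso: str) -> bool:
    """Same check on ISO-8601 strings with offsets, as a database would hold them."""
    return can_post(datetime.fromisoformat(activated_iso),
                    datetime.fromisoformat(post_iso))


# Constructed sample rows: (name, source ip, activated, first post attempt).
# The spam rows mirror the thread's observation that spam is posted minutes
# after activation.
SAMPLE_ACCOUNTS = [
    ("honest_newbie", "198.51.100.7",       "2021-06-30T08:00:00+00:00", "2021-06-30T15:30:00+00:00"),
    ("spam_a",        "203.0.113.40",       "2021-06-30T09:00:00+00:00", "2021-06-30T09:02:00+00:00"),
    ("spam_b",        "192.0.2.77",         "2021-06-30T09:10:00+00:00", "2021-06-30T09:11:00+00:00"),
    ("spam_c",        "2001:db8:beef:1::5", "2021-06-30T10:00:00+00:00", "2021-06-30T14:00:00+00:00"),
]


def triage(rows=SAMPLE_ACCOUNTS):
    """For each account: (registration would be allowed, first post would be allowed)."""
    return {name: (registration_allowed(ip), first_post_allowed(activated, post))
            for name, ip, activated, post in rows}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict)
```

Run as written it prints a verdict per constructed account: the honest registrant passes both gates, spam_b passes registration (no range match) but is stopped by the waiting period, and spam_a fails both.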
Title: Re: Regarding the recent spambots.
Post by: Simon on July 27, 2021, 10:07:03 PM
The security question is: What is the first level of Mayhem in Lemmings 3D? Surprisingly, this is nontrivial to websearch. I find the security question too hard now, and I fear that we prevent interested newbies from registering. I have no data from the forum to back my claim, though. At least blitz made it through.

I propose to ask for Mayhem level 1 of DOS/Amiga Lemmings 1, or even right for Fun 1.

-- Simon
Title: Re: Regarding the recent spambots.
Post by: namida on July 28, 2021, 05:45:55 AM
For me, it wasn't hard to find. Of course I know the answer anyway, but I tried to search for it as if I didn't. I entered "lemmings 3D level list" (without quotes, exact capitalization); the first result looked useful, I clicked it, and found the answer.

Nonetheless, yeah, probably not much point in making it a bit more obscure. I'll change it to Mayhem 1.