Author Topic: spam posts on the up again (Read 3984 times)

ccexplore · « **on:** May 17, 2011, 08:03:02 PM »

Looks like we're getting hit by spam postings again. They've even managed to look less "spammy" in form, which of course just makes it a bigger waste of time as it takes slightly longer for the reader to realize it's spam.

" title="Angry" class="smiley" />

So much for the "what color is lemming's hair?" test. $:-\$

Mr. K · « **Reply #1 on:** May 19, 2011, 02:51:27 AM »

I can't even figure out how these bots break through everything. I'm going to guess the questions asked at registration are broken through using a collection of standard answers (numbers, colors, words)-- or, as I've heard, sometimes actual people are doing the registration and then hand control over to software.

Unfortunately SMF doesn't seem to be doing so well at blocking registrations. In general, every forum software is having issues. Bots have just become too sophisticated... kinda have a feeling that forums will decline rapidly in the next 5 years or so unless developers can figure out better ways to stop the spam.

namida · « **Reply #2 on:** May 19, 2011, 07:31:53 AM »

The best idea would be to write your *own* anti-spam code. Or, use a very rare forum system - GF++ is a fairly good one, once you iron the bugs out of the released source. I'd also be willing to let Lemmings Forums use the one I'm working on as a GF++ replacement once it's complete, if the admins are interested, but it's got a bit of a way to go yet.

ccexplore · « **Reply #3 on:** May 21, 2011, 08:27:58 AM »

The anti-spam measures on this particular forum could definitely use some strengthening. Right now when you click "request another image", it'll give you a different image, but it's still the same letters, so I can imagine that there are bots out there that could potentially work out the letters by repeatedly using "request another image".

But if as Mr. K says, if actual people are involved behind the registration (I guess it's not all that implausible that somewhere in China's a "forum registration sweatshop" $:-\$ ), then it's going to be quite hard to defend against spamming.

One really neat anti-spam system for this forum would be forcing the user to solve a very simple lemmings-like puzzle. It's unique and different enough from other anti-spam schemes, that it should hold up well for a long time against bots, and could potentially hold off human-assisted registrations at least for a short while. But probably a little too impractical to implement.

In any case we're a little late. If you look at the current memberlist sorted by most recently registered, you'd notice how many of the recent entries look suspicious (to me anyway) just by username alone, even though they haven't (yet) posted anything. Let's see how long before "Online Coupons45BB" makes its strike. $:-\$

geoo · « **Reply #4 on:** May 21, 2011, 10:58:11 AM »

Quote from: ccexplore on 2011-05-21 02:27:58

One really neat anti-spam system for this forum would be forcing the user to solve a very simple lemmings-like puzzle. It's unique and different enough from other anti-spam schemes, that it should hold up well for a long time against bots, and could potentially hold off human-assisted registrations at least for a short while. But probably a little too impractical to implement.

While writing some small game to complete that'd require people to have Flash or Java or something like this enabled, one could do something along the lines of the captcha, but aimed for Lemmings:
Auto-generate a small, trivial (auto-generated kinda implies trivial) level as image with a given (possibly even fixed skillset, like one of each), and ask how many of each skill are at least required to pass this level.
That'd require people to at least know the basics of the Lemmings game, which I assume can be expected from any legitimate person trying to register here.
Of course, levels would have to be generated that it doesn't really matter how far a builder builds or how deep a bomb crater is to solve the level, and that there's only one skill combination that takes the minimum amount of skills. It seems feasible, and an interesting challenge to try to implement.

Of course, there's also forums that require people to post privately why they want to join the forum, and get manually improved by an admin (who can decline if the reason is like "cheap pills" or "starfish necklaces"). Has the downside of more work, possibly frightening away some users (especially lurkers who only come to post after a while, or really contemplate whether anything they post really is worthwhile), and users not immediately being able to post.

EDIT: Alternatively, reCAPTCHA seems to be pretty strong against bots.

Mr. K · « **Reply #5 on:** May 21, 2011, 02:03:29 PM »

Then level generation would be pretty neat, but I'm no web programmer (silly since I manage this place, I know-- basic html is about all I have under my belt)

I'm at least looking at some of the available SMF modifications that can increase the security.

Here are a couple:
httpBL (blacklists known spammers at the IP address level before they strike)
KeyCAPTCHA (different sorta of CAPTCHA, looks pretty promising)
There was a ReCAPTCHA modification I would've liked to try, but unfortunately it hasn't been updated to be compatible with the last few releases. :/

namida · « **Reply #6 on:** May 22, 2011, 08:22:04 AM »

Why not try giving a random level and asking what the skillset for it is? It's easy enough for a human to find out if they don't already know...

Mr. K · « **Reply #7 on:** May 22, 2011, 02:30:31 PM »

It's not that it's difficult, it's that most people wouldn't even bother going through the effort. I know I wouldn't.

Adam · « **Reply #8 on:** May 22, 2011, 02:59:45 PM »

Just added a few relatively simple Lemmings related questions. Hopefully, these will help to slow down / stop the spambots.

ccexplore · « **Reply #9 on:** May 23, 2011, 10:12:44 PM »

One problem with your questions is that while most of the ports do have a rating named "Fun" and has the same "tutorial" levels in the same order, there are exceptions, notably the PS3 version. Also, it's amazing how many different terminologies have been used for the concept of "skill". I've seen it called "task", "tool", and more.

Thus it may be necessary to have the questions not refer to any specific levels, to avoid the port issue. (eg. You'd want questions like "What skill do you use to <do this>?") For the multiple-terminlogy issue, I think we can simply follow the word "skill" with " (eg. climbers, ...)" or something like that, so even for people who aren't used to calling them "skills", they'd know what the question is asking for. Along that note, it'd be preferable if the answers can accept both singular and plural forms.

Clam · « **Reply #10 on:** May 23, 2011, 11:47:59 PM »

Looks like spam posts are up on the wiki too, so whatever we decide to implement here should be done there as well.

Mr. K · « **Reply #11 on:** May 24, 2011, 12:25:25 AM »

Also I am going to add a script to automatically remove these spam members because it's going to be a HUGE pain to do it by hand.
142 of 237 members (about 60%) are attempted spam registrations. Basically it's going to remove them after a given amount of time with zero posts. What would be good to avoid zapping actual people? A month? I figure if actual people register and don't post, then it's okay to delete their account because they probably never WILL post-- and we still get these spam accounts to vanish automatically.

geoo · « **Reply #12 on:** May 24, 2011, 01:11:54 AM »

You'll still have to remove their spam posts they post within the first month.

What seems to be very common is that they set a signature with a link immediately upon registration (well, those that actually make a spam post don't always seem to). Perhaps you could just delete the account as soon as it sets a signature containing a link within the first 7 days, and put an explicit warning where you enter the signature to users telling them what will happen if they do it.

Alternatively, you could add the 'link in signature' criterion to the 0-posts criterion for the purge you intend to do.

ccexplore · « **Reply #13 on:** June 06, 2011, 07:55:37 PM »

Quote from: ccexplore on 2011-05-23 16:12:44

Along that note, it'd be preferable if the answers can accept both singular and plural forms.

As an example, minutes ago I just used the "search" feature w/o logging in, and it took me 3 tries to answer the question "What skill is used in the first level of Fun?". First I tried "digger" since the question is in singular ("...skill is..."). Wrong. Then I tried "dig", and then finally "diggers" is apparently the only accepted answer.

And this is w/o the concern about the "skill" terminology I noted earlier in the thread.

My worry is that something like this may deter legitimate registration attempts. It'd be almost impossible to tell since there are probably far more illegitimate attempts compared to the rather occasional legitmate attempt.

Author Topic: spam posts on the up again (Read 3984 times)

ccexplore

spam posts on the up again

Mr. K

Re: spam posts on the up again

namida

Re: spam posts on the up again

ccexplore

Re: spam posts on the up again

geoo

Re: spam posts on the up again

Mr. K

Re: spam posts on the up again

namida

Re: spam posts on the up again

Mr. K

Re: spam posts on the up again

Adam

Re: spam posts on the up again

ccexplore

Re: spam posts on the up again

Clam

Re: spam posts on the up again

Mr. K

Re: spam posts on the up again

geoo

Re: spam posts on the up again

ccexplore

Re: spam posts on the up again