Author Topic: Regarding the recent spambots.  (Read 6673 times)

Offline namida

  • Administrator
  • Posts: 12399
Regarding the recent spambots.
« on: June 16, 2021, 03:32:34 AM »
They've been dealt with. I've also modified the security question - usually this is enough to shut down a wave of spambots (it's likely they've been manually given the answer to the question at some point, though it could be an AI thing).

In the future - please don't give them "attention". This means don't reply to their posts / quote them / mention their username / etc. If you'd like to bring it to our attention, use the "Report to moderator". I do understand that the responses some people made were well-intentioned, but at best it achieves nothing, and at worst it might report back "hey, our bots get attention on this site, we should push harder at it" to the developers of the spambots (unlikely, but not out of the question).
My Lemmings projects
2D Lemmings: NeoLemmix (engine) | Lemmings Plus Series (level packs) | Doomsday Lemmings (level pack)
3D Lemmings: Loap (engine) | L3DEdit (level / graphics editor) | L3DUtils (replay / etc utility) | Lemmings Plus 3D (level pack)

Offline Minim

  • Posts: 1724
Re: Regarding the recent spambots.
« Reply #1 on: June 16, 2021, 06:16:58 AM »
Thanks for the reminder. :) I just noticed this after indirectly replying to the spam post.
Level Solving Contest creator. Anybody bored and looking for a different challenge? Try these levels!

Neolemmix: #1 #4 #5 #6
Lix: #2  #7
Both Engines: #3

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #2 on: June 18, 2021, 10:22:02 AM »
As we have had yet another case, I have for now increased the level of distortion applied to the CAPTCHA. We'll see if this works - if not, the next step will be to look into integrating reCAPTCHA or similar in place of the current CAPTCHA (which I believe is an SMF integrated one). Admin approval on new accounts is possible as a last resort, but I'm really not a fan of requiring that.

Offline Simon

  • Administrator
  • Posts: 3872
Re: Regarding the recent spambots.
« Reply #3 on: June 18, 2021, 10:59:38 AM »
It's worth a try.

But long-term, it's bad for the honest registrants. I suppose that all of these built-in captchas are already solved; any extra distortion makes it harder for humans, not for spambots. We don't have evidence that the spammers were bots.

After the trial, let's change the security question to easy Lemmings knowledge, e.g. what is the name of the skill that produces a horizontal tunnel?

-- Simon

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #4 on: June 19, 2021, 03:46:35 AM »
I notice a new post was made today; however, the account behind it was created before the setting was changed. There don't appear to be any more suspicious-looking recent accounts.

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #5 on: June 22, 2021, 01:48:50 AM »
I've noticed there has been another case. The account was dealt with before I could check its age, but given that I didn't spot any suspicious recent-looking accounts, I'm going to assume it registered more recently.

I'm going to look at integrating reCAPTCHA, which should be more resilient than SMF's built-in CAPTCHA - I did try using an SMF addon, but it didn't work, so I'm going to have to try doing it manually. I'll also update the forums to SMF 2.0.18 at the same time (I've already done this part in the source code, though haven't pushed it live yet - in case of a future need to restore to source, it should be safe to just directly restore this 2.0.18 commit with the existing database, rather than hunting down the last 2.0.17 commit).
« Last Edit: June 22, 2021, 07:11:44 PM by namida »

Offline geoo

  • Administrator
  • Posts: 1475
Re: Regarding the recent spambots.
« Reply #6 on: June 22, 2021, 10:44:18 AM »
We already got 5 more registrations today, 3 of them posting spam.
I deleted the posts, the accounts are still there if you want to have a closer look (I don't think they ever come back to post more anyway).

Offline Simon

  • Administrator
  • Posts: 3872
Re: Regarding the recent spambots.
« Reply #7 on: June 22, 2021, 02:59:18 PM »
These bots, I have always deleted the accounts. Do you prefer me to ban them instead of deleting them, to keep the account?

Different captcha sounds like a good try, thanks for investigating. These bots have registered after you bumped the SMF-builtin captcha.

-- Simon

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #8 on: June 22, 2021, 07:09:15 PM »
Yeah, yesterday I was experimenting with the reCAPTCHA plugin, disabled the built-in security, and it seems I only turned the built-in CAPTCHA back on (not the security questions) afterwards.

This would suggest that the built-in CAPTCHA is basically worthless, and the security questions are what's been keeping spammers at bay. I've put these back, now with four possible questions (all of which are simple Lemmings-related trivia) and a requirement to answer two instead of just one. I'm going to remove the CAPTCHA for now altogether (no point if it's not achieving anything) and see how that goes, but I still intend to look at implementing reCAPTCHA at some point soon - I'll just have to do it myself rather than rely on a plugin; fortunately, it sounds like it should be relatively simple.

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #9 on: June 23, 2021, 07:28:55 PM »
Looks like even reCAPTCHA isn't keeping them out.

I'll try bumping reCAPTCHA's difficulty up to maximum, as well as putting back security questions in addition to reCAPTCHA. If this doesn't keep them out, the options are either a custom validation of some kind (the logic here being that, due to it being nonstandard, spambots won't be designed to know how to defeat it - security by obscurity, but we're obscure enough it'll probably work in our case), or requiring admin activation on new accounts.

Online WillLem

  • Posts: 3378
  • Unity isn't sameness, it's togetherness
Re: Regarding the recent spambots.
« Reply #10 on: June 24, 2021, 05:27:47 PM »
What if they're human trolls as opposed to spambots... ??? :lem-shocked:

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #11 on: June 26, 2021, 09:14:15 PM »
It's been brought to my attention that the security questions aren't working properly. I'll investigate this at some point, but for now I've disabled them (still leaving the higher-strictness reCAPTCHA setting in place).

Offline Simon

  • Administrator
  • Posts: 3872
Re: Regarding the recent spambots.
« Reply #12 on: June 27, 2021, 12:25:21 PM »
Thanks for the hard work and fine-tuning!

-- Simon

Offline namida

  • Administrator
  • Posts: 12399
Re: Regarding the recent spambots.
« Reply #13 on: June 27, 2021, 09:00:01 PM »
Security questions fixed and re-enabled.

Offline Minim

  • Posts: 1724
Re: Regarding the recent spambots.
« Reply #14 on: June 30, 2021, 05:09:07 AM »
Hmm... We've had another security breach today from a similar spambot. >:(

Maybe we should try a different approach: If this spambot is using several IPs in a certain range, maybe we should block this range from creating accounts? Some people create accounts via a proxy, which happens on Wikipedia a lot.

(I think this would probably be too tedious as there are so many proxies which change dynamically, so a bot account with admin privileges could be created instead.)
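
An added example, not part of the original thread or of SMF: one way an administrator could test the range-blocking idea from Reply #14 against the forum's own registration records before blocking anything, skipping ranges that genuine members also registered from. The record format, thresholds and function names are assumptions, and every address is constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (registration IP, account was marked as spam by a moderator).
# All addresses come from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE = [
    ("198.51.100.7", True), ("198.51.100.19", True), ("198.51.100.44", True),
    ("198.51.100.70", True), ("198.51.100.91", True), ("198.51.100.120", True),
    ("203.0.113.5", True), ("203.0.113.9", True), ("203.0.113.30", True),
    ("203.0.113.12", False),   # genuine member inside an otherwise spammy range
    ("192.0.2.14", True),      # a single spam hit, below the threshold
    ("2001:db8:aa:1::5", True), ("2001:db8:aa:2::9", True),
    ("2001:db8:aa:3::1", True),
]

def enclosing_network(ip, v4_prefix, v6_prefix):
    """Return the network of the chosen prefix length that contains ip."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def candidate_ranges(records, v4_prefix=24, v6_prefix=48,
                     min_spam=3, max_legit=0):
    """Ranges with at least min_spam spam registrations and at most
    max_legit genuine ones, with adjacent ranges merged."""
    counts = defaultdict(lambda: [0, 0])          # network -> [spam, legit]
    for ip, is_spam in records:
        net = enclosing_network(ip, v4_prefix, v6_prefix)
        counts[net][0 if is_spam else 1] += 1
    picked = [net for net, (spam, legit) in counts.items()
              if spam >= min_spam and legit <= max_legit]
    merged = []
    for version in (4, 6):                        # collapse cannot mix versions
        merged += ipaddress.collapse_addresses(
            net for net in picked if net.version == version)
    return merged

def registration_allowed(ip, blocked):
    """False if ip falls inside any blocked range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr.version == net.version and addr in net
                   for net in blocked)

if __name__ == "__main__":
    # /26 grouping is used only so the sample fits inside documentation ranges.
    for net in candidate_ranges(SAMPLE, v4_prefix=26):
        print(net)
```

Raising `max_legit` trades collateral damage for coverage, so the output is a list for an administrator to review rather than something to apply automatically.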