forum spam...

[wayskobfssae]

Just out of curiosity, thought maybe some of you folks would have some experience in this. Not necessarily looking for a solution, but I'm at least curious to what others have seen/heard.

Over roughly the past year, heavy spam attacks have managed to infiltrate just about every popular piece of message board software out there. Admins and mods are unable to figure out how they're getting in, and the most they've been able to manage is hiring a healthy dose of moderators to kill them quickly and efficiently. But what the heck is going on? Where is this sudden surge coming from or what caused it? Have the bots learned how to interpret the graphical codes (the ones that users have to type in to prove that they're human)? Is anything being done to put a crackdown on it? Every single one of my boards (except 3DR) has been hit, and everyone feels pretty much helpless to do anything about it.

[ADM]

3DR has it as well.. the difference is the ones that you find that slip through all of those things aren't bots, but humans.

Also those "graphical codes" aka captcha suck. Most bots can go around them.. have a look at this test that some guys did:
http://www.cs.sfu.ca/~mori/research/gimpy/

Oh and some reasons not to use captcha:
http://www.bestkungfu.com/?p=445

Best things to do are email verification PLUS human verification.. so someone signs up and they are forced to approve their registration via email, then they are added to a mod queue to be approved by the admin.

That's how we have it here, that way you filter out the bots (who don't approve emails, though having said that some can) and then they still have to get past the human test (ie you manually approving accounts.. you can tell what is suspicious or not).

[Foxy]

There's a flood of the damned things at my home-forum. My guess is they queue up registrations in advance and pay lackies to defeat the verification in bulk. Then the bots go spam with the accounts.

[jimbob]

is there a good way to secure a guesty book aswel? those need to be simple enough for any dimwit to leave a message but secure enough to keep spam bots out.

a site of a friend is being spammed with auto generated commercials ( with URL tags wich dont work ) but we want to stop it but preferably without an graphical code or other sign up stuff because its a guest book. thanks.

[Iggy]

Quote:

Originally Posted by ADM

Best things to do are email verification PLUS human verification.. so someone signs up and they are forced to approve their registration via email, then they are added to a mod queue to be approved by the admin.

Based on my personal experience with a board I run this is a very good solution. About 99% of the spambots get stopped before they can do any harm. I also advice this to other admins who are dealing with spambots signing up.

Of course next to this are forums where there is actually a section where admins/mods put the topics in that spambots created, like it actually has a value or something. Really silly if you ask me.

Quote:

Originally Posted by jimbob

is there a good way to secure a guesty book aswel? those need to be simple enough for any dimwit to leave a message but secure enough to keep spam bots out.

Perhaps putting new entries on hold for approval could be an option but I doubt this will stop spambots.

I have a tagboard and a guestbook at almost all of my sites and the funny thing is that the guestbook gets haunted by spambots where the tagboard (which techically exactly the same) is being left competely unharmed. It's like spambots react on keywords such as 'guestbook' or something.

[Usurper]

Had a problem with 3 or 4 spammers a week. On my forum, I put the following on the registration page:

Quote:

Attention New Members

This board requires email validation. Please keep the following in mind:
If you don't validate your registration within 24 hours, I am going to assume you are a spambot and delete the registration.
If you register with an AOL email address, AOL is likely to block the registration email, mistaking it for spam. Sorry, there's nothing I can do about that.
If you are using a hotmail, yahoo, or gmail account and you don't get the registration email within 20 minutes, make sure you check your bulk or junk messages folder in case it was sorted there.

Set validating entries to delete if not validated in 24 hours. Then, unfortunately, I was forced to block all *@*.ru email addresses, since most of the spammers were using Russian email addresses.

It worked quite well. Out of the last 15 registrations, only 1 has been suspect, but with no spam in the sig, we've let it be so far.

[Destroyer]

oh ya spam blows. we have forums for out local university ACM chapter and we get about 5 new spam accounts created everyday. and i have to go manually delete them. what sucks is we dont have acces to the server the forums are running from so we cant even really change anything.

[jimbob]

Quote:

Originally Posted by Iggy

Perhaps putting new entries on hold for approval could be an option but I doubt this will stop spambots.

I have a tagboard and a guestbook at almost all of my sites and the funny thing is that the guestbook gets haunted by spambots where the tagboard (which techically exactly the same) is being left competely unharmed. It's like spambots react on keywords such as 'guestbook' or something.

that might work, i noticed that the spam is considerably less than what it used to be so maybe the admin got some filter working or something. i havent had the chance to speak to him about it.

[Yatta]

Quote:

Originally Posted by ADM

3DR has it as well.. the difference is the ones that you find that slip through all of those things aren't bots, but humans.

They can be bots as well. I was able to get rid of them on Duke4.net by adding a required custom profile field with heavily restricted input requirements.

Quote:

Best things to do are email verification PLUS human verification..

I've found human verification is not much better. Bots these days tend to use the same e-mail addresses as humans, so you really can't tell if the "person" signing up is a machine or not.

[Jiminator]

i have suggested it on other forums, but how about something that auto-kills bans users posting urls/images in their first few posts?

[Yatta]

Not a good idea at all. What if the URLs and images are sources of useful/relveant information that they registered just to share with other forum members, or if their first post confidentially contains something like that?

[Mongorian]

Having to manually type in a random code that is placed inside an image that only a human eye can see is a great way to get rid of bots.

[ADM]

Quote:

Originally Posted by jiminathare

i have suggested it on other forums, but how about something that auto-kills bans users posting urls/images in their first few posts?

Something like this could work. I use something similar in my comments on brightfalls.com -- if someone posts more than 5 links in one post then it gets tagged automatically as spam and sent to a queue.

I think the best way to avoid getting spam is use the Akismet API.

Quote:

Originally Posted by Mongorian

Having to manually type in a random code that is placed inside an image that only a human eye can see is a great way to get rid of bots.

See my second post. Captcha images are useless.

[Foxy]

Not if you don't use text. Maybe have a dozen different images of household objects, and ask 'what is this?' TopWebComics does a similar thing with comic characters when you vote.

[ADM]

Quote:

Originally Posted by Foxy

Not if you don't use text. Maybe have a dozen different images of household objects, and ask 'what is this?' TopWebComics does a similar thing with comic characters when you vote.

In that case then yes it wouldn't be as useless as the current implementations are. The problem though then would be that the item you use would have to be visually accepted amongst many cultures.

[Hendricks266]

Quote:

Originally Posted by ADM

Quote:

See my second post. Captcha images are useless.

Correct. Ever heard of OCR (Optical Character Recognition)?

[Foxy]

Straight OCR only works on printed text. It won't beat obfuscated captchas.

[PlayfulPuppy]

I saw a great CAPTCHA system a while ago that served a fantastic double-purpose.

When signing up, you had to read through the forum rules and take an 'entrance exam' that made sure that both:

a) You could understand and respond to english, and therefore are not a robot.
and b) That you understood (And were made to remember) the forum rules.

The system still leaves a few problems in its wake, however:

a) It takes a good 10 minutes or so to sign up, so it would only really work well for special interest sites. More general sites such as MySpace or Yahoo, that (Partially) depend on users joining quickly and without hassle wouldn't benefit. Those who are thinking that 10 minutes to join a site is far too long and annoying, remember you only have to register once.

b) While you could rotate through a selection of questions, a well-targeted bot could learn the responses in no time. Yet again, special interest sites are not affected as much, as most are only prone to drive-by spamming as opposed to focused, intentional attacks.

c) It still doesn't stop the low-pay sweatshop workers from breaking through. It can act as a deterrant, however, as these people probably get paid by the site or have to maintain a quota, so spending 10 minutes on a single page is a complete waste of their time when they could make about 100 other accounts on other pages during that period.

So, all up, this is probably my favorite unmoderated technique. It discourages spammers, drive-by trolls and also has the bonus of making sure new users fully understand at least a good section of the forum rules.

For larger sites, or sites that are still growing and need the user throughput, I'd probably recommend KittenAuth. It's quick and easy for users, almost impossible for a drive-by bot to decipher if implemented correctly, and it's darn cute. It doesn't stop the sweatshop workers, but paired with an email verification system and diligent moderation you should be as spam-free as you can possibly get.

[edit] As a note, I don't believe that the pictures that the KittenAuth testbed uses are chosen very well, as many of the pictures look startlingly similar (Such as those of foxes and dogs). However, the theory is sound.

[ShadeEX]

I just ran into one of those spammers over at Ritualistics forum.. named Talk123 apparently they sell phones

Needles to say i told them to get lost and reported the user too the admins..

They just never learn do they

[Altered Reality]

Quote:

Originally Posted by Hendricks266

Correct. Ever heard of OCR (Optical Character Recognition)?

What about using a "reverse CAPTCHA"? I mean an algorithm which, instead of obfuscating a word, creates pictures with lots of useless characters among few characters that must be typed in? Something like this (in this case, you'd be supposed to type in "captcha"):

[Little Conqueror]

That's a very good idea.

[Nacho]

Quote:

Originally Posted by Little Conqueror

That's a very good idea.

I'm inclined to agree.

[wayskobfssae]

A logic test might even be better. Something that requires a certain degree of intelligence, such as finding the word that doesn't fit in with the others.

It would also be nice if Captcha required a form of user input OTHER than the keyboard, and something other than the most basic web form, which is the easiest for a bot to mimick.

A java applet or a flash movie of some kind could actually track mouse coordinates to determine if the cursor motion was linear or not.

[Little Conqueror]

Perhaps an animated captcha image could work, too. It has a bunch of slow frames, showing the letters one at a time with a bunch of excess letters in different colors.

[theHunted]

yey, this is fun
Let me jump in with my idea:

An image that lists 10 words or random strings each with a different unique color. The first line in the image says something like "Please type the red string in the textbox". All of this could be written with an easy to read font and a layout that is easy to read, not like the current captchas where even humans can have a hard time to read the code at times. It features both, the need for intelligence (identifying the color from the instruction), as well as the confusion factor of having multiple strings in the same image. Yet it's still very simple and easy to understand.

Possible drawbacks I can think of right now: When using more than, say, 10 strings with different colors it might become hard to distinguish between colors (e.g. is it a light brown or an orange!?).
Other than that I cant think of drawbacks right now.

Props go out to wayskobfssae and Altered Reality . I think my idea is a fine blend of your suggestions.

edit: To make it even more secure, instead of simple strings one could put simple mathematic equations like (1+2, 5+10, 66-1). The user would have to type the correct number in the textbox. Note that I don't believe this to be 100% uncrackable, but all of this would add a lot to the complexity of a system to hack this I believe. (No bragging intended but I once had to write a little OCR application using neural nets for a class at university).

[SonnyBonds]

What about color blind people?

[theHunted]

Quote:

Originally Posted by SonnyBonds

What about color blind people?

*starts to feel a little unconfortable*
Seriously I hope I didn't piss off anybody. I really didn't think about that option at all. There goes my concept down the drain. I guess there might be a reason why there's still the same old sort of captchas.

[Nacho]

Altered Reality has the best idea yet.

[Altered Reality]

Thanks.

[wayskobfssae]

Has 3d-rendered text been tried before? Might seem a bit outlandish, but I can't see any modern computer breathing too heavy having to make a low-detail graphic like that.

[Hendricks266]

There's one problem with your example… it's really granular and hard to read.

[wayskobfssae]

Well, most of what is already generated to thwart bots is hard to read.

[IHerman]

How about this one.

It would automatically make it impossible for a lot of people to register altogether but it's fun and probably nearly impossible to break. (although I don't think it's impossible)

[wayskobfssae]

ABC

Not sure how hard it is for a computer to 'decrypt' that though..

[NetNessie]

Sure as hell I can't

[Altered Reality]

Just like there are colorblind people, there are people who don't have stereovision (e.g. they are strabic, or blind from an eye). They will NEVER be able to see the hidden word in IHerman's example.

[wayskobfssae]

Quote:

Originally Posted by Altered Reality

Just like there are colorblind people, there are people who don't have stereovision (e.g. they are strabic, or blind from an eye). They will NEVER be able to see the hidden word in IHerman's example.

There are blind people who surf the net too, and can't make use of ANY kind of graphical failsafe.

[NetNessie]

There are auditory captcha's, but I've only seen MSN and Google use them so far.

[Killd a ton]

Quote:

Originally Posted by IHerman

How about this one.

It would automatically make it impossible for a lot of people to register altogether but it's fun and probably nearly impossible to break. (although I don't think it's impossible)

he im usualy good at theas but right now im using a small (3.6") screen with a high dpi (640x480 you do the math), I think I 16 after som fighting x(

theres also speech recognition software out there so audio isn't bulid proof either.

how about writing something offensive and then asking if it hurt the users fealings as computers dosen't have thows :P

How abou having to answer yes now to a list of images "is this food?" showing a picture of a burger or boot.
ofcause the images should be passed threw a script with a url based on a md5 of the session id or something like that.

negated querys seams a good option too.
also how about seporating the text that the user has to enter from the input bux and having an invisible dummy input next to the text, then name the real input something runrelated like "nickname" (the real nickname input could be named "nick"), ofcause just about any methode get inefective once it gets populare or is chalanged by sweat shops.
only thing that I would think could work againt sweat shops is complex english gramma (lotso of spam is gramaticaly very incorrect), ofcause lots of humans would fail this one to (probably my self). And time consuming tasks.

[ADM]

Have a look at what you need to do to register to these forums now, it's called NoSpam! and it's basically custom questions that need to be answered to sign up.

Bots arn't intellegent enough to answer custom specific questions so it blocks out all spam (this tied in with captcha does a pretty good job).

I set this nospam mod up at the official Alan Wake forums and it's done pretty well, spam is still slipping through but the ones that do arn't bots but humans. We get a tonne of spam over there and it's cut away quite a bit of it, it's my ongoing attempt at fighting them and I'm always looking at ways to stop spam from humans more than bots.