FreeOrion

Forums for the FreeOrion project
All times are UTC

PostPosted: Wed Nov 27, 2013 8:48 am 
Release Manager, Design

Joined: Wed Nov 16, 2011 12:56 pm
Posts: 4307
Location: Sol III
Ok guys, this isn't funny anymore :evil:

Today, when I made my first visit to the forums, I found a flood of spam - well, you've seen it yourself. It has gotten past bearable, obviously upping the captcha didn't help at all. With that amount of spam, the forums are going to be unusable really quickly, so we have to do something. I suggest disabling normal registration and switching to something like having to apply per email to a forum admin for an account.

Annoying, cumbersome, frustrating, will probably lead to some people not registering that would have done so otherwise - I know, but I don't see another option. Apparently spambots can defeat any automated measures that try to distinguish bots from humans.

AFAIK ATM the only forum admin is Geoff. As this would add another (needless) burden on one of our main coders, maybe we can appoint someone else as an additional forum admin who could take care of this stuff (and who'd be willing to put up with that chore of course)? I'd be willing to do it, but I won't complain if anybody else volunteers... ;)


PostPosted: Wed Nov 27, 2013 8:54 am 
Creative Contributor

Joined: Fri Jun 28, 2013 11:45 pm
Posts: 3295
I've run forums in the past and my coding doesn't get past hacking the scripting files, happy to help.

_________________
Mat Bowles

Any code or patches in anything posted here is released under the CC and GPL licences in use for the FO project.


PostPosted: Wed Nov 27, 2013 9:43 am 
AI Lead, Programmer

Joined: Sat Sep 22, 2012 6:25 pm
Posts: 4390
Geoff, can we put a limit on how frequently the captcha can be refreshed by someone trying to guess it, and/or how frequently it can be guessed? With the new difficulty level it does look hard in general, I would expect the spambots get through by refreshing a lot until they come across a relatively easy one, or else just by spamming guesses.

_________________
If I provided any code, scripts or other content here, it's released under GPL 2.0 and CC-BY-SA 3.0


PostPosted: Wed Nov 27, 2013 10:08 am 
Release Manager, Design

Joined: Wed Nov 16, 2011 12:56 pm
Posts: 4307
Location: Sol III
Dilvish wrote:
Geoff, can we put a limit on how frequently the captcha can be refreshed by someone trying to guess it, and/or how frequently it can be guessed?
But how should a limitation like that work? Because even if you limit how frequently (or often) a captcha can be refreshed, how do you prevent a bot from just retrying with a different email address if a registration attempt fails? Apparently bots can read even difficult captchas already almost as well as humans, at least well enough to get past them (even if they need several tries). Making the captchas even more difficult to decipher isn't an option, because then it becomes so difficult even for humans, that registering becomes too annoying. In that case requiring new users to write an email to an admin might be the less annoying alternative (from the user's POV of course).

IMO trying to defeat spambots while sticking to an automated registering process is a race that can't be won. Every measure an automated system can come up with can and will be defeated by another automated system (the spambots). Only humans can reliably discern bots from humans (and maybe not even humans can do that reliably, but I think still far better than any automated system).

Of course we can (and probably should) try if phpBB offers options we haven't made use of yet that might help to keep the bots away. I'm just not too optimistic, I've been watching that race for too long...


PostPosted: Wed Nov 27, 2013 10:15 am 
Programming, Design, Admin

Joined: Wed Oct 08, 2003 1:33 am
Posts: 12045
Location: Munich
Dilvish wrote:
Geoff, can we put a limit on how frequently the captcha can be refreshed by someone trying to guess it, and/or how frequently it can be guessed? With the new difficulty level it does look hard in general, I would expect the spambots get through by refreshing a lot until they come across a relatively easy one, or else just by spamming guesses.
There is a limit; the default setting is 5 attempts, and I just switched it to 3.
Quote:
Registration attempts:
Number of attempts users can make at solving the anti-spambot task before being locked out of that session.
I'd guess it looks at the IP the registration attempts are coming from.

Part of the problem is that freeorion.org is using nearly stock phpBB. The standard CAPTCHA and the questions about math and numbers of letters during registration are common enough that they have a lot of attention and effort put into solving them automatically. This gets bots access to thousands of forums that all use stock phpBB.

There are various alternatives for adding anti-bot tests, but they generally require editing the PHP. I don't know PHP and don't want any additional issues in future when updating the forum software.


PostPosted: Wed Nov 27, 2013 10:43 am 
Release Manager, Design

Joined: Wed Nov 16, 2011 12:56 pm
Posts: 4307
Location: Sol III
Geoff the Medio wrote:
I'd guess it looks at the IP the registration attempts are coming from.
Which is quite useless against botnets. If one bot fails to register and gets blocked, it can simply delegate the task to the next bot. One of several thousand will get through eventually...
Quote:
Part of the problem is that freeorion.org is using nearly stock phpBB. The standard CAPTCHA and the questions about math and numbers of letters during registration are common enough that they have a lot of attention and effort put into solving them automatically. This gets bots access to thousands of forums that all use stock phpBB.

There are various alternatives for adding anti-bot tests, but they generally require editing the PHP. I don't know PHP and don't want any additional issues in future when updating the forum software.
Which effectively leaves us not much choice but to switch to manual registration. Or do we have an alternative?
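
The point argued in the two posts above (a lockout after 3 failed attempts, possibly counted per IP, versus attempts spread over many source addresses), shown as an added example that is not part of the thread and is not phpBB code. The event format, the per-IP counting, the window and threshold values and the sample data are all assumptions made for illustration; it contrasts the per-source counter with a site-wide failure-rate check that an admin could alert on.

```python
from collections import Counter, deque

ATTEMPT_LIMIT = 3  # the value the admin says he switched to in the thread


def per_ip_lockouts(events, limit=ATTEMPT_LIMIT):
    """IPs that reach `limit` failed attempts (assumes counting is per IP)."""
    failures = Counter(ip for _ts, ip, ok in events if not ok)
    return {ip for ip, n in failures.items() if n >= limit}


def global_failure_alerts(events, window_s=600, threshold=20):
    """Timestamps at which site-wide failures inside the sliding window
    reach `threshold`, regardless of which source they came from."""
    window = deque()
    alerts = []
    for ts, _ip, ok in sorted(events):
        if ok:
            continue
        window.append(ts)
        # Drop failures that have aged out of the window.
        while window and window[0] <= ts - window_s:
            window.popleft()
        if len(window) >= threshold:
            alerts.append(ts)
    return alerts


def constructed_events():
    """Constructed sample (not real logs): 40 sources, 2 failures each,
    one attempt every 10 s, plus one human who fails once then succeeds."""
    events = []
    t = 0
    for host in range(40):
        ip = f"198.51.100.{host + 1}"  # documentation address range
        for _ in range(2):
            events.append((t, ip, False))
            t += 10
    events.append((5, "203.0.113.7", False))
    events.append((65, "203.0.113.7", True))
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print("per-IP lockouts:", per_ip_lockouts(ev))
    alerts = global_failure_alerts(ev)
    print("first site-wide alert at t =", alerts[0], "s;", len(alerts), "alerts")
```

In the constructed data no single address ever reaches the limit, so the per-IP counter stays silent while the site-wide counter fires within a few minutes.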


PostPosted: Wed Nov 27, 2013 11:52 am 
Juggernaut

Joined: Mon Feb 04, 2013 10:15 pm
Posts: 759
Is there a require posts from new members to be approved option?

I'm easily topping 100 spam posts a day on another forum (such fun to go to each post and delete)...


PostPosted: Wed Nov 27, 2013 12:15 pm 
Programming, Design, Admin

Joined: Wed Oct 08, 2003 1:33 am
Posts: 12045
Location: Munich
AndrewW wrote:
Is there a require posts from new members to be approved option?
Not that I'm aware of.
Quote:
I'm easily topping 100 spam posts a day on another forum (such fun to go to each post and delete)...
I generally delete the user, rather than delete each post. Particularly helpful when a single account posts 22+ threads.


PostPosted: Wed Nov 27, 2013 2:51 pm 
Creative Contributor

Joined: Fri Jun 28, 2013 11:45 pm
Posts: 3295
Geoff the Medio wrote:
AndrewW wrote:
Is there a require posts from new members to be approved option?
Not that I'm aware of.

IIRC, you create a 'new members' usergroup to which all new registrants are assigned, and then an 'active members' usergroup to which people that have proved they're not spammers are moved.

You put the new members group onto moderated status and move people out of it as soon as they post something constructive.

Been awhile since I had to do that on PHPbb tho so I may be misremembering.

One of the potential hazards is "I need help" posts are moderated, then cleared after active users have logged in and so the person never gets help, so it's worth whoever clears the post replying to it, etc.

It doesn't stop the spam, just hides it from display for non mods, not 100% sure it's worth the extra effort seeing as it just creates more work for a few people and a fairly small number of active users here don't see stuff briefly, as it is we all know what's going on and what a PITA it is. Definitely worth it on very active forums but...

_________________
Mat Bowles

Any code or patches in anything posted here is released under the CC and GPL licences in use for the FO project.


PostPosted: Wed Nov 27, 2013 5:51 pm 
Juggernaut

Joined: Mon Feb 04, 2013 10:15 pm
Posts: 759
Geoff the Medio wrote:
I generally delete the user, rather than delete each post. Particularly helpful when a single account posts 22+ threads.


Right, but that's admin only. In the case of that particular forum I'm a moderator so don't have the option... Get a bunch of single post spammers, multiple 20 post spammers a day (zapped two of those yesterday while they were still posting), an occasional one that goes over 20 (had a 40 yesterday), awhile back during the previous spam problem on there had one with >100 posts...


PostPosted: Thu Nov 28, 2013 7:11 am 
Creative Contributor

Joined: Thu Aug 30, 2012 12:32 am
Posts: 699
I don't mind helping shoulder the load in deleting spam posts or spam users.

_________________
Code released under GPL 2.0. Content released under GPL 2.0 and Creative Commons Attribution-ShareAlike 3.0.

