Hey look, it's spamday!

Talk about anything and everything related or unrelated to the FreeOrion project, especially Strategy Games.
Vezzra
Release Manager, Design
Posts: 4652
Joined: Wed Nov 16, 2011 12:56 pm
Location: Sol III

Re: Hey look, it's spamday!

#16 Post by Vezzra » Wed Nov 27, 2013 8:48 am

Ok guys, this isn't funny anymore :evil:

Today, when I made my first visit to the forums, I found a flood of spam - well, you've seen it yourself. It has gotten past bearable, obviously upping the captcha didn't help at all. With that amount of spam, the forums are going to be unusable really quickly, so we have to do something. I suggest disabling normal registration and switching to something like having to apply per email to a forum admin for an account.

Annoying, cumbersome, frustrating, will probably lead to some people not registering that would have done so otherwise - I know, but I don't see another option. Apparently spambots can defeat any automated measures that try to distinguish bots from humans.

AFAIK ATM the only forum admin is Geoff. As this would add another (needless) burden on one of our main coders, maybe we can appoint someone else as an additional forum admin who could take care of this stuff (and who'd be willing to put up with that chore of course)? I'd be willing to do it, but I won't complain if anybody else volunteers... ;)

MatGB
Creative Contributor
Posts: 3310
Joined: Fri Jun 28, 2013 11:45 pm

Re: Hey look, it's spamday!

#17 Post by MatGB » Wed Nov 27, 2013 8:54 am

I've run forums in the past and my coding doesn't get past hacking the scripting files, happy to help.
Mat Bowles

Any code or patches in anything posted here is released under the CC and GPL licences in use for the FO project.

Dilvish
AI Lead, Programmer
Posts: 4707
Joined: Sat Sep 22, 2012 6:25 pm

Re: Hey look, it's spamday!

#18 Post by Dilvish » Wed Nov 27, 2013 9:43 am

Geoff, can we put a limit on how frequently the captcha can be refreshed by someone trying to guess it, and/or how frequently it can be guessed? With the new difficulty level it does look hard in general, I would expect the spambots get through by refreshing a lot until they come across a relatively easy one, or else just by spamming guesses.
If I provided any code, scripts or other content here, it's released under GPL 2.0 and CC-BY-SA 3.0

Vezzra
Release Manager, Design
Posts: 4652
Joined: Wed Nov 16, 2011 12:56 pm
Location: Sol III

Re: Hey look, it's spamday!

#19 Post by Vezzra » Wed Nov 27, 2013 10:08 am

Dilvish wrote:Geoff, can we put a limit on how frequently the captcha can be refreshed by someone trying to guess it, and/or how frequently it can be guessed?
But how should a limitation like that work? Because even if you limit how frequently (or often) a captcha can be refreshed, how do you prevent a bot from just retrying with a different email address if a registration attempt fails? Apparently bots can read even difficult captchas already almost as well as humans, at least well enough to get past them (even if they need several tries). Making the captchas even more difficult to decipher isn't an option, because then it becomes so difficult even for humans, that registering becomes too annoying. In that case requiring new users to write an email to an admin might be the less annoying alternative (from the user's POV of course).

IMO trying to defeat spambots while sticking to an automated registering process is a race that can't be won. Every measure an automated system can come up with can and will be defeated by another automated system (the spambots). Only humans can reliably discern bots from humans (and maybe not even humans can do that reliably, but I think still far better than any automated system).

Of course we can (and probably should) try if phpBB offers options we haven't made use of yet that might help to keep the bots away. I'm just not too optimistic, I've been watching that race for too long...

Geoff the Medio
Programming, Design, Admin
Posts: 12268
Joined: Wed Oct 08, 2003 1:33 am
Location: Munich

Re: Hey look, it's spamday!

#20 Post by Geoff the Medio » Wed Nov 27, 2013 10:15 am

Dilvish wrote:Geoff, can we put a limit on how frequently the captcha can be refreshed by someone trying to guess it, and/or how frequently it can be guessed? With the new difficulty level it does look hard in general, I would expect the spambots get through by refreshing a lot until they come across a relatively easy one, or else just by spamming guesses.
There is a limit; the default setting is 5 attempts, and I just switched it to 3.
Registration attempts:
Number of attempts users can make at solving the anti-spambot task before being locked out of that session.
I'd guess it looks at the IP the registration attempts are coming from.

Part of the problem is that freeorion.org is using nearly stock phpBB. The standard CAPTCHA and the questions about math and numbers of letters during registration are common enough that they have a lot of attention and effort put into solving them automatically. This gets bots access to thousands of forums that all use stock phpBB.

There are various alternatives for adding anti-bot tests, but they generally require editing the PHP. I don't know PHP and don't want any additional issues in future when updating the forum software.

Vezzra
Release Manager, Design
Posts: 4652
Joined: Wed Nov 16, 2011 12:56 pm
Location: Sol III

Re: Hey look, it's spamday!

#21 Post by Vezzra » Wed Nov 27, 2013 10:43 am

Geoff the Medio wrote:I'd guess it looks at the IP the registration attempts are coming from.
Which is quite useless against botnets. If one bot fails to register and gets blocked, it can simply delegate the task to the next bot. One of several thousand will get through eventually...
Geoff the Medio wrote:Part of the problem is that freeorion.org is using nearly stock phpBB. The standard CAPTCHA and the questions about math and numbers of letters during registration are common enough that they have a lot of attention and effort put into solving them automatically. This gets bots access to thousands of forums that all use stock phpBB.

There are various alternatives for adding anti-bot tests, but they generally require editing the PHP. I don't know PHP and don't want any additional issues in future when updating the forum software.
Which effectively leaves us not much choice but to switch to manual registration. Or do we have an alternative?
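
Added example, not part of the original posts and not phpBB's code: a Python sketch of the per-source attempt limit discussed in posts #20 and #21, run over constructed registration events, next to a site-wide failure count a forum admin can watch when failures are spread across many addresses. The event format, the window and threshold values and all function names are assumptions made for this illustration.

```python
from collections import defaultdict

MAX_ATTEMPTS = 3          # per-source limit mentioned in the thread
WINDOW = 600              # seconds; assumed value for this example
SITEWIDE_THRESHOLD = 10   # failed attempts per window; assumed value

def build_sample():
    """Constructed events: (unix_time, source_ip, captcha_solved)."""
    # One noisy source that keeps failing from the same address.
    events = [(1000 + 5 * i, "198.51.100.7", False) for i in range(5)]
    t = 2000
    for host in range(1, 13):            # 12 distinct sources
        for _ in range(2):               # each stays under the limit
            events.append((t, f"203.0.113.{host}", False))
            t += 10
    events.append((t, "203.0.113.12", True))
    return events

def per_source_lockout(events, limit=MAX_ATTEMPTS):
    """Apply a per-IP failure limit; return (locked_ips, evaluated, rejected)."""
    failures = defaultdict(int)
    locked, evaluated, rejected = set(), [], 0
    for ts, ip, solved in sorted(events):
        if ip in locked:                 # already locked out: not evaluated
            rejected += 1
            continue
        evaluated.append((ts, ip, solved))
        if not solved:
            failures[ip] += 1
            if failures[ip] >= limit:
                locked.add(ip)
    return locked, evaluated, rejected

def sitewide_bursts(evaluated, window=WINDOW, threshold=SITEWIDE_THRESHOLD):
    """Map window start -> (failures, distinct sources) where failures reach threshold."""
    buckets = defaultdict(lambda: {"fails": 0, "ips": set()})
    for ts, ip, solved in evaluated:
        if not solved:
            bucket = buckets[ts - ts % window]
            bucket["fails"] += 1
            bucket["ips"].add(ip)
    return {start: (b["fails"], len(b["ips"]))
            for start, b in buckets.items() if b["fails"] >= threshold}

if __name__ == "__main__":
    locked, evaluated, rejected = per_source_lockout(build_sample())
    print("locked out:", sorted(locked), "rejected attempts:", rejected)
    print("site-wide bursts:", sitewide_bursts(evaluated))
```

On the constructed data the per-source limit locks out only the single repeating address, while the site-wide count flags the window in which many addresses each failed fewer than three times.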

AndrewW
Juggernaut
Posts: 767
Joined: Mon Feb 04, 2013 10:15 pm

Re: Hey look, it's spamday!

#22 Post by AndrewW » Wed Nov 27, 2013 11:52 am

Is there a require posts from new members to be approved option?

I'm easily topping 100 spam posts a day on another forum (such fun to go to each post and delete)...

Geoff the Medio
Programming, Design, Admin
Posts: 12268
Joined: Wed Oct 08, 2003 1:33 am
Location: Munich

Re: Hey look, it's spamday!

#23 Post by Geoff the Medio » Wed Nov 27, 2013 12:15 pm

AndrewW wrote:Is there a require posts from new members to be approved option?
Not that I'm aware of.
AndrewW wrote:I'm easily topping 100 spam posts a day on another forum (such fun to go to each post and delete)...
I generally delete the user, rather than delete each post. Particularly helpful when a single account posts 22+ threads.

MatGB
Creative Contributor
Posts: 3310
Joined: Fri Jun 28, 2013 11:45 pm

Re: Hey look, it's spamday!

#24 Post by MatGB » Wed Nov 27, 2013 2:51 pm

Geoff the Medio wrote:
AndrewW wrote:Is there a require posts from new members to be approved option?
Not that I'm aware of.
IIRC, you create a 'new members' usergroup to which all new registrants are assigned, and then an 'active members' usergroup to which people that have proved they're not spammers are moved.

You put the new members group onto moderated status and move people out of it as soon as they post something constructive.

Been awhile since I had to do that on phpBB tho so I may be misremembering.

One of the potential hazards is "I need help" posts are moderated, then cleared after active users have logged in and so the person never gets help, so it's worth whoever clears the post replying to it, etc.

It doesn't stop the spam, just hides it from display for non mods, not 100% sure it's worth the extra effort seeing as it just creates more work for a few people and a fairly small number of active users here don't see stuff briefly, as it is we all know what's going on and what a PITA it is. Definitely worth it on very active forums but...
Mat Bowles

Any code or patches in anything posted here is released under the CC and GPL licences in use for the FO project.

AndrewW
Juggernaut
Posts: 767
Joined: Mon Feb 04, 2013 10:15 pm

Re: Hey look, it's spamday!

#25 Post by AndrewW » Wed Nov 27, 2013 5:51 pm

Geoff the Medio wrote:I generally delete the user, rather than delete each post. Particularly helpful when a single account posts 22+ threads.
Right, but that's admin only. In the case of that particular forum I'm a moderator so don't have the option... Get a bunch of single post spammers, multiple 20 post spammers a day (zapped two of those yesterday while they were still posting), an occasional one that goes over 20 (had a 40 yesterday), awhile back during the previous spam problem on there had one with >100 posts...

yandonman
Creative Contributor
Posts: 699
Joined: Thu Aug 30, 2012 12:32 am

Re: Hey look, it's spamday!

#26 Post by yandonman » Thu Nov 28, 2013 7:11 am

I don't mind helping shoulder the load in deleting spam posts or spam users.
Code released under GPL 2.0. Content released under GPL 2.0 and Creative Commons Attribution-ShareAlike 3.0.
