Discussion in 'Security & Legal Issues' started by Dilip, Nov 23, 2011.
1. email verification (yes, very basic)
2. Antispam mod
3. Always online
Do share ideas.
That's pretty much it at the moment, we don't seem to need anything more.
E-mail verification. Obviously a step in slowing down here.
Human-readable questions (because the re-CAPTCHA compromise is about 11 months old now and we got positively slammed as soon as it hit). The bots are getting better at reading odd CAPTCHA, but they still can't tell me the color of grass and the sky apparently.
Limitations on posting images, links, private messages based on usergroup/number of posts (it's a very small requirement of 10 posts, but we only count posts in specific forums towards that total, and we have a bypass for new paid subscriber/contributor accounts). Most bots'll just sit there and futilely try to send PM spam. Human posters will run around looking for where the right forums are and will post obvious drivel that I or any of my moderators can deal with.
Constant vigilance (I keep odd hours and an always-on computer).
All moderators regardless of assigned forum have access to Delete Post As Spam with an attached infraction that goes to a forum all moderators have access to see. The temp ban usually kicks in by the second such post deleted.
Don't usually have a problem, but the few times we do (like January's re-CAPTCHA splatter) we've been able to contain it relatively quickly.
It also helps that as a roleplaying forum, we all have thematic names. All lowercase names/names with numbers immediately raise flags.
lol, a sprinkle of all those, but after we put in "question" no more auto bots showed up.
Occasionally we'll get a human entrant who can figure out the answer, but not a single bot for years now has ever answered our true question/answer test.
Question seems to be a good idea.
Had CAPTCHA for first 5 posts, removed since it was hurting new posts. It is there by default in registration I think.
Yeah, we only have it set up for registration, and also for the Contact Us page as well I think.
Yeah, by default XenForo has it in for registrations and for non-registered users attempting to use the Contact Us box.
And yes, the plaintext questions seem to be doing well against the automated spammers. At least until they hire somebody for five cents to read through them and write down all the possible answers for a given site and record it, or until the bots go through another iteration of getting smarter. =)
lol Isn't that the truth
We'll keep with the simple setup until we start getting more spammers getting through and then look into further options. I'll probably add some random questions at some point in time
Great, now I have a mental image of turning forum registrations into the Dark Brotherhood sentry doors.
"What is the color of night?"
"Sanguine, my Brother."
"Forum registration COMPLETE!"
Don't even go there... it's not beyond the realms of possibility that I wouldn't do something like that
I use slightly different methods depending on the site software but in general it's email verification, ReCAPTCHA and a simple Q&A for registration. That generally takes care of the bots and human spammers are dealt with within minutes by me or another admin/mod. If it's a forum running on SMF I also use an anti-spam mod.
Something that did amuse me no end recently, I installed SMF on one of my domains to test something out. I forgot to delete the installation and didn't revisit it for around three months. When I returned it had a thriving community of bots mostly extolling the virtues of a Canadian pharmaceutical company. The number of users, threads and posts were in the thousands. There was more activity there than on some of my forums
E-mail verification, CAPTCHA, and good old-fashioned moderating.
When we ran vBulletin (and a larger forum) we used a system where we could submit spam that slipped through into a database. All posts from new members would be checked, and if they looked fishy, they were sent into moderation to be checked by a moderator. At which point if it was a spam account instant ban, if it was a legit user that somehow triggered the checks we'd make the thread public.
Just being around is your best line of defense though. A lot of spam is subtle, like signature spamming, and a lot of times it's not a bot but an actual person doing the spamming. In those cases, you just gotta get your hands dirty.
Love zappa's spambot story. I had that happen on a phpBB I'd set up and left running for a year while forgetting I had it up.
Which illustrates Brad's point: If only we'd been checking those forums!
We had a spam bot invasion on an outdated vB 3.x forum I was moderating last year. I swear, I spent 6 months fighting that war, every day when I got online in the morning I was greeted by pages upon pages of threads and posts from spam bots.
I did my best to keep it clean, but it wasn't until I finally got an admin to take notice and help me out that we mostly solved the problem. Even with a "spam guard" in place sometimes things would slip through, or new members would have to wait up to 24 hours until their posts were approved. I pretty much kept the place spam free for nearly a year on my own.
The worst part was I did such a good job that people really didn't notice. So when I finally did mention it to a member one day I got verbally assaulted and was told that I didn't do anything. So much for appreciation, right?
Humans are too precious to replace
Admin verification. But I have a really small community, not feasible for larger ones.
Most sites I make use:
Question and Answer
and if the forum is IPB (which it usually is) I use the spam service that comes with an active license.
Disable Registrations. 100% effective.
But when I did that, it killed my forgotten phpBB3 community of bots selling each other Canadian pharmaceuticals.