Forums

Unfortunately no one can be told what FluxBB is - you have to see it for yourself.

You are not logged in.

#51 2010-05-07 23:10:42

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629
Website

Re: Anti Spam in core

Why helping people protecting their board from spam wouldn't make sense? It's not perfect? Ok, not an issue. An imperfect temporary answer is better than none at all... no?

Offline

#52 2010-05-07 23:12:05

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,719
Website

Re: Anti Spam in core

Ah, I think I did a bad job of explaining. Jamie already sad it in this post. Especially the first sentence...


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#53 2010-05-08 16:41:26

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629
Website

Re: Anti Spam in core

Yup.

But what I meant is that at least 90% of the forum admins don't have the skills to do that on their own. And since there's no plugin no more, only ugly hacking, even with a tutorial on how to do it is not an easy answer (by the way, most people would blindly follow such a tutorial, meaning spambots coders would still be attacking only one known defense, exactly as if it was core in the first place).

Even if the proposed solution would only protect against 30% of the spambots after several month of adaptation, that's still 30% less spam.

I mean, frankly I do _not_ understand how this is not a major, a critical issue for the dev team. It has been demonstrated several times over the past years by long time users that Pun/Flux is attacked by spambots already. How can you not want to address this?

Especially when a solution exist. A probation status for new registered account, with their post under Akismet oversight, and an admin backend warning and listing of such spammers accounts?

Offline

#54 2010-05-08 19:26:37

Gil
Member
From: France
Registered: 2008-05-10
Posts: 175

Re: Anti Spam in core

I agree with Jérémie: an antispam tool should be core
I agree with the dev' team: a not complete, unsatisfactory or temporary solution shouldn't be in core

Even if there is no perfect anti-spam tool, a satisfactory solution could exist for the forum. My idea of such a perfect solution:

  • during install, a question: do you want to install an anti-spam tool?

  • if yes, ajax connection to the site to download the list of possible tools/extensions

  • selection of one (or several if compatibles) tool

  • automatic dowload and installation

Of course, this is a solution without worrying about possible technical problems ... For example if a tool need contexts - but it may be possible to use flat files and not sql database, to avoid tables modifications. With a limited numbers of hooks (2 or 3) for each useful operation (registering, posting a post as guest - or not, tool administration), why not?

If such a system were possible, it would have the following advantages:

  • no anti-spam solution directly in core

  • list of solutions is not fixed: antispam tool can be added, modified or removed

  • Everybody is happy! big_smile

Offline

#55 2010-05-09 03:57:06

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629
Website

Re: Anti Spam in core

Seems like a good idea yes.

Offline

#56 2010-05-09 08:11:04

Peeter
Member
Registered: 2010-04-26
Posts: 27

Re: Anti Spam in core

Why AJAX and not a GET call through PHP?

Offline

#57 2010-05-09 12:35:21

Gil
Member
From: France
Registered: 2008-05-10
Posts: 175

Re: Anti Spam in core

Peeter wrote:

Why AJAX and not a GET call through PHP?

Why not! I just wanted to focus to the real time request (not a static list delivered with the forum package).

[Edit] "Why not" in the meaning: why not PHP GET; it's OK, I didn't want to focus to the used technology.

Last edited by Gil (2010-05-09 16:46:39)

Offline

#58 2010-05-09 13:11:26

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629
Website

Re: Anti Spam in core

Because AJAX mean Javascript, meaning it won't work if it's disabled on the client side.

Last edited by Jérémie (2010-05-09 13:11:35)

Offline

#59 2010-05-09 14:21:19

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: Anti Spam in core

Personally, I can't see any valid reason for not implementing a basic system in core, i.e: something along the lines of the multiple question/answer mod. I know I'm probably backtracking on what I may have said in the past on this subject, but when you actually think about it, why not?

It won't stop all spam. Nothing will. Bots will be adapted. They can only be adapted to the basic mod, not the personalised questions. Nothing will ever be a complete solution, but the text based variable answer/question allows enough variation without having any real pitfalls to not be a serious consideration for a standard core implementation. In all honesty, it is about time some basic system was provided in core.

The more you think about it, the more the 'bot adaptation' argument becomes moot. Saying the bots will adapt to any system which is provided as standard is like saying things like Recaptcha are now useless because the bots have had plenty of time to adapt. That's not the case. It may be less effective, but it still has some effect.


Screw the chavs and God save the Queen!

Offline

#60 2010-05-09 14:30:34

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: Anti Spam in core

The argument of bots adapting (at least in my view) is in relation to the honeypot kind of idea, it is incredibly easy for a bot to counter should it wish to. I'm not saying it doesn't have potential, I'm just saying it isn't a perfect solution.

In regards to a question+answer solution, they can be effective, but require the board admin to come up with a good list of questions+answers, and personally I don't like them. My argument against including them in the core would be that FluxBB is meant to be minimal, I wouldn't want a question answer system so from my point of view it would be a waste.
I'm sure some people who implement their own systems would agree, and the majority of people would probably disagree with that. However I would think if we could ship a good set of mods with the core, it would be a good enough compromise.

I realize mods can be a pain to install without an extension system, but on the assumption that they would be installed on a clean copy (since they come with the download) I don't think it would be too hard to write a tool that would automatically apply the mod, making it a 1 click procedure.

Sorry if my thoughts aren't quite as clear as they could be, I wrote this in a rush as I gotta go out!

Offline

#61 2010-05-09 14:39:35

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629
Website

Re: Anti Spam in core

Agreed on the question system. It has some benefits, but as pointed out as drawbacks as well (for the admin, for the legitimate registering user).

Bots can adapt to honeypots (with some works, we're talking about dynamic honeypots here... with random names and source position), but some won't. It gives breathing space.

As for probation user & Akismet, I don't see any drawbacks to that. Just make it an option in the backend (use it for users under X posts & Y age; or don't use it), and a little tool to mass delete bots registration caught by it. Yes that would be two more options in the backend, slightly against the "lightest software possible" paradigm, but it's one of the most important. How many forum admin you know don't want at least some level of spam protection?

Offline

#62 2010-05-09 15:00:34

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: Anti Spam in core

Reines wrote:

I'm not saying it doesn't have potential, I'm just saying it isn't a perfect solution.

That's the main point though. There is no perfect solution. Never has been and never will be. Better to have the Sow's ear than no pig at all though.


My argument against including them in the core would be that FluxBB is meant to be minimal.

There's a difference between minimal and functional though. I personally believe that 'point' is overly used on occasion as a convenient get out clause. Adding an anti-spam solution would add no weight as such. A few extra K in the download files, and a system which is only run on registration, (possibly on post and edit too, depending on the implementation). It's not as if it's something which is being run on every page load, hence is having absolutely no detrimental effect on the minimalist approach, and is actually implementing something oft requested, (and, in all honesty, required), to the core system.


I wouldn't want a question answer system so from my point of view it would be a waste.
I'm sure some people who implement their own systems would agree, and the majority of people would probably disagree with that. However I would think if we could ship a good set of mods with the core, it would be a good enough compromise.

I'm not saying it specifically has to be that one. It was just the first usable example which sprung to mind. If adding something like this were adding a couple of meg to the download package size, or running a convoluted function on every page load, I could understand the compromise stance. It is doing neither, however. In all honesty, I've changed my view to the way of thinking that not implementing at least one core option is merely preaching minimalism for the sake of it, and not for any real world reason. In all honesty, who cares if the adopted implementation is a bit naff? Who cares if there are better solutions? At the end of the day, even if something is supplied which only stops one spammer out of every ten, that's one spammer which won't grace a board.

It is about time to get off the minimalist high horse on this subject. Minimal is fine. Impeding functionality isn't. Put it to a vote. Not for whether it ought be included or not, but merely which solution ought be included. Give them a list and let them decide. The winner gets included by default, with an admin panel option to toggle it on/off. As keep on with this minimal point though, you could argue that supplying more than one stylesheet with the base distro is overkill and excess fluff. Who needs more than one style, for example?

No matter how you look at it, all of the arguments against supplying one solution in core boil down to either requiring a level of perfection which can never be achieved by any solution, or just plain old personal opinion/preference. There is actually no valid, real world argument for not doing so.

Btw, I am actually one of those lucky sods who suffers very little from spammers, so I'm not just arguing this point because I would personally find it useful. I'd ne'er likely have need, in all truth. big_smile

Sorry if my thoughts aren't quite as clear as they could be, I wrote this in a rush as I gotta go out!

No problem. It came across perfectly well. smile

Last edited by MattF (2010-05-09 15:28:36)


Screw the chavs and God save the Queen!

Offline

#63 2010-05-09 15:32:54

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: Anti Spam in core

In fact, thinking about it, it could also make adding any additional spam solutions easier too. If the system is already incorporated in the relevant files to include a file which has the core solution code/function in it, adding extra measures could simply be a case of mod authors offering an updated version of that include file as their mod, negating the need for most, (if not all), code hacking to implement spam solutions, or at least minimising the amount of work required. It would be removing a large part of the possibility for cocking something up with a mod inclusion, code wise.


Screw the chavs and God save the Queen!

Offline

#64 2010-05-09 17:55:30

ridgerunner
Member
Registered: 2008-06-24
Posts: 183
Website

Re: Anti Spam in core

I agree that some basic protection should be built in. Here are some arguments for the Q&A solution:

  • Its simple and should be pretty effective.

  • If for some reason the admin doesn't want any Q&A, the question count is simply set to zero.

  • Forums tend to focus on a specific topic (e.g. my favorites focus on Hang Gliding, Science, FluxxBB, Regular Expressions, etc.). People joining a specific forum tend to have specific knowledge pertaining to the forum and are in a good position to be able to answer a specific question. In fact, people will be much less annoyed (than trying to squint and read some obfuscated word), and may actually enjoy answering a question relevant to the topic.

  • Administrators can tailor the specificity of the questions. An exclusive forum might ask a highly specific question to weed out anyone who does not qualify (including "human bots"). In fact, this could be a form of authentication allowing only members (who know the "secret password") to join up. On the other end of the spectrum, the questions could be made super easy (or there could be no questions at all.)

  • For the lazy administrator, the forum install script can automatically generate a set of questions and answers based on simple (random) arithmetic (mixing words and numbers). I just wrote a simple function (less than 2KB) to do just that. Here is an example list of 10 questions and answers I had it generate:

    1. Q: "What is 9 - four?"  A: "5"

    2. Q: "What is 8 subtract 2?"  A: "6"

    3. Q: "What is 7 subtract 6?"  A: "1"

    4. Q: "What is two added to five?"  A: "7"

    5. Q: "What is 5 subtract one?"  A: "4"

    6. Q: "What is 5 multiplied by 1?"  A: "5"

    7. Q: "What is 3 multiplied by one?"  A: "3"

    8. Q: "What is eight - three?"  A: "5"

    9. Q: "What is two * 4?"  A: "8"

    10. Q: "What is 5 - five?"  A: "0"

    Now a bot could be written to break this, but it would work quite nicely as the first moat around the castle. (Note: the words in these questions here are english, but they could easily be internationalized as part of the selected language pack.)

Offline

#65 2010-05-09 18:02:53

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,719
Website

Re: Anti Spam in core

I do agree, that having an anti-spam solution in core (next minor version, probably?) is justified.

Obviously all these solutions have their downsides and there should be none (enabled) as default, as they would either get adapted to fairly quickly or they could be unnecessary or annoying in some other cases.

The best would probably to have multiple of these in core, with the ability to enable/disable them seperately.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#66 2010-05-09 18:21:24

FSX
Former Developer
From: NL
Registered: 2008-05-09
Posts: 818
Website

Re: Anti Spam in core

Why the next minor release? Fluxbb 1.4.0 will be download more than 1.4.1, because it's a major release. People will probably base their opinion on 1.4.0. And how long would it take to release 1.4.1?

Offline

#67 2010-05-09 18:25:05

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,719
Website

Re: Anti Spam in core

Because we're in RC3? This feature would delay the release too much (plus we're in feature freeze). The stuff needs to be planned, implemented, tested, tweaked...

As for how long it takes, that depends entirely on us.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#68 2010-05-09 18:58:06

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: Anti Spam in core

Franz wrote:

Because we're in RC3? This feature would delay the release too much (plus we're in feature freeze). The stuff needs to be planned, implemented, tested, tweaked...

I'd have to disagree, personally, (not about being in feature freeze, obviously big_smile). To say that it would cause any untoward delay, or to suggest it has the possibility of introducing any problematic bugs or such is incorrect. If you could honestly create a spam prevention system which could cock things up that much, I would personally tip my hat to you, because that would be a nigh on impossible to achieve cockup. There really cannot be much simpler a task to do. Besides, most anti-spam implementations have already received widespread testing in everyday use, so their base reliability is a known factor. The only possible place a problem could be introduced is in the implementation, and I severely doubt that between the whole of the Dev team that you could manage to let an appreciable problem slip through in what is, theoretically, such a minor update.

As for implementing it now, I would have to agree with FSX. This should be added now, not in the next minor release. A feature freeze does not absolutely exempt the addition of any new features, merely unnecessary or problematic ones.


Screw the chavs and God save the Queen!

Offline

#69 2010-05-09 19:18:35

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,719
Website

Re: Anti Spam in core

MattF wrote:

As for implementing it now, I would have to agree with FSX. This should be added now, not in the next minor release. A feature freeze does not absolutely exempt the addition of any new features, merely unnecessary or problematic ones.

Really? I think that's a contradiction, but then again, "feature freeze" hasn't really been defined here wink

However, the main problem I see with implementing this is:
1. We'd have to decide on components etc. (that requires discussion, "voting", decisions and that will take time as we're probably talking about multiple components).
2. There are always bugs and unforeseen complications wink
3. Please post a patch if it is that easy tongue Granted, this probably is "just" a feature that should be possible to solve fairly easy, but then it is not a small one and you probably exaggerated (willingly or not).

Note: I do favor a core solution now (I know, I'm changing my opinion very quickly tongue), but I really really really don't want to see the release pushed back any longer.

P.S.: I would really like to hear Jamie's take on this big_smile


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#70 2010-05-09 19:39:46

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: Anti Spam in core

Franz wrote:
MattF wrote:

As for implementing it now, I would have to agree with FSX. This should be added now, not in the next minor release. A feature freeze does not absolutely exempt the addition of any new features, merely unnecessary or problematic ones.

Really? I think that's a contradiction, but then again, "feature freeze" hasn't really been defined here wink

Terminology mismatch, methinks. big_smile Feature might actually be the incorrect term for something such as this, hence it was probably worded poorly.


However, the main problem I see with implementing this is:
1. We'd have to decide on components etc. (that requires discussion, "voting", decisions and that will take time as we're probably talking about multiple components).
2. There are always bugs and unforeseen complications wink
3. Please post a patch if it is that easy tongue Granted, this probably is "just" a feature that should be possible to solve fairly easy, but then it is not a small one and you probably exaggerated (willingly or not).

Note: I do favor a core solution now (I know, I'm changing my opinion very quickly tongue), but I really really really don't want to see the release pushed back any longer.

P.S.: I would really like to hear Jamie's take on this big_smile

1) Granted, that would introduce some delay, but when is the final non RC version due for release, realistically? If that's not on the cards for several weeks, a one week vote would introduce no delay.

2) Good point. You have to admit though, it would be damned hard to introduce a biggie with something like this. big_smile

3) Hell, if you lot will honestly say yup, we'll include it in final, (and a decision is made on the specific inclusion), I bloody well would submit a patch if necessary. big_smile I've put my two penneth in, so I'd make sure I backed my opinion up if necessary. big_smile Personally, I do regard it as a small inclusion, btw. Might just be my perspective which differs of what constitutes large though. big_smile


Screw the chavs and God save the Queen!

Offline

#71 2010-05-09 19:41:07

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,719
Website

Re: Anti Spam in core

MattF wrote:

Personally, I do regard it as a small inclusion, btw. Might just be my perspective which differs of what constitutes large though. big_smile

I guess that would probably depend on what we would include.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#72 2010-05-09 19:52:43

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: Anti Spam in core

Franz wrote:

I guess that would probably depend on what we would include.

True. A core option ought be a relatively simple one though, as it would need to be something which didn't depend on any non-standard compile type features of PHP, has no accessibility problems, doesn't do biased blocking, (for example, I.P based), so that pretty much does limit it to non-complex solutions or including an external solution which most likely has an existing API of some sort, so it should, (theoretically), be quite small and straight forward on the amount of coding and integration required.


Screw the chavs and God save the Queen!

Offline

#73 2010-05-09 23:52:59

sirena
Member
From: AU
Registered: 2008-05-10
Posts: 172

Re: Anti Spam in core

Wow, so many smilies in this thread. smile neutral big_smile yikes wink lol

I like ridgerunners (and in the past, Jacky's) approach of having at least a simple Q and A system (randomised or custom question lists) in the core (combined with a 3-5 failed attempts timed lockout).

And franz's idea "The best would probably to have multiple of these in core, with the ability to enable/disable them seperately." is also excellent.

It's a good design goal for any anti-spam system to introduce a great degree of variation in the registration procedure of FluxBB installs, to make it harder for bot scripts to perform consistently against Flux sites, and slow down potential human attackers contracted to collect bulk forum registrations too.

Offline

#74 2010-05-10 08:07:41

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629
Website

Re: Anti Spam in core

One thing: I frankly can't imagine anyone enjoying answering a question, as it has been suggested. It's a hassle; which may be worth it (or downright indispensable) to prevent spam and bot registration. But it's still a hassle.

Having a second tool of Probation Status for newly registered users linked to Akismet seems much more effective and less a hassle for the user imo.

On another matter, I do find an anti spam feature absolutely needed, but I can understand the will to release Flux shortly. After all, when was the latest stable (production) revision? 3, 4 years ago when Rickard was still on board? It's kind of a running, on-going joke right now, one that should probably be put to rest.

So imo having it for 1.4.1 seems fine, if 1.4.1 doesn't take a lifetime (read: like 3 months) to get out.

However, since plugin are out, having the hook in 1.4 in place would limit .patch problems down the line. Something simple, like an empty antispam.php file and a:

require_once(antispam.php);

where this stuff is supposed to be called.

Offline

#75 2010-05-10 22:58:18

Gil
Member
From: France
Registered: 2008-05-10
Posts: 175

Re: Anti Spam in core

Jérémie wrote:

On another matter, I do find an anti spam feature absolutely needed, but I can understand the will to release Flux shortly. After all, when was the latest stable (production) revision? 3, 4 years ago when Rickard was still on board? It's kind of a running, on-going joke right now, one that should probably be put to rest.

So imo having it for 1.4.1 seems fine, if 1.4.1 doesn't take a lifetime (read: like 3 months) to get out.

+ 23 609 567 234 007 big_smile

Please stop to add and to add and to add... (Especially after years claiming "no antispam in core").
I *am* for anti-spam solution in core (or tool during install); but I think it is - not only for me; for fluxBB product - more urgent to have got a stable version (with the new 1.4 functions; merge/split UTF-8; read topic tracking; feeds). Why waiting more and more months? (sure; it will not take some weeks; at least even solution is not defined). If it a "small" change, you can deliver a stable 1.4, discuss about anti-spam, and 1.4.1 will come in some months; if it is small, the upgrade will not be difficult. If the change is not as small as you think (define solution, discuss, code, test => RC4, discuss again...), the 1.4 will not come before 6 month or more; it would be a shame. FluxBB needs a (new) stable and recent release, as soon as possible. At least it is my opinion.

Offline

Board footer

Powered by FluxBB