
#76 2010-05-10 23:02:13

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: Anti Spam in core

I'm not keen on adding it into 1.4.0, if at all. However what might be a good idea is to rename some of the required fields in the register form, which will block a large number of old bots which are targeting PunBB 1.2. Obviously they could be updated to handle the change easily, but it would be a short term solution that would take literally 2 mins to implement.

Offline

#77 2010-05-11 06:39:10

sirena
Member
From: AU
Registered: 2008-05-10
Posts: 172

Re: Anti Spam in core

Just do the release for 1.4.0 with no special anti-spam.

But then bump anti-spam measures to the top of the development queue for 1.4.1.

Offline

#78 2010-05-13 07:29:20

sirena
Member
From: AU
Registered: 2008-05-10
Posts: 172

Re: Anti Spam in core

Aside from an optional question/answer mod at the front-end, as previously discussed, I would also like to suggest for the core of 1.4.1 a (probably) reasonably simple anti-spam addition at the back-end: a drop-down option in the admin area to let admins choose to optionally use either:

Botscout
http://www.botscout.com/code.htm

or StopForumSpam:
http://www.stopforumspam.com/apis

(or use both) in the FluxBB registration or posting process.

Both have public APIs and existing code samples for forum registration.

Other anti-spam services could also be used or added to the list over time but those two have the advantage of being very focussed on blocking forum spam.

Offline

#79 2010-05-21 13:00:23

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: Anti Spam in core

Reines wrote:

I'm not keen on adding it into 1.4.0, if at all. However what might be a good idea is to rename some of the required fields in the register form, which will block a large number of old bots which are targeting PunBB 1.2. Obviously they could be updated to handle the change easily, but it would be a short term solution that would take literally 2 mins to implement.

Should I go ahead and do this? It should cut down the spam slightly at least in the short term, until we can decide on a better long term strategy.

sirena wrote:

We are using StopForumSpam here at the moment, and it is catching a few. If you look at the list of contributors we've caught a fair few spammers in the couple of weeks since I implemented the antispam stuff :)

The problem is I don't like the idea of coding stuff into the core that relies on 3rd party services. If nothing else, we've had at least one false positive here so far, which isn't really acceptable if it's part of the core and the site admin doesn't understand exactly what is going on.

Offline

#80 2010-05-21 13:32:11

Paul
Developer
From: Wales, UK
Registered: 2008-04-27
Posts: 1,653

Re: Anti Spam in core

The first does no harm. For the second, wouldn't a maintained mod be better?


The only thing worse than finding a bug is knowing I created it in the first place.

Offline

#81 2010-05-21 18:38:35

quy
Administrator
From: California
Registered: 2008-05-09
Posts: 926

Re: Anti Spam in core

Looking at the stats, 3806 blocked vs 1 false positive is a really good ratio. My vote is to add it to the core and the board owner can decide to enable it or not. It is better than nothing without having to install a mod.

Last edited by quy (2010-05-21 18:44:38)

Offline

#82 2010-05-21 19:36:58

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: Anti Spam in core

90% of those blocked are by the honeypot idea, not StopForumSpam. The count there is how many we have reported to them, not necessarily just ones found by them.

It's more like 1 (that bothered to actually email us) vs 400 blocked.

Offline

#83 2010-05-21 19:53:28

FSX
Former Developer
From: NL
Registered: 2008-05-09
Posts: 818
Website

Re: Anti Spam in core

Paul wrote:

The first does no harm. For the second, wouldn't a maintained mod be better?

I agree with Paul.

Offline

#84 2010-05-26 05:56:58

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,719
Website

Re: Anti Spam in core

Wouldn't it be even meaner to mark the honeypot with class "required" and adjust the JavaScript accordingly to ignore hidden fields? Maybe bots make their decision based on that class...


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#85 2010-08-26 04:52:38

hcgtv
Member
From: Charlotte, NC
Registered: 2008-05-07
Posts: 463
Website

Re: Anti Spam in core

Yesterday, I updated a forum running a mixture of PunBB 1.2.x and security updates from the stable FluxBB 1.2.x branch to a stable FluxBB 1.2.23 release.

I've got some really bad news to report, my registrations jumped from an average of 5 to 10 a day to 27 yesterday and 49 so far today. On this forum, the user list link on the top navigation wasn't being shown to guests nor members, though they could still key in userlist.php in the url, and I wasn't linking to user profiles for newest member or the online list. I see FluxBB 1.4.2 has these measures in place, glad to see them, but it's not deterring human registrations, sad to say.

This afternoon, I installed the very simple bot registration mod and left the standard arithmetic questions in place, I got 6 registrations in a very short period of time. I changed the questions to text based answers, like "Where is Paris?", and the human registrations continued, another 8 so far. User ids vsabr and vsabr2 mark the spot where I implemented these measures.

What I don't get, is why would someone take the time to register on a forum, where the web spiders don't index the user list nor the links in the footer to the user profiles? They do verify their registrations, so as to change their group_id from 32000 to 4, but they never post. Should they post, Akismet is waiting, but it hasn't been needed for quite some time. I do lament not seeing Russian porn ads greeting me in the morning on the Akismet admin screen, but on the other hand I'm glad it has deterred spam.

All I can say, and I've said it before, is that PunBB has been a very easy target for a very long time. The last couple of days proves one thing to me, that FluxBB is an even bigger target. I truly don't have the answer to the bot/spam riddle, and by the look of this thread, I don't think anybody does. But one thing is for certain, either you start fighting these assh*les in the core, with the best measures at hand, or your small project will not grow its user base.

The simple reason that these measures have to be core, is that very few users are willing to install mods, which leaves a very high percentage of forums vulnerable, so the script kiddies and human slaves with a list of "Powered by FluxBB" at their disposal, can and will continue to screw with all of us.

One last thing, food for thought, it doesn't take a genius to figure out that FluxBB is GPL code. Any enterprising individual can take the 1.4.2 branch, slap on some anti bot/spam measures and re-release under another name.

This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes.

Morpheus to Neo in the movie The Matrix.

Offline

#86 2010-08-26 08:48:59

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: Anti Spam in core

The problem is, as you said, they are human spammers. They still seem to sign up here as well even though there is absolutely nothing to be gained since user profiles are hidden to guests (and hence web spiders).

Maybe if we made user profiles hidden to guests by default, then they might eventually figure it out and give up?

The only other solution I can think of is to make the registration process too much hassle to be worth it, but obviously that would affect real users too so isn't an option.

Offline

#87 2010-08-26 12:48:53

quy
Administrator
From: California
Registered: 2008-05-09
Posts: 926

Re: Anti Spam in core

I installed the very simple bot registration mod

It is easy to defeat this mod by repeatedly using the same hashed question value and answer. Maybe someone will write a mod to use the textcaptcha.com service and apply it to registration, signature and website pages in profile, and first posting. All of these are done once so it won't be too much of a hassle for the users.

Last edited by quy (2010-08-26 12:50:48)

Offline
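
An added example, not part of quy's post or of the mod's code: one way to stop a question/answer challenge from being reused is to bind each challenge to an expiry and a single-use nonce under a server-side HMAC key. The question list, key, function names and the in-memory nonce store are assumptions made for illustration.

```php
<?php
// Added example; not FluxBB or mod code. All names here are hypothetical.
const SECRET = 'replace-with-random-server-side-key'; // constructed placeholder
const TTL = 600; // seconds a challenge stays valid

// Constructed sample questions; answers are compared lower-cased.
$QUESTIONS = [
    ['q' => 'Where is Paris?', 'a' => 'france'],
    ['q' => 'What colour is grass?', 'a' => 'green'],
];

// Issue a challenge. The form carries only the question index, an expiry,
// a random nonce and a MAC over all three; the answer stays on the server.
function issue_challenge(array $questions, int $now): array {
    $idx = random_int(0, count($questions) - 1);
    $exp = $now + TTL;
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', "$idx|$exp|$nonce", SECRET);
    return ['idx' => $idx, 'exp' => $exp, 'nonce' => $nonce, 'mac' => $mac];
}

// Verify a submission. $used holds spent nonces (a DB table in a real forum,
// an array here; entries can be purged once their expiry has passed).
// Returns 'ok' or the reason for rejection.
function verify_challenge(array $questions, array $c, string $answer, int $now, array &$used): string {
    foreach (['idx', 'exp', 'nonce', 'mac'] as $k) {
        if (!isset($c[$k])) return 'malformed';
    }
    $expect = hash_hmac('sha256', "{$c['idx']}|{$c['exp']}|{$c['nonce']}", SECRET);
    if (!hash_equals($expect, (string)$c['mac'])) return 'bad-mac';
    if ($now > (int)$c['exp']) return 'expired';
    if (isset($used[$c['nonce']])) return 'replayed';
    // Spend the nonce before checking the answer: one guess per challenge.
    $used[$c['nonce']] = (int)$c['exp'];
    $right = $questions[(int)$c['idx']]['a'];
    return hash_equals($right, strtolower(trim($answer))) ? 'ok' : 'wrong-answer';
}

// Demonstration with a constructed timestamp: the same form values are
// accepted once, then rejected when submitted again or after expiry.
$used = [];
$now = 1282826933;
$c = issue_challenge($QUESTIONS, $now);
$answer = $QUESTIONS[$c['idx']]['a'];
echo verify_challenge($QUESTIONS, $c, $answer, $now + 5, $used), "\n";
echo verify_challenge($QUESTIONS, $c, $answer, $now + 6, $used), "\n";
$late = issue_challenge($QUESTIONS, $now);
echo verify_challenge($QUESTIONS, $late, $answer, $now + TTL + 1, $used), "\n";
```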

#88 2010-08-26 17:29:26

hcgtv
Member
From: Charlotte, NC
Registered: 2008-05-07
Posts: 463
Website

Re: Anti Spam in core

Reines wrote:

Maybe if we made user profiles hidden to guests by default, then they might eventually figure it out and give up?

With measures in place, from a default install, over time the registrations should ease up. At this point they just register out of habit, since they don't realize it will make no sense at all on the latest FluxBB 1.4.2.

Some more ideas:
* Have an option to not show users with 0 posts in the user list.
* User management plugin by Connor shipped as default, it's what I've been using to trim out users that never confirm their registrations (over 11,000 deleted by this plugin at hcgtv.net).
* These two threads at phpBB offer more measures they've implemented, from 2006 and 2009.

Reines wrote:

The only other solution I can think of is to make the registration process too much hassle to be worth it, but obviously that would affect real users too so isn't an option.

I think it's about making it not worth it to register anymore. As for those that think that captchas will make it hard for those with disabilities to register, well you can use Flite to read them the generated text. Flite is installed at Dreamhost, my hosting provider, so it should be on others, if not, then just ask for it.

What I would like to see are various options for the admin to choose from, like quy mentions, there's also textcaptcha. One of the nicer spam solutions in a forum is the spam_hurdles module from Phorum. There's no reason to reinvent the wheel, Rickard knew that, here too, and here.

After all, it's about collectively fighting these bots and human spammers. Let the spammers go find another open forum to pick on, they'll end up seeing what FluxBB did and the cycle will get repeated. Eventually, like the fiasco that was trackbacks, bots and spammers will just have to find somewhere else to peddle their wares.

Offline

#89 2010-08-27 10:00:19

Gil
Member
From: France
Registered: 2008-05-10
Posts: 175

Re: Anti Spam in core

hcgtv wrote:

Some more ideas:
* Have an option to not show users with 0 posts in the user list.

Good idea.
In the same way, what about an (inscription option of) automatic deletion of users if there are no posts after a time-out, one or two days by default?

Offline

#90 2010-08-27 15:36:20

hcgtv
Member
From: Charlotte, NC
Registered: 2008-05-07
Posts: 463
Website

Re: Anti Spam in core

Gil wrote:

In the same way, what about an (inscription option of) automatic deletion of users if there are no posts after a time-out, one or two days by default?

Gil, for now you can use Connor's User Management plugin on the PunBB.org downloads page. It works fine on FluxBB 1.2.23, which is the version I run at hcgtv.net. That particular plugin and Connor's Forum Cleanup plugin are prime candidates to be brought over to FluxBB and checked against 1.4.2.

With the help of the User Management plugin, that I run every morning, I've trimmed down the number of users from over 25,000 to just 179 in a few days.
My parameters, from the rules page:
4. Any email registrations not confirmed within 24 hours will have their user profile deleted.
5. Should you confirm your email, but fail to post within 7 days, your user profile will get deleted.

Once I'm comfortable that using the above parameters is having an effect, I'll copy out the appropriate lines from the User Management plugin and create a standalone php file, with hardcoded parameters, that I can call from a daily cron job.

These are the top 10 countries hitting hcgtv.net: United States, Israel, China, India, Poland, Russian Federation, Pakistan, Germany, Greece, Philippines. Next up, I'm thinking of selectively excluding a country at a time from registering to see what effect it has, just curious where the majority of the human spammers are coming from.

There's a lot of Pun/Flux forums out there with 1,000's of users that can be trimmed. Yeah it might look great that your forum has 15,000 members, but unless you plan on being the next Facebook, you're leaving open spam holes where a user that looked benign one day, decides to sign back on and change his or her signature or website link to point to fake Gucci bags.

Personally, I'm tired of people that rather than contribute to the Net, are just using it to peddle their wares or to game search rankings. Many years ago, I disabled commenting on all my sites, it became a nightmare to manage, since I moderated each and every comment.

Windows greets me in the morning with an assuring female voice telling me that my anti-virus has been updated. Our web-apps should give us the same feeling, that they're looking out for us, protecting us, female voice optional.

Offline
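
An added example, not code from the User Management plugin or from hcgtv: a dry-run selection pass for the two pruning rules quoted in the post above (24 hours unconfirmed, 7 days without a post). The column names `id`, `group_id`, `registered` and `num_posts`, the measurement of the 7 days from registration, and the sample rows are assumptions; group ids 32000 and 4 are the ones named in the thread.

```php
<?php
// Added example; names and sample data are hypothetical.
const GROUP_UNVERIFIED = 32000;          // unverified group id named in the thread
const GROUP_MEMBER     = 4;              // group id after e-mail confirmation
const UNCONFIRMED_TTL  = 24 * 3600;      // rule 4: 24 hours
const NO_POST_TTL      = 7 * 24 * 3600;  // rule 5: 7 days (from registration, assumed)

// Return [user id => reason] for accounts the two rules would delete.
// Accounts in any other group (administrators, moderators, custom groups)
// are never selected, so a wrong parameter cannot remove staff accounts.
function select_prunable(array $users, int $now): array {
    $out = [];
    foreach ($users as $u) {
        $group = (int)$u['group_id'];
        $age = $now - (int)$u['registered'];
        if ($group === GROUP_UNVERIFIED && $age > UNCONFIRMED_TTL) {
            $out[(int)$u['id']] = 'unconfirmed after 24 hours';
        } elseif ($group === GROUP_MEMBER
                  && (int)$u['num_posts'] === 0 && $age > NO_POST_TTL) {
            $out[(int)$u['id']] = 'confirmed, no posts after 7 days';
        }
    }
    return $out;
}

// Constructed sample rows covering each branch.
$now = 1282923380;
$day = 86400;
$users = [
    ['id' => 2,  'group_id' => 1,     'registered' => $now - 900 * $day, 'num_posts' => 0],  // staff: kept
    ['id' => 10, 'group_id' => 32000, 'registered' => $now - 2 * $day,   'num_posts' => 0],  // rule 4
    ['id' => 11, 'group_id' => 32000, 'registered' => $now - 3600,       'num_posts' => 0],  // still in window
    ['id' => 12, 'group_id' => 4,     'registered' => $now - 30 * $day,  'num_posts' => 0],  // rule 5
    ['id' => 13, 'group_id' => 4,     'registered' => $now - 30 * $day,  'num_posts' => 12], // has posted: kept
];

// Dry run: log what would be removed and review it before wiring up deletes.
foreach (select_prunable($users, $now) as $id => $why) {
    echo "would delete user $id: $why\n";
}
```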
