A few Changes

Shell City and/or Daily Rotation -- Got something to say?

Postby bob » 06/09/09, 6:27 pm

Made a few changes in board administration -- trying to stem the rising tide of spam. We had 5 new spam postings this morning, so I'm seeing what can be done. One thing -- pics no longer allowed. (Hint-png will still work...). Another, can't read the board unless you're registered. We'll try these for a while...
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby Gerry » 06/10/09, 2:24 am

Cool, but just so you know, that will stop Google and others from indexing. They will also remove all the stuff that they previously indexed.
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby JohnT » 06/10/09, 7:57 am

Why not try some kind of time limit after registering before posting or email verification?
"A man may be a fool and not know it, but not if he is married."
JohnT
BIG GIANT HEAD I Get Free Beer
Posts: 2486
Joined: 12/03/01, 12:00 am
Location: Vladivostok, Russia

Postby Dark Shadow » 06/10/09, 11:30 am

Personally I think it's because the CAPTCHA is a bit out of date and easy to automate signups.

I'm not saying create a CAPTCHA that is totally ridiculous, but perhaps something a bit more difficult to automate. For example, riddle CAPTCHAs are really big right now, or simple math problems "Two plus 2 =".

Sorry Gerry. :(
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Postby bob » 06/11/09, 12:34 pm

I'll look into strengthening the captcha... Not sure it's possible with the current board. We'll see.


"Why not try some kind of time limit after registering before posting or email verification."

This would be discouraging to new posters...

Speaking of which. New members now need admin approval temporarily. You might have noticed, I am allowing jpg and gifs again.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby bob » 06/12/09, 8:25 pm

A note--we had one spam this morning, but it was from a user who signed up before the new "admin auth" rule went into place.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby Dark Shadow » 06/13/09, 3:36 am

Another idea is to use an email confirm link that directs them to a second captcha system. Perhaps they get a 4 digit authorization code in an email they have to type into the page as well as visiting the link to activate their account. Automated signups currently don't look for that.
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am
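
The e-mail confirmation idea in the post above (an activation link plus a 4-digit code typed into the page), sketched as an added example; it is not code from this board or from phpBB. The class, function and constant names are hypothetical, and the attempt cap and expiry values are assumptions chosen because a 4-digit code has only 10,000 possible values.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed cap: a 4-digit code is guessable without one
TTL_SECONDS = 24 * 3600   # assumed lifetime of a pending registration


def _digest(value: str) -> str:
    # Hashing gives fixed-length ASCII operands for the constant-time compare.
    return hashlib.sha256(value.encode()).hexdigest()


class PendingActivations:
    """In-memory store of registrations awaiting e-mail confirmation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(link token) -> record

    def issue(self, username: str):
        """Return (link_token, code); both are sent to the member by e-mail."""
        token = secrets.token_urlsafe(32)           # goes into the activation link
        code = f"{secrets.randbelow(10_000):04d}"   # typed into the page by hand
        self._pending[_digest(token)] = {
            "user": username,
            "code": _digest(code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return token, code

    def activate(self, token: str, code: str):
        """Return the username on success, None on any failure."""
        key = _digest(token)
        rec = self._pending.get(key)
        if rec is None:
            return None
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]      # expired or locked out: register again
            return None
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["code"], _digest(code)):
            return None
        del self._pending[key]          # single use
        return rec["user"]
```
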

Postby Gerry » 06/13/09, 8:22 am

> Sorry Gerry. :(
Don't be, you are only half right :P

> Personally I think it's because the CAPTCHA is a bit out of date
Agreed, even the freeCap developer is now recommending http://recaptcha.net/

> and easy to automate signups.
I doubt it; optical character recognition is still hell bad

> I'm not saying create a CAPTCHA that is totally ridiculous, but perhaps something a bit more difficult to automate. For example, riddle CAPTCHAs are really big right now, or simple math problems "Two plus 2 =".

Even an amateur programmer could code something to automate signups using that method for protection. The idea was as an alternative method to a visual captcha as they can be completed by people who are blind, but it's certainly not more secure, it is far less secure. I would definitely prefer to hack around one of those systems than to try and read characters from an image. Computers were built to do maths and basic logic problems, that's what they are good at, but human vision is a lot more difficult.
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby Dark Shadow » 06/13/09, 11:08 am

Gerry,

I agree my idea is less secure, however, the idea isn't that a spammer can't post on your message board, the idea is that your automation protection is different than everyone else's making it difficult for automated engines to sign up and post. Somehow I doubt that these spammers are all manually posting on Shellcity, I'm thinking they are using some sort of phpbb spamming script. I agree that the current OCR scripts suck but even a child could bypass the current, highly readable CAPTCHA currently in use at Shellcity. Personally I hate hard to read CAPTCHAs which is partially why I don't recommend them.

Ultimately no matter what type of protections you put in place a spammer WILL be able to access and post to the message boards, the question is... how can we make it not worth their time without scaring everyone else away?

The neatest CAPTCHA I've ever seen was a connect 4 game that required you to win a game against an easy computer player before it displayed an easy to read number. Very cool anti-automation. Also, don't forget about flash based fade in/out numbers... yet another cool way to slow down automation.
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Postby Gerry » 06/14/09, 7:27 am

> I agree my idea is less secure, however, the idea isn't that a spammer can't post on your message board, the idea is that your automation protection is different than everyone else's making it difficult for automated engines to sign up and post.

Yeah but everybody uses the same basic questions and the script only needs to refresh until it gets a question that it understands.

> Somehow I doubt that these spammers are all manually posting on Shellcity, I'm thinking they are using some sort of phpbb spamming script.

Dunno about that. I can't be certain either way.

> I agree that the current OCR scripts suck but even a child could bypass the current, highly readable CAPTCHA currently in use at Shellcity.

You can write a script to bypass it or find me one on the net then? If a child could do it. :P

> Ultimately no matter what type of protections you put in place a spammer WILL be able to access and post to the message boards, the question is... how can we make it not worth their time without scaring everyone else away?

The only way I know that works flawlessly at the moment (now that real people are being paid to spam) is to use a respect system such as what is used by StackOverflow.com

> The neatest CAPTCHA I've ever seen was a connect 4 game that required you to win a game against an easy computer player before it displayed an easy to read number. Very cool anti-automation. Also, don't forget about flash based fade in/out numbers... yet another cool way to slow down automation.

LOL
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby bob » 06/14/09, 2:14 pm

Until we come up with something, I'm requiring admin authorization -- let Anon (our administrator) deal with it. He tells me we've had 6 requests over the last 3 days. None authorized. He also went through and deleted all the members who signed up previously, but had zero posts, because Thursday I found a spam (now deleted) from one of them. Not sure how that works. The individual (?) signed up two weeks ago, but just spammed us on Thursday. It was one of the mov->FLV->WMV converter spams. We noted a lot of sign-ups with zero posts. So we got the machete out.

Gerry, would you happen to know if the new reCAPTCHA phpBB plugin will slide neatly into the message board in place of the old freeCap one? I haven't looked into it yet.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis
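
The clean-up described in the post above (zero-post accounts from before admin approval, and an account that sat idle for two weeks before spamming), as an added audit sketch; it is not the board's or phpBB's own code. The record layout, the 7-day threshold and the sample members are constructed, and the approval start date is assumed from the date of the post announcing it.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

APPROVAL_START = date(2009, 6, 11)   # assumed: day admin approval was announced
DORMANT_DAYS = 7                     # assumed threshold for "registered, then idle"
URL_RE = re.compile(r"https?://|www\.", re.I)


@dataclass
class Member:
    name: str
    registered: date
    posts: int
    first_post_on: Optional[date] = None
    first_post_text: str = ""


def audit(members, today):
    """Return (prune, sleepers) among accounts created before admin approval."""
    prune, sleepers = [], []
    for m in members:
        if m.registered >= APPROVAL_START:
            continue                          # an admin vetted this sign-up
        if m.posts == 0:
            if (today - m.registered).days >= DORMANT_DAYS:
                prune.append(m.name)          # never posted: deletion candidate
            continue
        if m.first_post_on is None:
            continue
        idle = (m.first_post_on - m.registered).days
        if idle >= DORMANT_DAYS and URL_RE.search(m.first_post_text):
            sleepers.append((m.name, idle))   # long idle, then a link in post one
    return prune, sorted(sleepers, key=lambda s: -s[1])


# Constructed sample records, not real members of this board.
SAMPLE = [
    Member("oldtimer", date(2002, 1, 5), 120, date(2002, 1, 6), "Hello all"),
    Member("idle_a", date(2009, 5, 20), 0),
    Member("fresh_b", date(2009, 6, 9), 0),
    Member("conv_c", date(2009, 5, 28), 1, date(2009, 6, 11),
           "Best converter: http://example.invalid/flv"),
    Member("approved_d", date(2009, 6, 12), 0),
]
```
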

Postby Gerry » 06/15/09, 5:20 pm

http://recaptcha.net/plugins/phpbb/

I don't know how easy that will be to add.

One way that I just thought of that our current captcha is probably vulnerable is by the attacker displaying it on their own site and having visitors solve it:
http://en.wikipedia.org/wiki/Relay_attack
http://web.archive.org/web/200711061707 ... wD8SKE6Q80
http://www.pcmag.com/article2/0,2704,2210674,00.asp
http://www.getafreelancer.com/projects/ ... PTCHA.html
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby bob » 06/15/09, 11:33 pm

Good point, Gerry. I wasn't aware of that, but I don't see why it wouldn't work. Clever.... That sort of explains (possibly) the delay between registering and posting too. Mal-Site visitor solves captcha and registers owner of site. Then two weeks later he gets around to running the posting script? Or he just contracts out the captcha busting work. Later makes use of the info or the registrations.

Has reCAPTCHA solved this issue?
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby Gerry » 06/16/09, 12:00 pm

Seems like they have:

http://recaptcha.net/apidocs/captcha/
> Signing up for a reCAPTCHA Key
>
> In order to use reCAPTCHA, you need a public/private API key pair. This key pair helps to prevent an attack where somebody hosts a reCAPTCHA on their website, collects answers from their visitors and submits the answers to your site. You can sign up for a key on the reCAPTCHA Administration Portal.


Although personally I can't see how a key would stop this as your site is the one doing the submitting to reCaptcha. I don't think they have fully explained it, but if they say it works... then... well what they do is probably better than nothing.

A couple of years back I wanted to code a spam bot service for testing spam defense, but decided I didn't have enough time. *roll* It would be a really cool project though. Getting to clearly demonstrate how bad many of the solutions out there really are.
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby bob » 06/16/09, 2:33 pm

You'd have gotten rich off it, Gerry...
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis
