Life In 19x19
http://lifein19x19.com/

Account Registration Temporarily Disabled
http://lifein19x19.com/viewtopic.php?f=9&t=15014

Author:  Kirby [ Tue Oct 03, 2017 8:37 pm ]
Post subject:  Account Registration Temporarily Disabled

There's some spammer/bot that keeps making new accounts under different IP addresses, spamming new threads to the forum. tchan001 and I have been aggressively banning and removing the posts, but the aggressor seems to be posting under new IP addresses.

For the time being, I've disabled new account registration, until we have a better plan.

Author:  Calvin Clark [ Tue Oct 03, 2017 9:27 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

Thanks for mitigating the problem quickly.

Author:  jeromie [ Tue Oct 03, 2017 9:35 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

Thanks, Kirby.

Author:  Joaz Banbeck [ Tue Oct 03, 2017 10:25 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

I've deleted 38 spammer accounts today, and dozens of spam posts.

Author:  Bill Spight [ Wed Oct 04, 2017 1:44 am ]
Post subject:  Re: Account Registration Temporarily Disabled

Bravo, guys! :salute: :salute: :salute:

Author:  Kirby [ Wed Oct 04, 2017 6:12 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

So going forward, we have a few options:
1.) Just re-enable registration - the spammer may be bored by now.
2.) Change the captcha for registration to be more difficult.
3.) Restrict permissions on new users in some way until they've made some number of posts - for example, first X posts could require admin or moderator approval for all new users.
4.) Research phpBB mods that may have additional spam detection or functionality.

Thoughts?

Author:  jeromie [ Wed Oct 04, 2017 8:26 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

Option 1 seems optimistic, and leaves the board open to a similar attack later.

Option 3 seems like it might raise an unnecessary barrier to entry in a community that already gains new members slowly.

Options 2 and 4 seem like decent technical solutions. Which is better depends on the time investment involved for the success rate, which I don't know how to evaluate right off the bat. If you need help, let me know. I think it would be good to spread the time investment as much as possible.

Author:  tchan001 [ Thu Oct 05, 2017 12:54 am ]
Post subject:  Re: Account Registration Temporarily Disabled

In my opinion, the occasional spammers are not the problem. They are easily handled by mods.
It's the serial spammers like the one we just had recently which are the real problems. Even if you make the captcha code harder during registration, it is easy for the spam originator to make new accounts manually. Therefore it is more important to make it harder for bots to spam posts quickly. Perhaps we need to think about making a captcha code for each new post or some type of delay timer between posts to keep the amount of spam more manageable and to make banning serial spammers less demanding on mods.

Author:  daal [ Thu Oct 05, 2017 1:32 am ]
Post subject:  Re: Account Registration Temporarily Disabled

First of all, you guys did a great job handling this attack. The whole first page of new posts was spam, and more were flying in faster than I could report them. I see that at least three mods/admins were involved in the cleanup, but I do wonder whether any further measures are indeed necessary. While this attack seemed alarming, this type of attack is rather infrequent, and as far as I can tell, shutting it down involved banning the user's IP and deleting the posts, which is basically the same work as with any other spammer. I like Kirby's idea #1 best as it avoids impeding the forum users. If it turns out that robot spam attacks are a frequent problem, then by all means we should look for a technical solution that doesn't place more burden on the mods, but if it's a once-in-a-blue-moon kind of thing, then why bother?

Author:  bayu [ Thu Oct 05, 2017 1:43 am ]
Post subject:  Re: Account Registration Temporarily Disabled

Thanks to the mods handling it!

Having an extra captcha for the first post of a user might be enough to throw bots off. Another idea is to temporarily block posts from accounts when (repeated) posts are posted within seconds or some spam-filter detects something.

Author:  Joaz Banbeck [ Thu Oct 05, 2017 10:59 am ]
Post subject:  Re: Account Registration Temporarily Disabled

My solution is a combination of several ideas proposed in this thread.

The one bottleneck that every potential spammer has to go through is registration. We have to catch them there. Trying to catch them afterwards can only be done after they have damaged the forum.

We could put all new members on approval (meaning that their posts are held waiting for approval by a mod).

But any attempt to slow down spammers at registration is likely to impose a rather irritating burden on legitimate new members - and does so at a time when the interest is very tentative. An established member may tolerate the irritation of being put on approval for he knows the benefits well, but a new member may give up and go away.

My solution is this: allow new members to post unimpeded, but modify the reporting code so that if anyone reports a new user's post, the new user's account converts to approval and the new post disappears from view.

Author:  Bill Spight [ Thu Oct 05, 2017 11:25 am ]
Post subject:  Re: Account Registration Temporarily Disabled

Does timing matter? Perhaps if a user tries to make two posts in less than 15 sec., they are assumed to be a spammer?

I have noticed several sites that use the presence of links in a note to send it to moderation. Users here often post links, usually to other go sites. Perhaps we could try that approach, and some sites to link to could be white-listed.
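
A sketch of the post-time checks proposed in the two posts above (report-triggered approval, the 15-second gap, and link moderation with a whitelist). This is an added example, not part of the thread and not phpBB code; the `Member` class, the function names, the 10-post cutoff for "new" and the sample whitelist are assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_POST_GAP = 15          # seconds between posts, as suggested in the thread
NEW_MEMBER_POSTS = 10      # assumed cutoff below which a member counts as new
LINK_WHITELIST = {"lifein19x19.com", "go-site.example"}  # constructed sample list
URL_RE = re.compile(r"https?://[^\s\[\]<>\"']+", re.I)

class Member:
    def __init__(self, name):
        self.name = name
        self.visible_posts = 0
        self.on_approval = False   # True: every post waits for a moderator
        self.last_post_at = None

def link_hosts(text):
    """Lower-cased hostnames of all links in a post, with a leading www. removed."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

def route_post(member, text, now):
    """Return 'publish' or 'hold' (queued for moderator approval)."""
    gap = None if member.last_post_at is None else now - member.last_post_at
    member.last_post_at = now
    if gap is not None and gap < MIN_POST_GAP:
        member.on_approval = True          # two posts too close together
    if member.on_approval:
        return "hold"
    if link_hosts(text) - LINK_WHITELIST:  # any link outside the whitelist
        return "hold"
    member.visible_posts += 1
    return "publish"

def report_post(author):
    """A report against a new member hides the post and puts the account on approval."""
    if author.visible_posts < NEW_MEMBER_POSTS:
        author.on_approval = True
        return "hidden"
    return "queued_for_mod_review"         # established members: normal report flow
```
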

Author:  pnprog [ Thu Oct 05, 2017 11:25 am ]
Post subject:  Re: Account Registration Temporarily Disabled

Kirby wrote:
So going forward, we have a few options:
1.) Just re-enable registration - the spammer may be bored by now.
2.) Change the captcha for registration to be more difficult.
3.) Restrict permissions on new users in some way until they've made some number of posts - for example, first X posts could require admin or moderator approval for all new users.
4.) Research phpBB mods that may have additional spam detection or functionality.

Thoughts?


5) Tell that guy he is targeting the wrong place... seriously, he is spending so much time going through registration and captcha to spam a site where very few people will be able to read his message :tmbdown:

Is it possible to impose a captcha on the first 10 messages of every new member? Then the captcha disappears after the first 10 messages.

Author:  dfan [ Thu Oct 05, 2017 12:37 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

pnprog wrote:
Tell that guy he is targeting the wrong place... seriously, he is spending so much time going through registration and captcha to spam a site where very few people will be able to read his message :tmbdown:

A large part of the point of message board spam is just to plant more links to the spammer's site so the site will rise in the rankings of search engines such as Google, which use number of incoming links as a component in their measure of quality. So it doesn't matter a ton whether people read the message or not.

Author:  macelee [ Thu Oct 05, 2017 11:58 pm ]
Post subject:  Re: Account Registration Temporarily Disabled

There are a number of ways to prevent this sort of problem:

- For computer spam bots, they will complete whatever forms very quickly unlike human beings. So write some script to prevent forms from being submitted too quickly.
- Implement 'honey pot' - that is some fields in the registration form with some attractive names such as 'homepage', 'url', etc. Use CSS to hide such fields so they will not be seen by normal users. But computer bots are normally silly enough to fill something in these fields so such registrations can be blocked easily.
- I don't remember if we need an email address in the registration process. If yes, certain domains can be easily blocked, such as .xyz (no normal people would use such domains for email).
- In all of the above cases, IP addresses are recorded and banned automatically, but only for a number of hours (just in case some legitimate users are using these IPs).
- Use some professional services to filter all traffic before it is acted upon.
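
The registration checks listed in the post above (minimum fill time, honeypot fields, blocked e-mail TLDs, temporary IP ban), combined in one screening step. This is an added example, not part of the thread and not phpBB code; the `form_token` field, the HMAC-signed render time, the 5-second threshold and the 6-hour ban length are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"       # assumption: secret kept on the server
MIN_FILL_SECONDS = 5                   # assumed threshold for a human filling the form
BAN_SECONDS = 6 * 3600                 # "a number of hours"; 6 is an assumed value
BLOCKED_TLDS = {"xyz"}                 # the example given in the post
HONEYPOT_FIELDS = ("homepage", "url")  # present in the form, hidden with CSS

def issue_token(now):
    """Signed render time embedded in the form, so the client cannot alter it."""
    ts = str(int(now))
    return ts + "." + hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def token_age(token, now):
    """Seconds since the form was rendered, or None if the token is invalid."""
    ts, _, mac = token.partition(".")
    good = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    return now - int(ts)

class RegistrationScreen:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.bans = {}                 # ip -> time at which the ban expires

    def check(self, ip, form):
        """Return (accepted, reason) for one registration attempt."""
        now = self.clock()
        if self.bans.get(ip, 0) > now:
            return False, "ip_temporarily_banned"
        self.bans.pop(ip, None)        # drop an expired ban, if any
        age = token_age(form.get("form_token", ""), now)
        tld = form.get("email", "").rpartition(".")[2].lower()
        if any(form.get(f, "").strip() for f in HONEYPOT_FIELDS):
            reason = "honeypot_filled"
        elif age is None or age < MIN_FILL_SECONDS:
            reason = "submitted_too_fast"
        elif tld in BLOCKED_TLDS:
            reason = "blocked_email_tld"
        else:
            return True, "ok"
        self.bans[ip] = now + BAN_SECONDS   # ban expires on its own
        return False, reason
```
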

Author:  Joaz Banbeck [ Fri Oct 06, 2017 11:31 am ]
Post subject:  Re: Account Registration Temporarily Disabled

macelee wrote:
There are a number of ways to prevent this sort of problem:

- For computer spam bots, they will complete whatever forms very quickly unlike human beings. So write some script to prevent forms from being submitted too quickly.
- Implement 'honey pot' - that is some fields in the registration form with some attractive names such as 'homepage', 'url', etc. Use CSS to hide such fields so they will not be seen by normal users. But computer bots are normally silly enough to fill something in these fields so such registrations can be blocked easily...


That would inhibit bots, but the latest spammers did new accounts at a rate of approximately one every two minutes, which suggests that they had a human in the loop.

Author:  Matti [ Wed Apr 24, 2019 8:37 am ]
Post subject:  Re: Account Registration Temporarily Disabled

Can one include noindex and nofollow tags in the posts of new forum members? When the member has been established we could stop adding the tags. This would frustrate the spammers' attempts to increase Google rank.

Author:  hyperpape [ Thu Apr 25, 2019 7:19 am ]
Post subject:  Re: Account Registration Temporarily Disabled

Will spammers even check? I assume they just target anything that looks like phpBB, with no manual intervention. Even if they don't get Google juice, having posts from them appear on here is an annoyance.

All times are UTC - 8 hours [ DST ]