[Scummvm-devel] We need to upgrade our forums

D G Turner d.g.turner at ntlworld.com
Thu Dec 26 15:23:34 CET 2013


Eugene,
  As I have been fielding the manual registrations of the spambots,
  along with you and Strangerke, I tend to agree.

  However, I was surprised this was happening and checked the admin
  setup of our current phpBB2 forums.

  While what you indicate is true and I have offered to help look at
  this at some point, I did realise that the majority of these
  registrations are from bots with usernames of exactly ten characters,
  but no pattern, so can't ban them by pattern matching... even in the
  standard phpBB3 install AFAIK. A third party antispam mod is required.

  But I was surprised that they were getting through our current phpBB2
  registration which needed both visual (CAPTCHA) and textual question
  confirmation of humanity.

  While CAPTCHA can be broken or "Mechanical Turked", the textual
  confirmation should be fairly resistant if the questions are chosen
  well, so I checked this.

  The result was that I have replaced our current textual confirmation
  questions with a new set. For future reference, some notes on choosing
  these:
  1. Do not choose questions with Yes/No answers as the bot will just
     try both options. Ditto for limited lists such as colors or numbers
     between 1 and 20.

  2. Google the question and see if it would be fairly trivial to infer
     the answer from a quick text parse engine on the results i.e.
     I removed the question:
     "The protagonist in Monkey Island is Guybrush ...?"
     as Google results showed "Guybrush Threepwood" very clearly and
     writing a bot to do this is fairly trivial.

  3. Limit the question list to only a few questions i.e. 5-10 max
     and change them occasionally if the bot spam volume increases.

  4. Prefix the "real question" to prevent bots using websites to
     "Mechanical turking" humans into breaking the text i.e.
     SCUMMVM Antispam Asks "What .... "?

     This ensures that a dumb bot solution will clearly show our name
     and antispam in the question and thus should socially prevent the
     breakage in most cases... Changing the questions periodically is
     the other solution.

  As with passwords, it doesn't matter how up to date the system
  is if the password is weak, so if, in future, admins could abide
  by these rules when choosing the textual confirmation questions, then
  the spammers should be limited to the manual and human ones.

  A few rules for dealing with these:
  1. We should retain the current manual registration confirmation as
     removing the spambots, the registration volume is not high enough
     to be onerous on the admins and it is a good idea to have a human
     check.

  2. Check the username and e-mail address on new registrations against
     known spammers in the SFS database:
     http://www.stopforumspam.com/

  3. Google the username/e-mail and see if the result indicates a known
     spammer or a human profile.

  4. Give benefit of doubt i.e. you should assume that a registration
     is a human / non-spammer if there is no evidence to the contrary.
     If this proves wrong later, we can ban/delete or otherwise deal
     with the user, but barring any evidence of known bot/spam, we
     should approve the registration.

  I hope we should notice the spambots drop to zero registrations for
  the foreseeable and this should give us the time to do the phpBB3
  upgrade in a timely, but relaxed manner.
Thanks,
David Turner

On 25/12/13 07:38, Eugene Sandulenko wrote:
> Hi Team,
> 
> We're stuck on ancient phpBB2 and that is hurting us. Spammers are active
> like there is no tomorrow and we're getting tens of bot registration
> attempts daily.
> 
> Also our current user base is infested with all those bot accounts which
> pop up from time to time (delayed spamming) and start their job.
> 
> So we really really need to switch from phpBB2 to something else.
> 
> This came so much to me that I am willing to do the work by myself if
> nobody would volunteer.
> 
> I know that in the past there were several attempts to do that, so please
> contact me and provide me with any information/work in progress which you
> have.
> 
> Eugene
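
The notes on choosing confirmation questions in the message above can be checked mechanically before a new set goes live. The following is an added example, not part of the original e-mail or of phpBB; it covers notes 1, 3 and 4 only (note 2 needs a manual web search), and the function names, word lists and sample questions are constructed for illustration.

```python
import re

# Assumptions: prefix text and the 10-question cap come from the notes above;
# the word lists are constructed for illustration.
PREFIX = "SCUMMVM Antispam Asks"
MAX_QUESTIONS = 10
YES_NO = {"yes", "no", "y", "n", "true", "false"}
COLOURS = {"red", "green", "blue", "yellow", "black", "white",
           "orange", "purple", "pink", "brown", "grey", "gray"}


def lint_question(question, answer):
    """Return the note violations for one question/answer pair."""
    problems = []
    ans = answer.strip().lower()
    if ans in YES_NO:
        problems.append("note 1: yes/no answer")
    elif ans in COLOURS:
        problems.append("note 1: answer is a colour")
    elif re.fullmatch(r"\d+", ans) and 1 <= int(ans) <= 20:
        problems.append("note 1: answer is a number between 1 and 20")
    if not question.strip().startswith(PREFIX):
        problems.append("note 4: missing antispam prefix")
    return problems


def lint_question_set(pairs):
    """Lint (question, answer) pairs; return {question or '<set>': problems}."""
    report = {}
    if len(pairs) > MAX_QUESTIONS:
        report["<set>"] = [f"note 3: {len(pairs)} questions, limit is {MAX_QUESTIONS}"]
    for question, answer in pairs:
        problems = lint_question(question, answer)
        if problems:
            report[question] = problems
    return report


# Constructed sample set, not the forum's real questions.
SAMPLE = [
    ('SCUMMVM Antispam Asks "Placeholder yes/no question?"', "No"),
    ("Placeholder colour question?", "blue"),
    ('SCUMMVM Antispam Asks "Placeholder counting question?"', "5"),
    ('SCUMMVM Antispam Asks "Placeholder free-text question?"', "free text"),
]

if __name__ == "__main__":
    for item, problems in lint_question_set(SAMPLE).items():
        print(item, "->", "; ".join(problems))
```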
