[ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: MOD Development Forum rules

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.

User avatar
igorw
Former Team Member
Posts: 8024
Joined: Fri Dec 16, 2005 12:23 pm
Location: {postrow.POSTER_FROM}
Name: Igor Wiedler

Re: [DEV] Checkbox Challenge for Registration

Post by igorw » Fri Apr 20, 2007 10:03 am

If there's no link yet, you have to wait.
Igor Wiedler | area51 | GitHub | trashbin | Formerly known as evil less than three

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Fri Apr 20, 2007 7:34 pm

[DEV] topics do not require download links. :-) DEV means ideas are still being collected, and code is still being written. I generally do my own ALPHA testing as well. I don't release code until it's at BETA status, which saves me (and you, frankly) a lot of effort.

I am adding the code to a fourth and fifth board over this weekend. Each time I have tweaked / changed / improved things. Once the code stops changing so much I will release a BETA version for other folks to start testing. Thanks for your interest. :-)
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Sat Apr 21, 2007 6:48 am

Speaking of tweaks...

I found that some users could not - even with instructions - make it through the registration process in one go. That was, so say the least, very disappointing. So I have simplified the registration screen a bit. There is less text to read, the marks you set in the ACP to mark the "confirmation" checkbox are now included in the instructions, and here's what the new registration form looks like:

Image

The "Tell me more" link is a javascript alert that pops up a message box with additional information about the registration page.

As mentioned previously in this topic the concept of banning someone for failing to fill out the registration form is gone. It is replaced by a temporary ban on future registration attempts which is currently based on the email address. Here's a screen shot of the new ACP screen. These fields are a part of the base board configuration page.

Image

At the end you can see the number of retries and the minutes to temp ban. If you set the number of retries to 0 (zero) then this feature is deactivated. Here's the message a user sees if they are unable to complete the registration within the limited number of attempts:

Image

The MOD does seem to be working well. It is rejecting registration attemps from known spammer domains like mail.ru and anotherspamdomain.org and dsg0283y02g3.org. It is also catching registrations from new spammer domains that I have not banned yet like jessyparkeronline.org, candoyoudude.org, and gemmails.com. There were two different registrations for candoyoudude.org from the same IP address within two seconds of each other, both failing because they were unable to react properly to the checkbox challenge. Since I added this code to my largest phpBB board I have had 141 successful registrations and 136 rejections. Some of the rejections are from multiple attempts by the same user. At this point I feel good enough about the prospects for success that I plan to continue towards a BETA release soon. I would like to capture another week's worth of registration data first.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Tue Apr 24, 2007 4:59 am

I spent some time this evening examing the registration log for my latest test board. I think the results are quite promising. There are quite a few more details on my blog (see signature for link if interested) but here is a summary of what I have seen so far...

If the log shows multiple (usually two, sometimes more) registration attempts within seconds of each other, using the same IP address but different email addresses / different usernames, it's a spammer. :-) I have been banning those.

Real users take the weekends off, spammers do not. The number of registrations that pass the Checkbox Challenge drops to next to nothing on the weekends. The number of failures stays constant.

So far I have tried to review the successful registrations to see if any of them are spammers. I have not and can not review every single one, but so far the results seem quite promising.

A while back I had an idea about checking the domain creation dates as an anti-spam idea... I dropped it because as a stand-alone tactic it seemed to have a number of holes. I am thinking about bringing that idea back and integrating it into this MOD. So if a user (or bot) makes it through the Checkbox Challenge I will still check the domain creation date... if the date is too new, then some other action (perhaps a double-activation of some sort) will be required. Or optionally the user can simply be rejected.

No code to download yet. Part I, the Checkbox Challenge and logger without the domain create date checking could be available within the next week or so. We shall see how much time I get.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

rgross
Registered User
Posts: 127
Joined: Fri Dec 10, 2004 7:22 am

Re: [DEV] Checkbox Challenge for Registration

Post by rgross » Mon Apr 30, 2007 7:33 pm

Waiting patiently for an update... Great MOD in theory, though!

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Mon Apr 30, 2007 9:09 pm

There are updates in my blog (link in sig). So far it seems to have promise. I am going to release the initial ALPHA version some time this week to allow other folks to use it. There will not be update instructions from this initial version to subsequent updates, so unless you're comfortable with installing and removing MODs you probably will want to wait for a more complete package. The code I plan to release works, it's just not complete.

For example, to review the log right now I have to use phpMyAdmin or some other means of reading the data. I plan to create an admin page to allow you to do that. It won't be in the first release.

I have had more than one suggestion that says I should not release it, as it will undermine its effectiveness if a whole bunch of boards get this installed. :-) Don't worry, I still intend to release it.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Sat May 12, 2007 2:38 am

I have been running this code on five different boards (with very different levels and patterns of registration) and things seem to be going well. I am going to release an ALPHA version of the code for public use. What does ALPHA mean to me?

For one thing, it means that it is not complete. For example, you can configure the MOD via the standard configuration page, but there is no online page to review the registration log. You will have to do that via phpMyAdmin or some other mechanism. I have one in the works, but it is not included in this download.

It means that the code has been tested and appears to be functional. As with any MOD that impacts the registration process I strongly suggest that you register a new user immediately after installing this MOD. This will ensure that other users can still register on your board, assuming they are successful in the process.

It means that there will not be an upgrade to the next version. If you are installing on a live board you will be responsible for figuring out how to change / upgrade when a new release comes out. I have written the MOD as mostly included files, so upgrades should be simple, but you never know, and I make no guarantees.

From April 17 to May 11 on five different boards here are the aggregated stats for the four different boards where I have this running at this time.

1074 successful registrations
800 registrations blocked because no checkboxes were checked
853 registrations blocked because all checkboxes were checked

Top offending email domains were:

Code: Select all

+----------------------+----------+
| email_domain         | count(*) |
+----------------------+----------+
| mail.ru              |      198 |
| gmail.com            |       63 |
| yahoo.com            |       51 |
| cherrysolutionss.com |       44 |
| greatmailworld.com   |       43 |
| byemailsite.com      |       41 |
| junkmailsite.com     |       40 |
| illusioncorpmail.com |       38 |
| securefreemail.com   |       36 |
| somefreemailsacc.com |       34 |
| japanfreemail.com    |       33 |
| vpspt.info           |       32 |
| bestmailguide.com    |       30 |
| somefreemailserv.com |       28 |
| goglemailoffice.com  |       28 |
| freemaildirect.com   |       28 |
| freemailid.com       |       28 |
| hotmail.com          |       26 |
| gemmails.com         |       26 |
| somaildot.com        |       26 |
| alt-email-host.info  |       26 |
| biofreemail.com      |       24 |
| floridafreemail.com  |       22 |
| bugfreemail.com      |       22 |
| freemailacc.com      |       20 |
+----------------------+----------+
First post will be updated with download link shortly. Thanks for your interest.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by drathbun » Sat May 12, 2007 3:08 am

Here's a chart that I built because I thought it was interesting. This chart is an aggregate of registration attemps across five different boards. The three lines show the count of the registration result codes.

Image

Blue shows successful registrations. Note that as is probably expected most users register on Monday through Friday. Black show registration attempts that were denied because the validation checkbox was not marked. Red shows registrations that marked too many (generally all of them) checkboxes. Those two lines never really get below 100, even on the weekends. So if your board(s) are like mine, you could probably turn off registrations on Saturday and Sunday and eliminate a bunch of bots. :-P That's not really a serious suggestion, of course. But I think that it's interesting that the number of failures is fairly consistent for the entire week while successful registrations are skewed so much towards weekdays rather than weekends.

First post was update with a download link.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by Dogs and things » Sat May 12, 2007 6:14 am

Whow,

Quite a bit of bad bot botter you seem to be avoiding. :razz:

Are you sure your MOD uses the max. attempt feature?
For phpBB2 support visit phpBB2refugees.

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by drathbun » Sat May 12, 2007 5:45 pm

Dogs and things wrote: Are you sure your MOD uses the max. attempt feature?


Yes. If you run the configuration as it's delivered, that feature is turned off. You will need to alter the configuration in order to turn it on. The number of attempts defaults to zero, so if you don't change that it disables that feature. Set it to 1 attempt in 1 minute and then try to register using the same email address but don't check the checkboxes and you'll get this message:
We are sorry but you have exceeded the allowed number of registration attempts for this session. You may try again in about 90 minutes.

That's what I get on the 4th attempt to register when I have retries set to 3, and the retry delay set to 90.

The number of attempted registrations is high because it's from 5 boards...
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
Rizzn.
Registered User
Posts: 264
Joined: Wed Dec 28, 2005 9:53 am
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by Rizzn. » Sat May 12, 2007 5:56 pm

What about randomizing the number of checkboxes shown as well as the number that need to be checked? That way, each time the same bot goes to register, it'll be forced to cope with a new situation that it will need to solve to be able to get through. It may not be much, but it is a little extra hassle for those annoying bots.
[Alpha] Store MOD (phpBB3)
- Support site forthcoming -
--------------------------------------
[RC1] wGEric Store MOD (phpBB2)
Additional Usable Items and Store MOD Support Forums (separate site)

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by drathbun » Sun May 13, 2007 1:09 pm

The problem that I ran into with randomizing the number of checkboxes is that I have to know which checkbox is the valid one. And that "knowledge" can't be passed as part of the submitted form or a bot could simply read the code and figure it out. Without posting too many details about how / why the defaults are set the way they are, let me just say that the code as it's set up now allows me to determine if the proper checkbox (in a random position) has been marked or not.

If I were to randomize the number of checkboxes (and even randomize the number of required checkboxes, which is another idea I toyed with) I would have to store stuff in the database just like the visual confirmation process does. I have thought about that for version 2. For now the MOD works as designed, but I do appreciate your input.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

dahlsim
Registered User
Posts: 5
Joined: Thu Aug 19, 2004 6:16 pm
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by dahlsim » Fri May 18, 2007 3:51 pm

I have a phpbb board that's having a lot of problems with bogus registrations. I assume that since this mod is being worked on that there is no established mod that has really solved this issue?

This mod looks interesting but I'm curious as to why the built-in option that supposed to require users to enter what they see on an image doesn't stop bot registrations? It seems to do the same general thing that these checkboxes are doing right?

Have bots found an easy way around the image traps now or is the 'write what you see on this image' trap not working?

What about a way to simply ban certain domains from registering, is that something that's easily implemented in phpbb?

User avatar
Balint
Registered User
Posts: 952
Joined: Tue Aug 06, 2002 2:19 pm
Location: Germany
Contact:

Re: [ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by Balint » Fri May 25, 2007 8:17 pm

Great MOD, now all we need is an implementation for guest posts. I'll switch from Amigalink's Advanced Visual Confirmation to this MOD now... :mrgreen:

Post Reply

Return to “[2.0.x] MODs in Development”

Who is online

Users browsing this forum: No registered users and 11 guests