Anti-Spam Thread!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

It seems to me that you guys don't like me much :lol:
That is my last post in this topic.
Sorry, guys.

Please accept my apology.
Test TruBar in my test forums.
alvo
Registered User
Posts: 713
Joined: Thu Jun 22, 2006 3:57 am

Post by alvo »

Techie-Micheal wrote: ... nothing is 100% effective against spam ...

Bots aren't capable of abstract thinking, so any method that uses that to stop them can be 100% effective against them. The only way to get past this type of challenge is to have manually programmed into the bot ahead of time all the variations of the challenge and the answers to them. The Anti Bot Question mod uses this approach. It asks a simple question, chosen at random from all the questions written by the forum moderator. The questions require thinking to answer, such as "What is the color of milk?" Easy for a person, impossible for a bot unless they've been given the question and matching answer beforehand. The VIP mod requires following instructions to get a code to enter into the registration form, and as long as they are placed differently on every site it will be hard for a bot to be able to interpret those instructions and follow them.

Truden's mod is effective because it's really hard to read (by people and bots), so bots have trouble deciphering it, and because it's not used enough. If it were widely used the bot script authors would probably break it, but until then it should be pretty effective.

Jonathon's code wouldn't be an effective prevention if a lot of people used it as it used scripting to insert a provided number into a hidden form field and it would be really easy to alter a bot script to do the same thing.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

alvo wrote:
Techie-Micheal wrote:... nothing is 100% effective against spam ...

Bots aren't capable of abstract thinking, so any method that uses that to stop them can be 100% effective against them.
The problem isn't just bots. I still see humans going through and registering and then siccing bots on posting. There is still a human behind the bot, so as long as humans are involved, there is nothing that will be 100% effective.
The only way to get past this type of challenge is to have manually programmed into the bot ahead of time all the variations of the challenge and the answers to them. The Anti Bot Question mod uses this approach. It asks a simple question, chosen at random from all the questions written by the forum moderator. The questions require thinking to answer, such as "What is the color of milk?" Easy for a person, impossible for a bot unless they've been given the question and matching answer beforehand.
It is also easy to program a bot to read that text and attempt answers, based on doing some work on identifying your victim.
The VIP mod requires following instructions to get a code to enter into the registration form, and as long as they are placed differently on every site it will be hard for a bot to be able to interpret those instructions and follow them.
But there is still a human involved, and there are a variety of ways to get past that, including social engineering.
Truden's mod is effective because it's really hard to read (by people and bots), so bots have trouble deciphering it, and because it's not used enough. If it were widely used the bot script authors would probably break it, but until then it should be pretty effective.
I haven't checked it lately, but last time I did, I was able to defeat it easily using automated processes. So unless he has really changed it from the original which was taken from another site, chances are it won't be very long until a bot is able to read it.
Jonathon's code wouldn't be an effective prevention if a lot of people used it as it used scripting to insert a provided number into a hidden form field and it would be really easy to alter a bot script to do the same thing.
Never trust the client.
Proven Offensive Security Expertise. OSCP - GXPN
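The two designs alvo and Techie-Micheal contrast above, as an added example that is not code from this thread or from any of the mods named in it: the hidden-field pattern compares two values that both come from the client, while a question challenge keeps the expected answer server-side and consumes the challenge after one attempt. The question list and the session dict are constructed stand-ins for the mod's own storage.

```python
import hmac
import secrets

# Constructed question list in the style of the Anti Bot Question mod:
# moderator-written questions with the spellings of the answer the board accepts.
QUESTIONS = {
    "milk": ("What is the color of milk?", ("white",)),
    "week": ("How many days are in a week?", ("7", "seven")),
}

def normalize(text):
    """Case- and whitespace-insensitive comparison form of an answer."""
    return " ".join(text.strip().lower().split()).encode("utf-8")

def weak_check(form):
    """Hidden-field pattern: the page ships the expected value in a hidden
    input and the server compares it with what was typed. Both values are
    client-supplied, so any submitter that fills in both fields passes."""
    return form.get("answer", "") == form.get("expected", "")

def issue_challenge(session, rng=secrets.choice):
    """Pick a question at random, remember which one in the server-side
    session, and hand only the question text to the registration form."""
    qid = rng(sorted(QUESTIONS))
    session["antibot_qid"] = qid
    return QUESTIONS[qid][0]

def verify_challenge(session, form):
    """Server-side check: accepted answers never leave the server, and the
    stored challenge is removed so one issued question cannot be replayed."""
    qid = session.pop("antibot_qid", None)
    if qid is None:                      # no challenge was issued for this session
        return False
    given = normalize(form.get("answer", ""))
    # Constant-time compare against every accepted spelling of the answer.
    return any(hmac.compare_digest(given, normalize(a)) for a in QUESTIONS[qid][1])

if __name__ == "__main__":
    # The weak form passes with any pair of matching client values.
    print(weak_check({"answer": "anything", "expected": "anything"}))   # True
    session = {}
    print(issue_challenge(session, rng=lambda ids: "week"))   # How many days are in a week?
    print(verify_challenge(session, {"answer": " Seven "}))   # True
    print(verify_challenge(session, {"answer": "seven"}))     # False: challenge already consumed
```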
Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht

Post by Vic D'Elfant »

The problem that I see with all these methods is that it is really easy to detect whether the registration went wrong or not. Some methods come back with a nice message, saying that the registration failed, others have a die() call, etc. If I were to be the developer of a spambot, I would try to register "the normal way" (i.e. by faking the post fields) and would queue the forum for manual processing if the bot didn't get the regular confirmation message. Simple, effective, and really easy to implement. Combine that with checking the email inbox in case the bot comes across a board that thinks to be smart and displays the "You have successfully been registered" notice to make the spambot think that it registered successfully, and you'll basically have a fool-proof system. Manual processing is getting more and more popular (sadly enough), so this combination of automatic and manual processing would be the perfect and most cost-effective way to spam boards.

Something like this would take a few hours to develop and test, so don't think it would take another few years for this method to become popular.

Vic
midd.ag • DTP, web development & printing
http://www.midd.ag
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

True, giving them that die message lets them know immediately that they can't do whatever they did...

But without that die message, if the owner of the board does not install everything correctly, normal users might get screwed because it looks like they are registering, but it never saves the data in the database, so as much as they try they won't ever be able to register. :(
Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht

Post by Vic D'Elfant »

Of course - the trick is to combine showing the "fake" confirmation message with one of the methods described elsewhere in this topic, i.e. something a normal user can't accidentally cause by himself.

Vic
midd.ag • DTP, web development & printing
http://www.midd.ag
Dog Cow
Registered User
Posts: 2498
Joined: Fri Jan 28, 2005 12:14 am

Post by Dog Cow »

Vic D'Elfant wrote: Of course - the trick is to combine showing the "fake" confirmation message with one of the methods described elsewhere in this topic, i.e. something a normal user can't accidentally cause by himself.

Vic


But then you're back to square one: making a registration form for humans, so that bots can't complete it. If the message is going to be fake, why bother triggering and showing it?
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton book · Mac GUI · Mac 512K Blog
olpa
Registered User
Posts: 255
Joined: Tue Jan 25, 2005 6:44 pm
Location: Saint-Petersburg, Russia

Post by olpa »

Ooh, jonahan, yet another payware! I wonder about its success when alternatives exist.

You say that you've read MANY topics regarding phpBB spam. Would you please compare your MOD with the alternatives? If you don't want to answer in this thread, answer here.
olpa
Registered User
Posts: 255
Joined: Tue Jan 25, 2005 6:44 pm
Location: Saint-Petersburg, Russia

Post by olpa »

And in another locked thread you say:
you had to install 10 different mods and even then it didn't stop the spambots very well

Would you please elaborate on this? What are the mods, and what are the reasons they didn't stop spambots very well?
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Instead of concentrating on the symptoms, why not concentrate on the source of the problem? Right now, these different confirmation systems are going for the symptoms - a user, presumably a bot, attempts to register or post. But how do we know that? Because they fail the visual confirmation? Perhaps they are blind. Voice confirmation? There's already work being done on automating bots to defeat that. Turing test on thinking? Perhaps the user is handicapped in a way that prevents them from answering. Perhaps the test doesn't allow for a certain type of response, even though it is completely valid.

Instead, I propose we concentrate on the source of the problem. The users themselves. Doesn't matter if they are automated or not. As website owners, we know what is spam for our site, we know what behaviors are indicative of a spammer. But instead of trying to quantify those behaviors, we just block the source of the problem - the user who is the troublemaker.
Proven Offensive Security Expertise. OSCP - GXPN
alvo
Registered User
Posts: 713
Joined: Thu Jun 22, 2006 3:57 am

Post by alvo »

We know what spam is when we see it; we also know that the content of it is separate from the form. OK, porn and pill links in a signature are spam, but how does one differentiate them without human intervention? It requires abstract thinking, something we can't automate. How does one quantify behaviors? It's not all that difficult to differentiate between a bot and a person if you target the limitations of one over the other. Sure, that doesn't stop manual spamming, but that's never going to be as efficient as scripts are. Perhaps you can elaborate on what you're thinking of? If you have some thoughts on identifying what spam is in an efficient enough way to allow one to keep it out whether it's from a person or a bot, it would be good to know.
Techie-Micheal wrote: ... Turing test on thinking? Perhaps the user is handicapped in a way that prevents them from answering. ...

Probably means they won't be able to follow a thread and make useful contributions either.
Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht

Post by Vic D'Elfant »

alvo wrote: Sure, that doesn't stop manual spamming, but that's never going to be as efficient as scripts are

The problem is that most spam isn't being posted manually - I bet that 95% of the spam posts are being posted by an automated system (not including those by members that want to advertise their website, services, etc. of course). The problem is that, in most cases, the spam bot will either sign up automatically or by falling back on a human processor, and the bot itself will post the actual spam on the forum. Once it gets past the registration page (in one way or another), it can start spamming since the posting page isn't protected against spambots, and simply can't be protected with things like a CAPTCHA or simple, logical questions since that would annoy your board's users and will very likely make them leave your board. I would, for one, leave a board if I had to fill out a CAPTCHA or answer some question for every single post I make.

Vic
midd.ag • DTP, web development & printing
http://www.midd.ag
DiscoverKate
Registered User
Posts: 56
Joined: Thu May 16, 2002 3:02 pm

Post by DiscoverKate »

Retro King wrote: Most of my spammers at the minute don't actually have web addresses as signatures but all seem to have a @bk.ru email address.


Is there a way to disallow all email joiners from a specific domain?

IE .ru or cashette.com??
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

alvo wrote: We know what spam is when we see it; we also know that the content of it is separate from the form. OK, porn and pill links in a signature are spam, but how does one differentiate them without human intervention? It requires abstract thinking, something we can't automate. How does one quantify behaviors? It's not all that difficult to differentiate between a bot and a person if you target the limitations of one over the other. Sure, that doesn't stop manual spamming, but that's never going to be as efficient as scripts are. Perhaps you can elaborate on what you're thinking of? If you have some thoughts on identifying what spam is in an efficient enough way to allow one to keep it out whether it's from a person or a bot, it would be good to know.
Techie-Micheal wrote:... Turing test on thinking? Perhaps the user is handicapped in a way that prevents them from answering. ...

Probably means they won't be able to follow a thread and make useful contributions either.


Albert Einstein couldn't tie his shoes, but that didn't stop him.

Yes, humans are generally able to determine between a bot and a human. But if you attempt to quantify those behaviors, it is much harder. And by quantifying, that means listing the behaviors and writing a program to understand those. That takes advanced Artificial Intelligence and heuristics scanning. Both of which are very difficult to do. Why? Because you are trying to tell software what a human would do and wouldn't do. Then, after all of that, you are still left with humans spamming, so you cannot have 100% of spam stopped.

As an example of the AI and heuristics needed, look at the email we receive. Ever notice the seemingly random paragraphs at the end? Sometimes called SpamAssassin busters or Bayes busters by the spammers, those texts look normal to a computer, but to the human eye we know that the paragraphs do not fit with the body of the email. But are you able to give me an effective list to tell a computer what to look for? Probably not. Nobody has been able to effectively tell a program to look for those texts and know if they fit with the email or not, that I know of. Therefore, it is difficult to quantify human behavior and bot behavior.

Instead, for bulletin board spam, you want to go after the source. Who is the source? The user. The user can be a bot or a human, or both. A human registers, but the bot spams. But once the human is in, what's to stop them from manually spamming? Here comes the problem again of trying to quantify what a human would do and what a bot would do and what either wouldn't do. What I'm proposing is a service that identifies the user, and not their actions. Or rather, the community identifies the user, and the community bans the user.
Proven Offensive Security Expertise. OSCP - GXPN
Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Post by Wo1f »

Techie-Micheal wrote: Instead, for bulletin board spam, you want to go after the source. Who is the source? The user. The user can be a bot or a human, or both. A human registers, but the bot spams. But once the human is in, what's to stop them from manually spamming? Here comes the problem again of trying to quantify what a human would do and what a bot would do and what either wouldn't do. What I'm proposing is a service that identifies the user, and not their actions. Or rather, the community identifies the user, and the community bans the user.


But then, how do you propose to reliably enforce a "global" ban on a user permanently, without some form of a "mac-like" UID? What about the risks that an innocent potential new member gets automatically mislabeled (because of a signature)? False positives? I imagine you're also talking about a centrally located repository? What about the impact execution-wise, bandwidth-wise, availability-wise etc?