Anti-Spam Thread!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Locked
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Wo1f wrote:
Techie-Micheal wrote:Instead, for bulletin board spam, you want to go after the source. Who is the source? The user. The user can be a bot or a human, or both. A human registers, but the bot spams. But once the human is in, what's to stop them from manually spamming? Here comes the problem again of trying to quantify what a human would do and what a bot would do and what either wouldn't do. What I'm proposing is a service that identifies the user, and not their actions. Or rather, the community identifies the user, and the community bans the user.


But then, how do you propose to reliably enforce a "global" ban on a user permanently, without some form of a "mac-like" UID? What about the risks that an innocent potential new member gets automatically mislabeled (because of a signature)? False positives? I imagine you're also talking about a centrally located repository? What about the impact execution-wise, bandwidth-wise, availability-wise etc?
The catch is that you don't ban a user permanently. The risk is too high that innocent users will get in the way. What if an innocent user does get caught in the cross-fire so to speak? There should be a system that will allow users to request removals. This of course requires abuse checks so spammers won't be able to request they be removed from the system. False positive should be very low, because of the checks implemented.

As for availability, the impact on server and client is very low, and bandwidth use is extremely low. Edit: I decided to go ahead and post the bandwidth stats.

Get ready for it.

A board that has 200 posts per day, and 200 registrations per day will use only 6MB in addition to what they already use with bbProtection installed. That's per month. 6MB per month.
Proven Offensive Security Expertise. OSCP - GXPN

Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Post by Wo1f »

The numbers are very good. :wink:

Without revealing your "secrets", from an administrators perspective, what kind of involment are we talking about?

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Wo1f wrote: The numbers are very good. :wink:

Without revealing your "secrets", from an administrators perspective, what kind of involment are we talking about?


Here's what an administrator will have to do. All but reporting are one time steps per board. And of course only one account for the site.

1. Register at the site
2. Register a board and select the package that meets the requirements for your board's activity. The main package will be free and should fit the majority of the boards.
3. Install the client
4. Report spammers on your board, and let the rest of the community do the same.

Edit: Depending on the permissions you set on your board, you can also have moderators report spammers. But for obvious reasons, this should be a very trusted group of moderators.
Proven Offensive Security Expertise. OSCP - GXPN

Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Post by Wo1f »

Allright, that's what I expected.

<devil's advocate ON>
I'm a frustrated spammer, labelled as one and banned. I install phpbb and decide to subscribe to your "protection" program. After a certain period of time, I start submitting false reports on fictitious spammers, which are in fact responsible and participating members in your program.
<devil's advocate OFF>

The goal is just to create chaos. Did I succeed?

Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht
Contact:

Post by Vic D'Elfant »

No, you didn't :)

An account holder is not able to file two complaints about the same user, so this would require the spammer to sign up for multiple bbProtection accounts, add a (new) board to his account, etc. It's not very likely that they will be able to register enough accounts to successfully spread chaos, also because we check our own anti-spam database before allowing someone to sign up for an account with us.

Vic
midd.ag • DTP, web development & printing
http://www.midd.ag

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Wo1f wrote: Allright, that's what I expected.

<devil's advocate ON>
I'm a frustrated spammer, labelled as one and banned. I install phpbb and decide to subscribe to your "protection" program. After a certain period of time, I start submitting false reports on fictitious spammers, which are in fact responsible and participating members in your program. The goal is just to create chaos.
<devil's advocate OFF>

Did I succeed?


No you did not. We are getting in to the trade secret area, but since it came up, we allow only one complaint per board per set of information. To make this even harder, it takes a percentage of complaints we set for a certain piece of information to become banned. Harder still, we limit the number of boards that can be registered for a free account. So spammers would have to dish out money to spam. To further complicate the spammer's life, we will monitor for people using multiple accounts on our site. Of course, no system is perfect, but I try very hard to make a spammer's life very difficult.

Edit: What Vic said. :P
Proven Offensive Security Expertise. OSCP - GXPN

Wo1f
Registered User
Posts: 2039
Joined: Fri Jan 28, 2005 3:20 am

Post by Wo1f »

Ok, very good. But do we agree that spammers are a very well organised bunch that make a living out of spamming and anything that "seriously" hinders their bottom line is going to be dealt with without mercy. That worries me as far as the availability of the service is concerned.

So keeping this in mind, I would still need to maintain a "local" anti-spam defence, right? So on the one hand, I subscribe to your service which allows me to identify and submit a spammer which is then cataloged, expediting his need to eventually seek other forms of employment (hopefully), and on the other hand I continue to do what it is that I do to combat spam locally. Is this accurate?

For having been involved in the "anti-cheat" movement with PunkBuster, I have a very good idea of where you are going with this. And, I seriously believe that it should be encouraged, but the bottom line remains that this is a very labor intensive and involved process (compounded by a review mechanism) that demands constant attention and vigilance on the part of many many many players.

You guys are nuts! :lol: ... and obviously very serious and prepared.


Thanks for the info and you did manage to get my attention.


Regards,
Wolf

User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Wo1f wrote: Ok, very good. But do we agree that spammers are a very well organised bunch that make a living out of spamming and anything that "seriously" hinders their bottom line is going to be dealt with without mercy. That worries me as far as the availability of the service is concerned.
Certainly. We do have plans to mitigate attacks against the service, and I do have backup plans should it become necessary.
So keeping this in mind, I would still need to maintain a "local" anti-spam defence, right? So on the one hand, I subscribe to your service which allows me to identify and submit a spammer which is then cataloged, expediting his need to eventually seek other forms of employment (hopefully), and on the other hand I continue to do what it is that I do to combat spam locally. Is this accurate?
Absolutely you should keep on with having the visual confirmation enabled, requiring users to authenticate their accounts, etc. But for those that get through that, we have a special surprise in store. ;)
For having been involved in the "anti-cheat" movement with PunkBuster, I have a very good idea of where you are going with this. And, I seriously believe that it should be encouraged, but the bottom line remains that this is a very labor intensive and involved process (compounded by a review mechanism) that demands constant attention and vigilance on the part of many many many players.
Yes. But have gone to great lengths to ensure this system requires as little effort as possible. Yes, admins will still have to do their part, and yes, people are going to have watch, but that leads to one very important thing that I feel is missing from the bulletin board world - communication between communities. Look at what the blogosphere has done. RSS, pinging each other, and so on. Where is that communication in the bulletin board world?
You guys are nuts! :lol: ... and obviously very serious and prepared.
You bet we are nuts. :P
Thanks for the info and you did manage to get my attention.


Regards,
Wolf
You're welcome and glad we have your attention. :)
Proven Offensive Security Expertise. OSCP - GXPN

Wes of StarArmy
Registered User
Posts: 288
Joined: Fri Mar 04, 2005 2:59 am
Location: StarArmy.com
Contact:

Post by Wes of StarArmy »

Ok, very good. But do we agree that spammers are a very well organised bunch that make a living out of spamming and anything that "seriously" hinders their bottom line is going to be dealt with without mercy. That worries me as far as the availability of the service is concerned.
Not necessarily. For spammers (like the rest of us), time is money, right? So if something can't be automated and/or takes too much time and effort, they're going to focus on more fruitful methods elsewhere.

User avatar
Dog Cow
Registered User
Posts: 2495
Joined: Fri Jan 28, 2005 12:14 am
Contact:

Post by Dog Cow »

Wes of StarArmy wrote:
Ok, very good. But do we agree that spammers are a very well organised bunch that make a living out of spamming and anything that "seriously" hinders their bottom line is going to be dealt with without mercy. That worries me as far as the availability of the service is concerned.
Not necessarily. For spammers (like the rest of us), time is money, right? So if something can't be automated and/or takes too much time and effort, they're going to focus on more fruitful methods elsewhere.


Right. The Spammers go where they think the money is. A spammer's life must be pretty pathetic, if you stop to think about it. So many people already know about spam, delete it on site, use anti-spam technology, etc. It makes me wonder why they bother posting spam or sending spam email at all.

There still must a be a group of naive internet users out there who still respond to spam, who actually open spam email.

Therefore, I conclude that one powerful weapon against spam is education: if everyone in the world, or at least, more than do now, knew exactly what to do with spam, then the spammers would make no money.

I've read the statistic that some human spammers get paid as low as .70 USD and hour to post spam or send spam email. But money doesn't come from thin air. Someone is paying these poor suckers to spam. If there's no money in, there'll be no money out and theoretically, much less spam all-around.

Or at least, that's what I think! :)
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookMac GUIMac 512K Blog

Vic D'Elfant
Former Team Member
Posts: 6203
Joined: Sun May 02, 2004 6:21 pm
Location: NL, Maastricht
Contact:

Post by Vic D'Elfant »

Dog Cow wrote: Therefore, I conclude that one powerful weapon against spam is education: if everyone in the world, or at least, more than do now, knew exactly what to do with spam, then the spammers would make no money.

I agree, but I'm afraid that's a rather optimistic view. The majority of the users are novice users who simply click on anything that says "Click me or your computer will crash" (as a matter of speaking). The day that one has educated enough users to effectively bring down the number of people that respond to spam will very likely, and sadly enough, be decades from now, even we even get that far.

I also think that the spammers and the ones who "employ" them think like "no-one will know about my website if I don't send my spam, so let's just send it so I will have at least some chance that someone will accidentally end up on my website and buys something". Narrow minded, yes. Ineffective, yes. Annoying, yes. But it's still here.

With the growing popularity of bulletin boards, spammers have found a new market to abuse and will very likely change their focus to bulletin boards. Their websites will even get a higher pagerank if they get their spam on a high number of boards, which would result in even more potential visitors. Adding the "nofollow" attribute to the URL tags would prevent them from actually getting the higher pagerank, but also effectively blocks genuine links to websites that really are useful and should get a higher pagerank. And then again, this way of trying to discourage the spammers won't help; there are still millions of websites and bulletin boards out there that don't use something like the nofollow attribute so spammers will post their spam anyway.

That's why you shouldn't try to discourage them by adding some simple counter measurements, but to block them at the source. Whether it's a bot, a human, or even a monkey that was taught to post spam, it's still coming from a computer somewhere on the internet, and can be identified and blocked that way.

Vic
midd.ag • DTP, web development & printing
http://www.midd.ag

User avatar
Dog Cow
Registered User
Posts: 2495
Joined: Fri Jan 28, 2005 12:14 am
Contact:

Post by Dog Cow »

Vic D'Elfant wrote:
Dog Cow wrote:Therefore, I conclude that one powerful weapon against spam is education: if everyone in the world, or at least, more than do now, knew exactly what to do with spam, then the spammers would make no money.


I agree, but I'm afraid that's a rather optimistic view. The majority of the users are novice users who simply click on anything that says "Click me or your computer will crash" (as a matter of speaking). The day that one has educated enough users to effectively bring down the number of people that respond to spam will very likely, and sadly enough, be decades from now, even we even get that far.


It may be overly optimistic, but it will always help. The more novices who are informed, the better!
Remember: It is better to have half of something, than all of nothing.
Vic D'Elfant wrote: That's why you shouldn't try to discourage them by adding some simple counter measurements, but to block them at the source. Whether it's a bot, a human, or even a monkey that was taught to post spam, it's still coming from a computer somewhere on the internet, and can be identified and blocked that way.


You are indeed correct, to attack the source, 'nip it in the bud' so to say. But I believe that a dual-approach is best: local spam protection and the global blocking system. It's the best of both worlds.
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookMac GUIMac 512K Blog

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 51191
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Post by stevemaury »

I realize that what I am posting deals with only a small number of boards and is no help to many. But there may be some types of boards that will find it useful. My board has a small number of users (~35) but a large number of posts (>350/day) and it is a private board. In 2 years, I have had no spam and no registration attempts. Here is what I did:

1. The domain (www.mysite.xxx) has no index.html file. It is immune from google searches, therefore, as it displays only :Directory Listing Denied
This Virtual Directory does not allow contents to be listed." and that text is not actually on the page but is generated elsewhere.

2. The board is installed in a folder below that to which the domain points. Therefore, the only way to get to the login page is www.mysite.xxx/root.

3. Both the Memberlist and Who's online are suppressed with standard code mods widely posted on this board.

4. Disallow Names in ACP includes "*", which disallows EVERY name. Therefore, even if someone got to the login page, they, or a bot, could not complete registration. Each new user can only be registered by the Admin, who would take the "*" out of Disallow names, register the user, and put "*" back.

5. Verification is set to Admin, although this wouldn't really matter in light of the other settings.

That's it. No spam, no hacks, nothing. Hope this helps someone.

DstrucTIonS
Registered User
Posts: 4
Joined: Thu Nov 09, 2006 5:21 pm

Need Some Help

Post by DstrucTIonS »

I have spammers that are bypassing my registration page and creating accounts in phpBB. I am seeing returned registration email (in Brazillian ... my site is english) for the spammer. I have multi-language turned off. Anyone have an idea of how they are doing this? Is there a known issue with 2.20?

Any help is appreciated.

D

User avatar
Jim_UK
Former Team Member
Posts: 18478
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Re: Need Some Help

Post by Jim_UK »

DstrucTIonS wrote: I have spammers that are bypassing my registration page and creating accounts in phpBB. I am seeing returned registration email (in Brazillian ... my site is english) for the spammer. I have multi-language turned off. Anyone have an idea of how they are doing this? Is there a known issue with 2.20?

Any help is appreciated.

D


:!:
You are one version behind so you need to update and if you had read the posts in this topic starting with the first page then you would not need to ask that question. All the info is there on what to do to stop this spam when it is from bots. Humans are a little harder to deal with.
Read the posts in the first few pages.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!

Locked

Return to “2.0.x Discussion”