Anti-Spam Thread!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Zenith63
Registered User
Posts: 22
Joined: Fri Jan 20, 2006 9:11 pm

Post by Zenith63 » Sat Jan 13, 2007 5:37 pm

I haven't read the 34 pages of this thread so maybe this has already been discussed, but has anybody else noticed some of these bots seem to get around the user email activation? I've had serious spam problems over the last few weeks so changed activation over to Admin. I now get an email to say a new user "Abposterterup3" has registered, then an hour later I get a failure notice from my mail server to say it couldn't send the new user message to that user. This is happening with all new registrations by these spammers. With this in mind it would be fairly safe to assume the activation emails weren't making it to the spammers before I switched it over to Admin Activation, right? So how were they able to post?
When a new user registers they're sent a URL they click on with some sort of ID in it, anybody know how it is generated? Is it possible the spammers are just generating the code and activating themselves? If this is the case just customising how this code is generated for your forum might work?

Thanks!

EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction » Sun Jan 14, 2007 5:45 pm

Yes, many spam bots can activate their own users.

They just have the mail sent somewhere that they can read it. ;)

Zenith63
Registered User
Posts: 22
Joined: Fri Jan 20, 2006 9:11 pm

Post by Zenith63 » Mon Jan 15, 2007 1:35 pm

Yes that would make sense, but what I'm noticing is that all the activation mails are bouncing when I have it set to Admin verification. If they're bouncing they must not be able to read them? Or maybe they only accept emails that are verification emails and bounce the rest, in which case there should be some sort of customisation that can be made to the verification email (eg. random subject line) so they wouldn't accept them...

Blaine
Registered User
Posts: 83
Joined: Mon Jan 15, 2007 3:07 pm
Location: Atlanta, GA

Post by Blaine » Mon Jan 15, 2007 3:44 pm

I've just finished reading this thread. I've collected some good information and I want to thank everyone who posted. I recently installed phpBB and have about 150 users. I get 1 - 10 spammer signup attempts per day right now. I went into the code of usercp_register.php and added a self written logging feature for everyone who attempts to register.

I'm interested in both increasing security and enhancing user experience.

Here is what I discovered. Almost all of my spam comes in one of two flavors. I believe all of it is bot spam, none of it is human spam. It seems to either come from two different programs, or the same program configured in two wildly different ways.

No bot fails to decode the captcha. About 10% of the real users cannot decode the captcha; the most common mistake seems to be entering all lower case when the visual confirmation requires all upper case. I'm inclined to turn off visual verification and probably will soon.

I added two fields to the registration page, one hidden and one blank. No bot has failed to provide the value of the hidden field. No bot has failed to leave the blank field blank. About 10% of real human users fill in the blank field despite a warning label telling them it is important to leave it blank.

Just as phpBB has vulnerabilities and is a target because all boards work the same, I decided to target my spammers because they all work the same. For a variety of reasons, including scanning my log of registrations, it is easy for me to see which the spammers are and which are the real users. I can do this without viewing any URLs or email addresses. I have zero false positives and have no spammers who place a URL in profile or message missed.

My solution works 95% of the time (well, 100% in actual practice) not because it is a good method, but because the spammers I have lack competence and because my method is custom written. If it was put into general use it would no longer be effective.

My question is what should I do when I catch a spammer who is trying to register? At first I executed a die message and sent something that looked like an internal error. Now I am sending a 404 error as well.

What would be most effective? I cannot imagine that any spammer actually looks at the results of a spam attempt. How do I get out of their database? What is the automated program looking for so it can give up and go away?

Dog Cow
Registered User
Posts: 2491
Joined: Fri Jan 28, 2005 12:14 am

Post by Dog Cow » Mon Jan 15, 2007 10:04 pm

Just pass them the Registration Successful page even though it wasn't :twisted:
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton book | Mac GUI | Mac 512K Blog

Tresclub
Registered User
Posts: 123
Joined: Sat Dec 20, 2003 6:28 am
Location: Oroville, CA USA

Post by Tresclub » Mon Jan 15, 2007 10:08 pm

Blaine, "...I went into the code of usercp_register.php and added a self written logging feature for everyone who attempts to register."

Is this something you can share with us, or send it to me in an EM or PM?

Warren

Tresclub
Registered User
Posts: 123
Joined: Sat Dec 20, 2003 6:28 am
Location: Oroville, CA USA

Post by Tresclub » Mon Jan 15, 2007 10:09 pm

Dog Cow wrote: Just pass them the Registration Successful page even though it wasn't :twisted:

DC, and how, pray tell, do you do this?

Warren

Blaine
Registered User
Posts: 83
Joined: Mon Jan 15, 2007 3:07 pm
Location: Atlanta, GA

Post by Blaine » Tue Jan 16, 2007 12:22 am

Dog Cow wrote: Just pass them the Registration Successful page even though it wasn't

I think I have seen Dog Cow posting a lot in the anti-spam threads, so I have some measure of respect for him.

But I would take a contrarian view and suggest that this will do little to stop a spam bot. I seriously doubt that any bot spammer looks to see if his spam gets through. But I suspect the bot is programmed to spam again if it does get through. Also I suspect that many of the bots have been programmed to not come back if they can determine they are not successful.

Understanding this element of the spam bot can give the spammer a metric that he is not successful. Since there are thousands, well, tens of thousands of boards that are open to spamming, I suspect he will drop my board and go on to other, less protected, boards.

My spam defense is not that I have a good method of protection, but that I have a method that is not the general rule.

EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction » Tue Jan 16, 2007 3:27 am

Zenith63 wrote: Yes that would make sense, but what I'm noticing is that all the activation mails are bouncing when I have it set to Admin verification. If they're bouncing they must not be able to read them? Or maybe they only accept emails that are verification emails and bounce the rest, in which case there should be some sort of customisation that can be made to the verification email (eg. random subject line) so they wouldn't accept them...

If it is set to admin verification the emails are sent to admins to approve, not users. ;)

olpa
Registered User
Posts: 255
Joined: Tue Jan 25, 2005 6:44 pm
Location: Saint-Petersburg, Russia

Post by olpa » Tue Jan 16, 2007 4:13 am

Blaine, thanks a lot for your great report!

Blaine wrote: No bot fails to decode the captcha. About 10% of the real users cannot decode the captcha; the most common mistake seems to be entering all lower case when the visual confirmation requires all upper case.

I expected that Visual Confirmation is good for bots and bad for humans, therefore I wrote Textual Confirmation mod. But I didn't expect that numbers are so impressive.

Did you use the default Visual Confirmation, or Advanced Visual Confirmation?

Blaine wrote: I added two fields to the registration page, one hidden and one blank. No bot has failed to provide the value of the hidden field. No bot has failed to leave the blank field blank. About 10% of real human users fill in the blank field despite a warning label telling them it is important to leave it blank.

Nice statistics.

Blaine wrote: My question is what should I do when I catch a spammer who is trying to register? At first I executed a die message and sent something that looked like an internal error. Now I am sending a 404 error as well.

Textual Confirmation re-displays the registration page, with an error message.

Blaine wrote: I seriously doubt that any bot spammer looks to see if his spam gets through.

Unfortunately, often there is a human behind a bot. At least, it is so for my SEO-optimized forum.

Blaine
Registered User
Posts: 83
Joined: Mon Jan 15, 2007 3:07 pm
Location: Atlanta, GA

Post by Blaine » Tue Jan 16, 2007 6:19 am

olpa wrote: I expected that Visual Confirmation is good for bots and bad for humans ... But I didn't expect that numbers are so impressive.

Did you use the default Visual Confirmation, or Advanced Visual Confirmation?

I use the basic Visual Confirmation provided with phpBB. My 10% of humans fail statistic because they use lower case is skewed because I do not have a large enough sample to make the statistic meaningful. Plus the statistic was a guess. I went back and actually counted and here is what I got:

For the short period I had 11 "real user" registrations. I define a real user who has trouble as someone who posts no spam, has an IP address based near me (within 25 miles) and used lower case to initially respond to the Captcha.

7 (64%) Real Users had trouble or failed to register
2 (18%) Real Users failed to register due to Captcha difficulties

So basic captcha denies 18% of my potential real users and makes it hard or impossible for 64% of my users.

I'm concerned about user experience, so when someone tells me to beef up my captcha I ... well... I look for alternatives. But with what I have now I have stopped all current spam attempts. I suspect my spam would still be zero if I threw away the visual confirmation, which would give me a better user experience.

olpa wrote: Textual Confirmation re-displays the registration page, with an error message.

I'd not considered this option. Thanks. To tell the bot he failed the Visual Confirmation. I'm going to wait and see how the 404 error works, then I'll try this next.

Blaine
Registered User
Posts: 83
Joined: Mon Jan 15, 2007 3:07 pm
Location: Atlanta, GA

Post by Blaine » Tue Jan 16, 2007 6:52 am

Tresclub wrote: Blaine, "...I went into the code of usercp_register.php and added a self written logging feature for everyone who attempts to register."

Is this something you can share with us, or send it to me in an EM or PM?

The code to log activity to a SQL table is reasonably simplistic. All I really did was create a new table like the user table and added IP address and a couple of other things to it.

If you don't know how to create the log file yourself, I'd suggest you try running some SQL queries on your user table. It is almost the same information and the benefit is not in creating the log, but in running queries against it to create intelligence about your board.

Aquillar
Registered User
Posts: 17
Joined: Tue Nov 08, 2005 3:59 am
Location: Canada

Post by Aquillar » Tue Jan 16, 2007 3:09 pm

I saw an interesting solution recently.

The registration page had a big note at the top saying "LEAVE ALL THE FOLLOWING FIELDS BLANK OR REGISTRATION WILL FAIL. You can modify your profile after you register by going to...bla bla"

Unfortunately I don't remember where that was or what forums it was running, phpbb2 I'm pretty sure

Dog Cow
Registered User
Posts: 2491
Joined: Fri Jan 28, 2005 12:14 am

Post by Dog Cow » Tue Jan 16, 2007 10:10 pm

Aquillar wrote: I saw an interesting solution recently.

The registration page had a big note at the top saying "LEAVE ALL THE FOLLOWING FIELDS BLANK OR REGISTRATION WILL FAIL. You can modify your profile after you register by going to...bla bla"

Unfortunately I don't remember where that was or what forums it was running, phpbb2 I'm pretty sure

While these are good ways to prevent bots, they do require some thought on the part of the user.

I generally prefer anti-spam methods that require no thought or interaction on the part of the user; methods that are "invisible."

I read in a post here that bots make their own forms and then submit them to your site. Is this true? If so, then it would be really easy to include a hidden check variable on the form, one that is set by a $_POST var.

If the bot is accessing registration or posting.php through the "default" way, then this check variable won't be present and the process will fail.

Since we expect legitimate users to click the links, the check variable will be included, albeit hidden in the page, and the process will pass.

That is the basis for my MODification, Spam-bot Surprise!
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton book | Mac GUI | Mac 512K Blog
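
An added sketch (not code from this thread, from phpBB, or from any MOD named here) of the two form checks discussed above: Blaine's leave-blank field and Dog Cow's hidden check variable. The check value is signed and time-stamped so it cannot be made up without fetching the form; the secret, the field names `form_token` and `website_confirm`, the limits and the elapsed-time check are assumptions that go beyond what the posts describe.

```php
<?php
// Added example, not phpBB code. The secret, field names and limits are assumptions.
const FORM_SECRET      = 'replace-with-a-long-random-server-side-secret';
const MIN_FILL_SECONDS = 3;    // a form returned faster than this was not typed by a person
const MAX_FORM_AGE     = 3600; // a check value older than one hour is rejected
// Value for the hidden check field, computed when the registration form is rendered.
function issue_form_token(int $now): string
{
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the submission passes, otherwise a reason to write to the
// registration log. The visitor gets the same generic error whatever the reason.
function check_registration(array $post, int $now): ?string
{
    $token = $post['form_token'] ?? null;
    if (!is_string($token) || substr_count($token, ':') !== 1) {
        return 'missing_token';      // posted without fetching the form
    }
    [$issued, $mac] = explode(':', $token);
    if (!preg_match('/^\d{1,12}$/D', $issued)
        || !hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'forged_token';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted_too_fast';
    }
    if ($age > MAX_FORM_AGE) {
        return 'expired_token';
    }
    // Leave-blank field, hidden with CSS in this sketch so people never see it.
    if (($post['website_confirm'] ?? '') !== '') {
        return 'honeypot_filled';
    }
    return null;
}

// Constructed sample submissions; 1168900000 is an arbitrary render time.
$t0 = 1168900000;
$samples = [
    'human'       => [['form_token' => issue_form_token($t0), 'website_confirm' => ''], $t0 + 40],
    'direct bot'  => [['username' => 'constructed'], $t0 + 40],
    'fast bot'    => [['form_token' => issue_form_token($t0), 'website_confirm' => ''], $t0 + 1],
    'form filler' => [['form_token' => issue_form_token($t0), 'website_confirm' => 'x'], $t0 + 40],
];
foreach ($samples as $label => [$post, $now]) {
    printf("%-12s %s\n", $label, check_registration($post, $now) ?? 'accepted');
}
```

Logging the returned reason alongside the IP address gives the kind of registration log Blaine describes querying, without telling the client which check it failed.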

babykids
Registered User
Posts: 5
Joined: Tue Jan 16, 2007 3:52 pm

Post by babykids » Wed Jan 17, 2007 3:01 am

http://www.lithiumstudios.org/phpBB3/vi ... p?f=10&t=4

With this link there is an error to dl.


The requested topic does not exist.
:?:
