Kellanved wrote: Pony99CA wrote:
That all makes sense in some ways, but my experience is counter to that.
First, my custom profile question (basically, "Are you a spammer?") has stopped all spam registrations (and, yes, registration does work). That has a 50% chance if you guess and a 100% chance if you use the "Choose the non-default answer" strategy, but it works.
The experiences of individual board admins and board software vendors are naturally different. You can use a drop-down; it works purely because the bot software author never bothered with implementing a brute force attack using that field - why should he for just one board?
Exactly, why would they for just one board.
However, the "select the non-default option" strategy would probably work across boards. To fix that, board admins would need at least two custom profile questions, one set to the wrong answer and one set to the right answer.
Second, how can bots build a database if the admin creates the questions and answers? Each board would have a different set of questions. Does the Q&A mod use some other way to generate the questions (random math problems, for example)? And, even if it does, if the answers are constrained to a small range (integers 1-100, say), that's basically multiple choice anyway.
The number of questions and answers on any board is finite. Give the possible answer and the bot will weed the answer for every single question by brute force. After he has the answers, he will register dozens of sleeper accounts to keep your board spammed, even if you change the questions.
True, but that contradicts your first point. Why would a bot do this for just one board? Will the bot build a database of questions for every board on the Internet?
And while it's true that the number of questions a board can hold is obviously finite (because its storage is finite), the number of questions across boards that a bot would need a database for can get very large.
That goes back to my previous comment that "time has no meaning" for a bot master. The question becomes how robust does somebody make a bot? Does he make a bot that will bother to brute force thousands of times, or does the bot master make the bots give up after a few times and move on to their next target? I think the whole point of CAPTCHAs is that most will do the latter.
As for registering sleeper accounts, I've seen what seems to be that behavior. However, if you keep on top of new registrations and check them for spamminess (what time zone are they from, does their E-mail address look real, is the E-mail domain registered to spammers, etc.), you can delete those.
Obviously, that's simple for a small forum like mine, but more difficult for a large, very popular forum. I once spent 2-3 months clearing out 600+ spam accounts on a board that I was an admin on after I hadn't been able to participate much for several months. (I think I might have been the only admin to worry about spam registrations.) That board had maybe 1200-2000 valid users.
The key is to have the chance of success per guess and the number of registration attempts allowed be low enough to make bot success unlikely (say 5% or less). Having a 1 in 50 chance (for example, "Lansing is the capital of what state?" for U.S. boards) with multiple choice and three registration attempts comes close to that goal (5.8808%).
If you have finite questions and given answers, the probability of a bot solving the question over time approaches 1. Brute force with a database.
Again, how much time is a bot going to spend at a given board before it moves on to a new target?
Of course, even if a bot only has a 1% chance of getting a question right, just randomly guessing will probably get you in after 50-100 attempts no matter how big the database of questions is. There's probably no need to build a database of questions and tried answers.
The question is whether bots are smart enough to recognize that a board is using multiple choice or not. Given that my board has not gotten a spam registration in months, I'm guessing they aren't -- yet. (And, if you look at my list of banned domains, you'll see I was a target for bots in the past, so I assume that bots are still visiting. Most of those domains were from spam registrations on my board; a few were from spam registrations on the vBulletin board I helped to admin.)
By the way, checking up on what bots are trying to register is one reason I wish there was a guest log.
Kellanved wrote: Multiple Choice wouldn't work, were it part of the default package - as Q&A now is.
I'm not sure what that means. Is Q&A part of phpBB already (or will it be in 3.0.6)?
There's a tour about the supplied plugins in the blog post
So there isn't Q&A in 3.0.5 and I wasn't missing anything. Thanks for clarifying that.
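
The odds discussed in the post above (a 1-in-50 multiple-choice question with three registration attempts, and random guessing at a 1% chance), worked through as an added example that is not part of the original thread. It assumes equally likely answer options and an attempt limit the bot cannot reset; the function names are hypothetical.

```python
"""Added example: sizing a multiple-choice registration question.

Assumptions (not from the thread): every option is equally likely to be
picked, and the attempt limit really binds the bot (it cannot reset the
counter, for instance by switching IP address).
"""


def guess_success(options: int, attempts: int, remembers: bool = False) -> float:
    """Chance that a guessing bot gets in within `attempts` tries.

    remembers=False: each try is an independent uniform guess.
    remembers=True:  the same question is shown again and the bot never
                     repeats an answer that was already rejected.
    """
    if options < 1 or attempts < 0:
        raise ValueError("need options >= 1 and attempts >= 0")
    if remembers:
        return min(attempts, options) / options
    return 1 - (1 - 1 / options) ** attempts


def max_attempts_under(options: int, target: float) -> int:
    """Largest attempt limit keeping a memoryless guesser at or below `target`."""
    if not 0 <= target < 1:
        raise ValueError("target must be in [0, 1)")
    n = 0
    while guess_success(options, n + 1) <= target:
        n += 1
    return n


def attempts_to_reach(options: int, target: float) -> int:
    """Fewest independent guesses giving the bot at least `target` success."""
    if not 0 <= target < 1 or options < 1:
        raise ValueError("need options >= 1 and target in [0, 1)")
    n = 0
    while guess_success(options, n) < target:
        n += 1
    return n


if __name__ == "__main__":
    # The post's case: 50 options, three registration attempts.
    print(f"50 options, 3 tries, no memory : {guess_success(50, 3):.4%}")
    print(f"50 options, 3 tries, remembers : {guess_success(50, 3, True):.4%}")
    print(f"attempt limit for <= 5%        : {max_attempts_under(50, 0.05)}")
    # A 1% per-guess chance with no attempt limit at all.
    for tries in (50, 100):
        print(f"1% chance after {tries:3d} tries     : {guess_success(100, tries):.1%}")
    print(f"tries for an even chance at 1% : {attempts_to_reach(100, 0.5)}")
```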