Inappropriate Material System

[Drexion]

Getting people to do it is significantly more expensive and time-consuming than leaving a single machine or botnet to attack verification procedures.

As Roberdin mentioned, many people actually contribute to the spamming without even knowing it. I must admit, the ingenuity used by these guys can be impressive.

Lets say a brand new captcha algorithm is released, it may take weeks to months (for example's sake) for them to write an ocr script capable of bypassing it.

Now, at any point in time there's millions of people searching / browsing for free porn on the net. So this is how the procedure works.

(1) Random guy visits free porn site
(2) Somewhere else, a forum spambot encounters not-yet-bypassable captcha on a forum
(3) Spambot grabs the captcha image from the forum, and passes it to a script on the free porn site
(4) The script displays the captcha for the random guy on the free porn site, stating he needs to complete it for access
(5) Random guy fills in the captcha, the script sends the text back to spambot
(6) Spambot fills in the not-yet-bypassable captcha on the forum, and successfully bypasses it
(7) Forum is spammed.

Theres always millions of people searching for free porn on the net, at any point in time. There will always be a human available somewhere who can be fooled into doing things without them even knowing they are doing it, like helping spamming.

No doubt about it, the ingenuity in these techniques can be amazing.

[Denyer]

Theres always millions of people searching for free porn on the net, at any point in time. There will always be a human available somewhere who can be fooled into doing things without them even knowing they are doing it, like helping spamming.

It's wise to not rely only on image verification, if for no other reason than some are barely interpretable by the average user.

Does anyone have any stats on the porn site image methodology, by the way? It crops up periodically in conversation, usually in reference to obtaining things such as webmail accounts where there's something particularly useful to gain (account to route spam via, etc.) Not much sign of it as other than proof-of-concept for forums and guestbooks.

Trivially easy-to-answer questions are another good basic morphing defence, ideally not using a predefined bank of questions. Assuming access is desirable enough, though, just getting real people to sign up will happen. We can only stop the bots, since the forms are intended as a method of entry.

[Highway of Life]

It would be interesting to see if it would make any difference if you protected CAPTCHA’s from being hot-linked.
That should eliminate any possibility of that happening with phpBB3 if they just added an .htaccess file for the CAPTCHA to do that.

The posts above have some good thoughts/ideas, however, this topic is specifically regarding posting of inappropriate material, not necessarily stopping spambot registrations.

[Drexion]

It would be interesting to see if it would make any difference if you protected CAPTCHA’s from being hot-linked.
That should eliminate any possibility of that happening with phpBB3 if they just added an .htaccess file for the CAPTCHA to do that.

Won't help, the script captures on a pixel by pixel basis. Think of it like taking a picture of the screen with a camera.

If you're familiar with capture/ocr software for photocopiers/scanners, its pretty much what it does - takes a picture "scan" (except with software and not hardware), and then passes the "picture" to the ocr software to attempt to decipher the letters on it. The original isn't needed - its just a bunch of bytes in memory. Just like the original phpBB captcha isn't needed to be hotlinked, its already stored as a bunch of bytes in memory

Does anyone have any stats on the porn site image methodology, by the way?

Just like software piracy, you'll hear a different number from anyone you ask, its just the sort of statistic that only wild guesses can be made about.

[Roberdin]

It would be interesting to see if it would make any difference if you protected CAPTCHA’s from being hot-linked.
That should eliminate any possibility of that happening with phpBB3 if they just added an .htaccess file for the CAPTCHA to do that.

Well apart from compatibility issues with .htaccess, the bot could simply store the image that it has downloaded, acting as a browser, then regurgitate it from "memory" to show the appropriate user. I image that's what they do now, rather than provide an image link to the original CAPTCHA.

[Highway of Life]

Well apart from compatibility issues with .htaccess, the bot could simply store the image that it has downloaded, acting as a browser, then regurgitate it from "memory" to show the appropriate user. I image that's what they do now, rather than provide an image link to the original CAPTCHA.

Right, so as in, exactly what Drexion said?

Thanks Drexion, I had not thought of that, but that makes more sense.

[Denyer]

this topic is specifically regarding posting of inappropriate material, not necessarily stopping spambot registrations.

It won't work. There are always more domains, IP ranges, proxies, borrowed connections, image hosts, etc. If someone really wants you to see goatse for the umpteenth time, it'll stick around until manually deleted or until you disallow links and inlined images. The best defence is only issuing privileges on a per-user basis as you decide they can be trusted (with or without some automated logic to assign privileges on basis of postcount, feedback from other users, etc) and hoping no-one has access to the machines used by trusted users in order to nab cookies or other authentication.

Might as well appoint a few good moderators, tier account privileges if it suits the situation and worry about the things we can control.

(On that note, if you're using anything like unsalted MD5 for passwords, it might be worth running the hashes of passwords for moderators through as many lookup databases as you can easily find or make, to search for weak passwords. Or checking common keywords related to your site against whatever hashing method is in use, then running those past the forum database. People who have the personalities for modding aren't always equally sharp at security.)

Just like software piracy, you'll hear a different number from anyone you ask, its just the sort of statistic that only wild guesses can be made about.

I'm thinking instances are a very small number, TBH. We all know basically how it works, and the principle's sound for attacking a specific site where the verification methodology is known (as long as session fixation is possible, or the pages with the images to be passed to unknowing users can be queued for long enough without expiring) but I've never so much as seen a porn site ask verification in this way... a rapid and steady stream of data entry would be needed in most instances, so it'd have to be a popular site with sufficient content pay-off to keep drawing people in. The people who want access to forums, guestbooks and even free webmail accounts to spam via are mostly smaller league, and looking for paths of least resistance.

All makes for a fascinating mental puzzle to think through, though.

[Roberdin]

I think, as has been said, the only reliable solution is allowing users you trust to post only.

[Eelke]

Actually, I haven't heard anyone mentioning content filtering similar to email spam-filters. I think systems like GMail actually use filtering that gets input from all spam-reports and do not have strictly personal filters. I think there are in fact similar systems from comment spam (on blogs, but could also work on forums), where a message is checked against a central filtering system and is marked spam or not (the client system could then decide what to do with it; enter it into a moderation queue, or just reject it completely). The only problem is that your board would have to call outside to some server to check the content of every message, but maybe there's a solution for that as well (some kind of caching mechanism).

Alternatively, a stand-alone email client like Thunderbird has its own trainable spam-filter. No need to contact remote servers. I would say similar principes should be appliable to forums.

[Denyer]

Something like a Bayesian quarantine for messages? Moderators would flag examples of content that would cause a post to be entered into a moderation queue, and the system could 'learn' from that, selecting matching future messages to be queued automatically. If posts are in queue they could possibly be displayed as place holders in a thread as confirmation that the message was sent successfully.

On the other hand, if legitimate users got caught up in it, most would just keep resubmitting stuff until it wasn't trapped in the moderation system. Lots of redundant slight-differing posts caught in the system that need to be attended to or cleared.

You also have the problem that it would only work efficiently on text, and not differentiate between thumbnail links to holiday snaps and pictures of tubgirl. Might be suitable for an area specifically intended for youngsters, though, where you don't want them capable of posting information that's too personally identifiable, or inlining images without each one being moderated.

[Eelke]

Exactly. The user will indeed need to have somekind of feedback that their post needs to be approved. I think that when people try to abuse the system they can be handled in the same way you would handle abuse of any other apsect of your board.

BTW, I see this as much, probably more, as a mechanism to battle spam, not (just) "legitimate" users that post unwanted content.

[KFCSpike]

I think most of the posts here (not all) are missing the original point and going off on a tangent.
iEcstacy was quite clear that he/she was looking for a way to block users based on what they post on another forum.

Hi, I've been lurking around forums and recently I've seen many postings of inappropriate material in places where large amounts of minors access and can view these images, including myself.

They are spambots and there are plenty of ways to get around them. See the sticky at the top of the 2.0x support forum.

Yes, but on many forums they aren't spambots. Their people who get kicks out of posting rude images.

Its not a Spambot argument, its about 'inappropriate' posts by human users?

Our board is for over 18s only, and no it doesn't contain porn - its best described as adult humour but there are some things in there that I don't think under 18s should be viewing and we make this clear.
We are happy to allow some jokes/videos etc that might be considered 'inappropriate' to many other sites.

If I am understanding the initial post correctly, iEcstacy is looking for a system that would automatically ban me and our users from other forums?
Sorry iEcstacy - I have to disagree with that.
I use a lot of other boards as well and would never even think of posting anything that was 'inappropriate' by their rules. If I did, I would deserve a ban, but I don't deserve an automatic ban because I posted something that I wouldn't want minors to see in an 'appropriate' place.

[pentapenguin]

Something like a Bayesian quarantine for messages? Moderators would flag examples of content that would cause a post to be entered into a moderation queue, and the system could 'learn' from that, selecting matching future messages to be queued automatically. If posts are in queue they could possibly be displayed as place holders in a thread as confirmation that the message was sent successfully.

There is something like that already. It's a site called bbProtection created by Techie-Micheal.

Let me chime in here. IMHO, everybody is missing the basic principal here. It's not whether p0rn is bad or not, but that it's vandalism, pure and simple. People tend to forget that websites are indeed private property just like your home or a store. Just because a website is more visible and more open still doesn't change the fact that it's private property owned by an individual or a company. When you let guests into your home you expect them to obey certain rules of decorum: i.e. don't root around in your personal stuff, don't make a mess (parties excepted ), etc. When stores let the public in they expect certain standards as well: no shoplifting, no harassing other customers, etc. When websites let the public in, they expect them to read and become familiar with their site rules.

If a visitor deliberately and maliciously violates those rules, by posting content deemed objectionable by the board's owner or otherwise breaks the rules, than they are no different whatsoever from a punk that spray paints a building. Granted, posting objectionable content doesn't take as long to clean up, but it still takes valuable time to clean up and deal with. So the spammer hurts the board's reputation and steals time from the board's staff. Thus spammers and other troublemakers who deliberately cause trouble are petty criminals in my view.

[iEcstacy]

Well, thank you phpBB forum members for replying to my thread. I'm sorry if any of you got mad about the topic.

I posted this for a variety of reasons:

• I'm a minor, myself, and cannot afford nice, flashy hosting packages that allow you to host you belly dancing or your latest mutilated slab of meat. (I'm probably going to get a bunch of replies saying there are other minors who can afford it and whatnot, blah, you're missing the point.) So if you don't understand this, my free host doesn't allow pornographic images.
• For a while now I have been a frequent member of "paper doll/avatar" forums such as GaiaOnline, a forum, that if you didn't know, started out as phpBB. I was browsing a few of these forums and one in particular got a large amount of hate threads containing pornography and other vile images from members of other paper doll/avatar phpBB forums. Being a member of most of them, I made a few threads about the posting of pornography on other forums by their forum members. Sadly they could not do anything while the attacked forums sat there rotting.
• Yes, though, the forum's moderators took care of the threads, but there was a very long amount of time between when it was posted and when it was taken care of. I just want it to not even be posted.

Since you have said that this system cannot be done, I say fine, I was just wondering. Someone said that this system could not be done due to the management of the list; another mentioned how they would be punished for what they did on one forum and cannot post on others. If such a system was made, you would be able to join the main system's forums and post on it to negotiate your banning. How you prove that you are a just user and you won't do what you have done, again, I have no clue.

Please, if you are to describe the faults in such a system, describe technically what you cannot do. I am not a programmer or coder, that is why I made a discussion to ask if such could be made.

Edit: Oh and thank you the two above posters, I quite enjoyed reading your posts.
@ pentapenguin: I'll definitely check out bbProtection, thank you. Your post addressed a few of my views but in written words.
Oh and to whom else actually referred to my username, thank you, and to others: do not think it has anything related to the drug ecstacy.

Happy Easter everyone!
~ Brandon

[Denyer]

iEcstacy was quite clear that he/she was looking for a way to block users based on what they post on another forum.

All that's feasible is to talk to the staff at other forums -- but to verify users as being the same individuals will require sharing profile information, not just IP addresses. It'll need permission (well, if the trust of users is wanted) and many people don't have information that's static between sites (dynamic IPs, different email addresses used to register, different handles.)

everybody is missing the basic principal here

How so? People are responding to each other as well as to the initial poster. And it's likely that anyone posting on a forum development board runs one or more forums, doesn't appreciate vandalism more than anyone else, etc.

another mentioned how they would be punished for what they did on one forum and cannot post on others. If such a system was made, you would be able to join the main system's forums and post on it to negotiate your banning. How you prove that you are a just user and you won't do what you have done, again, I have no clue.

More to the point, how are you going to stop them in the first place? Anyone with a little knowledge and tenacity will cycle/proxy IPs, grab another email address, etc. It's as much a social problem to deal with as it is a tech one. Make it harder to do whatever it is they're trying to do and they're likely to get bored, which has as much to do with denying them the response/audience/exposure they want. Up the number of staff capable of dealing with things, silently delete, don't let other members give griefers the attention they're thriving on.

cannot afford nice, flashy hosting packages that allow you to host you belly dancing or your latest mutilated slab of meat

Generally price isn't the determining factor as to whether you're allowed to host Ogrish, it's the local laws of wherever you're hosted.

Unfortunately, things come down to it never being safe to allow visitor content unless it's actively policed. Filters and white/blacklists help a bit, but you're still trusting to strangers.