[OT] serious spam issues

[artaxerxes]

Hey,

I visit Exult's forum several times a day. Having editor privileges I do a lot of cleanup but sometimes it's just too frustrating. Just today someone posted a spam comment with embedded porn pictures! It's really time to do something.

What about implementing the measures that were previously suggested, like changing the name of the page from which comments are added to the forum?

I would like to also suggest a couple more: you can only use and if you are registered and for at least 1 day, otherwise, it's only plain text.

Also adding a captcha would be nice. For instance, replace the post button by a list of randomly generated images, one of which is ultima-related and at the same time the only one that can successfully add the post to the forum.

What do you think?

Artaxerxes

[wjp]

I added some more tricks. Let's see for a while how those work out... The level of spam indeed starting increasing again lately after the last relatively quiet period.

[Dominus]

What about implementing the measures that were previously suggested, like changing the name of the page from which comments are added to the forum?

While this is really a good idea generally and works great for guestbooks (thanks Dino for this idea, my guestbook has been spam free since then), it is not that great for a forum because internet searches would for a long while produce dead links to the old forum address.

a lot of help for us moderators would be if we had some of those forum admin buttons in normal view. Actually just the delete button would be enough. To open a post and then select delete is just a bit cumbersome especially with the slow loading times.

And we really should do something with the porno pictures. Probably somethng like all posts with img tags needing approval (if not posted by a moderator). I'd be quite willing to log into the forum admin every day to review posts awaiting approval.

[keldorn]

Not just this forum, the one over at TFL seems to be suffering from it too.

[MV]

Well, Griffin over at ozformers solved his problem (was getting the same amount of stuff as you guys here, and was getting rediculous), by making registration a requirement (yea, I know, not the best), but, in registration general transformers questions are asked, which any real fan would know, and accounts are individually allowed/not allowed by the administrator.

Could work here with ultima type questions before allowing. Plus it would be pretty obvious who a spammer would be by their username. I notice a few validating members regularly on the list at ozformers, and you just know they are spam, and yep, no spam posts there ever since. Of course the forum is still read only to guests.

Have a think about it guys. I know I don't really like registration because of all the accounts I already have, but it's the only real way.

[dino]

While this is really a good idea generally and works great for guestbooks (thanks Dino for this idea, my guestbook has been spam free since then), it is not that great for a forum because internet searches would for a long while produce dead links to the old forum address.

I'd like to say something about this...

Well, the idea of renaming the posting page doesn't actually work for long. It seemed great when I first tried it, as it kept spam away from my guestbooks for a few weeks, but in the end the spambots still find your guestbook again. Then you can either keep renaming the posting page, or just give up.

So... ignore what I suggested earlier. It's not worth it.

Due to the sheer amount of spam my sites were getting (I had about 6 guestbooks and 3 fora), I simply decided to disable all posting scripts. I don't even have time to update my sites any more, let alone clean up spam.

The only way that seems able to keep out spammers is to use a visual captcha. However even this is fallible, and I have seen phpbb with such a captcha being spammed. I have even tried to develop my own ways of keeping spam out, but my efforts were laughable at best.

[Dominus]

we are losing the battle. Let's give up the Internet and play old games instead

[Colourless]

But if everyone left the internet... there would be no spam anymore...

such a paradox.

[artaxerxes]

like I mentioned, I come to Exult's forum several times a day already (even if I've not been too vocal lately), so I could assist Dominus in his proposal.

But check out http://hotcaptcha.com/ (SFW). If we did something similar with this forum, making the images U7-related, it might help.

I've read several sites concerning spamming issues, and here is a list of suggestions I saw:

* copy a phrase: you leave a field blank and you require users to copy a random-generated phrase in it. To foil spammers, ask the user to remove all vowels. EX:

Copy the following phrase and remove all vowels and spaces into this form field: Ultima rulez
--> the user enters "ltmrlz"

* tripwire field: spambot tend to interpret fields to guess what data is expected. For instance, if a field is named "username", they will put something in there to that effect. You could make a hidden field, name it in a way that bots will think it's important and prevent any posts that contain a value for that field when the form is posted. It could happen the bot is smart not to fill hidden fields, in this case make it plain and instruct users not to fill it.

* javascript seal: similar to the tripwire field. A hidden field, but this time it gets filled with data thanks to javascript. Most bots are too dumb to interpret js. The seal should make sense (not just random blather). I happen to have some potent js script to do that kind of sealing.

* multiple submit buttons, but only one is ok to press, being decorated with css for instance as also bots are too dumb to interpret css properly. Clicking on the wrong one prevents the post from going through.

* multiple submit buttons version 2: use css to hide the wrong buttons so that the user can't get confused.

* javascript submit: the form action parameter () is blank or invalid, but javascript corrects it when the page is loaded in a browser.

* javascript turing test: ask the user to click on buttons in a sequence to restore the action="..." parameter of the form tag.



You could combine the above for a more effective protection.

Artaxerxes

[dino]

I don't mean to talk against your efforts, but a lot of the things you mentioned are tricks that bots can easily overcome and that can confuse humans in good faith.

Something I've tried, for example, is making the name of a field (e.g. username) as a random string instead of a fixed name. This random string would then be stored in a $_SESSION variable so that it could be retrieved for processing and yet spambots posting to the same field would not know the name of the field.

A friend of mine bypassed the security by simply writing a perl script that retrieved the HTML page, used regular expressions to get the name of the field from the HTML code, and posted to the form.

I could be wrong but in practice nothing's going to work because:
1.) If any information is written in the HTML code, hidden or otherwise, it can be harvested by the spambot and used to bypass security
2.) If there is a test that requires human judgement, the spammer can simply figure it out and tune the spambot to react to it
3.) Visual captchas can be bypassed by OCR

In my opinion if someone finds a perfect way of stopping spam, he deserves the Nobel Prize.

[m4yh3m]

As little as I've been on here for as long as I've been reading on here, I haven't come across very many threads with pics. I'd say... none? But it seems the need to post pics is somewhat important, so why not write a server script that checks for image tags, and checks to see how old the account is. If it's less than a week old, do not allow it. Maybe you could have a "safe list" of hosts (like photobucket, etc.) that users would be required to use for posting images. IIRC, photobucket checks for vulgarity in the pics anyways.

[artaxerxes]

the reason why you don't see pix is because we remove them as soon as we find them. With about 8 people with moderator privileges, it's not surprising we could remove them that fast.

That said, OCR cannot decode images like those illustrated by hotcaptcha. It can only decode text, not photographs.

Artaxerxes

[Skutarth]

I totally support anti-spam measures. You may also look into disabling links for the same criteria as images.

[marzo]

Maybe require unregistered users to fill some Ultima-related captchas similar to those from hotcaptcha, as well as requiring these captchas for registration?

[Crysta the Elf]

"Not just this forum, the one over at TFL seems to be suffering from it too."

Thats because due to a screwup or two noone other than Wiz has mod access, and things have been to hectic for him to change that. :\

[m4yh3m]

I think the simple solution is to just ban and . Not that my input carries much weight since I rarely visit, but to simplify things it's just easier. Just on the overall content of say 90% of the messages on here, none of them justify having embedded images. As for hyperlinks, what's wrong with cut-n-paste? I can understand the need for embedded images and links on another forum I am on which discusses electronics (where people need schematics and such). But if the only pictures that are being posted are porn, then just K.I.S.S. Remove images. If enough people can justify the need for them, bring them back and then worry about that issue when the time comes

[drcode]

Maybe an unregistered user should have to answer one of the U7 copy-protection questions before posting:-)

[m4yh3m]

Before posting a J-P-G, you must answer me these questions three!

What is your name?
What is your quest?
Why do you have a little brat with a sling shot in your party to help save the world?


And for fun: What is the air speed velocity of an unladen gargoyle?

[artaxerxes]

what do you mean? an Underworld gargoyle or a Terfin gargoyle?

[Dominus]

well, whatever wjp did, it kept the spam at bay since we started this thread
(and if anyone knows or guessed what he did, keep it to yourself, we don't want to tell the bots )

[artaxerxes]

I'd like to publicly thank wjp for his wonderful filter. I haven't seen one spam pass through in weeks.

Well done Willem!

Artaxerxes

[Dominus]

two or three made it through the other day, but that seemed more like a scout mission.

[m4yh3m]

I found an interesting article about spam block improvements... don't know if it'll work with the forum software you're using, but what the hell -- couldn't hurt to try:

Spamblock Improvements (note: fixed by Artaxerxes)

[m4yh3m]

and i totally fudged that up. oh well. feel free to fix it.

[Dominus]

wow


(edit, this was an exclamation after a spam post appeared in this very thread - still wanted to delete the spam post, but this way the posts make sense for anybody else )

[artaxerxes]

I keep deleting spam messages going, as if from spite, in this thread!

Artaxerxes

[Dominus]

You do? I never saw one except for the one above I just deleted.

[artaxerxes]

I have done it about 3 times this week alone!

Artaxerxes

[Malignant Manor]

spam
spam
spam
humbug


Why don't you just lock the thread?