how to help fight forum spam

This is an archive of a topic from NESdev BBS, taken in mid-October 2019 before a server upgrade.
by on (#231717)
When registering an account on the forum, there is an NES-related question (chosen randomly from a list). In the past, changing the questions seemed to have slowed down the spam for a while. So I figured it would be a good time to try that again. But this time, why not go further and add a lot of questions? I could use some help with that.

If anyone wants to write a question or two, we could maybe get a decent list going and hopefully make it tougher for them to register. I guess they can just google it, but if we're making dozens or hundreds of them waste their time, then good.

Just send the Q/As to me in a PM, not in the thread itself (for obvious reasons). It's kind of tough because you want it to be obscure, but not too obscure. Also, one question can have multiple answers.
Re: how to help fight forum spam
by on (#231873)
I hope the new questions help a bit now.
Re: how to help fight forum spam
by on (#231877)
Out of curiosity, can we also incorporate other things like google's "i am not a robot" captchas?
Re: how to help fight forum spam
by on (#231884)
gauauu wrote:
Out of curiosity, can we also incorporate other things like google's "i am not a robot" captchas?

This solves nothing -- the people doing the sign-ups are not robots/automated scripts, they are human beings who can read/understand English.
Re: how to help fight forum spam
by on (#231885)
Really? My experience in the past is that more questions don't seem to help. An attacker would only need to answer one question before they can automate the process and brute force it.

I even tried doing it using a webpage full of GUIDs in different styles. The questions were then just "Copy paste the green words from the following web page". Within maybe two days at most of changing the GUIDs out I would start to get spam accounts again. It was miserable and I finally just shut the forum down. The admins had collectively given up on trying to fight the spammers by that point so the traffic went from a dozen or so daily posts to basically 0. :-\

As far as I've ever heard, the only good way to keep spammers out of PHPBB is not to use PHPBB or to write your own custom captcha. -_-
Re: how to help fight forum spam
by on (#231886)
gauauu wrote:
Out of curiosity, can we also incorporate other things like google's "i am not a robot" captchas?

For one thing, ISPs in the People's Republic of China block reCAPTCHA, as do web browsers that are set to refuse to run proprietary JavaScript. For another, some people report that reCAPTCHA leads to several minutes of identifying cats, street signs, and the like.

slembcke wrote:
The questions were then just "Copy paste the green words from the following web page".

I guess that might work on a forum with no blind members.

A few other systems exist:

  1. Shadowban all newly registered users. Allow a user to post, but hide these posts from the public and from non-staff users until staff release these posts.
  2. Require a referral from an existing member to join. This is the essence of the Vouch extension to Webmention. Some communities make initial contact with newcomers through an IRC channel.
  3. Require ownership of a personal domain and subscription to web hosting to join. The wiki on IndieWeb.com uses IndieAuth protocol.
Re: how to help fight forum spam
by on (#231889)
slembcke wrote:
The questions were then just "Copy paste the green words from the following web page".

I guess that might work on a forum with no blind members.

Sadly it didn't really work regardless of people's abilities. :(

Does PHPBB support first post moderation? Years ago that worked pretty well on the idevgames forums. Basically your posts don't show publicly until after you have been blessed by a moderator. Easier to review the first post of a new member than every post that shows up on the site.
Re: how to help fight forum spam
by on (#231892)
I guess that catching spammers after they register is more effective than trying to catch them during registration. Can't new members get a limited number of trial posts, in which they can't post links to external sites? When the trial posts are over a mod can then choose whether to make them full members or ban them. Maybe this decision can even be made before the end of the trial posts, if their behavior makes their legitimacy obvious.
Re: how to help fight forum spam
by on (#231894)
That proposal is similar to what we currently do on the wiki for talk page posts by newly registered users. They may edit only talk pages, and adding external links requires solving a CAPTCHA. Promotion happens automatically after two talk edits and a few days in this new user state. But in some cases, spammers have proceeded anyway with "copy and paste and remove spaces".
Re: how to help fight forum spam
by on (#231901)
tepples wrote:
  1. Shadowban all newly registered users. Allow a user to post, but hide these posts from the public and from non-staff users until staff release these posts.
  2. Require a referral from an existing member to join. This is the essence of the Vouch extension to Webmention. Some communities make initial contact with newcomers through an IRC channel.
  3. Require ownership of a personal domain and subscription to web hosting to join. The wiki on IndieWeb.com uses IndieAuth protocol.


a: This solution usually works great. Only downside is that it requires very active moderation as you wouldn't want someone writing stuff for two days wondering why people just ignore them
b: This only works for larger and popular sites, who benefit from filtering in only people who are truly dedicated
c: I assume this was a joke
Re: how to help fight forum spam
by on (#231910)
I agree that b. would not work. I have yet to meet someone in person who has heard of NESDev.
Re: how to help fight forum spam
by on (#231928)
A lot of forums seem to have restrictions until you've reached a certain number of posts. Like, not being able to participate in for sale threads and the like.

For all new users starting with a post count of 0,
-suspend rights to edit posts until you've made a handful of them.
-likewise suspend rights to make a signature until you've made enough posts.

I've seen this too, so maybe:
-suspend rights to make a new thread in most subforums until you've posted at least 1 reply or made an introduction thread in an appropriate subforum.

But often people register when they have a question, and then hopefully some of them stay to become active members, so the 3rd point might be a bit of a hindrance to community growth.
Re: how to help fight forum spam
by on (#231947)
tepples wrote:
For one thing, ISPs in the People's Republic of China block reCAPTCHA,

Last time I was there, nesdev was blocked entirely in China.

Quote:
  * Require a referral from an existing member to join. This is the essence of the Vouch extension to Webmention. Some communities make initial contact with newcomers through an IRC channel.
  * Require ownership of a personal domain and subscription to web hosting to join. The wiki on IndieWeb.com uses IndieAuth protocol.


A couple minutes of clicking street signs isn't acceptable, but requiring a personal domain is?

koitsu wrote:
This solves nothing -- the people doing the sign-ups are not robots/automated scripts, they are human beings who can read/understand English.

Now here's the right answer. Koitsu's point is correct -- it won't help if these are real people.
Re: how to help fight forum spam
by on (#231949)
create a captcha system that hides an answer in a NES rom

(spammers won't have NES emulators installed)
Re: how to help fight forum spam
by on (#231950)
Good luck with hiding the answer in a ROM if your first question is emulator tech support. Or should that be done directly with the emulator's developer?
Re: how to help fight forum spam
by on (#231951)
gauauu wrote:
Out of curiosity, can we also incorporate other things like google's "i am not a robot" captchas?

For God's sake, NO, NO, NO !! I absolutely LOHATE those things and refuse to take part in this game whenever I can (sometimes I don't have the choice but it's rare). I don't want to be forced to spend 5 minutes working for Google's customers sorting their data without being paid just because they arbitrarily thought I could be a robot. I think the law should forbid those.

For example I had to do 10 minutes of those when (recently) deleting my google and facebook accounts (*) - because obviously they don't want people to delete their accounts. Google especially. They tell you you're logging in from an unusual place, or whatever. Fuck them, this is none of their business.

(*) Actually it wasn't a captcha but another time-confusing idioty of the same style.
Re: how to help fight forum spam
by on (#231972)
pubby wrote:
create a captcha system that hides an answer in a NES rom

(spammers won't have NES emulators installed)


Hahah, I love this idea.
Re: how to help fight forum spam
by on (#231992)
I'm "so good" at those captcha things that the site thinks I'm a robot and I often need to do it 3~4 times. Hours of fun ^^;;; Often you look at the question and you are like "but this part could be what they asked" and just add it and it just fails since it would be how an automated way would find it (like that small street sign that is very, very far away but nobody would select it but if you check properly, it's there!). So I have to think more like "what would people usually select?". I hate sites that use it and waste so much time because of that.
Re: how to help fight forum spam
by on (#232012)
Thankfully, there are further lines of defense once they get past the Q/A. It's not perfect, but is holding up pretty well. There aren't any stats on how many fail the Q/A, but I have been able to see what happens when the spammers pass the Q/A but fail the subsequent check. It can get pretty insane, I've seen it range between one account every couple weeks when the questions are fresh, and more like 100 per day when they must have broken the Q/A, I had to stop tracking it because tepples and I were getting blasted with user activation request emails.

It looks like there is a (disabled) interface to Akismet, anyone have any experience with that service, if it's any good? I guess it monitors posts (until user reaches a certain number of posts), but it costs money. For all I know it could just lead to more work by false positives. I might just give a 1-month test run at some point, at an unannounced time.

Summary of the current spam status is that it's annoying to see any get through, but we're kinda lucky so far. It's no exaggeration to say it could potentially be 1000 times worse than it is.

But yeah with captcha and stuff I hate those, it's annoying and a major barrier for people who have color blindness or worse impairments. I miss the old days of having anonymous posting allowed. Gotta agree that idea of having an NES ROM as a registration test is pretty funny and interesting. But it sorta has the same problem as the Q/A test, we'd either have to generate/validate the ROM per session, or they'll just get the right answer once and bypass it forever.
Re: how to help fight forum spam
by on (#232016)
Pre-generate 1k roms, select one at random. Re-generate monthly.
Re: how to help fight forum spam
by on (#232051)
pubby wrote:
create a captcha system that hides an answer in a NES rom

Hah, I had the same idea today.

As tepples said, it could be frustrating if somebody can't solve it (for example, dsibrew and 3dbrew want (or wanted) people to enter a linux commandline, which is not so funny if you don't use linux). But in this case, I guess almost anybody remotely interested in NES-development (or just in NES-gaming) would know how to use a rom-image in an emulator (or on real hardware). Unless there are people frequently asking "how to download my first emulator plz help"?

One extra idea would be modifying the rom-image on the fly (if that is possible without too much effort), like storing the user name or email address in the rom-image, and then using the NES code to compute a checksum on that string to produce a 4-digit "PIN" number that works only for that specific user.
That would avoid people re-using a known captcha answer, but won't help if they are hiring somebody with a NES emulator to create some dozen/hundred accounts for them (or rather unlikely: disassemble the NES code).

And, of course, the NES rom could additionally do something like this (repeat dozens of times with different challenges):

The Internet wants You to do this: Click on Street Signs!!!
* Signature
* Street Art
* Shop Front
* Street Signs
* Google!


Or some more complex and subversive variation, like a game that allows to vandalize/decorate all shop fronts with graffiti (perhaps writing your user name), or steal street signs and sell them at a flea market (or to google)... which might ultimately end up with a school bus steering off a cliff in lack of proper warnings about dangerous road stretches, so you might better avoid doing that in real life.
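
The per-user PIN idea from the post above, seen from the server's side, as an added example (not part of the thread and not the forum's own code). It goes slightly beyond the post by mixing a per-session nonce into the patched data, which addresses the "get the right answer once and bypass it forever" concern raised earlier in the thread; the slot offset, slot size, blank template ROM and choice of CRC are all assumptions.

```python
import hmac
import secrets

# Constructed stand-in for a real challenge ROM: iNES header (1 x 16 KiB PRG,
# no CHR) followed by an empty PRG bank.
TEMPLATE = b"NES\x1a" + bytes([1, 0]) + bytes(10) + bytes(16384)
SLOT_OFFSET = 16 + 0x3F00   # hypothetical place the ROM's code reads from
SLOT_SIZE = 32              # hypothetical fixed-size slot


def pin_for(slot: bytes) -> str:
    """CRC-16/CCITT-FALSE (cheap on a 6502), reduced to a 4-digit PIN."""
    crc = 0xFFFF
    for byte in slot:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return f"{crc % 10000:04d}"


def make_slot(username: str, nonce: bytes) -> bytes:
    """User name plus per-session nonce, zero-padded to the slot size."""
    payload = username.encode("utf-8") + b"\x00" + nonce
    if len(payload) > SLOT_SIZE:
        raise ValueError("user name too long for the ROM slot")
    return payload.ljust(SLOT_SIZE, b"\x00")


def build_rom(slot: bytes, template: bytes = TEMPLATE) -> bytes:
    """Return a copy of the template with this registration's slot patched in."""
    rom = bytearray(template)
    rom[SLOT_OFFSET:SLOT_OFFSET + SLOT_SIZE] = slot
    return bytes(rom)


def verify(username: str, nonce: bytes, submitted: str) -> bool:
    """Recompute the PIN server-side and compare in constant time."""
    expected = pin_for(make_slot(username, nonce)).encode()
    return hmac.compare_digest(expected, submitted.strip().encode("utf-8"))


if __name__ == "__main__":
    nonce = secrets.token_bytes(8)          # store with the pending registration
    slot = make_slot("new_member", nonce)   # constructed sample user name
    rom = build_rom(slot)
    print(len(rom), "byte ROM, expected PIN", pin_for(slot))
```

A 4-digit PIN only resists guessing if the nonce is single-use and the number of attempts per pending registration is limited.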
Re: how to help fight forum spam
by on (#232231)
Bregalad wrote:
For example I had to do 10 minutes of those when (recently) deleting my google and facebook accounts (*) - because obviously they don't want people to delete their accounts. Google especially. They tell you you're logging in from an unusual place, or whatever. Fuck them, this is none of their business.

To be fair, actually deleting your account is an irreversible process, and it makes sense to increase security tenfold on that action. If someone hacked access to your account, deleting it is second probably only to getting access to money stuff.
Re: how to help fight forum spam
by on (#234966)
Just got some PM spam...
Re: how to help fight forum spam
by on (#240460)
Does the database save which question the user answered to create the account? You can rotate out questions that the spammers can easily answer.
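
One way to act on the suggestion above, as an added example (not part of the thread or the forum software): assuming each registration record stores the id of the question that was answered and whether the account was later banned as spam, rank questions by a Wilson lower bound on their spam fraction so that a question is not retired on the strength of a handful of sign-ups. The record layout, the sample data and the 0.5 threshold are assumptions.

```python
from collections import Counter
from math import sqrt

# Constructed sample: (question_id, account_later_banned_as_spam) per registration.
REGISTRATIONS = (
    [("q1", True)] * 36 + [("q1", False)] * 4      # heavily abused question
    + [("q2", True)] * 3                           # all spam, but only 3 sign-ups
    + [("q3", True)] * 5 + [("q3", False)] * 45    # mostly legitimate
)


def wilson_lower(spam: int, total: int, z: float = 1.96) -> float:
    """Lower bound of the 95% Wilson interval for the spam fraction."""
    if total == 0:
        return 0.0
    p = spam / total
    centre = p + z * z / (2 * total)
    margin = z * sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre - margin) / (1 + z * z / total)


def questions_to_rotate(registrations, threshold: float = 0.5):
    """Return (ids whose lower bound exceeds the threshold, all scores)."""
    totals, spam = Counter(), Counter()
    for qid, banned in registrations:
        totals[qid] += 1
        spam[qid] += int(banned)
    scored = {q: wilson_lower(spam[q], totals[q]) for q in totals}
    return sorted(q for q, s in scored.items() if s > threshold), scored


if __name__ == "__main__":
    flagged, scores = questions_to_rotate(REGISTRATIONS)
    for qid in sorted(scores):
        print(qid, round(scores[qid], 3), "ROTATE" if qid in flagged else "keep")
```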