next »

[FARTRON]

I tried getting in touch with derek about this, but he never responded, so here it is in public.

About 90% (totally unresearched #) of the new signups for this board are spam accounts that just want to get links on tigsource.com to other sites so as to leach our popularity and increase their PageRank.

I've frequently complained about the quality of the board software in terms of usability, but now the crappiness is being leveraged by scammers to make money.

Anyone who cares to see for themselves can either just watch the number of registered users increase absurdly fast, or go into the member list and start randomly clicking names.

Here's the list alphabetically and if you click around on some you'll find they have never posted and have links in their signatures to prescription drugs and cubic zirconia and shit like that.

If you check the list sorted by most recent registrations the problem rapidly becomes much clearer.

[Hangedman]

Is there even a captcha during registration?

There's a new one every few minutes.

[bento_smile]

Unfortunately a captcha won't keep them all out, as a bunch of them are probably humans and not robots.

[Hangedman]

Do what a lot of forums do and ask them an easy question that nevertheless requires extra effort. I know such a construct exists.

"Name Derek Yu's roguelike platformer."

[[RM8]]

Oh yes I like this game it's my favorite ever click here to buy prescription drugs.

No, but really, those are a lot of spam accounts.

[s0]

Do what a lot of forums do and ask them an easy question that nevertheless requires extra effort. I know such a construct exists.

"Name Derek Yu's roguelike platformer."

Already exists, just checked a minute ago. Doesn't seem to help though.  

[Cthulhu32]

Do what a lot of forums do and ask them an easy question that nevertheless requires extra effort. I know such a construct exists.

"Name Derek Yu's roguelike platformer."

If you can gather all of the possible captchas, it is very easy to create an auto joiner. As for the captcha avoidance, its pretty easy to get around the letter based captchas. All you need is a clever way to identify the area letters are in, estimate what parts of the darkened color are letters and what are not, then throw it into an open source hand-writing recognition software like Java OCR: http://sourceforge.net/projects/javaocr/

What we need because this forum has gotten popular enough to hit this many spam accounts is something like ASIRRA ( http://research.microsoft.com/en-us/um/redmond/projects/asirra/ ) Its free, it should stop the MAJORITY of spam accounts, and they have examples for every language to setup.

[Christian Knudsen]

Most forums have mods that allow you to delete all members with zero posts that haven't logged in for a while. Here's one that does part of it:

http://custom.simplemachines.org/mods/index.php?mod=995

Otherwise, just access the database itself and run a script to drop all members that haven't posted or logged in since registering.

[ஒழுக்கின்மை (Paul Eres)]

it's a security flaw in this forum's version of smf, update the forum software to the latest version and the problem will be fixed

[Christian Knudsen]

Which flaw specifically are you referring to?

[ஒழுக்கின்மை (Paul Eres)]

(17:33:40) Cthulhu32: RinkuHero: post the flaw you're talking about
(17:39:24) RinkuHero: the current version of smf is
(17:39:26) RinkuHero: 2.0
(17:39:31) RinkuHero: and they're using 1.1.11
(17:39:56) Cthulhu32: yeah that shouldn't open up their registering system
(17:40:01) Cthulhu32: I thought you meant you saw a specific version
(17:40:13) RinkuHero: no but i had the same problem
(17:40:26) Cthulhu32: ahh
(17:40:26) RinkuHero: when i was using 1.1.11 on my forums i got tons of registrations randomly with spam links
(17:40:32) RinkuHero: and when i updated to 2.0 they stopped
(17:40:36) Cthulhu32: you should mention that
(17:40:39) RinkuHero: so i assume it's some flaw in the software
(17:40:45) RinkuHero: even though i don't know the details of it

[increpare]

I get it still with some 2.x SMF forums I run.  They seem to have slowed down now that I've added a zillion authentication layers :/

[ஒழுக்கின்மை (Paul Eres)]

perhaps we should put it on manual approval for a while, and require someone to email derek to prove they're human

[bento_smile]

Wouldn't that be a lot of work?

[Christian Knudsen]

I guess the Anti-Spam Verification Questions mod isn't installed correctly? Was it installed manually since this board has a custom theme?

If the anti-spam is installed correctly, I see only two possible ways for the spammers to register: they're either humans doing it manually, or they're bypassing the registration and accessing the database directly. I'd love to have a look at the register.php file, or whatever it's called on an SMF board.

EDIT: This anti-bot mod sounds very interesting and clever. Perhaps worth a try?

[ஒழுக்கின்மை (Paul Eres)]

perhaps they just brute forced the solution and used it over and over. change the question?

[Christian Knudsen]

Yeah, but it's not the capthcha that seems to have been circumventeed (well it has, but that's almost to be expected), it's the question verification thingie. And I don't think somebody on another random site will now what the G in TIGForums stands for.

It could be brute force, but wouldn't all the brute force attempts show up in the log? Possibly even hurt the forum performance considerably? I can't even image the number of attempts at trying to brute force three questions! That's three strings of undetermined length that can contain any characters...

[randomshade]

Most forums have mods that allow you to delete all members with zero posts that haven't logged in for a while. Here's one that does part of it:

http://custom.simplemachines.org/mods/index.php?mod=995

Otherwise, just access the database itself and run a script to drop all members that haven't posted or logged in since registering.

Sadly, that would have deleted my [real...I think] account, which was rarely logged into for a couple of years when I was crunching like mad. But if cutting corner cases like me help the community, so be it.

Someone also mentioned manual checking: they did this, with a minimum post count before the user's posts showed up, on the indie gamer forums and it's horrible. The board gets more "why can't I post/pm/do jack shit" posts than spam, and threads become weird when hidden replies magically start showing up in the middle of conversations.

Edit: Just noticed the newest member (in the span of me writing this post) is "credit12approval"...yikes.

[Cthulhu32]

I really think a better captcha system would work:
http://research.microsoft.com/en-us/um/redmond/projects/asirra/

Its easy to add, no hassle to the admins.

[J. R. Hill]

Ban everyone and start over.