Printable Version of Topic

Posted by: djellison Oct 2 2008, 12:53 PM

Currently we, along with many other Invision boards, are getting dozens and dozens of spam registrations per day.

To protect the server and the forum, registration now includes a custom field to filter out automated spammers, as a very simple question.

If you have registered in the past week, but are still waiting for an approval email - please re-register, as your details were almost certainly lost in clearing out the vast number of spam registrations.

Doug

Posted by: Ant103 Oct 2 2008, 04:51 PM

I'm wondering if it's not possible to put a visual code to type manually to clearly make the difference between a spam robot and a human…

Posted by: djellison Oct 2 2008, 04:55 PM

It's called CAPTCHA, and we already have it in place. This recent bout is actually using people.

Posted by: Stu Oct 2 2008, 05:07 PM

The price we're paying for the hi-profile plug by the BBC..?

Posted by: djellison Oct 2 2008, 05:57 PM

Nope - loads of Invision boards have all had the same problem, starting at the same time.

Posted by: tty Oct 2 2008, 06:51 PM

Apparently spammers are now using "CAPTCHA slaves" from poor countries to get around the code.

Posted by: Greg Hullender Oct 3 2008, 01:31 AM

Grin. We need a UMSF-specific CAPTCHA that won't be so easy for uneducated folks. "What planet is this?" "What shape is this orbit?"

Of course, they probably don't let you replace the CAPTCHA.

--Greg

Posted by: djellison Oct 3 2008, 07:21 AM

A custom field for registration (something as simple as "Which red planet is fourth from the sun" ) is on the cards, but I'd rather see if the invision team come up with something a little less dumb than that.

Posted by: Ant103 Oct 3 2008, 09:21 AM

What about a random raw picture of a spacecraft and a question : "what spacecraft took this?".

Posted by: djellison Oct 3 2008, 09:46 AM

And when the person doesn't know?

I've added a custom field which should halt the automated spamming. It's a very VERY simple question.

Invision Board 3 will include an updated version of CAPTCHA, which is a bit more bot resistant - but a simple think like the custom field will actually defeat everything but the very persistent manually registering spammers.

Posted by: charborob Oct 3 2008, 12:58 PM

This may be a stupid question, but why would spammers want to register on this forum?

Posted by: ugordan Oct 3 2008, 01:01 PM

To umm.... spam?

Posted by: djellison Oct 3 2008, 01:18 PM

To post links to porn, scams, and in this particular high intensity glut of spamming, links to the very software they use to do the spamming.

Posted by: stevesliva Oct 3 2008, 02:11 PM

Post a link to some porn, get it spidered by google, increase the target page's pagerank...

Google's inevitable response is to give forum comments very low weighting, which is annoying. If we link to websites and say, "This is a great page about _____," it should affect pagerank! Darn spammers. I'm sure blog comments are already given basically zero weighting.

Posted by: Greg Hullender Oct 3 2008, 04:41 PM

I managed Microsoft's anti-spam effort for Live Search for two years before my retirement, so I might be able to suggest something here. The reason spammers are targeting you is that forums that allow posts with registration can still contribute "page rank" (or the equivalent) while forums that allow just anyone to post have long ago been zeroed out by all the major search engines. Getting past the registration is therefore a big win for a spammer. Success for the spammer is like getting a free ad from Google, Yahoo, or Microsoft -- not because people read their post on UMSF but because the link from UMSF to the spammer's porn site confuses the search engines into thinking that UMSF "endorses" the porn site. (And simply by noting how often a UMSF page is the result of a query to Google, Yahoo, or Microsoft demonstrates that UMSF has a very high reputation with all three engines.)

The key points for defense are that, first, UMSF probably isn't someone's specific target; the spammers are trying to get into ANY serious forums, so they won't be doing anything specific for UMSF. That means things that make UMSF different will likely cause it to be passed over -- even by cheap human labor. Second, the defense doesn't have to be perfect. I assume you can handle a small number of leaks manually. A perfect defense is probably impossible, but an excellent one is doable.

So I think you have the right idea for defeating the automated systems, but you might need to update the thing monthly or so. For the human ones, here's a proposal that might work. Have the system ask a question that's answered somewhere on the forum. If they get it wrong, point them to the thread that answers it and let them try again. No human spammer will be allowed to spend enough time on a single CAPTCHA to read much of a thread. Nor to read a Wikipedia article, for that matter. Some few will get through simply because they happened to know the answer already, but that number should be small.

You'd need a bunch of different questions, though; if it's the same one every time, all it takes is for one human to find the answer and share it with his friends. And the spammers have very active online communities (in China and Russia, at least) that are every bit as creative and inventive as UMSF itself is. Again, though, I seriously doubt that UMSF itself would be a specific target for them.

Finally, if the spammers are hiring so much third-world labor that they can actually have individuals specialize in specific sites, then this can still work, but you'd need lots and lots of different questions. In that scenario, the goal is to make it unprofitable for them, since the UMSF expert would only register a few percent as many times as one on a softer target. (But legitimate applicants would also take many times longer to register for UMSF than for other forums.)

Best of luck here, Doug. Beyond CAPTCHA's, I'm afraid the next line of defense is going to have to be requiring people to give a credit card number or some equivalent "hard id."

--Greg

Posted by: djellison Oct 3 2008, 07:12 PM

All we really needed was a subtle tweak to sort out this current torrent - not a single spam registration so far, whereas we would have had 40 in a similar period a day ago. All registrations go thru a manual approval process anyway.

Posted by: elakdawalla Oct 3 2008, 09:11 PM

For a regular supply of easy-to-Google questions, you could use the weekly Planetary Radio Trivia question. Once in a while they'd not be appropriate, but mostly they're pretty easy to find the answers to.

--Emily

Posted by: Greg Hullender Oct 3 2008, 11:51 PM

Very cool. But that does make it seem that the attack was automated, not manual. Be interesting to see how long it stays fixed.

And I think Emily's suggestion is brilliant. :-)

--Greg

Posted by: imipak Oct 4 2008, 01:39 PM

Small world, I work for (but don't manage! ) a spam-filtering company. One point, CAPTCHAs have been repeatedly broken by clever but evil programmers. It's only worth the effort for high-value targets (webmail, especially - Gmail, Yahoo and Hotmail http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html http://blogs.zdnet.com/security/?p=1986 http://it.slashdot.org/article.pl?sid=08/02/27/0045242 by this) but if the same Invision CAPTCHA's used by all IPB sites that might make it attractive enough. So a random, very easy UMSF-related question might be a better Turing test,.. until the blackhats develop a natural language parser, anyway

Posted by: djellison Oct 4 2008, 02:17 PM

It doesn't even need to be random to avoid this recent problem. It's 'Mars is known as the what coloured planet (lower case)?'. That just stops the automated spamming. Manual spammers may well still get through - but I've not had more than a handful of spammers in the last year that I've had to pick up at the approval stage

Posted by: ElkGroveDan Oct 4 2008, 04:07 PM

Just something to make them go back and look at the board would be enough of a deterrent. Like, name one UMSF member with more than 1000 posts.

Posted by: dmuller Oct 4 2008, 05:26 PM

I just want to throw in a word of caution ... whatever measures are introduced, try not to punish the legitimate applicants. Someone just starting out on this topic may not be able to provide the correct answer (or be able to spell it in English), and hence that person('s interest) may be lost.

I'm talking from my own experience here. Some i**** spammers are spoofing my email, and I promptly ended up on one of those anti-spam databases. The result: I submit quotes and proposals by email, my emails get blocked, potential customers dont receive them and I don't get the work and income. And if you find out about it 1 month later, then it's all too late. And of course you're never able to contact those anti-spam database managers, if you know who they are in the first place. That's been my major frustration for the weekend. I'm glad Messenger Mercury II is coming up :-)

Posted by: djellison Oct 7 2008, 07:39 AM

The new system is working beautifully. Normal registration numbers, not a single spammer.

Posted by: Tom Tamlyn Oct 9 2008, 01:15 AM

Is there an admin address that will go to everyone on the team for reporting an infestation?

Doug is presumably asleep right now, and I don't know who's on duty.

TTT

Posted by: elakdawalla Oct 9 2008, 01:52 AM

Yep. At the lower left of each post is a button that looks like "!REPORT" Just report the post, and a PM goes to everyone on the admin team.

--Emily

Posted by: Shaka Oct 9 2008, 02:09 AM

That's a cool feature I didn't know about, Emily.
On another issue, would it perhaps be helpful to Members if Administration posted some guidelines on how UMSF should handle the issue of Rover Driver (Paolo) and our recent work with him on Terrain Drivability Analysis. Does any further discussion fall under the 'politics' ban, or is there an acceptable way to continue this thread?
Thanks for your time.

Posted by: stevesliva Oct 9 2008, 05:04 AM

Just assume that he's still reading.