QUOTE (djellison @ Oct 3 2008, 01:46 AM)
And when the person doesn't know?
I've added a custom field which should halt the automated spamming. It's a very VERY simple question.
Invision Board 3 will include an updated version of CAPTCHA, which is a bit more bot resistant - but a simple think like the custom field will actually defeat everything but the very persistent manually registering spammers.
I managed Microsoft's anti-spam effort for Live Search for two years before my retirement, so I might be able to suggest something here. The reason spammers are targeting you is that forums that allow posts with registration can still contribute "page rank" (or the equivalent) while forums that allow just anyone to post have long ago been zeroed out by all the major search engines. Getting past the registration is therefore a big win for a spammer. Success for the spammer is like getting a free ad from Google, Yahoo, or Microsoft -- not because people read their post on UMSF but because the link from UMSF to the spammer's porn site confuses the search engines into thinking that UMSF "endorses" the porn site. (And simply by noting how often a UMSF page is the result of a query to Google, Yahoo, or Microsoft demonstrates that UMSF has a very high reputation with all three engines.)
The key points for defense are that, first, UMSF probably isn't someone's specific target; the spammers are trying to get into ANY serious forums, so they won't be doing anything specific for UMSF. That means things that make UMSF different will likely cause it to be passed over -- even by cheap human labor. Second, the defense doesn't have to be perfect. I assume you can handle a small number of leaks manually. A perfect defense is probably impossible, but an excellent one is doable.
So I think you have the right idea for defeating the automated systems, but you might need to update the thing monthly or so. For the human ones, here's a proposal that might work. Have the system ask a question that's answered somewhere on the forum. If they get it wrong, point them to the thread that answers it and let them try again. No human spammer will be allowed to spend enough time on a single CAPTCHA to read much of a thread. Nor to read a Wikipedia article, for that matter. Some few will get through simply because they happened to know the answer already, but that number should be small.
You'd need a bunch of different questions, though; if it's the same one every time, all it takes is for one human to find the answer and share it with his friends. And the spammers have very active online communities (in China and Russia, at least) that are every bit as creative and inventive as UMSF itself is. Again, though, I seriously doubt that UMSF itself would be a specific target for them.
Finally, if the spammers are hiring so much third-world labor that they can actually have individuals specialize in specific sites, then this can still work, but you'd need lots and lots of different questions. In that scenario, the goal is to make it unprofitable for them, since the UMSF expert would only register a few percent as many times as one on a softer target. (But legitimate applicants would also take many times longer to register for UMSF than for other forums.)
Best of luck here, Doug. Beyond CAPTCHA's, I'm afraid the next line of defense is going to have to be requiring people to give a credit card number or some equivalent "hard id."