Make a barrier for users producing spam?

[[-hh]]

..........

[Simon]

Ahh heck,
Was just trying to sell my louis vuitton purse.
Didn't match my double breasted suit.

yeah, they suck.

Simon

[bangkok]

Or a system to forbid a "user" to post 73 messages in a few hours !

No "real" user would do that in "real" life. It doesnt make any sense.

Plus how come a robot can type a "capcha" correctly, when creating the account ?

Is it possible to make a system :
-when a user create an account, he can post only 2 or 3 messages the first 24 hours ? And then 3 to 5 the following 48 hours, etc. you know what i mean ?

PHPBB software is so popular, that some specific plugins/addons to fight this scum should exist

It's really frustrating and humiliating to see those torrents of ridiculous spam in our precious forums.

[BvG]

There's lots of ways to fight spam, and RunRev has enabled a few of those. Sadly, they've chosen to only use build in stuff

• the captcha used is known to keep out some bots, but it's so well known that there are a lot of workarounds (fake sites re-showing the captcha, low wage countries gold farming etc.).
• it used to be that a users first post gets looked at by an admin, but it seems that has been disabled, or is not working properly.
• there are moderators (members of the community) who can delete posts, but they're few. Also, most of them are europeans and do it at their workplace, which means there's noticeable dead times when the "guards" sleep.
• There's tons of other, more useful possibilities that would be possible to implement, but RunRev does not care enough to even try them out.

[MarcVanCauwenberghe]

I for one am willing to do my part if no other solution is set up. But I'am another european....

Have a nice sunday everybody....

Marc

[heatherlaine]

Dear BVG,

I'd like to point out that Richard Gaskin is also a moderator, and lives in the US. We have quite a few anti-spam measures implemented, which include external modules as well as built in options available with phpbb. We keep an eye on things and add more as required. There is a balance to be struck between keeping out spam, and keeping out legitimate users. To say that we do not care is simply not true.

Regards,

Heather

[bangkok]

To say that we do not care is simply not true.

That's not what I meant.

But to speak about sunday, an account was created at 2 AM, and the robot managed to post 73 messages in 5 hours.

PHPBB settings :
ACP, General, User Registration settings, New member post limit

And then what appears to be a super captcha system :
http://www.phpbbsmith.com/projects/phot ... nfirmation

[FourthWorld]

To say that we do not care is simply not true.

That's not what I meant.

Fortunately that wasn't directed at you. She was replying to someone who wrote, "...but RunRev does not care enough to even try them out."

As one of the volunteer moderators, I share your concerns but I also have more interaction with Heather with regard to forum security. There may well be additional measures one could put into place to reduce spam activity, but to suggest they're not even trying is unfair to both them and the many hours I and other moderators put in here each week.

But to speak about sunday, an account was created at 2 AM, and the robot managed to post 73 messages in 5 hours.

Sundays I'm usually not at a computer much, sometimes not at all, so a gap in what is otherwise fairly prompt deletion/banning process will happen from time to time, as apparently it did.

You've no doubt noticed the increase in spambot activity following the FOSS initiative. This is to be expected, since as the popularity of a forum goes up its value to criminals goes up with it.

I agree it would definitely be helpful to have not only more moderators who can delete spam posts, but more with elevated privileges which also allow banning by both user name and IP range.

The latter, IP ranges, is the only method by which we can minimize activity from farms running from a given location. But IP range exclusion must be done with great care to avoid locking out legitimate users. Before I ban an IP I first look up its geographic assignment at GeoBytes, and while those assignments are of minimal value these days (with Tor and other node-hopping tools, botnets, IP block trading, and mechanical turks - see below) they help a lot in making the decision to ban the IP and/or its range.

So more mods would be useful, but they have to agree to be somewhat diligent about it, and few have the time or patience.

PHPBB settings :
ACP, General, User Registration settings, New member post limit

The limits already in place for posting have been frequently noted as an annoyance to regular users. The specific limit you're requesting here may also be worth adding to the mix, but we can expect at least some to be annoyed by it as well.

I'd vote for adding it, but we all have to recognize up front that any limitations on activity will annoy a legitimate user sooner or later. If y'all are willing to help explain to those who complain why a given limit was added when folks complain about them, it'll help encourage the mother ship to try them out.

And then what appears to be a super captcha system :
http://www.phpbbsmith.com/projects/phot ... nfirmation

While PVC is helpful for bots, there's evidence that a growing number of these seeming bots aren't bots at all, but a small army of low-paid human workers employed in a black hat usage of Amazon's Mechanical Turks crowdsourcing system, and others like it. PVC or similar solutions won't be able to stop those, and there are apparently many of them.

A study by NYU academics Professor Panos Ipeirotis, Dahn Tamir and Priya Kanth reviewed new Mechanical Turk requester accounts that were created over a two-month period and found that more than 40% of their requests were for the workers to perform spam-related tasks:
http://www.behind-the-enemy-lines.com/2 ... -spam.html


In brief, I agree that there's more that can be done to help trim the amount of spam activity here. But I also recognize that Heather and the others at RunRev have not been ignoring this problem; on the contrary, they've been adding new mechanisms to slow that tide on a fairly regular basis.

Moreover, if you're not seeing the same level of spam on other forums it may well be only because those forums have more volunteers working to fight the increasing amount of human-originated spam. At the Ubuntu forums, for example, they have a very large moderator staff, yet I still see spam there from time to time, as you will on any site with a large enough audience to attract criminal attention.

Some of those sites will have more volunteers so that they may make it look easy, but I can tell you from direct experience and my friends who moderate larger forums: ultimately spam is a very expensive problem, as it requires a large human staff to fight the large human pool of spammers.

[BvG]

To say that we do not care is simply not true.

Dear Heather

• I and many others who regularly offer to help & want to improve LC have not been asked to be moderator, super user, or admin. I assume RunRev does consider the amount of free helpers it enabled in the past to be enough.
• No one from the company ever asked for suggestions about good security solutions to implement. Your customers are IT specialists, so use the powers that you inherited.
• Update the software you use. Outdated software facing the public internet is the second largest security risk on servers (after social engineering).
• https://www.phpbb.com/community/viewtop ... &t=2122696 (especially what he calls the mcgirr solution)
• Disable memberlist: http://www.webmasterworld.com/forum103/274.htm (entry 3.2)

It took me 5 minutes to research these basic routes to take. It seems no one at the company can invest 5 minutes to research better anti-spam measures. It seems it does not want to ask the community for help. Under those circumstances, you have to live with me accusing RunRev (which is not a person) of not caring.

Because, in the end, I can only comment on what I see.

[FourthWorld]

[*]Update the software you use. Outdated software facing the public internet is the second largest security risk on servers (after social engineering).
[*]https://www.phpbb.com/community/viewtop ... &t=2122696 (especially what he calls the mcgirr solution)

Respectfully, those links were from years ago. Check out the link I posted above about Mechanical Turks. It's frightening stuff when you consider the scale at which humans can be employed cheaply for spam.

[*]Disable memberlist: http://www.webmasterworld.com/forum103/274.htm (entry 3.2)[/list]

On this I wholeheartedly agree. I've offered to delete banned accounts from the system so they - and their links to potentially dangerous sites - don't show up there, but simply turning off that feature is far simpler. Very good suggestion.

[Simon]

They are at it again.
Cool thing they (were) stopped at 5 posts.

Simon

[FourthWorld]

Update: As you may have seen, Heather's turned off the Birthdays listing on the front page, so that's one more improvement done - thanks for that suggestion.

I also received an email from her and others on the team discussing possible options for further spam control. More on that as those plans flesh out. I just wanted to let you know they remain aware of the issue, and are actively working on making the forums an ever safer and more enjoyable venue.

[BvG]

Oh, so being annoying as well as super dickish when going about it does work!

I should have known earlier

[FourthWorld]

I think in this case it was the content of the suggestion that was helpful more than the form in which it was delivered.

[BvG]

Actually I think that it's the constant stream of suggestions and complains that worked. It's a pain for everyone involved, and only has to be so painful because RunRev is always super phlegmatic. If it'd be a person it'd probably be classified with self-destructive passive-aggressive depression symptoms.