Fixing the Spam Attacks


Post by Marcallo » Fri May 15, 2009 7:28 am

First, we should probably purge this board of all posts since they aren't really relevant, but that's neither here nor there.

Second, this is a cut and paste from my guild message board on how the admin fixed the spam problems we were having. It seems relatively simple and should make it so you don't need to babysit the signups anymore.

Post mortem analysis of spam attacks on our boards:

Captcha was enabled. That was not the issue. The captcha solution used by phpBB was hacked around the 10th of February 2009 and spam posting bots started to use the new attack to break into any phpBB forum that could be breached. The common solution to this was to tighten the board security with two changes. Don't allow anonymous posts and add a custom user field to each account that is required at registration. Doing these two things forces everyone to register and changes the default fields needed to create an account, thereby defeating the common spam bot attacks.

More attacks will happen in the future once the bot scripters figure out that they can create reactive solutions to the custom user fields.

There is a centralized captcha service called reCaptcha that records the IP of all requests for the captcha image, so it is able to start denying access by creating a blacklist of IPs from suspected bots. This will most likely be the next step once the spammers break the custom user field solution. This too can be broken but I don't want to give hints on how.

I'm going to consider the spam post issue closed at this time unless someone can point out new spam posts. There may be a few holes if some of the spam bots are smart enough to use existing users in the system that are already registered on a previous spam.

Re: Fixing the Spam Attacks

Post by Lightfeather » Fri May 15, 2009 7:50 am

I actually don't mind watching the signup notifications that get sent to my email and scanning them for names I recognize.

Like the post you quoted states, there is no surefire way to combat spammers. No matter what I do today, they will get through it tomorrow. So I waste time adding new hoops for them to jump through and they'll figure out how to jump through them.

I can keep adding fields and complicating the registration process, or I can just check my email once a day and delete all the spam accounts, which takes two seconds of my time and makes me feel useful.