Long Term Solution to SPAM, accounts, etc

Out-of-character discussion forum for players of Cantr II to discuss new ideas for the development of the Cantr II game.

Moderators: Public Relations Department, Players Department, Programming Department, Game Mechanics (RD)

nitefyre
Posts: 3528
Joined: Sat Nov 22, 2003 3:29 am
Location: New York City

Postby nitefyre » Mon May 08, 2006 9:44 pm

In the long run, I would suggest a validation code be given with each Cantr playing account for forum access upon registration. In this way, we will be killing a lot of birds with one stone. This includes and is not limited to cutting down on forum spam accounts, other malicious accounts, other multiple accounts, etc. Since the PD already does the work to make sure of it before allowing the creation of the Cantr playing account, this will be multiplying the effect of their work without doing any more unnecessary work. Additionally, it may help with linking forum accounts to Player accounts. On the other hand, we will also promote visitation of the forums by new users so that they can grow more easily accustomed to the game if they need help.

The repercussions of ignoring or neglecting preventionist work, like in real life examples such as periodical dental care or protecting the environment, will inevitably mean the problem will come back to haunt us. One possible outcome, which can actually be foreseen, of letting the spam accounts increase will be a potential burden on the server.

I should add that this would be a system implemented for future accounts, not affecting those already established.
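
The proposal in the post above, sketched as an added example (not part of the original post, and not Cantr or phpBB code): a validation code is derived from the player account when it is approved, and forum registration accepts each code once. The HMAC construction, `SECRET_KEY`, `issue_code`, `ForumRegistrar` and numeric player IDs are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical server-side secret (constructed value); loaded from config in practice.
SECRET_KEY = b"constructed-demo-key-not-for-production"
CODE_LENGTH = 16  # hex characters kept from the HMAC (64 bits)


def issue_code(player_id: int) -> str:
    """Derive the forum validation code handed out when a player account is approved."""
    msg = f"forum-registration:{player_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:CODE_LENGTH]


class ForumRegistrar:
    """Accepts a forum registration only with a valid, not yet used code."""

    def __init__(self):
        self.linked = {}  # player_id -> forum username

    def register(self, username: str, player_id: int, code: str) -> str:
        expected = issue_code(player_id).encode()
        supplied = code.strip().lower().encode()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected, supplied):
            return "rejected: invalid code"
        # One forum account per player account: blocks multiple sign-ups.
        if player_id in self.linked:
            return "rejected: code already used"
        self.linked[player_id] = username
        return "accepted"


def demo():
    """Run four constructed sign-up attempts and return the outcomes."""
    reg = ForumRegistrar()
    good = issue_code(1001)
    return [
        reg.register("alice", 1001, good),             # approved player
        reg.register("alice_alt", 1001, good),         # second account, same code
        reg.register("spambot", 1002, "0" * 16),       # guessed code
        reg.register("borrower", 1002, good),          # code from another account
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the code is recomputed from the player ID, nothing extra has to be stored until a forum account is actually linked.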
Sho
Posts: 1732
Joined: Fri Dec 26, 2003 4:05 am

Postby Sho » Mon May 08, 2006 11:13 pm

Good idea. I don't know how much work it would be to implement this in the forums, though - unless a plugin is already out there to make phpBB work with this sort of system, it would probably be too much work for ProgD to open up an off-the-shelf product and add the feature.
tiddy ogg
Posts: 1402
Joined: Sun Oct 02, 2005 8:53 pm
Location: Southampton, England

Postby tiddy ogg » Tue May 09, 2006 6:41 am

If you go down the horrible "fuzzy picture" route, make sure there is an alternative for those using text-only browsers, or who have a visual impairment.
formerly known as hf
Posts: 4120
Joined: Wed Aug 04, 2004 2:58 pm
Location: UK

Postby formerly known as hf » Tue May 09, 2006 12:10 pm

There are various mods which exist for phpBB which could do something like this, but I honestly think it's more trouble than it's worth. Unless multiple accounts are something which the PD have problems identifying, but as far as I was aware, they weren't a major issue?

And we shouldn't use those picture-only 'validation codes' which stop bots, as they also stop people who use text-to-voice software or text only

(EDIT: sorry tiddy, I didn't see that you'd posted the same)
Whoever you vote for.

The government wins.
Chris Johnson
Posts: 2903
Joined: Wed Dec 01, 2004 3:26 pm
Location: East Sussex, United Kingdom

Postby Chris Johnson » Tue May 09, 2006 12:36 pm

The linking of forum accounts to player accounts is not really going to work, there are a good number of bona fide posters who for one reason or another have no active player account. These range from lapsed / banned users to new prospective players who have yet to sign up or get approval.

Another alternative is turning on Administrator Approval for all new accounts - this already exists in the forum s/w but this is a large overhead for the administrators

I have made a small change to how search engines view the Cantr site - This should stop the membership list and user profiles being included in data collection exercises by search engine spiders. These are the main reason the board is spammed - Spammers add their websites to forum user lists so that search engines see them - this raises their page index rating (i.e. their net presence/importance). Stopping search engines seeing our member list is unlikely to stop the spammers but I take satisfaction in knowing that their spam won't be effective.

An alternative is to remove websites from the profiles of forum users - This is less straightforward but would possibly help - I'll look further into this
formerly known as hf
Posts: 4120
Joined: Wed Aug 04, 2004 2:58 pm
Location: UK

Postby formerly known as hf » Tue May 09, 2006 12:40 pm

Can it not be set that profiles can not include a website?
Chris Johnson
Posts: 2903
Joined: Wed Dec 01, 2004 3:26 pm
Location: East Sussex, United Kingdom

Postby Chris Johnson » Tue May 09, 2006 1:09 pm

It can programmatically - but we'd want to avoid that - I don't believe it's a built-in option but I don't have admin access so can't see - that's one of the things I was going to look at :wink:


EDIT: A little later and a shiny new phpBB forum on my laptop - no - turning off the web page profile entry is not an option on the latest version of the Forum s/w - There may be a Mod somewhere but generally we like to keep the s/w in its vanilla format (the attack on the forum a couple of years ago was through an unsecure mod - though I did like the Cantr Green look)
formerly known as hf
Posts: 4120
Joined: Wed Aug 04, 2004 2:58 pm
Location: UK

Postby formerly known as hf » Sat May 13, 2006 1:20 pm

Something needs to be done, we're getting more of it recently, including porn-bots.

I don't have admin to check the options available with standard phpBB, but here are two possible thoughts.

E-Mail verification. I'm sure there are a few bots out there who can now deal with e-mail verification, but it stops a few of them. I can't remember if that's currently done when registering?

A fuzzy picture. My initial instincts were to say no, but I've had a search, and it's difficult to find an alternative. Text-to-speech programs rely on text being there, whilst the whole point of the 'fuzzy pictures' is that it can't be read by text-readers.

I had a sniff around the official phpBB forums to see what they do for registering. They require an account verification via e-mail, and a code verification (fuzzy picture)

Looking at the documentation, both options are currently part of vanilla phpBB:
'Enable Account Verification' needs to be set to 'User' - this will mean the user will have to check e-mail and verify the link there.
'Enable Visual Confirmation' needs to be set to 'Yes' - this will use a 'fuzzy picture'

Checking the phpBB site, the fuzzy picture comes with additional text, which says:
'If you are visually impaired or cannot otherwise read this code please contact the Administrator for help.' - with a link to an e-mail address to contact
This, unfortunately, means that those not able to access the 'fuzzy picture' will need to have an account created by an admin. This might result in a delay for some, and I'd rather find an alternative option, I'll have a look now - I'd appreciate it if anyone has any ideas?
Chris Johnson
Posts: 2903
Joined: Wed Dec 01, 2004 3:26 pm
Location: East Sussex, United Kingdom

Postby Chris Johnson » Sat May 13, 2006 1:52 pm

The current verification method is already set to user - i.e. requiring user verification via a valid email address - As you can see many Spam bots already handle this perfectly well.

There is another verification level above user (the administrator level) where all new members are manually ok'd by an administrator - This is in itself not infallible and is a big burden on the administrators

I knew the distorted image (or CAPTCHA) method was available but wasn't aware that an alternative administrator contact message was also presented by default - whilst not ideal this is a step in the right direction
I have heard of aural CAPTCHA methods discussed in the past but I'm not sure this is available as a Mod for phpBB - and strictly speaking the Admin contact could be considered as an alternative method - it may be the best option we have

As I also mentioned before - we could programmatically remove the website setting from the sign-up process - not impossible - it should break most spam bots - but it's an unknown quantity as to how easy this would be - ProgD resources could be better spent bug fixing and implementing accepted suggestions.
Sarah
Posts: 1118
Joined: Wed Jul 16, 2003 1:42 pm
Location: Nashville

Postby Sarah » Sat May 13, 2006 2:26 pm

I logged out and clicked "register," and found that the distorted image method is already being used. :?
formerly known as hf
Posts: 4120
Joined: Wed Aug 04, 2004 2:58 pm
Location: UK

Postby formerly known as hf » Sat May 13, 2006 3:13 pm

Sarah wrote: I logged out and clicked "register," and found that the distorted image method is already being used. :?
I assume it's 'cos Chris just changed it?

I don't really think the issue is bad enough that the ProgD need to mess about modding the forums, hopefully the new code requirement will ease things somewhat, if not stop it entirely.

One thing that does need to be changed is the e-mail for the administrator. It's currently jelkink@yahoo - last time I knew, that was a defunct e-mail.

It should probably be changed to either the GAC, GAB or ProgD address - whichever one has the most forum admins amongst the staff members. Or the CD could do it, considering it's a forum issue, but it'd need admin rights changed. If we can ensure a fairly quick response, using the picture code shouldn't be too much of an issue.

EDIT: I found what I was looking for on this issue - I'd forgotten about www.w3.org which I've used before.
They have a paper on the CAPTCHA system, with some possible, accessible alternatives http://www.w3.org/TR/turingtest/
Unfortunately, none of the alternatives are possible with phpBB without finding/making a mod. I think, as long as admin response can be fairly prompt, there shouldn't be too much of an issue.
Chris Johnson
Posts: 2903
Joined: Wed Dec 01, 2004 3:26 pm
Location: East Sussex, United Kingdom

Postby Chris Johnson » Sat May 13, 2006 3:25 pm

hallucinatingfarmer wrote:
Sarah wrote: I logged out and clicked "register," and found that the distorted image method is already being used. :?
I assume it's 'cos Chris just changed it?

No - I didn't change it - it must have been on already - so it looks like the current sign ups are real people ...*sighs* ... or very good bots

In which case that's all we can really do at this stage

You are right about the admin email - it probably should be changed to gab@cantr.net - as all GAB members are admins
formerly known as hf
Posts: 4120
Joined: Wed Aug 04, 2004 2:58 pm
Location: UK

Postby formerly known as hf » Sat May 13, 2006 3:37 pm

I doubt it is real people. I remember reading somewhere about the economy of getting sweat-shop labourers at computers (like the ones they already have working away at WoW, EVE and the like) to spend their time cracking these, and even for the pittance it costs to pay them, it's not economically effective. The chances are, these are bots.

A bit of a search and I found this:
The phpBB CAPTCHA is apparently 97% crackable by PWNtcha - http://sam.zoy.org/pwntcha/
Which, whilst it's not freely available, indicates that the chances are some spammer has cracked it just as well using another program.

There is a mod for a different CAPTCHA system http://www.phpbb.com/phpBB/viewtopic.php?t=382890 but by the looks of things, it's not even really understandable by humans, so it's probably best to avoid it anyway...