Foiling Spam Bots - Update

Baak
Posts: 1109
Joined: Sat Mar 20, 2004 6:26 pm
Location: Mything

Post by Baak »

Just a quick update on my own experience foiling those frickin' spam bots on the OoH phpBB2 forum:

I've installed a mod I found that removes fields that most spam bots like to have during registration: website, signature, etc. - they register to post their crappy sites in their website and/or signature and then post bogus replies, etc., just to get that website/signature in people's faces. You can adjust this mod to allow people to set these values in their profile after X number of posts, or never. It works great BUT this weekend I had three more spam bots register using only their email addresses - which of course are bogus. Grrrrrrrr...

So I decided to look at the registration process myself and why/how the Captcha code (the visual confirmation stuff) could have been broken (which it has been).

After a couple hours adding my own twist (an hour of which was finding where to tweak the php forums code), I may have a solution to the captcha problem and thus a way to stop the frickin' spam bots registering in the first place.

But I need to let it run for awhile (a week or so) to see if it works. If it does, I'll outline how to create your own using the same method. The nice thing is, even if it's cracked somehow you can always re-tweak it every couple of months. :D
TarousZars
Site Admin
Posts: 565
Joined: Wed Mar 31, 2004 9:15 pm
Location: Utah, USA

Post by TarousZars »

Tarous Zars initially wrote: I wonder if there is a mod for asking simple questions that a bot could never answer unless it was programmed specifically for this site (which I find doubtful).

You could then do myth trivia, with a link to the answer in case someone doesn't know.

For Example.
What is the name of the first level of Myth: TFL
Crow's Bridge
It could even be multiple guess. So you don't have to worry about typos. Just have a list of answers w/ the default being wrong.

Mb after I finish the web project I'm working on now I'll see if there is a mod, or make a mod that does this.
I started w/ that, but it led me to an easier idea I think.

I seriously doubt we are gonna have a bot targeted specifically at this site. All we need to do is have a mod that adds 1 additional checkbox anywhere on the registration page that they must click in order to register. If they fail to click the checkbox, registration fails.

This should stop all the bots on the internet that are targeted at a traditional phpbb2 install.
Baak
Posts: 1109
Joined: Sat Mar 20, 2004 6:26 pm
Location: Mything

Post by Baak »

Exactly - anything that throws in a curveball should do it.

What I noticed with that other mod I have installed is the bots seem to be adapted to enter *less* data, but not more/different. This makes sense as it's relatively easy to make them adapt in that manner.

Here's another idea: A second text field with the caption: "Enter a number from 100 to 5000". Simple enough. Heck, you could even spell out the question: "Enter a number from one hundred to five thousand". A bit trickier.

It's all a matter of finding the places in the PHP code, which I have pretty well nailed down - although adding the extra form field is a little more work. Once done it would be simple to add more/different ones. Again, just a matter of tweaking the right files and testing it.


The one advantage to a Myth-related question is that it should keep the human spammers away as well. If a genuine (non-spammer) user has a problem, they can always email the board Admin (as it says on the registration form). I would keep this as an option only if one started getting lots of human spammer registrations, but I think it's a good one.


I must admit it is *extremely* satisfying to know those f***ers can't get through on our forums right now. What irks me most is the fact that someone out there was expending ZERO effort to basically invade our forums - like some slob showing up in your living room spilling food/beer everywhere and stinking up the place - nice to know they are being foiled.

:D
haravikk
Site Admin
Posts: 987
Joined: Mon Mar 22, 2004 12:56 pm
Location: Scotland

Post by haravikk »

There's actually a relatively simple fix to the current problem, which you can read about here, it still doesn't solve the fact that the visual confirmation is crap, but it helps. I've changed mine to refuse entry to anyone who submits a URL when registering, because the URL field is now missing on registration :)
Being Haravikk gets you girls like these:
Baak
Posts: 1109
Joined: Sat Mar 20, 2004 6:26 pm
Location: Mything

Post by Baak »

Hey Haravikk,

I actually installed that (or equivalent - I couldn't access that link just now for some reason) and it worked nicely - until two days later when I started getting auto-registrations from Spam Bots that ignored all those registration fields! They were perfectly happy to register with *just* their fake email address! DOH! So I came up with one method that uses a parallel visual confirmation and voila - no more Spam Bot registrations! :D

Then I realized there's an even simpler method: Just add a line in the "Enter confirmation code" instructions that says something like:

Enter the letters "XYZ" plus the visual confirmation code above (e.g. "XYZ75RL23"). The code is case sensitive and once you've added the "XYZ" in front is exactly NINE characters long.

and adjust the phpBB2 code accordingly. The trick was finding all the places in the code that needed tweaking. ;)


I've submitted this version to Doobie for him to check out, and have posted the relevant phpBB2 files to edit with instructions here (these are my notes so are not HTML-formatted yet):

http://www.orderofhpak.com/BSPSBARD.txt

It's not as elegant as the extra visual confirmation one I implemented on the OoH Forums, and it *may* be that the spam bots will figure it out (by parsing the Enter Confirmation Code text - you might need to adjust it in that case (like say "X", "Y", "Z" or X, Y, Z)), but it's certainly simple to install - just be sure you *backup* the current files!

One of these days when I have some spare time I'm going to make a nice little MOD of the parallel visual confirmation method I used on our forums and/or post the instructions for it, but until then this should do the trick.

The beauty of this simple method is you can always change it around later any time you like. I haven't made it random yet, but you certainly can if you wish. You can also do things like "Enter the confirmation code shown backwards", or "Enter the first five characters of the confirmation code" (while keeping the HTML form allowing 6 characters, otherwise the bots will succeed by default!), or "Enter the letters X, Y, and Z along with the visual confirmation code shown, but NOT in the order listed".

It's really wide open to what you can do, as long as you make it more difficult for the bots (and don't make the default let them slip through), while not making it too difficult for the non-spamming human registrants. One of the things in my instructions shows where to edit the "error code" that displays when a user makes a mistake - here you can add a hint to the real users to let them know what they did wrong.


The nice thing about the MOD you listed where the URL and other fields aren't allowed (the one I installed lets the admin turn these on/off or on after X posts) is that then humans who register to promote their spam don't have the usual places to do so, namely the URL and Signature (in my case I turn off Signatures at all times). Thus the two together make things extra hard for them, which is always nice. :D

As of today it's been *seven days* since we've had a spam bot registration whereas before it was 1-2 per day. Needless to say this is very, very sweet. The latest registrant here (on Magma) is "Russian_brides" - LOL! - yeah, that sounds like a Myth handle... ;)
vinylrake
Posts: 3591
Joined: Wed Apr 07, 2004 12:52 pm
Location: here

Post by vinylrake »

Baak wrote: The latest registrant here (on Magma) is "Russian_brides" - LOL! - yeah, that sounds like a Myth handle... ;)
Sweet, do you happen to know her email addr?
Lots of Myth stuff at http://mythgraveyard.org.
Sometimes I put hard to find stuff in my Udogs folder.
haravikk
Site Admin
Posts: 987
Joined: Mon Mar 22, 2004 12:56 pm
Location: Scotland

Post by haravikk »

Baak, the mod I linked to doesn't do that. What it does is shows you an easy way to change the agree=true variable (added to the URL after you click "I agree to the terms and conditions"). Since the spam bots submit their info directly they bypass it, so provide the agree=true variable along with their info. So if you change this, then they can't register because they haven't agreed to the terms and conditions.
I went a little step further and randomised it so it changes depending upon the day and stuff.

The mod that I did myself to remove the web-site field goes a step further. Since the web-site field is removed at registration, you can assume that anyone who registers WITH a web-site entered is a bot who has bypassed the form by submitting the info directly. As such anyone submitting a web-site address when registering can be ignored completely. The mod you're talking about simply ignores the information unless they have X posts or days registered, mine goes further and ignores the registration entirely if they gave me a web-address when they shouldn't have been able to (because I removed the box for it) :)
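The server-side checks discussed in this thread (Baak's fixed-prefix confirmation code and the extra-checkbox idea, haravikk's per-day replacement for agree=true and his rule that a filled-in website field means a bot posted straight to the handler) modelled together in one added Python example. This is not phpBB2 code and not anything the posters wrote; the field names, secret and sample submissions are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values: a stand-in server secret and the captcha settings
SERVER_SECRET = b"example-secret-not-real"
CAPTCHA_PREFIX = "XYZ"   # fixed letters the instructions ask users to type first
CAPTCHA_LEN = 6          # length of the phpBB2 confirmation code in the image


def agree_token(day_iso: str) -> str:
    """Per-day token that replaces the static agree=true value.

    A bot that hard-codes agree=true fails; a real user gets today's value
    embedded in the form after clicking 'I agree'.
    """
    return hmac.new(SERVER_SECRET, day_iso.encode(), hashlib.sha256).hexdigest()[:16]


def _same(a: str, b: str) -> bool:
    # Constant-time comparison on bytes so odd input cannot raise on str compare
    return hmac.compare_digest(a.encode(), b.encode())


def validate_registration(form: dict, image_code: str, day_iso: str) -> list:
    """Return rejection reasons; an empty list means the submission passes."""
    reasons = []
    # 1. Honeypot: the website box was removed from the HTML form, so any
    #    value here came from a bot that submitted the fields directly.
    if form.get("website", "").strip():
        reasons.append("website field filled on a form that has no website field")
    # 2. Extra checkbox a bot written for stock phpBB2 does not know about.
    if form.get("human_check") != "on":
        reasons.append("human checkbox not ticked")
    # 3. Agreement token must match today's value, not the old agree=true.
    if not _same(form.get("agree", ""), agree_token(day_iso)):
        reasons.append("stale or missing agreement token")
    # 4. Confirmation code is prefix + image code: exactly 9 characters,
    #    case sensitive. The HTML field still accepts 6, so a bot that
    #    pastes only the image code is rejected rather than let through.
    expected = CAPTCHA_PREFIX + image_code
    submitted = form.get("confirm_code", "")
    if len(submitted) != len(CAPTCHA_PREFIX) + CAPTCHA_LEN or not _same(submitted, expected):
        reasons.append("confirmation code wrong")
    return reasons
```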
Baak
Posts: 1109
Joined: Sat Mar 20, 2004 6:26 pm
Location: Mything

Post by Baak »

Sounds sweet, Haravikk - I'll have to check it out! :)


Sorry, VR. After I signed up 500 times they ran out of brides. :roll:
Lugas
Posts: 531
Joined: Fri Feb 03, 2006 4:20 pm

Post by Lugas »

This is just an idea, but you could make Users who are filling in their Registration to type in a code that is displayed on a picture next to the box (where you type it in).

Also, something I've noticed that's strange: A spambot called pete1964 has been online for a long time, but hasn't posted anything. His website is a drug shop like the others.
Click on the picture below for my Myth 2 scenario.
Baak
Posts: 1109
Joined: Sat Mar 20, 2004 6:26 pm
Location: Mything

Post by Baak »

This is exactly what I did on our forums site. It's just slightly more involved, but I plan to post the complete "how to" as soon as I come up for air from work.

In a nutshell, it's very similar to the solution I posted in the link above. You just need to add an extra image on the registration page. I added ours right next to the current default Captcha image by simply putting an HTML table around the two. I then refer to the text in the new image in the registration instructions (i.e. "enter all the characters shown for a total of NINE characters blah blah blah").

By using the image it prevents any would-be spam bots from screen-scraping the registration form and entering in any and all text they might find that differs from the default (that's what I would do if I were planning various attacks). You can always change the image whenever you like and thus keep them guessing forever. At some point I'd like to make a phpBB Mod out of it - but there are several projects before that. ;)

We have now gone 15 days without a single spam bot registration (was 2 to 3 per day)! :D
Lugas
Posts: 531
Joined: Fri Feb 03, 2006 4:20 pm

Post by Lugas »

Baak wrote: We have now gone 15 days without a single spam bot registration (was 2 to 3 per day)! :D
Is that you or us? We're still getting SpamBots daily. :(
Baak
Posts: 1109
Joined: Sat Mar 20, 2004 6:26 pm
Location: Mything

Post by Baak »

Lugas wrote:
    Baak wrote: We have now gone 15 days without a single spam bot registration (was 2 to 3 per day)! :D
Is that you or us? We're still getting SpamBots daily. :(
That's the OoH Forums. These (the Magma) forums are definitely getting more.

I passed the info on to Doobie. I'm sure he'll get to it just as soon as he comes up for air from work. :)

I passed on the "simpler" version above as an idea to get a quick fix up and running. The image version could always be added later very easily when there's more time.