Dennis Wilkinson Site Admin
Joined: 20 Jul 2004 Posts: 312 Location: East Freetown, MA
Posted: Sun Nov 14, 2004 2:10 pm Post subject: Anti-spam security change
This won't affect anyone who has already registered, but I thought I'd post a quick note about a change I made this morning to the registration process.
Over the last few days (since our site is now in most of the major search engines and indexes), I've seen a number of users added by a "spam 'bot" - an automatic process - whose sole purpose seems to be adding users to the forum whose "home page" link goes to a scam site (the ones I've been fighting with have been to shady "cash advance" sites). The users didn't have anything valid about them except the web site, and never posted any messages, but it is still an annoyance.
I have deleted all the users added by this process.
To help prevent this from happening again, I've added some code to the registration process that displays a picture of a random sequence of letters and numbers that someone signing on must enter exactly as it appears in a new spot on the registration form. The actual code is not present anywhere as text, and the graphic is "fuzzed out" a little to defeat 'bots that might try to use character recognition to figure it out without making it illegible to actual human beings. This won't stop an actual human trying to create such an account, but these kinds of things are usually done by automatic software anyway. You get 3 tries to enter the right code, after which you're locked out of the registration process for the rest of the session (about an hour.)
Since it only happens at registration time, it shouldn't be a big deal to users. The only thing that might catch people signing up off guard is that the code is case-sensitive (i.e. "A" is not the same as "a"), but this is noted on the form.
Note that nobody's accounts were compromised or anything like that; this was strictly new, invalid accounts being created that would show up in the member lists. Because invalid email accounts were being supplied, they'd never even have been allowed to post.
Many thanks to Jeff Dumais for spotting the first such user (and telling me about it!)
_________________
Dennis
Minister of Propaganda, Webmaestro, and Chief Bottle Washer
"Everything that passes unattempted is impossible." - Stephen R. Donaldson
Dennis Wilkinson Site Admin
Joined: 20 Jul 2004 Posts: 312 Location: East Freetown, MA
Posted: Mon Dec 11, 2006 1:44 pm Post subject: Another change to fight the spam bots...
Since I put the "visual confirmation" described above into place, the spam-bots have gotten a bit more intelligent, and several of them can now "read" the graphic and get by that block. This has resulted in several fake users being registered and used to post spam, mostly in the form of ads for online gambling, pharmaceuticals, and the other usual suspects. I've been deleting nearly a dozen a day over the last few weeks.
Since several other people who use the same forum software that we do have reported success with the technique, new users will now have to enter a "forum key" when they register. This key can be found on the forum FAQ page. Apparently, the combination of the key word being mixed in with plain English and being on a different page entirely does the trick, at least today, with blocking the 'bots from registering.
Anyone who has difficulty registering for the forum can always drop me an email. I'm more than happy to create an account for you.
_________________
Dennis
Minister of Propaganda, Webmaestro, and Chief Bottle Washer
"Everything that passes unattempted is impossible." - Stephen R. Donaldson
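
The registration checks described in the two posts above, as an added example that is not the forum's own code: the image code lives only in server-side session state, is compared case-sensitively, and three failed submissions lock registration for the session. The class name `RegistrationGate`, the `FORUM_KEY` placeholder, applying both checks together, and counting every failed submission as a try are assumptions; image rendering and session expiry are left to the surrounding application.

```python
import hmac
import secrets
import string

MAX_TRIES = 3                      # from the post: three attempts per session
ALPHABET = string.ascii_letters + string.digits
FORUM_KEY = "example-forum-key"    # constructed placeholder, not the real key


class RegistrationGate:
    """Per-session state for the registration challenge (hypothetical class)."""

    def __init__(self):
        self.failures = 0
        self.code = None

    def locked(self):
        """True once the session has used up its attempts."""
        return self.failures >= MAX_TRIES

    def new_challenge(self, length=6):
        """Pick a fresh code; only its rendered image would go to the browser."""
        if self.locked():
            raise PermissionError("registration locked for this session")
        self.code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        return self.code           # handed to the image renderer, never to HTML

    def verify(self, typed_code, typed_key):
        """Return True only if both the image code and the forum key match."""
        if self.locked() or self.code is None:
            return False
        # Single use: a solved or failed image cannot be replayed.
        expected, self.code = self.code, None
        # Case-sensitive, constant-time comparisons on bytes.
        ok_code = hmac.compare_digest(typed_code.encode(), expected.encode())
        ok_key = hmac.compare_digest(typed_key.encode(), FORUM_KEY.encode())
        if ok_code and ok_key:
            return True
        self.failures += 1         # assumption: any failed submission counts
        return False
```

Storing the gate object in the server-side session gives the "rest of the session" lockout, since the failure count disappears only when the session itself expires.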