#26 Thu Apr 07, 2011 9:15 am
Member (Registered: May 2005, Posts: 409, Location: US WA. St.)

By what I mean from other post...
Disallow posting, full profile changes till they activate account. They will still be able to login, just not do anything till activated. If email activation is set.
#27 Thu Apr 07, 2011 11:13 am
Developer (Registered: Apr 2004, Posts: 2248)

I don't see the difference with regular email activation, where you cannot log in at all when not activated.
#28 Thu Apr 07, 2011 11:20 am
Developer (Registered: Apr 2004, Posts: 2248)

Just noted lots of spam accounts here as well. Most of them haven't posted anything though.
As said, if these are actually humans, there is not much you can do. Nowadays spam companies even pay people to do nothing but register, solve CAPTCHAs and questions, activate accounts and post/pass around login information. Thus, the usual measures don't work. A more intelligent system is required. One thing that can already be done is making sure the user profiles are not visible to guests, since most accounts are filled with links in the signature and website field.
#29 Thu Apr 07, 2011 8:46 pm
Member (Registered: May 2005, Posts: 409, Location: US WA. St.)

Doesn't really matter, hate to say it, mybb has it to where new registrations are set to Account Not Activated, and the admin can choose what to allow or disallow. That's 1 of 3 small things that I liked about mybb.
For my forum needs, UseBB is it. Just like to see other options. Now, I am not sure how that would affect UseBB being light.
#30 Fri Apr 08, 2011 8:03 am
Member (Registered: May 2005, Posts: 409, Location: US WA. St.)

Yep, I'll leave that to you.
#31 Wed Apr 13, 2011 2:26 pm
Developer (Registered: Apr 2004, Posts: 2248)

Although profiles are hidden to guests on this forum, lots of accounts have been registered and filled with links in the website field and signature.
You can see most of them through the SQL query:

```sql
SELECT id, name, signature
FROM usebb_members
WHERE ( signature LIKE '%http:%' OR signature LIKE '%www.%' ) AND posts = 0
```

You can clear the spam using:

```sql
UPDATE usebb_members
SET website = '', signature = ''
WHERE ( signature LIKE '%http:%' OR signature LIKE '%www.%' ) AND posts = 0
```

Also, using dnsbl.tornevall.org as server with DNSBL bans blocks quite a few IP addresses (217 up to now). Plus I have changed anti-spam questions and uploaded the latest SVN revision with an anti-CSRF token system, and have not gotten any new ones for half a day.
#32 Wed Apr 13, 2011 6:58 pm
Member (Registered: Jun 2005, Posts: 29, Location: Krefeld)

I have entered three questions, but still spam accounts are coming through. I had to delete 500 (!) in one forum and ~20 in two other forums.
#33 Wed Apr 13, 2011 11:20 pm
Member (Registered: May 2005, Posts: 409, Location: US WA. St.)

500 of them, that's not good, must have been a pain in the arse to clean up.
Wish I could think of something to contribute. Haven't got spam on mine, yet. Google and Yahoo index the site without me having to submit it; I haven't even submitted my site anywhere.
#34 Thu Apr 14, 2011 7:15 am
Developer (Registered: Apr 2004, Posts: 2248)

1.0.13 will get the possibility to disable website URL and signature for certain users.
I will also see if an ACP module can be made to mass delete these spam accounts.
#35 Wed Apr 27, 2011 8:54 pm
Member (Registered: May 2005, Posts: 409, Location: US WA. St.)

So far, since I had my forum up (April 4th), I have removed 3 spam accounts. Might be a low number, not too bad for now, knock on wood.
#36 Wed Apr 27, 2011 9:15 pm
Member (Registered: Jun 2005, Posts: 29, Location: Krefeld)

The strange thing is, only one forum is massively spammed with bot accounts; on the other two forums I have had only a few accounts. So can you please improve security of the validation hash and CAPTCHA? I think this is why they can break through: weak "payload hashes" and too easy to guess confirmation links.
I would recommend a site key, which is a random string stored locally (e.g. in database or config files). Here is an example:

```php
$conf['site_key'] = 'abc123def456';
```

Just hash that string (please use another more random one like t024ut2834u23y80gtu2348gu or so! And do not use that one I typed here!) together with the rest you have already hashed and the confirmation link's hash and registration "payload hash", which will be very hard to "guess".
« Last edit by Quix0r on Wed Apr 27, 2011 9:23 pm. »
#37 Wed Apr 27, 2011 11:47 pm
Member (Registered: Jun 2005, Posts: 29, Location: Krefeld)

Another thing could be interesting and easy to implement:
- Allow users with at least X posts to change their profile

This would possibly lead to spamming users (posting nonsense posts to gain the right to change their profile), but it renders that profile useless to a spammer because he cannot link his homepages. This would also limit the possibility that (legitimate) users only register with a forum for changing their profile (mostly homepage URL) to get more links to their homepages. As a precaution I have now set 'guests_can_view_profiles' to 0. This will render the spammer's attempts to gain more links to their homepages close to zero because (as I hope) no search engine bot will "see" his spammed links.
#38 Thu Apr 28, 2011 10:18 am
Developer (Registered: Apr 2004, Posts: 2248)

The confirmation stuff can be changed, but the question is whether these spam accounts are created by bots or humans. I see SMF also has problems with the same "family" of spam accounts, even though I believe SMF does have image CAPTCHA etc.
If the bots are created by humans, human verification will most likely always be useless. (This doesn't mean this will not be expanded in future UseBB versions.) I discovered a few links on this issue, e.g. http://stackoverflow.com/questions/5783600/countering-human-paid-spammers and http://drupal.org/node/632288. I will read these shortly.
This is already on the TODO for 1.0.13.
#39 Thu Apr 28, 2011 2:14 pm
Member (Registered: Jun 2005, Posts: 29, Location: Krefeld)

I didn't see any "secret key" in the config file, so I wondered how you make sure that the spammer cannot guess it?
#40 Thu Apr 28, 2011 5:24 pm
Developer (Registered: Apr 2004, Posts: 2248)

Personally I don't think the keys are guessed. The current range for characters in 1.0.12+ is 93, and a random key has 10 characters, which makes 93^10 possibilities. There cannot be HTML entities in the password (fix for the encodings and i18n problem, see wiki), so if we make a rough guess and forget about & there are still 92^10 possibilities, which is 4.34388454 * 10^19.

To verify I downloaded my access log for this month, and investigated the activate URLs. There were a few distinct keys for the same user ID, but it seems this mostly was for the same key with an \r appended (some e-mail program or script glitch I suppose). So I don't see any trace of bots guessing keys. Rather I presume the e-mail addresses are valid and simply get checked for the activation mail. Many recent spam accounts simply have hotmail.com addresses.

As for the site key, when computing a hash it's still the same size, and thus has the same chance of getting guessed, so I don't see the point of doing that in this case. Typically these salt strings are used for passwords and such, but the activation keys are not a hash, only a random string that needs to match. Plus the spam bots don't have access to the DB. So I think you are confusing something. (However note in UseBB 2 this whole registration/activation stuff will be rebuilt from the ground up, and will probably use hashes for activation, which have more possibilities than 92^10. In that case salt strings can be used.)

CAPTCHA surely should be more difficult. UseBB never had image CAPTCHAs. Instead I relied on the custom questions, which were not being guessed as long as the answer hasn't been put in a database, or the bot isn't actually a human solving the questions. Now the random questions don't suffice, but I am afraid other CAPTCHAs don't as well. As you can see from the posted URL, people are having problems even when using reCAPTCHA. Most likely because people are answering these questions, and not programs.
« Last edit by Dietrich on Thu Apr 28, 2011 5:29 pm. »
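Both sides of the exchange above (the site-key proposal in #36 and the reply in #40) in working code, as an added example that is not part of this thread or of UseBB: a stored random 10-character key over an assumed 92-character alphabet, beside an HMAC-derived activation key, which is the case where a secret site key actually matters because the server recomputes the token instead of looking it up. The trailing-`\r` normalization reflects the access-log observation in #40; the function names and the sample site key are constructed for this example.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed 92-character alphabet: the post's 93 printable characters minus
# '&' (no HTML entities); "'" is also dropped here to land on exactly 92.
ALPHABET = string.digits + string.ascii_letters + \
    string.punctuation.replace("&", "").replace("'", "")
KEY_LENGTH = 10


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random key: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def random_activation_key(length: int = KEY_LENGTH) -> str:
    """Stored-random-string scheme (#40): key must be kept in the DB."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derived_activation_key(site_key: bytes, user_id: int, email: str) -> str:
    """Derived scheme (#36, generalized): nothing stored; without the secret
    site key anyone could recompute the token from public registration data."""
    msg = f"{user_id}:{email.strip().lower()}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()


def normalize_key(submitted: str) -> str:
    """Drop the stray \\r / \\n some mail clients append to the link."""
    return submitted.strip()


def verify_stored(stored: str, submitted: str) -> bool:
    return hmac.compare_digest(stored, normalize_key(submitted))


def verify_derived(site_key: bytes, user_id: int, email: str, submitted: str) -> bool:
    expected = derived_activation_key(site_key, user_id, email)
    return hmac.compare_digest(expected, normalize_key(submitted))


if __name__ == "__main__":
    print(f"92^10 = {92 ** 10} ~ {keyspace_bits(92, 10):.1f} bits")
    k = random_activation_key()
    print(k, verify_stored(k, k + "\r"))
```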
#41 Sat May 21, 2011 3:14 am
Member (Registered: Jul 2008, Posts: 9)

True, when I first posted my question, I also had recaptcha already, which led me to think that a lot of these spammers are real people. For such cases, I can only think of human interaction as the means to solve the problem. This could only work for a forum where you don't get too many registration requests, though. I don't have anything specific in mind, other than manually approving each account and having some sort of box right next to the users' nicknames, where the admin can ask a quick question whenever s/he is suspicious of a certain user, like "what is your relationship to the nuclear physics field" or whatever the forum is about. Tricky business, this spam is... Thank you guys for updating this thread!
« Last edit by vader on Sat May 21, 2011 3:16 am. »