Is There a Real Anti-Spam-Bot Strategy Being Worked On?

ForumGuy789:
This is a question for the devs or others working on the SMF project.

I'll start by saying SMF 2.0 is a great piece of work. Adding an extra security question for registration has all but eliminated spam-bots creating 40+ accounts every day. True post/topic moderation has also been great.

But I think it's becoming more clear that any forum software that is going to survive anymore is going to have to deal with these bots head on. We can't just rely on mods from the community, etc. We can not just ignore the problem.

Telling users to ban their IP is telling the user to go off and waste their time. It doesn't matter if they spend all day, every day, doing it because it's not a solution. Anyone who has actually looked at the problem knows that these spam-bots have an almost infinite number of IP addresses that they use at different times.

I realize that it's an extremely difficult thing to deal with - almost impossible. But a few small things would be extremely nice - and EASY to implement. For instance, I'd love to actually be able to USE my Error Log. But if you dare ban any spammer then your error log is constantly filled with garbage when they keep coming back trying to access the website.

Easy and Quick Suggestions:

* Let admins choose whether or not certain errors are shown on the error log. Right now it's all errors are shown or no errors are shown
* Do I really need to see pages of errors saying "Sorry XXXXX, you are banned from using this forum!"
* Do I need to see "Password incorrect - XXXXXX" every time hordes of spambots fail to log into someone else's account?
* When moderating a post/topic a "Delete Post/Topic and Ban Member" option would be much quicker for removing spam and banning someone at the same time. Otherwise once you remove the post/topic you have to search for the member (if you wrote the name down even). Or, you can click on the member's name, ban them, then work your way back to the topic/post again and remove it.

More Aggressive Suggestions:

* Look at the security/spam-bot protections that other forum software has used. IP-Board is a great example. They have some type of huge database of spammers and check every user accessing the website against this database. It works wonders. I've tested their software. If something slips through, then admins can add them to the database. But usually it's completely automated and turn-key. An admin rarely even needs to deal with it.
* IP-Board also has many other features for security and spam-bot prevention.
* When banning a member/IP actually ban them, instead of giving them a message. Ban them like a firewall does - so they use very little of your resources.

So is development of features still continuing for SMF and are any of my suggestions or other solutions being planned or worked on? If so I will probably become a charter member.

Btw, I can tell you the spam-software doing most of the damage out there is called XRumer. If you need more info about it and what it's doing let me know. I've never used it but have heard much about it - SEO companies use it.

青山 素子:

--- Quote from: ForumGuy789 on September 21, 2011, 01:40:33 PM ---Let admins choose whether or not certain errors are shown on the error log. Right now it's all errors are shown or no errors are shown

--- End quote ---

Would be useful. Depending on how errors are logged, it shouldn't be too difficult to do. Right now, it looks like they are only logged by severity. This means the logging system might need an overhaul to make more granular options.



--- Quote from: ForumGuy789 on September 21, 2011, 01:40:33 PM ---Look at the security/spam-bot protections that other forum software has used. IP-Board is a great example. They have some type of huge database of spammers and check every user accessing the website against this database. It works wonders. I've tested their software. If something slips through, then admins can add them to the database. But usually it's completely automated and turn-key. An admin rarely even needs to deal with it.

--- End quote ---

That sounds like an online service. The SMF software has traditionally avoided depending on external services in the core product. If those services change, go offline, or otherwise have issues, it will be SMF that is blamed. Also, many SMF users have installs where the general Internet isn't accessible (via closed internal networks). Having such services required would make it more difficult for those users.




--- Quote from: ForumGuy789 on September 21, 2011, 01:40:33 PM ---IP-Board also has many other features for security and spam-bot prevention.

--- End quote ---

Like what?


--- Quote from: ForumGuy789 on September 21, 2011, 01:40:33 PM ---When banning a member/IP actually ban them, instead of giving them a message. Ban them like a firewall does - so they use very little of your resources.

--- End quote ---

Handling an actual IP ban at the server level will vary considerably depending on how the install is done. Most of the time, web server applications aren't allowed to modify a server software firewall. Likewise, you can't depend even on htaccess restrictions as some hosts don't allow htaccess directives, or use different server software (IIS, nginx, ...) that doesn't use that type of file. Then you have the added work of removing the ban that was put in place. Note that this all would only work for an IP-based ban.

Even if SMF doesn't display an error, it still has to process the request and check the ban list.



--- Quote from: ForumGuy789 on September 21, 2011, 01:40:33 PM ---So is development of features still continuing for SMF and are any of my suggestions or other solutions being planned or worked on? If so I will probably become a charter member.

--- End quote ---

Your post probably really should have gone in the feature requests section. I'm sure a staff member will move this eventually.



--- Quote from: ForumGuy789 on September 21, 2011, 01:40:33 PM ---Btw, I can tell you the spam-software doing most of the damage out there is called NAME REMOVED. If you need more info about it and what it's doing let me know. I've never used it but have heard much about it - SEO companies use it.

--- End quote ---

That's the thing. It's a commercial product. There is a lot of money involved to make sure it can bypass any kind of protection out there. We're talking millions of dollars in income annually, more than likely. Heck, the newer versions even integrate a captcha-bypassing service that uses real humans (not dropping names, they don't deserve the publicity).

It's like e-mail spam. As long as there is a huge economic benefit to the tactics, they will exist and all you'll get is an arms race between the spammers and those trying to stop them. The only real way to stop it is to provide very large disincentives (huge monetary payments for damages, prison time, etc) that outweigh the benefits and to then enforce these at a level that convinces 90% of the spammers that it's a bad idea to pursue that avenue of income.



By the way, some of the better services right now are CloudFlare and Project Honeypot. CloudFlare actually uses the Project Honeypot database, so the two services keep growing in sophistication and detection of threats.
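
Added example, not part of the thread and not SMF code: a Python sketch of the error-log filtering requested in the first post, hiding the two quoted message types from the visible log while still counting them and surfacing accounts with repeated failed logins. The tuple layout, the sample entries, the `triage` function and its threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Message patterns taken from the two messages quoted in the first post.
NOISE_PATTERNS = {
    "banned": re.compile(r"^Sorry (?P<user>.+), you are banned from using this forum!$"),
    "bad_password": re.compile(r"^Password incorrect - (?P<user>.+)$"),
}

# Constructed sample entries (timestamp, ip, message); not a real SMF log format.
SAMPLE_LOG = [
    ("2011-09-21 13:40:01", "203.0.113.7", "Sorry bot_a, you are banned from using this forum!"),
    ("2011-09-21 13:40:02", "203.0.113.7", "Sorry bot_a, you are banned from using this forum!"),
    ("2011-09-21 13:40:05", "198.51.100.23", "Password incorrect - alice"),
    ("2011-09-21 13:40:06", "198.51.100.24", "Password incorrect - alice"),
    ("2011-09-21 13:40:07", "198.51.100.25", "Password incorrect - alice"),
    ("2011-09-21 13:41:10", "192.0.2.15", "Undefined index: topic_id"),
    ("2011-09-21 13:42:00", "203.0.113.9", "Password incorrect - bob"),
]

def classify(message):
    """Return (category, username) for a known noise message, else ("other", None)."""
    for category, pattern in NOISE_PATTERNS.items():
        match = pattern.match(message)
        if match:
            return category, match.group("user")
    return "other", None

def triage(entries, hidden=("banned", "bad_password"), alert_threshold=3):
    """Split a log into visible entries, per-category counts and targeted accounts."""
    visible, counts, failures = [], Counter(), Counter()
    for entry in entries:
        category, user = classify(entry[2])
        counts[category] += 1
        if category == "bad_password":
            failures[user] += 1  # counted even when hidden, so the signal is kept
        if category not in hidden:
            visible.append(entry)
    # Accounts hit by repeated failed logins, regardless of how many IPs were used.
    targeted = sorted(u for u, n in failures.items() if n >= alert_threshold)
    return visible, dict(counts), targeted

if __name__ == "__main__":
    visible, counts, targeted = triage(SAMPLE_LOG)
    print("shown:", visible)
    print("counts:", counts)
    print("accounts with repeated failed logins:", targeted)
```

Counting failures per account rather than per IP matches the point made in the first post that the bots rotate through many addresses.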

Kindred:
As noted: the best anti-spam measures depend on a third party (Stop Forum Spam and Project Honeypot). As such, they will probably never be included in the base install - for the reasons motoko already mentioned. That being said, they are one-click installs as mods.

xpubstargamingx:
I have 1.1.14 with Stop Forum Spam and Project Honeypot. No issues anymore for my community.

N. N.:
I'd have just a quick question for the moment, ForumGuy (I will come back on this),

Can you please tell me why you say that you can't rely on mods from the community? There are (as you can see here in this topic as well as elsewhere) mods that have proven very useful, actively maintained and supported by their developers.
