News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Remove extra periods from Gmail addresses

Started by mrhope, February 05, 2021, 04:02:28 PM

Previous topic - Next topic

mrhope

As most probably know, Gmail e-mail addresses ignore periods allowing the user to have different e-mail addresses. For example, "[email protected]" could also be "[email protected]," "[email protected]," etc.

This feature is nice. However, it's also used by spammers. I just fished deleting over 1,000 spam accounts using this technique to spam our forum.

I think it could help if SMF forums removed the periods for any @gmail.com or @googlemail.com submitted e-mail address or not treat Gmail addresses with extra periods as different addresses.

Having this ability can give a spammer the potential to create dozens of accounts for a single e-mail address.

Tip for those suffering from the same problem, to help find accounts using these tactics, you can search your forum members using search e-mail strings similar to the following examples.

*.?.*@gmail.com
*.??.*@gmail.com
*.???.*@gmail.com

vbgamer45

I can write a quick piece of code to do it for you.

I like keeping those accounts since it is easier to tell if it is a spammer or not.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Kindred

you know, there are much easier ways to spot and stop spammers.....
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

mrhope

Quote from: vbgamer45 on February 05, 2021, 04:42:38 PM
I can write a quick piece of code to do it for you.

Might take you up on that vbgamer45, am I ok to PM you?

Quote from: Kindred on February 05, 2021, 04:59:16 PM
you know, there are much easier ways to spot and stop spammers.....

Well, I'd welcome suggestions. I've read and tried a lot of different suggestions and we have always got hammered with spammers. I've tried various captcha mods, re-create random questions on registration, and right now are doing verified posts for new users and temporarily verifying new accounts through Admin account. I believe a lot of our issues right now is using Cloudflare, which means we cannot ban off IP address, because it's using shared Cloudflare IP's and cannot get real IP from Cloudflare because IPv6 isn't supported SMF without heavy modification with the IPv6 mod.


vbgamer45

Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

GL700Wing

Quote from: Kindred on February 05, 2021, 04:59:16 PM
you know, there are much easier ways to spot and stop spammers.....
Agreed - especially as this would effectively invalidate what are otherwise perfectly valid email addresses.

I use several gmail accounts with one or more period characters in them and AFAIK none of the forums/websites I use them on have ever stripped the period character(s) from my email address.

Also, the '+' character is also valid in email addresses to enable one email address to be used in multiple ways - example:
[email protected]
[email protected]
[email protected]

I think the approach should be to use verification questions/challenges to prevent spammers from registering  - I have done this for many years with my SMF forums with a success rate of more than 99.5% (ie, less than 1 in 200 new members is a spammer) - rather than creating work for admins who then have to deal with these spammers after they've been allowed them to join.


Quote from: mrhope on February 05, 2021, 05:09:33 PM
Well, I'd welcome suggestions. I've read and tried a lot of different suggestions and we have always got hammered with spammers. I've tried various captcha mods, re-create random questions on registration

I also use the BadBehavior for SMF, httpBL, Image for Anti-Spam Verification Questions and StopSpammer mods.
Life doesn't have to be perfect to be wonderful ...

Kindred

build 20-30 questions, ask 2 during registration -- you do have to cycle them every year or so.

I have not had a spammer register in 3 years now.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Matthias

gmail should be a goal these days.
A lot of human spammers somewhere in dark rooms use it, because you can generate unlimited email addresses...
A nice way to get protect of them, is like kindred described. You can use questions for registration, maybe about 20 or above, regularly changing.
Quality first

vbgamer45

For 2.0.x Sources/Subs-Members.php
Find

// !!! Separate the sprintf?
if (empty($regOptions['email']) || filter_var($regOptions['email'], FILTER_VALIDATE_EMAIL) === false || strlen($regOptions['email']) > 255)
$reg_errors[] = array('lang', 'profile_error_bad_email');



Add Before

    $spacesDomainList = array('gmail.com','googlemail.com');
    foreach($spacesDomainList as $spaceDomain)
    {
        $tmp = explode("@", $regOptions['email']);
        $emailDomainCheck = array_pop($tmp);
        if ($emailDomainCheck === $spaceDomain)
        {
            $regOptions['email'] = str_replace(".","",$tmp[0]) . '@' . $spaceDomain;
        }   
   
    }
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Shambles

Good one VB, though to catch @Gmail.com and @GMAIL.com derivatives, I'd make a slight change:

$emailDomainCheck = array_pop($tmp);

to

$emailDomainCheck = strtolower(array_pop($tmp));

Col

There are genuine people who use several periods in their (gmail) email address. After more than 90,000 registrations (a large proportion of them spammers, but stopped by other measures) I decided to try to better-tackle spam registration at the actual point of registration a few months back. I observed the multiple uses of periods by spammers. But after some checking, I could find no genuine account with more than four periods in the email address before the @, and no more than three periods after the @. So I added the two following rules to my email ban list.

*.*.*.*.*.*@*

*@*.*.*.*.*

Of course, the above, or something like them, should be added to the ban list with caution. Else you will inadvertently ban already registered, genuine members - I checked against the the full (admin) memberslist before adding the bans.

They, and some other ban entries worked well, cutting out a lot of spam registrations. However, far from perfect and the positive effect was short-lived.

More recently, I reviewed my anti-spam questions. In the past, I have found them effective for only a relatively short period of time. Worse, when they are being circumvented, there is no record of which questions are answered correctly/incorrectly and by which accounts. A log would be very useful to determine which questions are effective against spammers and/or are subsequently circumvented, and which ones genuine members struggle to answer. (I don't suppose something like this has been added to SMF 2.1?)

So, I decided upon a single, well-crafted question. It has operated without a hitch for two months now. And when it fails, I'll not be left wondering which question I need to replace.

Arantor

I really should port over the rework I did in Wedge for this stuff where it was smart enough to handle not only dots but also plus addressing so you could ban [email protected] and still catch [email protected] type stuff and of course vice versa. (And also, optionally, treat a domain as if it behaved like Gmail with dots and labels)

I'd also note that there are some measures in 2.1 to stop the offenders at the door that we don't talk about but that never made it into mainstream 2.0... but yes, stopping them at the door has always been preferable to bans after the fact.

Kindred

Again, I will state - 30 decent questions, asking 2 at registration has stopped spammer bots on my sites for years now. I change the quedtion pool once every 12-24 months.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

That doesn't negate the improvement I outlined which still has value - just not for *this* purpose.

Kindred

@Arantor -- My comment was directed at the Col, who commented that he would have ONE question - sorry for not making that more clear.  Your improvement is something completely different and attacks a different path of identifying spammers and my comment was not intended to criticize that in any way.... 
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Col

@Kindred - If a single question does the trick, and there is no ambiguity about which question has failed (unlike when you have thirty), what is the advantage of having thirty questions? It can be tricky to come up with any questions which will both foil spambots and be friendly to humans. When my question fails, I know exactly where the system has failed and I have only to create one new one. You will have thirty to replace. But as I wrote before, it would help if there was a log.





Arantor

Quote from: Kindred on February 21, 2023, 04:02:27 PMYour improvement is something completely different and attacks a different path of identifying spammers and my comment was not intended to criticize that in any way.... 

I know - I might even have acknowledged that very fact ;)

The advantage of having thirty questions is that you only show an attacker 1-2 of them and it takes that much longer for any question to appear in the shared Q&A database they maintain. (Yes, that's a thing.)

If you have one question, it's only as good as it takes for someone to input the answer, or for bots to throw it into Google and get the answer that way (yes, that's a thing too).

The 2-3 on display angle is to deal with the fact that *both* have to end up in the database for it to be a problem, and if you rotate them every so often, this is a non issue as Kindred cites.

Col

Quote from: Arantor on February 21, 2023, 04:40:00 PM
Quote from: Kindred on February 21, 2023, 04:02:27 PMYour improvement is something completely different and attacks a different path of identifying spammers and my comment was not intended to criticize that in any way.... 

I know - I might even have acknowledged that very fact ;)

The advantage of having thirty questions is that you only show an attacker 1-2 of them and it takes that much longer for any question to appear in the shared Q&A database they maintain. (Yes, that's a thing.)

If you have one question, it's only as good as it takes for someone to input the answer, or for bots to throw it into Google and get the answer that way (yes, that's a thing too).

The 2-3 on display angle is to deal with the fact that *both* have to end up in the database for it to be a problem, and if you rotate them every so often, this is a non issue as Kindred cites.
I understand your and @Kindred's argument, but if you do not know which question(s) have failed, you end up having to the replace the lot. Further, do we know how, exactly, questions are solved by bots? I suspect, in the main, a human reviews the site in a manner to allow them to cycle through all (or most) of the questions. In my experience, the questions seem to stop worming, more or less, in one go - where spam accounts just shoot up. So, I really do not get the great advantage of thirty questions (which all must be replaced when they fail) as opposed to one failed question. Well, that's my experience at least.

Arantor

Quote from: Col on February 21, 2023, 06:00:57 PMyou end up having to the replace the lot

Good practice really. Guarantees that everything gets refreshed periodically so even if you had some compromised questions balanced by not, that's gone.

Quote from: Col on February 21, 2023, 06:00:57 PMFurther, do we know how, exactly, questions are solved by bots?

Combination of throwing the question into Google and seeing if the result gets hit, and/or showing it to a human to backfill into a database that is shared amongst a number of spam outfits, most notably the Xrumer folks.

I should add, there is - or at least was - an entire cottage industry of folks completing CAPTCHA (esp Google reCAPTCHA) for money. Used to be something like $1-2 USD per 1000 completed. In some parts of the world this can be an entire business model. Other variations exist that reward people with completing CAPTCHAs/Q&A in bulk with ever-more-lurid pictures.

The thing is, your one question is your *only* line of defence; in the case of 30 questions of which only 2-3 are shown, you'd have to have a good number of them compromised *together* for that to be a problem.

Advertisement: