Theories As To How Verification Questions Stop Spammers

Started by xrunner, April 04, 2013, 09:59:48 AM


xrunner

Since this topic is not specifically related to either SMF version, I've posted it here.

I'd like to understand how people think the security verification questions supposedly work to stop spammers. It seems at least three different reasons exist as to how/why they work. Referencing the following conversation:

ziycon's advice -

Quote from: ziycon on April 04, 2013, 07:58:38 AM
With the challenge questions you can set, make sure that the question is as specific as possible to your site/forum content as possible, so maybe ask what the initials of your site stand for or ask the user to enter the initials of your site name, the more specific the better.

The reason given as to how it works is that you need to ask questions that are specific to your site, and since the spammers aren't interested in the specifics of your site they can't answer the question. Sounds reasonable. Then I gave this advice -

xrunner's advice -

Quote from: xrunner on April 04, 2013, 09:14:14 AM
This question I made up did wonders for me (none of it is true but the spammers don't know that) -


You can't post ANYTHING or use your account until an Admin approves your account based on spam databases and heuristic screening criteria - you will not be registered until this approval is complete - if you still wish to apply enter "notspammer" without the quotes in the box


My question works (it stopped spammers), but the reason I gave for why it works (which is my own speculation and could be wrong) was that since the spammers want to get in and post ads as fast as possible, they don't want to wait for their IPs to be checked and account to be verified, so they just don't bother. Using this theory I constructed my verification question shown above.

However Kindred said it worked a different way -

Kindred's advice -

Quote from: Kindred on April 04, 2013, 09:34:32 AM
because it is a sufficiently complicated sentence that their auto-processors or the non-english spammers don't quite understand what they are supposed to do.

I guarantee you, they don't read it, and if they did, they don't care what you say.

Simply because the question is long and complicated, it worked, but that negated the other two theories being correct.

So I'd like to hear from more people - just how do these questions stop spammers? As seen above there are three theories, but there could be more that I don't know about.

Thanks.

Kindred

no, it does not negate ziycon's statement.

Any question which can be easily parsed (1+1=?) or can be answered by autoscanning google
"What color is the sky?" is a bad question and won't stop spammers for long.

this one will work for a while...
"Is blue fire from propane hot or cold"
because it throws in an extra set of words that make it harder to autoparse/search.

one that I have is
"What is the side armour of the Eldar Waveserpent?"
(This is a question specific to the forum AoK)

I have also used
"What is five * 2 take away three adding 6 (spelled out)"

this is not a hard math problem, but it is sufficiently scrambled that the auto processor does not work
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

It's sort of dancing around all of these.

First up. Does a bot or human spammer know there are questions? Very likely, yes. The questions are presented in a consistent format each time. It is likely they can figure this out. The fact there are textboxes there should be a giveaway in the first place.

Secondly, math questions. Math questions are crazy easy for bots because the bots have the ability to process math questions. It's also been observed that bots can and do send questions to Google, and handily enough Google will take a math question and spit out the answer in big shiny letters.

Fact based questions, same sort of deal: the bots have been shown to look the answers up.

Niche specific questions, however, can't always be looked up automatically - this is why I always say to just take whatever question you have and search that question in Google. If you see the answer clearly and obviously in the first few results, the question's no good.

If a question is unique and not resolvable through general knowledge (but specific reading comprehension and/or niche knowledge), it won't be found on Google, and it won't necessarily be able to be solved by human spammers.

This is the second thing to contend with: people being paid $1 to solve 1000 CAPTCHAs or questions. In parts of the world, $1 USD is a lot of money. Buying 1000 solved CAPTCHAs means 1000 sites to register on. This is how reCAPTCHA was first broken.

But what also has been shown to happen is that once your site's question has been identified and solved, it can be added to a spam list which contains everyone else's answered Q&A too.

The trick, ultimately is not about keeping them out. It's about making yourself less of a target. Assume there will always be a weaker target than you.

Quote
they don't want to wait for their IPs to be checked and account to be verified, so they just don't bother

Nah. It's simply because it's not something that can be searched in Google and it hasn't been added to a spam list yet. It will in time then it will be no defence.

Spammers do not read what is in front of them.

xrunner

Quote from: Kindred on April 04, 2013, 10:17:02 AM
no, it does not negate ziycon's statement.

I understand your theory but it's not the same theory as ziycon's, because it has nothing to do with what the forum is about. Here's what he said -

"make sure that the question is as specific as possible to your site/forum content as possible "

According to your advice, the questions don't have to be specific to the site.

JohnS

All of them are valid, there is not one single reason why verification questions work.
There are two basic types of spamming, robots where the script has to be able to decipher what you are asking so it can reply accordingly. For example if you have three verification questions there is a good chance with a few attempts they will have all the possible answers and can program accordingly.
The second type is manual and uses people who are paid a few pennies for signing up to forums. More often than not they will use bogus email addresses, so they are unable to respond to emails that are needed to set up the account, even though they can read and answer the questions.
The complex questions point will also work on some as if they are not natural speakers of the language you use, they may find it difficult to answer the questions.
So verification questions in conjunction with requiring new members to validate their email addresses is a better combination than just having either of them.
I have taken it to a different stage where they have to email an auto responder to get the current password which has to be entered as the verification answer. I change the password from time to time. Since doing this spammers have dropped from several a day to none over the last three months. I accept this makes it a bit more difficult to join but this is not an issue for the forums I run.

Arantor

Quote
According to your advice, the questions don't have to be specific to the site.

They don't. It usually helps if they are, because that has the benefit of discouraging people who aren't spammers but aren't really going to the right forum. Having it about the niche of your forum tends to encourage the 'right' kind of people, whatever that is.

It is simply that it is a unique question, not solvable via Google that requires a little more effort to be able to process which is currently beyond bots.

Quote
All of them are valid, there is not one single reason why verification questions work.

Correct. Though the reasons are very close together.

Quote
There are two basic types of spamming, robots where the script has to be able to decipher what you are asking so it can reply accordingly. For example if you have three verification questions there is a good chance with a few attempts they will have all the possible answers and can program accordingly.

Eh, xrumer has a big ol' list of questions and their answers and it's shared with all other xrumer bots. The operator can be shown the questions and solve them themselves and then share the answers with others too.


Let me share what I do.

1. Anti spam questions. Even on a multi-lingual forum, that's not a problem (since I made the questions have multi-language support!)

2. Minimum time to enter the form. The time is recorded when the form is shown to the user, it is recorded again when the form is returned back, if it is too quick, the form is shown to the user again with an error.

3. Hidden field that must remain empty. Bots are not generally known to get this one right.

4. Bad Behaviour integrated.

5. Custom CAPTCHA complete with a custom font. I should also add the CAPTCHA has many different styles (not just variations on a theme), some of which are animated, which has been shown to have a very good track record.

xrunner

Quote from: Arantor on April 04, 2013, 10:19:56 AM
Spammers do not read what is in front of them.

Fair enough, I had only speculated on why mine worked because I have no way to gather actual data, but if what you say is true, then the questions, again, don't have to have anything to do with the content of your forum.

Kindred

no, they don't have to be related to your forum.

The reason we suggest that is because those questions are more likely to be niche, are more likely to be known by truly interested users and less likely to be easily searchable.

Do note, that one of the questions I listed, above IS specific to the niche for my forum...   do you know what an eldar waveserpent is? :)   Do you know the side armour? Did you know that it's a number? Do you know what number?

see... :)

Arantor

It also encourages admins to write better questions off the bat.

xrunner

What do you think about this question:

What jet like is it that your queen chocolate ice cream stated to inject my lasso and quite car driver drunk to the store the answer to the question is sunshine.

Arantor

I'm a native English speaker, I had to read that three times to figure out what the answer is. It'll stop spammers, for a while but it will also stop some English speakers too.

xrunner

Quote from: Arantor on April 04, 2013, 10:37:24 AM
I'm a native English speaker, I had to read that three times to figure out what the answer is. It'll stop spammers, for a while but it will also stop some English speakers too.

OK.

But although it's hard (too hard but I can adjust that) it would stop a spammer right?

What I'm trying to do is come up with a "standard" answer for people having problems with spammers. I don't want to give advice that is wrong. So even though my question seems to work the theory as to why it works seems to be wrong. I want to correct myself, and also give out the best reason for why the questions work.

Seems possible to do this. So far we agree the questions don't have to be specific to your forum, i.e. having those specific questions is not at the heart of what makes the questions stop spammers.

Arantor

Quote
But although it's hard (too hard but I can adjust that) it would stop a spammer right?

For a while, yes. But not permanently.

Quote
What I'm trying to do is come up with a "standard" answer for people having problems with spammers

There isn't one.

Quote
So far we agree the questions don't have to be specific to your forum, i.e. having those specific questions is not at the heart of what makes the questions stop spammers.

That's not actually what was said or what was agreed with, but never mind.

The key test is uniqueness. The more unique a site's defences are, the harder it is for bots to get in. Questions that are niche related fall into the pile of 'more unique' because they have the characteristics of 'not easily found on Google' and 'unlikely to be known by simply reading the question'.

If more and more people adopt your example, it will become more of a target and thus more likely that the bots will actually run into it - at which point someone will add it to the spam list and it will be precisely zero defence to you.

This is why you can't have specific examples - because the more the example is used, the weaker it becomes.

Your question works not because it is niche specific but it works for all the same reasons that niche specific questions work. This is what was stated already.

Account Abandoned

We (AAF) have recently had to add another question on registration (so two now) because it seems spammers are getting through them. I am wondering if the Questions method is starting to get beat now...

Arantor

Read the posts above. The reason should dawn on you fairly quickly.

vbgamer45

My setup on some of my sites.

I like doing the hidden field but hiding with css to make it invisible.
Also I renamed a couple of the SMF actions for register accounts
And then rename the fields on the registration form to help with bots.
Different captcha, recaptcha or something else.
Tied in with stopforumspam
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro
