Limit time for registration as a parameter

Started by gkawa, March 25, 2025, 03:28:06 PM


gkawa

I've been having a tough time dealing with spambots. It's like nothing works. I was thinking about a couple of tricks to defeat them working on the fact that a bot is a bot, it's fast and it's efficient. So, they're able to register in less than one second and they go straight to the registration.
One of these is already on SMF. But the time limit is too low and the bots are already working around it.
Quote
   // Prepare the time gate! Do it like so, in case later steps want to reset the limit for any reason, but make sure the time is the current one.
   if (!isset($_SESSION['register']))
      $_SESSION['register'] = array(
         'timenow' => time(),
         'limit' => 30, // minimum number of seconds required on this page for registration
      );
   else
      $_SESSION['register']['timenow'] = time();
I set it at 30 seconds and the bot registrations stopped. After a while, they stopped even trying. Human registrations are working normally, I can't imagine someone going through the process in less time than that. Maybe for a gaming/coding forum, 30 seconds is too much. For my forum, where users don't have special computer skills, probably 60 seconds are not out of the question. That's why I think that having the value as a configurable parameter may help. Now I have to remember to put it back at its original value for updates.

The other trick I was thinking about involves the logo. I set the logo as a PHP call that serves the image. It's the same but it opens the opportunity to set a flag for that particular session that lets me know that the user opened the whole front page before entering the registration. Bots don't do that. I'm not working on that anymore now that the new time parameter is working so well. However, I'm sure that the spammers are going to find a way around it sometime. Better be prepared.
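
The two session checks described in the post above, as an added example that is not part of the original post and is not SMF's own code. The function names and the `register_min_seconds` setting key are hypothetical; the minimum time is read from a settings array instead of being hard-coded.

```php
<?php
// Added illustration, not SMF code. Function names and the 'register_min_seconds'
// key are hypothetical; the $session arrays stand in for $_SESSION.

// Read the minimum form time from an admin-editable settings array, clamped so
// a bad value can neither disable the gate nor lock everyone out.
function gate_limit(array $settings): int
{
    $limit = (int) ($settings['register_min_seconds'] ?? 30);
    return max(1, min($limit, 600));
}

// Called by the PHP script that serves the logo image on the front page.
function mark_front_page_seen(array &$session): void
{
    $session['seen_front_page'] = true;
}

// Called when the registration form is displayed. The timestamp stays in the
// server-side session, so the client cannot edit it.
function open_gate(array &$session, array $settings, int $now): void
{
    $session['register'] = ['timenow' => $now, 'limit' => gate_limit($settings)];
}

// Called when the form is submitted. Returns the reasons to reject (empty = pass).
function check_gate(array $session, int $now): array
{
    $reasons = [];
    if (empty($session['register']['timenow']) || empty($session['register']['limit'])) {
        $reasons[] = 'form_never_displayed'; // request went straight to the submit handler
    } elseif ($now - $session['register']['timenow'] < $session['register']['limit']) {
        $reasons[] = 'submitted_too_quickly';
    }
    if (empty($session['seen_front_page'])) {
        $reasons[] = 'front_page_not_loaded';
    }
    return $reasons;
}

// Constructed sessions: one submits 1 second after the form is shown, the other
// loads the front page first and spends 45 seconds on the form.
$settings = ['register_min_seconds' => 30];
$fast = [];
open_gate($fast, $settings, 1000);
print_r(check_gate($fast, 1001));

$slow = [];
mark_front_page_seen($slow);
open_gate($slow, $settings, 1000);
print_r(check_gate($slow, 1045));
```

A visitor who follows a direct link to the registration page, or whose browser blocks images, never sets the front-page flag, so that reason is better logged or scored than used as a hard reject.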

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

gkawa

Quote from: Kindred on March 25, 2025, 03:33:51 PM
you need to use the built in anti-spam measures.... or one or more mods that enhance them....

I tried. It doesn't work.
They pass Google captcha with flying colors. Questions and answers have to be updated frequently. I used a set of 500 and, after a while, they broke in. I have a list of thousands of IP numbers blocked by server policy and they keep opening accounts.

The worst part is that it's a forum with zero Internet presence, we rate so low on Google indexes that they had to create a new category just for us. It doesn't make sense. It's like they're using us as a sandbox to train bots. Just in February I detected more than 80 spam accounts, more than 2 per day. I've found more than 10 sometimes in one day.

Since I set the time limit at 30 seconds, it stopped. I checked the server logs and I could see the attempts. The first day was at the same rate, and then it went down until it stopped. I think a human may have opened an account to test it, trying to figure out what's going on with the bot. I saw that before. Sometimes they copy an old post, an introduction for example, change a small detail, and post it as their own. Those are easy to detect most of the time and for some reason they don't use those accounts to spam.

Anyway, so far, so good. I'm happy with this solution because it works. I'd like to be prepared for the next bot.

Kindred

captcha is useless -- and has been for ages now.

QUESTIONS are your number one spam prevention and there are at least 2 mods that enhance the questions feature.

30+ questions, ask 2-3 at registration ---  along with Stop Spammer -- and I have not had a successful spam bot register in years

GL700Wing

Quote from: gkawa on March 25, 2025, 07:26:52 PM
Questions and answers have to be updated frequently. I used a set of 500 and, after a while, they broke in.

Sounds like the questions/answers were too simple ...

You could use the Image for Anti-Spam Verification Questions mod where the questions/answers relate to an image - it's very effective!


Life doesn't have to be perfect to be wonderful ...

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

gkawa

Quote from: GL700Wing on March 26, 2025, 01:55:02 PM
Sounds like the questions/answers were too simple ...

Well, they have to be. It's a forum on the Internet. If I use complex questions, like basic arithmetic, nobody can register  ;D

The problem is the volume. I used sets of hundreds of different question/answer made with dozens of different patterns. Once they get a reasonable number, the bots try to register repeatedly until they hit a question with a known answer. I saw it in the web log.
Your suggestion is good, I like it. But to get to a reasonable volume I'll have to do a lot of work, complex images, lists of questions. The change in the time limit is working fine so far and doesn't require an addon. I didn't have one bot registration last month. Let's see how long it takes for them to figure it out. My only concern right now is that I had to change the code of the page and that will eventually interfere with future updates. That's why I suggest to have that as a configurable parameter.

live627

Always fascinating to see how people fight spam.

Diego Andrés

Probably anything under 10-15 seconds is very suspicious when you have anti spam questions and/or captcha.

The thought can be reinforced around the password strength. Unless (for some reason) you arrive at a site with a password in the clipboard, it's completely unrealistic to fly through the form.

SMF Tricks - Free & Premium Responsive Themes for SMF.

MobileCS

I've tried reCAPTCHA and hCaptcha, but haven't had much luck with it.

I switched to Cloudflare Turnstile (a non-captcha solution), and as far as I can tell, I've had no spam registrations since turning it on a few days ago.



I've created a mod for it, so you can try it for yourself.

https://custom.simplemachines.org/index.php?mod=4430

You can find more information here:

https://www.cloudflare.com/en-ca/application-services/products/turnstile/
