Security not Working

Started by loftus, September 25, 2013, 07:04:24 PM

loftus

I recently installed. But now I'm getting hundreds and hundreds of spam - bogus guest/member sign ups and greek text messages. I initiated Captcha and Question/Response. But they are not working. I've tested registering from my PC as well as other PCs and there is not a registration challenge - either captcha or question/answer.

The spam is so heavy I have already had to extend bandwidth.

What am I doing wrong?

Duane

LiroyvH

What SMF version? What mods (if any)? :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Arantor

That might mean it's not actually been enabled properly. It is possible to turn these things off, after all. Yup, CoreISP is right - we'd need to know the above and then we can point you in the right direction.
Holder of controversial views, all of which my own.


loftus

Version Information:
Forum version: SMF 2.0.5 (more detailed)
Current SMF version: SMF 2.0.5
GD version: bundled (2.1.0 compatible)
MySQL version: 5.0.96-community
eAccelerator: 0.9.6.1-ea
PHP: 5.4.19
Server version: Apache

It seems that it is not enabling the captcha or question/response features and the spammers are just coming in unchallenged. When I registered under a different name from a different computer - there was not any challenge, captcha, questions, etc.



Arantor

So what are the settings in Admin > Configuration > Security and Moderation > Anti Spam?


Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

loftus

Settings:

Anti-Spam Verification
Require verification on registration page: CHECKED
Require verification on all guest searches: CHECKED
Guests must pass verification when making a post (Automatically set if you specify a minimum post count below): CHECKED
Post count under which users must pass verification to make a post (0 for no limit, moderators are exempt): 5
Guests must pass verification when reporting a post: CHECKED

Maximum number of recipients allowed in a personal message (0 for no limit, admins are exempt): 10
Post count under which users must pass verification when sending personal messages (0 for no limit, admins are exempt): 5
Number of personal messages a user may send in an hour (0 for no limit, moderators are exempt): 20

Configure Verification Methods
Below you can set which anti-spam features you wish to have enabled whenever a user needs to verify they are a human. Note that the user will have to pass all verification so if you enable both a verification image and a question/answer test they need to complete both to proceed.
Visual verification image to display (The more complex the image the harder it is for bots to bypass): MEDIUM
Number of verification questions user must answer (0 to disable; questions are set below): 2

Verification Questions
If you want users to answer verification questions in order to stop spam bots you should setup a number of questions in the table below. You should pick relatively simple questions; answers are not case sensitive. You may use BBC in the questions for formatting, to remove a question simply delete the contents of that line.
Question
Answer

Kindred

and do you actually have any questions/answers added?

requiring two questions, without having actually ADDED any questions doesn't do a whole lot of good....

also - read the wiki that I linked.

loftus

Yes.  I have 3 questions and answers. 

Being new at this, I don't know how to download and install a mod as yet.  Is there a FAQ or Help article on that?   Possibly one or two of the security mods that were listed in the wiki you linked would help.

Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Arantor

Hmm, so the options are all configured appropriately. Seems strange that it isn't working as expected, a link to the site would be useful so we can examine what's going on a bit further.


loftus


First - thank you all for your help. 

My forum is at http://www.loftusweb.com/smf

I think I found an error (on my part - of course) in the configuration of the questions/answer. I had put in the questions/answers (3) but had not checked the box that precedes it asking about the number of questions to be asked (2). I found this because of the request to list the options checked that Arantor presented.

Please accept my thanks (and red face).  But if there are any other suggestions you have after viewing my site, they would be greatly appreciated!




Kindred

no worries....   the interface/UX could be improved to make that more obvious.

As for suggestions. Questions/answers is a good measure.
I use bad behavior+httpBL quite successfully on multiple sites as a first line of defense even before the registration checks.

Arantor

Well, the options you've shown suggest it should be showing a graphical CAPTCHA image too but it isn't :/ Mind you that's not necessarily a bad thing as the bots were getting a bit good at beating that.

The one thing I did have a concern about were the questions, normally such factual questions can be solved by bots that search Google but after looking on Google for results, I'm not actually that concerned (take the question, plug it into Google and see what happens) - because of the way Google treats the question, the answer isn't clearly revealed :)

The Misc Anti Spam mod (mine) does quite a good job of stopping certain kinds of bots without any problems, heh, by tripping them up with a simple but effective pair of methods ;)


loftus

Arantor, Kindred, Colin -

Thank you all very much.

I deleted most (not all) of the IP bans I had created to block spammers during this exercise.  Once I can figure out how to download, upload, install a mod I'll apply Arantor's mod and the bad behavior+httpBL mods. 

Duane

Arantor

Adding a mod is quite easy - it's all done with: Package Manager

