Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM


a10

This seems to do the job at least on my forum.

I am amazed the 16,000-line htaccess (I have added ro, lv, lt + a few more countries) does not seem to slow things down. :D The satisfaction of not seeing a single cn, ru etc. IP or any bot registration for a month now.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

MacGig

Good tips. I finally gave up on version 1.1.x... captcha has been broken a long time and no one is fixing it. Mods are useless because I'm not editing files...

Just installed 2.0. So far so good... I removed all accounts with 0 posts.. 300 of them. Why? Bots join and never post. At least that's what I have found. If you have a small forum and want to check for bots use

http://botscout.com/search.htm

I agree on banning IPs or emails... I've tried all that. useless.

青山 素子

Quote from: MacGig on June 27, 2011, 05:03:20 PM
Good tips. I finally gave up on version 1.1.x... captcha has been broken a long time and no one is fixing it. Mods are useless because I'm not editing files...

It can't be fixed because spam tools are now using services that utilize real humans to solve them. Unless you want to make it impossible for all humans to pass, it'll only stop the simple bots.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


MrMike

Quote from: 青山 素子 on June 27, 2011, 10:52:20 PM
It can't be fixed because spam tools are now using services that utilize real humans to solve them. Unless you want to make it impossible for all humans to pass, it'll only stop the simple bots.
Yep. There are now a lot of services in India and China that use teams of people to solve or fill in CAPTCHA codes. They'll do 1,000 of them for a few dollars.

Tools like XRumer and Scrapebox are still used a lot and (not surprisingly) the code seems to get more adept with every release. Between stuff like XRumer and the paid CAPTCHA teams it's more of a challenge to keep a forum clean.

I highly recommend the Avatar Verification mod package; it's one of the most effective CAPTCHAs I've seen. It won't stop humans but it'll put a dent in the automated registrations.


JeeK

Quote from: 青山 素子 on June 27, 2011, 10:52:20 PM
Quote from: MacGig on June 27, 2011, 05:03:20 PM
Good tips. I finally gave up on version 1.1.x... captcha has been broken a long time and no one is fixing it. Mods are useless because I'm not editing files...

It can't be fixed because spam tools are now using services that utilize real humans to solve them. Unless you want to make it impossible for all humans to pass, it'll only stop the simple bots.

I have been seeing the registration attempts for several weeks - a real pain. First I thought the built-in CAPTCHA had a weakness, but after changing to reCAPTCHA (who will update the SMF package to fit the URIs to the known "owner" Google? BTW: I had to write my own language mod for this package because German is not supported) they passed the verification process again. Now I am certain about the mentioned fact that real humans are working behind the scenes.

So far I have found a way to keep them away, because the tool they are using fills in form values for checkboxes in a different way than common browsers do (e.g. for the checkbox named "skip_coppa" in the registration form). But it's only a matter of time until this is fixed by the spammers ...

JeeK

青山 素子

Quote from: MrMike on June 28, 2011, 08:59:07 AM
Tools like XRumer and Scrapebox are still used a lot and (not surprisingly) the code seems to get more adept with every release.

Those tools already integrate the services of companies that exist simply to solve CAPTCHAs.


Quote from: JeeK on June 28, 2011, 10:29:39 AM
(who will update the SMF package to fit the URIs to the known "owner" Google? BTW: I had to write my own language mod for this package because German is not supported)

I'm the maintainer of that modification, so I will be updating the remaining URLs soon. The latest release did update the recaptchalib.php file, which got the majority of them. Also, if you would like, you can send your translation by PM for inclusion in the package.


MrMike

I highly recommend adding some time-gating to your registration form.  I use this technique on most of my contact and registration forms and it knocks out about 99.99% of all the crap and spambots, and that's without a captcha.

For a contact form, if I also disallow "http:" in the comment text it drops to about 99.999%.

I'm using some very simple time-gating on the GT5Cheats.com site as well as the GameThinker.com site (both SMF forums) and they each reject hundreds and hundreds of spam-bot attempts per day. The best part is that it almost never affects actual (real) users who are trying to register.

I'd be glad to contribute the code for this if someone would like to put it into a mod package. The code is very simple but extremely effective.
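
One way to implement the time-gating MrMike describes, as an added example that is neither SMF code nor MrMike's own: the server embeds a signed issue timestamp in the registration form, and on submit rejects anything that comes back faster than a person could fill the form or so late that the page was scraped and replayed. The function names, constants and secret are assumptions.

```php
<?php
// Added example, not SMF code: a signed, time-gated form token.
// gate_issue() goes into a hidden field when the form is rendered;
// gate_check() runs before the registration is processed.
// GATE_MIN_SECONDS / GATE_MAX_SECONDS are assumed thresholds.

const GATE_MIN_SECONDS = 5;     // fastest plausible human fill-out
const GATE_MAX_SECONDS = 3600;  // anything older is a stale or replayed page

function gate_issue(string $secret, int $now): string {
    $payload = (string) $now;
    // HMAC so a bot cannot simply write its own "old" timestamp.
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns null when the submission is acceptable, otherwise a reason
// string the caller can log alongside the rejected attempt.
function gate_check(string $token, string $secret, int $now): ?string {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        return 'malformed token';
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison of the MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return 'bad signature';
    }
    $elapsed = $now - (int) $payload;
    if ($elapsed < GATE_MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > GATE_MAX_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed usage: token issued at t=1000, then checked at three times.
$secret = 'replace-with-a-random-per-site-secret';  // assumption
$token  = gate_issue($secret, 1000);
foreach ([1002, 1030, 1000 + 7200] as $submitTime) {
    $reason = gate_check($token, $secret, $submitTime);
    echo "t=$submitTime: " . ($reason ?? 'accepted') . PHP_EOL;
}
echo 'forged: ' . gate_check('1000.deadbeef', $secret, 1030) . PHP_EOL;
```

In a real form the token is emitted into a hidden input and the check runs on the POST handler before any account row is created.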

MacGig

I had my first bot join today (I think)... just one so far since installing SMF 2.0 seven days ago or so... the user's IP was fine, but their email and user name came up in the bot list at http://botscout.com/search.htm

So I guess SMF 2.0 is not bot proof after all? I really hoped it was... it was looking like it was since installing it...

I don't understand how they get past the captcha? Or the questions I created? How could a bot know what questions I am going to ask, let alone enter the answer?

Is it possible a human made the account and not the bot?

How can I get the bots to stop crawling my forum? Would disabling guest access help? I mean, if there's nothing there for the bot to see, perhaps over time it will go harass someone else's forum?

青山 素子

Quote from: MacGig on July 05, 2011, 03:17:53 PM
So I guess SMF 2.0 is not bot proof after all? I really hoped it was... it was looking like it was since installing it...

Nothing is. If a human can get in, a reasonably well-programmed bot can as well.


Quote from: MacGig on July 05, 2011, 03:17:53 PM
I don't understand how they get past the captcha? Or the questions I created? How could a bot know what questions I am going to ask, let alone enter the answer?

How general are the questions? Things like "What color is the sky?" and "2+2" are easily bypassed. Questions like "What is the name of the main character in Gungrave?" are not.

As for CAPTCHAs, they have been broken for years. The most popular software uses special services that employ humans (in low-income countries) to solve them.


Quote from: MacGig on July 05, 2011, 03:17:53 PM
Is it possible a human made the account and not the bot?

Yes.


Quote from: MacGig on July 05, 2011, 03:17:53 PM
How can I get the bots to stop crawling my forum? Would disabling guest access help? I mean, if there's nothing there for the bot to see, perhaps over time it will go harass someone else's forum?

If you disable guest access, you'll drop out of search engines, so keep that in mind. However, it could reduce the volume of attempts. It won't stop them completely unless you also completely disable registration.


MacGig

A little disappointed. I thought SMF 2 was finally the answer to a forum overrun with bots for many, many years....

I guess my questions are too easy?... "please enter the following word-"... all related to what the forum is about... some are a little more difficult... "please enter the first 4 letters of the following word", or "enter the last 5 letters of the following word"

Just one bot so far, so it's not too bad yet...  I may make the questions tougher... :)

fwitt

For my site I had a relatively easy job of picking questions that bots can't answer, but that's because all potential members of my forum are members or family members of a youth group. So asking for the group colours is a question that they will easily be able to answer but that is very difficult for a bot to answer.

However the other forums I admin on have a much harder time because they are open to a lot more people who may not even speak English.

The SMF Arcade site is the worst out of the sites I admin. How do you set a question that someone using Google Translate can answer but a bot can't?

MrPhil

Well, I'll repeat what I've been saying for a long time. It is insufficient to have only a "hard crust" defense designed to stop bots from signing up. More and more, spammers are turning to farms of Third World people to do nothing but crack CAPTCHAs and answer "are you human" questions. Questions sufficiently narrow in scope to restrict correct replies to your intended audience may give false negatives due to ambiguity or multiple "right" answers. Besides, almost anything factual can be googled these days.

SMF is going to have to turn to monitoring post content to flag possible spams to be held for review. I discuss some of this in my sig > Projects. Spammer-like patterns of usage can be detected, such as exceeding 2 posts per day/7 posts per week for the first 30 days of an account. Suspicious posts can be held for review, or less suspicious ones can be challenged with a CAPTCHA and/or questions (like a registration). Not just for newbies: all posts are searched for excessive links, keywords, non-words (attempting to evade controls), and unquoted copying of earlier posts. And of course, no active links or sigs until a certain length of time and perhaps a certain number of posts.
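
The posting-rate and content checks MrPhil lists above, as an added example that is neither SMF code nor MrPhil's own: one function that returns the reasons a post should be held for review. The thresholds not stated in the post (MAX_LINKS, MAX_NONWORD_RATIO) and all function names are assumptions.

```php
<?php
// Added example, not SMF code: heuristics from the post above as a scoring
// function. Thresholds marked "assumed" are not from the post.

const NEW_ACCOUNT_DAYS   = 30;  // "first 30 days of an account"
const MAX_POSTS_PER_DAY  = 2;
const MAX_POSTS_PER_WEEK = 7;
const MAX_LINKS          = 2;   // assumed
const MAX_NONWORD_RATIO  = 0.3; // assumed share of tokens that are not words

function normalize_body(string $body): string {
    return strtolower(trim(preg_replace('/\s+/', ' ', $body)));
}

// $postTimes: unix timestamps of the account's earlier posts.
// $earlierBodies: bodies of earlier posts by anyone, for the copy check.
function spam_flags(string $body, array $postTimes, int $registered, int $now,
                    array $earlierBodies = []): array {
    $flags = [];
    if ($now - $registered < NEW_ACCOUNT_DAYS * 86400) {
        $day  = count(array_filter($postTimes, fn($t) => $t > $now - 86400));
        $week = count(array_filter($postTimes, fn($t) => $t > $now - 7 * 86400));
        if ($day + 1 > MAX_POSTS_PER_DAY)   $flags[] = 'new account over daily post limit';
        if ($week + 1 > MAX_POSTS_PER_WEEK) $flags[] = 'new account over weekly post limit';
    }
    // Excessive links: bare URLs or BBCode [url] tags.
    $links = preg_match_all('~https?://|\[url~i', $body);
    if ($links > MAX_LINKS) $flags[] = "excessive links ($links)";
    // Non-words: tokens that are neither a URL nor a plain word, which
    // spammers use to slip past keyword filters.
    $tokens = array_values(array_filter(preg_split('/\s+/', trim($body))));
    $nonwords = count(array_filter($tokens, fn($w) =>
        !preg_match('~^https?://~i', $w)
        && !preg_match('/^[\p{L}\p{N}\'-]+[.,!?;:]*$/u', $w)));
    if ($tokens && $nonwords / count($tokens) > MAX_NONWORD_RATIO) $flags[] = 'many non-words';
    // Unquoted copy of an earlier post.
    if (in_array(normalize_body($body), array_map('normalize_body', $earlierBodies), true)) {
        $flags[] = 'duplicate of an earlier post';
    }
    return $flags;
}

// Constructed sample: account registered 3 days ago, 2 posts already today.
$now = 1700000000;
print_r(spam_flags("Buy now http://a.example http://b.example http://c.example b@#!q &%^z",
    [$now - 3600, $now - 7200], $now - 3 * 86400, $now,
    ['Welcome to the forum!']));
```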

Aleksi "Lex" Kilpinen

I would agree that most of that sounds like a good way to catch spammers - but posting activity?
I've had many members making around 10-20 posts a day from day one....
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

MacGig

Almost all of the bots that join my forum never post. They just join.

My forum is about sports, football for example... why do people/bots/spammers go through so much trouble to hack into/join a forum and then never post? I mean they can read the entire forum without joining. So what's the point? What's in it for them?

I don't get it. Most are from China, Russia, Pakistan, Japan, etc... a few from the USA...

MrPhil

Quote from: Aleksi "Lex" Kilpinen on July 06, 2011, 12:11:07 AM
I've had many members making around 10-20 posts a day from day one....
A characteristic of spammers is to join, perhaps lay low for a while until they "age out" of any closely-watched newbie group (see post following yours), and then put out a burst of spam posts before they can be banished.

Personally, I've never seen anyone with something worthwhile saying, spewing out 10 to 20 posts per day from the get-go. Usually it's spammers going at that rate.

Aleksi "Lex" Kilpinen

Well, on my board it mostly seems people either join to post - or to lurk, and stick with their choice :P

MrMike

Quote from: MacGig on July 05, 2011, 04:28:17 PM
A little disappointed. I thought SMF 2 was finally the answer to a forum overrun with bots for many, many years....
There is no such thing, and there never will be. Any application that allows people to sign up to it will have to contend with bots and unwanted visitors in some fashion. CAPTCHAs can help keep bots out, but nothing will keep a human out, since humans are supposed to be able to sign up.

In other words, stop looking for a 100% bullet-proof solution. It simply does not exist. The best you can do is add layers of protection to help screen them out and keep the numbers down.

I expect that many forums will go to "admin approval" only settings. Right now I do this, but in the registration page I instruct users to email us and tell us that they would like their account activated. Bots don't do that, and only a smattering of human spammers will bother. Between that and BotScout and CAPTCHAs, it's pretty well under control for me (and I run dozens of forums at the moment).

MacGig

Yep, guess my expectations were set a little too high. I may try your idea, admin approval and send an email... guess that works as well as anything else...

So far all of the mods I've seen for keeping out spammers are useless to me because I don't code. No sense in pretending I code, or even trying it. Waste of time for me trying to edit half a dozen or more files.. Even installing mods via SMF doesn't seem to work like it should, so forget that idea too.

WillyP

Quote from: MacGig on July 05, 2011, 04:28:17 PM
A little disappointed. I thought SMF 2 was finally the answer to a forum overrun with bots for many, many years....

I guess my questions are too easy?... "please enter the following word-"... all related to what the forum is about... some are a little more difficult... "please enter the first 4 letters of the following word", or "enter the last 5 letters of the following word"

Just one bot so far, so it's not too bad yet...  I may make the questions tougher... :)

You have to keep in mind these questions are now being answered by humans, who get paid piecework, i.e. like $1 for 1000 solved. So ideally the question would be very specific to your target demographics, for example, 'What is the name of the main character of the game this forum is a fan of?'. Often a forum is more generalized, and you might want to include a question that requires the candidate to follow a link to a specific post and read a paragraph or two to get the answer. A support forum for software could have the answer in the software. Now, of course a human solver could solve this, but it just isn't worth their time, when they can easily just move on to the next URL on the list. Whereas a real member wants to join and would take the time to find the answer as long as it is not too difficult.

lol: I once tried to join a support forum and they had a math question I could not solve. Turns out whoever wrote the question had made a mistake. Make sure your question can be solved reasonably easily.

I have only once or twice had a problem installing a mod, it is not that difficult.

vertese

I am feeling stuck, we are getting loads of spammers every day and have it set on member approval.
We are unable to update to 2.0 because we have the Dilber MC Theme by HarzeM, which we have heard is not compatible with 2.0.
Please, has anyone got any ideas on what we can do?
A good spam catcher that works with SMF 1.1.13 is what we need, please.
