Verifications on posts

[Kindred]

Spam post was deleted.

[enypsrozar]

Thanks guys!

I totally understand why the verification is there, and knowing that I'll only have to put up with it for a few more posts makes it easier to tolerate.   

I know I mentioned this on a thread before (nope, I'm not copy-pasting), but I was staggered to find it was only 10. In my other forum it's 100.

What I'd like to know is how these spam-bots (since we are talking spam, which is related) are able to spam so fast and catchpa-answer so quickly. I don't wish to [edit.], and I will possibly even edit this post later, but in there they have spam flooding in 24 hours a day and spam-busters are flat to the wall endlessly getting rid of them. There are further restrictions I won't specify, but even these are curtailed in time. A new catchpa was implemented, but really, it was just an even easier to read catchpa that resembled hieroglyphics.

A Newbie mentioned re-catchpa which he cites is more effective. I've often wondered if it would be worth the trouble integrating (Lol, we have only recently upgraded to SMF 2.0.2 and it is like comparing Lord of the Rings to Buffy the Vampire Slayer -- no comparison) and if re-captchas are more effective at controlling spam. Information that I saw stated it was more effective than the  catchpa, but I guess I have to take their word on that one (b/c I can't be bothered arguing right now).

I have to admit, spam gets to me.

[Kindred]

Captcha is next to useless these days. ReCaptcha is just as useless. The spambots have broken the format of both of them.

(However if you insist, there is a reCaptcha integration mod for SMF already.)

I do not use ANY captcha on my sites.
I use questions, bad behavior+HttpBL and Stop Spammer.   I get ZERO spam posts and only one or two even make it through to the Stop Spammer "admin must validate" queue.

[enypsrozar]

Thanks for the information! I'll google them and find out some more, as it's a bit of a problem. Weird that ReCaptcha is just a useless though. If the spambots have already figured out how to crack it, it would be a waste of time implementing it even if there is a integration mod available.

Hmmm..... ZERO spam posts ..... that would certainly be a nice change for once.

[MrPhil]

Supposedly all the CAPTCHAs in wide use, including SMF's (and re-Captcha) have been pretty much broken to the point where cranking up the difficulty to the point where the bots can't handle it makes it near impossible for humans. That covers any CAPTCHA showing obscured/distorted Latin alphabet letters and digits. Maybe you could buy some time by ridiculously distorting the letters (way beyond what re-Captcha does). Maybe you could use nonletters, such as drawings of animals, symbols, etc., or clocks ("what time is it?") and the like at odd rotations. You have to be aware of how to present your drawings in audio format ("dog", "horse", etc. for visually impaired people), given that different languages need to be supported and different people will give different names to the same drawing (e.g., you want "dog" while a hunter types in "beagle"). For that, buttons with labels like "dog" could be helpful.

For now, forum- and audience-specific questions seem to be the only effective solution.

Eventually, SMF (and other forums) will have to concentrate on "defense in depth" (watching poster behavior such as how quickly they spew out posts, and what the content of those posts are (number of links, spam words, etc.) and get away from a "hard shell defense" of merely trying to keep bots from signing up in the first place.

[enypsrozar]

Eventually, SMF (and other forums) will have to concentrate on "defense in depth" (watching poster behavior such as how quickly they spew out posts, and what the content of those posts are (number of links, spam words, etc.) and get away from a "hard shell defense" of merely trying to keep bots from signing up in the first place.

I agree. I would think that detecting duplicate posts, or different posts with very similar content in them like spam keywords might be worth looking into. Of course, if this were possible, it probably already would have been done. I just don't know why it can't be done.

Have to feel for those that are forced to clean spam on a daily basis. It must be very thankless and repetitive. Lol, Kindred mentioned bad behavior+HttpBL and Stop Spammer, and b/c I am a newb I had to google them lmao (yeah, still looking at info, but I feel like I've been bombarded with information over the last few months and now the words just swim in front of me). Actually, I think there's a Stop Spammer mod on this site (modification, not moderator lol)

I'll have to get back to you on the blocking of flagged IPs (bad behavior+HttpBL works this way, correct?). Remember, I don't know about these 3 programs yet so need to look into it a bit. It's certainly an area I'm giving some attention to at the moment as it's a recurring problem for many sites/forums, and can be downright disabling if they are sufficiently bankrolled.

Thanks for your helpful replies.

[Arantor]

Mostly the problem is performance. Doing a check against content is computationally very expensive, even for exact matches. It doesn't take much to make it different enough to get around such systems.

Doing it for specific keywords is significantly cheaper, and there are systems around which can do this. Just that SMF isn't one of them and no-one can be arsed to write one for SMF (mostly because doing it properly is a lot of work, as I discovered when implementing such a system for another forum software)

[dimspace]

I cant read captchas, but tinypic use captchas from Solve Media which normally are good, until today I got confronted with

On what date does the new series of "a random program" start on channel 4?

Like I would know :S

[jackk]

SMFs captchas actually are hard to read, sometimes it's impossible to distinguish generated character, i have to re-type them several times until i get it right, but well i guess it's small sacrifice we have to make to keep spammers away.

[Arantor]

Once you've got to 10 posts, they won't be here any more for you

[青山 素子]

Supposedly all the CAPTCHAs in wide use, including SMF's (and re-Captcha) have been pretty much broken to the point where cranking up the difficulty to the point where the bots can't handle it makes it near impossible for humans.

Not so much broken as much as it's really cheap to use a CAPTCHA-solving service. These services hire people from poor countries to solve the puzzles and build out an API. Spam software makers then use these APIs to feed the puzzles to the service, which solves each one for pennies. As long as the financial benefit is greater than the cost of such a service, it neatly automates using humans to solve these things.

So, yeah, traditional CAPTCHA is basically useless against all but the most unsophisticated spamming attempts.

The next-best solution is to use domain-specific methods to detect a generic spammer from an interested individual. Things like the question/answer method built into SMF 2 work really well. The downside is that it's nearly useless for general-discussion forums as the only solid questions there would be general-knowledge (open to attack in the same way as general CAPTCHAs) and for multi-linguial forums where you'd need to use a language-neutral test.