
Author Topic: Security questions  (Read 5755 times)

Offline gkawa

  • Newbie
  • *
  • Posts: 7
Security questions
« on: November 03, 2018, 02:50:20 PM »
Hi there

I've inherited a forum using SMF and recently I moved it to a new hosting and updated it to the last SMF version. Since then, the site has been under spam attack. Nothing big, just annoying. I changed the registration procedure to admin approval and kept an eye on it. I've been advised to use security questions and it didn't work well at first. Using a small number of questions is a short-term solution. I could see humans (I can tell based on the response time filling the form) registering many times and then the bots again at full speed. In some cases, using questions that are related to the forum itself can help. Unfortunately, it's not my case.

So, I'm trying a new approach and I'm posting it here in case someone else can benefit from it or help me refine it.
My plan is to use a large number of questions that are almost stupid, even the kind of question that a bot could solve, but make them in many different variations. This way, it would require a LOT of human interaction to create a bot able to answer them automatically.

For example: I created random sets of 10 letters and about 20 different questions of the type "what's the first vowel?", "how many vowels?", "what's the last letter?" Even the way the text is composed varies: "what's the first uppercase letter? --> tTyhvBjhGhG" or "what's the first uppercase letter? ****tTyhvBjhGhG****". This way, even when the question can be easily identified, using different patterns and random lengths makes the analysis almost impossible for a simple script. It requires a long time of analysis and a complex script.

I created the first set with an Excel spreadsheet, 500 questions and 19 different patterns. I had almost 50 at first but it got complicated for questions that were impossible to answer for a randomly created set, like "what's the letter after the A?" when there's no A. So, I kept the 19 that work for any set of letters.
I'm thinking about doing it with a script, to make it easy to replace all the questions with one click as part of the maintenance of the forum.
I'll see if I can convert the Excel worksheet to a Google one, in case someone is interested. It's easy to use, the only thing that can't be done from there is the import in the database. That's why I think a PHP script would be better.

So far, it's working.
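
The generator described in the post above, as an added example that is not part of the original post or the poster's spreadsheet. It assumes PHP 7.4+; all function names, the five question types and the third wrapper pattern are hypothetical, and the database import is left out. Question types that a given letter set cannot answer are skipped, which is the failure mode the post describes.

```php
<?php
// Added example: all names here are hypothetical, not SMF's own API.

// Each question type returns its answer, or null when the set cannot answer it.
function question_types(): array
{
    return [
        "What's the first vowel?" => fn(string $s) => preg_match('/[aeiou]/i', $s, $m) ? $m[0] : null,
        "How many vowels are there?" => fn(string $s) => (string) preg_match_all('/[aeiou]/i', $s),
        "What's the last letter?" => fn(string $s) => substr($s, -1),
        "What's the first uppercase letter?" => fn(string $s) => preg_match('/[A-Z]/', $s, $m) ? $m[0] : null,
        "How many uppercase letters are there?" => fn(string $s) => (string) preg_match_all('/[A-Z]/', $s),
    ];
}

// Random mixed-case letter set, 10 letters by default as in the post.
function random_letters(int $len = 10): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Pick one answerable question type and one text layout for the given set.
function make_question(string $letters): array
{
    $answerable = [];
    foreach (question_types() as $text => $solve) {
        $answer = $solve($letters);
        if ($answer !== null) {          // skip e.g. "first vowel" when there is none
            $answerable[$text] = $answer;
        }
    }
    $texts = array_keys($answerable);
    $text = $texts[random_int(0, count($texts) - 1)];
    // First two layouts are the ones quoted in the post; the third is constructed.
    $wrappers = ['%s --> %s', '%s ****%s****', '%s [ %s ]'];
    $wrap = $wrappers[random_int(0, count($wrappers) - 1)];
    return ['question' => sprintf($wrap, $text, $letters), 'answer' => $answerable[$text]];
}

// Emit 500 tab-separated question/answer pairs, ready to review before import.
for ($i = 0; $i < 500; $i++) {
    $q = make_question(random_letters(random_int(8, 12)));
    echo $q['question'], "\t", $q['answer'], PHP_EOL;
}
```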

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,267
  • Gender: Male
Re: Security questions
« Reply #1 on: November 03, 2018, 03:06:48 PM »
I have 30 questions, asking 2 during registration.
I change the question set once a year.

I have not had a single bot spammer in 3 years.

You do want to make it easy enough for USERS...   all of my questions are related to the forum topic.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Rock Lee

  • Native Language Support Specialist
  • SMF Hero
  • *
  • Posts: 2,666
  • Gender: Male
  • I also speak english :D
Re: Security questions
« Reply #2 on: November 16, 2018, 02:03:44 PM »
He used mail activation together with 2 questions of 8 that I have almost since he created the site. With the simple captcha (if I take it out they invade me) and an option is mandatory to choose at the time of registration. I have not had almost any spammer; now 1 or 2 registered, but I guess it's a human registering it. Another, though I'm not a fan, is blocking it via .htaccess for an IP range, for example 5.234.89.xx (note the first 3 pairs of numbers were the same, only the last one changes), that you noticed were the spammers.


Regards!
Returning like a phoenix! ~ Bomber Code © 2018
Help - Contributions - Tutorials - And much more!!!

Help me via PayPal

Offline landyvlad

  • Sr. Member
  • ****
  • Posts: 861
  • Gender: Male
Re: Security questions
« Reply #3 on: December 03, 2018, 10:22:49 PM »
I changed my questions a few months back. Have 15 questions (answer two) + simple captcha.
I am being invaded by spammers recently, though they do generally get caught in the 'awaiting approval queue' by one of the forum mods (httpBL or StopSpammer, I can't recall which). But even deleting them there is tiresome.
 

He used mail activation together with 2 questions of 8 that I have almost since he created the site. With the simple captcha (if I take it out they invade me) and an option is mandatory to choose at the time of registration.

What do you mean by "and an option is mandatory to choose at the time of registration" ?
Please do not PM, IM or Email me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

To paraphrase Kindred: "There are no technical solutions to social problems."

No hack nor blackhats, just persistent asshats.