Author Topic: Security questions  (Read 3064 times)

Offline gkawa

  • Newbie
  • *
  • Posts: 7
Security questions
« on: November 03, 2018, 02:50:20 PM »
Hi there

I've inherited a forum using SMF and recently I moved it to a new hosting and updated it to the last SMF version. Since them, the site has been under spam attack. Nothing big, just annoying. I changed the registration procedure to admin approval and kept an eye on it. I've been advised to use security questions and it didn't work well at first. Using a small number of questions is a short time solution. I could see humans (I can tell based on the response time filling the form) registering many times and then the bots again at full speed. In some cases, using questions that are related to the forum itself can help. Unfortunately, it's not my case.

So, I'm trying a new approach and I'm posting it here in case someone else can benefit from it or help me refine it.
My plan is to use a large number of questions that are almost stupid, even the kind of question that a bot could solve, but make them in many different variations. This way, it would require a LOT of human interaction to create a bot able to answer them automatically.

For example: I created random sets of 10 letters and about 20 different questions of the type "what's the first vowel?", "how many vowels", "what's the last letter?" Even the way the text is composed varies: "what's the first uppercase letter? --> tTyhvBjhGhG" or "what's the first uppercase letter? ****tTyhvBjhGhG****" This way, even when the question can be easily identified, using different patterns and random lengths makes the analysis almost impossible of a simple script. It requires a long time of analysis and a complex script.

I created the first set with an Excel spreadsheet, 500 questions and 19 different patterns. I had almost 50 at first but it got complicated for questions that were impossible to answer for a randomly created set, like what's the letter after the A? when there's no A. So, I kept the 19 that work for any set of letters.
I'm thinking about doing it with a script, to make it easy to replace all the questions with one click as part of the maintenance of the forum.
I'll see if I can convert the Excel worksheet to a Google one, in case someone is interested. It's easy to use, the only thing that can't be done from there is the import in the database. That's why I think a PHP script would be better.

So, far, it's working.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 57,221
  • Gender: Male
    • Kindred-999 on GitHub
Re: Security questions
« Reply #1 on: November 03, 2018, 03:06:48 PM »
I have 30 questions, asking 2 during registration.
I change the question set once a year.

I have no had a single bot spammer in 3 years.

You do want to make it easy enough for USERS...   all of my questions are related to the forum topic.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.