
Security questions

Started by gkawa, November 03, 2018, 02:50:20 PM


gkawa

Hi there

I've inherited a forum using SMF and recently I moved it to a new hosting and updated it to the last SMF version. Since then, the site has been under spam attack. Nothing big, just annoying. I changed the registration procedure to admin approval and kept an eye on it. I've been advised to use security questions and it didn't work well at first. Using a small number of questions is a short-term solution. I could see humans (I can tell based on the response time filling the form) registering many times and then the bots again at full speed. In some cases, using questions that are related to the forum itself can help. Unfortunately, it's not my case.

So, I'm trying a new approach and I'm posting it here in case someone else can benefit from it or help me refine it.
My plan is to use a large number of questions that are almost stupid, even the kind of question that a bot could solve, but make them in many different variations. This way, it would require a LOT of human interaction to create a bot able to answer them automatically.

For example: I created random sets of 10 letters and about 20 different questions of the type "what's the first vowel?", "how many vowels?", "what's the last letter?" Even the way the text is composed varies: "what's the first uppercase letter? --> tTyhvBjhGhG" or "what's the first uppercase letter? ****tTyhvBjhGhG****". This way, even when the question can be easily identified, using different patterns and random lengths makes the analysis almost impossible for a simple script. It requires a long time of analysis and a complex script.

I created the first set with an Excel spreadsheet, 500 questions and 19 different patterns. I had almost 50 at first, but it got complicated for questions that were impossible to answer for a randomly created set, like "what's the letter after the A?" when there's no A. So, I kept the 19 that work for any set of letters.
I'm thinking about doing it with a script, to make it easy to replace all the questions with one click as part of the maintenance of the forum.
I'll see if I can convert the Excel worksheet to a Google one, in case someone is interested. It's easy to use, the only thing that can't be done from there is the import in the database. That's why I think a PHP script would be better.

So far, it's working.
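An added example, not gkawa's spreadsheet or any SMF script, showing the generator idea in Python: a random letter set of random length, a pool of question patterns restricted to ones that have an answer for any letter set (so nothing like "the letter after A"), and several layouts that wrap the same question differently. The pattern and layout lists are constructed here for illustration; importing the result into the forum database is left to the admin.

```python
import random
import string

# Constructed patterns (not the poster's 19). Each solver must return a
# non-empty answer for ANY letter set, which is the property checked below.
PATTERNS = {
    "How many vowels are in the letters?": lambda s: str(sum(c.lower() in "aeiou" for c in s)),
    "How many uppercase letters are there?": lambda s: str(sum(c.isupper() for c in s)),
    "How many letters are there in total?": lambda s: str(len(s)),
    "What is the first letter?": lambda s: s[0],
    "What is the third letter?": lambda s: s[2],
    "What is the last letter?": lambda s: s[-1],
}

# Constructed layouts: the same question is presented in varying surroundings
# so a script cannot rely on one fixed position of the letter set.
LAYOUTS = [
    "{q} --> {s}",
    "{q} ****{s}****",
    "{s} <-- {q}",
    "Letters: {s}. {q}",
    "[ {s} ] {q}",
]

def make_letters(rng, min_len=8, max_len=14):
    """Random mixed-case letter set; min_len >= 3 keeps every pattern answerable."""
    return "".join(rng.choice(string.ascii_letters) for _ in range(rng.randint(min_len, max_len)))

def make_question(rng):
    """Return one (question_text, expected_answer) pair."""
    letters = make_letters(rng)
    question, solver = rng.choice(sorted(PATTERNS.items()))
    layout = rng.choice(LAYOUTS)
    return layout.format(q=question, s=letters), solver(letters)

def make_question_set(count, seed=None):
    """Generate a reproducible batch, e.g. for a yearly replacement of all questions."""
    rng = random.Random(seed)
    return [make_question(rng) for _ in range(count)]

def check_always_answerable(trials=2000, seed=0):
    """Property check: every pattern yields a non-empty answer on random sets."""
    rng = random.Random(seed)
    return all(solver(make_letters(rng)) for _ in range(trials) for solver in PATTERNS.values())

if __name__ == "__main__":
    assert check_always_answerable()
    for text, answer in make_question_set(5, seed=42):
        print(f"{text!r} -> {answer}")
```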

Kindred

I have 30 questions, asking 2 during registration.
I change the question set once a year.

I have not had a single bot spammer in 3 years.

You do want to make it easy enough for USERS...   all of my questions are related to the forum topic.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

-Rock Lee-

He used mail activation together with 2 questions of 8 that I have had almost since he created the site. With the simple captcha (if I take it out, they invade me) and an option is mandatory to choose at the time of registration. I have not had almost any spammers; now 1 or 2 have registered, but I guess it's a human registering them. Another option, though I'm not a fan of it, is blocking via .htaccess an IP range, for example 5.234.89.xx (note the first 3 groups of numbers were the same, only the last one changes), that you noticed were the spammers.


Regards!
Returning like a Phoenix! ~ Bomber Code
Help - Contributions - Tutorials - And much more!!!

landyvlad

I changed my questions a few months back. Have 15 questions (answer two) + simple captcha.
I am being invaded by spammers recently, though they do generally get caught in the 'awaiting approval queue' by one of the forum mods (httpBL or StopSpammer, I can't recall which). But even deleting them there is tiresome.


Quote from: Rock Lee on November 16, 2018, 02:03:44 PM
He used mail activation together with 2 questions of 8 that I have almost since he created the site. With the simple captcha (if I take it out they invade me) and an option is mandatory to choose at the time of registration.

What do you mean by "and an option is mandatory to choose at the time of registration" ?
"Put as much effort into your question as you'd expect someone to give in an answer"

Please do not PM, IM or Email me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

Be the person your dog thinks you are.
