JWPlatt wrote: There are currently about five spambot registrations per day. I assume with that few many might be failing CAPTCHA. I do have it turned up to be harder from the default. Far fewer registrations get successfully validated which I assume to mean most don't use good email addresses, or at least don't do a good job of using the validation emails, or validation emails get flagged as spam somewhere and aren't delivered (one hopes for poetic justice).
I dunno JW. My server logs show between 3 and 6 attempted spambot registrations every day - how many bot visits you get may depend on how many other sites link to you, but I suspect the CAPTCHA isn't stopping very many. Before I modded my forum registration page, at least some were getting through with the CAPTCHA X and Y noise turned up to around 9. I'm now back at 19, and no spambots are managing to register. Some bots realise their registration didn't take and give up right away, others blindly continue trying to post. If they think they've registered, then those IPs keep reappearing in my logs.
By checking the server logs (bots are easy to spot because of certain characteristics in their behaviour), I can find the hosting services that are persistent offenders (KeyWeb aka KeyMachine aka Internet Service Team, Dragonara Alliance, Limit SureHost, VDHost, Panama Server, etc.) and block them at the site level - this has the effect of reducing the spurious traffic and the load on the server. Even then it's amazing how many bots are too stupid to understand 403 "Denied".
Another thing I see in the logs is attempts by various IPs (again mostly hosting services) to run cross-site scripting exploits. I've also had a couple of nuisance registrations on my wiki, not spam, just gibberish postings, but that was before I turned on the e-mail validation. I haven't needed to do any more than that so far.
Given the recent problems that GoMa had with their site being hacked, I'd strongly advocate against moving towards shared authorisation between applications (forum, wiki, mantis) as an exploit of one could expose admin credentials for all the others. It's not that big a pain to have separate logins as we do just now.
Sorry, this has kind of drifted into a general discussion on website security.
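The log-checking routine described in the post above (spotting bots by their behaviour, such as repeated registration POSTs and blindly retrying after a 403, then blocking the offending hosting provider at the site level) can be automated. The script below is an added example, not the poster's own tooling. It assumes the common "combined" access-log format (Apache/nginx style), uses constructed log lines, and maps flagged IPs to hypothetical placeholder netblocks rather than to any of the providers named in the post.

```python
"""Added example (not from the original thread): flag likely spambot
registration attempts in a combined-format access log and list the
known-hosting netblocks that are candidates for a site-level deny."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed log format: Apache/nginx "combined". Adjust the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one host hammers the registration form, one keeps retrying
# after being denied, and one ordinary user registers normally.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
203.0.113.10 - - [01/Jan/2024:10:00:04 +0000] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "POST /forum/ucp.php?mode=register HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:05:01 +0000] "POST /forum/posting.php?mode=post HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:05:02 +0000] "POST /forum/posting.php?mode=post HTTP/1.1" 403 210 "-" "-"
192.0.2.55 - - [01/Jan/2024:10:10:00 +0000] "GET /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "https://example.org/forum/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [01/Jan/2024:10:10:40 +0000] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 4100 "https://example.org/forum/ucp.php?mode=register" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Hypothetical placeholder netblocks standing in for hosting providers you have
# already identified as persistent offenders (documentation ranges, not real hosts).
KNOWN_HOSTING_BLOCKS = {
    "example-hoster-a": [ip_network("203.0.113.0/24")],
    "example-hoster-b": [ip_network("198.51.100.0/24")],
}


def parse_log(text):
    """Yield a dict per line that matches the combined format; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def hosting_provider(ip):
    """Return the label of the known netblock containing ip, or None."""
    addr = ip_address(ip)
    for name, nets in KNOWN_HOSTING_BLOCKS.items():
        if any(addr in n for n in nets):
            return name
    return None


def classify(text, post_threshold=3):
    """Per IP, tally the behavioural tells and return a verdict with reasons."""
    per_ip = defaultdict(lambda: {"register_posts": 0, "denied": 0,
                                  "no_referer": 0, "no_ua": 0, "total": 0})
    for r in parse_log(text):
        s = per_ip[r["ip"]]
        s["total"] += 1
        if r["method"] == "POST" and "mode=register" in r["path"]:
            s["register_posts"] += 1
        if r["status"] == "403":
            s["denied"] += 1          # still hitting the site after a 403
        if r["referer"] == "-":
            s["no_referer"] += 1      # browsers normally send one from the form page
        if r["ua"] in ("-", ""):
            s["no_ua"] += 1
    verdicts = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["register_posts"] >= post_threshold:
            reasons.append("repeated registration POSTs")
        if s["denied"] >= 2:
            reasons.append("keeps retrying after 403")
        if s["no_referer"] == s["total"]:
            reasons.append("never sends a Referer")
        if s["no_ua"] == s["total"]:
            reasons.append("no User-Agent")
        verdicts[ip] = {"bot": bool(reasons), "reasons": reasons,
                        "provider": hosting_provider(ip)}
    return verdicts


def suggested_denies(verdicts):
    """Netblocks of flagged IPs that sit inside a known hosting provider."""
    blocks = set()
    for ip, v in verdicts.items():
        if v["bot"] and v["provider"]:
            for n in KNOWN_HOSTING_BLOCKS[v["provider"]]:
                if ip_address(ip) in n:
                    blocks.add(str(n))
    return sorted(blocks)


if __name__ == "__main__":
    verdicts = classify(SAMPLE_LOG)
    for ip, v in verdicts.items():
        print(ip, "BOT" if v["bot"] else "ok", v["reasons"], v["provider"])
    print("candidate site-level denies:", suggested_denies(verdicts))
```

The thresholds (three registration POSTs, two retries after a 403) are starting points; tune them against your own logs, and treat the netblock list as something you maintain by hand from repeat offenders rather than anything derived automatically, so a single flagged address never blocks a whole provider on its own.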