OpenUru.org

Posted: **Thu Feb 26, 2009 4:04 pm**

Most spambot registration attempts are coming from gmail.com and mail.ru. These domains will almost certainly be banned soon. This will only prevent new registrations from these domains. Existing accounts will still have access. New accounts will need to use "real" (not free) email accounts. If spambots surge into other free services like hotmail, it will go as well. In a related matter, new registrations which are not validated have one week to live before they are summarily deleted.

As these problems get worse, our freedoms are diminished by the need for security. What a shame.

This topic has been left open for head-shaking and finger-wagging.

Posted: **Thu Feb 26, 2009 4:58 pm**

I would just like to point out that some people, like myself, do not have any other e-mail besides a web based e-mail. I understand why this will be happening but i just wanted to make you aware of this.

Posted: **Thu Feb 26, 2009 5:08 pm**

Exceptions can be made. If gmail.com or mail.ru is a new registrant's only gateway to email, they should email Webmaster@OpenURU.org to preregister their address.

Posted: **Fri Feb 27, 2009 1:24 am**

Uh, you're seriously going to ban gmail.com?

Posted: **Fri Feb 27, 2009 3:05 am**

Why not ban gmail.com. I personally get very little spam, but of what there is; 90% of it comes from gmail accounts. I'm thinking that the hive mind thinks that if it's gmail; it must be legitimate.

Posted: **Fri Feb 27, 2009 11:35 am**

Maybe we should compare notes JW

- I take a slightly different approach, as I don't bother trying to ban e-mail addresses. I go back to the IP addresses, and generally find that the spambots tend to originate from particular clusters of IPs. Many of these you can "whois" and find that these are actually assigned to hosting services. Since there is no reason that another host should be trying access my website, I just block access to the entire site for the range of IPs assigned to the hosting service (can either use httpd.conf or .htaccess for this). Some people have taken the approach of banning all .ru and .cn TLDs on the basis that "no real user ever registers from Russia or China" - unfortunately I do have real users from China, and Russia is also possible although there are none at present.

I've also modded my forums to prevent spambot registrations (100% successful so far, and I've now reduced the settings on the CAPTCHA as a result), but I know you're not keen on going away from stock phpBB. I tried to do that too, but I found that even with the CAPTCHA turned up to "almost impossible to read" levels, my forum picked up spam registrations within 10 minutes of going live

.

I have a list of over 600 spambot IPs now, collected in a little over a year. I am perfectly happy to share this info.

Posted: **Sun Mar 01, 2009 4:48 am**

Recaptcha?

Posted: **Sun Mar 01, 2009 1:01 pm**

We're going a bit off-topic now, but I'd be interested to hear from anyone who's integrated reCAPTCHA with phpBB3. I use reCAPTCHA to "secure" a custom form against what I'd call "opportunistic bots" (that just blindly fill fields whenever they find the <form> tags in a page, in the hope that it'll go somewhere), but I have my doubts about any of the popular visual CAPTCHAs used in combination with popular software like phpBB: It's just too easy a target. These are comments I posted on the GoMa site on this subject - Sorry it's a bit lengthy but I think it's worth repeating:

Yeah, unfortunately CAPTCHAs aren't really that good a defence against forum spammers.

The older CAPTCHA's (such as came with phpBB 2) have long since been readable by Bots. While the newer CAPTCHAs are presently proving reasonably effective against SpamBots, it's only going to be a short matter of time before the Bot OCR technology catches up. And you also have to look at how some spammers operate (Warning! long monologue begins)...

I had a forum that was being heavily hit by spam registrations (back in phpBB 2) days, mainly from China or Russia, despite having a CAPTCHA active on the registration page (BTW, in case anyone doesn't know: CAPTCHA = Completely Automated Public Turing Test To Tell Computers and Humans Apart). I assumed at the time, that the CAPTCHA image was being OCR'ed by the spambot software, and this was probably true, but more on that later. I found some phpBB patches on offer at the time that claimed to block SpamBot registrations but I think these had themselves aleady been largely circumvented by the Bots as they turned out to be quite limited in effect, and only reduced the number of registrations rather than stopping them altogether.

In searching for a truly effective solution, I discovered some disturbing facts: I had made an assumption that only bots would be doing this as the number of posts which actually generate revenue for the spammer's clients had to be such a tiny fraction of the total number of spam posts, that human involvement seemed inconceivable. This was obviously a "Western View" and I hadn't considered that in some Asian areas labour is so cheap that it is economical to employ gangs of people to solve CAPTCHAs - They do just that: They don't fill in the whole registration form (the bot does that), they just get the CAPTCHA image relayed onto their screen, for them to type in the answer, so one person can literally get through hundreds per hour.

Worse [#1], consider that once an image has been "solved" by a human operator, it can now be stored in a database. If that same image appears again on some other form, it can be answered directly by the bot. Otherwise back to the human operator.

Worse [#2]: How does the spammer reduce his costs further and get the human effort for free? Easy, as it turns out. Let's say the spammer also operates some legitimate websites, say a social networking site, a web-chat service, etc. - anything that generates lots of traffic and that uses web forms (i.e. the kinds of places where you might want to use a CAPTCHA). So what Mr Spammer does is to take the CAPTCHA images picked up by the bots and present them to the users of his "legitimate" site, so his users unwittingly solve his puzzles for him and he pays no-one. In fact his users probably pay him !

Of course, this kind of technique can be put to good use too. Anyone seen a reCAPTCHA? That's where you get two CAPTCHAs side by side and you have to supply two responses. This is part of Carnegie Mellon University's work in digitizing books: One of the images you see is a "real" CAPTCHA test the other is "work" - The first validates that you're capable of supplying a good answer, the second is a word that the OCR of a book failed to recognise with the image modified to look like a CAPTCHA. If you answer the test correctly then the response you give for the "work" is added as a probable solution for the problem word. Once they get a number of convergent replies for that word, then it is taken as a solution, and the image is removed from the reCAPTCHA database.

Anyway, where I ended up (and I know others have come to the same conclusion) is that the only reasonably reliable solution is not to use anyone else's - If something looks like a good solution, and lots of people start using it, then that fix itself becomes a target for the SpamBot, and it will, in time, be compromised. You have to make your site unique, so that the effort of coding a workround isn't worth it. So, adding a question to the registration form is good, even a very simple one, provided that the form field name is something unusual (so that a bot won't recognise it for what it is), and that the answer isn't a simple Yes/No (50% chance of guessing right). I'd also recommend against numerical questions like "What is 6 x 7?" as these aren't really that difficult for a bot to read. And you also have to be sure that a legitimate user can't give the wrong answer by mistake: "What is the capital of Australia?" will get lots of "Sydney" instead of "Canberra" answers

End of monologue. Sorry, you can probably tell it's something I've spent some time on

Posted: **Sun Mar 01, 2009 7:05 pm**

I've had the thought to alter the code to accept just one password on the CAPTCHA form regardless of the image presented. The instructions at the text box would be altered to say "Type 'human' here instead of the code you see." Spambots use the CAPTCHA image while real people type "human". I guess that wouldn't work on the human slave labor.

Posted: **Sun Mar 01, 2009 9:02 pm**

Instead of banning domains or CAPTCHA, I've seen another tactic that seems to work. The first two posts by a new user must be approved. this would still allow the spam bots to sign up, but this way anything that comes from a spam bot will be in a nice queue ready to be deleted. Rather than having to go around finding them. No matter what methods people try to get rid of spam bots they always find a way around the automatic filters.

OpenUru.org

Spambot Email Domains May Be Banned

Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned

Re: Spambot Email Domains May Be Banned