Large uptick in spam account registrations recently (General)

by WorldofBB, Saturday, November 03, 2018, 22:55 (42 days ago)

Not sure if it's just me - but in the past few weeks I've been getting several spam account registrations per day. I have all of the spam protections enabled and I'm using the latest version. The captchas available are fairly useless and none of the options make any difference one way or the other.

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.

Any suggestions?

Bots or humans?

by Alfie ⌂ @, Vienna, Austria, Sunday, November 04, 2018, 00:35 (42 days ago) @ WorldofBB
edited by Alfie, Sunday, November 04, 2018, 18:22

Hi!

Not sure if it's just me - but in the past few weeks I've been getting several spam account registrations per day.

Not only you. 10–20 / day for years… Are you talking about registrations (without activation) or “true” spammers? The former ones should be deleted within 24 hours anyway.

The captchas available are fairly useless and none of the options make any difference one way or the other.

Agree. I had an “improved” version of the math-captcha (where the numbers to add are given as words) for ages. Useless. I’m timing how long it takes to fill in the registration form (from GET to POST). I removed it.
With captcha: x̃ 3.54 ms (2.04–8.70)
Without: x̃ 3.35 ms (0.55–7.51)
Lesson learned: It takes bots just a fraction of a millisecond to break the captcha.

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.

What about accessibility and Google’s questionable data protection?

Any suggestions?

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register. I’m considering to throw a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters I have now (query a recent local copy of StopForumSpam’s banned IPs, query remotely SFS and BotScout).

--
Best regards,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)

Bots or humans?

by WorldofBB, Sunday, November 04, 2018, 16:32 (41 days ago) @ Alfie

Not only you. 10–20 / day for years… Are you talking about registrations (without activation) or “true” spammers? The former ones should be deleted within 24 hours anyway.

Well, I have been deleting them all pretty quickly - but they are probably bots. I didn't realize that unactivated accounts are automatically deleted after 24 hours. If that's true then I will leave them and see if they actually get activated or not. If not, then problem solved!

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.


What about accessibility and Google’s questionable data protection?

Well, all captchas are going to inevitably be harder for accessibility visitors to deal with - but reCAPTCHA is better than most. For people who log into a google account they usually get authenticated without any intervention at all. As for data protection - I suppose it could be an issue for some - but considering how pervasive google is on the web along with how many websites already use google analytics and google ads - I'm not sure reCAPTCHA is contributing much difference one way or the other in the grand scheme of things. But considering how much better it is than other options it would be nice to at least have the option to use it for those that feel the tradeoffs are worthwhile.

Any suggestions?


According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register. I’m considering to throw a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters I have now (query a recent local copy of StopForumSpam’s banned IPs, query remotely SFS and BotScout).

In the past I used ZB-Block from spambotsecurity, which worked perfectly for years. The original author stopped supporting it a while back - but its development has been picked up by someone else, so while it's a bit of a kludge to configure at first, it is definitely the best protection against spam I've ever used.

https://www.stopforumspam.com/forum/viewtopic.php?id=7161
http://zb-block.net/zbf/index.php

Bots or humans?

by Auge ⌂ @, Sunday, November 04, 2018, 17:36 (41 days ago) @ WorldofBB

Hello

What about accessibility and Google’s questionable data protection?


… As for data protection - I suppose it could be an issue for some - but considering how pervasive google is on the web along with how many websites already use google analytics and google ads - I'm not sure reCAPTCHA is contributing much difference one way or the other in the grand scheme of things.

I think you are right, the range of the data collection of ReCaptcha is much smaller than of Google Analytics, Google's font and code hosting and so on. But in the first place I think we should not support the data collection at all, when we are able to prevent it.

In the past I used ZB-Block from spambotsecurity, which worked perfectly for years. The original author stopped supporting it a while back - but its development has been picked up by someone else, so while it's a bit of a kludge to configure at first, it is definitely the best protection against spam I've ever used.

As far as I know, Alfie used ZBBlock himself for several years. He will know, what you are talking about. :-)

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Bots or humans?

by Alfie ⌂ @, Vienna, Austria, Sunday, November 04, 2018, 18:11 (41 days ago) @ WorldofBB
edited by Alfie, Monday, November 05, 2018, 01:20

Hi,

Well, I have been deleting them all pretty quickly - but they are probably bots. I didn't realize tha unactivated accounts are automatically deleted after 24 hours. If that's true then I will leave them and see if they actually get activated or not. If not, then problem solved!

Note that I’m using a heavily modified mlf 1.8beta – not 2.x. In my register.php (just after requiring the captcha) there is a line:

# remove not activated user accounts:
@mysql_query("DELETE FROM ".$db_settings['userdata_table']." WHERE registered < (NOW() - INTERVAL 24 HOUR) AND activate_code != '' AND logins=0", $connid);

That comes in handy. Every time the script is called, not activated accounts are deleted. The more bots try to register, the faster. If less, it may take longer than 24 hours, of course.

Well, all captchas are going to inevitably be harder for accessibility visitors to deal with […]

Agree with Auge.

In the past I used ZB-Block from spambotsecurity, which worked perfectly for years.

So did I. Had to switch it off cause I changed my site to TLS and I couldn’t get it working (was locked out myself)…

The original author stopped supporting it awhile back - but it's development has been picked up by someone else …

I saw this thread at the SFS-forum and considered it as well. Was wary to give it a try (operation on the open heart).

… so while it's a bit of a kludge to configure at first it is definitely the best protection against spam I've ever used.

Past tense? Don’t you use it any more? If yes, why?

More comments in a reply to Auge.

--
Best regards,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)

Bots or humans?

by Auge ⌂ @, Sunday, November 04, 2018, 17:28 (41 days ago) @ Alfie

Hello

@Alfie: As first, thank you for your IMHO clear and understandable description of the situation.

Now @all:

Are you talking about registrations (without activation) or “true” spammers? The former ones should be deleted within 24 hours anyway.

There is a second "or". Beside the never activated registrations [1] and the registrations of "real" or "true" spammers, who activate the account within seconds or minutes and start with their first postings [2], there is a third group of registrations that get activated but stay silent for weeks or months without a further login.

One as a forum operator is not able to distinguish between a silent reader or lurker of the forum's content and a spammer who hits the forum after a significant amount of time after the registration. In the second case it happens often with several to hundreds of entries within a few minutes [3] and one will only know then that this is a spammer.

The captchas available are fairly useless …


Agree. I had an “improved” version of the math-captcha (where the numbers to add are given as words) for ages. Useless.

Alfie discussed this with Milo and me in a Github pull request before. We came to the same conclusion (I hope, I'm speaking for all of us here). Captchas are useless and/or inaccessible in several cases.

Lesson learned: It takes bots just a fraction of a millisecond to break the captcha.

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register. I’m considering to throw a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters

That seems to be an adequate replacement for the not working checks but I see one problem with (only) it. Forum operators without "our knowledge" will ask why captchas got removed and will demand the reimplementation of captchas and further actions. While there is no enjoyment in explaining the uselessness of captchas again and again, I would not count alone on timing checks but …

I have now (query a recent local copy of StopForumSpam’s banned IPs, query remotely SFS and BotScout).

… find it useful to side the action with further procedures like checks against local copies of lists of banned IPs and e-mail-addresses from providers like Stop Forum Spam. Problem here may be forum hosters, who forbid script-based requests to other, foreign servers.

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.


What about accessibility and Google’s questionable data protection?

There is by design no data protection within a Google service because data is the currency we have to give for Google's services. And in the case of a ReCaptcha on a forums page it is not the decision of the visitor to give her/his own personal data, it is our decision as developers and forum operators to force our visitors to give the data to use our sites and forums or not to use our sites and forums.

That's IMHO a no-go as subject of the jurisdiction of the EU and the GDPR [4]. We developers are subjects of the EU jurisdiction because we live in the EU and IMHO we should respect the GDPR, which also makes the data of users living outside the EU a bit safer as a welcome side effect.

And as the third point, not named by Alfie, there might be further comparable services. There might be lawful barriers for Google's services in several countries. Implementing the service of A, which might not be accessible in every case, is crap in itself, and contributing to A's monopoly while impeding service providers B and C from participation is not a good decision at all.

To come back to Alfie's argumentation, none of the captchas (Google's or others) is known to be accessible for all people using the internet. I strongly encourage us to take accessibility into account for the further development. ReCaptcha (or whatever else) would be IMHO a step in the opposite direction.

Tschö, Auge

[1]: Normally accounts can't get activated because of a not existing e-mail-address.
[2]: In this forum the spammers start often with two entries. Often they never come back after these two entries.
[3]: Alfie and I were able to observe such an attack with around 300 entries in 30 minutes a few years ago.
[4]: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service. (Article 7(4)) (from Wikipedia: GDPR, section "Lawful basis for processing")

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Bots or humans?

by Alfie ⌂ @, Vienna, Austria, Monday, November 05, 2018, 01:07 (41 days ago) @ Auge
edited by Alfie, Monday, November 05, 2018, 12:25

Hi Auge & all,

@Alfie: As first, thank you for your IMHO clear and understandable description of the situation.

Welcome!

One as a forum operator is not able to distinguish between a silent reader or lurker of the forum's content and a spammer who hits the forum after a significant amount of time after the registration. In the second case it happens often with several to hundreds of entries within a few minutes [3] and one will only know then that this is a spammer.

For your last case I would say one will know that this is a bot. As you noted [3] happened to me once in 14 years and was the reason to opt for ZBBlock.

[Edit]
Insight of the last ten years:

[image]

I had 1.2 registrations / day. In September 2012 I faced a wave of “fake-accounts” (16 / day) and installed ZBBlock in November 2012 which brought the number of registrations back to 1.2 / day.
In February to May 2017 a wave ZBBlock couldn’t handle (11 / day). After that better (2.4 / day) but twice of what I had before. The circles are true spammers.

Since June this year:

[image]

In mid July I changed to TLS and had to deactivate ZBBlock which increased the rate to 8 / day. On 19 October I implemented my AlGore rhythm
  regex for known spammer names (I keep a local file) →
  local copy of SFS’s bannedips.csv →
  remote query of SFS (IP) →
  remote query of BotScout (e-mail),
where “→” means that if no match is found, proceed to the next step.
This brought the rate down to 0.9 / day. Note that I don’t have the time limit of fast registrations in place yet. I expect that it will bring the rate down to zero.
The one true spammer I had on 27 October was reported to SFS’s data base ten minutes after the registration in my forum and still is not in BotScout’s data base. Can happen, of course.
[/Edit]

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register.

I had 71 spam posts this year from 13 (mis)users. I’m pretty sure they were human because

  • it took them 1–2 minutes to register,
  • posts were made 1–7 minutes apart, and
  • posts of the same spammers were similar but not identical (looks like copypasted from somewhere).

One posted even in different categories. IMHO, no bot would do that.

I’m considering to throw a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters


That seems to be an adequate replacement for the not working checks but I see one problem with (only) it. Forum operators without "our knowledge" will ask why captchas got removed and will demand the reimplementation of captchas …

Well, we could keep it. Doesn’t hurt. Only an annoyance for legit users. If an operator had it in the past, his|her|its users were used to it.

… and further actions.

What else?

While there is no enjoyment in explaining the uselessness of captchas again and again, I would not count alone on timing checks but find it useful to side the action with further procedures like checks against local copies of lists of banned IPs and e-mail-addresses from providers like Stop Forum Spam.

In mlf2.x we have the option to query SFS. OK, why not, though given what I observed in the last month I would say it’s a waste of time.

Problem here may be forum hosters, who forbid script-based requests to other, foreign servers.

I see. But: AFAIK, here we never got a complaint in this respect of forum maintainers.

Why not keep everything as it is and add an option “block speedy registration” to the forum settings?

Too lazy to look up the mlf2.x script. In my register.php after the line which deletes inactive accounts:

  $time_start = microtime(true);

and before SFS and any other anti-spam measures:

  $time_end = microtime(true);

Finally just before the new user will be accepted (inserted to the data base, activation e-mail sent, etc):

  if ($time_end - $time_start <= 1)  // microtime(true) returns seconds as a float, so compare against 1 second
    exit(header("HTTP/1.0 403 Forbidden"));

BTW, I made a strange observation. With this header I got either the browser’s default “Access denied” page (Chrome, Opera, IE/Edge)* or an empty page (FireFox, Safari, SeaMonkey). OK, bots don’t care and go somewhere else but I don’t understand why I don’t get this error page though in my .htaccess I have

ErrorDocument 403 /hterror/403_forbidden.html

Other error-directives are observed. This one

  exit(header("Location: https://forum.bebac.at/hterror/403_forbidden.html", TRUE, 403));

doesn’t help. I don’t get it.

Try it in your preferred browser:

––
* Actually the source is also empty. Do the others have no “internal” 403-page?

--
Best regards,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)
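An added example, not mlf's own code and not Alfie's, of the "block speedy registration" check written so that it measures the interval between the GET that shows the form and the POST that submits it: the form-issue time travels in a signed hidden field, and microtime(true) is compared in seconds. The names reg_token_issue, reg_token_elapsed, reg_timing_verdict, REG_TOKEN_SECRET, the hidden field reg_token and the thresholds are assumptions; the 403 page path is the one named in the thread, and register.php is assumed to sit in the document root.

```php
<?php
// Added example, not mlf's or Alfie's code. Timing check that spans the GET -> POST
// round trip: the form-issue time is carried in a signed hidden field.
const REG_TOKEN_SECRET = 'ASSUMPTION: long random secret kept in the forum config';
const MIN_FILL_SECONDS = 1.0;    // faster than this is treated as a bot
const MAX_FILL_SECONDS = 3600.0; // older than this the token is stale: show the form again

// GET: build the token for <input type="hidden" name="reg_token" value="...">.
function reg_token_issue(?float $now = null): string {
    $ts  = sprintf('%.3F', $now ?? microtime(true)); // microtime(true) is SECONDS as a float
    $mac = hash_hmac('sha256', $ts, REG_TOKEN_SECRET);
    return $ts . ':' . $mac;
}

// POST: check the signature and return the elapsed seconds, or null if the token is forged.
function reg_token_elapsed(string $token, ?float $now = null): ?float {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) return null;
    [$ts, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $ts, REG_TOKEN_SECRET), $mac)) return null;
    return ($now ?? microtime(true)) - (float) $ts;
}

function reg_timing_verdict(?float $elapsed): string {
    if ($elapsed === null || $elapsed < 0) return 'invalid'; // missing, forged or future-dated
    if ($elapsed < MIN_FILL_SECONDS) return 'too_fast';
    if ($elapsed > MAX_FILL_SECONDS) return 'stale';
    return 'ok';
}

// Apache's ErrorDocument only replaces errors Apache raises itself, not a status set by
// a script, so the custom 403 page is sent as the response body here.
function reg_reject_forbidden(string $errorPage): void {
    http_response_code(403);
    header('Content-Type: text/html; charset=utf-8');
    if (is_readable($errorPage)) readfile($errorPage);
    exit;
}

if (PHP_SAPI === 'cli') { // self-check when run from the command line
    $t = reg_token_issue(1000.0);
    echo reg_timing_verdict(reg_token_elapsed($t, 1000.2)), "\n"; // too_fast
    echo reg_timing_verdict(reg_token_elapsed($t, 1065.0)), "\n"; // ok
    echo reg_timing_verdict(reg_token_elapsed('1000.000:bad', 1065.0)), "\n"; // invalid
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { // in register.php, before SFS/BotScout and the INSERT
    if (reg_timing_verdict(reg_token_elapsed($_POST['reg_token'] ?? '')) !== 'ok') {
        reg_reject_forbidden(__DIR__ . '/hterror/403_forbidden.html'); // path from the thread; ASSUMES document root
    }
}
```

A token that is fetched once, held for a second and then submitted repeatedly is not caught by the elapsed-time check alone; MAX_FILL_SECONDS bounds that window, and a single-use token stored server-side would close it.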
