Large uptick in spam account registrations recently (General)

by WorldofBB, Saturday, November 03, 2018, 22:55 (1972 days ago)

Not sure if it's just me - but in the past few weeks I've been getting several spam account registrations per day. I have all of the spam protections enabled and I'm using the latest version. The captchas available are fairly useless and none of the options make any difference one way or the other.

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.

Any suggestions?

Bots or humans?

by Alfie ⌂, Vienna, Austria, Sunday, November 04, 2018, 00:35 (1972 days ago) @ WorldofBB
edited by Alfie, Sunday, November 04, 2018, 18:22

Hi!

Not sure if it's just me - but in the past few weeks I've been getting several spam account registrations per day.

Not only you. 10–20 / day for years… Are you talking about registrations (without activation) or “true” spammers? The former ones should be deleted within 24 hours anyway.

The captchas available are fairly useless and none of the options make any difference one way or the other.

Agree. I had an “improved” version of the math-captcha (where the numbers to add are given as words) for ages. Useless. I’m timing how long it takes to fill in the registration form (from GET to POST). I removed it.
With captcha: x̃ 3.54 ms (2.04–8.70)
Without: x̃ 3.35 ms (0.55–7.51)
Lesson learned: It takes bots just a fraction of a millisecond to break the captcha.

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.

What about accessibility and Google’s questionable data protection?

Any suggestions?

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register. I’m considering throwing a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters I have now (query a recent local copy of StopForumSpam’s banned IPs, query remotely SFS and BotScout).

--
Cheers,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)

Bots or humans?

by WorldofBB, Sunday, November 04, 2018, 16:32 (1971 days ago) @ Alfie

Not only you. 10–20 / day for years… Are you talking about registrations (without activation) or “true” spammers? The former ones should be deleted within 24 hours anyway.

Well, I have been deleting them all pretty quickly - but they are probably bots. I didn't realize that unactivated accounts are automatically deleted after 24 hours. If that's true then I will leave them and see if they actually get activated or not. If not, then problem solved!

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.


What about accessibility and Google’s questionable data protection?

Well, all captchas are going to inevitably be harder for accessibility visitors to deal with - but reCAPTCHA is better than most. For people who log into a Google account they usually get authenticated without any intervention at all. As for data protection - I suppose it could be an issue for some - but considering how pervasive Google is on the web along with how many websites already use Google Analytics and Google Ads - I'm not sure reCAPTCHA is contributing much difference one way or the other in the grand scheme of things. But considering how much better it is than other options it would be nice to at least have the option to use it for those that feel the tradeoffs are worthwhile.

Any suggestions?


According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register. I’m considering throwing a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters I have now (query a recent local copy of StopForumSpam’s banned IPs, query remotely SFS and BotScout).

In the past I used ZB-Block from spambotsecurity, which worked perfectly for years. The original author stopped supporting it a while back - but its development has been picked up by someone else, so while it's a bit of a kludge to configure at first it is definitely the best protection against spam I've ever used.

https://www.stopforumspam.com/forum/viewtopic.php?id=7161
http://zb-block.net/zbf/index.php

Bots or humans?

by Auge ⌂, Sunday, November 04, 2018, 17:36 (1971 days ago) @ WorldofBB

Hello

What about accessibility and Google’s questionable data protection?


… As for data protection - I suppose it could be an issue for some - but considering how pervasive Google is on the web along with how many websites already use Google Analytics and Google Ads - I'm not sure reCAPTCHA is contributing much difference one way or the other in the grand scheme of things.

I think you are right, the range of the data collection of ReCaptcha is much smaller than that of Google Analytics, Google's font and code hosting and so on. But in the first place I think we should not support the data collection at all, when we are able to prevent it.

In the past I used ZB-Block from spambotsecurity, which worked perfectly for years. The original author stopped supporting it a while back - but its development has been picked up by someone else, so while it's a bit of a kludge to configure at first it is definitely the best protection against spam I've ever used.

As far as I know, Alfie used ZBBlock himself for several years. He will know what you are talking about. :-)

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Bots or humans?

by Alfie ⌂, Vienna, Austria, Sunday, November 04, 2018, 18:11 (1971 days ago) @ WorldofBB
edited by Alfie, Sunday, February 10, 2019, 15:05

Hi,

Well, I have been deleting them all pretty quickly - but they are probably bots. I didn't realize that unactivated accounts are automatically deleted after 24 hours. If that's true then I will leave them and see if they actually get activated or not. If not, then problem solved!

Note that I’m using a heavily modified mlf 1.8beta – not 2.x. In my register.php (just after requiring the captcha) there is a line:

# remove not activated user accounts:
@mysql_query("DELETE FROM ".$db_settings['userdata_table']." WHERE registered < (NOW() - INTERVAL 24 HOUR) AND activate_code != '' AND logins=0", $connid);

That comes in handy. Every time the script is called, not activated accounts are deleted. The more bots try to register, the faster. If less, it may take longer than 24 hours, of course.

Well, all captchas are going to inevitably be harder for accessibility visitors to deal with […]

Agree with Auge.

In the past I used ZB-Block from spambotsecurity, which worked perfectly for years.

So did I. Had to switch it off because I changed my site to TLS and I couldn’t get it working (was locked out myself)…

The original author stopped supporting it a while back - but its development has been picked up by someone else …

I saw this thread at the SFS-forum and considered it as well. Was wary of giving it a try (operation on the open heart).

… so while it's a bit of a kludge to configure at first it is definitely the best protection against spam I've ever used.

Past tense? Don’t you use it any more? If yes, why?

More comments in a reply to Auge.

--
Cheers,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)

Bots or humans?

by Auge ⌂, Sunday, November 04, 2018, 17:28 (1971 days ago) @ Alfie

Hello

@Alfie: First of all, thank you for your IMHO clear and understandable description of the situation.

Now @all:

Are you talking about registrations (without activation) or “true” spammers? The former ones should be deleted within 24 hours anyway.

There is a second "or". Besides the never activated registrations [1] and the registrations of "real" or "true" spammers, who activate the account within seconds or minutes and start with their first postings [2], there is a third group of registrations that get activated but stay silent for weeks or months without a further login.

One as a forum operator is not able to distinguish between a silent reader or lurker of the forum's content and a spammer who hits the forum after a significant amount of time after the registration. In the second case it happens often with several to hundreds of entries within a few minutes [3] and one will only know then that this is a spammer.

The captchas available are fairly useless …


Agree. I had an “improved” version of the math-captcha (where the numbers to add are given as words) for ages. Useless.

Alfie discussed this with Milo and me in a Github pull request before. We came to the same conclusion (I hope, I'm speaking for all of us here). Captchas are useless and/or inaccessible in several cases.

Lesson learned: It takes bots just a fraction of a millisecond to break the captcha.

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register. I’m considering throwing a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters

That seems to be an adequate replacement for the not working checks but I see one problem with (only) it. Forum operators without "our knowledge" will ask why captchas got removed and will demand the reimplementation of captchas and further actions. While there is no enjoyment in explaining the uselessness of captchas again and again, I would not count alone on timing checks but …

I have now (query a recent local copy of StopForumSpam’s banned IPS, query remotely SFS and BotScout).

… find it useful to side the action with further procedures like checks against local copies of lists of banned IPs and e-mail addresses from providers like Stop Forum Spam. A problem here may be forum hosters who forbid script-based requests to other, foreign servers.

Would be great if reCAPTCHA was an option, as I find it to be one of the most effective ways to limit spam accounts these days.


What about accessibility and Google’s questionable data protection?

There is by design no data protection within a Google service because data is the currency we have to give for Google's services. And in the case of a ReCaptcha on a forums page it is not the decision of the visitor to give her/his own personal data, it is our decision as developers and forum operators to force our visitors to give the data to use our sites and forums or not to use our sites and forums.

That's IMHO a no-go as subject of the jurisdiction of the EU and the GDPR [4]. We developers are subjects of the EU jurisdiction because we live in the EU and IMHO we should respect the GDPR, which also makes the data of users living outside the EU a bit safer as a welcome side effect.

And as the third point, not named by Alfie, there might exist further comparable services. There might be legal barriers to Google's services in several countries. Implementing the service of A, which might not be accessible in every case, is crap in itself, and contributing to A's monopoly while impeding service providers B and C from participating is not a good decision at all.

To come back to Alfie's argumentation, none of the captchas (Google's or others) is known to be accessible for all people using the internet. I strongly encourage us to take accessibility into account for the further development. ReCaptcha (or whatever else) would be IMHO a step in the opposite direction.

Tschö, Auge

[1]: Normally accounts can't get activated because of a non-existent e-mail address.
[2]: In this forum the spammers often start with two entries. Often they never come back after these two entries.
[3]: Alfie and I were able to observe such an attack with around 300 entries in 30 minutes a few years ago.
[4]: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service. (Article 7(4)) (from Wikipedia: GDPR, section "Lawful basis for processing")

--
Trenne niemals Müll, denn er hat nur eine Silbe!

Bots or humans?

by Alfie ⌂, Vienna, Austria, Monday, November 05, 2018, 01:07 (1971 days ago) @ Auge
edited by Alfie, Monday, November 05, 2018, 12:25

Hi Auge & all,

@Alfie: As first, thank you for your IMHO clear and understandable description of the situation.

Welcome!

One as a forum operator is not able to distinguish between a silent reader or lurker of the forum's content and a spammer who hits the forum after a significant amount of time after the registration. In the second case it happens often with several to hundreds of entries within a few minutes [3] and one will only know then that this is a spammer.

For your last case I would say one will know that this is a bot. As you noted [3] happened to me once in 14 years and was the reason to opt for ZBBlock.

[Edit]
Insight of the last ten years:

[image]

I had 1.2 registrations / day. In September 2012 I faced a wave of “fake-accounts” (16 / day) and installed ZBBlock in November 2012 which brought the number of registrations back to 1.2 / day.
In February to May 2017 a wave ZBBlock couldn’t handle (11 / day). After that better (2.4 / day) but twice of what I had before. The circles are true spammers.

Since June this year:

[image]

In mid July I changed to TLS and had to deactivate ZBBlock which increased the rate to 8 / day. On 19 October I implemented my AlGore rhythm
  regex for known spammer names (I keep a local file) →
  local copy of SFS’s bannedips.csv →
  remote query of SFS (IP) →
  remote query of BotScout (e-mail),
where “→” means that if no match is found, proceed to the next step.
This brought the rate down to 0.9 / day. Note that I don’t have the time limit of fast registrations in place yet. I expect that it will bring the rate down to zero.
The one true spammer I had on 27 October was reported to SFS’s data base ten minutes after the registration in my forum and still is not in BotScout’s data base. Can happen, of course.
[/Edit]

According to my server-logs it takes humans (yep, and the true spammers as well) about one minute to register.

I had 71 spam posts this year from 13 (mis)users. I’m pretty sure they were human because

  • it took them 1–2 minutes to register,
  • posts were made 1–7 minutes apart, and
  • posts of the same spammers were similar but not identical (looks like copypasted from somewhere).

One posted even in different categories. IMHO, no bot would do that.

I’m considering throwing a nice

exit(header("HTTP/1.0 403 Forbidden"));

if the registration takes less than one second – and switch off all other filters


That seems to be an adequate replacement for the not working checks but I see one problem with (only) it. Forum operators without "our knowledge" will ask why captchas got removed and will demand the reimplementation of captchas …

Well, we could keep it. Doesn’t hurt. Only an annoyance for legit users. If an operator had it in the past, his|her|its users were used to it.

… and further actions.

What else?

While there is no enjoyment in explaining the uselessness of captchas again and again, I would not count alone on timing checks but find it useful to side the action with further procedures like checks against local copies of lists of banned IPs and e-mail-addresses from providers like Stop Forum Spam.

In mlf2.x we have the option to query SFS. OK, why not, though given what I observed in the last month I would say it’s a waste of time.

A problem here may be forum hosters who forbid script-based requests to other, foreign servers.

I see. But: AFAIK, here we never got a complaint in this respect of forum maintainers.

Why not keep everything as it is and add an option “block speedy registration” to the forum settings?

Too lazy to look up the mlf2.x script. In my register.php after the line which deletes inactive accounts:

  $time_start = microtime(true);

and before SFS and any other anti-spam measures:

  $time_end = microtime(true);

Finally just before the new user will be accepted (inserted to the data base, activation e-mail sent, etc):

  # microtime(true) returns seconds as a float, so "one second" is 1, not 1000000
  if ($time_end - $time_start <= 1)
    exit(header("HTTP/1.0 403 Forbidden"));

BTW, I made a strange observation. With this header I got either the browser’s default “Access denied” page (Chrome, Opera, IE/Edge)* or an empty page (Firefox, Safari, SeaMonkey). OK, bots don’t care and go somewhere else but I don’t understand why I don’t get this error page though in my .htaccess I have

ErrorDocument 403 /hterror/403_forbidden.html

Other error-directives are observed. This one

  exit(header("Location: https://forum.bebac.at/hterror/403_forbidden.html", TRUE, 403));

doesn’t help. I don’t get it.

Try it in your preferred browser:

––
* Actually the source is also empty. Do the others have no “internal” 403-page?

--
Cheers,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)
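The check chain described in this post (name regex → local bannedips.csv → remote queries, each step handing over to the next on no match) with the “block speedy registration” idea in front of it, as an added example for register.php; this is not mylittleforum’s or Alfie’s code. It measures the time from the GET that rendered the form to the POST that submits it by carrying the render timestamp in a signed hidden field, and it sends the 403 with a body of its own, which is the reason the ErrorDocument page does not appear for a script-set status. The file names, field names, secret and thresholds are assumptions.

```php
<?php
// Added example, not mylittleforum's own code: Alfie's ordered check chain
// ("→" = no match, proceed) with a GET-to-POST timing check in front of it.
// File names, form field names, secret and thresholds are assumptions.
declare(strict_types=1);

const MIN_FILL_SECONDS = 3;     // submitted faster than this: treated as a bot
const FORM_TOKEN_TTL   = 3600;  // render token older than this: stale, rejected
const TOKEN_SECRET     = 'replace-with-a-long-random-secret';  // placeholder

// Issued on GET and printed into a hidden field as "<unix time>.<hmac>".
function issue_form_token(?int $now = null): string {
    $payload = (string)($now ?? time());
    return $payload . '.' . hash_hmac('sha256', $payload, TOKEN_SECRET);
}
// Seconds between render and submit; null if missing, forged, future-dated or expired.
function elapsed_since_render(string $token, ?int $now = null): ?int {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) { return null; }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, TOKEN_SECRET), $mac)) { return null; }
    $elapsed = ($now ?? time()) - (int)$payload;
    return ($elapsed < 0 || $elapsed > FORM_TOKEN_TTL) ? null : $elapsed;
}
// Each check returns a reason on a hit, or null to hand over to the next one.
function check_speedy(array $req): ?string {
    $elapsed = elapsed_since_render((string)($req['form_token'] ?? ''), $req['now'] ?? null);
    return ($elapsed === null || $elapsed < MIN_FILL_SECONDS) ? 'speedy registration' : null;
}
// Local file with one regular expression per line for known spammer names.
function check_name_regex(array $req, string $patternFile): ?string {
    foreach (file($patternFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $re) {
        if (@preg_match($re, (string)($req['user_name'] ?? '')) === 1) { return "name matches $re"; }
    }
    return null;
}
// Local copy of SFS's bannedips.csv (IPs separated by commas and/or newlines).
function check_local_banned_ips(array $req, string $csvFile): ?string {
    $banned = preg_split('/[\s,]+/', (string)@file_get_contents($csvFile), -1, PREG_SPLIT_NO_EMPTY);
    return in_array($req['ip'] ?? '', $banned, true) ? 'IP listed in bannedips.csv' : null;
}
// Runs the chain in order, stopping at the first hit; remote lookups (SFS by IP,
// BotScout by e-mail) belong at the end so the cheap local checks run first.
function run_checks(array $req, array $checks): ?string {
    foreach ($checks as $check) {
        $reason = $check($req);
        if ($reason !== null) { return $reason; }
    }
    return null;
}
// A real 403 with a body. Apache consults ErrorDocument only for errors it raises
// itself, not for a status set by PHP, so the script must print the page itself.
function deny(string $errorPage): void {
    http_response_code(403);
    header('Content-Type: text/html; charset=utf-8');
    if (is_readable($errorPage)) { readfile($errorPage); } else { echo '403 Forbidden'; }
    exit;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $req = ['form_token' => $_POST['form_token'] ?? '', 'user_name' => $_POST['user_name'] ?? '',
            'ip' => $_SERVER['REMOTE_ADDR'] ?? ''];
    $reason = run_checks($req, ['check_speedy',
        fn(array $r) => check_name_regex($r, __DIR__ . '/spammer_names.txt'),
        fn(array $r) => check_local_banned_ips($r, __DIR__ . '/bannedips.csv')]);
    if ($reason !== null) { error_log("registration blocked: $reason"); deny(__DIR__ . '/hterror/403_forbidden.html'); }
}
```

On the GET that renders the form, the output of issue_form_token() goes into the hidden field form_token; the deletion of non-activated accounts and the insert of the new user stay where the post puts them.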

Large uptick in spam account registrations recently

by John yuip, Saturday, January 12, 2019, 05:57 (1903 days ago) @ WorldofBB
edited by John yuip, Saturday, January 12, 2019, 06:29

I've had a big problem with automatic submissions on a Wordpress site I manage but I wasn't the owner... the owner did not authorize the use of captchas of any sort, form or shape. For years the only thing was the Akismet Anti-Spam that sorted it out, but since I installed the free "WPBruiser" I did get rid of all the automatic submissions.

One of the things it does is precisely one of the suggestions: require some number of seconds (one can change it to any value) before allowing the message to be sent... if sent before that: it goes automatically to the log of the extension as a blocked message and doesn't appear anywhere else... but for the submitter it is like everything was properly submitted (they have no way to know what is happening in the background... for all they know it may just be that the human did not authorize the message to appear... since all are moderated by a human).

I did find that 3 seconds is enough (there) to stop spammers.
They do have other things like "Blocks most dangerous IP addresses involved in brute force attacks, cross-site scripting or SQL injection", "Blocks most dangerous IP addresses associated with web proxies that shield the originator's IP address" but the time alone is what stops almost all the spam messages from ever even appearing in the control panel to moderate.

mylittleforum could have the same thing in the registration process (and normal post messages) and have a "Your account/ message needs to be approved by an administrator before it is authorized" message, that would be true for normal non-protected accounts, the administrator would need to activate it, for submissions protected with a time delay... that would appear for the submitter as being all ok, because they would still get the e-mail to activate the account... but the difference would be that the administrator wouldn't even see it unless he/ she would go to some underneath page hidden somewhere... and because the default behavior is not to have any delay the submitter has no way of knowing about that defense mechanism. The system could then delete the account/ message automatically without even showing anything to the administrator (unless he/ she wants to manually see how much he/ she is not missing :) ). The message part could also display that the administrator needs to approve it, and either be true or it just checks for the time and if it does match the minimum requirement it can be scheduled to be allowed in some random time period (3 to 35 minutes, for example, set by the administrator, and up to a 2880 minutes delay... so that legit messages don't get blocked for ever by mistake)... and the same for new registrations... they can also have the same automated random delay of approval if they pass the time delay check... so that in reality the administrator doesn't do anything (but bots and humans don't have any way of knowing that).

You can also have those blank fields (visible or invisible) that say don't fill me with anything or the registration will not succeed... but it should allow the administrator to choose the message to appear, like "Web site:"... but have a message in the beginning saying in some dissimulated way that one should not fill in anything besides username and password for example.

Another thing is the personalized anti-spam messages! These are also good ways to stop automated spammers and, in some cases, even human spammers from other countries trying to register in 1000's of forums.
For example: "What is the first name of the original creator of mylittleforum?" that is something easy to find on the wiki page of the project but that some random person from China probably won't find the answer to in their preferred search engine... and probably an automated bot will also not be able to guess.

One thing that prevented the need, on my web sites, of any recaptcha/ image captcha solution at all was the use of a free javascript called "GateKeeper 2" (I still use it!): instead of allowing direct access to the registration you could have some interception page where the user would need to enter some special word, or number... in order to even get into the create account page (that could have some special different url for every installation such that automated and human spammers can't simply submit directly). In my experience it stops 100% of automated systems from even getting there. The user needs to find that information on either the page itself, the terms and conditions, or in some blog post for example.
You can make it more complex by allowing the administrator to remove the "register" link on top and give him some code like [register-new-accounts] and/ or a link to be posted manually somewhere where the "register" mode is changed to any other thing the administrator chooses (ex.: hruiqr ) but even that is just to get into the interception page where the user enters the special word and then is redirected for example to the mode with the name called for example "rg2719" and maybe the forum can even change it automatically every hour or so, or create a dedicated address for every individual session that bypasses the interception page... so that it can't ever be reused again by another bot session since it can be linked to IP and some session cookie for example.
