New Forum Registrations Now Require Approval

[Xepher]

Apparently the captcha thing no longer works well enough at preventing spam, so I'm switching the forums to require approval from me on new member registrations. I've not used this before, so if it seems like you're being ignored or not being approved, feel free to email me (admin@...) and ask me to approve things. Make sure to include the forum username/email you used to register.

In the long run, I need to find something better for this, so let me know if you have any ideas on how to keep out the spammers.

EDIT: I'm being kinda biased here, but if you're in Asia/India, Africa, Russia, or Eastern Europe, I probably won't approve your registration unless you specifically email me about it.

[griever]

What about having a picture of something, like a shape, or a whole bunch of red things, and ask them a corresponding question?  Are those safe from spambots?

[Databits]

Some of the more advanced spam bots are able to get past common captchas. This is why things like generating an image with simple addition and asking the person to enter the answer work better.

Other methods that confuse spam bots are things like a bunch of images, named different animals with the corresponding animal in the image except one image (which would still be named the name of an animal but wouldn't actually be an animal), then asking which one isn't an animal. This method requires image processing techniques which are kinda far beyond the scope of a bot making your forum less worth the time.

Just keep in mind, some spammers are actually human so no captcha will stop them. That's where a good amount of decent moderators come in.

[Xepher]

Yeah, I'm pretty sure the recent spammers here have been human... or at least part-human. :-) I'm thinking of maybe making default new users have no post access, and then they can PM me if/when they want to post. I think one more hoop would make it enough so that they don't bother. Either that, or I may write something clever which requires a few multi-choice answers... something that's easy enough to find via google, but wouldn't be obvious to most people. E.g. the speed of light in furlongs per fortnight, the genus to which Megaloceros belongs, etc.

Heheh... yeah, that sounds like a fun one to write actually. Especially since http://www.google.com/#q=c+in+furlongs+per+fortnight works so well. :-)

[griever]

http://farm3.static.flickr.com/2353/2268237607_99ff9edc5d.jpg?v=0

That one makes my eyes water.

[Xepher]

Another good rule.. actually put in some info about yourself. Leaving everything blank but the username just makes me suspect "spammer" even more.

[otrstf]

I read a piece yesterday about a capcha-defeating operation that actually used a 4th world call center full of people; rather than software!  Just how profitable _is_ spamming forums?

[Virmir]

Hi Xepher,

Was just passing by and noticed this news post.  I clicked on the register link and it looks like you're using SMF's default CAPTCHA.  I'm pretty sure this has been cracked by spambots already.  You might want to check out the reCAPTCHA plugin for SMF.  I've had zero trouble since I installed it a few months back on my comic site.  Then again, wouldn't be much help if you think you're getting human spammers.  Best of luck.

[Xepher]

Thanks for the link, but yeah, most of the spam signups I get are human it seems.

[Xepher]

Just a reminder... I've got a lot of pending registrations, but if you register with an unpronounceable username, or anything else "suspicious" I probably won't approve it unless you email me. Anyone who's registering at all can feel free to email me to speed things up as well.

[Databits]

Funny thing is, "recaptcha" isn't any more secure than a normal captcha. I'm sure most bots adapted within less than a few days of that coming out that depend in cracking it. Chances are, if it can break the first word, it can break the second one as well just as quickly. The absolute best sort of captchas will never be the "type in this slightly obfuscated word" ones, but things like picture recognition or solid actual questions with real answers.

Then, as Xepher pointed out, if they have actual humans doing it, nothing short of actual human screening will stop them.

[Xepher]

I've tried a new trick... I've added some HTTP authentication to the new registration process. Basically, you have to put in a second username/password, but done at the HTTP level. It should be easy for humans, but the 401 response should help throw off the bots. It has the side effect of giving me an easy regex I can run on the log files and see who was actually a person. I know most of you don't care, but if the signup process breaks for new users, let me know (via email.)

FYI, ANY real registrations that want quicker approval, feel free to email me as soon as you sign up on the forum.

[Miluette]

I've been wanting to ask something. My SMF forum has been getting a ton of spammer signups in the past week. They may or may not be bots, and if they are then God help me (I already have the regular captcha set to strong and unregistered people can't post and all). I think they're actual spammers though, and if they are I have no idea how to stop them, either. ;A; How do I do it?!

[Xepher]

Well, for one... require approval like I do now. Meaning I have to check off on anyone. Sometimes someone "seems" legit, and still gets through though, but then they just get deleted/banned as soon as they post spam. Also, ban the countries that spam the most, like russia, china, and india. On the Admin control panel, you can go to "Ban List" and setup a hostname trigger. Add things like "*.ru", "*.in", and "*.cn" as bans. I just added .ru yesterday, and it's blocked 2600 hits already (mostly just repeats from the same few IPs, but still.)

I'm thinking about a comprehensive list of IPs from each country that I could ban at the apache level, and other people could easily use the same ban list if they wanted. I may put together something like that. For now, as mentioned above, I just added http authentication through an ugly hack. It interrupts the middle of the registration with a login prompt from the browser. I haven't gotten any new member signups since, so I'm curious to see if it works long term. If it does, I'll show others how to do it.

[Miluette]

The Russian spammers were getting me hardcore. The .ru block I set up has already helped tons.

And this is interesting, but the other day I was looking senshuu.com up on Alexa to see what had changed since I last looked, and suddenly it seems a whole bunch of...spammish? foreign sites are linking to it. Somehow. Some Russian, lots of Spanish, lots of forums and such. How does this happen? e_e;;