Bot attack
-
-
@a_5mith said:
@meetdilip https://github.com/akhoury/nodebb-plugin-spam-be-gone
Thanks. I am a bit reluctant as our ISP is a government owned and gives dynamic IP. These are highly misused by spammers. So I will be in effect blocking my target audience. Is there any way that I can add an extra layer of protection which does not involve blocking blacklisted IPs ?
-
@meetdilip I'm not sure on how this exact plugin works other than checking against project honeypot, but Project Honeypot & http:bl does more than just look at IP. It also checks the contents of the Header Request for things like the username & password used and if they match the honeypot, human users with blocked IPs are usually sent to a custom 403 page that contains a link for them to "unblock" the account, this basically asks them to fill out a range of spam busting questions, this then whitelists that IP. However I believe this is done by an apache extension, one for nginx doesn't yet exist. In addition, the http:bl can be set to only go back a set number of days, my SMF forum is currently set to 30 days and with a spam level of 25 (defaults) and it's blocked 1100 spam registrations in 7 days, an example has been posted at the bottom of this post.
Captchas haven't worked for years, I don't even bother using them in production, you have to make them so complicated that humans find them harder to complete than bots. So they're a waste of time, unless you create your own algorithm. Google have broken their own captcha system (the one that uses the picture of a house number and a string of numbers) so it's only a matter of time before bots can.
There's no 100% effective way of removing spam, even a Q&A could be bruteforced, it's the combination of many small spam protection techniques that make it effective. Integration of Q&A is definitely one method. Making it look like a password verification box, but requiring a completely different value, has stopped 80% of my spambot registrations.
In the below image, look at the entity field, passwrd2 is my question and answer form. Whether this is possible in this plugin, I'm not sure, we would have to ask the creator.
-
[plugins] Problem executing hook: filter:user.createWhat?Ignore that, that just means the hook returned an error, which was the registration denial in this case. I added a
stringificationto thaterrorat the end of this info in my captcha PR.@a_5mith @meetdilip
what about Q&A? how is that related to an anti-spam plugin?@meetdilip
the spam-be-gone plugin uses the following:- Honeypot Project: To check user's IP at registration time. At the moment, we only submit the IP, because @julianlam 's node module only supports that.
- Akismet: To check every single user post, this one uses IP, User-Agent, host URL, path to topic, username and the content of the post.
- Google recaptcha: (recently supported) no need to explain that, but that's only used at registration time at the moment.
You can use which ever ones you want or all, so if you're worried about Honeypot, the Captcha option may be enough for you, however, you would need to wait for the NodeBB 0.5.0 for a stable release.
All: The CAPTCHA support works in the latest spam-be-gone plugin v 0.2.0-8 with the NodeBB latest master branch, but it's really targeting the NodeBB 0.5.0 release.
if you want to use NodeBB 0.4.0 <= your version <= 0.4.3, please use the spam-be-gone v0.1.2
-
@bentael A Q&A box is just that, you supply the question, the answer that is entered must match what has be predefined in admin. So for example, you'll often see some sites that ask you
What's 4+2?You then enter 6 into the box, this is the correct answer, so registration passes. The answer box is given an id that makes it look like password verification to bots, but is human readable. Using a tougher question than that is always recommended. But if a question is relative to the forum being visited along the lines ofWhat is the name of the forum software here?the answer to this would beNodeBBanything else would fail.This is because spambots enter their registration details from an external form, so all form fields are passed inside the header. If you've got a form that looks like
Name: Email: Password: What's the answer to the question?But a bot would fill it out using the IDs, so
name email passwrd1 passwrd2This would fail the Q&A portion of registration because a spambot would enter chuburpy321 for passwrd1 and chuburpy321 for passwrd2. (Passwords used by spambot aren't limited to chuburpy321:))
-
@a_5mith Ahhh! I yea.. i get it.. not a bad idea actually.
I'll see if I can support to that. Thanks -
@bentael Thanks for the information!
-
@bentael said:
@a_5mith Ahhh! I yea.. i get it.. not a bad idea actually.
Even when using multiple questions which are rotated every time the registration form is loaded, this does absolutely nothing to ward targeted attacks. All it takes is a human to load the page a couple of times, see all the questions and send the answers to his or her bot, and the spamming can begin.
If it's a malignant user with particular beef with your forum, and not with a thousand others as well, all the ip-blacklist services this plugin provides will be absolutely useless as well, because there will be no record of this particular spammer yet. -
@Xiph
CAPTCHA will stop him, well to some extent.(
not unless that person operates another community with heavy traffic, then its bot would- capture captcha images
- use them as CAPTCHA images on his/her community where real humans are interacting, use the response against NodeBB forum, proxy the response to his/her forum
- basically having other people constantly entering the CAPTCHA for the BOT
__ or hire some Amazon mechanical turks to enter the CAPTCHAs __
) -
@bentael said:
@Xiph
CAPTCHA will stop him, well to some extent.(
not unless that person operates another community with heavy traffic, then its bot would- capture captcha images
- use them as CAPTCHA images on his/her community where real humans are interacting, use the response against NodeBB forum, proxy the response to his/her forum
- basically having other people constantly entering the CAPTCHA for the BOT
__ or hire some Amazon mechanical turks to enter the CAPTCHAs __
)Or, if it's a regular old Captcha instead of the fancy new ones (i.e. AreYouAHuman, which you can solve with just a bot , but it'll still block you anyway because it also analyzed how you solve it), just with some reasonably simple text recognition software.
-
@Xiph Please refer to post #11638 where I said the following:
There's no 100% effective way of removing spam, even a Q&A could be bruteforced, it's the combination of many small spam protection techniques that make it effective.
If someone is specifically targeting your forum, the fact of the matter is you can't stop them. The whole exercise of this topic and plugin is to stop automated spam. Human spam is something else entirely and quite frankly, defining human spam is even harder. Would you call it spam if someone joined and started talking about how good Discourse or phpbb is? Or would it be spam if they joined to sell you dodgy shoes. No registration process can tell if a human is a spammer or not. It's not possible. You can make it difficult for them though. This is a list of blocked email domains I use on my current forum: http://pastebin.com/sk59XdPG , this stops people using throw away email addresses on my site, so they have to spend more time either creating a genuine email. Or they're a genuine user. But still, think about how many spam emails you receive from someone from yahoo etc. "Fancy New Captchas" will be cracked at some point, it's a never ending torrent of trying to stay ahead of the spammers and their techniques.
-
@a_5mith said:
It's not possible
I think thats why it should be done by the community, if the community decides a user is a spammer(ie flags that user x times or clicks 'spam' x times) that user gets banned/deleted. Obviously this brings in other problems, like fake users flagging people to ban them
I guess that power should be given to users with reputation > y. -
@a_5mith said:
No registration process can tell if a human is a spammer or not. It's not possible.
You are right here. Eventually, all human processes can be simulated and replicated and thus verification of humanity will eventually be impossible.
I do wonder if AIs will just spam us to death instead of outright revolting and murdering us, or maybe just doing things like mass-committing something like identity fraud on their own accord. Plus, if they're really clever, they'll have seen the movies. Murdering us directly will inevitably invoke the wrath of a gun-wielding ex-con with a mullet who will be their demise.Also:
Checking against external blacklists and APIs has a couple of disadvantages, mainly:- A. Part of your spam protection dies when their service does.
- B. Refusing registration attempts when the external service is disrupted prevents your site from working properly and semi-randomly denying visitors the ability to sign up will most certainly not encourage them to do so. On the contrary, not doing so opens up an unnecessary vulnerability upon the disruption of the external service, which is not really a very good thing.
- C. You're essentially giving them a carte blanche to determine who does or who doesn't get on your website.
From personal experience, when one of these external blacklists actually triggers, some other method of spam prevention my forum (Not NodeBB. Yet.) has installed generally does as well. Although maybe if they decentralized the concept, bitcoin-style (or bitmessage, or bitsomething, or bitanotherthing, you get the deal, there's thousands of there projects now) it might become a bit more interesting, as it'd invalidate two out of my three main complaints. To negate the third, there's always the possibility of clever stuff. Don't underestimate some people when it comes to coming up with clever stuff.
-
@bentael said:
@a_5mith @meetdilip
what about Q&A? how is that related to an anti-spam plugin?@meetdilip
the spam-be-gone plugin uses the following:- Honeypot Project: To check user's IP at registration time. At the moment, we only submit the IP, because @julianlam 's node module only supports that.
- Akismet: To check every single user post, this one uses IP, User-Agent, host URL, path to topic, username and the content of the post.
- Google recaptcha: (recently supported) no need to explain that, but that's only used at registration time at the moment.
You can use which ever ones you want or all, so if you're worried about Honeypot, the Captcha option may be enough for you, however, you would need to wait for the NodeBB 0.5.0 for a stable release.
All: The CAPTCHA support works in the latest spam-be-gone plugin v 0.2.0-8 with the NodeBB latest master branch, but it's really targeting the NodeBB 0.5.0 release.
if you want to use NodeBB 0.4.0 <= your version <= 0.4.3, please use the spam-be-gone v0.1.2
Thanks for the insight @bentael. I guess Questions which are difficult for bot to answer are very common and effective these days.
Is there anyway that I can ignore Project Honeypot and use only other services. I use Akismet on my blog. It is very effective for me.
-
After installing npm install nodebb-plugin-spam-be-gone , my ACP is not working. I restarted a couple of times using terminal. I can see the plugin under plugins option but whatever button I click on ACP does not work. That include " Restart Nodebb ".
The I tried npm remove nodebb-plugin-spam-be-gone . The cursor kept blinking for say 10 minutes and I closed the terminal to get out of it. Then restarted. Still no luck. Any help ?
-
info: [meta/css] Minifying LESS/CSS
info: [sounds] Sounds OK
info: [meta/css] Done.
info: [themes] Compiling templates
info: [themes] Successfully compiled templates.
info: NodeBB attempting to listen on: 0.0.0.0:80
info: NodeBB Ready
warn: [plugins/nodebb-plugin-emailer-local] "callbacked" deprecated as of 0.4x. Use asynchronous method instead for hook: filter:admin.header.build
info: [meta/js] Compilation complete
warn: [plugins/nodebb-plugin-emailer-local] "callbacked" deprecated as of 0.4x. Use asynchronous method instead for hook: filter:admin.header.build -
Just to add my 2 cents, I've been an admin at a bunch of big forums in the past (phpBB); the best spam prevention has been a Q&A "what's the name of this forum" kind of thing in registration. Of course, anybody could easily write a bot to solve that, but I guess the idea is that a good chunk of forum admins can get by with minimal spam prevention measures as the aforementioned.
