• GNU/Linux Admin

    Can confirm that spam-be-gone works great... blocking many registration attempts.

    These are the last 10 lines from this community's output log:

    warn: [plugins/spam-be-gone] Joshuadal | duoduosha2@gmail.com was detected as spammer and was denied registration.
    warn: [plugins/spam-be-gone] ZnSGUwavuCo | hia.t.u.s.c.y.np.z.z.do@gmail.com was detected as spammer and was denied registration.
    warn: [plugins/spam-be-gone] ZnSGUwavuCo | h.iatusc.y.np.z.zd.o@gmail.com was detected as spammer and was denied registration.
    warn: [plugins/spam-be-gone] BPtiTRyfdu |  was detected as spammer and was denied registration.
    warn: [plugins/spam-be-gone] BPtiTRyfdu |  was detected as spammer and was denied registration.
    warn: [socket.io] Unrecognized message: meta.updateHeader
    warn: [socket.io] Unrecognized message: meta.updateHeader
    warn: [plugins/spam-be-gone] Joshuadal | duoduosha2@gmail.com was detected as spammer and was denied registration.
    warn: [plugins/spam-be-gone] Martinor | anjlvendel@hotmail.com was detected as spammer and was denied registration.
    warn: [plugins/spam-be-gone] Joshuadal | duoduosha2@gmail.com was detected as spammer and was denied registration.
    

    Edit

    warn: [socket.io] Unrecognized message: meta.updateHeader

    Speaking of that -- who the heck is still browsing NodeBB with client scripts from 2 weeks ago? 😄 F5 already...!
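An added example, not from this thread or from the spam-be-gone plugin: a small Node.js script that parses the denial lines quoted above and groups repeated attempts by mailbox. It assumes the exact line format shown in this post and relies on the fact that Gmail ignores dots in the local part, so the two dotted addresses above resolve to one mailbox; the sample lines are a constructed subset of the log above.

```javascript
// Added example (not from the thread): parse spam-be-gone denial lines from the
// NodeBB output log and group repeated attempts by normalized e-mail address.
const LINE_RE = /^warn: \[plugins\/spam-be-gone\] (\S+) \| (\S*) was detected as spammer and was denied registration\.$/;

// Gmail ignores dots in the local part, so the dotted variants in the log
// are the same mailbox. Other providers are left untouched; an empty e-mail
// (which the plugin also logs) gets its own bucket.
function normalizeEmail(email) {
  if (!email) return '(empty)';
  let [local, domain] = email.toLowerCase().split('@');
  if (domain === 'gmail.com' || domain === 'googlemail.com') {
    local = local.replace(/\./g, '');
    domain = 'gmail.com';
  }
  return `${local}@${domain}`;
}

// Returns { username, email, key } for a denial line, or null for any other line.
function parseDenial(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { username: m[1], email: m[2] || '', key: normalizeEmail(m[2]) };
}

// Returns a Map of normalized e-mail -> { count, usernames: Set }.
function summarizeDenials(logText) {
  const summary = new Map();
  for (const line of logText.split('\n')) {
    const d = parseDenial(line);
    if (!d) continue;
    const entry = summary.get(d.key) || { count: 0, usernames: new Set() };
    entry.count += 1;
    entry.usernames.add(d.username);
    summary.set(d.key, entry);
  }
  return summary;
}

// Constructed sample: a subset of the lines quoted in the post above.
const SAMPLE_LOG = [
  'warn: [plugins/spam-be-gone] Joshuadal | duoduosha2@gmail.com was detected as spammer and was denied registration.',
  'warn: [plugins/spam-be-gone] ZnSGUwavuCo | hia.t.u.s.c.y.np.z.z.do@gmail.com was detected as spammer and was denied registration.',
  'warn: [plugins/spam-be-gone] ZnSGUwavuCo | h.iatusc.y.np.z.zd.o@gmail.com was detected as spammer and was denied registration.',
  'warn: [plugins/spam-be-gone] BPtiTRyfdu |  was detected as spammer and was denied registration.',
  'warn: [socket.io] Unrecognized message: meta.updateHeader',
  'warn: [plugins/spam-be-gone] Joshuadal | duoduosha2@gmail.com was detected as spammer and was denied registration.',
].join('\n');
```

Run it against the full output log to see which mailboxes keep retrying; the dotted-Gmail trick is a common way for one actor to look like several.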


  • @a_5mith said:

    npm install nodebb-plugin-spam-be-gone

    FYI @julian, when I turn on the Akismet portion I get the exact same results as the CashMod issue we went back and forth on the other day. Blank pages, pagination issues, etc.


  • @Steve Hmm, I didn't activate Akismet; I've never actually used it in a live environment. It's usually the first thing I delete with something like WordPress etc.

  • GNU/Linux

    Thanks for the input, guys. Will try and update. AFK for some time.


  • @a_5mith said:

    @Steve Hmm, I didn't activate Akismet; I've never actually used it in a live environment. It's usually the first thing I delete with something like WordPress etc.

    Yeah, I don't generally use it either, but I have a key and figured I might as well plug it in and let 'er rip. No bueno.

  • Plugin & Theme Dev Anime Lovers GNU/Linux

    Same here with the bot attack. Works just fine now!

  • GNU/Linux Admin

    Three cheers for @bentael 😄

  • Plugin & Theme Dev Anime Lovers GNU/Linux

    Thanks @bentael

  • GNU/Linux

    @julian , @psychobunny

    Any way to add Q&A to the forum? Also, any update on login attempt restriction?


  • @meetdilip Login attempt restriction has been in for weeks: go into your ACP, General Settings, then User; it's about halfway down. You can specify how many attempts and for how long they're locked out. As for Q&A, someone can ask a question, and someone else can provide the answer in the form of a comment. If you're referring to a way of changing the order based on a best answer, then this issue should be relevant to your interests: #450

  • Plugin & Theme Dev

    ur welcome boyz. Captcha support is added, but not published yet pending PR merge.

  • Plugin & Theme Dev Anime Lovers GNU/Linux

    warn: [plugins/spam-be-gone] hgmgcrxzd | jh.u.a.mgab.hz.d.g@gmail.com was detected as spammer and was denied registration.
    info: [plugins] Problem executing hook: filter:user.create
    warn: [plugins/spam-be-gone] hgmgcrxzd | j.hua.mg.ab.hz.dg@gmail.com was detected as spammer and was denied registration.

    ??? info: [plugins] Problem executing hook: filter:user.create
    What?

  • GNU/Linux

    @a_5mith said:

    @meetdilip Login attempt restriction has been in for weeks: go into your ACP, General Settings, then User; it's about halfway down. You can specify how many attempts and for how long they're locked out. As for Q&A, someone can ask a question, and someone else can provide the answer in the form of a comment. If you're referring to a way of changing the order based on a best answer, then this issue should be relevant to your interests: #450

    Thanks. I thought it would be a plugin. As for Q&A, I mentioned it while on registration.


  • @meetdilip Oh, you meant as validation. bentael has submitted a PR with captcha; not sure if Q&A is included.

  • GNU/Linux

    @a_5mith said:

    @meetdilip Oh, you meant as validation. bentael has submitted a PR with captcha; not sure if Q&A is included.

    Can you give the link, please?


  • GNU/Linux

    @a_5mith said:

    @meetdilip https://github.com/akhoury/nodebb-plugin-spam-be-gone

    Thanks. I am a bit reluctant, as our ISP is government owned and gives dynamic IPs. These are highly misused by spammers, so I will in effect be blocking my target audience. Is there any way that I can add an extra layer of protection which does not involve blocking blacklisted IPs?


  • @meetdilip I'm not sure how this exact plugin works other than checking against Project Honeypot, but Project Honeypot & http:BL do more than just look at the IP. They also check the contents of the request headers for things like the username & password used, and if they match the honeypot, human users with blocked IPs are usually sent to a custom 403 page that contains a link for them to "unblock" the account. This basically asks them to fill out a range of spam-busting questions, which then whitelists that IP. However, I believe this is done by an Apache extension; one for nginx doesn't yet exist. In addition, the http:BL can be set to only go back a set number of days. My SMF forum is currently set to 30 days with a spam level of 25 (defaults), and it's blocked 1100 spam registrations in 7 days; an example has been posted at the bottom of this post.

    Captchas haven't worked for years; I don't even bother using them in production. You have to make them so complicated that humans find them harder to complete than bots, so they're a waste of time unless you create your own algorithm. Google has broken its own captcha system (the one that uses the picture of a house number and a string of numbers), so it's only a matter of time before bots can.

    There's no 100% effective way of removing spam; even a Q&A could be brute-forced. It's the combination of many small spam protection techniques that makes it effective. Integration of Q&A is definitely one method. Making it look like a password verification box, but requiring a completely different value, has stopped 80% of my spambot registrations.

    In the below image, look at the entity field: passwrd2 is my question and answer form. Whether this is possible in this plugin, I'm not sure; we would have to ask the creator.

    Blacklisted Attempt

  • Plugin & Theme Dev

    @trevor

    [plugins] Problem executing hook: filter:user.create What?

    Ignore that; it just means the hook returned an error, which was the registration denial in this case. I added a stringification of that error at the end of this info in my captcha PR.

    @a_5mith @meetdilip
    What about Q&A? How is that related to an anti-spam plugin?

    @meetdilip
    The spam-be-gone plugin uses the following:

    • Honeypot Project: to check the user's IP at registration time. At the moment, we only submit the IP, because @julianlam's node module only supports that.
    • Akismet: to check every single user post; this one uses IP, User-Agent, host URL, path to topic, username and the content of the post.
    • Google reCAPTCHA: (recently supported) no need to explain that, but it's only used at registration time at the moment.

    You can use whichever ones you want, or all, so if you're worried about Honeypot, the Captcha option may be enough for you; however, you would need to wait for NodeBB 0.5.0 for a stable release.

    All: CAPTCHA support works in the latest spam-be-gone plugin v0.2.0-8 with the latest NodeBB master branch, but it's really targeting the NodeBB 0.5.0 release.

    If you want to use NodeBB 0.4.0 <= your version <= 0.4.3, please use spam-be-gone v0.1.2.


  • @bentael A Q&A box is just that: you supply the question, and the answer that is entered must match what has been predefined in admin. So, for example, you'll often see some sites that ask you "What's 4+2?" You then enter 6 into the box; this is the correct answer, so registration passes. The answer box is given an id that makes it look like password verification to bots, but is human readable. Using a tougher question than that is always recommended. But if a question is relevant to the forum being visited, along the lines of "What is the name of the forum software here?", the answer to this would be NodeBB; anything else would fail.

    This is because spambots enter their registration details from an external form, so all form fields are passed inside the header. If you've got a form that looks like

    Name:
    Email:
    Password:
    What's the answer to the question?
    

    But a bot would fill it out using the IDs, so

    name
    email
    passwrd1
    passwrd2
    

    This would fail the Q&A portion of registration because a spambot would enter chuburpy321 for passwrd1 and chuburpy321 for passwrd2. (Passwords used by spambots aren't limited to chuburpy321. :))
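An added example, not from the thread, the plugin or NodeBB: a server-side check for the decoy Q&A field described in this post, written as a plain function so it can sit behind any registration handler. The field ids passwrd1/passwrd2 follow the post; the question, the answer and the sample human and bot submissions are constructed.

```javascript
// Added example (not from the thread): validate a Q&A field whose id looks like
// a password-confirmation box to a form-filling bot, as described above.
const FIELD_PASSWORD = 'passwrd1'; // ids assumed from the post
const FIELD_QUESTION = 'passwrd2';

// Constructed question/answer pair, as an admin would predefine it.
const QA = { question: 'What is the name of the forum software here?', answer: 'NodeBB' };

// Humans type answers with varying case and whitespace; compare loosely.
function normalizeAnswer(s) {
  return String(s || '').trim().toLowerCase().replace(/\s+/g, ' ');
}

// Returns { ok: true } or { ok: false, reason }. The reason is for the server
// log only; the expected answer is never echoed back to the client.
function checkRegistration(fields, qa = QA) {
  const password = fields[FIELD_PASSWORD];
  const answer = fields[FIELD_QUESTION];
  if (!answer) return { ok: false, reason: 'missing-answer' };
  // A bot that fills fields by id treats passwrd2 as "confirm password" and
  // repeats the password, which is the signature the post describes.
  if (answer === password) return { ok: false, reason: 'answer-equals-password' };
  if (normalizeAnswer(answer) !== normalizeAnswer(qa.answer)) {
    return { ok: false, reason: 'wrong-answer' };
  }
  return { ok: true };
}

// Constructed submissions: a human reading the label, and a bot filling by id.
const HUMAN = { name: 'alice', email: 'alice@example.com', passwrd1: 'correct horse', passwrd2: ' nodebb ' };
const BOT = { name: 'xkqzv', email: 'xkqzv@example.com', passwrd1: 'chuburpy321', passwrd2: 'chuburpy321' };
```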
