Non stop spammer sign ups
-
@pitaj I want to get them before they even sign up; otherwise, the users just keep getting filled up with useless accounts that have to constantly be cleaned up.
On phpbb, you have the following options without additional plugins. You can enable a built-in captcha, which works really well. If they make it that far, then their first post can be moderated before they are allowed to post again without moderation. It works very well.
You could take all of these ideas or ask the locals what they have for ideas. I would keep it simple. I suggested at least one of these items many years ago when phpbb was struggling with spambots.
I can tell you from having run phpbb for many years that just the basics above do a great job. Keeping those spambots at bay is important especially on a board that has a huge amount of traffic.
-
I suspect you have something(s) misconfigured. Granted my boards are low traffic but they did survive years of tRump bot attacks w/very few successful attempts.
Additionally, the conclusion that PHP is more secure is erroneous. I run a WAF and a huge number of rules target php vulnerabilities. PHP itself invites much unwanted attention. And it is just a matter of time before one of the 100K per day knocks on your door finds a weakness to exploit.
Moving on.... it is hard to offer advice when we do not know what measures you presently have enabled. Maybe you could shed some light on them? For example, are you allowing "guest" posts? I presume not but... one never knows...
-
I never said anything about php other than mentioning that I used the phpbb board for many years and sharing what they are using to keep spambots off and it works.
I doubt anything is mis-configured since the board is new, nothing special, default settings other than admin moderation of new sign ups.
No guest posts, all default but I'm not talking about posts, I'm talking about sign ups.
-
@nodeham said in Non stop spammer sign ups:
> I never said anything about php other than mentioning that I used the phpbb board for many years and sharing what they are using to keep spambots off and it works.
Uh... yeah... but... note the php in phpBB.... I coded php2 and php3 bitd but eschew php apps ever since. Just too big a target.
> I doubt anything is mis-configured since the board is new, nothing special, default settings other than admin moderation of new sign ups.
Good to know. I do not use defaults. Most folks tweak things a bit to taste?
> No guest posts, all default but I'm not talking about posts, I'm talking about sign ups.
Sign ups should be requisite for posting. Do they sign up but not post? Those are the more dangerous and worrisome as they are likely then using the account for probing your defenses from within. The ones that post do you a favor by standing out like a sore thumb and are soon banished. Depending on community and moderator vigilance.
As for new sign ups, there was a bug a while back w/earlier versions where folks could post after signing up but before email addresses were confirmed. I think that has been rectified.
Are you familiar with "IsTempMail"? There is an npm module that I employ to help defend against these miscreants:
Forget which plugin activates it off the top of my head (maybe this is in my WAF?). I forget. This is a pretty high efficacy one though.
Are you aware of the nodebb-plugin-spam-be-gone plugin? I boycott Akismet and Google due to privacy and big data concerns but do utilize Project Honeypot and stopforumspam.
In any case, hopefully some pointers above will prove helpful but bottom line is that it is damned tough to nigh on impossible to defend against dedicated attackers. Object is to raise the bar high enough that they move on to lower hanging fruits.
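The disposable-email check mentioned above (the IsTempMail idea) can be illustrated with a small registration screen. This is an added example written for this thread, not code from the post, from IsTempMail or from any NodeBB plugin; the blocklist domains are constructed placeholders, and the `userData` object shape (an `email` field) is an assumption about what a registration hook would hand over. It walks up parent domains so that subdomains of a throwaway provider are caught, and it deliberately leaves `+tag` aliases alone, since legitimate users (as later in this thread) rely on them.

```javascript
// Added example: screen a sign-up against a disposable-email domain list.
// Not from the thread or any NodeBB plugin; domains below are constructed.

// Constructed blocklist of throwaway providers (placeholder values).
const DISPOSABLE_DOMAINS = new Set([
  'mailinator.example',
  'tempmail.example',
  '10minute.example',
]);

// Split an address into local part and domain after trimming and lower-casing.
// Returns null for anything without a usable "local@domain" shape.
function normaliseEmail(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) return null; // malformed
  return { local: trimmed.slice(0, at), domain: trimmed.slice(at + 1) };
}

// True if the domain, or any parent domain, is on the blocklist, so
// "x.tempmail.example" is rejected along with "tempmail.example".
function isDisposableDomain(domain) {
  const labels = domain.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (DISPOSABLE_DOMAINS.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Registration screen. userData.email is an assumed field name.
// Returns { ok: true, email } or { ok: false, reason } so the caller can
// decide whether to reject outright or route the account to moderation.
function screenRegistration(userData) {
  const parsed = normaliseEmail(userData && userData.email);
  if (!parsed) return { ok: false, reason: 'malformed-email' };
  if (isDisposableDomain(parsed.domain)) {
    return { ok: false, reason: 'disposable-domain' };
  }
  return { ok: true, email: `${parsed.local}@${parsed.domain}` };
}

// Constructed sign-ups for a quick run.
const SAMPLE_SIGNUPS = [
  { email: 'bob@tempmail.example' },
  { email: 'Alice+forum@example.org ' },
  { email: 'no-at-sign' },
];
for (const s of SAMPLE_SIGNUPS) {
  console.log(s.email, '->', JSON.stringify(screenRegistration(s)));
}
```

A real blocklist changes often, so in practice it would be loaded from a maintained source rather than hard-coded; the matching logic stays the same. Returning a reason code rather than a plain boolean lets the moderation view show why an account was held, which addresses the complaint later in the thread that the queue shows only a name and an email.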
-
@gotwf said in Non stop spammer sign ups:
> Do they sign up but not post? Those are the more dangerous and worrisome as they are likely then using the account for probing your defenses from within. The ones that post do you a favor by standing out like a sore thumb and are soon banished.
Right. Exactly. I just had the idea to require all new accounts to introduce themselves or submit some post within a certain time frame, say two weeks. I imagine making my Terms of Use say: "For security reasons, new accounts must create their first post within two weeks. A very simple introduction is all that is required. No stalkers."
All accounts without a post would get banned after a few weeks. Or would it be better to delete them? Thoughts?
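The grace-period policy proposed above (a new account must make a first post within two weeks or be dealt with) comes down to a date comparison, and the part worth getting right is the cutoff arithmetic and the exemptions. The following is an added example written for this thread, not code from the post or from NodeBB; the user records are constructed, and the field names (`joindate` as a millisecond timestamp, `postcount`, `admin`) are assumptions about what a forum export would contain. It only classifies accounts and leaves the ban-or-delete decision to the caller.

```javascript
// Added example: classify zero-post accounts against a grace period.
// Not from the thread or NodeBB; record field names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns { pastGrace, pending }:
//   pastGrace: uids with zero posts whose grace period has elapsed
//   pending:   zero-post uids still inside the window, with days remaining
// Admin accounts are skipped so a policy script can never lock out staff.
function classifySignups(users, now, graceDays = 14) {
  const pastGrace = [];
  const pending = [];
  for (const u of users) {
    if (u.admin || Number(u.postcount) > 0) continue;
    const deadline = u.joindate + graceDays * DAY_MS;
    if (now >= deadline) {
      pastGrace.push(u.uid);
    } else {
      pending.push({ uid: u.uid, daysLeft: Math.ceil((deadline - now) / DAY_MS) });
    }
  }
  return { pastGrace, pending };
}

// Constructed sample data: "now" is 31 Jan 2024 (UTC).
const SAMPLE_NOW = Date.UTC(2024, 0, 31);
const SAMPLE_USERS = [
  { uid: 1, username: 'admin',     joindate: Date.UTC(2023, 0, 1),  postcount: 120, admin: true },
  { uid: 2, username: 'quiet-old', joindate: Date.UTC(2024, 0, 1),  postcount: 0,   admin: false },
  { uid: 3, username: 'newcomer',  joindate: Date.UTC(2024, 0, 25), postcount: 0,   admin: false },
  { uid: 4, username: 'poster',    joindate: Date.UTC(2024, 0, 2),  postcount: 1,   admin: false },
];

console.log(JSON.stringify(classifySignups(SAMPLE_USERS, SAMPLE_NOW, 14)));
```

Run as a scheduled job, the `pending` list is what a moderator would review by hand and the `pastGrace` list is what the policy acts on. Keeping the two separate, and skipping staff accounts, keeps a clock skew or a mis-set grace period from turning into a mass lockout.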
-
> Uh... yeah... but... note the php in phpBB.... I coded php2 and php3 bitd but eschew php apps ever since. Just too big a target.
I'm really not sure why you keep bringing up php :).
It isn't even installed on this new nodebb server. I simply mentioned phpbb's registration process because I found it very effective without having to install any plugins.
> Good to know. I do not use defaults. Most folks tweak things a bit to taste?
It's always possible there is something I'm not noticing but I doubt it, it's pretty straightforward.
I've posted other questions about any things I wasn't sure about, including double checking permissions since my board was converted from phpbb and there were a few messy things left behind, but the plugin author used this conversion to update his code.
These are obvious spambot signups, easily noticed by the consistent email names.
> Do they sign up but not post? Those are the more dangerous and worrisome
Yes, they just create accounts, rarely post. I've changed it to moderated since and that seems to have slowed the sign ups down.
I liked the way phpbb had a setting that would force any new user's first or second or even up to third post to be moderated before they were fully registered. Meaning, they could get past the registration process but their first post would be moderated. If it was spam, you simply delete the user and all content. If it was legit, you allow it and the user is allowed to post freely from that point on. Never had a spambot/spammer since I enabled that method.
> as they are likely then using the account for probing your defenses from within.
Yes, I understand what you mean though I believe you meant from the outside since they have zero access to inside. Other than the usual OS security measures and using common sense in the default settings, I get the sense that the nodebb devs are very much on top of security of the board code itself.
> The ones that post do you a favor by standing out like a sore thumb and are soon banished.
Agreed but I don't want to spend my time fighting spammers, I would prefer to have built-in first level defenses so I'm not spending all my time having to deal with them, without having to install more plugins.
> As for new sign ups, there was a bug a while back w/earlier versions where
I keep everything fully updated, node.js and nodebb, all the latest so I assume all currently known exploits/bugs are fixed.
> Are you familiar with "IsTempMail"?
Looks interesting. Hopefully it gets them at the sign up. Mind you I would be nervous that it could block legit people. I never ever use the same email on any site I use. I create an alias of the [email protected] so I can know which sites are selling my email address and to keep track of information.
> Are you aware of the nodebb-plugin-spam-be-gone plugin?
I'm not very aware of the plugins available for nodebb just yet. This is something I'm working on on the side that will be used to support members on another service. I'll have to look at what is available but I also tend to avoid plugins unless they are officially maintained by the main code devs, nodebb in this case.
> I boycott Akismet and Google due to privacy and big data concerns but do utilize Project Honeypot and stopforumspam.
Nice, I hope a lot of people are starting to do that. I wasn't aware of Akismet being a problem but there's way too much Google in our lives.
> In any case, hopefully some pointers above will prove helpful but bottom line is that it is damned tough to nigh on impossible to defend against dedicated attackers. Object is to raise the bar high enough that they move on to lower hanging fruits.
Yes but these aren't attackers, they are pesky spammers that we've all seen for countless years :).
Hopefully, some of these ideas will be implemented into nodebb.
-
I wasn't paying attention until I had to spend around 10 minutes going over the whole user base to see if I could notice anything obvious.
It slowed down since I added moderation but that could use some improvement too. Just seeing an email address and a name can in most cases show that it's a possible spammer but not always.
For example, the emails are often similar, like [email protected] or [email protected], etc. Those are pretty obvious but again, why should I have to be guessing.
If the site could ask them a few questions at the sign up process that the user moderator could see, that could help. Right now, when moderating, all you see is their user name and email which is not enough to guess and I'd prefer not having to guess, nuking potentially valid users wanting to have access.
My board is not even a busy one and never will be, it's only used to support members of a service we offer. Yet I'm spending all this time messing around with spammers trying to get in.
As advised, I'm now using the post queue which appears to be similar to the phpbb first post/s moderation so that's cool to see. If they get past the sign up and into the board, that's a second way to weed the spammers out.
-
I didn't share this to try and challenge anyone or this product :).
I shared this as my own input on an amazing product because I'd like to see nodebb improve in the best ways possible and that takes input from its users.
Some might not see the same problems as others but having options for many situations is what makes a product fit for more uses.
Being in the software business, I know full well how many will never even complain or offer input or feedback; if they don't like it, they will simply move on to something else and you'll never know.
So far, I very much like using nodebb compared to phpbb and I'd like to stick with it and eventually use that cool API to its full potential.