> Uh... yeah... but... note the php in phpBB.... I coded php2 and php3 bitd but eschew php apps ever since. Just too big a target.
I'm really not sure why you keep bringing up php :).
It isn't even installed on this new nodebb server. I simply mentioned phpbb's registration process because I found it very effective without having to install any plugins.
Good to know. I do not use defaults. Most folks tweak things a bit to taste?
It's always possible there is something I'm not noticing but I doubt it, it's pretty straightforward.
I've posted other questions about anything I wasn't sure about including double checking permissions since my board was converted from phpbb and there were a few messy things left behind but the plugin author used this conversion to update his code.
These are obvious spambot signups, easily noticed by the consistent email names.
Do they sign up but not post? Those are the more dangerous and worrisome
Yes, they just create accounts, rarely post. I've changed it to moderated since and that seems to have slowed the sign ups down.
I liked the way phpbb had a setting that would force any new user's first or second or even up to third post to be moderated before they were fully registered. Meaning, they could get past the registration process but their first post would be moderated. If it was spam, you simply delete the user and all content. If it was legit, you allow it and the user is allowed to post freely from that point on. Never had a spambot/spammer since I enabled that method.
as they are likely then using the account for probing your defenses from within.
Yes, I understand what you mean though I believe you meant from the outside since they have zero access to inside. Other than the usual OS security measures and using common sense in the default settings, I get the sense that the nodebb devs are very much on top of security of the board code itself.
> The ones that post do you a favor by standing out like a sore thumb and are soon banished.
Agreed but I don't want to spend my time fighting spammers, I would prefer to have built in first level defenses so I'm not spending all my time having to deal with them without having to install more plugins.
As for new sign ups, there was a bug a while back w/earlier versions where
I keep everything fully updated, node.js and nodebb, all the latest so I assume all currently known exploits/bugs are fixed.
Are you familiar with "IsTempMail"?
Looks interesting. Hopefully it gets them at the sign up. Mind you I would be nervous that it could block legit people. I never ever use the same email on any site I use. I create an alias of the email@example.com so I can know which sites are selling my email address and to keep track of information.
Are you aware of the nodebb-plugin-spam-be-gone plugin?
I'm not very aware of the plugins available for nodebb just yet. This is something I'm working on the side that will be used to support members on another service. I'll have to look at what is available but I also tend to avoid plugins unless they are officially maintained by the main code devs, nodebb in this case.
> I boycott Akismet and Google due to privacy and big data concerns but do utilize Project Honeypot and stopforumspam.

Nice, I hope a lot of people are starting to do that. I wasn't aware of Akismet being a problem but way too much Google in our lives.
> In any case, hopefully some pointers above will prove helpful but bottom line is that it is damned tough to nigh on impossible to defend against dedicated attackers. Object is to raise the bar high enough that they move on to lower hanging fruits.
Yes but these aren't attackers, they are pesty spammers that we've all seen for countless years :).
Hopefully, some of these ideas will be implemented into nodebb.