@pitaj Hmm, you're right. I wonder why we missed that.
Thank you :).
I didn't share this to try and challenge anyone or this product :).
I shared this as my own input on an amazing product because I'd like to see nodebb improve in the best ways possible and that takes input from its users.
Some might not see the same problems as others but having options for many situations is what makes a product fit for more uses.
Being in the software business, I know full well how many will never even complain or offer input or feedback; if they don't like it, they will simply move on to something else and you'll never know.
So far, I very much like using nodebb compared to phpbb and I'd like to stick with it and eventually use that cool API to its full potential.
I wasn't paying attention until I had to spend around 10 minutes going over the whole user base to see if I could notice anything obvious.
It slowed down since I added moderation but that could use some improvement too. Just seeing an email address and a name can in most cases show that it's a possible spammer but not always.
For example, the emails are often similar, like firstname.lastname@example.org or email@example.com, etc. Those are pretty obvious but again, why should I have to be guessing.
If the site could ask them a few questions at the sign up process that the user moderator could see, that could help. Right now, when moderating, all you see is their user name and email which is not enough to guess and I'd prefer not having to guess, nuking potentially valid users wanting to have access.
My board is not even a busy one and never will be; it's only used to support members of a service we offer. Yet I'm spending all this time messing around with spammers trying to get in.
As advised, I'm now using the post queue which appears to be similar to the phpbb first post/s moderation so that's cool to see. If they get past the sign up and into the board, that's a second way to weed the spammers out.
> Uh... yeah... but... note the php in phpBB.... I coded php2 and php3 bitd but eschew php apps ever since. Just too big a target.
I'm really not sure why you keep bringing up php :).
It isn't even installed on this new nodebb server. I simply mentioned phpbb's registration process because I found it very effective without having to install any plugins.
Good to know. I do not use defaults. Most folks tweak things a bit to taste?
It's always possible there is something I'm not noticing but I doubt it, it's pretty straight forward.
I've posted other questions about any things I wasn't sure about including double checking permissions since my board was converted from phpbb and there were a few messy things left behind but the plugin author used this conversion to update his code.
These are obvious spambot signups, easily noticed by the consistent email names.
> Do they sign up but not post? Those are the more dangerous and worrisome
Yes, they just create accounts, rarely post. I've changed it to moderated since and that seems to have slowed the sign ups down.
I liked the way phpbb had a setting that would force any new users first or second or even up to third post to be moderated before they were fully registered. Meaning, they could get past the registration process but their first post would be moderated. If it was spam, you simply delete the user and all content. If it was legit, you allow it and the user is allowed to post freely from that point on. Never had a spambot/spammer since I enabled that method.
> as they are likely then using the account for probing your defenses from within.
Yes, I understand what you mean though I believe you meant from the outside since they have zero access to inside. Other than the usual OS security measures and using common sense in the default settings, I get the sense that the nodebb devs are very much on top of security of the board code itself.
> The ones that post do you a favor by standing out like a sore thumb and are soon banished.
Agreed but I don't want to spend my time fighting spammers, I would prefer to have built in first level defenses so I'm not spending all my time having to deal with them without having to install more plugins.
> As for new sign ups, there was a bug a while back w/earlier versions where
I keep everything fully updated, node.js and nodebb, all the latest so I assume all currently known exploits/bugs are fixed.
Are you familiar with "IsTempMail"?
Looks interesting. Hopefully it gets them at the sign up. Mind you, I would be nervous that it could block legit people. I never ever use the same email on any site I use. I create an alias of the firstname.lastname@example.org so I can know which sites are selling my email address and to keep track of information.
Are you aware of the nodebb-plugin-spam-be-gone plugin?
I'm not very aware of the plugins available for nodebb just yet. This is something I'm working on the side that will be used to support members on another service. I'll have to look at what is available but I also tend to avoid plugins unless they are officially maintained by the main code devs, nodebb in this case.
> I boycott Akismet and Google due to privacy and big data concerns but do utilize Project Honeypot and stopforumspam.
Nice, I hope a lot of people are starting to do that. I wasn't aware of Akismet being a problem but way too much Google in our lives.
> In any case, hopefully some pointers above will prove helpful but bottom line is that it is damned tough to nigh on impossible to defend against dedicated attackers. Object is to raise the bar high enough that they move on to lower hanging fruits.
Yes but these aren't attackers, they are pesty spammers that we've all seen for countless years :).
Hopefully, some of these ideas will be implemented into nodebb.
I would really like to get this working.
Does anyone have any thoughts on why this code above might not work?
The board was converted from phpbb using a plugin. Is it possible that left something behind that is breaking the code shared above?
I never said anything about php other than mentioning that I used the phpbb board for many years and sharing what they are using to keep spambots off and it works.
I doubt anything is mis-configured since the board is new, nothing special, default settings other than admin moderation of new sign ups.
No guest posts, all default but I'm not talking about posts, I'm talking about sign ups.
@pitaj I want to get them before they even sign up; otherwise, the users just keep getting filled up with useless accounts that have to constantly be cleaned up.
On phpbb, you have the following options without additional plugins. You can enable a captcha built right in which works really well. If they make it that far, then their first post can be moderated before they are allowed to post again without moderation. It works very well.
You could take all of these ideas or ask the locals what they have for ideas. I would keep it simple. I suggested at least one of these items many years ago when phpbb was struggling with spambots.
I can tell you from having run phpbb for many years that just the basics above do a great job. Keeping those spambots at bay is important especially on a board that has a huge amount of traffic.
I moved away from phpbb but certainly miss some of the security it had. Do I need to add yet another plugin to get some sort of security to slow that down?
PhpBB has some simple yet good ideas that should be implemented in nodebb. If I have to spend all my time fighting spammers signing up, it's going to be a problem using this board.
I have the latest nodebb up and want guests to be able to see all posts without having to log in. I am either missing something, a setting or there is no way to allow this?
As a guest, if I click on New topics, it tells me I need to log in.
So nginx runs as the nginx user of course, but the nodebb files were all changed to be owned by user nodebb when installing everything.
Somehow, the entire nodebb/build/public/templates/emails/
directory became owned by root at some point and that would not have been done by me so an update, a plugin, something else changed that entire directory.
Changing the owner for that sub-dir took the problem away.
The next odd thing I see is this.
I changed the template page to the welcome page to test.
I then hit save then I clicked on send test.
The received email was the banned one.
While it showed the welcome page being set, when I hit refresh, it always goes back to the banned template page.
@pitaj Hmm, I seem to have lost track of something along the way here in terms of my learning how to use this.
I believe everything was in fact owned by user nodebb but at some point, got changed to root. I will take a closer look at this.
The permissions are all owned by root since nginx is being used as a proxy. The notice above only shows for whichever page I pick. If I pick the banned template, the error is the banned.js.
The permissions are:
-rw-r--r-- 1 root root 13314 Aug 19 10:53 banned.js
-rw-r--r-- 1 root root 10509 Aug 19 10:53 banned.tpl
-rw-r--r-- 1 root root 33997 Aug 19 10:53 digest.js
-rw-r--r-- 1 root root 21667 Aug 19 10:53 digest.tpl
-rw-r--r-- 1 root root 13708 Aug 19 10:53 invitation.js
-rw-r--r-- 1 root root 11083 Aug 19 10:53 invitation.tpl
-rw-r--r-- 1 root root 13985 Aug 19 10:53 notification.js
-rw-r--r-- 1 root root 11128 Aug 19 10:53 notification.tpl
drwxr-xr-x 2 root root 129 Aug 19 10:53 partials
-rw-r--r-- 1 root root 13058 Aug 19 10:53 registration_accepted.js
-rw-r--r-- 1 root root 10540 Aug 19 10:53 registration_accepted.tpl
-rw-r--r-- 1 root root 13256 Aug 19 10:53 reset.js
-rw-r--r-- 1 root root 13507 Aug 19 10:53 reset_notify.js
-rw-r--r-- 1 root root 10866 Aug 19 10:53 reset_notify.tpl
-rw-r--r-- 1 root root 10840 Aug 19 10:53 reset.tpl
-rw-r--r-- 1 root root 12951 Aug 19 10:53 test.js
-rw-r--r-- 1 root root 10508 Aug 19 10:53 test.tpl
-rw-r--r-- 1 root root 13269 Aug 19 10:53 verify_email.js
-rw-r--r-- 1 root root 10853 Aug 19 10:53 verify_email.tpl
-rw-r--r-- 1 root root 12483 Aug 19 10:53 welcome.js
-rw-r--r-- 1 root root 10064 Aug 19 10:53 welcome.tpl
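A check for the ownership drift described in the posts above (the emails template directory ending up owned by root instead of the service user), added here as an example and not code from the thread or from NodeBB. It assumes the service user is `nodebb` and an install path of `/srv/nodebb` (both placeholders); the `ls -l` sample is constructed from the listing above.

```shell
#!/bin/sh
# Added example: find files in a NodeBB tree whose owner is not the service user.
# Assumptions (not from the thread): service user "nodebb", install dir /srv/nodebb.
NODEBB_DIR="${NODEBB_DIR:-/srv/nodebb}"
NODEBB_USER="${NODEBB_USER:-nodebb}"

# Constructed sample in `ls -l` format; owner is field 3, name is the last field.
# Two entries drifted to root, two are still owned by nodebb.
SAMPLE_LS='-rw-r--r-- 1 root   root   13314 Aug 19 10:53 banned.js
-rw-r--r-- 1 nodebb nodebb 10509 Aug 19 10:53 banned.tpl
drwxr-xr-x 2 root   root     129 Aug 19 10:53 partials
-rw-r--r-- 1 nodebb nodebb 12483 Aug 19 10:53 welcome.js'

# Read `ls -l` lines on stdin and print the names of entries not owned by $1.
# Skips the "total N" header; assumes names without spaces (true for NodeBB's templates).
wrong_owner_from_ls() {
    awk -v want="$1" '$1 ~ /^[-dl]/ && $3 != want { print $NF }'
}

# How many entries in the constructed sample are not owned by $1 (returns "2" for nodebb).
count_wrong_in_sample() {
    printf '%s\n' "$SAMPLE_LS" | wrong_owner_from_ls "$1" | wc -l | tr -d ' '
}

# Live check on a real install: list everything under the tree not owned by the service user,
# with mode and owner, so a stray root-owned subtree (like build/public/templates/emails) stands out.
find_wrong_owner_live() {
    find "$NODEBB_DIR" ! -user "$NODEBB_USER" -ls
}

# The fix the poster applied, scoped to the drifted subtree, needs root:
#   sudo chown -R "$NODEBB_USER:$NODEBB_USER" "$NODEBB_DIR/build/public/templates/emails"
```

Running `find_wrong_owner_live` right after an upgrade or plugin install makes this kind of drift visible before it surfaces as a template error.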