Spammer Attacks the Forum

You may have found a rash of spam in your inbox this morning, or run into it on the forums if you spent any time earlier today having a look. We had a spammer send dozens of replies to dozens of threads last night with your typical "rolex watch" or equivalent spam that floats around on the web.

We have tried to keep a balance on the site by requiring both captcha and email verification on new accounts before a user can post anything. This has worked reasonably well since it keeps automated spamming scripts from creating accounts and spamming the forums like we had several years ago.

However … once someone does create an account they are free to spam. We get a regular flow of such spam though it has been at a low enough level that it has gone mostly unnoticed, and we have several senior community members who regularly detect such spam and remove the messages as well as disable the accounts. Last night’s spam unfortunately resulted in thousands of posts and was a lot more involved to remove. If you subscribe to any given thread, then you will get email when someone responds to that thread which unfortunately includes such spam.

There are stronger options to try and further curtail spam though it’s always a tradeoff between the fight against spam and the disruption to you, the user. We could require new accounts to be moderated, but that means a new member who ‘desperately’ needs help is at the whim of someone enabling the new account. Even more extensive is to require moderation of posts. Neither of these are attractive to us.

For the short-term we have changed the forums so that most users will be required to enter a captcha when responding to a post. Personally, I hate captchas mostly because they are getting so hard to read that I can’t get them right half the time. I’m hoping that ours are not quite so bad. I’d like to hear from you how this is working out. If it ends up being just a little bit of a hassle it may be well worth keeping. If it is really problematic then I would like to leave it up for a short time just to try and ward off another follow-up attack. (However … now that we have the tools in place, the next one won’t be nearly as bad to delete, though you will still get spammed if you subscribe to a thread).

If you happen to be a user type other than “tadpole” (which is our default authenticated user) then you should not be asked for a Captcha. That leads to another option, which is that we create a new user type that we can move people up to on request that does not require the Captcha. (Today we do have “Contributor”, “Developer” and “Leap Frog” which correspond to various users who have requested greater access to be able to edit more parts of the site and be generally more helpful.)

For now, thanks for your understanding and please do respond to this post if you feel that the Captcha is a real pain, or otherwise if you feel that it is not a big deal and not too hard to read in which case we can choose to live with it.

Philippe - on behalf of the FreePBX Team

The bots are typically designed for specific layouts. So if you change the names of the html form controls, that will confuse them. And because the bots typically enter information into every field, you can also add a form control that is hidden via the site’s CSS, but that the site will reject if it has data in it. These two things have reduced spam submissions to essentially zero where I work.
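One way to implement the two checks described in this reply, as an added example that is not the forum's or Drupal's own code: control names are assumed to be issued fresh at render time and kept in a server-side session dict, and the honeypot input is assumed to be hidden by a CSS class the page's stylesheet defines.

```python
"""Renamed form controls plus a CSS-hidden honeypot field (constructed example)."""
import secrets

# Logical field names of the reply form (assumed); bots built for a fixed
# layout expect these literal names to appear in the HTML.
REAL_FIELDS = ("subject", "body")


def issue_form(session: dict) -> dict:
    """Render-time step: pick fresh control names and a honeypot name and
    remember them in the session so the submission can be mapped back."""
    mapping = {real: "f_" + secrets.token_hex(6) for real in REAL_FIELDS}
    honeypot = "f_" + secrets.token_hex(6)
    session["form"] = {"map": mapping, "honeypot": honeypot}
    # The honeypot is wrapped in a container the site's CSS hides (class name
    # assumed), so humans never see or fill it; form-filling bots do.
    html = "".join(f'<input name="{m}">' for m in mapping.values())
    html += (f'<div class="hp-wrap"><input name="{honeypot}" '
             'tabindex="-1" autocomplete="off"></div>')
    return {"html": html, "mapping": mapping, "honeypot": honeypot}


def check_submission(session: dict, posted: dict) -> tuple:
    """Submit-time step. Returns (accepted, reason, fields keyed by real name)."""
    spec = session.get("form")
    if spec is None:
        return False, "no form issued for this session", {}
    # Anything typed into the invisible field came from a script, not a person.
    if posted.get(spec["honeypot"], "").strip():
        return False, "honeypot filled", {}
    # A submission built for the old, guessable layout carries none of the
    # issued names, so it fails the first lookup.
    fields = {}
    for real, obfuscated in spec["map"].items():
        if obfuscated not in posted:
            return False, f"missing control {real}", {}
        fields[real] = posted[obfuscated]
    # Names are single-use: replaying the same submission is rejected.
    del session["form"]
    return True, "ok", fields
```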

Glad to see a captcha but it looks fairly rudimentary. Was it a free one or did you buy it?

The Captcha is one of the modules available in Drupal, which is an OS content management system that we use.

If the Captcha stops someone from blasting thousands of spam messages, which is what happened in this instance, then I’m happy if it is otherwise fairly basic as I personally do not like Captchas since the good ones are so hard to read they become a hindrance for everyone.

For now, so far so good on the extreme spam, we’ve had a few typical single spams but I suspect we would get those with a strong Captcha also.

I had to dig into this issue as I met the other side of this war. A young man who makes his living posting SPAM in forums. After my initial reaction of wanting to dismember him I started to listen as I wanted to learn and he was quite candid as to what he can do.

Most captcha decoding is now automated for the spammers. The software is very sophisticated, reading the content of posts and creating dialog with other automatically generated accounts with readable dialog. When you see a “thank you” or other nonsense polite message that is a sign of the bots in action. Fake praise is also a common ruse.

The payoff in link positioning is quite large. As the site becomes more popular the amount of SPAM will increase as the reward to these online thieves is so great.

Luckily we’ve been fairly lucky with regard to SPAM posts.

Most have been the simple post backs, usually one or two posts which are easy to manage.

We still require email confirmation for new accounts and that has also clearly made a big impact on the spam.

Unfortunately yesterday’s attack was fairly massive. My hunch is the Captcha would not have stopped some spam, but I don’t think it would have been anything near as intense as it was. It was clearly automated somehow, whether the tools used could have gotten through the Captcha, ???

For now, we at least have the tools to remove any new massive attacks like that, and we’ll see what the Captchas do for a bit.

I wonder if the forum software has a feature to limit the amount of posts/day on new accounts, i.e. limit all users under 60 days old to 20 posts per 24 hours.

Maybe we could put a feature request in the forum software’s tracker :wink:
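The throttle proposed in this post, with its 60-day account age and 20 posts per 24 hours, as an added example (not a Drupal module and not the forum's own code); it assumes post timestamps are tracked in memory per user and that account creation time is available to the check.

```python
"""Sliding-window post limit for new accounts (constructed example)."""
from collections import deque
from datetime import datetime, timedelta

NEW_ACCOUNT_AGE = timedelta(days=60)   # accounts younger than this are throttled
NEW_ACCOUNT_LIMIT = 20                 # posts allowed per window
WINDOW = timedelta(hours=24)


class PostThrottle:
    def __init__(self, max_posts=NEW_ACCOUNT_LIMIT, window=WINDOW,
                 new_age=NEW_ACCOUNT_AGE):
        self.max_posts = max_posts
        self.window = window
        self.new_age = new_age
        self._posts = {}  # user -> deque of post timestamps inside the window

    def _prune(self, user: str, now: datetime) -> deque:
        """Drop timestamps that have slid out of the window."""
        q = self._posts.setdefault(user, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def remaining(self, user: str, created: datetime, now: datetime):
        """Posts left in the window, or None when the account is not throttled."""
        if now - created >= self.new_age:
            return None
        return self.max_posts - len(self._prune(user, now))

    def allow(self, user: str, created: datetime, now: datetime) -> bool:
        """Return True and record the post if the user may post now.
        Established accounts pass straight through; a burst from a fresh
        account stops at the limit until old posts age out of the window."""
        left = self.remaining(user, created, now)
        if left is None:
            return True
        if left <= 0:
            return False
        self._posts[user].append(now)
        return True
```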

Search Drupal; if there is a module that can do that we could look into it.

The difficulty of this site’s Captcha is zero. I like it this way. This is a small price to pay for a really good forum where you can get some very useful help and information. I have learned nearly everything that I know about the PBX world from this forum. I say keep it on the post for us new guys. However, can you put a refresh button there for those questionable Captchas?

Absolutely right- If people are in need of help, they won’t care if they need to enter a Captcha. In my opinion there’s already a lot of great effort put into this project: I hate to see some &(^*&^!! spammer create more work than there already is! Just about everything of import on the net AT ALL is protected by Captchas- why not this? It’s easy for both sides.
My $.02- and I’m happy to verify the Captcha at the end of this post! :slight_smile:

Sorry, I think you still should have dismembered him. :slight_smile:

Can’t they be automatically banned or deactivated?

Well, if we knew a way to automatically ban and deactivate them, we would do so :slight_smile:

We clearly don’t enjoy having to manually deal with these.

So if you know of something or a module in Drupal that we don’t that might be able to do this, by all means share!