Deleting Spam

Jerry · 2009-07-06T16:57:28-05:00 (Monday)

Ok, so the CAPTCHA modules for CAOS have been updated, however there is still some spam making it on to the forum. Greg & Jeff think that this is manually entered spam, which means there is no automatic way to keep it from showing up.

Jeff, Greg, and I get notices for new accounts, and we delete suspicious ones. We also delete any associated posts.

However an occasional spam post gets left on for a little while. We will delete it eventually.

Here's my question: If I delete a spam post, should I delete a post by a regular CAOS member who posts a message saying the last post is a spam post?

Tangent Orchard · 2009-07-06T19:44:22-05:00 (Monday)

Quote from: JerryHere's my question: If I delete a spam post, should I delete a post by a regular CAOS member who posts a message saying the last post is a spam post?

Please? ^_^ The last few times we've had a spam post that was deleted, I came in after the fact and only saw the CAOS member's post, which seems to be about the same off-topic-wise, in all honesty.

raptor · 2009-07-07T04:13:49-05:00 (Tuesday)

Yes, When I delete spam I delete the post calling it spam as well. I try to check to forum at least once a day and keep an eye on things. Especially when I receive an email telling me of a new member joining (almost daily). The other officers have been informed to check, but may not be keeping as close an eye on things.

arcdrag · 2009-07-07T08:51:11-05:00 (Tuesday)

Quote from: SomethingFunny on 2009-07-07T04:41:27-05:00 (Tuesday)
Yep,it's very hard to control it.Anyway,spam is 1 part of the internet.We gotta accept it.

Coming from someone making their first post with 4 websites in their sig...I must say your name suits you.

I'm just really curious how bad one's life must be in order to reach the point where you think that the best way to make money is by manually spamming random web forums.

Shaun Martin · 2009-07-07T13:07:32-05:00 (Tuesday)

Wow, just wow. We've got spam bots with attitude on this forum!

raptor · 2009-07-09T04:22:37-05:00 (Thursday)

I just went through and removed these 'spam-esk' users who are from Vietnam and Pakistan.

Scott

raptor · 2009-07-15T12:54:32-05:00 (Wednesday)

So a conversation arose on a thread that was hijacked by a spammer. Essential the problem is such:

People, be it bots or actual people are creating accounts and making what are related yet irrelevant posts on old threads. They also use some horrible yet amusing broken English. These users happen to have spam ads galore in their sigs. This seems to be happening on a now daily basis.

I have opened the floor (and bribed with a CS @ SIUE shirt) to anyone who has a solution to the problem. Currently it seems as though most of these spammers are from distant foreign countries. I considered doing an ip check upon creating accounts, but that could prohibit people with valid reason from being members, and could be easily avoided with a proxy server.

Greg has suggested the following:

"How about a short English grammar exam on the registration page. Laughing

There is a small possibility that some of them are actually bots. There was a lot of news recently about bots getting better at breaking captchas. They were targeting Google at one point and generating massive numbers of spam email accounts. They go for whatever they can that will give them the most bang for their buck so to speak. Because SMF is so popular, there may be a group out there that specializes in writing bots that can beat SMF's captcha. If this is the case, all we need to do is make a trivial change to our captcha so that it is different enough from the standard that the specialized bots will not be able to figure it out. What I really want to do is change the fonts that are used. If you want to help, see if you can find some free, heavily styled font and convert it to the "gdf" type such that I can put it in CAOS's fonts directory (I'll need the individual letter gifs as well). If you do convert some obscure font, email it to me (I don't want some would-be hacker to download the zip from our site and add it to their arsenal). "

If anyone would like to do this please feel free. I am also open to other thoughts and ideas. Mark Sands suggested some nature of a test that someone familiar with the department would pass. Again I am concerned this could keep our legitimate users.

The only option I've thought of so far that would for sure work, yet isn't very nice to users would be requiring administrator/moderator approval before a new account is created. I considered maybe an audio only captcha but that won't work for people using machines without speakers.

Scott

Gregory Bartholomew · 2009-07-15T13:12:06-05:00 (Wednesday)

I've just disabled the audio option on the registration page as it occurred to me that the audio is probably easier for a computer to crack these days than the captcha. Let me know if this is unacceptable. As for the grammar test, I was thinking of something along the lines of:

Which of the following is proper English:

A. I was to tired to post yesterday.
B. They were happy, but there mouths didn't show it.
C. One plus one equals three.

We would need to build some sort of database of such questions to pull randomly from and having a higher ratio of incorrect to correct answers would be good to.

gb

Gregory Bartholomew · 2009-07-15T13:59:43-05:00 (Wednesday)

I just had a thought. To cut down on the number of sentences that we would have to contrive, could someone instead write a program that would generate random, simple sentences but substitute the more common grammatical errors? This way, we would only need a few lists of nouns, verbs, adjectives and the like. It wouldn't matter that the sentences didn't make any sense, only that the grammar was incorrect. The program would need to substitute common grammatical errors such as "your" in place of "you're" - things like what are listed here: http://news.zdnet.co.uk/itmanagement/0,1000000308,39273376,00.htm. I think we should still go with a database of correct statements though, just to be sure. I would also make it a rule that the "correct" sentences should not be logically correct or sensible to be sure that they blend in with what the computer is generating.

raptor · 2009-07-15T18:38:06-05:00 (Wednesday)

To be honest, I like this idea. We would make them answer like two or three of them. LOL example B is subtle, switching there and their. I'm not sure everyone would grab that right away.

Don't worry about audio disabled. I was simply throwing out thoughts.

Robert Kennedy · 2009-07-15T19:29:57-05:00 (Wednesday)

I'm just going to throw out a couple of low-tech ideas that I've seen other forums use.

1. Disable signatures/links in a user's posts until a user has x amount of posts
2. Only automatically approve users that have a semi-local IP address. All other users will require an admin approval.
3. Automatically lock threads older than x years.

Tangent Orchard · 2009-07-15T20:05:33-05:00 (Wednesday)

Just as a tangent from the original thread this came up in; I'm also not entirely certain these are actual bots. I've been going to a couple of different forums for several years now (long enough to get acquainted with the process) and we've had maybe two people that actually posted something that wasn't a deluge of e-commerce links. (But even then, they were posting a news article word-for-word.) These new spam-users look to be more like humans than any bot I've ever seen, which would make this task difficult. =|

As for the post above, I partially disagree with #2, although the admin-approval thing is nice if someone looks at it daily. I know of several students that go back and forth (sort of) from here to India, for example. We wouldn't want to block those by accident.

William Grim · 2009-07-15T22:43:44-05:00 (Wednesday)

Before jumping to a solution to a problem that may not exist and wasting a lot of someone's time, how do we know that CAPTCHA has been defeated? From what I understand, it was actual people being paid low wages to beat Google's CAPTCHA, not an algorithm. Though, look up the historical meaning of "computer" to see the irony about saying computers themselves weren't breaking the CAPTCHA; wikipedia can help with this.

How about we start simply and record the estimated number of spam accounts created per day. Next, make a very slight and simple change to CAPTCHA and see if the new number of spam accounts goes down. If it does, then the problem is CAPTCHA, and you need to improve it; if not, then the problem is most likely an exploit in SMF itself, and you should start searching there.

Secondly, if it is CAPTCHA that's the problem, the most awesome CAPTCHA system ever would be a playing a simple game from a random set of simple games. You'd have to win in order to pass.

UPDATE: I just saw another spam attempt. Greg, I think a scan of the Apache logs may reveal something useful to you, but I'm only guessing. Also, I'm too lazy right now, but perhaps you could use Fiddler for IE (or the Mozilla/Safari equivalent) to see if any odd websites are being loaded when you look at CAOS, which would indicate the site has been compromised.

William Grim · 2009-07-15T22:48:16-05:00 (Wednesday)

Also, just for the record, I have to disagree with #2 completely. I would have to stop coming here if the forum became hostile to friendlies.

raptor · 2009-07-16T07:41:15-05:00 (Thursday)

Ryan Balfanz proposed some English math...
Ex:
Q- What is you + me A- Us

But I think one can see how this could become not so straight forward in all cases

What about this:
When creating an account we show a simple picutre. A ball, a cat, a dog, a house.

The user has to type into a text box what the object in the picture is. We would use very straight forward simple images, and one word answers.

This will tell us right away if these are bots or real people.

Scott