Spam out of control: Q&A ineffective
 

You would think security Q & A would slow it down, but with the vB Q&A and a NoSpam! Q&A together, we still get 12~15 spammers a day who make it through the reg process. That's with StopForumSpam too.

If bots cannot solve Q&A, then there are people out there daily registering? Is that likely?

The vB Q&A goes something like this: What does a ship sail on? With the answers being waves, ocean, sea.

The NoSpam! question is more difficult:

Come on, no one can answer that question without spending 30 seconds googling, you mean to tell me there are Philippinos in a warehouse somewhere actually going to that much effort to spam our forums? :confused:

Any suggestions would be greatly appreciated.

Have you tried registering at your own forum and seeing if you can either just click through any of the questions or enter rubbish and still get through?

also make sure the solution is not mentioned within the page or the question, like our last question/answer was:

Which color does a red firetruck have?

Apparently, some bots were intelligent enough to try words which are bold and/or other words from the page. So we changed it to something not as obvious but still doable by humans and had no bot registration since, with 10+ registrations from bots with the old Q/A

That is exactly what is happening. People underestimate the number of human spammers out there.

You know that persistent mobile phone spammers here on vb.org ... they are all human spammers.

Here is what I do.

https://www.vbulletin.com/forum/show...-on-your-forum

Of course, and it does not allow registration when trying rubbish or variations of the proper answer (ex: "Tiranta" instead of "Tirante"). Good suggestion, though.

Yeah, it must be human, or there's something really wrong with the Q&A sceme. I worry that, because the answer of the Q&A is in the vB options, there's some way that a bot can find the answer and supply it to the Q&A. Has anyone checked that? Like I said, wow, it's hard to believe humans are googling an obscure WWII submarine question to sign up to the forum, when they are deleted within 2 hours every day. :p



Hey Andy, yeah, your post is famous, it's where I began my anti-spam crusade. I used to use the Q&A ideas from it, but I have made it harder, as you can see in my original post. I have created a Custom profile field, I will make it "required during registration", very good idea, thanks.

I was wondering the same thing one day. We get maybe 5-10 spammer registrations a day and I was wondering if they were human. I wrote some code to log questions shown and answers guessed. I only ran it for 1 day, but I found that there were a lot of "aborted" registrations, i.e. started to register but never offered any answer to the question, so I guess that those were bots that couldn't handle q/a. But the ones that did answer didn't do anything like entering a lot of guesses, they normally got it in one (and our questions don't have the answer as part of the question at all). There were also a few wrong answers like you'd expect from a human. In any case, I didn't see any signs of q/a being bypassed or guessed via brute force.

I also wondered about the possiblilty of a human finding the answer and somehow recording it for bots to use, but I find that changing the questions makes no difference to the number of registrations we get, and one time we got a few registartions right after I changed them.

Yeah, I think you're right, there must be a network where a human spammer is assigned to answer the Q&A, and then can set up bots to go from there. I need to add about 200 Q&A, that may help.

I will copy the message I have at vb.com, I am working on a spam tool with Eric, to help admins and moderators detect spam in new members who actually get past the registration but have not made a spam post that members will see and report. Generally, there are a lot of spammers who never post, but have spam in their sigs, or homepages. Eric based it off his new members mod, and I'm sure half of the people here can tweak that to achieve the same results as my Spam Check mod. I would rather reward him for helping me, and when it is finished, let him release it as a new mod (my contribution to the Global War on Spam ;)).

It's just a variation of the New Members mod, but it lists the user signature (if they have one) and homepage (if they have one) on the member roster, making it super easy to detect spammers with spam sigs or homepages. There is also an option for moderators to "Infract" them into a spammer usergroup, allowing you to Move/Prune them off the db.

I have asked him to add the custom user profile to it, that should be all it takes to easily detect and prune spammers at will.

Take a look at Zb Block - Stop Spam & 'bots @ Server Not only does it keep a lot of spam bots out of your hair, I was amazed at how much bandwidth we wasted each month on such.

EDIT: Fixed above LINK, extra http:// in there for some reason?

Internet Explorer cannot display the webpage :confused:

That's great - I think about that every day when I'm banning a few sig spammers. I used to wonder why some would register and then come back days or weeks later to post the spam, then we installed Spam-O-Matic which checks SFS and it became clear, they probably want to create a bunch of accounts before they get listed on SFS.

So, yeah, maybe something like flagging someone who hasn't posted but logs in just to edit their profile? And being able to list users that are somehow "flagged" as possible spammers, showing their posts and profile fields (and maybe lookup in SFS and any users with matching ips). I'd use that.

Even I used to think that all spam is posted by bots and was baffled as to how they can answer the complex questions I was framing. The only explanation that I could come up with was that some human was opening the door for bots to post spam. But I was wrong even there.

As I devloped more and more complex countermeasures to combat spam, I could see them resisting and trying to counter may antispam measures .. live. I literally had live battles with them. I even traced to where most of the human spammers come from - China, India and Nigeria.

In any case I finally won. I now know how to completely defeat all types of spam and despite all the efforts of all the spammers, they havent been able to post a single spam post on my forums for years. And no .. I dont moderate registrations or even ask new members to solve a captcha.

I hope to write a article on my experiences sometime.

Have you tried this? It is guaranteed to reduce bot spam to nothing (make sure all of the bot accounts are deleted before installing this to get the best results).

Wonderful :rolleyes: You know, this forum is where we help each other with things like this.

--------------- Added [DATE]1308031563[/DATE] at [TIME]1308031563[/TIME] ---------------

Well, that didn't work, even the spammers know an answer to the custom profile.

It will work if you use regexp to ensure that the word is written correctly, i use this ^[A-Za-z]{2}[,A-Za-z ]*$ in one of my profile fields to make sure users enter only letters in any case they wish, i want my users to enter a lcation in this fashion London, England, this particular expression will not allow them to enter London England, LondonEngland or London-England but will allow London, take a look at rexexp http://www.php.net/manual-lookup.php...ion=preg-match or search the next for it and build your own :)

Yes, I will expedite the work on my article. The only thing I fear is that once spammers know of my antispam system, they may take countermeasures.

All of these problem solving anti-spam measures like questions, captchas etc ... will only stop bots. They will not stop human spammers. For human spam you need entirely different anti-spam measures.

Well, that's true, but we are not really looking for another Q&A, where a precise answer is required. We already have 2 Q&A, this is just a custom profile field to see if the answer makes sense. They could answer "I dunno" or ""Not sure" and still be ok. With the two Q&A as mentioned above, I think it's enough of a hurdle for real new members to jump :)

Fair enough. I'm sure the turds who manage the spam factories read these forums. I know I read theirs. Maybe it would be better for you not to write this in public.

The mod I linked in the previous post and my signature stops human spammers. :)

Yes, thanks, I'm not interested in charging for membership at this point.

Thanks for sharing that. Even if it cost 49 cents [only once] for visitors to register and put money in your pocket, you still would not implement an extremely effective anti-spam measure? Well, any ranting from you past this is pointless; you just don't want that spam gone badly enough, eh? ;)

He is not ranting and he is being sensible. Most visitors will never pay for membership of a forum. And while your mod will surely keep away spammers but it will also keep away most visitors from joining the forum even though they may be potentially great forum members.

It a very drastic measure and is like throwing the baby with the bath water. It will also work in only certain rare niche forums where people are willing to pay for membership otherwise it can do more damage than spam by deterring members from joining.

Acceptable anti-spam measures should not just be effective but also not cost anyone anything and cause the least inconvenience to members or forum staff.

Call it ranting, voicing discontent, or complaining. They mean the same thing and there is nothing wrong with doing so until there is a solution to the problem. Then, it is "pointless" ranting because you have found a solution, maybe not one you are fully familiar with but a solution nonetheless, yet continue complaining. Implementing a registration fee, even 49 cents, adds value to your forum: it places worth on membership and adds demand; it must be worth something if you have to pay for it, no? Also, do you have any data to back up your seemingly speculative statements about visitors being kept away?

You seem to be omitting the registration amount for some reason. If your forum is not worth paying 49 cents to register on, you have bigger issues, wouldn't you agree?

World peace should not just be effective, but also not cost anyone anything or make anyone uncomfortable and cause the least inconvenience to everyone in the world. ...What you speak of is a fantasy solution. It does not exist. Any more questions?

It depends on the forum of course. I might pay to join something I really need, but probably not just to discuss something given the number of free sites there are. I won't even bother registering unless I'm pretty sure there's something I want. And it's not the amount, it's providing a payment method that's the problem. So while I don't have any data to back up the idea that it would discourage potential members, I think I can safely assume that some percentage feel like I do. I know a lot of people who are a lot more paranoid about their privacy than I am.

That said, it is an excellent way to discourage spammers.

The fact that your second question doesn't change hurts you, there is only one answer and once you have that, you might as well not have the second question.

The first question it looks like you have 4-5 questions, all moderately general knowlege, or at the very least some basic world history/WW2 history would get you past.

Actually i meant having the regex for the profile field :) but i understand what you're saying about making things lengthy for users, but i guess it's a fine balance between being sensible and killing your forum either through spam or making the hurdles to high ;)

You bring us to the topic of forum quality. If there isn't something you want, why would you register?

If a handful of people are paranoid, it's ok; the forum will continue working without them. Do you disagree?

And yes, it is an excellent way to prevent spam. :)

Wow, dude, just because I politely decline the mod you're pimping doesn't mean to have to switch full-auto to jerk mode. I'm sure it's very effective against spam, probably equally effective against new legit members :)

Yeah, you're right, I've added 5 similar questions for the first one, no way anyone will answer that without google ;) The easy question is justa first hurdle to stop bots.

Ah, gotcha. Thanks for that :up: Yeah, I think we are at the max inconvenience point for new members. We are still getting about the same number each day (25~35) and around 5 spammers make it past SFS, the two Q&A and the required custom field. After that, the moderators have to rely on the Spam Check page.

Well, I think forums work by "critical mass", so you'd want to make it as easy as possible if you're starting. I can't believe that if you were trying to start up a forum and have some of the costs paid for by ads that you'd want to make it any more difficult than necessary to join. On the forum I help out on, we have plenty (probably too many) volunteer moderators so spam isn't really a problem - it gets removed immediately. In fact we get very few spam posts, and we take turns removing the few sig spammers we get every day.

In any case, you're obviously trying to help people fight spam and promote yourself and your mods, so more power to ya. And if you have a site that's so valuable that people pay to join, that's great. But I guess we'll just have to disagree on whether paid registration would be right for everyone.

FWIW, why not have a newly registered usergroup who have no rights to change their profile and can only post in one place like an introductions forum, this way they cannot modify their sig, their post spam or not will only appear in one forum maiking it easier to weed them out, you, your admins and mods will only ever need visit one forum to find them :)

Charging members so they can have a spam-free experience is ass-backwards, IMO. It's your responsibility as the board owner NOT the members' responsibility.

Also, there are major privacy/security concerns with people paying, depending on the industry.

That's an interesting point of view. If you are just starting a forum, the spam may be manageable by conventional means such as captcha, Q&A, and old school moderation as you said. As you expand and get more traffic, even for a small-mid size forum, things get out of hand very fast. Factor in moderation time, negative impact on the brand's image, and ineffectiveness of conventional solutions on a larger scale; these things cost the administrator much more than the members would be paying to register, put together! Imagine how your volunteers could be used to spend their time and resources into creating positive change on your forums rather than destroying negative spam.

That said, members paying to register seems to be a recurring concern and I would just like to throw the idea out there that you can simply refund the fee. Thank you for inspiring this concept; maybe I will work it into the modification as a feature!!! :)

I work on making the modification right for as many people as possible! :)

Well, it wouldn't be a bad feature, but like I mentioned before I think it's more the idea of providing payment information rather than the amount. I do see your point of paid registrations making your forum seem more valuable, and if a forum is established and not desperate for new users then it might not be as bad to add another registration hurdle. But of course not everyone is in that situation.

Oh, I did not know it was about providing payment information. All payment information is stored at the processor (e.g. PayPal), and your address, in the case of Paypal, is only released if you are receiving tangible goods. Are there any other big concerns?

Yes, besides driving people who can pay you have to understand that not everybody has the ability to pay on the internet as well. There are countries in which paypal and other payment processors dont operate. Besides that not everyone has access to online payment modes.

Also please stop peddling your semi-commercial mod so aggressively. You may well believe in the value of your mod but others may not agree with that.

A vouching system could mitigate what is projected to be a very small issue; interesting point nonetheless! What, in your opinion, percentage of people in the average forum's target audience does not have the ability to pay [and get refunded] over the internet?

vBulletin supports quite a few payment processors out of the box (Paypal, NOCHEX, Worldpay, Authorize.Net, 2Checkout, Moneybookers, CCBill) so country restrictions should not be a huge concern. What country does not support all of those?

Peddling? Semi-commercial? Very strong words! The subject of this thread is spam being out of control and the ineffectiveness of Q&A implementations. What do you feel is semi-commercial about the paid registration mod freely available and supported here?

Stick to the topic please.

All the capchas in the world won't stop human spammers, and to answer the OP's original question, yes it probably is a human using google to answer that question.

How often does it change because if they can answer it once and add it to a database somewhere they never need to worry about it again.

Is your forum mostly specific to 1 country or area? Moderating entire countries from joining might be an option. https://vborg.vbsupport.ru/showthread.php?t=231315 - The mod is for 4.x but I think it will work on 3.8 too.