TheUsualAlex Posted September 21, 2006
ARGH!! STUPID SPAMMERS!!!!!!!!!!!

edward Posted September 21, 2006
Yeah, I think we have no choice but to change *something* about the registration so that it's not the stock forum. Or else these spam bots will easily create new accounts.

Jason Posted September 21, 2006
> Yeah, I think we have no choice but to change *something* about the registration so that it's not the stock forum. Or else these spam bots will easily create new accounts.

That was a fun one.. Yeah, you're right of course. We'll do something.

Marc Posted September 21, 2006
Did you delete some too J? I got two myself... It was a busy day today. I managed to delete and ban over 5 accounts before they managed to spam us. This guy slipped through, I was willing to give him the benefit of the doubt cause I couldn't find his username in Google ... Any suggestions are welcome.
M

TheUsualAlex Posted September 21, 2006
I don't have any suggestions, but on the bright side of things, I finally got over 900 posts now! EDIT: Dang, Jason! How did I get so far behind you!

edward Posted September 21, 2006
Ok, I haven't tried this but how about we search and replace for "agree_to_terms" with "agree_to_odforce_terms_if_human" in both the skin template and php code. I found it in the register stuff in the skin and in register.php. I have no idea how smart the spam bots are but it might be a worthwhile test. It's probably not enough to just use "agree_to_odforce_terms". How often are we being hit with spam registrations anyhow? I have no idea how much you guys delete each day?

Marc Posted September 21, 2006
Since the beginning of September I've denied or banned 33 people. So we're heading up to an average of 2/day. Some days, like today, are particularly bad... I'm also not sure how many are bots. I think a lot of them are low wage workers who register at a bunch of forums and spam them.

TheUsualAlex Posted September 21, 2006
The security number confirmation doesn't work? How did the spammers manage to get past that image-based security number?

edward Posted September 21, 2006
Well, it would be too inefficient to have real people post spam. You just need people to solve the image for you. So apparently, one scheme is to just cross-post the images to low wage workers that will just sit around and solve the images. As soon as it's solved, the spam bot can then go through its usual thing and well, spam. Another rumoured scheme is to cross-post them on porn sites and make people solve the images in order to get their porn. So the idea is to make it difficult for spambots to get to the point where they can fill registration forms. Do we have any logs about the spam users? Are they coming through to legitimate looking http referers, etc? Or all this could be wrong, and it's just that the invision forum's CAPTCHA is easily solved automatically without humans.

TheUsualAlex Posted September 21, 2006
Hmm... Not sure I understand what you're saying... How about making a portion of the form Flash-based (or Java based)? Does that prevent a spambot from automatically filling the form? Or is it the idea that "if a human can fill the form, then a spambot can also"?

edward Posted September 21, 2006
Just checked out the code a bit more and it seems like the CAPTCHA answer is simply a random number that is being seeded by the current time (in microseconds). I wonder if that is vulnerable. Plus it's only 6 digits. I wonder how fast can a spambot just brute force all 1 million combinations. If the user gets it wrong, I'm not sure if there's a time out. The images seem to be kept around for 6 hours.
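
Added example, not part of the thread and not Invision's code: a Python sketch of the concerns in the last post, with a time-seeded answer next to one drawn from the OS CSPRNG, plus a per-challenge attempt cap, short expiry and single use. The names `weak_answer`, `strong_answer` and `CaptchaStore`, and the policy values, are assumptions made for illustration.

```python
import hmac
import random
import secrets
import time

MAX_ATTEMPTS = 3     # assumed policy: wrong guesses allowed per challenge
TTL_SECONDS = 300    # assumed policy: 5 minutes rather than 6 hours


def weak_answer(microseconds):
    """Time-seeded pattern: the 6-digit answer is fully determined by the seed."""
    rng = random.Random(microseconds)   # stand-in for any PRNG seeded from the clock
    return f"{rng.randrange(10**6):06d}"


def strong_answer():
    """Six digits from the OS CSPRNG; there is no seed to reproduce."""
    return f"{secrets.randbelow(10**6):06d}"


class CaptchaStore:
    """In-memory challenge table (hypothetical; a forum would keep this server-side)."""

    def __init__(self, now=time.time):
        self._now = now
        self._challenges = {}   # challenge id -> [answer, expires_at, attempts_left]

    def issue(self):
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = [strong_answer(), self._now() + TTL_SECONDS, MAX_ATTEMPTS]
        return cid

    def verify(self, cid, guess):
        entry = self._challenges.get(cid)
        if entry is None:
            return False                    # unknown, used, expired or burned challenge
        answer, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._challenges[cid]
            return False
        if hmac.compare_digest(answer.encode(), guess.encode()):
            del self._challenges[cid]       # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._challenges[cid]       # burned: client must request a new image
        return False
```

With the cap in place, a client gets at most `MAX_ATTEMPTS` guesses out of 1,000,000 per issued challenge, so issuing challenges should itself be rate limited per client.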