Temporary fix for the Spammer issue

[Fhaolan 4,483]

Hey all,

Okay, we've set all new users (Blank Flanks) so that they are on mod queue until at least one of their posts is approved by a mod. The idea being that the spammer bots we're being inundated with recently won't be able to get past that as they don't seem capable of creating a 'normal' post before flying off onto selling us counterfeit degrees or whatever the heck they are doing.

I honestly don't know if that setting means that everyone who was already in Blank Flank when I flipped that bit is also going to be hit by this restriction. IP.B is weird, and it might do some things retroactively for all we know. If you seem to suddenly be on mod queue for no apparent reason, don't panic, it's not because of something you did.

This is temporary until the Poniverse developers free up some time to look at the Poniverse Universal Login system and put a captcha or something similar on the thing so spammer bots can't keep signing up for accounts in the first place.

[StrawCherry 1,673]

But I just wonder, why is there no captcha in the first place? As a Webdevelopment student, you learn to add captcha once you create your first form page or however I’m supposed to call that. I just assumed that it would be added by default as many websites seem to have it, so I guess I’m also just wondering what’s taking so long?

[Twisted Cyclone 🚓 6,257]

It's a start. That's for sure. Glad to see this good news today. Thank you.

[Foxy Socks 2,599]

That's good, though there may need to be more done eventually. For the recent spammers it should work, as they clearly are automatic.

[DJ Wolfe 5,334]

Great. Problems solved 

[Jeric 46,850]

18 minutes ago, StrawCherry said:

But I just wonder, why is there no captcha in the first place? As a Webdevelopment student, you learn to add captcha once you create your first form page or however I’m supposed to call that. I just assumed that it would be added by default as many websites seem to have it, so I guess I’m also just wondering what’s taking so long?

First place? As in six years ago? Or first place as in when they rolled out the custom login system in 2013? The site has evolved so much over the years with very little stability in development that it's hard to denote what exactly is the first time, and what solution would be viable for the first time you are talking about. 

Note: there is re-captcha integration with IPB 4 software, however you don't register and login on the forum software. The trick is integrating the two (or three). I'm sure they'll get to it when they can. 

The Chinese characters aren't that much of a bother to invoke an accusatory tone. Wait until something serious happens for that. 

 

[StrawCherry 1,673]

1 minute ago, Jeric said:

First place? As in six years ago? Or first place as in when they rolled out the custom login system in 2013? The site has evolved so much over the years with very little stability in development that it's hard to denote what exactly is the first time, and what solution would be viable for the first time you are talking about. 

Note: there is re-captcha integration with IPB 4 software, however you don't register and login on the forum software. The trick is integrating the two (or three). I'm sure they'll get to it when they can. 

The Chinese characters aren't that much of a bother to invoke an accusatory tone. Wait until something serious happens for that. 

 

First place as in at all. I wasn’t trying to sound accusing, I was just wondering.

[Jeric 46,850]

23 hours ago, StrawCherry said:

First place as in at all. I wasn’t trying to sound accusing, I was just wondering.

Back in 2011, it sucked hard. Didn't get much better for years.

reCAPTCHA captures an audience (Everyone started to like it)

Human Intelligence Tasks Can Break It (Why this is bad)

I don't honestly know why Feld didn't do it back in 2011, he was a youngling then. It wouldn't have worked against spam bots and only provided the illusion of safety. Something that is still relevant today with some vulnerabilities. 

Anyway, reCAPTCHA was not really part of any web development curriculum at the time, and wasn't as ubiquitous as it started to become a year or two later. It was popular and present, but not always implemented. 

 

[StrawCherry 1,673]

2 minutes ago, Jeric said:

Back in 2011, it sucked hard. Didn't get much better for years.

Suck

Hard

I don't honestly know why Feld didn't do it back in 2011, he was a youngling then. It wouldn't have worked against spam bots and only provided the illusion of safety. Something that is still relevant today with some vulnerabilities. 

Anyway, reCaptcha was not really part of any web development curriculum at the time, and wasn't as ubiquitous as it started to become a year or two later. It was popular and present, but not always implemented. 

 

Now thank you for that answer.  It makes more sense now.

…

[Jade Fire 7,059]

im glad ^-^ i was so tired of them ;-;

[Allen 1,387]

Because I suspected that this morning when I woke up the earliest , I let the administrators and moderators know that we have a spammer on this website spamming topics and posts and I want those spam topics to be deleted. The administrators and moderators took care of that spam stuff and deleted all the spam topics and posts, so good job to those who handled the spam on this website!

[Techno Universal 2,575]

Yeah it's just a captcha wouldn't exactly be enough to stop the hackers if they are manually creating the accounts themselves and then handing over control over the accounts to the bot programs once the accounts are up and running. Really the best solution would be to blacklist their computer's IP address or maybe even their network IP address so they can't access the website at all through their computer or home network. Though there are ways to get around those blacklists like they could change their network IP through using a VPN service or they could just use a program to fake their computer's IP address to the website server. Though before you blacklist their network or computer IPs you must make sure they the computer that they are using isn't a public domain computer like if it's a shared computer at a school, office or Internet cafe. That also goes for their network IP to!

[Twilight Sparkle ✨ 8,525]

13 hours ago, StrawCherry said:

But I just wonder, why is there no captcha in the first place? As a Webdevelopment student, you learn to add captcha once you create your first form page or however I’m supposed to call that. I just assumed that it would be added by default as many websites seem to have it, so I guess I’m also just wondering what’s taking so long?

There first needs to be an active staff developer to give such tasks to. It would be an understatement to say that there's been turnover since I started MLPF in high school in that regard which hamstrung MLPF's or Poniverse.net's abilities to get technical updates at all.

Are you volunteering to help? We could use it.

[Kyoshi Frost Wolf 41,278]

Might I suggest a forum registration blood-test captcha? Bots don't have blood so, that might work.

[Twilight Sparkle ✨ 8,525]

13 hours ago, Jeric said:

Back in 2011, it sucked hard. Didn't get much better for years.

Suck

Hard

I don't honestly know why Feld didn't do it back in 2011, he was a youngling then. It wouldn't have worked against spam bots and only provided the illusion of safety. Something that is still relevant today with some vulnerabilities. 

Anyway, reCaptcha was not really part of any web development curriculum at the time, and wasn't as ubiquitous as it started to become a year or two later. It was popular and present, but not always implemented. 

 

reCAPTCHA has historically been awful in practice and, as a professional developer, I wouldn't recommend it to anyone. Because it's so widely touted as the solution to spambots, it's also by far the most heavily targeted by spammers. In particular, it does nothing to stop business-savvy spammers who employ kids in Bangladesh for $0.10/hour to click pictures of traffic signs. There's also the philosophical issue of Google using reCAPTCHA to extract untold hours of labour from the unknowing masses, which gives them an incentive to not go too far in thwarting this particular kind of spammer. The list of issues goes on...

Any custom captcha that is specific to a given site is better than reCAPTCHA or other third-party captchas. They'll confuse human spammers who barely understand English and no bots will exist that understand them. MLPF had this in the form of a Q&A captcha that asked (easy) trivia questions from FiM's first season between its launch in 2011 and the introduction of Poniverse logins in 2013. It worked, and unexpectedly even hampered an attempted raid from a car forum at one point by trolls who didn't know anything about ponies.

For reasons I'm not going to delve into, having a similar captcha on Poniverse.net never made it to the top of the priority pile until recently, and we're short-staffed on developers the task can be given to. Yes, this is a low-key call for help.

[MickeyAdaptus 2,211]

Glad to see there now measures being taken against those spambots, they have been getting pretty rampant over the last 2 months at times, while I do not know much about these Captcha and registration things, I do know that the people who make these spambots are quite smart and usually find a way to bypass such type of things, new measures might hold them off for a while, but they might find a way around it or actually try to go through this 1 post mod approval system.

(Obviously not the automated spambots, but some might actually control that account to go past this 1 first post, and then activate the bot altogether. Not sure if that is how a spambot could work, but it is a good idea to look at what-if scenarios. 

[Courageous Thunder Dash 7,824]

As @StrawCherry said, a captcha would really benefit the site, considering the amount of people that join this site everyday...

[Feather Spiral 1,892]

The main issue with the form of CAPTCHA relying on warped characters is, it alienates users with poor vision (or trouble in the brain affecting recognition of characters somehow). If I already have trouble making out regular-looking letters, but can use text-to-speech (or other tricks) to read posts, I sure as hell won't feel like going through the pain of trying to read warped letters.

It's also a pain when one or more characters have look-alikes. Like "is that an uppercase 'i' or a lowercase 'L'? uppercase or lowercase 'O', or '0'? uppercase or lowercase 'p' and 's'?" You can be a legit fan of MLP who wants to join the community, but be unable to if you have no fucking idea what's even on the screen.

As for reCAPTCHA, we run into the same problem if it says "select all pictures with a sign" and 1+ of the pictures has a tiny piece of a sign. Or if it says "select all photos with a house" and some of the buildings look like they might be houses. Assuming it's a human who determines which photos are "right", it's all very subjectively defined.

The custom CAPTCHA with MLP trivia questions (I'm assuming legible?) is a brilliant idea though. The only spammers/trolls you get would be those who know their pony stuff, easy enough to handle.

Edited December 6, 2017 by Feather Spiral

[StrawCherry 1,673]

3 hours ago, Feld0 said:

Are you volunteering to help? We could use it.

If I could, I definitely would! But I’m only a student that has started in August. I’m in no way capable yet of helping with a professional website.  I hope all turns out well, though! The temporary fix could work well but I’m assuming it also consumes a lot of time.

[Twilight Sparkle ✨ 8,525]

3 hours ago, StrawCherry said:

If I could, I definitely would! But I’m only a student that has started in August. I’m in no way capable yet of helping with a professional website.  I hope all turns out well, though! The temporary fix could work well but I’m assuming it also consumes a lot of time.

> implying Poniverse is a professional operation

I'm a student, too. I only said that I was a professional developer myself; this organization is a scrappy volunteer effort. Please do get in touch if you see something at some point and think "sweet Luna, even I can do this better!"

[StrawCherry 1,673]

 

1 minute ago, Feld0 said:

> implying Poniverse is a professional operation

I'm a student, too. I only said that I was a professional developer myself; this organization is a scrappy volunteer effort. Please do get in touch if you see something at some point and think "sweet Luna, even I can do this better!"

 Hey, to me this is very professional.  I definitely will if I ever think that!

[Rikifive 24,080]

Oh great, they started to get problematic lately.  

 

I think it's not a bad solution to be honest. That way, you at least have a chance to see what the account was made for (after doing some magic behind the scenes, that is). It shouldn't be an issue for the members, as it would happen only once, at the very beginning (that first post). 

Also, sometimes I'm not sure if they're bots. If somebody wants to advertise their weird stuff so bad, they'll do that, even manually and that's what spam-preventing protection upon registration won't be able to catch, unless the posts themselves would be scanned for suspicious content, such as links or words specified in the word filtering list.

To me, it was a good step. Hope they'll get rekt!  

[Fhaolan 4,483]

Okay... so it's not quite working as intended. It's *close* but there's a bit of IP.B-style 'reasoning' that's causing this to act weird. It's not looking for the first 'mod approved' post to remove you from the mod queue. It's looking for the first 'mod approved' post in a forum that counts towards your rank. So posts in Welcome Plaza and Forum Games, for example, aren't counting towards getting off the temp queue.

Well, that's a bit annoying. I'll see if there's anything else I can think of using the settings I have access to... 

Never mind, I've just been informed that the Poniverse Login's account creation page now has a question/response process that will filter out bots, so we don't need the mod queue bit anymore. I'll still look into other options, and keep them in our back pocket in case we start getting waves of Troll accounts, which will require different treatment from the bots.

[Jeric 46,850]

7 hours ago, Fhaolan said:

Well, that's a bit annoying. I'll see if there's anything else I can think of using the settings I have access to... 

Never mind, I've just been informed that the Poniverse Login's account creation page now has a question/response process that will filter out bots, so we don't need the mod queue bit anymore. I'll still look into other options, and keep them in our back pocket in case we start getting waves of Troll accounts, which will require different treatment from the bots

I love the fact you do that. It conjures images that you have an implant and are getting feeds from the server. Poniverse cybernetics, coming soon to a Pony Con near you!

 

[Pripyat Pony 2,608]

Was gonna suggest a question and answer instead of a capcha as there are people who's job it is to solve captchas and pave the way for spambots. O_o

On one site I go on, there's a specific question you have to answer before you can register; it would be easy enough to answer if you're a genuine fan (it's an Ace Frehley site and the question is to pick out the Ace songs from a list) but a spambot wouldn't be able to do this. It works a treat.