Death to Link Spammers!

[ScottyDM]

This is the common werebadger in his hunt/kill configuration:




What does a werebadger like to hunt and kill? Trolls are tasty, if a bit chewy. Noobs, Dipweeds and Twizots are always on the menu. But the werebadgers favorite is Link Spammers. Ummm, Link Spammers!


After a few days of investigation the common werebadger has discovered the identity of TF Central's Link Spammer and has even managed to acquire a photograph. This is our Link Spammer :




Harmless? I think not. A most vile rodent. Link Spammers dig holes in the landscape (not that digging is so terrible, but they take it to extremes), eat all the vegetation, poop in public, use excessive bandwidth, smell bad (coming from a werebadger that is a damning acquisition), clog up the database with their shed hair, carry disease, drive down property values, and just generally make any forum they visit look like a ghetto. This werebadger has vowed to "take care" of any Link Spammers he can find.


To a werebadger, this is what a Link Spammer looks like:




Any questions?


Scotty

[catprog]

Here is an idea to maybe stop bots signing up.

Place another text box on the sign-up form and ask a question(e.g 1+1,1+2 or something similar). If they get it wrong no sign up for them

[Igm]

How about... personal email verifications? For example, apart from the regular verification you also have to send a reply justifying that you're actually a real person. I doubt that too many people register everyday, unless they're spammers, in which case they wont be able to post... The logical question one is not a bad idea also - why don't we combine both? You can have a random logical question be asked in each email, to which you would have to reply properly... Plus any reocurring mailserver/ip/email will also be automatically discarded.

[AshTR]

Very nice. Some sort of registration verification would be nice since the bots get irritating.

[ScottyDM]

The code that runs this site is by vBulletin. We have version 3.5.4 and the latest is 3.6.4, but both seem to use the same anti-spammer technique. Both use a captcha that consists of a distorted image of letters and numbers you must enter to get an account. A captcha is Carnegie Mellon's name for an automated Turing test.

There is a possible problem with vBulletin's captcha technique, which is based on how the data is passed between pages 3 and 4 of the signup process. I don't have access to the PHP source code so I can't tell if the possible problem is a real problem. I've been at vBulletin's site and sent them an e-mail asking about the issue, but since I'm not their customer they won't give me "support". I doubt if a developer will see my e-mail.

While on the vBulletin site and checking out their forums I found reference to a professional link spammer's tool set. I won't mention the product here. On that site they claim their "bot" can read nearly any distorted text-based captcha in only 1 to 5 seconds (there are 86,400 seconds in a day). I was skeptical, of course. Their base product is $450. Link spamming is a freakin business. Link spammers are not playing around and we should stop treating them like naughty children.

Carnegie Mellon University created the captcha and they say some forms of text-based captchas have been "cracked" by sophisticated character recognition programs. So perhaps that link spammer's tool set really can read captcha text. They don't need 100% success, 50% is good enough. Try it, fails, try again, fails, try again and success will mean success for 7/8ths of the attempts. Check out this picture based captcha, also developed at CMU.


I've been working on building some code from scratch for my website. I need a login system, user profile pages, story uploads, and more. This link spammer issue has been very educational for me. I hadn't really thought about adding a captcha, or even a system to ban users. What I do have is an awesome audit system that logs every time someone logs in or changes anything in the database (what they did, user id, IP address, etc.). I should probably think about a captcha and banning system and other things too. But quite frankly, without any user being able to affect any public pages, the value of my site to link spammers should be low (read that Register article to find out why).


Oh yea, vBulletin's official policy on link spam seems to be, "Add more mods." They don't understand how a small board with only a few members possibly be bothered by something like link spam.

I'd be astounded if the spammer bot people are not customers of vBulletin and every other publisher of forum, blog, and guestbook web code. I imagine they reverse engineer everything they get their hands on. Because of this we may be best off with splicing in custom anti spambot code. I did note that they (the bot people) do not run Java Script because not enough forums require Java Script for account creation. They also don't do picture or audio captchas. They are able to handle automated e-mail verification and are able to automatically grab free e-mail accounts at places like Yahoo, MSN, and Google.

Scotty

[Igm]

I suppose we need a new type of captcha algorithm... What if you combined the traditional alphanumeric text with small picture-symbols, or even algebra problems and geography questions? Or maybe faux-symbols, for example "type in the text without typing in the G's". Anything that requires a bit more logic, rather than simply typing in what you see in the image.

[ScottyDM]

Quote:

Originally Posted by Igm

I suppose we need a new type of captcha algorithm... What if you combined the traditional alphanumeric text with small picture-symbols, or even algebra problems and geography questions? Or maybe faux-symbols, for example "type in the text without typing in the G's". Anything that requires a bit more logic, rather than simply typing in what you see in the image.

True, except something like a geography test would exclude about 75% of Americans under 40 years of age (being over 40, I can say that).

The W3C is unhappy about the existence of captchas, claiming they discriminate against visually impaired Internet users. One could use an audio captcha, but that discriminates against the aurally impaired. And I'm afraid a logic or geography test discriminates against the intelligence impaired.

How do you broaden the test so you can include these groups of humans, while excluding machines?

Scotty

[ocalhoun]

The solution is really quite easy.
In the template page that controls how the registration page will look, add a line that says 'enter the code you see here BACKWARDS' in nice big letters that even noobs can't miss, then in the php code that is behind that section, add a line just before the entered string is tested to see if it matches the original string such that the one of them is reversed (the strrev() function, I think).

Bots wouldn't be able to understand that they should enter it backwards, and they would all fail to register. (except for the very, very rare case of a random string which reads the same forward and backward)

[Igm]

Quote:

Originally Posted by ScottyDM

True, except something like a geography test would exclude about 75% of Americans under 40 years of age (being over 40, I can say that).
Scotty

Heyhey, thats what Google is here for Come on, people aren't so lazy, to not even make as little effort as that

Quote:

Originally Posted by ScottyDM

How do you broaden the test so you can include these groups of humans, while excluding machines?

That backwards thing is not a bad idea... or even, the instructions on how it should be read could be randomized and imprinted on the captcha itself, next to the word - that will most surely confuse any type of bot.

[ScottyDM]

Quote:

Originally Posted by Igm

Heyhey, thats what Google is here for Come on, people aren't so lazy, to not even make as little effort as that

Are you sure? I have examples of lazy?


A few minutes ago I was staring at my "users" table for the website I'm building. My needs are different and I'm a glutton for punishment (as long as it's something fun that involves reading technical manuals) so I've been hand-coding my own system from scratch. I didn't have, then put in, then took out, an intermediate users table. My biggest concern was people who have multiple accounts so they could skew voting results, I hadn't thought much about bots and I don't yet have a way to ban users either. My plan was to just delete their account (and loose all information about them).

Now I'm thinking I should go back to having a NewUsersButNotYetApproved table so I don't clutter up the real users table with a bunch of randomness. I'm also thinking of having several Turning tests in the signup process. Most will be invisible and based on behavior. That is, some things a machine does far better than a human, so you need to not be so wonderful to pass; some things a human does better than a machine; and some things humans and machines do differently. Everyone who wants to signup may, and in the temporary-users table they will have their information and a score on how well they did on each of the tests. The final test will be to answer the e-mail (something both bots and people are equally good at).

Maybe I should call that table "purgatory".

To get out of purgatory one could have done exceptional on the Turing tests. Or I could move them out manually after reviewing the account information. Or I could let them post, but disable the ability to post links--then after so many posts they'd get their upgrade to normal userhood. And "I agree," or "Hi, I'm new here," just increases the number of posts you need to be able to post a link.


Since I don't have access to the source code for TF Central, I can't do too much here. But it's an education.

Scotty