It's getting late! Umm...no real coherent thoughts on this I guess. Anything stopping real users - bad
I'm just aware that all we do is police actions, so full porn images get posted, and a spammer could do some damage post wise to the forum before an admin came along to stop the user
Perhaps the best option is, especially if we want to eschew image-based security, to go for our own security based around some easy-to-follow directions, but is something that isn't usually done so isn't easy for spam systems to just automatically circumvent. For example, something like typing the first letter of every word in a given sentence, or answering a very easy trivia question about DM... or text-based things along those lines. I'd be happy to contribute by writing up a bunch of tests/expected answers if we want to go with this, and I'm sure others could too, that way the only work for Gambit would really be adding the Q&A to the registration form.
I think the DM trivia would be best. Even link to the DME monsters section where the names are, and just present a different picture a computer would not realise is the same.
I don't know about using a monster image. That makes it image-based again, and there's no need to introduce that.
In addition, that introduces further technical complications, requiring more assets (graphics of the monsters), a link to the proper place, and it inconveniences the user by having to look something up if the trivia is too tricky-- who's going to remember a word like "Oitu" if they haven't played this game in 15 years?
Simple text questions are enough to fool all bots. "What is eight plus four", "Are you a real person?" etc. It's when human spammers get in on the act that this doesn't work.
No well-designed system is going to block human spammers, since the point is to distinguish between humans and bots and, as much as it pains me to admit it, human spammers still qualify as 'humans' for the purpose of the test.
But if simple text questions are enough to fool bots then I'd say go for that instead. Is it possible to randomly generate the question as:
"What is {field1} {field2} {field3}?" with field1 taken from a list of numerals (in plain letters), field2 being either '+' or '-' and field3 being a numeral smaller than field1? I guess, more generally, how easy is it to add this type of question to the registration process currently? How easy would it be with phpBB3?
phpBB3 has this question thingy but stupidly, if you get it wrong, it tells you the right answer on a page refresh! How dumb is that? Bots will eventually work out how to harvest the right answer from the next page! Duh.... sometimes, I don't think the phpBB devs have a clue.
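The randomly generated question proposed above, combined with a check that avoids the behaviour described for phpBB3 (a wrong answer never reveals the right one, and each question can be tried only once). This is an added example, not code from the thread or from phpBB; the word list, function names and the in-memory nonce set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed word list for this example; field1 and field3 are drawn from it.
NUMERALS = ["zero", "one", "two", "three", "four", "five", "six",
            "seven", "eight", "nine", "ten", "eleven", "twelve"]
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client
_used_nonces = set()                  # replay guard (assumption: a forum would keep this in session/DB)


def _tag(nonce: str, answer: int) -> str:
    """MAC binding the expected answer to one specific challenge."""
    msg = f"{nonce}:{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(rng=secrets.SystemRandom()):
    """Return (question, nonce, tag); only these three values go into the form."""
    a = rng.randrange(1, len(NUMERALS))   # field1
    b = rng.randrange(0, a)               # field3, always smaller than field1
    op = rng.choice(["plus", "minus"])    # field2
    answer = a + b if op == "plus" else a - b
    nonce = secrets.token_hex(16)
    question = f"What is {NUMERALS[a]} {op} {NUMERALS[b]}?"
    return question, nonce, _tag(nonce, answer)


def check_answer(nonce: str, tag: str, submitted: str) -> bool:
    """Verify once; the nonce is burned whether the answer is right or wrong."""
    if nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    try:
        value = int(submitted.strip())
    except ValueError:
        return False
    return hmac.compare_digest(_tag(nonce, value), tag)


def handle_registration(nonce: str, tag: str, submitted: str) -> dict:
    """On failure, reply with a fresh question and no hint about the old one."""
    if check_answer(nonce, tag, submitted):
        return {"ok": True}
    question, new_nonce, new_tag = new_challenge()
    return {"ok": False, "question": question, "nonce": new_nonce, "tag": new_tag}
```

Because the failed question is discarded rather than re-shown with its answer, a bot that refreshes the page learns nothing it can reuse on the next attempt.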
This has alternating information in it, and can not be desaturated as the whole image turns solid grey.
I imagine replacing the ones existing with things like this.. or perhaps with images (even though you mention hating them) of easily recognisable items, like an orange, spoon, mouse, cat, etc.. things that people can look at and immediately have the response.
Last edited by cowsmanaut on Sat Jan 05, 2008 5:50 am, edited 1 time in total.
That one is awful.
I can barely decipher it, and my eyesight is just fine.
I dare say this one is harder for humans than computers, too: The protection against "desaturation" is worthless since the image is a bitmap with two and only two distinct colors. That's ideal input for OCR. As for that horrible animation, it can be defeated by simply adding the frames together.
As I said, I'm against image based captchas on principle -- they are inaccessible to anyone with poor or failed eyesight for a start. While we might not have anyone with that problem in our audience, I'd rather not make the assumption.
Anyway, the upshot is that I am going to do the following for now:
1) Upgrade to latest v2 security patch
2) Install some of the mods outlined above
3) Sit back and watch the spammers vanish.
Don't know when I'll have time to do this, and depending on how far out of date the patch is, I might just have to ditch all our mods and themes and revert to subsilver to save time as I've edited many, many core files for the new custom themes. An inevitable downside I'm afraid.
Anyway, when it's in progress you'll know as I'll take the forums off line and you won't be able to post anything. Note that if you are an admin with a cookie saved, you'll still be able to login though. I'll post a note on the forums when it's going to go ahead.
I agree about not using an image captcha (they are slowly getting harder and harder to decipher even for human beings) and see if a simple text captcha would be enough to make the spammers vanish.
Multiple choice with images or verbal questions wouldn't be anything special in my mind. It would be fairly easy to teach a bot which questions/images and answers go together and it could even automatically try the combinations to find out. There would have to be a ton of different questions or they would have to be dynamically generated to reduce the possibility of the same question appearing again.
Of course, if the questions and answers would be printed to a bitmap, the bot would first require text/image recognition to find out what it needs to know. To counter that the text would again have to be ciphered somehow to make it harder to read.. This is a difficult problem indeed..
Not really a difficult problem -- most spammers won't do the extra effort of building bots that can break random human-answerable questions; it's just not worth their while.
Well, most spammers probably don't build any bots but use the ones that other people have created. That kind of takes away the extra effort.
I haven't really studied what usual spam bots are capable of, but if one needs those stupid barely readable captcha images to keep them away, I'd say simple text matching isn't a big task.
Of course, anything is worth trying to see whether it really works or not. I'm not saying that the multiple choice check would absolutely suck. I'm just worried that it wouldn't be that effective.
I think you misunderstand. Asking a specific question that only a human can find the answer to will almost certainly stop all bots. It's not about text-pattern matching.
Yes, but I think that if the possible answers are displayed and you only have to choose the correct one, a bot can easily try them all and remember whether the answer was correct or not. And every time it tries to do that it knows more and becomes more effective.. That is why I think they should not be multiple choice questions where the possible answers are displayed on the same page. It's very easily hackable by trial and error.
??? I never suggested multiple choice. Of course that wouldn't be very sensible. Did someone else suggest that? It would have to be a question that someone could answer quickly and easily but without any reference to it on the site, otherwise it's pointless.
Yes! Cows did.. I was talking about multiple choice questions all the time. Talk about confusion.. But I totally agree with you there. Simple and easy for humans, but the answer should not be found on the same page.
You're one of the few people whose email I have. Each time I go to the forums I get this screen that says I've been hacked. I don't know what all that means but I think someone might have access to my account information. If there ends up being spam posted by my user name: Christopher, can you pass this email along to one of the webmasters there please? Thanks in advance.
Christopher