Spambot Prevention Suggestions

Joe Ross suggested the creation of this thread to discuss ways to stop the recent flooding of spam onto Chief Delphi.

Would this have to do with anything?

Here’s a re-post of what I posted in the soon-to-be-deleted thread:

I would be surprised if they don’t already, as they require one for every search if you are not logged in.

I agree. Minus the zapping and oblivion business. :wink:

A thought experiment: the problem becomes that the spammer will simply look at the image verification for the bot account they set up; e.g., do it manually. Also, to evade IP address detection, wouldn’t they just go to some other public network?

Security-wise, every measure you take is breakable – take hashing, for example. Even though it’s designed to be a one-way street with next-to-zero odds of collision, breaking them is still possible. However, it is designed to only break under an insane amount of computational effort and expenditure of resources.

The problem with the current methods used to prevent bots is that they are all easily defeated with a small cost in resources – it takes a minute for the spammer to write down the image verification. IP address blacklisting is perhaps an order of magnitude harder to break – it probably takes, on average, 40 minutes to get to a local library plus the cost in time to generate an account. You could improve this by adding a cookie to the browser that generated the post the next time they come to CD (with a nice, graciously professional ban message, of course) that tells vBulletin to exclude the new account they are creating. But this would end as soon as the spammer cleared their cookies.

That’s the problem with spamming – the more security you put in for prevention, the harder it is for your actual users to get stuff done.

One feature that I would suggest is having a team contact that has to approve all accounts that are attempting to register for the team, in a manner like TIMS/STIMS. While it certainly wouldn’t apply to bots without a team, it would help the Juggernauts’ number from being abused all the time.

And my response to Joe Ross’ link to spam detection software:

Has this been relaxed lately? This particular bot in question was created this month. And has only posted once.

One thing I think would help would be to add moderator approval for a first post by a new user that doesn’t claim a team.

Require new accounts to receive at least some positive reputation before they’re allowed to create a new thread, which is where most spam goes.

If all of us veterans know about this policy, I’m sure we’d be more than happy to keep an eye out for new accounts and rep them for making any contributing post.

If it isn’t too difficult, you could also have a 30 day waiting period for the account to do something relevant to a legitimate user, such as using the search function or browsing through several threads.

The point is that these simple methods could deter automated spammers, but wouldn’t be too much of a hassle for a human user. And if it is a human that is setting these accounts up, there isn’t much you can do to prevent it; although you could get more moderators to police the forums for spam.

Also trivial to get around. All users claim a team in some way–if you’ll notice, I’m currently set to team 0000 (unaffiliated/other). It’s not hard to put in something about team 0001 or 1234 or some other team, real or not.

Now, there is/was some sort of that thing set up a while back, IIRC, but it was automated or semi-automated. Might be time for Brandon to take a look at some of those parameters and see if they can be adjusted.

Or for any new user?

Perhaps eliminate the delay between allowing posts and emails for people reporting spam… I’m not sure how that could practically be done. Maybe based on # of posts or reputation?

Filter posts from new users with lots of hyperlinks. You rarely see spam without a big block of links at the bottom.

The problem is that some of the bots claim teams. A couple that I have seen claim to be from team 3 (both of which set their location to “india”), I think one from team 1, etc. EDIT: EricH beat me to saying this

Some spambots post on random threads responses that don’t make any sense to gain posts. That way they seem less likely to be a spambot. For instance, I’ve seen a couple posts from spambots saying “That is good advice” or “This will be beneficial to my well-being” or things like that. Recently one copied word-for-word what someone posted at the beginning of a thread and reposted it.

I do think that it is a good idea for a moderator to approve a new user’s first post, but it is kinda hard to weed out the good from the bad. Not to mention it would take up a lot of the CD Moderator’s time.

EDIT: I’m sure Koko Ed would love to see someone create a notspambot that goes to where the spambots hang out and post relevant things. That will teach them.

My original post:

Also, a thought. What if the forum was set up to pull a thread if enough people reported it, and it was posted by someone “questionable” (new user, no rep, low post count), and the thread would only be reinstated after a moderator approved it?

Such as this? I reported this, nothing happened, then the person added to the spam and someone else reported it. And it’s still there.

OK, if image verification or IP blacklisting won’t work, why not ask a FIRST related question. For example, what was the 2011 game name? Or, Which country are 1114 and 2056 located in? Or, what is one FRC supported programming language?

If the spammers know enough about robotics to answer those questions, then I can’t see why they would want to spam CD.

The other suggestion is to make Mods look at a poster’s first post before allowing them to post.

I’m wondering, as I have on occasion, how many of the listed moderators are actually active any more. Personally, a quick scan down the list of moderators shows that, for about half of them, I haven’t seen a post from them in quite some time, or they only moderate one or two subforums.

I realize that I don’t see all the moderator activity by any means, and actively posting isn’t necessarily the best means of finding an active moderator… but I suspect it may be time for the CD admin team to review the moderator list and assign some of them a couple extra subforums or something like that.

Reports don’t do any good if they’re sitting in a PM box that isn’t monitored by at least a semi-active moderator. Wonder if that’s at least part of the problem…

As hard as it is to believe, a lot of FIRST participants won’t know the answer to those questions, especially people making new accounts.

Fill in the blank with the missing word in the FIRST acronym?

I mean, even if they are new members, if they don’t know stuff like that, maybe it’s time they do a Google search and learn it.

If a new member can do a search and learn it, so can a spammer. As I recall, there IS such a question (having to do with a core value of FIRST) already.

Captcha? Check.
FIRST-related question? Check.
Auto-moderator/quarantine? Check.

Anybody got any other ideas? BTW, these were all implemented either early on or after a particularly vicious spam attack.

Not allowing first time posters to start a thread. If you are a real FIRSTer, you must have something to say in a thread before you start your “PLEZ HELP ROBOT SMOKING” thread. It would encourage searching too!

Although strange locations and non-FIRST postings are among the activities of spambots, not all people who join CD that do those things are spammers.

Couple weeks ago, this person not affiliated with FIRST asked a viable programming question.

From what I’ve seen spambots only spam when they start their own thread, not on an existing thread. My suggestion is to pre-screen new thread requests from new users.

I also like Efoote868’s suggestion about basically granting more privileges to those with higher rep.

I recall starting a thread when I first joined and seeing a message that said my thread would be previewed by Moderators before it was posted, and that I kept checking to see if it was approved. Was this feature taken away?

EDIT: I recall once seeing a viable thread started by a new user that was edited once it was posted to be spam. So the system can be fooled.

A lot of the spam threads contain 15+ links. Maybe a hyperlink limit/verification would be ideal?

Require new accounts to receive at least some positive reputation before they’re allowed to create a new thread, which is where most spam goes.

I disagree. I made my CD account specifically to ask a time-sensitive question during the build season. There is no way that I would have even bothered if I had had to weigh in on other discussions and wait for someone nice to give me rep points. I had, in fact, searched through CD several times, and my question hadn’t been asked.

OK, if image verification or IP blacklisting won’t work, why not ask a FIRST related question. For example, what was the 2011 game name? Or, Which country are 1114 and 2056 located in? Or, what is one FRC supported programming language?

I didn’t learn about 1114 and 2056 until the end of the 3rd year on my team. “Common knowledge” on CD is, quite frankly, not common knowledge for a lot of students/mentors out there.

Ask FIRST for the list of mentors they use to control access to the official question forum.
Then ask those mentors to register at ChiefDelphi.
Then give them the ability to confirm team member registrations.

No confirmation … no post without moderation.

Set up modrewrite on this domain.
Track inbound IP.
Anyone claiming to be one place posting from more than 1 adjacent state/province not mentor approved gets flagged.
Saves moderation time.

Use Bayesian rules to flag posts.

Any post flagged by 2 confirmed mentors is redacted prior to review.

Hyperlinks are shortened. Checked by SourceFire, RBL and local black list.
This allows caching as well.
Any non-confirmed poster with less than 10 posts no hyperlinks allowed.
Allow any confirmed users to flag a hyperlink as a threat then set up a warning or make it text.

Allow donations over $15.
Allow donations of FIRST items ChiefDelphi can resell.
Allow donors to select to be listed if they like.

Expire confirmed accounts after 4 years.

Asking a new question might not require a new thread; especially if there were one stickied for that purpose.
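
Several of the rules proposed in this thread (no links for unconfirmed accounts under 10 posts, pulling reported threads from "questionable" accounts, redaction after two mentor flags) combined into one triage function, as an added example that is not from any poster or from the forum's software. The `Author` fields, the report threshold of 3 and the low-post cut-off of 5 are assumptions; the sample posts are constructed.

```python
import re
from dataclasses import dataclass

# Matches bare URLs and BBCode [url] tags; presence is all that matters here.
LINK_RE = re.compile(r"https?://|www\.|\[url\b", re.IGNORECASE)

# 10 posts and 2 mentor flags come from the thread; the other two are assumed.
MIN_POSTS_FOR_LINKS = 10
MENTOR_FLAGS_TO_REDACT = 2
REPORTS_TO_PULL = 3   # assumed value for "enough people reported it"
LOW_POST_COUNT = 5    # assumed cut-off for a "questionable" account


@dataclass
class Author:  # hypothetical record, not a vBulletin structure
    post_count: int
    reputation: int
    mentor_confirmed: bool


def is_questionable(a: Author) -> bool:
    """New user, no rep, low post count, and not vouched for by a mentor."""
    return (not a.mentor_confirmed and a.reputation <= 0
            and a.post_count < LOW_POST_COUNT)


def triage(author: Author, body: str, reports: int = 0,
           mentor_flags: int = 0) -> str:
    """Return 'publish', 'hold' (moderator queue) or 'pull' (hidden until approved).

    Run on every create AND every edit, so a clean first post that is later
    edited into spam is evaluated again.
    """
    if mentor_flags >= MENTOR_FLAGS_TO_REDACT:
        return "pull"
    if reports >= REPORTS_TO_PULL and is_questionable(author):
        return "pull"
    low_trust = (not author.mentor_confirmed
                 and author.post_count < MIN_POSTS_FOR_LINKS)
    if low_trust and LINK_RE.search(body):
        return "hold"
    return "publish"


# Constructed sample data.
NEWBIE = Author(post_count=0, reputation=0, mentor_confirmed=False)
VETERAN = Author(post_count=250, reputation=40, mentor_confirmed=False)
CLEAN_POST = "Our robot's speed controller is smoking, any ideas?"
EDITED_POST = CLEAN_POST + " [url=http://example.invalid/a]cheap watches[/url]"
```

A genuine new user asking a time-sensitive question without links is published immediately; only the link, report and flag signals add friction.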