
Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Registration Questions & Answers

Posted
Item has a rating of 5 (Liked by FadedOut)
#102290 (In Topic #20046)

Community saint

For the determent of spambots!

Greetings,

Long time no see eh? Well I have a suggestion of an add-on (or perhaps part of the core product). Here it is, broken down into easy to digest parts.

1. Ability to set questions that must be answered in order to register for an account on your ocPortal powered community

2. The questions have a set of answers that you set up beforehand

3. The number of questions that you set up is up to you, could be as low as 1

4. The questions and answers should be simple enough that real people would be able to easily figure them out based on the content of your site

The idea here is simple, you have a question or two in your registration process that the prospective member must answer to register. If they are a real person, they could easily look through the forum for that answer. If they are a spambot, they will most likely put some stupid link or something in it, and thus not get registered!

This is something that I've seen (and use) elsewhere that works great! I haven't had a single spam bot registration since - though they try daily! This is really important to me because while I love ocPortal (and miss using it dearly), I hate spambots and spending all day fighting them instead of enjoying my site. If ocPortal had such a tool to help make it harder for spambots to register, I'd be in heaven... and I bet other sites would benefit from this increased protection with the growing onslaught of spambots everywhere!

But yeah, this is my suggestion.

Legends of Nor'Ova: A site powered by ocPortal; home of the Legends of Nor'Ova tabletop RPG wiki and community.

Like ocPortal? Want to thank Chris and gang somehow? Then help out in the chat room! It really needs your help! Just open it in a tab every time you open your web browser, and when you hear a "ding", check it out!

"Those who want help should first be willing to give help."
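The suggestion above describes a server-side check: a site-specific question bank, a set of accepted answers per question, and the observation that bots fill free-text fields with links. The following is an added example of what that check could look like; it is not ocPortal code (ocPortal itself is PHP, Python is used here only to keep the logic readable), and the question bank, normalisation rules and link filter are assumptions made for the example.

```python
"""Server-side check for custom registration questions.

Added example to illustrate the suggestion above; it is not ocPortal code.
The question bank, the normalisation rules and the link filter are
assumptions for the example.
"""
import re
import secrets
import unicodedata

# Constructed question bank: the site admin writes questions whose answers
# are obvious from the site's own content and lists accepted spellings.
QUESTION_BANK = {
    "q1": {
        "text": "What is the name of the tabletop RPG this wiki is about?",
        "answers": ["Legends of Nor'Ova", "Nor'Ova", "Norova"],
    },
    "q2": {
        "text": "Which software powers this community site?",
        "answers": ["ocPortal", "oc portal"],
    },
}

# The post observes that bots tend to paste links into free-text fields, so
# anything URL- or markup-like is rejected before comparison.
LINK_LIKE = re.compile(r"(https?://|www\.|\[url|<a\s|\.(com|net|org|info)\b)", re.I)

MAX_ANSWER_LEN = 200


def normalise(answer: str) -> str:
    """Fold case, strip accents and collapse punctuation/whitespace so a
    human is not penalised for minor spelling differences."""
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]+", " ", ascii_only.casefold()).strip()


def pick_question() -> tuple[str, str]:
    """Select the question to show on the form. The chosen id is meant to be
    stored in the server-side session, never only in the form itself."""
    qid = secrets.choice(sorted(QUESTION_BANK))
    return qid, QUESTION_BANK[qid]["text"]


def check_answer(session_qid: str, submitted_qid: str, answer: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one registration submission.

    The submitted question id must match the one recorded in the session,
    so a client cannot swap in a question it finds easier; every other
    inconsistency also fails closed.
    """
    if session_qid not in QUESTION_BANK or submitted_qid != session_qid:
        return False, "question mismatch"
    if not answer.strip() or len(answer) > MAX_ANSWER_LEN:
        return False, "empty or oversized answer"
    if LINK_LIKE.search(answer):
        return False, "answer contains a link"
    accepted = {normalise(a) for a in QUESTION_BANK[session_qid]["answers"]}
    if normalise(answer) in accepted:
        return True, "ok"
    return False, "wrong answer"


if __name__ == "__main__":
    qid, text = pick_question()
    print(text)
    print(check_answer(qid, qid, "http://spam.example/"))
```

The rejection reasons are returned so the site can log them; as the thread notes later, knowing whether attempts fail on the link filter or on the answer itself is exactly the kind of hard fact a spam report needs.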
Posted
#102294

Hi,

It's a good suggestion, and I think the only reason it's been overlooked in the past is most sites don't have custom questions for this kind of thing, so it just seemed a bad idea (weaker than CAPTCHA). But yeah if the questions are customised, it is a very good idea.

This said, is ocPortal's CSS CAPTCHA really broken? That is, when we have the option to generate the CAPTCHA picture via CSS. Each pixel of the image is a coloured div, which stops most bots in their tracks because there is no image to easily pass to OCR software. I'm not aware of anyone else implementing it (I came up with it myself). Obviously the CSS CAPTCHA could be broken, it's just more technically challenging as the hacker needs to either have specific support for how we render them, or a much more complex full webpage renderer and AI system to pick out what part is the CAPTCHA.

My understanding is sometimes spammers do get past our CSS CAPTCHA, but only because they've outsourced account registering to low-wage countries. Q&A would also be susceptible to that same issue.


Last edit: by Chris Graham


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
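To make the CSS CAPTCHA mechanism described above concrete, here is an added illustration of the approach (one coloured div per pixel). It is not ocPortal's renderer: the tiny bitmap font, the colour ranges and the cell size are constructed for the example.

```python
"""Render a CAPTCHA code as a grid of coloured <div>s rather than an image.

Added illustration of the approach described in the post (every pixel is a
coloured div); it is not ocPortal's renderer. The 3x5 bitmap font, the
colour ranges and the cell size are constructed for this example.
"""
import random

# Constructed 3-column by 5-row glyphs; '#' marks an ink pixel.
FONT = {
    "1": ["##.", ".#.", ".#.", ".#.", "###"],
    "4": ["#.#", "#.#", "###", "..#", "..#"],
    "7": ["###", "..#", ".#.", ".#.", ".#."],
}
ROWS = 5
CELL_PX = 6   # size of one pixel div
GAP_COLS = 1  # blank columns after each glyph


def pixel_grid(code: str) -> list[list[bool]]:
    """Lay the glyphs of `code` side by side as a boolean raster."""
    rows: list[list[bool]] = [[] for _ in range(ROWS)]
    for ch in code:
        if ch not in FONT:
            raise ValueError(f"no glyph for {ch!r}")
        for r in range(ROWS):
            rows[r].extend(c == "#" for c in FONT[ch][r])
            rows[r].extend([False] * GAP_COLS)
    return rows


def render_css_captcha(code: str, rng: random.Random) -> str:
    """Emit one absolutely positioned div per raster cell.

    Ink cells get a random dark colour and background cells a random light
    one, and the divs are shuffled so that the order in the HTML source says
    nothing about the layout. There is no image to hand to OCR; a bot has to
    lay the page out (or special-case this markup) to see the code, which is
    the extra cost the post describes, not an unbreakable barrier.
    """
    grid = pixel_grid(code)
    divs = []
    for y, row in enumerate(grid):
        for x, ink in enumerate(row):
            lo, hi = (0, 90) if ink else (170, 255)
            colour = "rgb(%d,%d,%d)" % tuple(rng.randint(lo, hi) for _ in range(3))
            divs.append(
                f'<div style="position:absolute;left:{x * CELL_PX}px;top:{y * CELL_PX}px;'
                f'width:{CELL_PX}px;height:{CELL_PX}px;background:{colour}"></div>'
            )
    rng.shuffle(divs)
    width = len(grid[0]) * CELL_PX
    height = ROWS * CELL_PX
    return (
        f'<div style="position:relative;width:{width}px;height:{height}px">'
        + "".join(divs)
        + "</div>"
    )


if __name__ == "__main__":
    print(render_css_captcha("147", random.Random()))
```

The expected answer is, of course, kept server-side with the session; only the markup above goes to the client. As the post says, this raises the bar rather than closing it: the dark/light split is still separable by anything that actually performs layout.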
Posted
#102296

Honoured member

It's a nice suggestion and could also work as an optional second layer of protection too.

Just Jarv
Posted
#102299

Community saint

Right, well any security measure by itself is not all that strong right? It all depends on how you set up your security measures and implement them.

By itself registration questions would be weak. Of course weak is better than none, but any site admin that is serious about site security would know not to depend upon one tool or one layer of security.

You guys both know that I love ocPortal, moreso than any other site/community software out there (or at least I hope you know that). The fact that I have had to turn to other software lately is something that I do not like. But here was the situation:

For many years my site was running fine on ocPortal. But - as I am sure you are aware - spam bots and site attacks have ramped up. I wouldn't call them more sophisticated attacks really, except in the case of some big name security breaches… but more so a bunch of script kiddies running code written by bored expert hackers. But that's all beside the point.

My ocPortal got hit, big. If you may recall - because I posted about it here - it started when a spambot found a way to post in my guest friendly shoutbox. After that one spambot came in, a wave of them soon followed.

So I made the chatroom members only. Well, the spambots then started registering and posting spam in the news, making new categories and everything! I did the postgroup trick (initial members have to have stuff approved first kind of thing) but I still had to deal with all the spambots. I simply didn't want them as members of the site. So I had to go through and continually, day after day, delete 20-40+ spam bot members. Mind you, ocPortal still has no real mass deletion (I asked about this and got the somewhat dangerous oCLE code method), so this easily took most of my time, leaving me with no real time to answer posts and participate with my community. And for that, my community suffered and nearly died. During this time I tried all kinds of tricks including Cloudflare - but Cloudflare caused too many problems for real members and setting it even lower allowed spambots in (also did honeypots and the like), and had always had the ocPortal CAPTCHAs and such in place.

I ended up having to rebuild my community using SMF for now (which turns out might be dangerous given their current situation). I am using their default registration questions with stop spam and honeypots - and have yet to have a successful spam bot registration. Since the only difference here is the registration questions (despite the lack of ocPortal's CSS CAPTCHA), I came to the conclusion that my set-up of the registration questions provided that extra bit of security that prevents these spam bots from registering. They still try! I still see around 20+ spam bot registrations a day, many of them not caught by the honeypot but by the questions part because they keep putting links in and such.

Are Registration Questions the be all, end all method of stopping spam bot registrations? No, of course not! Do they need to be set up with good (but simple for real people to figure out) questions? Yes, and some people might not be as successful at doing so. But the fact remains that set up right, along with other good security measures and tools, would greatly enhance ocPortal's (and the sites that use it) security against these spam bots.

Posted
#102301

To be honest, the problem I usually have with spam reports in ocPortal is they are anecdotal, and usually panicked, so hard to actually consider without doing a full manual investigation. To expedite things what we really need is hard facts…

a) What exact anti-spam/Guest-security settings are set up in ocPortal
b) Where the spammer is getting through
c) Their IP address
d) Their user-agent

We can look to see which category the case resides in:
  1. Incorrect ocPortal set up
  2. Manual spammer attack
  3. Insufficient protection within ocPortal

I suspect your case would have been between '1' and '3'. It might have been the CSS CAPTCHA required a hidden setting back then so the possibility of using it was not clear (it doesn't anymore).

I have logged your idea onto the tracker, and I would like to see it implemented. However I think something more important is we put together a Spam Avoidance tutorial, as we don't currently have one. Something that explains the different settings we do have, and how to make incident reports.

I'd also note that we have a lot of new anti-spam settings now related to spammer block-lists. I don't know if you had access to these or not when you were attacked.


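The checklist above asks for hard facts: where the spammer gets through, their IP address and their user-agent. Those come straight out of the web server's access log, and the following added example shows one way to pull them out for a report. It is not an ocPortal tool; the combined log format, the join-page path and the sample log lines are constructed assumptions.

```python
"""Summarise registration attempts from a web-server access log.

Added example for the incident-report checklist in the post above (settings,
where the spammer gets through, IP address, user-agent); it is not an
ocPortal tool. The combined log format, the join-page path and the sample
log lines are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

JOIN_PATH = "/index.php?page=join"  # assumed registration form path

# Constructed sample: two automated submitters and one human who first
# loaded the form, then submitted it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:03:14:07 +0000] "POST /index.php?page=join HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [10/Apr/2014:03:14:09 +0000] "POST /index.php?page=join HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [10/Apr/2014:03:15:00 +0000] "GET /index.php?page=join HTTP/1.1" 200 9120 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
198.51.100.23 - - [10/Apr/2014:03:16:41 +0000] "POST /index.php?page=join HTTP/1.1" 302 0 "http://example.test/index.php?page=join" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
192.0.2.99 - - [10/Apr/2014:03:17:02 +0000] "POST /index.php?page=join HTTP/1.1" 200 512 "-" "-"
192.0.2.99 - - [10/Apr/2014:03:17:02 +0000] "POST /index.php?page=join HTTP/1.1" 200 512 "-" "-"
192.0.2.99 - - [10/Apr/2014:03:17:03 +0000] "POST /index.php?page=join HTTP/1.1" 200 512 "-" "-"
"""


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def join_attempts(text: str, join_path: str = JOIN_PATH) -> list[dict]:
    """Group POSTs to the join page by (IP, user-agent), most active first,
    and flag the traits a report should mention: form submitted without a
    referer, form never fetched with GET, empty user-agent, three or more
    attempts from the same source."""
    posts = Counter()
    referers = defaultdict(set)
    fetched_form = set()
    for rec in parse_log(text):
        if rec["path"] != join_path:
            continue
        if rec["method"] == "GET":
            fetched_form.add(rec["ip"])
        elif rec["method"] == "POST":
            key = (rec["ip"], rec["ua"])
            posts[key] += 1
            referers[key].add(rec["referer"])

    report = []
    for (ip, ua), n in posts.most_common():
        flags = []
        if referers[(ip, ua)] == {"-"}:
            flags.append("no referer")
        if ip not in fetched_form:
            flags.append("never fetched form")
        if ua in ("", "-"):
            flags.append("empty user-agent")
        if n >= 3:
            flags.append("burst")
        report.append({"ip": ip, "ua": ua, "attempts": n, "flags": flags})
    return report


if __name__ == "__main__":
    for row in join_attempts(SAMPLE_LOG):
        print(row)
```

Each row of the report is one (IP, user-agent) pair with its attempt count and flags, which covers items b) to d) of the checklist; item a), the site's own anti-spam settings, still has to be copied from the admin panel by hand.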
Posted
#102302
Posted
#102304

Community saint

Well the spam attacks were happening during the period of ocPortal 8 and the first release of 9, so there may be some truth in that. I can't remember all the real specifics of the setup then to either confirm or deny.

I suspect what I will need to do then is - when I have some free time - load up ocPortal in a test domain and take a look. I could then set up some settings and see if spammers get through them or not. It is very possible (and hopefully so) that such things have improved since then.

The larger fear though is a false positive, so to speak. Say I do this and no spammer comes through so I think "OK, things are working great". I then do the migration and get ocPortal on my main domain where it belongs… and bam! Spam attack! I mean after all, the spambots may never know to go after my test subdomain.

Still I think that the Registration Questions idea (however it gets worded if implemented) would be a good extra bit of security. Hopefully others will agree and help to make this idea a possibility. I know it isn't some simple thing (nothing is!) so I can be patient lol.

Posted
Item has a rating of 5 (Liked by mythus)
#102305

mythus said

The larger fear though is a false positive, so to speak. Say I do this and no spammer comes through so I think "OK, things are working great". I then do the migration and get ocPortal on my main domain where it belongs… and bam! Spam attack! I mean after all, the spambots may never know to go after my test subdomain.

Well, if there is a clear case of our anti-spam security being broken, we're not going to sit by and ignore it. You just have to make it unambiguous that it is not working as should (clear report as described above), at which point whatever changes that are required would be implemented and no feature-sponsorship would be required.


Posted
#102335

Honoured member

Chris Graham said


Cheers Chris

Just Jarv
Posted
#102357

Community saint

Well Chris, so far, so good!

I've seen plenty of "guest trying to join" - watched as there were 5 on at one time doing so - all known spam bots, and none have gotten through yet! So you've obviously made HUGE improvements there!

There was one incident - a spambot abused the Feedback function of the site. But I fixed that by setting a CAPTCHA on the feedback and sending any feedback straight to the trashbin forum. Members can leave feedback however they like though :P

I think the captcha part did the trick, no feedback has shown up in the trashbin yet!

Anyway, just wanted to give you the thumbs up there. I still think Registration Questions is a good idea! But at least ocPortal is keeping out the spam - so far!

Posted
#102359

Thanks for updating :).


Posted
Item has a rating of 5 (Liked by Fletch, mythus)
#102416

Fan in training

I would also like to just +1 the OP's idea of a Q&A on registration option (keep what you have, just add this option to the core). I mean, what could it hurt? Leave it off by default and just put it in with the CAPTCHA settings so it's noticed.

Other big scripts out there, like IPB, which I'm using right now for another site, have the CAPTCHA and the Q&A option where I can fill out my own question and answer. I think having both is a great deterrent to bots. And options can only make more people happy, as opposed to "oh you can't please everyone", because I know it would make me happy too :). And it's not like you skimp on settings... this thing is loaded with them lol

It's not that your current CAPTCHA setup may not work, it's that these bots are getting more creative every day with their OCRs and such that CAPTCHAs don't always beat them. Added measures just add extra walls for them.

+1 from another Webmaster