This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1
Plugins / [Naming poll] Re: Packages
« on July 13th, 2011, 02:45 PM »
Mods >> modifies the core
Add-on >> might or might not
Plugin >> uses receptacles for power
Just the way I see it. ;)
2
Other software / Re: SMF 2.0 final THIS MONTH?
« on June 1st, 2011, 05:41 PM »
Yeah, it's the OpenID bug, but as I just pointed out... that ain't new, nor even a surprise - it's been broken since at least RC3 (with the same reason)
I considered it an "unpleasant surprise" because it was found out just days before the planned release.
3
Features: Security / Re: Dynamic CAPTCHAs
« on May 28th, 2011, 05:41 PM »
So you implement that. And let's say for the sake of argument that we add this by default and that we become popular, at least that can be mentioned in the same sentence as other free forums without the phrase "unlike phpBB or MyBB" in there. As soon as it becomes even remotely commonplace, xrumer's devs will adapt.
And the more "optional" security measures that are end user configurable the better. Doesn't matter if they are all used at once or only one, every one of them has to be detected and cracked. There comes a point when the cost of bypassing versus posting speed/processor load makes it a waste of time.
Take for example xrumer's reCAPTCHA auto solve feature. It puts a load on the processor slowing down posting to the point that some suggest not using it and using an external solving service, or just manually solve it.
I feel Wedge's CAPTCHA will be the same way. :niark:
But you are absolutely correct in being unique and changing. You have to be!!
Anyway, I'll stop pestering you! LOL!
4
Features: Security / Re: Dynamic CAPTCHAs
« on May 28th, 2011, 12:24 AM »
Did you set the flood control in Admin > Posts and Topics > Post Settings? That would mitigate (not solve) posters posting more than once so quickly.
As for posting a 2600 character message within 3 seconds, what happens if I already prepared my message in another editor and simply copy/paste it?
Note that as soon as the bot authors realise what's going on, they will simply alter the code to pause, or set it to not come back quite so often. It still doesn't really solve the problem :(
Going from 100 every 5 seconds to 100 every 30 seconds is a big deal when you have a list of 50K+ forums and 100 ads to blast.
Even if they set it not to come back as often, they would still have to wait xx seconds after hitting the new message page before submitting the post.
Look at it from a human's point...
You hit the register page, the "Submit" button is grayed out with a timer counting down. It runs out and you join.
You go to post a message, same thing, the button is grayed out yada yada.. After x amount of posts, the timer is gone and you can post away.
Now,
From a spam bot's point...
It hits the register page, it doesn't see the timer, but the url to submit. (Like it normally does)
It fills out the info, hits submit.. busted, rejected. xrumer shows a fail for that forum. (some will then remove the url, others are too dumb)
IF it gets past the registration page, chances are, it will get nailed on the first post. Which will cause them to be suspended awaiting admin/mod approval, deletion or whatever. :)
A timer on the registration page is in use by some forums, and seems to work very well, from what I heard.
But keep in mind, a timer would not be common like CAPTCHA is, and therefore spammers are not going to bother adjusting the posting speed for just a few hundred forums. There are millions more they can post to. And I really don't think the authors would spend the time coding a parser either. At least not until it becomes as popular as CAPTCHA. But by then, we'll have something else to throw in their way. hehehe!
Please don't get me wrong! I'm definitely NOT saying it's an end all be all solution! It's faaaar from that.
But, it is something that doesn't require checking internal or external anti-spam databases, keeping it updated, adding stuff to the htaccess etc...
5
Features: Security / Re: Dynamic CAPTCHAs
« on May 27th, 2011, 04:31 PM »
From the bots hitting my traps, the majority will log in, and post within 1 to 5 seconds. (the record is 8 join,posts a second)
But generally, humans cannot/don't log in and post a 2600+ character message within 3 seconds.
Quote Slowing them down is only part of it. The other part of the variable timer thing is that they will hit the submit/post url before a human could.
Checking my traps logs I'd say the max time a bot will stay on a forum is 10 seconds. Seems the average is around 5, with 1 page hit per second. (roughly)
Yeah, slowing them down doesn't make too much difference in the real world of things, actually - all it means is the difference between 1,000 and a couple of hundred spam messages - either way it's still a royal pain to deal with.
6
Features: Security / Re: Dynamic CAPTCHAs
« on May 27th, 2011, 04:54 AM »
Not sure if this is the correct place, but.... :whistle:
While discussing the nightmare of trying to block spammers via IP once IPv6 is in full swing, I happened to think of this.
One way of stopping spam bots would be to let them ban themselves. No anti-spam database required.
All it would take is a JavaScript timer (with random wait times) on the registration page. The submit url could be seen by bots, thus they would fill in the info, crack the CAPTCHA and hit the submit url before the timer ran out. At which time they would be instantly banned/rejected.
This could also be added to the "New Member" group, which will catch any that do get past the registration page.
The main key here is, slowing down the time bots can join and post, without causing too much frustration/irritation for humans.
Using CAPTCHA is an annoyance. But waiting a few seconds for a submit/post button to become active... not so much.
Of course they can just figure out what the maximum wait time is and set the bot accordingly. But, if the max time is say 30 seconds... and they have a list of 50K sites to spam..... :hmm:
Anyway, it was just a thought.
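The timer idea from the post above only works if the server, not the browser countdown, decides whether a submission came too early. The following is an added example (not part of the original posts and not Wedge or SMF code) showing one way to enforce a random wait with a signed form token; the function names, the 5 second minimum, the one hour expiry and the session id format (no dots) are assumptions, while the 30 second maximum is the figure used in the post.

```javascript
// Added example: server-side enforcement of a randomized minimum wait (Node.js).
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // assumption: per-deployment signing key
const MIN_WAIT_S = 5;                  // assumption
const MAX_WAIT_S = 30;                 // maximum wait mentioned in the post
const TOKEN_TTL_S = 3600;              // assumption: stale forms must be reloaded

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called when the registration or post form is rendered. `wait` is also handed
// to the page so its JavaScript countdown can keep the submit button greyed out.
function issueFormToken(now, sessionId) {
  const wait = crypto.randomInt(MIN_WAIT_S, MAX_WAIT_S + 1);
  const payload = `${sessionId}.${now}.${wait}`;
  return { wait, token: `${payload}.${sign(payload)}` };
}

// Called when the form is submitted. `now` is the server clock in seconds.
function checkSubmission(token, now, sessionId) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return 'reject:malformed';
  const [sid, issued, wait, mac] = parts;
  // Verify the MAC first so a client cannot rewrite the wait or issue time.
  const given = Buffer.from(mac, 'hex');
  const expected = Buffer.from(sign(`${sid}.${issued}.${wait}`), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'reject:forged';
  }
  if (sid !== sessionId) return 'reject:wrong-session';
  const elapsed = now - Number(issued);
  if (elapsed < Number(wait)) return 'reject:too-fast'; // submitted before the timer ran out
  if (elapsed > TOKEN_TTL_S) return 'reject:expired';
  return 'accept';
}
```

A client that goes straight to the submit URL either has no valid token or submits before its own wait has elapsed, and both cases are rejected without consulting any external anti-spam database.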