New users or not?
Page 1 of 2

Author:  Zepper [ Mon Jan 30, 2012 2:10 pm ]
Post subject:  New users or not?

I'm seeing around 4 ‎new user accounts each day, probably dummy users or bots. The thing is increasing... but could something be done... or it's just me?

Author:  lidnariq [ Mon Jan 30, 2012 2:23 pm ]
Post subject: 

They already can't do anything despite having made the account, so I'm not clear on why we should care.

Author:  tepples [ Mon Jan 30, 2012 2:28 pm ]
Post subject: 

The wiki gets a trickle of new user accounts, but none of them manage to post anything. All they can do is fill Special:RecentChanges unless they manage to establish themselves as good-faith users on the BBS.

My private wiki gets the same trickle of automated registrations, even with a reCAPTCHA installed, but I use a different method to keep them from spamming: the ABUSE filter.

Author:  Zepper [ Mon Jan 30, 2012 7:12 pm ]
Post subject: 

Well, yes, they cannot post anything... but the amount of such registered members is increasing more and more every day.

Author:  lidnariq [ Tue Jan 31, 2012 1:23 am ]
Post subject: 

Ok. Why do we care?

Author:  tepples [ Tue Jan 31, 2012 6:06 am ]
Post subject: 

Perhaps someone has Image the Atom feed of the wiki's recent changes in his feed reader and is tired of clutter from new user accounts created by automated processes.

Author:  RLError [ Tue Jan 31, 2012 1:30 pm ]
Post subject: 

I have seen a lot more message board spam lately. It's kind of sad.

Author:  Zepper [ Tue Jan 31, 2012 2:23 pm ]
Post subject: 

lidnariq wrote:
Ok. Why do we care?

You're nice, but please...


Author:  lidnariq [ Wed Feb 01, 2012 12:32 pm ]
Post subject: 

I really don't understand. They can't do anything, so what does it matter? It's not like they're clogging up parodius's disk with user accounts.

Author:  Zepper [ Wed Feb 01, 2012 5:17 pm ]
Post subject: 

A. They could block new registrations for a limited time.
B. They could erase such users by putting an expiring time of inactivity.
C. They could do nothing, as you suggested.
D. It could be created a registration approval for new users, like introducing themselves here.

Author:  lidnariq [ Wed Feb 01, 2012 6:52 pm ]
Post subject: 

If one agrees that the original problem exists, those are reasonable solutions to the problem. However, seeing as the would-be spammers cannot do any harm, I still don't understand what the objective in fixing this is. Would you please explain?

Author:  Zepper [ Thu Feb 02, 2012 7:49 am ]
Post subject: 

I have nothing more to say. Sorry.

Author:  tokumaru [ Thu Feb 02, 2012 9:48 am ]
Post subject: 

My OCD self is kinda bothered by the increasing number of dummy registrations, but when thinking about it logically I realize that it doesn't make any difference.

Author:  tepples [ Thu Feb 02, 2012 10:02 am ]
Post subject: 

Might it be the same sort of OCD discussed in this thread?

Author:  koitsu [ Thu Feb 02, 2012 3:32 pm ]
Post subject: 

Let me make this crystal clear to everyone:

With regards to the forum:

Every single time there is a spam post -- ABSOLUTELY EVERY SINGLE TIME, NO EXCEPTIONS -- administrative action is taken to ensure it doesn't happen again. This does not mean we just delete the account + posts and continue on our merry way. There are other things being done (manual actions I personally take every single time, again, no exception) to stop this from happening which I cannot/will not disclose. The reason I won't disclose them is because the spammers read English -- human beings are creating these accounts, NOT software/robots. The less they know about our methods, the better.

If anyone feels the forum now has more spam than it used to, I will be more than happy to remove all of the methodologies we have in place and let you experience the result. I can assure you that within a week you will have hundreds of posts, possibly thousands of accounts, with every thread on this forum with spam in it.

Because human beings are involved, things like captchas, "technical questions", mathematical questions, etc. absolutely do not work because the humans are capable of reading English. I can talk more about this in detail if people want to know, but all you need to know is that there are companies -- dedicated, fully-staffed companies -- in foreign countries which do nothing but create accounts on forums/wikis/etc. all day long and then sell those account credentials to bidders, or are hired by bidders to do exactly that. This is what commercialism and capitalism has brought the world.

With regards to the Wiki:

The aforementioned methodology for blocking the spammers on the forum is not applied to the Wiki. All we do use is the built-in mathematical question during account creation (as a form of a captcha). Let me explain why this is in place:

When we recently upgraded the Wiki, I disabled all forms of captchas because I was told it more or less didn't matter since only manually-approved accounts had edit/write access. Seemed logical to me. However, within about a week of the upgrade, I started receiving boatloads of "bounced mail" messages from the webserver specific to the Wiki. A quick investigation showed that the spammers were signing up using automated software, and were shoving randomly-generated Emails into the Email field during account creation. For verification purposes, the Wiki sends Email to this address and asks the person to verify.

So what was happening was that our mail servers were spewing mail to these invalid addresses, resulting in bounces, which I get copies of. In effect, the spammers were using the account creation form to hit Email addresses "for the hell of it". Really. It's completely 100% impossible for them to sign up for an account and somehow "insert content into the body of the verification mail" -- instead, these are just robotic scripts that are going batshit crazy creating accounts and resulting in Email storms. Nor would THEY ever get a copy of the bounceback, so they'd never know if the Email address they generated was legit or not. I do not understand the reason for this, but I really don't care why -- obviously it's unacceptable. Furthermore, disabling mail bounces is not an option -- we have actual people who use our mail servers and rely heavily on bounces for legitimate reasons ("oh crap I typo'd my mum's Email address").

As a result, I turned on the mathematical verification requirement, which appears to have completely stopped the Email bounceback situation. However, either humans or software are obviously able to do simple math, thus accounts keep getting created. Meaning: the spammer is creating an account with an Email address they have access to, so they get a copy of the verification mail, click the link to verify, then proceed to try and edit the Wiki to spam (and find they cannot because we only allow edit/write access to accounts which are pre-approved). At least I'm not getting bounced mail.

The problem I have with enabling something like an image-based captcha (instead of the mathematical verification) is that it's more intense on CPU time, and if a human is doing the account creation it solves nothing. And many image-based captchas are fucking annoying anyway -- I cannot tell you how many times I have signed up for an account somewhere and have been completely unable to read the captcha text because it's so horribly skewed/noised/buggered.

It might be worthwhile for me to apply the same methods to the Wiki as we use on the forum (and this is not difficult to do, nor does it make my life more complex), but the Wiki isn't something I keep too close of an eye on.

Page 1 of 2 All times are UTC - 7 hours
Powered by phpBB® Forum Software © phpBB Group