I'm seeing around 4 new user accounts each day, probably dummy users or bots. The thing is increasing... but could something be done... or it's just me?
They already can't do anything despite having made the account, so I'm not clear on why we should care.
The wiki gets a trickle of new user accounts, but none of them manage to post anything. All they can do is fill Special:RecentChanges unless they manage to establish themselves as good-faith users on the BBS.
My private wiki gets the same trickle of automated registrations, even with a reCAPTCHA installed, but I use a different method to keep them from spamming: the
ABUSE filter.
Well, yes, they cannot post anything... but the amount of such registered members is increasing more and more every day.
Perhaps someone has
the Atom feed of the wiki's recent changes in his feed reader and is tired of clutter from new user accounts created by automated processes.
I have seen a lot more message board spam lately. It's kind of sad.
lidnariq wrote:
Ok. Why do we care?
You're nice, but please...
I really don't understand. They can't do anything, so what does it matter? It's not like they're clogging up parodius's disk with user accounts.
A. They could block new registrations for a limited time.
B. They could erase such users by putting an expiring time of inactivity.
C. They could do nothing, as you suggested.
D. It could be created a registration approval for new users, like introducing themselves here.
If one agrees that the original problem exists, those are reasonable solutions to the problem. However, seeing as the would-be spammers cannot do any harm, I still don't understand what the objective in fixing this is. Would you please explain?
I have nothing more to say. Sorry.
My OCD self is kinda bothered by the increasing number of dummy registrations, but when thinking about it logically I realize that it doesn't make any difference.
Might it be the same sort of OCD discussed in
this thread?
Let me make this crystal clear to everyone:
With regards to the forum:
Every single time there is a spam post -- ABSOLUTELY EVERY SINGLE TIME, NO EXCEPTIONS -- administrative action is taken to ensure it doesn't happen again. This does not mean we just delete the account + posts and continue on our merry way. There are other things being done (manual actions I personally take every single time, again, no exception) to stop this from happening which I cannot/will not disclose. The reason I won't disclose them is because the spammers read English -- human beings are creating these accounts, NOT software/robots. The less they know about our methods, the better.
If anyone feels the forum now has more spam than it used to, I will be more than happy to remove all of the methodologies we have in place and let you experience the result. I can assure you that within a week you will have hundreds of posts, possibly thousands of accounts, with every thread on this forum with spam in it.
Because human beings are involved, things like captchas, "technical questions", mathematical questions, etc. absolutely do not work because the humans are capable of reading English. I can talk more about this in detail if people want to know, but all you need to know is that there are companies -- dedicated, fully-staffed companies -- in foreign countries which do nothing but create accounts on forums/wikis/etc. all day long and then sell those account credentials to bidders, or are hired by bidders to do exactly that. This is what commercialism and capitalism has brought the world.
With regards to the Wiki:
The aforementioned methodology for blocking the spammers on the forum is not applied to the Wiki. All we do use is the built-in mathematical question during account creation (as a form of a captcha). Let me explain why this is in place:
When we recently upgraded the Wiki, I disabled all forms of captchas because I was told it more or less didn't matter since only manually-approved accounts had edit/write access. Seemed logical to me. However, within about a week of the upgrade, I started receiving boatloads of "bounced mail" messages from the webserver specific to the Wiki. A quick investigation showed that the spammers were signing up using automated software, and were shoving randomly-generated Emails into the Email field during account creation. For verification purposes, the Wiki sends Email to this address and asks the person to verify.
So what was happening was that our mail servers were spewing mail to these invalid addresses, resulting in bounces, which I get copies of. In effect, the spammers were using the account creation form to hit Email addresses "for the hell of it". Really. It's completely 100% impossible for them to sign up for an account and somehow "insert content into the body of the verification mail" -- instead, these are just robotic scripts that are going batshit crazy creating accounts and resulting in Email storms. Nor would THEY ever get a copy of the bounceback, so they'd never know if the Email address they generated was legit or not. I do not understand the reason for this, but I really don't care why -- obviously it's unacceptable. Furthermore, disabling mail bounces is not an option -- we have actual people who use our mail servers and rely heavily on bounces for legitimate reasons ("oh crap I typo'd my mum's Email address").
As a result, I turned on the mathematical verification requirement, which appears to have completely stopped the Email bounceback situation. However, either humans or software are obviously able to do simple math, thus accounts keep getting created. Meaning: the spammer is creating an account with an Email address they have access to, so they get a copy of the verification mail, click the link to verify, then proceed to try and edit the Wiki to spam (and find they cannot because we only allow edit/write access to accounts which are pre-approved). At least I'm not getting bounced mail.
The problem I have with enabling something like an image-based captcha (instead of the mathematical verification) is that it's more intense on CPU time, and if a human is doing the account creation it solves nothing. And many image-based captchas are fucking annoying anyway -- I cannot tell you how many times I have signed up for an account somewhere and have been completely unable to read the captcha text because it's so horribly skewed/noised/buggered.
It might be worthwhile for me to apply the same methods to the Wiki as we use on the forum (and this is not difficult to do, nor does it make my life more complex), but the Wiki isn't something I keep too close of an eye on.
Follow-up to my own post:
I want to apologise (albeit slightly; that is to say, I don't feel bad for anything I've written, but I fully acknowledge it's very harsh) for what I wrote above. Rather than edit it, I felt replying would be more appropriate/fair.
Right now I have more things going on in my life that I think I've ever had to handle at the same time, some of which are demanding, others are devastating. So needless to say I'm under a lot of stress and my tolerance level (in general) is extremely thin. Don't take it personally -- just how things are for me right now. I imagine they'll be better (sort of) come April, but eh, outside of the topic...
koitsu wrote:
Follow-up to my own post:
I want to apologise (albeit slightly; that is to say, I don't feel bad for anything I've written, but I fully acknowledge it's very harsh) for what I wrote above. Rather than edit it, I felt replying would be more appropriate/fair.
Right now I have more things going on in my life that I think I've ever had to handle at the same time, some of which are demanding, others are devastating. So needless to say I'm under a lot of stress and my tolerance level (in general) is extremely thin. Don't take it personally -- just how things are for me right now. I imagine they'll be better (sort of) come April, but eh, outside of the topic...
My reply thanking you for taking the time to give a shit seems to have been lost or removed. Ah well. Thanks for taking the time and giving a shit!
cpow wrote:
My reply thanking you for taking the time to give a shit seems to have been lost or removed.
Perhaps someone inferred sarcasm from the phrasing. Some people's sarcasm detectors are mistuned, and this appears especially common among programmers for some reason. It may take extra effort to get across that a particular comment is in sarcasm mode or sincerity mode.
There needs to ba an admin appreciation day.
Thanks, man! You must do all kinds of stuff that is totally invisible to users like me, but it makes my user experience much easier.
Thank you.
cpow wrote:
My reply thanking you for taking the time to give a shit seems to have been lost or removed. Ah well. Thanks for taking the time and giving a shit!
Is this real? Looks like a bot replying... o.O
RLError wrote:
There needs to ba an admin appreciation day.
There has been for years, it's just that the entire world (not this board, I really do mean the majority of the world) doesn't care enough to consider celebrating it in some way. I guess I can't blame people, because most "admins" of things these days tend to not know anything about what they're administrating, so we actual admins are left celebrating it ourselves, by ourselves, with a beer or some tears. :-)
I knew I should have checked to see if there already was an admin appreciation day before making that post!
While I don't know all the technical details behind phpBB and MediaWiki, it seems like it ought to be possible to tie the wiki user accounts directly to the board accounts. So only board accounts in good standing even have wiki accounts.
That would allow your existing spam fighting to also combat wiki spammers (even if they only spam account creation). It would also remove the need for board members who want to edit the wiki to explicitly sign up, and also remove the admin overhead (small as it probably is) of approving such requests.
Of course, such a move would require developing a plug-in for phpBB, MediaWiki, or both. (Or, perhaps, some sort of standalone script that could be run from a cron job.) I suppose there may not be admin time (or skills, depending) to develop such a thing, but if there is, I think it would be an elegant solution.
It would make a single sign-on possible but wouldn't fix the spam issue since the BBS allow anyone to create users account, which now would allow to create spam on the wiki.
Since the real new users on the wiki are quite small, the return on investment would be too small unfortunately.