Malazan Empire: There's a Troll in the Q&A - Malazan Empire


There's a Troll in the Q&A Kill it.

#21 User is offline   Lisheo 

  • Difference Engineer
  • Group: High House Mafia
  • Posts: 2,306
  • Joined: 04-June 07
  • Location:Slowly returning, piece by piece.
  • Interests:All of the things.

Posted 11 November 2008 - 07:57 PM

I was actually just thinking about maybe asking the mods about creating a user-group of users, computer-literate, to have some input on stuff and see if they can't offer opinions and advice on problems. Take Osric, he might come up with something for the spambots.
“People have wanted to narrate since first we banged rocks together & wondered about fire. There’ll be tellings as long as there are any of us here, until the stars disappear one by one like turned-out lights.”
- China Mieville
0

#22 User is offline   Silencer 

  • Manipulating Special Data
  • Group: Administrators
  • Posts: 5,674
  • Joined: 07-July 07
  • Location:New Zealand
  • Interests:Malazan Book of the Fallen series.
    Computer Game Design.
    Programming.

Posted 11 November 2008 - 08:00 PM

It depends, some can, some can't.

However, the IPs used have randomly generated parts, and common parts. Usually the first 3 bits are the same, and the last bit is different. What this allows us to do is perform a search for any users using the first 3 parts - with a wildcard for the last bit. If no registered user has those first 3 parts, we can ban those three parts - the spambot using that IP must now change which IP they are using. It's not a perfect system, but spambots are always there, and will always be a problem.

The thing with the questions is that they may slow down the number of bots, but not permanently. For example, if we can have a cycle of questions, then it's fine. If we are limited to one question, all the bot needs to do is figure out that answer once...and then it can get in forever more.

As for extra measures that IPB offers...not really. We're always up to date, and it's not really possible to do anything...without changing the location of the forums affected. (Not fun).
Some third-party plug-ins offer more protection, but that sort of thing is dangerous. Because plug-ins integrate with the ACP, if it's faulty, has a known/findable exploit, or if it simply is a means of hacking the board, then it becomes hugely dangerous in terms of what can happen (think Admins locked out of the ACP, all members banned, all threads deleted, etc).

As I said, they tend to come in waves. Bloody annoying, and always there.

Cross with Lisheo. It's possible. Over on MC Theoderich and MrHide handle that sort of security stuff. MC still gets spambots. It's a matter of how far you want to go. If it gets bad enough, and we can't find a reasonable pattern for some of the IPs, then yeah, it's worth it.

Any help is appreciated, of course.
***

Shinrei said:

<Vote Silencer> For not garnering any heat or any love for that matter. And I'm being serious here, it's like a mental block that is there, and you just keep forgetting it.

0

#23 User is offline   Osric 

  • Captain
  • Group: Malaz Regular
  • Posts: 190
  • Joined: 02-October 08
  • Location:Holland
  • Interests:Books, Games, Programming, Beer, Women, Movies

Posted 11 November 2008 - 08:36 PM

Thing is, these bots collect a database of suitable answers and get the codes from the pictures to match the answers, or they soft-force their way through the registration page by having a small collection of all possible answers. So basically, all we would have to do is make our own since the bots only have the generic Invision password list, nobody's gonna bother making one just for our website. Pictures will do, or obvious answers that we can think of, like what's 1 + 1. It'd mean modding the forums ourselves though. If anyone can do it then that would solve it, it doesn't have to be anything special because the only thing these bots can get past is the standard Invision stuff, cos so many forums use it.

That is, assuming that the bots get past the actual registration and aren't using injections into the database to register themselves. If that's the case I'd be extremely disappointed in Invision, cos that's a major security problem.
Wise words are like arrows flung at your forehead. What do you do? Why, you duck of course.
-Bult
0

#24 User is offline   Lisheo 

  • Difference Engineer
  • Group: High House Mafia
  • Posts: 2,306
  • Joined: 04-June 07
  • Location:Slowly returning, piece by piece.
  • Interests:All of the things.

Posted 11 November 2008 - 08:39 PM

Osric, on Nov 11 2008, 08:36 PM, said:

That is, assuming that the bots get past the actual registration and aren't using injections into the database to register themselves. If that's the case I'd be extremely disappointed in Invision, cos that's a major security problem.

I have some suspicions that some might be doing that, ones that create "guest" accounts.
“People have wanted to narrate since first we banged rocks together & wondered about fire. There’ll be tellings as long as there are any of us here, until the stars disappear one by one like turned-out lights.”
- China Mieville
0

#25 User is offline   Osric 

  • Captain
  • Group: Malaz Regular
  • Posts: 190
  • Joined: 02-October 08
  • Location:Holland
  • Interests:Books, Games, Programming, Beer, Women, Movies

Posted 12 November 2008 - 09:34 AM

Alright, did some research.
This might be an interesting thread and a viable attempt to solve it:

http://www.theadminz...ead.php?t=54885

So basically, they do get past the captcha, somehow, either using the binary code in the picture or using font detection, probably the latter though since I got no clue how the first would be possible. Basically it wouldn't be too hard to make a program that identifies letters in the captcha pictures, all you need to do is get all the letters from the existing default captcha set, which are located in style_captcha/captcha_fonts/ in the directory where the forum is installed, then using them to compare to a picture. I think if I spend some time on it I'd be able to make that, not that I'd be interested, but I'm sure someone else can.

So basically another solution would be to put a different font set that is a true-type font (.ttf file) into the style_captcha/captcha_fonts/ folder, replacing the default ones, probably renaming the new .ttf file to the ones already there, actually replacing the font sets used now by captcha. This should stop the bots imo and it's pretty simple to do. Just replace the font with a font that is readable by users.
Wise words are like arrows flung at your forehead. What do you do? Why, you duck of course.
-Bult
0

#26 User is offline   Osric 

  • Captain
  • Group: Malaz Regular
  • Posts: 190
  • Joined: 02-October 08
  • Location:Holland
  • Interests:Books, Games, Programming, Beer, Women, Movies

Posted 12 November 2008 - 09:50 AM

Alright, I attached an example of the captcha this board uses. As you can see it's not that complicated. All that a bot needs to do is change the contrast of the picture and extract the letters.

It would make it a lot harder for the bot if the picture had lines through it that are the same colour as the letters. I dunno if that's possible though, it might take some actual programming in the ip.board code.

I'm kinda disappointed in Invision's shitty captcha. Even I could make a better one than this lol.

Wise words are like arrows flung at your forehead. What do you do? Why, you duck of course.
-Bult
0

#27 User is offline   Lisheo 

  • Difference Engineer
  • Group: High House Mafia
  • Posts: 2,306
  • Joined: 04-June 07
  • Location:Slowly returning, piece by piece.
  • Interests:All of the things.

Posted 12 November 2008 - 02:57 PM

Osric, on Nov 12 2008, 09:34 AM, said:

Alright, did some research.
This might be an interesting thread and a viable attempt to solve it:

http://www.theadminz...ead.php?t=54885

So basically, they do get past the captcha, somehow, either using the binary code in the picture or using font detection, probably the latter though since I got no clue how the first would be possible. Basically it wouldn't be too hard to make a program that identifies letters in the captcha pictures, all you need to do is get all the letters from the existing default captcha set, which are located in style_captcha/captcha_fonts/ in the directory where the forum is installed, then using them to compare to a picture. I think if I spend some time on it I'd be able to make that, not that I'd be interested, but I'm sure someone else can.

So basically another solution would be to put a different font set that is a true-type font (.ttf file) into the style_captcha/captcha_fonts/ folder, replacing the default ones, probably renaming the new .ttf file to the ones already there, actually replacing the font sets used now by captcha. This should stop the bots imo and it's pretty simple to do. Just replace the font with a font that is readable by users.

Osric, on Nov 12 2008, 09:50 AM, said:

Alright, I attached an example of the captcha this board uses. As you can see it's not that complicated. All that a bot needs to do is change the contrast of the picture and extract the letters.

It would make it a lot harder for the bot if the picture had lines through it that are the same colour as the letters. I dunno if that's possible though, it might take some actual programming in the ip.board code.

I'm kinda disappointed in Invision's shitty captcha. Even I could make a better one than this lol.

I have told Hetan about your ideas. Hopefully she'll pop in later and post a comment or two.
“People have wanted to narrate since first we banged rocks together & wondered about fire. There’ll be tellings as long as there are any of us here, until the stars disappear one by one like turned-out lights.”
- China Mieville
0

#28

  • Group: Unregistered / Not Logged In

Posted 13 November 2008 - 04:57 PM

I've installed the latest version 2.3.6 which is supposed to have the upgrades to the Captcha system already on board.

We'll have to see if it makes any impression. What I am baffled about is why the Q&A thread? It seems to be a magnet to the bastards.
0

#29 User is offline   Obdigore 

  • ThunderBear
  • Group: High House Mafia
  • Posts: 6,165
  • Joined: 22-June 06

Posted 13 November 2008 - 06:55 PM

Is this feasible for an Invision board?

Have any currently registered users be able to 'approve' a new user before they can post, and then have some simple questions on the registration, such as

'Favorite Author'
'If you read this type 'bees''

Questions like the above that cannot be answered by a bot. Then, have a new user have to be ok'ed before they can post, anyone with a current username can ok someone... I'm not sure how those people would be notified.

If it is in the backend of the site if you do enable ok'ing, I understand how this would not be possible, just a suggestion.
Monster Hunter World Iceborne: It's like hunting monsters, but on crack, but the monsters are also on crack.
0

#30 User is offline   Silencer 

  • Manipulating Special Data
  • Group: Administrators
  • Posts: 5,674
  • Joined: 07-July 07
  • Location:New Zealand
  • Interests:Malazan Book of the Fallen series.
    Computer Game Design.
    Programming.

Posted 13 November 2008 - 09:29 PM

Sadly, it's in the Admin Control Panel. So it's not really feasible to give everyone in the forum access to that!

To me, the spambots are not that bad, atm. Sure, they are annoying, and we have to keep banning them. But this really isn't that much of a bad wave. Eventually, we will start seeing patterns - I've already found three sets of common IPs, and I'm just waiting to make sure that no users are using the beginning component of these IPs before banning them with wildcards.

Sadly, spambots are a fact of forum life. There are more people out there creating them than there are trying to prevent them. Besides, they can be quite easily replicated and so you end up with a whole load of the damn things. Even with the new Q&A on IPB3.0, it's not going to stem the tide for very long, unless we can set our own questions.
***

Shinrei said:

<Vote Silencer> For not garnering any heat or any love for that matter. And I'm being serious here, it's like a mental block that is there, and you just keep forgetting it.

0
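Added example, not part of any post in this thread and not IP.Board code: a sketch of the check described in posts #22 and #30, grouping spambot IPs by their first three parts and only proposing a wildcard ban when no registered member posts from the same range. The function names, the `min_hits` threshold and the sample data are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def wildcard(ip):
    """Return the 'first three parts + wildcard' form of an IPv4 address."""
    net = ipaddress.IPv4Network(f"{ip}/24", strict=False)  # rejects bad input
    a, b, c, _ = str(net.network_address).split(".")
    return f"{a}.{b}.{c}.*"


def plan_bans(spam_ips, member_ips, min_hits=2):
    """Split spam-heavy ranges into safe-to-ban and needs-review.

    spam_ips:   iterable of IPs seen on banned spam accounts
    member_ips: dict of member name -> iterable of IPs they have used
    min_hits:   distinct spam IPs required before a range counts as a pattern
    """
    spam_by_range = defaultdict(set)
    for ip in spam_ips:
        spam_by_range[wildcard(ip)].add(ip)

    members_by_range = defaultdict(set)
    for name, ips in member_ips.items():
        for ip in ips:
            members_by_range[wildcard(ip)].add(name)

    safe, review = [], {}
    for rng, ips in sorted(spam_by_range.items()):
        if len(ips) < min_hits:
            continue  # a single address is not a pattern; ban it on its own
        if rng in members_by_range:
            # A wildcard ban here would lock out real members too.
            review[rng] = sorted(members_by_range[rng])
        else:
            safe.append(rng)
    return safe, review


# Constructed sample data: documentation address ranges, made-up member names.
SPAM_IPS = ["203.0.113.7", "203.0.113.91", "203.0.113.200",
            "198.51.100.14", "198.51.100.77", "192.0.2.5"]
MEMBER_IPS = {"member_a": ["198.51.100.23"], "member_b": ["192.0.2.80"]}

if __name__ == "__main__":
    safe, review = plan_bans(SPAM_IPS, MEMBER_IPS)
    print("ban with wildcard:", safe)
    print("hold, members in range:", review)
```

Ranges that land in the review list are the ones where a wildcard ban would also hit existing members, so those spam addresses are better banned one by one.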
