Slashdot: News for Nerds



Preventing Forum Spam-bots?

Cliff posted more than 8 years ago | from the evolved-beyond-captcha dept.


A concerned reader asks: "Recently it seems that forums have become the new target for spam bots advertising everything from porn to casinos. The forums that I admin are constantly harassed by these bots even though you must enter the visual confirmation code (the picture with letters/numbers) as well as reply to an e-mail in order to register. This only started a few months ago so I'm suspecting that some new spam program was released that somehow gets around these anti-bot measures. How can I get rid of these annoying bots?"



One word: (5, Informative)

MadDog Bob-2 (139526) | more than 8 years ago | (#15088131)

kittens

Re:One word: (1)

Kelson (129150) | more than 8 years ago | (#15088343)

I like the idea (even with the cute overload), though I'm not sure it really improves much over a single captcha image. Aside from the obvious anticipation of OCR improvements.

It seems a bit process-intensive, though, judging by the load time I'm getting. The success message on the demo seems rather appropriate, given last weekend's Slashdot layout...

Re:One word: (1)

TikiTDO (759782) | more than 8 years ago | (#15090013)

This also creates the problem of how many different kitten images you have to work with. If you have 10 kittens you can choose from it would take a few minutes to see them all, and write a program to recognise each (And this would work on all the forums with lazy admins who won't change default images). If you have a few thousand then you're using a few MB for the sole purpose of authentication.

Re:One word: (0)

Anonymous Coward | more than 8 years ago | (#15091115)


Please use correct terminology (4, Informative)

Raul654 (453029) | more than 8 years ago | (#15088135)

For the record, those blurred/skewed letters and numbers are called a "Completely Automated Public Turing test to tell Computers and Humans Apart" - Captcha.

Also... (3, Informative)

Raul654 (453029) | more than 8 years ago | (#15088171)

It's patented. (and Turing is spinning in his grave...)

Re:Also... (1)

Loconut1389 (455297) | more than 8 years ago | (#15089109)

That patent speaks of riddles and the user guessing the answer, how does that translate into the CAPTCHAs we recognize these days?

Re:Also... (1)

Raul654 (453029) | more than 8 years ago | (#15089153)

The claim section (the only part of the patent that has any legal weight) covers "modifying at least one perceptual attribute of the string of random characters to form a riddle configured to be easily answered by a human being with no advance knowledge of the riddle while being substantially difficult to answer by an automated agent unaided by human being, the string being a correct answer to the riddle; " -- the perceptible attribute that is modified is the readability, and the riddle that the human must solve is the skewed picture.

Re:Please use correct terminology (4, Insightful)

croddy (659025) | more than 8 years ago | (#15088182)

Before you implement a captcha, please consider the effect this will have on visually impaired users. Obviously, any system relying on an image will not be accessible to blind people; systems making use of colored images may not work for colorblind people. Providing audio captchas would help, but this will be a problem for people who are deaf -- and one cannot simply assume that users are not both deaf and blind.

I have seen some captchas that ask users in plain text to solve a simple arithmetic or logic problem. This is going to be far more accessible than anything relying on embedded media.

If you're sure that none of your users are blind or colorblind (which would be plausible only for an extremely small user base), then I suppose something like KittenAuth might be appropriate.

Re:Please use correct terminology (0, Flamebait)

Shut the fuck up! (572058) | more than 8 years ago | (#15088259)

Give me a fucking break. Someone always pulls out the "WON'T SOMEONE PLEASE THINK OF THE BLIND PEOPLE" bullshit when this topic comes up. It's too bad, but I'd rather prevent my BBS from being overrun by spam than worry about accommodating a few blind people. Audio captchas? Hey, that discriminates against me because I don't use speakers. WHHHAAAAAAAAAAAAAA!!!!! WON'T SOMEONE THINK OF THE PEOPLE WITHOUT SPEAKERS???

Re:Please use correct terminology (1)

SillyNickName4me (760022) | more than 8 years ago | (#15088607)

Flamebait but nonetheless, it never got into that thing you have for a brain that you can in fact buy speakers? If eyesight was for sale in a meaningful way you can count on it that many blind people would buy it.

Re:Please use correct terminology (1)

cammoblammo (774120) | more than 8 years ago | (#15090126)

I'm not sure I understand your reply, but I think the GP was making the point that speakers won't help someone who is both deaf and blind.

Re:Please use correct terminology (4, Insightful)

Xibby (232218) | more than 8 years ago | (#15088267)

The forums that I run have a "If you are visually impaired or cannot otherwise read this code please contact the Administrator for help." with a mailto link.

This has yet to be a problem as the forums that I run are orientated around shooters or MMPOGs. :)

Re:Please use correct terminology (1)

ReverendLoki (663861) | more than 8 years ago | (#15088329)

Though not a bad idea, even plain text arithmetic is far from foolproof. You could go more complex, but then you run the risk of excluding those who have trouble solving those problems, either in translating the word problem into a solvable mathematical format, or whatever. It would seem that a simple logic problem might be better at differentiating human from bot, but I can imagine that it would have an even higher false negative detection rate.

Visual tests with an audio alternative for sight impaired users covers most of your user base in most situations. When it comes to sight and hearing impaired users, though, is there even a standard human interface device for this situation? If so, then the nature of this device will heavily influence what options exist for user authentication.

Re:Please use correct terminology (3, Interesting)

stevey (64018) | more than 8 years ago | (#15088360)

You could also go for the cuteness approach:

Click on the three images which are OMG Kittens and you're identified as human.

Re:Please use correct terminology (1)

alienw (585907) | more than 8 years ago | (#15088478)

This is even worse than logic puzzles. How many unique kitten pictures is that thing going to have? Ten? Twenty? Maybe fifty? All you have to do is to get 60% of the kitten pictures programmed into the spambot. Then you just have to compute a CRC of each image served, and bang, you have cracked it. And it's not like it's any better than the scrambled text authentication. If you wanted to reduce server load, you could generate and cache a couple of thousand unique text strings. This approach makes it rather simple for the spambot.

Re:Please use correct terminology (2, Insightful)

Dr.Evil (47264) | more than 8 years ago | (#15088692)

If you read the article introducing the kittens concept, you'll see that the author intends it to be customized to each site, thus preventing spambots from simply memorizing the pictures. And randomly picking three out of 9 images only gives a possibility of success of 1/84, better than many word captchas are achieving these days.

Anyone who wants to custom-program a bot for a single site would just be better off manually posting their spam.

Re:Please use correct terminology (1)

alienw (585907) | more than 8 years ago | (#15089085)

No need to custom program anything. The program can grab 20 or 30 different captchas, figure out which images you are using, and simply have a human mark the kitten ones. This function will be implemented in all the spam software if this technique ever becomes widely used.

Also, I fail to see how a word captcha could be guessable. A 5-letter sequence composed of alphanumeric characters would yield a 1/60466176 chance of guessing it right. That's one in 60 million. You'd be better-off playing the lottery.

Re:Please use correct terminology (1)

1110110001 (569602) | more than 8 years ago | (#15090245)

Oh that's easy. Write a script that takes your kitten pictures and adds different borders or saves them in different qualities, ... It's easy to get >30 versions of every picture and the CRC would always be different. Now your Bot writer has to analyze the pictures to find the ones that are similar.

Re:Please use correct terminology (0)

Anonymous Coward | more than 8 years ago | (#15088366)

How could one even use a computer, if one were blind and deaf? I doubt that there are no or extremely few, maybe 5 such users in the whole world. Losing this audience would be no big deal.

Re:Please use correct terminology (1)

croddy (659025) | more than 8 years ago | (#15089219)

By using a refreshable braille display.

This is why it's important to think of accessibility and standards. Not only is there a huge base of people using browsers other than MSIE -- there's a base of users who interact with computers in entirely different ways than most of us.

Re:Please use correct terminology (4, Funny)

Jester998 (156179) | more than 8 years ago | (#15088398)

I have seen some captchas that ask users in plain text to solve a simple arithmetic or logic problem.

While not illegal, some may consider it amoral to discriminate against stupid people.

Re:Please use correct terminology (2, Insightful)

Fulcrum of Evil (560260) | more than 8 years ago | (#15089531)

While not illegal, some may consider it amoral to discriminate against stupid people.

Immoral? Hell, it's a moral imperative!

Re:Please use correct terminology (1)

alienw (585907) | more than 8 years ago | (#15088430)

I have seen some captchas that ask users in plain text to solve a simple arithmetic or logic problem.

This is not a good captcha. If someone wants to flood the forums, it takes about 3 minutes to write a regexp to crack these. You aren't going to implement more than 20 or so different logic puzzles, and it's rather trivial to automatically parse these. Also remember that you only need a 5-10% success rate to completely shitflood the forums. I don't think it's possible to create a captcha that is usable by vision-impaired users, except maybe a sound recording (and even that's trivial to run through a voice recognition program).

Re:Please use correct terminology (1)

Raul654 (453029) | more than 8 years ago | (#15089162)

"I don't think it's possible to create a captcha that is usable by vision-impaired users, except maybe a sound recording" - someone else in this thread has already described just such a thing. Any visually impaired reader could use the voice->sound function to pass that captcha, or one of those electronic braille monitoring things.

Re:Please use correct terminology (1)

fistfullast33l (819270) | more than 8 years ago | (#15088592)

I have seen some captchas that ask users in plain text to solve a simple arithmetic or logic problem

I actually implemented this on my blog a little while back as a quick deterrent (because I didn't have the resources to implement it). The system was quite simple - it basically was scientific notation like so:

seven times one hundred plus eight times ten plus six

Answer: 786

Simple enough to check and because it's text it takes a little more effort to write something to crack it. I didn't get a comment spammer but the site was pretty low traffic so I don't know how effective it was. Hopefully just enough for people to think it wasn't worth the effort.

Re:Please use correct terminology (1)

corbettw (214229) | more than 8 years ago | (#15089575)

seven times one hundred plus eight times ten plus six

That's incredibly easy to circumvent. Just use dred+plus+eight+times+ten+plus+six&start=0&ie=utf- 8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US: official []

((seven times one hundred) plus (eight times ten)) plus six = seven hundred eighty-six

Re:Please use correct terminology (1)

Kelson (129150) | more than 8 years ago | (#15088770)

I've seen some that use linguistically-based tests. Things like "What color is an orange?" or "Please type Bob's first name."

Of course, if you're really getting hammered, you'll need to vary the structure of the questions (and the keywords) a lot, and probably move into the realm of general knowledge questions -- and then you need to make sure you're not relying on vocabulary or knowledge that would exclude more people than you intend.

And the simple ones only work because it's not worth the spammers' time to write a sentence parser.

audio captcha for the blind (1)

judd (3212) | more than 8 years ago | (#15089192)

My bank's system allows you to listen to a computer generated .wav instead.

OCR (1)

mnemonic_ (164550) | more than 8 years ago | (#15088704)

I'll probably get downmodded for this but some GNAA members (a couple of them are MIT students) developed OCR tools that defeat captchas, very long ago.

Re:OCR (1)

GrumpySimon (707671) | more than 8 years ago | (#15089925)

There's also a proof-of-concept called PWNtcha which can automatically work out a large number of common CAPTCHAs (including PHPbb and vBulletin's standard ones) with well over 90% correct.

CAPTCHAs are NOT the best solution - they're just a band-aid, and they make your site harder to use (especially for low vision people). Personally I prefer web-server level blocking of dodgy UA's, IP ranges, POST payloads with something like the wonderful mod_security for Apache, coupled with word filtering (Spamassassin or just a black list).

One word: (0)

Anonymous Coward | more than 8 years ago | (#15088140)

tedious (I hope, it's kinda hard to read)

Captcha! (0, Redundant)

Dwedit (232252) | more than 8 years ago | (#15088141)

Use a Captcha, which is a tool that displays a distorted image containing a word, or sequence of letters. The user must enter in the correct sequence in order to post.
Captchas aren't perfect, some have readability problems for the people, and they completely exclude blind people unless you use an audio captcha as well.

Require completing captcha to create a new account, or post as a guest. Once users have an account and are logged in, you can drop the requirement to use the captcha on every post.

Re:Captcha! (1)

oni (41625) | more than 8 years ago | (#15088177)

Did you read the post??

even though you must enter the visual confirmation code (the picture with letters/numbers)

sounds to me like he's already using captcha

CAPTCHA can't stop real humans. (1)

WoTG (610710) | more than 8 years ago | (#15089229)

I've got a small phpBB bulletin board setup to support some of my websites. For the last 4 or 5 months I've been using a CAPTCHA. It has done almost nothing to reduce SPAM because most of the spammers are from people in "cheap labour" areas who get paid to post. I assume that there's some sort of exchange market out there where people can hire people to make posts for pennies a piece. I don't know how they would track performance, but I assume that they've got that figured out.

Re:Captcha! (1)

November 1, 2005 (927710) | more than 8 years ago | (#15089268)

Shut the fuck up. You're a fucking dildo. Go burn in hell jackass.

Grace period? (1)

!equal (938339) | more than 8 years ago | (#15088144)

Maybe have a grace period between the time one registers and the time they are allowed to post or post replies?

Re:Grace period? (3, Informative)

Donniedarkness (895066) | more than 8 years ago | (#15088272)

While this will keep some of the bots away, it will also cause the site to lose members. When I sign up on a forum, it is usually because I want to post RIGHT THEN. Of course, I'll probably continue to post on it.

If a site makes me wait three days, though, I'm likely to forget about it in that time.

Or were you talking about smaller grace periods? Perhaps 10 minutes? That might work well.

Re:Grace period? (1)

LocoMan (744414) | more than 8 years ago | (#15089136)

Maybe a system where a moderator has to allow your first 2 or 3 posts or something like that. Not sure how to do it, but depending on traffic and the amount of administrators/moderators you have, there might be a system that when you register, the first three posts have to be read by a moderator and allowed in. Maybe set a system that forwards them to all moderators, and then as soon as one of them clicks on "allow", it shows up on the forum.

Re:Grace period? (2, Insightful)

FLEB (312391) | more than 8 years ago | (#15089603)

It would work reasonably as well in reverse: Allow the person's posts, but forward them to a moderator. If the moderator determines them to be spam, that poster gets the boot (along with all their posts). Add in some intelligent "Find Similar" logic, and you'd have y'erself a good start at a forum anti-spam system.

Re:Grace period? (1)

silvwolf (103567) | more than 8 years ago | (#15090010)

A forum I'm on implemented a minimum post count before users can post links.. I guess the one or two spammers we got per month was too much. The only effect that I've seen is legitimate users have to jump through hoops to post links (even lurkers that have been registered for months still can't post links). It did get rid of most of the spammers though, it seems.

But, it didn't completely stop them.. Two nights ago we had a guy spam us and told us to Google for his company's name and click the first link to get to the webpage.. As I google for "company google," today, I see two other forums that he hit.. Googlebot must have indexed the pages before their admins got to the posts because the links now lead to post not found pages.

It's funny that this story was posted because I was looking through the pcHDTV forum tonight and saw a ton of spam dating back several weeks.. Guess the company can't be bothered to read their own forums and clean em up!

Easy (4, Funny)

Kj0n (245572) | more than 8 years ago | (#15088155)

Just display a confirmation page with the picture.

Anyone who can still click on the confirm button is not human.

Re:Easy (1)

Dachannien (617929) | more than 8 years ago | (#15088218)

I dunno, it seems like there'd be a lot of false positives from vomit shorting out people's keyboards.

Re:Easy (1)

pete6677 (681676) | more than 8 years ago | (#15089323)

What is this goatse picture I've heard so much about? It sounds like something pretty nasty.

Re:Easy (0)

Anonymous Coward | more than 8 years ago | (#15090116)

You must be new here.

Goatse is this: 04goatse.jpg [] (only real, not unreal). Search and you may find. And you will KNOW when you find *G*O*A*T*S*E*.

Re:Easy (1)

cammoblammo (774120) | more than 8 years ago | (#15090134)

I won't do it to you. In fact, I won't even do you the favour of posting a link. But I will tell you that you can find information on Wikipedia.

Don't say you weren't warned.

Visual code (1)

The Lerneaen Hydra (885793) | more than 8 years ago | (#15088158)

What's to stop a spammer/script kiddie from making a script that does all the registering except for the visual code, giving an average reg. time of maybe 5 seconds per site?

add ad hoc customizations (3, Insightful)

etymxris (121288) | more than 8 years ago | (#15088183)

Add hidden variables to submission forms that change every day. This will force the bot software to do pagescraping for your specific webforum, which probably isn't worth their time. They will go to the easier targets first.

But if they are defeating captcha, there is probably someone who just sits there manually spamming forums through anonymous proxies. The amount of money that can be made by doing this spamming is probably enough to pay people with lower standards of living to just do it manually. And if that's so, there's just no way to get around it. I started logging how many bots the captcha and hidden variables were catching, and it was tons. Still, I get spammers. Just not nearly as many.

Re:add ad hoc customizations (1)

TubeSteak (669689) | more than 8 years ago | (#15088784)

But if they are defeating captcha, there is probably someone who just sits there manually spamming forums through anonymous proxies.

Well maybe, but not necessarily.

There is at least one public and many 'private' tools that can brute force captcha while rotating proxies between attempts.

Plenty of freely available OCR components can be incorporated into your own program. It'd make much more sense to pay one programmer (or DIY) to whip up a quality OCR proggie than to pay monkeys to sit around typing in captchas.

I'm pretty sure .Net has its own OCR library/API built in

Why does it have to be a program? (0)

Anonymous Coward | more than 8 years ago | (#15088184)

This only started a few months ago so I'm suspecting that some new spam program was released that somehow gets around these anti-bot measures.

Maybe, they've hired a bunch of folks in: India, Mexico, wherever, to just manually register. It'd be cheaper than hiring a coder to figure it out. Also, that would be some really great image scanning software to read those words with all the crap that's drawn through them. I can barely read the ones for /. when I post - as AC.

Sometimes, it is a vocabulary lesson, though :-)

Re:Why does it have to be a program? (1)

titzandkunt (623280) | more than 8 years ago | (#15090044)

"...Maybe, they've hired a bunch of folks in: India, Mexico, wherever, to just manually register...."

Why hire people at all, when there's one born every minute who'll do it for free if you dangle a free [gadget of the day] in front of their greedy, gullible snouts?

From a previous /. discussion:

** THIS IS NOT BULLSHIT! ** I just received my PSP today via UPS totally free by typing words on some site. I thought it was BS at first but man was I surprised when the UPS guy showed up at my door with a frikkin PSP. Just for typing 50 words. Before you flame me and call me a d*ck just remember I was totally surprised I got my PSP and just wanted to share the love with you all. Free for typing some words is way better than paying a lot of money. Here is the link for anyone interested: [] [] I hope you all are enjoying your PSP as much as I am. Peace and love.

The link led to a reasonably well designed page which was scraping captchas from blackplanet, images direct from Sony and getting retards to bust 50 captchas in the hope of getting their free PSP.

No money need change hands...


There are two ways around captchas (0)

Anonymous Coward | more than 8 years ago | (#15088191)

One is to write a program which recognizes the characters in the captcha. Algorithms for a surprising number of captcha types exist, so you may simply need to look for a better/harder captcha generator.

The other method is to provide a popular service and guard it with a remote captcha. This is usually done with free porn sites. The site promises to show the visitor some pictures, but only if he proves that he isn't a bot by entering the letters from the captcha. The captcha is the one from the forum that the porn site admin wants to post to. When the visitor solves the captcha, the forum post is made and the result of the captcha test on the forum site is taken as the result for the porn site as well. Since porn sites have a steady stream of visitors, they can spam many forums, so long as they use a standard posting verification scheme. A way around that may be to obfuscate the fact that you're using a captcha and what the captcha image is (compared to a standard installation of your forum software).

Two good approaches (3, Insightful)

aiken_d (127097) | more than 8 years ago | (#15088228)


Better: dynamically change the names of form fields ("subject", "message", etc) based on the current time. MD5 hash the current hour with the field name, and have the software only check the current and previous values. Spam bots generally have to be told what field names to look for.

Best: have good moderators who kill spam and block IP's more or less instantly. Not practical for smaller sites, of course.
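Added example (not part of aiken_d's post or of any forum package): a Python sketch of the hourly rotating field names described above; with `WINDOW` set to a day it also covers the daily-changing hidden variables etymxris suggests earlier in the thread. It swaps the bare MD5 for an HMAC with a server-side secret, because a plain hash of hour plus field name can be recomputed by anyone who learns the scheme; the secret, the field list and the `f_` prefix are assumptions.

```python
import hashlib
import hmac

# Assumptions for this sketch (not taken from any forum package):
SECRET = b"replace-with-a-random-per-site-secret"  # per-site server secret
FIELDS = ("subject", "message", "username")        # logical field names
WINDOW = 3600  # seconds per rotation; 86400 gives a daily rotation


def bucket_for(now):
    """Index of the rotation window that contains the Unix time `now`."""
    return int(now) // WINDOW


def field_alias(name, bucket):
    """Name sent to the browser for logical field `name` during `bucket`."""
    msg = f"{bucket}:{name}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return "f_" + digest[:16]  # leading letter keeps it a valid HTML name


def aliases_for(now):
    """Logical name -> alias mapping used when rendering the form."""
    bucket = bucket_for(now)
    return {name: field_alias(name, bucket) for name in FIELDS}


def decode_submission(form, now):
    """Map a posted form (dict of name -> value) back to logical names.

    Returns (fields, verdict). Aliases from the current and the previous
    window are accepted, so a page loaded at 10:59 can be posted at 11:01.
    """
    # A client posting the well-known static names never rendered our form.
    if any(name in form for name in FIELDS):
        return None, "static-names"
    current = bucket_for(now)
    for bucket in (current, current - 1):
        wanted = {name: field_alias(name, bucket) for name in FIELDS}
        if all(alias in form for alias in wanted.values()):
            fields = {name: form[alias] for name, alias in wanted.items()}
            return fields, "ok"
    return None, "stale-or-unknown"


if __name__ == "__main__":
    rendered_at = 1_700_000_000  # constructed timestamp for the demo
    names = aliases_for(rendered_at)
    # Constructed submissions: a browser that rendered the form, a replay two
    # hours later, and a client that posts the package's default field names.
    browser = {names["subject"]: "hello", names["message"]: "first post",
               names["username"]: "alice"}
    scripted = {"subject": "cheap pills", "message": "click here",
                "username": "bot123"}
    for label, form, when in (
        ("browser, same hour", browser, rendered_at + 60),
        ("browser, next hour", browser, rendered_at + 3000),
        ("replay, two hours on", browser, rendered_at + 7200),
        ("static field names", scripted, rendered_at + 60),
    ):
        print(label, "->", decode_submission(form, when)[1])
```

Rejections with the `static-names` verdict are worth counting per source address, since they identify clients that never rendered the form.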


Don't use well known forum software (4, Interesting)

savala (874118) | more than 8 years ago | (#15088232)

Don't use phpbb, vbulletin or whichever other forum software everyone uses. Don't name your registration page "register.php" or something similarly easy to guess. Don't give your username and password fields name and id attributes of "username" and "password". Etc, etc. There is no security in obscurity, but there sure as hell is lots of convenience and freedom from automated harassment.

The rewards for writing scripts that can handle the subscription process for all the big software packages are simply too large. Yes, these software packages will now start up the arms race, same as has happened with weblogs and email and referer spammers (does anyone else have the feeling we've won that last one, btw?). You can try and follow along and update your forum software every other day. But it's much more convenient to simply duck under the radar. Chances are no spammer is going to bother figuring out how to register at your custom-built/modified forum.

Re:Don't use well known forum software (2, Informative)

Spudley (171066) | more than 8 years ago | (#15088552)

Don't use phpbb, vbulletin or whichever other forum software everyone uses

Much as I hate to agree with that, he speaks the truth -- the bots are written to target specific forum packages, and they almost always go after the popular ones. phpBB has taken a lot of stick for one or two security problems that came up, but in truth it's as good, if not better than its competition; the reason it gets hit so badly is simply because it's so popular.

So if you can use a less-well-known package, that will keep you away from the prying eyes of most of the bots.

Alternatively, you could mod one of the well known packages, so that the bots no longer work with it. That could be something as simple as changing the fieldnames on the registration form, or changing the URL of the registration page. If you know enough PHP/ASP/whatever to make the necessary changes, that would be a good solution; you'd still have the features of your favourite package, but not the bots.

While you're modding the forum, it would also be a good idea to add a block to prevent new members from posting links. (if you're really lucky, your forum packages may include this feature already). Spambots aren't any use if they can't post spam, and spam requires a link, so kill off the links, and you'll kill off the bots. Members should only be able to post links after they've proved themselves trustworthy.

CAPTCHA is a great idea, but if you're using a common one (ie the one included in your forum package), the odds are that the spammers have cracked it already. But again, the bots are likely to be programmed with the specific CAPTCHA-cracker for their forum, so if you can replace it with a less-common method, that will also bamboozle the bots.

If you are still using a well-known forum package after all that, you should also consider modifying the page template to remove references to the software name and version. Some bots look for specific versions of a forum to attack a known weakness, so stripping out the identifying marks will make it harder for them.

Security by obscurity is a much hated phrase around here, and with good reason. It is highly effective against the blind automated attacks of your average spam-bot, but whatever you do, even if it seems to be working, don't take your security for granted. Never let your guard down.

Re:Don't use well known forum software (0)

Anonymous Coward | more than 8 years ago | (#15089021)

Just to get the name out, there is another forum type I have come across. It is not exactly the best organized, but it is clean. I guess it would be best for small groups.

What email addresses are they using? (2, Interesting)

oni (41625) | more than 8 years ago | (#15088244)

If they are using something like hotmail, then maybe just disallow hotmail. Nobody with a brain uses it anymore anyway.

If they are using gmail, then maybe google would be nice enough to start a service where you could report addresses that bots are using. The great thing about google requiring invites is that google now has this neat chain of responsibility. If they see a pattern where all of the addresses created by invites from a certain person's account have been used as bots, then they could delete all those accounts and all the accounts they invited. That would seriously screw the spammers.

Re:What email addresses are they using? (2, Insightful)

John Miles (108215) | more than 8 years ago | (#15088480)

That's actually a really good point. You could require a GMail account for registration -- effectively leveraging Google's spamfighting capabilities for your own purposes.

Re:What email addresses are they using? (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#15088926)

You want me to register for both your forum and a webmail service? Fuck you and your site that I'd never visit again.

Not everyone thinks gmail is the greatest thing since leavened bread.

Re:What email addresses are they using? (0)

Anonymous Coward | more than 8 years ago | (#15089708)

"You want me to register for both your forum and a webmail service? Fuck you and your site that I'd never visit again."

Ass, exit stage left.
Door, meet ass.

What worked for me (2, Interesting)

FreelanceWizard (889712) | more than 8 years ago | (#15088261)

I'm guessing you're using phpBB. I've actually been hit by these guys on my boards; it wasn't a problem for me until they started to post. It appears to be actual people and not robots. I should also note I didn't have this problem until I added Google AdSense to my boards. After I did that, I started to get two or three of these spammers each week. Another phpBB board I administer hasn't gotten a spam user yet.

What worked for me was checking the registration e-mail addresses of these people and putting in bans for "*" and "*@*.info". On phpBB, you'll have to manually add these to your ban list table in the forum database. Given that a US board isn't likely to have legitimate users coming from Russia or with .info e-mail addresses (.info generally being the Internet equivalent of the sleazy parts of a big city), I don't think I'm really affecting potential new users. I haven't gotten any complaints or new spam users yet, so my technique seems to be working.

Re:What worked for me (1)

Skater (41976) | more than 8 years ago | (#15088455)

My forum had people registering accounts every day with adult/gambling/etc links - the registration message would fail, but they didn't care; they just wanted those URLs in the db.

I did a search on phpBB's site about this and found I wasn't the only one with the idea of removing the URL field from the user name information. The phpBB people were not interested in creating a mod to do that, and they instead suggested I try the mod to block requests from proxies.

The proxy mod worked for a while, and I kept it updated, but eventually the spammers came back. I'd have four or five accounts to delete every day. Finally since only spammers were using the forum, I shut it down.

Re:What worked for me (1)

NeoThermic (732100) | more than 8 years ago | (#15088741)

If you are using phpBB, the first suggestion I have is to change the VC code to something else. It doesn't have to be hard to break, it just has to be different.

There's also a huge topic on [] which details a few things you can do to stop them. Of main suggestion is the Instant Ban mod ( [] ) which will modify the registration page in such a way that automated attempts get banned. It is done in such a way that a normal user can't trip it either, so false positives will be very much 0.

I've also taken to logging the attempts that failed (in terms of username, password, website and e-mail). Of interest is that out of 1339 failed attempts, 153 attempted a e-mail address, so banning it is advisable.


Re:What worked for me (1)

Fulcrum of Evil (560260) | more than 8 years ago | (#15089543)

What'd be really cool is a stealth ban where you can see your posts, but nobody else can.

Be proactive! (4, Insightful)

BertieBaggio (944287) | more than 8 years ago | (#15088289)

There are a number of options you have, depending on how aggressive you want to be. You may have implemented some of these suggestions already, but they may help other forum admins in a similar quandary.

Firstly, disable anonymous posting. What works for slashdot does not necessarily work for phpbb. This may sound obvious, but a forum I check on now and again is slowly haemorrhaging members due to guest bot spam.

Secondly, find yourself a list of public proxy servers. Ban them. Find some more. Ban them too. Also, take note of the IPs the spambots were using to post. Ban them as well (unless they are AOL IPs -- be smart and do an nslookup). Keep this list of banned IPs, and share them with the blacklist groups, or other forum admins you know. You help them, they help you.

Thirdly, augment your signup process. You say you are using CAPTCHAs, but if the bots are getting around or through them, you have to do more. Write a few hundred straightforward questions; you can get your community to help you for this one. Have one or two of those questions displayed at registration time, along with the CAPTCHA. For example:

Which of these is not one of the seven dwarves?

  • Doc
  • Sleepy
  • Bashful
  • Horsey

Or would you like another question ?

Keep this as simple as possible. "What color is the sky?" is about the level you are looking for. A bot won't be able to answer these unless it is specifically programmed to. Need I say you should serve a random question?

For bonus points on this one, make the questions something to do with the topic of the forums. If the forums were about widgets, you could ask something (really basic) like "What is the most common color of widget?". Or make some of the questions about the TOS. You know, the thing everyone checks the box saying "I agree to abide by the TOS". This may alienate some people, though, which you may or may not want. Also remember to consider non-native English speakers.

If you are still getting those darned bots, consider manually approving by hand all registrations. This will obviously depend on how many new signups you get, and what kind of manpower you have (think moderators and "trusted community members"). On the other hand, you should be able to spot and stop bots right off the bat.

But why stop there? Be even more proactive! Set up a honeypot. Disallow a certain directory with robots.txt, and ban all IPs that find their way there. Include an invisible link to the disallowed location and see what falls in the trap. Remember that blacklist you started earlier? Add (and share) these IPs!

Finally, let your community know what you are doing. They will appreciate the effort (If you have noticed the spam, so have they). Set clear guidelines, and encourage community vigilance.

In the end, remember: spam is beatable.
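The robots.txt honeypot from the comment above, sketched as an added example (not code from the thread): it scans access-log lines for requests to a path that robots.txt disallows and returns the client IPs to add to a blocklist. The trap path `/trap/`, the allowlisted network and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed trap location: robots.txt carries "Disallow: /trap/" and the pages
# contain a link to it that human visitors never see.
TRAP_PREFIX = "/trap/"

# Networks that are never banned automatically, e.g. your own monitoring or
# shared proxy ranges you do not want to block wholesale (constructed value).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]

# Common/Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2006:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleCrawler/1.0"
198.51.100.7 - - [10/Apr/2006:10:00:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "ExampleCrawler/1.0"
203.0.113.50 - - [10/Apr/2006:10:01:10 +0000] "GET /trap/index.html HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.50 - - [10/Apr/2006:10:01:11 +0000] "POST /forum/profile.php?mode=register HTTP/1.1" 200 900 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Apr/2006:10:02:00 +0000] "GET /trap/ HTTP/1.1" 200 12 "-" "uptime-check"
203.0.113.99 - - [10/Apr/2006:10:03:00 +0000] "GET /forum/trap/faq.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
garbage line that is not a log entry
"""


def is_allowlisted(ip):
    """True if the address falls inside a network we never auto-ban."""
    return any(ip in net for net in ALLOWLIST)


def trap_hits(log_text):
    """Return {ip: [paths]} for clients that requested the disallowed trap path."""
    hits = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or truncated line
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # hostname or junk in the client field
        path = match.group("path").split("?", 1)[0]
        # Only paths under the trap directory count; /forum/trap/... does not.
        if not path.startswith(TRAP_PREFIX) or is_allowlisted(ip):
            continue
        hits.setdefault(str(ip), []).append(path)
    return hits


def ban_list(log_text):
    """Sorted list of IPs to add to (and share as) a blocklist."""
    return sorted(trap_hits(log_text))


if __name__ == "__main__":
    for ip in ban_list(SAMPLE_LOG):
        print("ban", ip)
```
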

Re:Be proactive! (1)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#15088806)

In the end, remember: spam is beatable.

Ahhhh! The optimism of youth!

Re:Be proactive! (1)

TubeSteak (669689) | more than 8 years ago | (#15088825)

That sounds like an awful lot of trouble.

I can't remember which forum(s) allow you to do this, but at least one of 'em allows you to set a user up so that they can keep posting, but only they see their own posts.

I think it makes a lot more sense to relegate the trolls and spammers to their own personal little playpen. Automated spammers aren't likely going to check if everyone else gets to see their posts... and as always, better an enemy you know than an enemy you don't.

If they think their accounts are working, you won't have to play cat & mouse with the bastards. The spammers will adapt their techniques to all the choices you suggested. My suggestion means, that at worst, you will get less blatant spam posts.

Use Slashdot's method (3, Insightful)

c0d3h4x0r (604141) | more than 8 years ago | (#15088295)

"Captcha" techniques aren't bulletproof. If someone can automate all but the "captcha test" part of the posting process, then someone can sit and repeatedly answer the captcha test and still post spam pretty efficiently.

The only truly effective way to stop this crap is to require a certain amount of time to elapse before being able to post another post, like the way Slashdot does it, and to implement some kind of moderation+filtering system so the crap can all be modded down by vigilant users. Combine that with a couple other requirements (you must have a user account to post, and new users can't post for the first 48 hours), and you'll easily squash the spam problem.

Unstoppable captcha-buster (1)

arrrrg (902404) | more than 8 years ago | (#15088960)

No matter how fancy you make your captcha, human labor is cheap. This is especially true when you consider the lengths people are willing to go to get free internet porn. The most genius way I've heard of to beat CAPTCHAs:

1. Find links to a handful of free thumbnail galleries
2. Set up a webpage with links to said galleries
3. Make every outgoing link require filling in a CAPTCHA

When your page gets a hit, you pull down the CAPTCHA image (or whatever) from the target site, and serve it up to the masturbator. He/she (using left hand only) types the answer to the CAPTCHA, and gets free porn. You relay the answer to the target site, and get your account on. SPAM ahoy!

Re:Unstoppable captcha-buster (2, Insightful)

Baricom (763970) | more than 8 years ago | (#15090186)

I've wondered what would happen if you distorted the CAPTCHA using a site's name or URL instead of a random background. Do you think at least some people would hesitate a moment if you went to some random porn site and had to type a CAPTCHA with watermarked in the background?

by the users, for the users (3, Interesting)

McCarrum (446375) | more than 8 years ago | (#15088321)

i won't echo the above (kittens and altering html templates to make a more unique code process - both well worth it) but i say that on one site i used to run, we allowed anyone with 1000 posts, all members of a screening club .. and every new user had to have their posts screened before being posted .. once an account got to 10 non-spam posts, their group changed to allow normal postings.

i do recommend you use your community to help your community .. and odds are, they'll help as well

attack your site (3, Interesting)

kebes (861706) | more than 8 years ago | (#15088326)

I'm certainly no expert in such things, but here are some suggestions. The idea, of course, is to make life difficult for the spam-bot (or the spam-bot writer I suppose) without making life hell for your users. You seem to already be using a CAPTCHA, but you could switch to a different one. Every time you switch, the bot-writer has to update his code. This is annoying for him but is no big deal for your users, since they are humans and can pass whatever simple visual test you give them. You might also consider making small changes to the HTML of those "make new account" pages. It's likely that that bot is making many assumptions about how your page is organized. Changing the names of forms (or having random names), or changing subtle things about the layout (things that a human wouldn't even notice, but which would break an HTML parsing program that was expecting your page to be organized in a certain way) are also good ways to slow down the bots. Make the HTML obfuscated. Include bogus hidden forms, for instance.

Perhaps the best way to fix your site is to attack it yourself. Try to write a simple bot that automates the login process, and see what happens. You may suddenly notice a subtle hole in your security (maybe the filename for the captcha gives away what it is... or maybe after a successful verification, the same cookie can be used to create another account... or something). In the process of attacking your own site you may uncover something you've missed before.

Re:attack your site (1)

TubeSteak (669689) | more than 8 years ago | (#15088847)

You seem to already be using a CAPTCHA, but you could switch to a different one. Every time you switch, the bot-writer has to update his code. This is annoying for him...
I'd doubt it. Newer OCR engines are quite flexible.

At worst, they might have to make up a new profile to process your captcha. Though, I'll admit, some are really tough, even for humans to decode.

Some people don't realize that a simple "type in the black letters on white background" isn't going to cut it anymore.

I had a similar problem with phpbb2 (1)

PIPBoy3000 (619296) | more than 8 years ago | (#15088333)

I host a phpbb2 bulletinboard to help coordinate a team of amateur game developers. It's not linked anywhere, nor is it installed in the default directory. Still, one of these spam bots managed to find it and within a week had 50+ registrations of people with bogus web addresses.

My solution was to implement the visual check that everyone's talking about. I still get some registrations, but much fewer. What's crazy is that by default, these users can't do hardly anything. Unfortunately creating spam is basically free on a per-bulletin board basis.

I'm tempted to post some of them, just so they can feel the mighty power of Slashdot, but my account would probably be banned for life as I bet many of these sites have malware all over 'em.

Good moderators help... (1)

SmoothTom (455688) | more than 8 years ago | (#15088353)

...but those moderators burn out pretty damned quickly under the load that a concentrated attack can bring - every damned day.

The most recent batch to hit the site where I'm one of the mods, often use a * e-mail address and eight to ten character random character strings as the registered name.

Most of those we are getting link to sites like the following:
http://internet-casino-gambling-online.snow-send.c om/

Be nice to be able to nuke 'em from orbit...


Re:Good moderators help... (0)

Anonymous Coward | more than 8 years ago | (#15088512)

You're an idiot or an asshole.

Re:Good moderators help... (1)

alienw (585907) | more than 8 years ago | (#15088540)

Why don't you just implement an auto-ban filter? Attempt to post a URL with 'xanax' or 'casino gambling' in it, and you get your IP permanently banned.

Re:Good moderators help... (1)

SmoothTom (455688) | more than 8 years ago | (#15088851)

A part of the problem is that each linked-to URL is DIFFERENT and each posting IP is DIFFERENT.

We ARE banning IDs and IPs, which MAY explain why there are no repeat posts from them, but there seems to be a virtually unlimited number of IPs, from around the world (UK, US, Poland, Japan, Germany, France, etc.), that these turkeys hit from.

Re:Good moderators help... (1)

alienw (585907) | more than 8 years ago | (#15089104)

Yeah, they are probably using hijacked PCs. I'm just saying that you could ban giveaway addresses. For example, I really doubt any legitimate user will be posting URLs with 'xanax' in them. Of course, the spammers could also get smarter.

Maybe you should set up SpamAssassin to filter forum posts. After all, it does a pretty good job of detecting spammy keywords and such. Sort of like Slashdot's filters.

Another possibility is to put in a probation period. Let's say, if you have been registered for less than a week, you cannot post URLs or use HTML in your forum posts. This is a minimal annoyance to legitimate users, but stops spammers dead in their tracks.

Re:Good moderators help... (1)

ocelotbob (173602) | more than 8 years ago | (#15088617)

Problem there is that most of the domains used are only used for a few days, a week or two at most. After that, the malicious user moves on to the next throwaway domain name. Blog spam is all about getting one's pagerank high, so that someone looking for terms like xanax, or texas hold-em, will see the spammer's site above more legitimate sites. If you have mod_security installed, you may want to try the comment spam blacklist [] as a starting point. I recommend only using entries that are a couple months old, after that, spammers just don't use those domains.

Re:Good moderators help... (1)

CastrTroy (595695) | more than 8 years ago | (#15088673)

Blog spam is just about page ranks. There's bots scouring the net for anything that looks like a blog or Bulletin Board and posting tons of crap. I started getting a lot of blog spam on my site a couple of months ago. Thing is, links couldn't even be posted. There was a bunch of URLs, but none of them had links in them, because I don't allow any kind of HTML in the posts specifically for this reason. The thing that annoyed me the most was how ugly these things make the site look. Anyway, I implemented a bunch of rules, and haven't had much of a problem since. I think google should fix their pagerank system so that the spammers don't get anything out of spamming.

Re:Good moderators help... (2, Informative)

drspliff (652992) | more than 8 years ago | (#15088998)

Google, Yahoo and MSN have already done this. Simply insert 'rel="nofollow"' into all the tags that people post in the comments, and although they still show up it makes it pointless for those spammers trying to increase their PageRank.

I know this won't help with the unsightly comments on your website, but since this is the slashdot crowd just flag all the comments with URLs in them as 'hidden' and on a daily/whenever basis go through them deleting spam and unhiding legitimate comments. Stick this all in a central control panel and it's unlikely to take up more than 10 minutes of your time.

In addition to that, just stop any client with a useragent string that contains a URL or one of the known spambot names. [] - A quick implementation of a bot-trap, which bans bots which don't follow your robots.txt directions.

Re:Good moderators help... (2, Informative)

Baricom (763970) | more than 8 years ago | (#15090192)

Stick this all in a central control panel and it's unlikely to take up more than 10 minutes of your time.

I basically gave up on blogging because I had to sort through 500 spam comments a day. I know another blogger who had to clean 7,000 (yes, thousand) spams out of his blog every day.

It took both of us longer than 10 minutes.

A couple thoughts. (1)

ThomasHoward (925022) | more than 8 years ago | (#15088427)

First of all, check the user agents of the users/bots doing it, although this should be fairly obvious to check for and change, but it's worth a look anyway. Another idea is to prevent all new users from posting links for a week or so, or even anything that looks like a link, like anything that contains "http://", "www", "w w w", and such like, anything that you can block that won't restrict normal conversation on the forums too much. Although, I suppose it's possible that they may then turn to using gibberish, like the gibberish encountered in spam.
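A sketch of the probation rule suggested in this comment and in alienw's earlier one: accounts younger than a week may not post anything that looks like a link, including spaced-out forms such as "w w w". This is an added example, not code from the thread; the function names, the seven-day window, the TLD list and the choice to hold a post for review are assumptions.

```python
import re
from datetime import datetime, timedelta

PROBATION = timedelta(days=7)  # assumed window; the comments say "a week or so"

# Rules run against the lower-cased post text. Rule names are illustrative.
LINK_RULES = [
    # "http://" or "https://", also when letters are spaced out
    ("scheme", re.compile(r"h\s*t\s*t\s*p\s*s?\s*:\s*/\s*/")),
    # "www" as its own token, written together or as "w w w"
    ("www", re.compile(r"\bw\s*w\s*w\b")),
    # bare host names under a few common TLDs (list is an assumption)
    ("bare-domain", re.compile(r"\b[a-z0-9-]+\.(?:com|net|org|info)\b")),
    # HTML anchors and BBCode url tags
    ("markup", re.compile(r"<a\s|\[url")),
]


def find_links(text):
    """Return the names of every link rule the text trips, in rule order."""
    lowered = text.lower()
    return [name for name, rule in LINK_RULES if rule.search(lowered)]


def screen_post(registered_at, posted_at, text):
    """Return (decision, reasons).

    "hold" means the post is queued for a moderator instead of published;
    accounts past probation are accepted even if they post links.
    """
    reasons = find_links(text)
    on_probation = posted_at - registered_at < PROBATION
    if on_probation and reasons:
        return "hold", reasons
    return "accept", reasons


if __name__ == "__main__":
    now = datetime(2006, 4, 10, 12, 0)
    # Constructed sample posts: (account age in days, text)
    samples = [
        (2, "Check out w w w . cheap-pills . example for deals"),
        (2, "Has anyone tried the new widget firmware? It fixed my problem."),
        (2, "Awww, I saw WWII footage. Great."),
        (30, "The FAQ is at http://example.org/faq"),
    ]
    for age, text in samples:
        print(screen_post(now - timedelta(days=age), now, text), "<-", text)
```
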

radical measure (2, Interesting)

dario_moreno (263767) | more than 8 years ago | (#15088457)

I saw a forum which required that you post a (non-'shopped) picture of yourself holding a 45 rpm record of the artist the forum was about before getting an signal/noise ratio I ever saw with rec.guns, which seems to be moderated by gods because of the very high flame and spam potential!

Solution (0)

Anonymous Coward | more than 8 years ago | (#15088538)

Easy way of fixing the problem:
Install mod_security [] for Apache. Install the current development version (2.0.0-dev1) and use DNSBl with mod_security to block most of those spam-bots. Go to got root? [] and download their rule set and include it into your mod_security configuration.

That's it! This gives you a good tool set to fight the spam bots. I was able with the above mentioned setup to block ALL spam bots and all the annoying linkdumper bots, without any problems.

Check your captchas (1)

91degrees (207121) | more than 8 years ago | (#15088591)

Some of these are glitchy, and the code can be obtained from hidden form values or the image URL.
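The two failure modes raised here and in kebes' "attack your site" comment (the code readable from a hidden field or the image URL, and a solved challenge being reusable) can be checked against your own form. The following is an added example, not code from the thread or from any CAPTCHA package; the class, field names, URLs and the weak form are constructed for illustration.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alikes such as 0/O or 1/I


class ChallengeStore:
    """Server-side CAPTCHA state: the client only ever sees a random id."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # challenge id -> (answer, expiry timestamp)

    def issue(self):
        """Create a challenge; the answer goes to the image renderer only."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, self._clock() + self._ttl)
        return cid, answer

    def verify(self, cid, submitted):
        """Check one attempt. The challenge is consumed whether or not it
        succeeds, so it cannot be replayed or guessed at repeatedly."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        answer, expiry = entry
        if self._clock() > expiry:
            return False
        typed = submitted.strip().upper().encode()
        return hmac.compare_digest(answer.encode(), typed)


def render_form(cid):
    """Registration form that refers to the challenge by id only."""
    return (
        '<form method="post" action="/register">'
        f'<img src="/captcha.png?id={cid}" alt="verification image">'
        f'<input type="hidden" name="challenge" value="{cid}">'
        '<input type="text" name="typed" autocomplete="off">'
        "</form>"
    )


# Constructed example of the glitchy pattern: the code appears both in the
# image file name and in a hidden field.
WEAK_FORM = (
    '<form method="post" action="/register">'
    '<img src="/captcha/K7P2QX.png" alt="verification image">'
    '<input type="hidden" name="code" value="K7P2QX">'
    '<input type="text" name="typed"></form>'
)


def leaks_answer(html, answer):
    """Audit helper: does the served markup contain the expected answer?"""
    return answer.lower() in html.lower()


if __name__ == "__main__":
    store = ChallengeStore()
    cid, answer = store.issue()
    print("hardened form leaks:", leaks_answer(render_form(cid), answer))
    print("weak form leaks:    ", leaks_answer(WEAK_FORM, "K7P2QX"))
    print("first attempt:", store.verify(cid, answer))
    print("replay:       ", store.verify(cid, answer))
```
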

How about using referrer logs to filter them out? (1)

rubberbando (784342) | more than 8 years ago | (#15088748)

Block recurring IP addresses used by spammers, non browser programs (yes bots do tend to identify themselves in access logs), and those who seemed to have directly accessed (bookmarked perhaps) the post page from nowhere.

Won't help (1)

68kmac (471061) | more than 8 years ago | (#15090241)

IP addresses: The big boys use open proxies all over the world. You'll often get spam which is clearly from the same source but comes from IP addresses all over the place.

User agent strings: Again, the big boys use proper user agents so that they look like regular browsers.

Referrers: Those are unreliable even with human visitors, as proxies (as e.g. used by companies) often filter those out. By relying on referrers you'll block a good portion of your regular visitors.

Having said that, there are tools like Bad Behavior [] which take a closer look at the HTTP requests, checking for non-conforming HTTP requests and typical indications of spam bots that do work quite well most of the time.

Cheep medz (4, Funny)

fm6 (162816) | more than 8 years ago | (#15088790)

My advice involves Porn (1)

TubeSteak (669689) | more than 8 years ago | (#15088853)

Go ask the porn webmasters which CAPTCHAS work and which don't.

A better idea is to ask the people who spend their time brute forcing porn sites. They'll know what is undefeatable and what isn't, where the webmaster may only be worried about limiting the damage instead of preventing it outright.

how to get around captchas (0)

Anonymous Coward | more than 8 years ago | (#15088930)

(well, how i *used* to do it)

1) set up some cheapo site (keygens, torrents, whatever)
2) have captchas for every torrent; use the images from your target
3) ...
4) Accounts!

Bots may be using humans (1)

grantdh (72401) | more than 8 years ago | (#15089180)

You know, it's possible the spam-bots are using human-based systems to bypass your "computer can't recognise it" authentication method. Here's two ways:

1. Spammer farms out registration to third world sweatshops - for US$1 per day, a person just sits there and fills in registrations then passes them on to the bot system to use.

2. Spammer's system redirects your challenge to a "Free Porn Sign Up" page - now nudie hungry humans are filling it in so they can see free naughties.

Either way is not impossible to figure out and implement - the former costs a small amount to run but could churn out heaps of applications. The latter would produce as many registrations as there are people hanging for "Free Porn" (a rather large number, no? :)

Me thinks a previous poster's comment about throwing in random questions based on the forum topic/theme/etc would help in either of these situations, no?

I've got the answer. (1)

delusrexpert (578176) | more than 8 years ago | (#15089191)

But I'm never taken seriously see this [] . What I can say it's got nothing to do with images, questionnaires, javascript, java, active x, ajax etc. But I took a different approach being an ex email, forum, blog spammer and needing to create tens of thousands of accounts per day. I know how to get around CAPTCHA devices using OCR techniques etc and I have thoroughly tested my code and it works. I need help to protect my Idea and I would have expected at least someone from one of the bigger companies to at least contact me. My system is section 508 friendly and is transparent to the end user. I'm not asking for any cash to be sent to me just legal advice and any copyright/Patent cost to be covered for this I would be offering a percentage of Royalties and with the number of sites requiring such a system it would be a very lucrative business venture. So if someone signs my disclosure I will explain how it works and show examples in exchange for information and the cost involved in copyrighting-patenting this software worldwide. My email is delusrexpert(i already get)@(heaps of spam) With companies like Google, Yahoo, Hotmail, Lycos using Captcha I thought they would have contacted me straight away. Note my system is totally transparent as stated above to the end user (unless they look at the html source code which really shows nothing unusual) and all processing is carried out on the server side I have also created an ASP model so I can deliver forms from my server that can be placed in third party websites as to keep all the IP inhouse. I expect a number of numb nuts to flame me but I have it and you don't, ignorance is bliss.

What's worked for me: easy damage control. (2, Informative)

WoTG (610710) | more than 8 years ago | (#15089258)

I run a quiet phpBB for forum support of some websites of mine. For the last few months SPAM has outnumbered real posts by a large margin. I tried a CAPTCHA module (I think it was the built in one) and it did next to nothing - they aren't programs, the posts are from humans who have (low paying) jobs to post links on message boards.

I had reasonable success by limiting posts to people who have verified their email address -- I think that that was also a feature of a recent phpBB update.

But the spam still outnumbered posts, so in the last two weeks I've added these two phpBB mods:

  • [] - this mod checks each registration IP address against the DNS blacklists. I think that it improved the situation, but it didn't stop the problem outright, and I still had to clean up the board once in a while.
  • [] - this mod gives a really easy way to delete a user and all of their posts at once. It's not a fix, but it's turned out to be the best solution. It only takes a few seconds to undo the damage from any one individual, no matter how many spam posts that they have made. A person could spend 20 minutes registering and posting 20 messages and I have to spend 20 seconds nuking the account and all its posts. It's a fair trade, and I get some small satisfaction in that!

mod_security (2, Informative)

fthiess (669981) | more than 8 years ago | (#15089649)

I've had quite good luck by using Apache mod_security ( to filter web activity. Yes, all the suggestions people have been giving about CAPTCHAs, blocking people with addresses in high spam domains, etc., are all good and useful, but mod_security lets you cover a base those approaches are missing: it lets you block spammers from posting spam, even if they somehow manage to get through your registration defenses. I use a mod_security ruleset based on one published at y+rules [] which watches POST content for URLs and terms commonly used in spam postings, and blocks them--in addition to rules that are more traditional for mod_security, such as blocking phpBB exploits--which I've also found it to be invaluable for. I administer several forums and wikis that were having quite bad problems, even with CAPTCHAs, email verification, and so on. . . but the problems pretty much went away once I pulled mod_security into the battle.

Solution without Captchas (1)

Frozen Void (831218) | more than 8 years ago | (#15090212)

Spam in forums should be dealt
as Email spam. Delete by filters.

Add spam to text filters sets to reduce all future spam posts to blanks.
Sure, it's hard and time-consuming plus it
gets its share of CPU power but
it's most user-friendly.
No CAPTCHAs: just text filtering.

All spam forms can be catalogued and string added to blocklists.
i.e. If you post something
  (question marks indicate any letter)
Containing string "Am?z?ng op?or?un?ty"=
you get banned for a week.
Or if you post "ch?ap Vi?gra substitut?", it gets text filtered to blank/_____ (underscore, to check with search and mass delete/scripted removal).

Now,if the user persists you can ipblock him(after 4 posts in minute,ipblock for week ) etc.

as for KittenAuth if successful will lead to sweatshops of Chinese kids furiously clicking on kittens(Click the kitten with a hat to submit!) to post spam(which is authorized if poster human).
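The wildcard blocklist from the comment above, as an added example that is not code from the thread. The two patterns and their actions (ban, blank to underscores) are the ones quoted in the comment; the function names are assumptions, and `?` is generalised here from "any letter" to any single non-space character so digit and symbol substitutions are caught too.

```python
import re


def compile_wildcard(pattern):
    """Translate a blocklist string such as 'Am?z?ng op?or?un?ty' to a regex.

    '?' matches one non-space character, a run of spaces in the pattern
    matches any run of whitespace, and everything else is literal and
    case-insensitive. The match must start at the beginning of a word.
    """
    parts = []
    for token in re.split(r"(\?|\s+)", pattern):
        if token == "?":
            parts.append(r"\S")
        elif token.isspace():
            parts.append(r"\s+")
        elif token:
            parts.append(re.escape(token))
    return re.compile(r"(?<!\w)" + "".join(parts), re.IGNORECASE)


# (pattern, action) pairs taken from the comment.
RULES = [
    (compile_wildcard("Am?z?ng op?or?un?ty"), "ban"),
    (compile_wildcard("ch?ap Vi?gra substitut?"), "blank"),
]


def apply_filters(text, rules=RULES):
    """Return (filtered_text, actions).

    'blank' replaces each match with underscores of the same length, which
    keeps the post searchable for later mass deletion; 'ban' leaves the text
    alone and only reports that the poster should be banned.
    """
    actions = set()
    for regex, action in rules:
        if action == "blank":
            text, count = regex.subn(lambda m: "_" * len(m.group()), text)
            if count:
                actions.add(action)
        elif regex.search(text):
            actions.add(action)
    return text, sorted(actions)


if __name__ == "__main__":
    # Constructed sample posts.
    for post in (
        "Get ch3ap  Viagra substitute now",
        "AMAZING OPPORTUNITY awaits",
        "What an amazing forum",
    ):
        print(apply_filters(post))
```
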

in tandem (1)

chivo243 (808298) | more than 8 years ago | (#15090443)

Use something like: reply e-mail activation and plain text only for n00bs. Then moderator review to get past n00b. One forum I joined, briefly, I as a n00b couldn't use post in html, upload avatar or use smilies (like I cared about that)

PunBB is a good forum (1)

VGfort (963346) | more than 8 years ago | (#15090772)

If you don't want to use phpBB, PunBB is great. It's much easier to make themes for since it's XHTML 1.0 strict compliant, so most of the changes you can make are done with just the CSS.

Although a good idea that I've seen on a forum once was that any new users can't make a new topic until they make at least 2 replies first. Most bots are set up to make new topics and not replies. Although I guess they could change that. I've even seen one forum that makes you wait 48hrs before you can ever post.

Another idea is to make all links use the rel=nofollow, so search engines won't follow the link. I doubt the bots check for that but that's really what they are after.