Spambots attacking my forum, need information on building a more secure system.
Offline kpars
« Posted 2013-09-03 15:18:46 »

Welp, rather than making a gigantic explanation, here's what's basically happening:

Earlier this week I learned that Kemoy translates into "garbage" in Japanese, so I found a bunch of annoying little bots roaming around the forums.
Any help on creating a more secure system? I'm trying to avoid activation quizzes as much as possible, but if I have to do so, then I will. And yes, I am using SMF.

"Living is easy with eyes closed, misunderstanding all you see. It's getting hard to be someone, but it all works out." ¤¤ Kemoy Labs: http://www.kemoy.net/
Offline RobinB
« Reply #1 - Posted 2013-09-03 22:28:36 »

Make a unique register form.
Since java-gaming is popular, an activation quiz is the last resort against these bots.
With some unknown site, you could make the register form as easy as "type the following word in the textbox" to stop these bots.
Offline Several Kilo-Bytes
« Reply #2 - Posted 2013-09-03 22:42:20 »

From most effective to least effective:
1. Tell Google not to index your site (Easiest. Incredibly, incredibly effective)
2. Manually activate each account and put them in different moderation groups if suspicious. (Very effective)
3. Change your registration page name and make sure things like copyright notices won't appear in search engines.
4. Use a topic specific quiz. (Second easiest)
5. Make website and signature inputs on registration hidden. Ban anyone that POSTs something for those inputs. (A honey pot)
6. Refer to Stop Forum Spam.
7. Use nofollow links.
8. CAPTCHA (including generic quizzes)

Number 2 or 3 combined with another technique is much better than just 2 or 3.
Offline kpars
« Reply #3 - Posted 2013-09-03 22:44:41 »

Alright, I've turned off search engine indexing, and I've also turned on e-mail activation.

I forgot how god-awful the SMF defaults were.

Offline netikan
« Reply #4 - Posted 2013-09-04 00:22:32 »

There are also useful plugins that block logins/posts/registrations from users without user agents, referer headers, proxy IPs and a few other obvious spam-bot differences.

But remember, nothing will stop someone legitimately signing up on your site, to then use an auto-posting spambot.
Even if you include CAPTCHAs, you can't stop everything.

Check out my project Land of Zom - Multiplatform Zombie MMO/RPG!
Soon to be at Eurogamer 2013.
Offline Several Kilo-Bytes
« Reply #5 - Posted 2013-09-04 02:22:12 »

Generally it is better to reduce the value of spam on your site and put in a few obstacles to trip dumb spam bots than to try to profile bots. Anything you profile can be masked, even in the most extreme case by running your bot in a real browser or using a real person. No matter how good the profiling is, people will still find a way to spam your site if the benefits outweigh the cost. Since spamming can be highly distributed (to the point of using zombie computers), you can still get frequent spam even if you slow down individual users. You also run the risk of cutting out legitimate users with profiling. (Referral headers can be shut off in standard browsers, there are good reasons to use proxies, and you could have users using a client you do not recognize.) If you have other methods to regulate spam, then it is more likely that adding profiling will end up blocking Richard Stallman from your site than an extra spammer.

Human registration with automated posting is not much of a problem. Someone has to look at your site and judge that it is worth spamming first, which it probably won't be if it takes work to register and it seems well moderated, since spam can be removed in bulk when you have user ids to match it.

Honeypotting is the only profiling method that can be made reliable for automatic banning, since certain actions won't give you a false positive. (Someone POSTing to login.php instead of signin.html - Someone visiting a forbidden directory only listed in robots.txt - Someone filling in fields that don't exist - etc.)
Offline kpars
« Reply #6 - Posted 2013-09-04 02:57:44 »

Adding an e-mail confirmation helped a ton. Thanks a lot guys!

Offline gimbal
« Reply #7 - Posted 2013-09-04 13:38:16 »

Honeypotting is the only profiling method that can be made reliable for automatic banning, since certain actions won't give you a false positive.

It's a trap!

Didn't know that term. Highly interesting technique, thanks for making me aware of it.
Offline SwampChicken
« Reply #8 - Posted 2013-09-06 05:18:12 »
5. Make website and signature inputs on registration hidden. Ban anyone that POSTs something

I don't understand this point.

Also, your usage of the term 'honeypot' seems a little different to mine. A honeypot (for me) is something masquerading as a normal server/site but is actually a facade for the owner(s) to monitor/follow/log user activity... kinda like watching lab rats in a maze. I don't see how this applies to securing forum software?
Offline Several Kilo-Bytes
« Reply #9 - Posted 2013-09-06 06:01:28 »

The goal of a honeypot is to profile connections with low false positive rates by catching someone in the act. Observation beyond that is of diminishing utility unless you use it as a source for a classification algorithm. The goal is to put your honeypot and service on the same site and ban bots caught by it.

If I have a PHPBB forum and I see clients submitting requests to index.php?action=register I know it came from an automated source. And if I see requests to ucp.php?mode=register when I use SMF I also know I have an automated attack. If I create a page called ucp.php for the sole purpose of detecting forum spam bots on a SMF site and generate temporary bans of those IP addresses, then that is a honeypot on a server which also contains a real service. You might also create a honeypot by telling robots to avoid a certain directory and logging IPs of clients deliberately disobeying robots.txt, or by giving spam bots a spot to include a URL (for their user profile) that will never be seen by people and logging attempts to jump the gun to post links on your site.

Since spam comes from two sources (automated drive-by attacks which involve dumb robots and targeted attacks that involve human judgement) you need something to protect you from the dumb robots and something to signal your site is not worth the effort. Dumb robots use profile URLs as part of their strategy because it gets their URL on your page without them needing to trick spam filters that look at links in posts. If your site does not have a website profile field or you change its name and a robot posts with the old parameter name anyway, you know it was a bot and can ban it at the time of registration. The honeypot is a single profile field that bots POST to by default even though you may still provide legitimate users a different way to designate their website.
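As an added example (not code from this thread, from SMF or from any plugin), the three honeypot signals Several Kilo-Bytes describes in Reply #5 and Reply #9, written as a small Python classifier run over constructed request records: a POST to the phpBB registration script that does not exist on an SMF site, a value in a hidden profile field real users never see, and a hit on a directory advertised only in robots.txt. The decoy path, the hidden field names, the trap directory and the request-record layout are all assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Assumed honeypot configuration for a forum that really runs SMF.
DECOY_PATHS = {"/ucp.php"}                    # phpBB's registration script; a decoy here
HONEYPOT_FIELDS = {"website", "signature"}    # hidden registration inputs nobody should fill
ROBOTS_TRAP_PREFIX = "/hidden-area/"          # hypothetical dir listed only as Disallow in robots.txt

# Constructed sample traffic (not real logs): one record per request.
SAMPLE_REQUESTS = [
    {"ts": 1000, "ip": "203.0.113.5", "method": "POST",
     "target": "/ucp.php?mode=register", "form": {"username": "cheap-pills"}},
    {"ts": 1005, "ip": "203.0.113.9", "method": "POST",
     "target": "/index.php?action=register2",
     "form": {"user": "bob", "website": "http://spam.example/"}},
    {"ts": 1010, "ip": "198.51.100.7", "method": "GET",
     "target": "/hidden-area/", "form": {}},
    {"ts": 1020, "ip": "192.0.2.44", "method": "POST",
     "target": "/index.php?action=register2",
     "form": {"user": "alice", "website": ""}},      # hidden field left empty: human
    {"ts": 1030, "ip": "192.0.2.44", "method": "GET",
     "target": "/index.php?board=1", "form": {}},
]


def honeypot_reason(req):
    """Return the name of the honeypot rule a request trips, or None.

    Each rule is an action a legitimate visitor has no way to perform, which is
    why a match can drive an automatic ban without a false-positive problem.
    """
    parsed = urlparse(req["target"])
    query = parse_qs(parsed.query)
    if req["method"] == "POST" and parsed.path in DECOY_PATHS \
            and query.get("mode") == ["register"]:
        return "decoy-register"
    if req["method"] == "POST" and any(req.get("form", {}).get(f) for f in HONEYPOT_FIELDS):
        return "hidden-field"
    if parsed.path.startswith(ROBOTS_TRAP_PREFIX):
        return "robots-trap"
    return None


def ban_list(requests, ban_seconds=3600):
    """Map each tripping IP to (reason, expiry timestamp) for a temporary ban."""
    bans = {}
    for req in requests:
        reason = honeypot_reason(req)
        if reason:
            bans[req["ip"]] = (reason, req["ts"] + ban_seconds)
    return bans


def is_banned(bans, ip, now):
    """True while a temporary ban for this IP has not yet expired."""
    entry = bans.get(ip)
    return entry is not None and now < entry[1]
```

In a real deployment the decoy script and the hidden inputs would be served by the forum itself, and the ban map would be persisted and checked on every request.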