Joined: May 25, 2003 Posts: 4752 Location: Santa Barbara, CA
Posted: Sun Jul 01, 2007 2:51 pm Post subject: Anonymous forum posting (unregistered users)
Well, the arithmetic system was in place for a year before spambots started to punch messages through. I really do believe in leaving the ability for guest posting as it's the easiest way to allow most people to ask questions or interact. However, it is our responsibility to filter out as much porn and other trash from our forums and RSS feeds. To continue to allow anonymous posting, we've upgraded the mechanism that tries to foil anonymous spambots.
The new anonymous posting mechanism is a captcha mechanism that should be familiar for people. Each time an anonymous guest tries to submit a post, a "Security Code" image will appear at the bottom of the post. In order to make a post, the text field below must be filled out with the visible code prior to clicking "Submit".
No posts can be made without the correct code being entered.
This is the same mechanism used for processing user logins here, so hopefully it should be evident. Please report any captcha problems here (if it's broken, you may need to register first, however).
Joined: May 25, 2003 Posts: 4752 Location: Santa Barbara, CA
Posted: Sun Jul 01, 2007 3:19 pm Post subject:
Note:
As of right now guest posting has again been disabled. After the captcha was enabled and guest posting re-enabled, porn spam again started to appear.
Guest posting has again been disabled as this is the only known way right now to combat the spam attack. Most likely it is a phpbb SQL injection, but we don't have the resources to research and address this system vulnerability.
If anyone sees notice of this phpbb vuln. please forward it along so we can patch our system and re-enable guest posting with the captcha.
Keeping totally inappropriate spam out of our RSS feeds and forums is much more important than guest posting.
Joined: Jun 20, 2006 Posts: 2051 Location: Midwest, USA
Posted: Sun Jul 01, 2007 4:12 pm Post subject:
Thanks for working on this, Ed. I saw one whole slew of the spam posts last night, and the subject lines were quite offensive. I knew they'd be cleared quickly, though.
I'm sorry to see guest posting go, even though I don't use it unless I'm away from home and have forgotten my password, but I have to agree that keeping the spam attacks at bay is more important.
Joined: May 25, 2003 Posts: 4752 Location: Santa Barbara, CA
Posted: Mon Jul 02, 2007 10:01 pm Post subject:
OK, more potential injections removed and some other options added. The captcha and additional code seem to not break the test system, so I'm adding the new code here and re-enabling guest posting. Hopefully this will keep the not-so-friendly spambot from having its fun.
I'll keep monitoring the fora, if the spam reappears then guest posting will be turned off again.
Joined: Jun 20, 2006 Posts: 2051 Location: Midwest, USA
Posted: Tue Jul 03, 2007 5:59 am Post subject:
I don't know if this is related or not, but trinity is no longer tracking unread posts for me. All the little icons are white, even though there are posts I haven't read yet. And the "View posts since last visit" link results in a "there are no posts matching your query" message.
I don't know if this is related or not, but trinity is no longer tracking unread posts for me. All the little icons are white, even though there are posts I haven't read yet. And the "View posts since last visit" link results in a "there are no posts matching your query" message.
I just logged in this morning and saw the orange icons for my unread forums as well as unread topics in those forums.
What you are probably seeing is a known, yet infrequent, bug in the PHPNuke software that we use. Every once in a while I see this same thing happen to me and it usually is when I have two concurrent login sessions (like after my browser has crashed and I relogin).
I'll keep monitoring the fora, if the spam reappears then guest posting will be turned off again.
5 IPs have already posted in the last 6 hours so seems to me they found a hole in PHPNuke.
Since spending all day deleting spam posts, editing the web server's httpd.conf file, and restarting it is a real PITA, I've turned off anonymous posting in all forums.
Joined: May 25, 2003 Posts: 4752 Location: Santa Barbara, CA
Posted: Tue Jul 03, 2007 7:12 pm Post subject:
It's a shame, but it looks as if guest posting will need to remain off. My last try was about as good as it could possibly get; I even removed potential holes that might have existed in the latest shipping version of phpbb. Without knowing what the spambots are using as an attack vector for the guest forum postings I'm pretty much dead in the water. Who knows; it may even be a coordinated physical spam attack.
If anyone sees any news on this latest round of spambots cropping up anywhere, please post a link here. I scanned the regular places but didn't see anything myself.
Please don't be surprised if we need to enable arithmetic verify + captcha for registered users in the future; I totally expect spammers to start making bots more clever.