Patrick, you're leaking SQL statements


By Dan8267   Fri, 26 Oct 2012, 4:34pm   1,437 views   23 comments
In Boca Raton FL 33433   Like   Dislike (1)

@Patrick

Today the site started sending back the SQL the server is executing after posting replies to messages. Here's a snippet. Looks like your log file.

1 0.56290626525879 select self_ID, friend from relationships where other_ID = '8267'
2 0.59986114501953 select other_ID, friend, ignorr from relationships where self_ID = '8267'
3 0.86808204650879 insert into postviews (user_ID, post_ID, want_email) values (8267, 1217988, 0) on duplicate key update want_email=0
4 0.94485282897949 update comments set comment_date=now() where comment_ID=889784
5 0.97990036010742 update threads set latest_comment_excerpt='Dan8267 says CaptainShuddup says And I\'m sure there\'s sound scientific reasoning behind... \"There\'s also been studies showing that religious tendencies are genetic.\" If I bother to do the Google search and prove you wrong yet again, will you be man enough to' where post_ID=1217988


  1. Patrick

    5,188 threads
    6,158 comments
    46 male
    Menlo Park, CA

    1   4:43pm Fri 26 Oct 2012   Like   Dislike

    Thanks for telling me!

    I was trying to reduce the total number of SQL calls and accidentally pushed test code to the server.

    Should have just been for a minute or two at most.

  2. Dan8267

    764 threads
    7,710 comments
    Boca Raton, FL
    Premium

    2   4:46pm Fri 26 Oct 2012   Like   Dislike (1)

    Is the username "Bob';drop table threads" still available?

  3. Patrick

    3   4:48pm Fri 26 Oct 2012   Like   Dislike

    Hopefully I've got things clean enough that that could actually be a username and wouldn't hurt anything.

    But just in case I think I'll re-check...
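Patrick's "clean enough" check, as an added example that is not patrick.net's code: the thread's proposed username is run through a parameterised insert and lookup, next to the string-pasting pattern that would have let it alter the statement. SQLite, the in-memory schema and the `users`/`threads` column names (borrowed from the leaked log) are assumptions.

```python
import sqlite3

# The username proposed in the thread, used here as the test input.
JOKE_USERNAME = "Bob';drop table threads"


def fresh_db():
    """In-memory SQLite schema; table and column names are borrowed from the
    leaked log, the rest is constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table users (user_ID integer primary key, name text unique);"
        "create table threads (post_ID integer primary key, title text);"
        "insert into threads (title) values ('leaking SQL statements');"
    )
    return conn


def unsafe_insert_sql(name):
    """The vulnerable pattern: the caller's string is pasted into the SQL text.
    Returned as text only, to show what the database would be handed; the quote
    inside the name closes the literal early and the rest is read as SQL."""
    return f"insert into users (name) values ('{name}')"


def username_available(conn, name):
    """Parameterised lookup: the name is bound as a value, never parsed as SQL."""
    row = conn.execute("select count(*) from users where name = ?", (name,)).fetchone()
    return row[0] == 0


def register(conn, name):
    """Parameterised insert; returns the name exactly as it was stored."""
    conn.execute("insert into users (name) values (?)", (name,))
    return conn.execute("select name from users where name = ?", (name,)).fetchone()[0]


def threads_intact(conn):
    """True while the threads table still exists and still holds its row."""
    return conn.execute("select count(*) from threads").fetchone()[0] == 1
```

The `\'` escaping visible in the leaked log is the older MySQL approach; binding parameters removes the quoting question entirely, which is why the joke username can be stored verbatim.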

  4. Dan8267

    4   4:54pm Fri 26 Oct 2012   Like   Dislike

    I just got this message

    No more than 5 links per comment allowed.

    and I only had http links, all to images. Explicitly putting in the img tag fixed it.

    Strange restriction. I'd rather there be a rule that you had to have at least 5 links every time you post, a sort of requirement for people to back up their assertions.

  5. Patrick

    5   5:04pm Fri 26 Oct 2012   Like   Dislike

    Some spammers post comments with vast numbers of links, so I assumed a limit would be good.

    OK, it's now 10 links per comment.

    Anyway, explicitly putting in the img tag should not have fixed it. That sounds like a bug in itself.
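A link counter that treats bare URLs and URLs inside img/anchor tags the same way, added here as an example and not patrick.net's filter code: scanning the raw comment text, rather than only anchor tags, is what closes the img-tag bypass Dan ran into. The regex, the `.invalid` sample hosts and the two sample comments are constructed.

```python
import re

# Constructed pattern: matches a URL whether it stands alone or is the value of an
# href/src attribute; it stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


def extract_links(comment):
    """Every distinct URL in the comment, bare or inside an <a>/<img> tag.
    Trailing sentence punctuation is dropped and hosts compare case-insensitively,
    so the same link written twice is counted once."""
    seen = {}
    for url in URL_RE.findall(comment):
        url = url.rstrip(TRAILING_PUNCT)
        seen.setdefault(url.lower(), url)
    return list(seen.values())


def link_count(comment):
    return len(extract_links(comment))


def comment_allowed(comment, max_links=10):
    """The per-comment link limit from the thread (5 at first, raised to 10)."""
    return link_count(comment) <= max_links


# Constructed sample comments: six image links as bare URLs, and the same six
# wrapped in img tags. A consistent counter rejects or accepts both together.
BARE = " ".join(f"http://img.example.invalid/pic{i}.jpg" for i in range(6))
TAGGED = " ".join(f'<img src="http://img.example.invalid/pic{i}.jpg">' for i in range(6))
```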

  6. Dan8267

    6   5:10pm Fri 26 Oct 2012   Like   Dislike (1)

    Are spammers registering accounts on patrick.net so they can post spam?

  7. Patrick

    7   5:16pm Fri 26 Oct 2012   Like   Dislike

    Yes, vast numbers. They attempt a new registration a few times a minute.

    Fortunately, they have certain characteristics that let me detect them, such as typically being from Russia, Ukraine, or a few other countries, posting links immediately, and using certain keywords that are easy to block, like drug names or brand names.

  8. Dan8267

    8   5:30pm Fri 26 Oct 2012   Like   Dislike (1)

    Ah, the problem is you're not using captchas when registering new users. You're just using email confirmation. I just registered user "test111" and didn't have to enter a captcha.

    Without such a human-verification challenge, people will write code to automatically register users. It's not worth their time to register a single account by hand. I'd recommend adding a ReCaptcha challenge for registering new users.

    Since a real user only needs to register once, this is hardly an inconvenience. But it kills the automated registering of accounts. Plus it helps digitize books.

  9. Patrick

    9   5:38pm Fri 26 Oct 2012   Like   Dislike (1)

    Something about captchas always bothered me. They seem unfriendly.

    Also, I've heard it's pretty easy to get around them by just making some porn site require the entry of a captcha, which it copies from the site you're trying to get into.

  10. Dan8267

    10   5:45pm Fri 26 Oct 2012   Like   Dislike (1)

    Patrick says

    I've heard it's pretty easy to get around them by just making some porn site require the entry of a captcha, which it copies from the site you're trying to get into.

    lol. Crowdsourcing captchas in exchange for porn. Priceless.

    Well, there is another way. You could make registration computationally intensive, say running a JavaScript function to factor two large primes. It would only take a few seconds on a browser, but automated registers won't want to execute the JavaScript and won't want to spend the time factoring the product.

  11. Patrick

    11   5:55pm Fri 26 Oct 2012   Like   Dislike

    Tell me more. Do you have an example bit of code?

  12. Dan8267

    12   6:07pm Fri 26 Oct 2012   Like   Dislike (1)

    http://arachnoid.com/prime_numbers/index.html

    Basically get a table of large primes from some math site, multiply two or more together to produce a very large number, and run the JavaScript from the above site (after removing the maximum value limitation) and it could take a few seconds to a few minutes of JavaScript execution to get the factors out.

    Use AJAX to send the result back to your server and compare with the original numbers you used in the product. If they match, accept the registration.

    Basically, it's like a captcha, but a machine can do it. No human intervention is required, but it's not worth spending computational time doing to register lots of accounts. At most, a human needs to keep a browser tab or window open for a few minutes while doing this verification. And since this only needs to be done once per legitimate user, it's not that inconvenient.
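The issue-solve-verify loop Dan sketches in his two posts above, as an added example that is neither the post's code nor the arachnoid.com script: Python stands in for both the server and the browser-side JavaScript. The sieve-built prime table, the 600-second expiry, the in-memory challenge store and the single-use tokens are assumptions.

```python
import secrets
import time


def primes_between(lo, hi):
    """Sieve of Eratosthenes; stands in for the 'table of large primes from
    some math site' that the post suggests."""
    sieve = bytearray([1]) * (hi + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(hi ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, hi + 1, i)))
    return [p for p in range(lo, hi + 1) if sieve[p]]


PRIME_TABLE = primes_between(100_000, 110_000)
CHALLENGE_TTL = 600     # seconds a challenge stays valid (constructed)
_outstanding = {}       # server-side store: token -> (product, expiry)


def issue_challenge():
    """Server side: pick two primes, remember their product under a random
    token, and hand only the product to the browser."""
    p, q = secrets.choice(PRIME_TABLE), secrets.choice(PRIME_TABLE)
    token = secrets.token_hex(16)
    _outstanding[token] = (p * q, time.monotonic() + CHALLENGE_TTL)
    return token, p * q


def verify(token, a, b):
    """Server side: accept only if the returned factors multiply to the product
    issued under this token. Tokens are single-use and expire, and the trivial
    1 * n answer is rejected so the client cannot skip the work."""
    entry = _outstanding.pop(token, None)
    if entry is None:
        return False
    product, expires = entry
    if time.monotonic() > expires:
        return False
    return a > 1 and b > 1 and a * b == product


def factor(n):
    """Client side, the work the browser's JavaScript would do: trial division
    up to sqrt(n), at most a few hundred thousand steps for this prime table."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d, n // d
        d += 1
    return None
```

The cost is symmetric: a scripted registrar that does run the JavaScript pays exactly what a browser pays, so the size of the prime table is what sets the per-account delay it must absorb.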

  13. Dan8267

    13   6:28pm Fri 26 Oct 2012   Like (1)   Dislike (1)

    Speaking of spam...

  14. Patrick

    14   10:53am Sat 27 Oct 2012   Like   Dislike

    Dan8267 says

    Basically, it's like a captcha, but a machine can do it. No human intervention is required, but it's not worth spending computational time doing to register lots of accounts. At most, a human needs to keep a browser tab or window open for a few minutes while doing this verification. And since this only needs to be done once per legitimate user, it's not that inconvenient.

    I'd prefer registration to be instant and as convenient as possible for human users, since merely having registration already discourages people a bit from commenting.

    If I could somehow easily charge users one cent to register, that would be perfect. The spammers won't pay even a cent, but most other people wouldn't care.

  15. TechGromit

    85 threads
    969 comments
    44 male
    Egg Harbor City, NJ

    15   7:20pm Sat 27 Oct 2012   Like   Dislike

    I recommend SQL paste. That's how I fix my leaking SQL server issues.

  16. Dan8267

    16   7:28pm Sat 27 Oct 2012   Like   Dislike (1)

    Patrick says

    I'd prefer registration to be instant and as convenient as possible for human users, since merely having registration already discourages people a bit from commenting.

    Well, there is one other way, but it does take away anonymity and requires a mobile phone with SMS messaging. The registering user gives his phone number and your server sends him an SMS with a short numeric code. The user then enters the code on a verification page.

    Of course, that means users have to be willing to share their mobile number with you. Spammers won't do that, but not all humans will want to or be able to either. And they have to trust you to not reveal who they are as their mobile number effectively identifies them.

    Online marketing companies love mobile phones because then they can attach a social security number and everything that goes with that to a user profile.

  17. Dan8267

    17   7:34pm Sat 27 Oct 2012   Like   Dislike (1)

    Also, there is Akismet. It's a $5/month service that provides a Bayesian filter for forum comments based on all comments received from all their customers (around 20 million a day). You send them the text of a comment, and they reply "spam" or "not spam". There are libraries for various platforms including all the major ones.

  18. Melissa

    3 threads
    21 comments
    Hermosa Beach, CA

    18   7:26am Sun 28 Oct 2012   Like (1)   Dislike

    I've seen sites that ask very simple questions like "What is 6+3?" in an image to get proof of human. Don't know how easy that is to bypass. Seems quite simple and hard for a spammer to automatically figure out. After all, they are using code intended for the masses.

  19. Patrick

    19   9:58am Sun 28 Oct 2012   Like   Dislike

    The 6 + 3 test seems simple enough to do and reasonably hard to get around, especially if I generate it as an image.

    But my latest attempt to simply filter by number of comments, country of origin, presence of links, and keywords is working pretty well lately. I hope it's not blocking any innocent people.

    Anything else I should improve about the forum?

  20. Dan8267

    20   12:52pm Sun 28 Oct 2012   Like   Dislike (1)

    Patrick says

    The 6 + 3 test seems simple enough to do and reasonably hard to get around, especially if I generate it as an image.

    That's just a captcha. If spammers are crowdsourcing captchas on porn sites, then the 6 + 3 test is no harder (no pun intended) to break.

  21. Melissa

    21   3:34pm Sun 28 Oct 2012   Like   Dislike

    Dan8267 says

    That's just a captcha.

    But if it's a custom built "captcha," the spammers would have to customize code to deal with it. It's not a canned captcha for which they already have libraries to handle. I doubt Patrick has the following (sorry) to get spammers' attention.

    And it doesn't even have to be an image. It could be text. How would they know which field is the test? Registration asks lots of things. One could even be "leave this blank if you are a human."

  22. Patrick

    22   5:56pm Sun 28 Oct 2012   Like   Dislike

    Melissa says

    I doubt Patrick has the following (sorry) to get spammers' attention.

    Actually, they are paying close attention, and continuously modify their spam to try to get it through my filters.

    For example, I added a feature where you can enter an email address so that the thread will get mailed to that address (and the address added as a user). Within one day they were entering valid email addresses, which then got registered as users. Then they would log in as those users and attempt to post spam.

    So I'm pretty sure the spamming is not entirely automated. There must be humans working on it.

  23. Melissa

    23   6:05pm Mon 29 Oct 2012   Like   Dislike

Premium member Dan8267 is moderator of this thread.
