patrick.net

Some spammers post comments with vast numbers of links, so I assumed a limit would be good.

OK, it's now 10 links per comment.

Anyway, explicitly putting in the img tag should not have fixed it. That sounds like a bug in itself.

Are spammers registering accounts on patrick.net so they can post spam?

Yes, vast numbers. They attempt a new registration a few times a minute.

Fortunately, they have certain characteristics that let me detect them, such as typically being from Russia, Ukraine, or a few other countries, posting links immediately, and using certain keywords that are easy to block, like drug names or brand names.

Ah, the problem is your not using captcha's when registering new users. You're just using email confirmation. I just registered user "test111" and didn't have to enter a captcha.

Without such a human-verification challenge, people will write code to automatically register users. It's not worth their time to register a single account by hand. I'd recommend adding a ReCaptcha challenge for registering new users.

Since a real user only needs to register once, this is hardly an inconvenience. But it kills the automated registering of accounts. Plus it helps digitize books.

Something about captcha's always bothered me. They seem unfriendly.

Also, I've heard it's pretty easy to get around them by just making some porn site require the entry of a captcha, which is copies from the site you're trying to get into.

I've heard it's pretty easy to get around them by just making some porn site require the entry of a captcha, which is copies from the site you're trying to get into.

lol. Crowdsourcing captcha's in exchange for porn. Priceless.

Well, there is another way. You could make registration computationally intensive, say running a JavaScript function to factor two large primes. It would only take a few seconds on a browser, but automated registers won't want to execute the JavaScript and won't want to spend the time factoring the product.

Tell me more. Do you have an example bit of code?

http://arachnoid.com/prime_numbers/index.html

Basically get a table of large primes from some math site, multiply two or more together to produce a very large number, and run the JavaScript from the above site (after removing the maximum value limitation) and it could take a few seconds to a few minutes of JavaScript execution to get the factors out.

Use AJAX to send the result back to your server and compare with the original numbers you used in the product. If they match, accept the registration.

Basically, it's like a captcha, but a machine can do it. No human intervention is required, but it's not worth spending computational time doing to register lots of accounts. At most, a human needs to keep a browser tab or window open for a few minutes while doing this verification. And since this only needs to be done once per legitimate user, it's not that inconvenient.

Speaking of spam...

http://www.anwy2MPT5RE

Dan8267 says

Basically, it's like a captcha, but a machine can do it. No human intervention is required, but it's not worth spending computational time doing to register lots of accounts. At most, a human needs to keep a browser tab or window open for a few minutes while doing this verification. And since this only needs to be done once per legitimate user, it's not that inconvenient.

I'd prefer registration to be instant and as convenient as possible for human users, since merely having registration already discourages people a bit from commenting.

If I could somehow easily charge users one cent to register, that would be perfect. The spammers won't pay even a cent, but most other people wouldn't care.

I recommend SQL paste. That's how I fix my leaking SQL server issues.

I'd prefer registration to be instant and as convenient as possible for human users, since merely having registration already discourages people a bit from commenting.

Well, there is one other way, but it does take away anonymity and requires a mobile phone with SMS messaging. The registering user gives his phone number and your server sends him a SMS with a short numeric code. The user then enters the code on a verification page.

Of course, that means users have to be willing to share their mobile number with you. Spammers won't do that, but not all humans will want to or be able to either. And they have to trust you to not reveal who they are as their mobile number effectively identifies them.

Online marketing companies love mobile phones because then they can attach a social security number and everything that goes with that to a user profile.

Also, there is Askimet. It's a $5/month service that provides a Bayesian filter for forum comments based on all comments received from all their customers (around 20 million a day). You send them the text of a comment, and they reply "spam" or "not spam". There are libraries for various platforms including all the major ones.

I've seen sites that ask very simple questions like "What is 6+3?" in an image to get proof of human. Don't know how easy that is to bypass. Seems quite simple and hard for a spammer to automatically figure out. After all, they are using code intended for the masses.

The 6 + 3 test seems simple enough to do and reasonably hard to get around, especially if I generate it as an image.

But my latest attempt to simply filter by number of comments, country of origin, presence of links, and keywords is working pretty well lately. I hope it's not blocking any innocent people.

Anything else I should improve about the forum?

The 6 + 3 test seems simple enough to do and reasonably hard to get around, especially if I generate it as an image.

That's just a captcha. If spammers are crowsourcing captchas on porn sites, then the 6 + 3 test is no harder (no pun intended) to break.

Dan8267 says

That's just a captcha.

But if it's a custom built "captcha," the spammers would have to customize code to deal with it. It's not a canned captcha for which they already have libraries to handle. I doubt Patrick has the following (sorry) to get spammers attention.

And it doesn't even have to be an image. It could be text. How would they know which field is the test? Registration asks lots of things. One could even be "leave this blank if you are a human."

Melissa says

I doubt Patrick has the following (sorry) to get spammers attention.

Actually, they are paying close attention, and continuously modify their spam to try to get it through my filters.

For example, I added a feature where you can enter an email address so that the thread will get mailed to that address (and the address added as a user). Within one day they were entering valid email addresses, which then got registered as users. Then they would log in as those users and attempt to post spam.

So I'm pretty sure the spamming is not entirely automated. There must be humans working on it.

So I'm pretty sure the spamming is not entirely automated. There must be humans working on it.