Spam
Pages: 1 2 3 4 5 6 7 8 9 10 11 12
Clive Semmens (2335) 3276 posts |
You dragonslayer you! |
Andrew Hodgkinson (6) 465 posts |
The volume on the most recent attack was too great for any human / UI to deal with. We nuked it in the database itself. That’s a shell access level thing so it most definitely won’t be exposed outside core ROOL staff. One way or another spam will find its way in, we just have to keep cleaning it up and doing what we can to mitigate, as best as time allows and noting the trade-off with usability. The mostly-human spammers these days can read quizzes, read instructions and so on just as well as the next man but, given their “profession”, are most likely more adept at it than real users! The only really important thing to remember is to swear profusely whenever a spam incident occurs before taking clean-up steps, in the hope that karma is listening. |
Andrew Rawnsley (492) 1445 posts |
Suggestion (slightly tongue in cheek) – make having posting rights to a forum account dependent on knowing a RISC OS fact, e.g. “Which Cambridge-based computer company invented RISC OS?” Ideally, having an account would be read-only initially, with post-ability determined by some secondary factor (e.g. question or something). Most spammers would probably just give up and move on before going through extra steps etc. |
Steve Pampling (1551) 8172 posts |
You obviously missed the not so minor detail that you don’t require an account at all for read access |
Rick Murray (539) 13851 posts |
I still reckon that new users should be limited in what they can post in their first day¹, and the system should reject everybody that tries to make an infeasible number of posts (such as >20 in five minutes?). This won’t stop spam, it’s damage limitation. ¹ Make it clear at the account signup that this limit is in place. Spammers won’t read it. My wiki has a very clear message that unknown users don’t get global write permission by default. Didn’t stop them trying. I’m guessing that they can’t read English any more than is necessary to complete captchas? |
Vince M Hudd (116) 534 posts |
Not relevant to Andrew’s point. “Signing up for read access [which isn’t necessary]” is not the same thing as “Only having read access [at first] when you sign up.” Depending how advanced spam bots are now compared to the last time I had to deal with their output, and how it’s done, that might be all it takes to deal with the problem. Ensure an account with read only access doesn’t see the posting form – so it’s prevented from trying to post, rather than allowed to try but given an error. That way, the bot is likely to think the account simply doesn’t work. (Unless they’ve got smarter these days.) Alternatives that might be helpful are a rate limiter, as Rick suggests – and a flag in the user database that prevents posting (if the flag is set there is no posting ability). The advantage of those should be clear from the steps Andrew H. had to take to deal with that mass of spam. Instead of nuking the account, he could have simply ticked the “no posting” flag for the user – thus preventing it continuing to post – and limiting the rate would have meant much less to clean up. (And that “no posting” flag could obviously be related to the read only period: Make it a three-option field: 0 = posting banned, 1 = posting not yet permitted, 2 = posting allowed) Obviously, I know absolutely nothing about the specific system in use here, so I don’t know how easy or otherwise it would be to add that. |
John Williams (567) 768 posts |
I was wondering if only a limited number of character sets could be specified, permitting postings in “English”, but refusing obviously different/unintelligible ones. This would save Korean/Japanese/Chinese/Arabic spammers wasting their time and benefit everybody! |
Rick Murray (539) 13851 posts |
まあ! |
John Williams (567) 768 posts |
Yes, it did occur to me that you mightn’t be too happy with this one! But you too could always write in English. Then we’d all know what you were saying. |
Clive Semmens (2335) 3276 posts |
Oh Dear indeed. मैं कभी कभी हिन्दी में लिख रहा हूँ, भी। |
Malcolm Hussain-Gambles (1596) 811 posts |
I find the replies funnier when they aren’t in English. |
Clive Semmens (2335) 3276 posts |
Some of us do anyway. It’s not difficult, even if you don’t know a word of Japanese. Computer translation is often not very good and sometimes completely rubbish, but it’s often better than nothing… |
Rick Murray (539) 13851 posts |
For example (for those who didn’t try this): https://translate.google.com/#ja/en/%E3%81%BE%E3%81%82! |
Rick Murray (539) 13851 posts |
ตัวอักษรอื่น ๆ ที่สนุก! |
Clive Semmens (2335) 3276 posts |
Это правда. |
Rick Murray (539) 13851 posts |
My not so great idea is to copy the translated text, paste it into the source, flip the languages, and then see if the result makes any sense. A website was built on the idea of the “problems” of translating between English and Japanese: http://translationparty.com/ |
Clive Semmens (2335) 3276 posts |
8~) Yes – I have several Vietnamese friends, but I don’t know a word of Vietnamese. Trying to eavesdrop on their Facebook conversations is hilarious. |
Clive Semmens (2335) 3276 posts |
Bing appears to be broken – it says, “problem with Bing, probably over limit” Google appears to tangle the words a bit, but is not affected by the presence or absence of a full stop, and the tangled words do alter the meaning, but mainly by making it a bit unparseable. |
Steve Pampling (1551) 8172 posts |
Seems like a reasonable (under)statement. |
John Williams (567) 768 posts |
Here we go again. Is it worth suspending new membership until a better method of preventing this spam is found? It really mucks up the RSS feed! |
Rick Murray (539) 13851 posts |
Rather unfriendly to potential new users, especially if they are new to RISC OS and have a problem because RISC OS Isn’t Linux (or Windows). New user limitation, reduce spam without blocking legitimate new people… |
Peter Howkins (211) 236 posts |
Rate limit the posting to 4/hour or similar. The only legit user this is likely to impact is Rick M ;) Doesn’t get rid of the spam, does make it less worth their effort to post it. |
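Added example, not part of any post and not the forum's own code: a sketch of the posting gate discussed in the thread, combining the three-value posting flag (0/1/2) with a sliding-window rate limit and a first-day cap for new accounts. The class and function names, and the first-day cap of 3 posts, are assumptions made for illustration; the 20-in-five-minutes and 4-per-hour figures are the ones suggested in the posts.

```python
import time
from collections import defaultdict, deque
from enum import IntEnum

class Posting(IntEnum):
    BANNED = 0    # 0 = posting banned
    NOT_YET = 1   # 1 = posting not yet permitted
    ALLOWED = 2   # 2 = posting allowed

class PostGate:
    def __init__(self, max_posts=20, window_s=300,
                 new_account_s=86400, new_account_max=3):
        # new_account_max is an assumed value; the thread gives no number.
        self.max_posts, self.window_s = max_posts, window_s
        self.new_account_s = new_account_s
        self.new_account_max = new_account_max
        self.recent = defaultdict(deque)   # user -> accepted-post timestamps
        self.first_day = defaultdict(int)  # user -> posts made while "new"

    def show_form(self, flag):
        # Read-only accounts are never shown the posting form at all.
        return flag == Posting.ALLOWED

    def try_post(self, user, flag, created_at, now=None):
        now = time.time() if now is None else now
        if flag != Posting.ALLOWED:
            return False, "posting disabled"
        q = self.recent[user]
        while q and now - q[0] >= self.window_s:
            q.popleft()                    # forget posts outside the window
        if len(q) >= self.max_posts:
            return False, "rate limit"
        is_new = now - created_at < self.new_account_s
        if is_new and self.first_day[user] >= self.new_account_max:
            return False, "new-account limit"
        q.append(now)
        if is_new:
            self.first_day[user] += 1
        return True, "ok"

def simulate_burst(gate, user, n, created_at, start, step=1.0):
    """Constructed input: n post attempts, `step` seconds apart.
    Returns how many of them the gate accepted."""
    return sum(gate.try_post(user, Posting.ALLOWED, created_at,
                             start + i * step)[0] for i in range(n))
```

Setting an account's flag to `Posting.BANNED` stops a running flood without deleting anything, and the window bounds how much there is to clean up afterwards.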
John Williams (567) 768 posts |
Then they just create more new fake users. It’s the user creation step that needs trapping somehow. Normally if I register on a site, it sends me a response key by e-mail to my valid e-mail address. Could adding this step help, or will the spambot merely create loads of e-mail accounts to use – or would that be too much bother? |
Rick Murray (539) 13851 posts |
<blows raspberry> |
Rick Murray (539) 13851 posts |
Something I noticed the other day when downloading something, there was a tick box that looked a lot like these “I’m a human” checks that Google makes, only the text indicated that I should Tick the box to continue if I am something other than a human. I think it was carefully worded to contain the text “tick box continue human” but omit the words “not” and “don’t”. Alternatively, the idea I devised for my blog is to simply provide a random five digit number and ask for it to be written backwards. There’s no session state or anything, the original number is provided in clear in the form’s POST fields. The receiving script simply reads that, flips it, and compares against what the user entered. My Wiki, on the other hand, I’ve hidden the sign up form (by hacking the wiki code). I really really don’t want to use Captchas as while ones like these aren’t bad: Some are bordering on incomprehensible. No matter how often I hit Refresh, I still can’t figure out what the heck it is asking. Then, some are just extracting the urine: (I’ve had one where one side was Cyrillic and the other was what looked like some sort of Indian language (the one that has a line over the top of everything, at least, that’s what it looked like (edit: not unlike what Clive wrote above)) – yeah, okay…) Now this, I like. If I’m going to suck at difficult captchas, there ought to be a good reason for it. Will this do? : Look, it’s even in the ROOL colour scheme. I vote we implement this last one… |
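Added example, not part of the post above and not the blog's actual script: the reversed-number check as the post describes it, next to a variant that stays free of session state but signs the challenge with a server key and an issue time, so the server only accepts numbers it handed out recently. The function names, the key handling and the ten-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

def check_as_described(challenge, answer):
    # The number arrives in a clear form field and the server only checks
    # that the answer is that field reversed, so the server cannot tell
    # whether it ever issued this number.
    return answer == challenge[::-1]

SECRET = secrets.token_bytes(32)  # assumption: per-server secret key
MAX_AGE_S = 600                   # assumption: form valid for ten minutes

def _tag(challenge, issued):
    msg = f"{challenge}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(now=None):
    """Hidden form fields for a fresh challenge; nothing stored server-side."""
    issued = int(time.time() if now is None else now)
    challenge = f"{secrets.randbelow(100000):05d}"
    return {"challenge": challenge, "issued": str(issued),
            "tag": _tag(challenge, issued)}

def check_signed(form, answer, now=None):
    now = time.time() if now is None else now
    try:
        issued = int(form["issued"])
        challenge = str(form["challenge"])
        tag = str(form["tag"]).encode()
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(_tag(challenge, issued).encode(), tag):
        return False              # fields were not issued by this server
    if not 0 <= now - issued <= MAX_AGE_S:
        return False              # stale form resubmitted
    return answer == challenge[::-1]
```

The signature does not make the puzzle itself any harder to read; it only ties each submission to a form this server served within the time window, and rejecting reuse inside that window would need stored state.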