Spam

Even better would be a conditionally-refundable registration deposit

I wonder how many people that would put off?

This system isn’t POSIX compliant and they
expect you to pay before you can
even ask for assistance!
That’s SO eighties!

If we had a tenner for every

There are numerous times I’ve thought “If I had a Euro…”, but alas the world doesn’t work like that.

spam received over the past week or so

One of the benefits of sticking with crappy Yahoo!, obfuscating my address (the at nonsense), and not making my private email address generally known. I tend to get maybe ten or so spams a week now, and bizarrely the ones Yahoo! fail to filter are ones claiming to be from Yahoo! inviting me to update my account.
There’s no email at @heyrick as back around 2004 or so (after I left the UK), it was piling it at hundreds per week, and in some cases that many over a weekend, so I asked my provider at that point just to reject it all. I don’t know what Rob does nowadays, if I even have an MX. I don’t use it, so not bothered.

The address that DID get spam was the alias heyrickmail-usenet (at Yahoo!), you can probably guess what I used that for. The ‘desired’ policy of csa* is for people to use real addresses, thus providing a reasonably rich source of email addresses to spambots. I stopped that and tried adding a “.removethis.” bit in the email address, but that proved too stressful for some people who would rather spend several minutes flaming ‘stupidity’ than several seconds checking the outgoing address (either that or they have crap software that replaces address with friendly name and makes it difficult/impossible to see the actual address being used), so now I just use a completely fake address. It’s not worth my time dealing with spam because somebody else wants me to post a live email address to the world. FTS.

which seems to disallow, practically, any modification.

…and written in a language that iswas “trendy” but isn’t as well known (or as easy to figure out) as the other usual server side language. My request to get rid of the SSL warnings (look up, you ought to have a grey padlock with bright yellow/orange ‘!’ triangle, or similar) is the addition of a single ‘s’ in one or two places. I stuck it in the bug tracker six months ago, but it’s been an issue for several years. ;-) As I understand it, the current setup is treated as “don’t touch unless actually broken”.

Oh, and one final thing… some of us try our best to avoid: a, PayPal and b, using active real credit cards online. John – as you’ve been in France for a while, you’re probably aware of Virtualis…

I wonder how many people that would put off?

Everyone that doesn’t want to use Paypal, 99.99% of the genuine new users and the spammers probably have a dodgy method of dealing that kind of obstacle.¹
Oh, and the deposits money has to be held somewhere and readily repaid, securely, to the right person. I’m not sure I’d like to dump that conundrum on the set of people I know over in our FM building that specialise in Finance so dumping it on the minimal group of people labeled as ROOL just isn’t fair.

My request to get rid of the SSL warnings (look up, you ought to have a grey padlock with bright yellow/orange ‘!’ triangle, or similar) is the addition of a single ‘s’ in one or two places. I stuck it in the bug tracker six months ago,

I’ve got an alternate fix – delete the gravatar element²

¹ The first illegal method that occurred to me is some kind of illegal bank transfer that when there have been 500 accounts created and then killed would look to an outside financial analyst rather like an illegal money gathering (or laundering) scheme by ROOL.
² Damned irritating, pointless, eye-candy. Removal would probably improve the server response times too.

I wonder how many people that would put off?

I probably wouldn’t be using RISC OS at all if I had to pay – even temporarily – to use the forums. I started with the Raspberry Pi and I’m sure that I wouldn’t have touched the OS if I had to pay to get access to community-provided support.

Damned irritating, pointless, eye-candy.

I question the security of it too. You’re “supposed” to use different account details for each site that you’re a member of, so that if the site gets compromised then the attackers can’t log into other sites using the same account. Yet Gravatar seems to require that you provide a list of all your accounts… if Gravatar gets compromised then that extra layer of security goes bye-bye.

Technically I probably shouldn’t be using my real name on the ROOL forums either! I know I can change it easily but then none of you will know who I am… or is that a good thing? :)

How about moderating new users?

All posts would be held until approved, unless they were on a thread started by that user or made from a RISC OS system.

There could be a form styled like a helpdesk request, which could be used to start a new thread in the community support forum, without moderation. This would prevent genuine people being totally cut off, while still protecting all the other fora.

Is their an anti spam plugin for this forum software?
For example Akismet
https://akismet.com/

Looking at what comes in, you’d probably deal with half the spam problem if you automatically discard any message with “http” in the title…

Looking at what comes in, you’d probably deal with half the spam problem if you automatically discard any message with “http” in the title…

Thinking along those lines what if there was a background script that checked for http in the title AND in the visible content and reject ones that were not in the link format is deleted.
i.e. a properly formatted link to a website is left alone and every other web note gets script deleted.

Edited my message above, for the last paragraph and a bit being struck out. Ooops! Can’t close an <s> with an </i>! :-)

Yet Gravatar seems to require that you provide a list of all your accounts…

I have two (as only two places use Gravatar). Of course, they are maintained as two entirely separate entities. That way, one getting found out doesn’t disclose the other (actually, I’ve forgotten what/where the other one was, but the point still stands – treat them as separate).

Thinking along those lines what if there was a background script that checked for http in the title

Thinking more while at work (gotta use my brain for something!), it seems clear to me that the title check should look for “http:” and “https:”. That way, a legitimate URL will trip it, but a valid title like “HTTP fetcher?” won’t. I’ve had a quick look through a few pages of the forum, and didn’t spot any real postings with a URL in the title.

Now, the important thing is not to flag an error. Don’t say “URLs are not allowed” or suchlike. Just reload the messages list as before, only instead of inserting the message as a new one, you simply drop it on the floor. Silently.

A real person will (eventually) complain and be told that such things won’t work. A spammer probably won’t be smart enough to figure it out. From my experience, I wonder if the people doing this stuff can even understand English… or are even real people.

AND in the visible content and reject ones that were not in the link format is deleted.

Define “in the link format”? There is no magic to making a link in Textile, just write “http” blah blah and it’ll be turned into a link.

BUT, and this is a big but (see what I did there?): I usually use <a href...> style links. The first reason is because Textile is annoying and its URL parser is rubbish, so any URL that contains weird stuff in it is often truncated by the auto-link thingy, meaning you can display the entire URL in the message, but only a part of that will be made into a link. I got fed up of working out what was the cause, so now I just tend to wrap everything in href tag, that way I know it’ll be correct. I also use href tags around imgur inserts. I know that NetSurf cannot handle dealing with inline image resizes, so I try to avoid dropping anything wider than ~600 pixels on the forum (there’s also the issue of data size, nobody would thank me for them fetching a 3MB image on their mobile phone multiple times until the image drops out of the Recent Posts view). So I put a reduced image on the forum, with some sort of link to see it full size. Either a click-here style link, or the image itself is a link to its original.

unless they were on a thread started by that user or made from a RISC OS system.

Threads started by that user is often how spams are done (re. my comments about URLs in the thread title).

Made from a RISC OS system? Once upon a time people used to have “a system” and they’d pretty much stick to it. These days, it’s harder.
Example – when my alarm goes off in the morning, it’s my phone. I check TheRegister, ROOL, and the news. Sometimes I look at AccuWeather, but it seems in my experience that it’s far simpler to note whether or not I get wet when walking across the field to feed outdoor cat. I eventually get up, put the kettle on, walk across said field, then come back. If I’m not going to work, I might mess around on the tablet while drinking my Tetley. If I am going to work, I’ll be using my phone while on break for lunch. Then, in the afternoon (not working) or evening (working), I will be using either RISC OS or Windows. I used RISC OS earlier this evening (tweaked DeskLib, and a post or two to csap). Now I’m insulting Trump’s idiotic comments about his Red Button being bigger (in other words, writing a blog entry) so I’m using the PC. Depending on when I’m done, I may or may not watch an episode of Border on my phone. Then I might use it again to look at stuff on-line.
Once upon a time, such things used to only be possible with desktop PCs, but Firefox/Chrome on a phone is every bit as good at rendering as said browsers on a PC. You do miss a few things (the fine grained control of NoScript, for example) but for looking at stuff, it does a good job. And using a modern browser on a phone is much quicker than using Otter, or more capable than using NetSurf.

So, in short, I think assuming “from a RISC OS system” is maybe twenty years out of date.

Define “in the link format”?

Dead easy: look at the text near the bottom of the screen when you’re logged in and ready to post.
Can’t be that difficult to read three bullet points with a heading saying “formatting help”

Made from a RISC OS system? Once upon a time people used to have “a system” and they’d pretty much stick to it. These days, it’s harder.

Well quite.
If I’m at work I’m on a PC, obviously barred from posting with that ruling.
If I’m at home like this I’m on a laptop, obviously barred from posting.
If I fire up the Iyonix the network interface is currently knackered, no network on that
If I move to the RPC general browsing performance is erm, erm, polite Steve, be polite, erm, not good.

I know what I’ll do – go browse some sites that do let me do things from a PeeCee.

Now I’m insulting Trump’s idiotic comments about his Red Button being bigger

I believe the phrase “Trump’s idiotic comments” is a tautology.

Can’t be that difficult to read three bullet points with a heading saying “formatting help”

Ah, you mean the quote text quote colon URL thing? I don’t think I’ve ever used that. And I wouldn’t, because the URL isn’t quoted so it’s probably subject to the same brokenness as the auto URL thing…

Ah, you mean the quote text quote colon URL thing? I don’t think I’ve ever used that.

You know how some people have short memories? Well have a look here and see what was done for the “(piccy here).” text. :) Oh, look it’s this same thread.

I suspect Rick links in a way that the URL is quoted (which is why he mentions that it isn’t when using that method) – i.e. by using anchor tags, which probably looks the same to anyone reading the post.

(I’m assuming that the forum allows it – so as a quick test: Piccy here)

Yes, it does.

A few minutes later… and I see Rick has now explained that’s exactly what he does!

Note to self: Read in full first, then post.

You know how some people have short memories?

I know my memory is barely better than that of a goldfish, however it is better than that of the person that reads my message and then forgets the part where I mentioned using <a href...>. :-P

Yes, my links are written in HTML, not the URLs-for-dummies markup, so a Brownie Point to Vince!

The first link, for what it’s worth, is the first thing that came to mind. Don’t ask me why… But you will notice when you click on it, it opens in a new window/tab, not replacing this. Easy stuff to do when you can use proper HTML markup.

BTW, the list of what tags are available is part of Beast, listed as the white_list part of the plugins (under “vendors” for some reason). I won’t directly link it, but those who can write HTML can probably wander around a repository (no, not that one, the other one!) and spot the list at the bottom of the file. It’s pretty much your standard line up of basic HTML, though span is included so you can mess with CSS to get creative (as I have in the past).

Yes, you can write forum posts using HTML.

Like:

...list at the <i>bottom</i> of the file. It's pretty much your
standard line up of basic HTML, though <code>span</code> is...

Yes, you can write forum posts using HTML.

Just one more variant of scripting for Beast/Textile to chew up and spit¹ out.

¹ Spit wasn’t the first word I thought of.
BTW. I try to keep things simple and standard (Textile std) because it gives less excuse for the system to screw things up. Plus dummy is probably apposite.

Made from a RISC OS system? Once upon a time people used to have “a system” and they’d pretty much stick to it. These days, it’s harder.

Well quite.
bq. If I’m at work I’m on a PC, obviously barred from posting with that ruling.
bq. If I’m at home like this I’m on a laptop, obviously barred from posting.
bq. If I fire up the Iyonix the network interface is currently knackered, no network on that
bq. If I move to the RPC general browsing performance is erm, erm, polite Steve, be polite, erm, not good.

Except you are not a new user. A new user would likely be on a Pi 2 at least. And my exceptions were to bypass moderation in situations that present little risk of spam, rather than be the only way of posting.

A new user would likely be on a Pi 2 at least.

I’d actually dispute the implied assumption that the new user is going to jump at the chance of fiddling with a RO browser they aren’t familiar with to browse the net rather than use the other system they almost certainly have (PeeCee or Mac) particularly if they have a number of setup issues to iron out.

You see the point is that as an olde user I’m more likely to have experience of RO browsers and any affinity for them than any new user.

I spend my work time in an IT support setup so the variants on what users see as an insurmountable obstacle are familiar territory for me. Have to say I’m also,sadly, familiar with what idle support staff in partner organisations put up as obstacles.

I’ve never known such a sustained spam campaign as the current one. I say “one” because, although the email addresses are different every time, and there have been several URLs, it all looks very similar to me. Anyway, I’ll keep on knocking them down as soon as I see them. And I look more often now, since I see that the spammer keeps doing it at different times.

On the plus side, a message or two of crazy English every so often is surely better than several hundred messages written in Hangul?

On the plus side, a message or two of crazy English every so often

Maybe it’s just me but 99.99% of the spam seems so blindly obvious just from the subject that I ignore them, so don’t open them and never see the actual content. Maybe that’s why they stick their URL stuff in the title, but I’m used to sales stuff in the work account and routinely delete those (assuming they haven’t already repeated and triggered me to produce an auto delete)

a message or two of crazy English

I suggest that they may be being generated by a similar algorithm to that used to generate English “mottos” for French T-shirts, to which I believe I’ve referred before.

If anyone doesn’t know what I’m talking about, then presumably they haven’t been exposed to this genre of meaningless nonsense.

It must surely be auto-generated!

Could we add a regular expression checker to the subject or to URLs in the forum posts that render forum posts private the current user until approved? I’m sure writing a regular expression would detect most of this spam.

Alternatively, RISC OS Info has a nice simple new user protection mechanism that protects against spam which might be just as effective but rather simpler to implement
…

“http:” and “https:” in the subject? Discard it.
Could probably do that with one line of code in the right place… ;-)

Repeat previous requests for discarding of messages with “http:” and “https:” in the subject… ;-)