Registration new user on the forum

Phaseolus
Forum Moderator
Posts: 13358
Joined: Fri Feb 11, 2005 2:16 pm
Location: Quelque part ou même ailleurs !

Registration new user on the forum

Post by Phaseolus »

I have recently been approached by some relatives that wanted to register on the forum and was stuck by a "question she could not answer".

I have checked the registration process and understood that she was stuck whilst responding to the following question: "Get the registration code from http://ebtforum.com/spam and enter it here to proceed:
This question is a means of preventing automated form submissions by spambots."

I guess the difficulties are:
1. For getting the password, you have to copy and paste the address and read the text that is not explicit and find that the password is "banknote"
2. It would be advisable that the link "http://ebtforum.com/spam" be a proper link and not a text to be copied and pasted
3. I followed the steps and all were in English only, please consider that not everybody understands this language. I would advise to make proper translations
4. Why not use a simple system such as what you can see on other websites where they ask "Please, fill in the answer for 4+9= ?"

I fear that this step might frighten some new users. But this last statement is only a "feeling" that I cannot confirm with facts.
Crazy Bob
Forum Moderator
Posts: 7363
Joined: Sun May 01, 2005 6:29 pm
Location: Rotterdam, Netherlands

Re: Registration new user on the forum

Post by Crazy Bob »

Shouldn't this be in Forum Feedback?
avij
Forum Moderator
Posts: 6120
Joined: Mon May 27, 2002 10:45 pm
Location: Helsinki Finland

Re: Registration new user on the forum

Post by avij »

Indeed. I moved this topic to a more appropriate subforum (without warning).

For the record, the registration form looks like this at the moment
[Image: ebtforumspam.png]
and http://ebtforum.com/spam has this to say (emphasis original):
http://ebtforum.com/spam wrote:
Please note the following:
  • All the posts from newly registered users must be approved by a moderator before they're visible to others. Any spam will only be seen by the moderators.
  • User profiles are not visible to non-registered users to prevent using them for search engine optimization.
  • Private messages can only be sent by users who have posted at least one accepted public message on the forum.
  • Due to the above points, using our forum for spamming is rather useless. Please don't even try.
If you are not a spammer, please accept our apologies for this inconvenience. You may now proceed to register on the forum using the registration code banknote
I would not say that the process is particularly difficult. But then again, I'm a nerd, so my opinion may be biased.

I agree that this approach is somewhat unusual (more on this later), but I specifically made two choices that would make the process less difficult. One is the short URL. It is short enough to be typed manually in a browser, if cut and paste proves difficult for some reason. Another is the emphasis on the registration code. I was hoping that this would help people to pick the correct word from the page without having to read the entire page. The registration form asks for a "registration code", and the registration infopage also mentions that "registration code" term exactly once. There should not be too much confusion about which word to use.

phpBB does not allow BBcode or HTML in that field. That's why the URL is not a clickable link.

Fortunately phpBB does allow different questions to be presented based on the browser's language. If you can provide me the French translations for "Get the registration code from http://ebtforum.com/spam and enter it here to proceed" I can configure it to be shown whenever someone tries to register in French. Likewise, the longer list with the bullet points can also be translated. If you or someone else provides me with an appropriate French translation for that text, I can make it to be shown for users who have set their web browser to prefer French.

As for the "fill in the answer for 4+9" suggestion.. this requires a bit longer answer.

In the beginning there was no spam and everyone was happy.

Then the spammers arrived and quickly became a nuisance for everyone.

Various countermeasures were applied over time, gradually escalating to some sort of an arms race. Whenever some countermeasure was devised, the spammers quickly adapted their spambot systems to figure out the answers to the presented problems.

For example, there was a time when CAPTCHAs were considered the best possible countermeasure against forum spam. They worked fine in the beginning, but the spambots became smarter and the 'garbling' of the text had to be gradually increased. This led to a situation where it became truly difficult for humans to decipher the text, but some of the most advanced spambots managed to solve the captcha without too much trouble. This was obviously not good.

What we had prior to the current solution was a relatively easy question & answer test: "What are we tracking at this site: Dollar, Yen, Euro or Swiss Francs?". I don't actually know who set that up, but I think it wasn't me. That approach didn't seem to be enough, so something different was needed.

What I found out during the captcha period was that unique solutions work the best. phpBB at that time displayed a captcha that was exactly six characters long. As a consequence, the spambots were programmed to figure out six characters from the captcha image. I made a simple, yet surprisingly effective change to phpBB's code that made phpBB emit captchas with seven characters instead of six. As this change was unique to our forum, it thwarted the majority of spambots that were designed to spam phpBB forums. As time went by, the spambots became smarter and the seven character captchas gradually lost their effectiveness.

So, going by that "think different" theme, I (as the person who actually removed most of the spam users at that time, even though there are other forum admins as well) set up that system where the registration code would need to be fetched from a different page. It also allowed me to publish the "if you are a spammer, don't even try" information, which the registration form didn't have space for. If someone wanted to spam our forum, some actual person would need to access that page to fetch the code, and hopefully that spammer would spend a few seconds reading the text.

There was also an option to set up a system where the code would change automatically each day, but that turned out to be unnecessary. I have changed the code only once since the beginning. It was initially 'europa'. I think I'll change the code again in the next few days, it's been 'banknote' for quite some time now. Some of the spambots keep a database of such registration codes. How do I know? Some of the spambots are buggy and leak information through their web page requests to the web server log. Example: "GET /viewtopic.php?f=1&t=5349+++++++++Result:+unknown+type+of+text+captcha,+add+it+in+textcaptcha.txt;+chosen+nickname+%22Duerryflurf%22;+registered+%28registering+only+mode+is+ON%29;".
For the uninitiated, the text from +++ onwards should not be there. It boggles my mind (as a programmer) how they managed to create a bug like that.

I hope I managed to answer your questions, and also a few other questions you did not ask yet. If some other forum admin thinks some other approach would be better, go ahead and make the change, and delete any spammers yourself that leak through the new countermeasures.
Money makes the world go round. We track how the money goes round the world.
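
An added example, not part of avij's post or the forum's own code: a small Python filter that a forum admin could run over the web server log to find requests like the one quoted above, where a numeric phpBB parameter carries leaked spambot status text. The sample log lines are constructed (only the leaked request target comes from the post), and treating `f` and `t` as integer-only parameters is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in "combined" format. Only the request target
# of the second line comes from the post; addresses, times, sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /viewtopic.php?f=1&t=5349 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /viewtopic.php?f=1&t=5349+++++++++Result:+unknown+type+of+text+captcha,+add+it+in+textcaptcha.txt;+chosen+nickname+%22Duerryflurf%22;+registered+%28registering+only+mode+is+ON%29; HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /viewforum.php?f=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC_PARAMS = {"f", "t"}  # assumption: forum and topic ids are plain integers
NICKNAME = re.compile(r'chosen nickname "([^"]+)"')


def find_leaks(log_text):
    """Return one finding per numeric parameter that carries non-numeric text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        _path, _, query = m["target"].partition("?")
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # '+' becomes a space, %22 becomes '"'
            if name not in NUMERIC_PARAMS or value.isdigit():
                continue
            # Split the legitimate leading id from whatever was appended to it.
            ident, leaked = re.match(r"(\d*)\s*(.*)", value, re.S).groups()
            nick = NICKNAME.search(leaked)
            findings.append({
                "ip": m["ip"], "param": name, "id": ident, "leaked": leaked,
                "nickname": nick.group(1) if nick else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

The extracted nickname can be checked against the pending-registration list, so the account is removed before it posts.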