The spam on this board is OUT OF CONTROL.

[Spidey]

Something needs to be done about all the spam on the board. It's EVERYWHERE. On main, in place, anywhere where people frequently post, there's a spammer, and nothing seems to be done about it, no matter how much I hit the report post button.

There's a spammer here who has *26* posts! TWENTY-SIX. How the hell is this allowed to happen?

I understand that staff have lives and priorities outside of this board, but the amount of spam is absolutely ridiculous.

If there is this much spam on the board, then just how secure is the board? When was the last time the forum software was updated? Where did LITERALLY half the emoticons and skins go? Why do things that used to work no longer work anymore (here's looking at you, HTML, delete post function in place)?

This is worrying. What's being done? Is there control of the upgrade of the board anymore?

[treasure]

the number of posts is not all that controllable, since a spam bot can keep posting as fast as the forum will allow it to. imo admins do get rid of spam quite quickly, but maybe there need to be more admins or more frequently visits by admins?

updates, upgrades, themes etc are all under the control of sine nomine who i don't think is interested in keeping them updated, although an upgrade to phpBB3 was done in the past few years. (happened to break avatar updating and that hasn't been fixed either). i don't think sine nomine should be in control of so many admin functions while not being an active administrator, but there's not a whole lot we can do about that.

[kiwi33]

Gaball Screen, thanks for reporting the "26-er" - I have deactivated the account and have done a generic IP-ban which should be the end of that one.

Typically the spammers are not script-kiddies who do spam-bots - the CAPTCHA which is part of BUS registration blocks most of them. Rather, they are unpleasant people whose IP addresses are (surprise...) apparently mainly from China, Russia and Ukraine - your 26-er was from China.

Most of the spam is tedious but innocent (links to porn and on-line pharmacy sites are obvious exceptions).

I can assure you that all members of the staff team take spam seriously. The mods move all of the spam that their permissions allow and the admins deactivate spam accounts as fast as they can (eg, so far today I have deactivated ~10 spammers who have posted and pre-emptively deactivated another ~10 accounts).

[Spidey]

Gaball Screen, thanks for reporting the "26-er" - I have deactivated the account and have done a generic IP-ban which should be the end of that one.

Typically the spammers are not script-kiddies who do spam-bots - the CAPTCHA which is part of BUS registration blocks most of them. Rather, they are unpleasant people whose IP addresses are (surprise...) apparently mainly from China, Russia and Ukraine - your 26-er was from China.

Most of the spam is tedious but innocent (links to porn and on-line pharmacy sites are obvious exceptions).

I can assure you that all members of the staff team take spam seriously. The mods move all of the spam that their permissions allow and the admins deactivate spam accounts as fast as they can (eg, so far today I have deactivated ~10 spammers who have posted and pre-emptively deactivated another ~10 accounts).

I don't mean any disrespect, but as an ex-mod, how the hell is this allowed to happen? I imagine it has to be a massive PITA for y'all to swat down spammers as admins (and as I remember, it was for me as a mod), but the amount of spam that seems to be getting through the CAPTCHA (which has been proven to be ineffective from a security standpoint) and even allowed to register in general is absolutely INSANE. I just logged on and there's 4 more accounts who are spamming place!

I hate to be a turd, but I'm calling the SECURITY of the board into question. A board that is fully updated and patched should NOT have the kind of spam/BS issues that seem to be endemic on the board. If the board is vulnerable to spammers...what else is it vulnerable to?

Honest question.

[kiwi33]

No disrespect taken, I don't think that you are a turd and I appreciate your honest question.

The board is currently running under phpBB v3.0.10. The latest version is v3.0.11. As far as I can see from the phpBB Web site, the differences between these versions are essentially cosmetic, though I could be wrong. I have the impression that your technical computing expertise exceeds mine (I used to write code, mainly FORTRAN, some C++, but that was some time ago). Maybe you could have a look at the phpBB site - if you spot anything important, let me know by PM and I will raise it on the admin forum.

As far as security is concerned, the board is secure in the sense that if I Google "Gaball Screen" (or the screen-name of any other member), nothing relevant to BUS is revealed.

[swirlish]

There is nothing we can do about the board software. The admins try to keep bus as safe and stable as we possibly can and to be honest, most people say that spam is dealt with pretty quickly and efficiently. I'm sorry that your experience is different. If you have any ideas, please let us know, but keep in mind that there is nothing we can do about the board software.

Mia

[Spidey]

There will be spam no matter how hard one tries, and I get that, I understand that. I know enough about computers/forum software/PHP to realise that the fight against spam is an often futile one.

Suggestions:

- CAPTCHA. It's old. It's insecure. Really, it's pathetic and most secure forums/places won't even bother with it except to verify posts and cursory verification of registration. It's the "I guess I should do ...something" of the Internet world if people don't want to improve security measures or somehow can't. With a messageboard like BUS, it'd be best to piggyback CAPTCHA with something a bit more secure, like email activation and the details of which I've expounded on below.

- If email activation doesn't exist for accounts, it should. It's easy and an admin can implement that - I know for a fact that it's a feature on most message boards - new users are required to activate not only their email address but maybe put in an alphanumeric code to verify that they're, in fact, human and not a spambot. Another forum I'm on actually requires new users to update their profiles by selecting a dropdown box asking them if they're a spammer or not. N/A or Yes gets them automatically banned and deactivated. I'm sure it wouldn't be difficult to implement this.

I know that you can't mess with the software, but seriously - keeping tabs to the latest and greatest THAT IS NOT BETA is always helpful and can mean that you can head off BS before it starts. Of course, this means that you'll have to keep tabs on the beta versions and the security flaws within them, but an updated software system (even if things get broken) is a more stable and secure system (and do not. even. get me going. on all the broken shit. there is. here. HELLO HTML WHERE ARE YOUUUUU)

[Milvus]

Email activation should be in place for accounts. It's enabled in the admin panel. If I weren't about to go to bed I'd set up an email account to test it. Poke me tomorrow and I'll try to do it after work.

I don't think we can do auto-bans via the profile (otherwise all the spammers whose gender is "Volkswagen" would not be here...) but it's possible we could set up a question instead of the CAPTCHA. I'm not sure if that would be any more effective, as you have more experience with it than me, what do you reckon? It might be easier for visually impaired people, too.

Software updates are probably not going to happen as they require Deb. We're aware of the broken stuff, themes, html etc. It all needs Deb's attention.

[swirlish]

Email activation should be in place for accounts. It's enabled in the admin panel. If I weren't about to go to bed I'd set up an email account to test it. Poke me tomorrow and I'll try to do it after work.

I don't think we can do auto-bans via the profile (otherwise all the spammers whose gender is "Volkswagen" would not be here...) but it's possible we could set up a question instead of the CAPTCHA. I'm not sure if that would be any more effective, as you have more experience with it than me, what do you reckon? It might be easier for visually impaired people, too.

Software updates are probably not going to happen as they require Deb. We're aware of the broken stuff, themes, html etc. It all needs Deb's attention.

As Milvus said, e-mail activation is enabled.

Re spambot measures, I just had a look and there is an option to set up a question like you said (although not a dropdown menu, an empty field). Would that work better for disabled users? If so, it might be something we can talk about.

Updates would be good (although from what Kiwi said, it doesn't sound very useful at this point), but there really is nothing we can do about it. I feel a bit frustrated because I hear that you think this needs to be done and that you have strong feelings about it and there is nothing I can do and there's no good answer I can give you. (those are my feelings only, not speaking for anyone else.) It feels like you are telling me that I should be doing this and not fully listening when I say I can't. Not saying this is what's happening, just that it's what I feel. I have a lot of respect for you, as I hope you know! And your input is really appreciated.

Mia

[Spidey]

I don't know how accessible questions would be for disabled users; that is something that Admins would have to look into...that and if it would be too much of a burden for users themselves...

I am not mad at you; I'm just mad at the situation. I understand that there is not very much that you can do about it -- I don't mean to be offensive or rude it's just from a security standpoint when I see a flaw I pounce on it like ants on a leaf I get to sounding heavy handed sometimes....oops

[amerylis]

Speaking as a dyslexic person a question would be easier than a captcha and questions are cope-able with by screen-readers, which would also benefit fellow dyslexic people and those with visual impairments. What do others think?

[swirlish]

I don't know how accessible questions would be for disabled users; that is something that Admins would have to look into...that and if it would be too much of a burden for users themselves...

I am not mad at you; I'm just mad at the situation. I understand that there is not very much that you can do about it -- I don't mean to be offensive or rude it's just from a security standpoint when I see a flaw I pounce on it like ants on a leaf I get to sounding heavy handed sometimes....oops

It's okay I totally understand the frustration. I hope that something good will come out of this conversation, you bring up really good points.

Mia

[kiwi33]

I think that amerylis makes a good point about a question rather than a CAPTCHA - a question would be accessible to real people but would defeat spambots.

It could be quite simple:

(1) Please rank the following animals in terms of how big they are (biggest first): mouse, zebra, whale, cat.

(2) Please rank the following numbers in terms of how large they are (largest first): seven, fifty, two, ten.

Easy for people, probably impossible for spambots.

[swirlish]

there is only one option in the admin panel :are you a spambot? if you type no with a capital no, you're fine. paraphrased, I'm on my phone right now.

[Milvus]

We can add more questions quite easily, I like Kiwi's suggestions because a bot is unlikely to come up with the answer randomly.

[emark]

I think the key question is: What options does the phpBB software allow (including newer versions if relevant)? I mean, it's all very well criticising the spam-prevention features of phpBB, but that's not something the admins here can resolve.

There is some info from phpBB at https://www.phpbb.com/community/viewtopic.php?t=2122696 , which lists which CAPTCHAs are no longer recommended, and says that CAPTCHAs based on questions are most effective. However, that doesn't mean such questions are impossible for spambots, they will be able to answer some kinds of questions (not to mention that one way that spammers get round CAPTCHAs is by farming them out to humans to answer). The link I gave gives recommendations of questions that are effective:

"What programming language is phpBB written in?" is an effective question, while "What colour is the sky?" or "2+2 = ?" are not. These questions are particularly effective on niche forums where one can ask a question that is not immediately obvious to the general populace.

Also very effective are questions of the type:

Q: What are the first three and last three characters of this board's URL ?
A: phpity

Q: Grass is to lawn as __________ is to forest.
A: trees

Or:

Q:Forest is to lawn as grass is to ______________.
A: trees

I'd have thought that question based CAPTCHAs would be better for disabled users (since text to speech programs would still pick them up, and no issues for visually impaired people trying to recognised images - even without any disability, I find myself unable to read quite a lot of the image based CAPTCHAs...) I mean, if someone can read the website, they should be able to read the question.

[Spidey]

I think the key question is: What options does the phpBB software allow (including newer versions if relevant)? I mean, it's all very well criticising the spam-prevention features of phpBB, but that's not something the admins here can resolve.

There is some info from phpBB at https://www.phpbb.com/community/viewtopic.php?t=2122696 , which lists which CAPTCHAs are no longer recommended, and says that CAPTCHAs based on questions are most effective. However, that doesn't mean such questions are impossible for spambots, they will be able to answer some kinds of questions (not to mention that one way that spammers get round CAPTCHAs is by farming them out to humans to answer). The link I gave gives recommendations of questions that are effective:

"What programming language is phpBB written in?" is an effective question, while "What colour is the sky?" or "2+2 = ?" are not. These questions are particularly effective on niche forums where one can ask a question that is not immediately obvious to the general populace.

Also very effective are questions of the type:

Q: What are the first three and last three characters of this board's URL ?
A: phpity

Q: Grass is to lawn as __________ is to forest.
A: trees

Or:

Q:Forest is to lawn as grass is to ______________.
A: trees

I'd have thought that question based CAPTCHAs would be better for disabled users (since text to speech programs would still pick them up, and no issues for visually impaired people trying to recognised images - even without any disability, I find myself unable to read quite a lot of the image based CAPTCHAs...) I mean, if someone can read the website, they should be able to read the question.

This is the best answer ever in the history of answer-kind.

[bearcat]

I have nothing useful to add, besides to say thanks for working on this. Spam is scary.

[Diane M]

Agrees with Bearcat. At the moment there seems to be five on them online. Away to logout!

[Isme]

can i just ask why isn't deb keeping up with the board maintenance? i understand that she's got a life away from the board, but if she isn't able to maintain the board wouldn't it be a good idea to allow others to?