@Felice: It's both that account AND mariadenial with malware links. Both are obviously spambots.
Bet you dollars to dongles they share a common IP backbone.
@zep...
Moderators...
You need moderators...
If you're not gonna read the forum daily, you need moderators.
Even if they can't do anything except quarantine posts.
Thanks all -- I cleaned up the ones I could find. Please add to this thread if I missed any. The spambots in the Pico Dragon thread were a particularly nasty bunch, with ip addresses all over the place :(
The next BBS update includes spam flagging and improved spammer prevention at sign-up : play a small PICO-8 game to prove that you're not only human, but also human with a minute to spare.
Haha, love it.
I dunno, though... machine learning is getting preeetty good these days... I've seen those AI-controlled Mario games. ;) Haha
Pretty sure AI can only get good at Mario because the level is static and its own AI runs deterministically.
That being said, a pico-8 game runs client-side. If zep just uses the current web player, it would be incredibly easy to circumvent it by swapping in different code that just insta-wins.
More of the same. Recent spam users and their posts:
https://www.lexaloffle.com/bbs/?uid=27387&mode=posts
https://www.lexaloffle.com/bbs/?uid=27386&mode=posts
- https://www.lexaloffle.com/bbs/?pid=48215#p48215
- https://www.lexaloffle.com/bbs/?pid=48214#p48214
- https://www.lexaloffle.com/bbs/?pid=48212#p48212
https://www.lexaloffle.com/bbs/?uid=27384&mode=posts
- https://www.lexaloffle.com/bbs/?pid=48206#p48206
- https://www.lexaloffle.com/bbs/?pid=48200#p48200
- https://www.lexaloffle.com/bbs/?pid=48199#p48199
- https://www.lexaloffle.com/bbs/?pid=48198#p48198
- https://www.lexaloffle.com/bbs/?pid=48197#p48197
- https://www.lexaloffle.com/bbs/?pid=48195#p48195
https://www.lexaloffle.com/bbs/?uid=27378&mode=posts
https://www.lexaloffle.com/bbs/?uid=27236&mode=posts
Those are all of today's additions. However, as I've been writing this list, there were more being added, and I'm sure there will be more after I submit.
| @zep! |
I know having people who moderate other people's posts can be tricky. Too many interpersonal issues, judgment calls being made badly, stuff like that.
I assume that's why you responded to requests for moderators with a yet-to-arrive flagging system. I don't think that's enough, though. You seem to be a busy guy, and I suspect you won't be able to review flagged posts frequently enough.
You don't need to make anyone a full moderator. No one needs a title or a badge. Just quietly pick a few of us who you think have the best interests of the community at heart, and give them just one single ability: to move a post to another hidden "quarantine" board. Then you can periodically check quarantined posts to be sure we did our job right.
I'm not sure if I'm someone you'd trust that way, but if so, I'm happy to volunteer a little of my time and energy to doing something like that for the community. I can think of a few other people, but I won't presume to volunteer their time.
We've got your back, dude, if you'll just let us...
If the only concern is moderators removing posts based on their own merits, which might not align with yours... Then I think the solution is simple:
Moderators are only allowed to remove/quarantine spam posts.
Once they break this rule, even if you would have done it yourself... they're out.
So they're less moderators, and more spam cleaners.
I'm sure there's people here, who are respectable/well-adjusted enough to play by those rules.
Probably, I just wanted to further stress that "moderator" doesn't necessarily have to mean someone moderating content that's in a potential gray area.
Spam is pretty black and white.
Other content might not be. And ultimately its up to zep to decide in such cases.
And making that delineage between a "moderator" and "janitor" clear, might be enough for zep to feel comfortable picking a few people for that position.
Yeah, I was imagining people not even being marked as the cleaning crew. No egos, just a job to do quietly.
Sigh...
https://www.lexaloffle.com/bbs/?uid=27387&mode=posts
@zep
You deleted "her" previous spam, but didn't delete the user?
y u do dis
@Felice
Heh, that was me thumb-typing to delete spam, as I'm traveling right now and don't have my usual tools. But! I did add some admin functionality:
@MBoffin and @Felice -- check out a user's posts page for a 'mark as spam' button. It's a temporary solution and a little dangerous, but reverseable if you mess up. And thanks so much for the rigorous spam marking so far.
If any other regular forum members are keen to hunt spam in this way until I get a better system in place, please reply here and I'll add you.
I'm also working on improving sign-up screening and at-post tripwires, so hopefully there won't be much spam to catch in the future. The lexaloffle BBS has the defensive advantage of being completely hand-rolled, but it seems there are at least a couple of spammers out there monitoring it and manually working around changes I make to the way posts work. I don't think it will be too hard to add enough friction to that process to shake them off -- it just hasn't been a high priority until now.
The BBS signups will soon require a google captcha, but later on I'd also like to add a weaker but more entertaining layer:
[tweet]
The task will be to collect coins in some order, or avoid some obstacles, so that it can't be defeated by stuffing simple keypresses in.
If a spammer works around that one too (not really that hard), then at the very least they'll have to get to know PICO-8 and feel slightly bad about messing up the forum.
Awesome. Thanks, zep! That should help quite a bit until the other changes eventually go through. It's never any fun having to play whack-a-mole with spammers and their wily ways, but having a better captcha will certainly help. (And I love the captcha cart idea.) :D
Oh wow, thanks, zep!
Yeah, BBS protection suffers the same fate as DRM... sooner or later someone with too much time on their hands will eventually break through your fences.
What gets me is that it's really not a high-traffic BBS. I'm not sure how it's worth it to post spam here anyway.
Maybe it's someone who sells lists of compromised sites and methods and, whether it's useful or not, it's a +1 for their "number of sites" selling point.
could it be that they're trying to get their sites linked among other reputable links? Isn't that how to cheat SEO nowadays?
| kaizen said:
The information you share is very useful. It is closely related to my work and has helped me grow. Thank you! flip diving |
Well, if that's not the most winning comment on this thread, I just don't know what is. On four other threads as well. :)
| Lexaloffe BBS said:
marking user as spammer: 27436 |
Thanks, zep! :D
PS: Heads up to anyone else volunteering for watch duty:
Another user, ellascott, also kinda looks like a spammer, because lots of posts all of a sudden, and all brief with links at the end. But on closer inspection, I think she just appears to be linking to her own games.
So right off the bat, that was a good reminder to me: don't jump to conclusions.
PPS: On closer closer inspection, that actually IS spam. I found the same user being more obvious on other websites.
Before ban:
https://webcache.googleusercontent.com/search?q=cache:9hF6kUZUsNYJ:https://biostar.usegalaxy.org/u/13714/
Now:
https://biostar.usegalaxy.org/u/13714/
Second lesson for the day: cross-reference questionable spam.
I can already tell this is going to be a challenge. :)
The "aweosem" post over is present on other threads. Looks like they're copying posts from random threads.
@zep A trick that works rather well to tell apart spambots and humans, is just adding a field that is NOT of type=hidden, but a real input with appealing attributes, like <input type="text" class="important" name="email" placeholder="Enter e-mail here">. Then hide it to human eyes with a display:none, or placed behind another element, or with negative position, etc. The most complicated, the better, so that a bot can't easily tell if the input is used or not (a display:none straight on the input is easy to catch).
Then your form validation checks if this input is empty as intended. If it's not, it's been filled by a bot.
Maybe checking with JS whether the submit button has really been pressed could work too.
That is: first, solutions that are transparent for real users. Then, using a captcha.
I zapped the one that just posted on this thread.
A lot of these aren't bots. They actually respond to the specific subject matter intelligently and on-point, not just regurgitating previous text with markov chains or saying vague things that could apply to any subject, and then tack on a link, probably to malware. Pretty sure there's an actual human creating the account, so anti-bot tactics won't help.
My theory is they're putting in this effort in hopes of getting a keylogger onto some dev's machine, where the machine has remote privs on some big corpnet, e.g. MS or google, so they can steal credentials, trade secrets, etc. I think it's targeted specifically at developer forums. I've found the same links on similar forums.
There's a few more. (Is this the best way of reporting??)
It works. :)
There were three more, by the way. They really came out of the woodwork tonight.
Marked, thanks
I almost have community spam-flagging tools ready, but for now reporting in this thread is still appreciated. Cheers!
You think that's bad. Yesterday I found something like half a dozen of them talking to each other across about twenty pages of an unrelated thread.
"Hangin's too good for 'em. Burnin's too good for 'em. They should be torn up into little bitsy pieces, and buried aliiive!"
--Hanover Fiste (sorta)
My spades more like my spam amiwrite
Been getting a lot of spam on my site as well via the contact form. Most likely because the bots have invaded this forum, since the site isn't posted anywhere else online (that I know of), so they're following links and trickling down as well into sub-communities. I get probably 8-10 emails a day through the contact form from bots offering web development and SEO services (I work a full-time job as a web developer, morons) and Viagra (at 36 I would hope it's not quite time for that yet). Going to implement reCAPTCHA on there as well. Fortunately it's pretty easy to do once you know how ( @zep if you need help lemme know, I've already written a PHP class for it!)
Sorry, been under the weather or I would have marked them sooner.
No problem Felice, it's a pretty endless task.
Link comment here
https://www.lexaloffle.com/bbs/?tid=31358
[Please log in to post a comment]
