One Yukkuri Place

How is the security of our site?

Posted under General

As you can see, recently we have seen major bot attacks. They keep coming back despite the mods' best efforts to delete them.

There's basically zero protection on the signup form.

Even a simple captcha can help, but given the complexities described in working with the website engine, this may not be an easy task.

This kind of spam happens once every six months anyway.
I mean, it could be much worse, don't you think?

Without adding something on the software level, maybe we can use Cloudflare? It has some bot protection, although it is more focused against DDoS.

Or there are various methods of jumping through hoops by injecting non-application pages in between the process. But it depends on how much the engine will allow.

I would like to add that OYP needs to be HTTPS. The DuckDuckGo Privacy Essentials addon gives OYP a C+ for lack of encryption and "unknown privacy practices".

I don't think that HTTPS will help against bots.

We either need to install a captcha (can be difficult due to engine state), add a sandbox where first forum posts need to be approved by a mod before being seen (can be impossible due to engine), or install some general bot protection on the server which has a list of blacklisted IPs (can be not very effective).

EasyDeibu said:

I don't think that HTTPS will help against bots.

We either need to install a captcha (can be difficult due to engine state), add a sandbox where first forum posts need to be approved by a mod before being seen (can be impossible due to engine), or install some general bot protection on the server which has a list of blacklisted IPs (can be not very effective).

I agree that HTTPS won't stop bots, but it is a step toward better privacy.

Regarding CAPTCHA, even Danbooru doesn't have a CAPTCHA feature. If it is to be implemented in a future version, I personally don't recommend Google due to their bad privacy practices.


I wouldn't mind taking on the role of janitor, if only to get rid of the spam that seems to pop up every so often.

From what I gathered, the botnet started "mass joining" OYP, for lack of a better word, around mid December.

Dosu, can users' IP addresses be checked here?

boom said:

I wouldn't mind taking on the role of janitor, if only to get rid of the spam that seems to pop up every so often.

Perhaps two janitors will suffice in case one is absent for an extended period of time...? That could also speed up the spam cleanup process if necessary.

Hitosura said:

Oh! I nominate Cirno! Strongest!

Given that I literally just this minute finished flaming my second site admin in as many months, that may not be the smartest idea.

1) No protection whatsoever. Toawa and I had floated a captcha idea a long time ago but it's literally never been looked at beyond discussions.
2) We can track IP addresses and block them, but it's useless against bots since the IP addresses are almost always spoofed and come from a huge block. IP banning traditionally is almost always useless in any scenario against dedicated attackers (but very effective against morons).
3) HTTPS won't help, and while it's a good security practice, the implementation side is beyond my casual knowledge.
4) Cloudflare is unnecessary, since our problem is not DDoS but spam bots making accounts. It's also not free. We don't get enough traffic to warrant this sort of protection.

I can make someone a janitor but last I checked they can't even delete posts, just approve posts still in the queue. So it's kind of pointless.

Full admin access I'm leery of giving out for obvious reasons.

poweryoga said:

1) No protection whatsoever. Toawa and I had floated a captcha idea a long time ago but it's literally never been looked at beyond discussions.
2) We can track IP addresses and block them, but it's useless against bots since the IP addresses are almost always spoofed and come from a huge block. IP banning traditionally is almost always useless in any scenario against dedicated attackers (but very effective against morons).
3) HTTPS won't help, and while it's a good security practice, the implementation side is beyond my casual knowledge.
4) Cloudflare is unnecessary, since our problem is not DDoS but spam bots making accounts. It's also not free. We don't get enough traffic to warrant this sort of protection.

I can make someone a janitor but last I checked they can't even delete posts, just approve posts still in the queue. So it's kind of pointless.

Full admin access I'm leery of giving out for obvious reasons.

I can probably help with HTTPS, implemented it a few times in my practice. But that again would require giving me server keys, which is even more than admin access. Or maybe we can have a chat and I can try to consult you through the process.

Instead of blocking their IPs manually, there are already existing lists of IPs that bots use, which are updated regularly. Many of them also let you download and cache the list locally, for processing speed.

For example https://www.projecthoneypot.org/services_overview.php or http://iplists.firehol.org/


By the way, I just realised that all those spam posts refer to a single website. Can we just reject all forum posts that have a specific string (that damned website domain) in their body?

Or maybe the deleted ones were referring to different websites.
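A concrete version of the body filter proposed above, as an added example that is not code from the thread or from Danbooru (Ruby is used because Danbooru is a Rails application): it pulls hostname-like tokens out of a post body and rejects the post when one of them is, or is a subdomain of, a blocklisted domain. The domain in BLOCKED_DOMAINS is a constructed placeholder, since the actual spam domain is not given in the thread.

```ruby
require 'set'

# Constructed placeholder blocklist; the real entry would be the spam domain
# observed in the reported posts (not quoted in the thread).
BLOCKED_DOMAINS = Set.new(%w[spam-example.invalid])

# Hostname-like tokens: optional scheme, optional "www.", then at least two
# dot-separated labels. Captures only the host, not any path after it.
HOST_RE = %r{(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)}i

# All hostnames mentioned in a post body, lower-cased so "SPAM-Example" still matches.
def hosts_in(body)
  body.scan(HOST_RE).flatten.map(&:downcase)
end

# True for the blocked domain itself or any subdomain of it (cdn.spam-example.invalid).
def blocked_domain?(host)
  BLOCKED_DOMAINS.any? { |d| host == d || host.end_with?(".#{d}") }
end

# Decision a model validation or controller would use before saving the post.
def reject_post?(body)
  hosts_in(body).any? { |h| blocked_domain?(h) }
end

if __FILE__ == $PROGRAM_NAME
  sample = "Great deals at http://SPAM-example.invalid/offer today!"  # constructed input
  puts "rejected: #{reject_post?(sample)}"
end
```

In a Rails model this would hang off a `validate` callback so the post never reaches the queue. A string match of this kind only catches the literal domain; spelled-out variants ("spam-example dot invalid") slip past it, so it complements rather than replaces controls on the signup path.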

Filtering forum posts is impossible with my level of JS and Ruby knowledge. Not to mention I have doubts on whether plugins will even work with Danbooru running in test mode. (I don't even know how to plug that into text filters for this input box for that matter, but I haven't looked at D2 code in ages.)

As for IP filtering, we can probably do some filtering with Apache, but I'm not familiar enough with that sort of stuff to really maintain it.

As for HTTPS, appreciate the offer but that's just not the issue for this site. It's the basic lack of security features and the ability for us to really update it. It's fragile enough as is and every day this site stays up and doesn't break permanently is really a win.

And as I mentioned before: we really would need to update Danbooru 2 to the latest build, write a migration script and then start developing plugins or integrating captcha things to keep this site running smoothly. I don't have the motivation nor the expertise to do this, and neither does Toawa after so many years into this project.

poweryoga said:

As for IP filtering, we can probably do some filtering with Apache, but I'm not familiar enough with that sort of stuff to really maintain it.

It can be maintained with a crontab after the initial implementation. We choose a 3rd-party service with a list, find out how to update the local list to get their newest version, and add this to a crontab.

poweryoga said:

I don't have the motivation nor the expertise to do this, and neither does Toawa after so many years into this project.

I am willing to try (not migration to version 2, but https and ip filtering), if you feel good enough about giving me access.
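As an added illustration of the cron-refreshed blocklist approach discussed in this post and the earlier one linking projecthoneypot.org and iplists.firehol.org (not code from the thread, Danbooru or either list provider): Ruby that parses a locally cached list in the plain netset format the FireHOL lists use (comment lines start with `#`, one IP or CIDR per line) and checks a client address against it. The list contents below are constructed; the cache path and the cron line in the comment are assumptions.

```ruby
require 'ipaddr'

# Constructed sample in netset format. In practice the file is fetched by a
# cron job and cached on disk, e.g. (assumed path and schedule):
#   0 */6 * * * curl -fsSL <LIST-URL-PLACEHOLDER> -o /var/cache/blocklist.netset
SAMPLE_NETSET = <<~LIST
  # constructed sample list, not a real FireHOL file
  # 203.0.113.0/24, 198.51.100.42 and 192.0.2.0/25 are documentation ranges
  203.0.113.0/24
  198.51.100.42
  192.0.2.0/25
LIST

# Parse netset text into IPAddr ranges; comment and blank lines are skipped and
# a malformed line is dropped rather than taking the whole list down with it.
def load_netset(text)
  text.each_line
      .map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .filter_map { |l| IPAddr.new(l) rescue nil }
end

# Convenience wrapper for the on-disk cache written by the cron job.
def load_cached_list(path)
  load_netset(File.read(path))
end

# True when the client address falls inside any listed range. An address that
# does not parse is treated as "not listed" here; the caller should log it.
def blocked_ip?(ip, ranges)
  addr = IPAddr.new(ip)
  ranges.any? { |r| r.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

if __FILE__ == $PROGRAM_NAME
  ranges = load_netset(SAMPLE_NETSET)
  %w[203.0.113.77 192.0.2.200].each do |ip|   # constructed client addresses
    puts "#{ip}: #{blocked_ip?(ip, ranges) ? 'blocked' : 'allowed'}"
  end
end
```

This linear scan is fine for a check at signup time on a low-traffic site; a list with tens of thousands of ranges is better pushed into the firewall or the Apache layer mentioned earlier, with the cron job reloading it there. Either way the cron job is what keeps the list current, and the failure mode to watch for is a download that silently returns an empty or truncated file, which is why `load_netset` tolerates bad lines but the caller should refuse to replace the cache with a list that parsed to nothing.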

Sometimes it feels like they do it on purpose, like check this thread and go "oh they are talking about us! HERE HAVE SOME BOTS!"
