One Yukkuri Place

How is the security of our site?

Posted under General

Not counting the number of bots deleted, let's say it's over 600.

1) Forums are not "upgradable". It's just part of the site.
2) I disabled the physical sign-up link, so the bots are not dumb: they're either SQL-injecting (bad) or just directly accessing the Ruby script used to create accounts (also bad).

So next step is to take out the registration page altogether + disable the scripts responsible for signing up.

No new bot has spawned since 47 minutes before Dosu's post. So far, so good!
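Since the problem above is bots posting straight to the account-creation script without ever loading the form, here is an added Ruby example (not the site's own code) of the kind of gate that script could apply: a signed, short-lived token that only the rendered sign-up form carries, plus a per-address creation limit. The secret, the TTL/limit values and the function names are assumptions made for this illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example secret; a real site would load it from configuration, not source.
SIGNUP_SECRET = 'constructed-example-secret'.freeze
TOKEN_TTL     = 600   # seconds a token embedded in the sign-up form stays valid
MAX_PER_IP    = 3     # account creations allowed per source address per window
WINDOW        = 3600  # rate-limit window in seconds

# Constant-time string comparison so a forged MAC cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rendered into the sign-up form as a hidden field. A request that skips the
# form and posts straight to the account-creation script has no valid token.
def issue_signup_token(now = Time.now.to_i)
  payload = "#{now}:#{SecureRandom.hex(8)}"
  "#{payload}:#{OpenSSL::HMAC.hexdigest('SHA256', SIGNUP_SECRET, payload)}"
end

# Checked by the account-creation script before any database write.
# Returns :ok or a symbol naming the reason the request was rejected.
def verify_signup_token(token, now = Time.now.to_i)
  issued, nonce, mac = token.to_s.split(':', 3)
  return :malformed unless issued && nonce && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', SIGNUP_SECRET, "#{issued}:#{nonce}")
  return :bad_signature unless secure_equal?(mac, expected)
  return :expired if now - issued.to_i > TOKEN_TTL
  :ok
end

# In-memory per-address log (a real deployment would use a shared store).
# Bots from one address burn through accounts quickly; humans do not.
SIGNUP_LOG = Hash.new { |h, k| h[k] = [] }

def rate_limited?(ip, now = Time.now.to_i)
  recent = SIGNUP_LOG[ip].select { |t| now - t < WINDOW }
  SIGNUP_LOG[ip] = recent
  return true if recent.size >= MAX_PER_IP
  SIGNUP_LOG[ip] << now
  false
end

# Gate for the account-creation script: valid token first, then the per-IP limit.
def accept_signup?(token, ip, now = Time.now.to_i)
  verify_signup_token(token, now) == :ok && !rate_limited?(ip, now)
end
```

The token only stops requests that never fetched the form, and the per-IP limit is weak against the spoofed or widely spread addresses mentioned later in this thread, so both are a first layer rather than a replacement for a captcha or e-mail verification.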

Thanks so much easy!

It's sad that the sign up page had to be removed.
Hopefully in a week or so it can be restored.

It's only a matter of time. It also won't take long before the remaining bots stick out their uneasy heads to be weeded out now that the SQL injection(?) and/or bot generator is useless.

Bots don't get re-used. Accounts are use-and-dispose and run on a script.

No need to painstakingly sift through accounts and try to figure out who's who.

poweryoga said:

1) No protection whatsoever. Toawa and I had floated a captcha idea a long time ago, but it's literally never been looked at beyond discussions.
2) We can track IP addresses and block them, but it's useless against bots since the IP addresses are almost always spoofed and come from a huge block. IP banning traditionally is almost always useless in any scenario against dedicated attackers (but very effective against morons).
3) HTTPS won't help, and while it's a good security practice, the implementation side is beyond my casual knowledge.
4) Cloudflare is unnecessary, since our problem is not DDoS but spam bots making accounts. It's also not free. We don't get enough traffic to warrant this sort of protection.

You could always try email verification that blocks one-time email domains, or even phone verification.

I don't think account slowdown (like, preventing everybody from using their newly-created account for X period of time) works - spammers will simply stagger their efforts.

Mikato said:

You could always try email verification that blocks one-time email domains, or even phone verification.

I don't think account slowdown (like, preventing everybody from using their newly-created account for X period of time) works - spammers will simply stagger their efforts.

You're a bit late on this ;P

All of those are addressed, more or less. We don't care about one-time e-mails as long as there's a real account behind it. Just be prepared to lose the account if you forget the login, that's all. Even then we can probably update the account email on the DB directly.

As for spammers... I don't see any Russian bots recently, so maybe HTTPS or captcha is working.
