BuddyPress.org

r-a-y maybe you are right. I created some dummy accounts and input all the fields in profile page. Then I log out and check every account, they are showing correctly. Is it any encoding issue you think? Although I am sure wordpress mu and buddypress are utf-8 standard.

I want to check the email enter by the user is good with two email fields. If the second field is different than the first, a warning is display to the user and he can correct his mistake before create an account.

PART 2 – DEFEATING SPAMMERS

In the last post I covered why and how spammers attack BP installations. This post will cover how I propose to counter them.

Fast Attacks -vs- Slow Attacks

There are two basic kinds of spam attacks that get run on social networks: “fast” or “flood” attacks, and “slow” attacks.

In a fast attack, the spammer signs up for an account on the site, then sends thousands of messages as quickly as possible.

Obviously, the site admin will be deluged with complaints about the spam user and quickly delete their account …but in the hours (or days) it takes the admin to respond, hundreds and hundreds of people will read the spam messages. Then the spammer signs up for another account, and repeats the process.

In a “slow” attack, the spammer signs up for *hundreds* of accounts on the system, often over a period of many months, and only sends out spam messages one at a time …often days, weeks, or months apart.

“Slow” attacks are very difficult to counter using automation …at least without annoying legitimate users.

The best way people have come up with so far is just a “report spam” button which, when clicked, reports the member to an admin so they can investigate it and if necessary delete the account. This will be implemented as part of @francescolaffi ‘s BP content moderation plugin in a couple of months.

Unfortunately, a “report spam” button doesn’t work well against “fast” attacks.

This is because:

a) There is a delay while the admin responds to manually submitted spam reports, or,
b) When a consensus scheme is used (if X users report a member their account gets suspended), there is a delay while enough votes are accumulated to flag the member as a spammer.

During that time, people are reading the spam messages and the spammer is winning.

Goals of Proposed BP Core Anti-Spam Mods

The goal of the proposed core modifications is to counter “fast” attacks by the following means:

1) To make it difficult for a spammer to create large numbers of member accounts using automated means.

2) To make it difficult for a spammer that already has a member account to use automated means to:
a) send large volumes of PM’s
b) send large numbers of friend requests
c) create large numbers of groups
d) create large numbers of group posts
e) post large numbers of comments
f) post large numbers of status updates

3) To accomplish 1) and 2) without being annoying to legitimate users.

4) To make the system configurable, so it can be adapted to the needs of the site …for example: visually impaired users, or display on mobile phones.

5) To make the system “on by default” and “secure by default”

How We Can Accomplish This

1) New User Sign-up

a) Add a captcha on the new account sign-up screen.
b) If the “user” gets the captcha wrong on the first try, require *TWO* captchas to be solved before they can proceed. (If the odds of a bot solving ONE captcha with OCR are 1 in 100, the odds of the bot solving TWO captchas with OCR are 1 in 10,000. This is a technique Gmail uses.)

…set X to be a random number on each installation between 3 and 7…

c) If the user gets X captchas wrong in a row, block their IP for a random amount of time (15 minutes to 2 hours). (This is what Craigslist does)
d) If the user fails X captchas *again* after being blocked, permanently ban their IP and post it to akismet.
e) If a locally banned IP tries to sign-up, don’t throw an “error page”. Completely ignore the request and don’t send anything.
f) If an akismet banned IP tries to sign up, require *TWO* captchas to be solved on the first try, and if they get X captchas wrong in a row, permanently ban their IP and repost it to akismet.
g) Add an option field to the admin menu that limits the number of accounts that can be created per IP address. By default, set it at 2.

2) Existing User Sign-In

a) Use a “normal” password box on first sign-in attempt.
b) If the member gets their password wrong on the first try, require them to solve a captcha on the second try. Offer password recovery option.
c) If the member gets their password wrong on the second try, require *TWO* captchas to be solved before they can proceed. Offer password recovery option.

…set X to be a random number on each installation between 3 and 7…

d) If the user gets X logins / captchas wrong in a row, block the visitor’s IP for a random amount of time (15 minutes to 2 hours).

3) Private Messages

a) Add a field to the user table that allows PM limiting to be bypassed or set to a unique value on a user-per-user basis.
b) Add three option fields on the admin menu: allow “X” messages to be sent every 24 hours, averaged over the past “Y” hours with “Z” hysteresis
…when BP is installed, randomly set X, Y, and Z to allow a daily maximum of between 18 and 24 messages, averaged over between 2 and 24 hours, +/- 3 messages.
c) If the maximum is exceeded, require the member to solve a captcha before they can send another PM.
d) If they get the first captcha wrong, require them to solve two captchas before they can send another PM.

…set R to be a random number on each installation between 3 and 7…

e) If the user gets R captchas wrong in a row, block their IP for a random amount of time (15 minutes to 2 hours). (This is what Craigslist does)
f) If the user fails R captchas *again* after being blocked, permanently ban their IP and post it to akismet.
g) If a locally banned IP tries to visit the site, don’t throw an “error page”. Completely ignore the request and don’t send anything.

Consider how difficult the algorithm above makes it to send automated messages. A spammer can’t just send “12 messages a day” or “1 message an hour” and avoid triggering the system. Every BP installation will have a unique combination that will cause it to trip. Yet for a “normal” user, the system will hardly ever trip, and if it does, it takes all of 5 seconds to enter a captcha and continue. And the system can be bypassed entirely for edge cases, like paid advertisers or site news.

3) Friend Requests

a) Create a config option in BuddyPress that allows the admin to remove the member’s directory with one click. Disable the member directory by “default” on new installs. In my experience, the only people that use the member’s directory (in its default state, on a socially oriented site) are Spammers, Marketers, and Competitors. There’s a reason Facebook, MySpace, LinkedIn, and Twitter do not have “global” member directories.
b) Implement same scheme as private messages.

4) Group Creation

a) Add a field to the user table that allows Group limiting to be bypassed or set to a unique value on a user-per-user basis.
b) Add an option field on the admin menu that sets a maximum number of groups that can be created by a user. By default, set it at 5.

5) Group Posts

a) Add a field to the user table that allows group post limiting to be bypassed or set to a unique value on a user-per-user basis.
b) Create a “whitelist” field on the admin page that allows “trusted” media sharing URL’s like YouTube, Revver, Flickr, etc to be bypassed in spam protection.
c) Create an option that automatically “scrubs” URL’s and email addresses from group posts if they are not on the whitelist. Not just “nofollow” …complete removal. This will stop 90% of abuse dead in its tracks, because most spammers are just trying to get traffic to a site or replies to an email.
d) If the system detects a URL or email address embedded in a message, and it’s not on the whitelist, require a captcha to be solved before allowing the post.
e) If they get the first captcha wrong, require them to solve two captchas before approving the post.

…set R to be a random number on each installation between 3 and 7…

f) If the user gets R captchas wrong in a row, block their IP for a random amount of time (15 minutes to 2 hours).
g) If the user fails R captchas *again* after being blocked, permanently ban their IP and post it to akismet.
h) If a locally banned IP tries to visit the site, don’t throw an “error page”. Completely ignore the request and don’t send anything.

i) For posts that do not contain a URL or email address, run the post through akismet. If it passes, approve the post. If it fails, require a captcha to be solved before allowing the post.
j) If they get the first captcha wrong, require them to solve two captchas before approving the post.
k) If the user gets R captchas wrong in a row, block their IP for a random amount of time (15 minutes to 2 hours).
l) If the user fails R captchas *again* after being blocked, permanently ban their IP and post it to akismet.
m) If a locally banned IP tries to visit the site, don’t throw an “error page”. Completely ignore the request and don’t send anything.

6) Comments

a) Create an admin option that only allows users to comment on their *friend’s* items. Activate it by default on new BP installations.

7) Status Updates

a) Add a field to the user table that allows status update limiting to be bypassed or set to a unique value on a user-per-user basis.
b) Create a “whitelist” field on the admin page that allows “trusted” media sharing URL’s like YouTube, Revver, Flickr, etc to be bypassed in spam protection.
c) Create an option that automatically “scrubs” URL’s and email addresses from status updates if they are not on the whitelist. Not just “nofollow” …complete removal. This will stop 90% of abuse dead in its tracks, because most spammers are just trying to get traffic to a site or replies to an email.
d) If the system detects a URL or email address embedded in a message, and it’s not on the whitelist, require a captcha to be solved before allowing the activity stream post.
e) If they get the first captcha wrong, require them to solve two captchas before approving the activity stream post.

…set R to be a random number on each installation between 3 and 7…

f) If the user gets R captchas wrong in a row, block their IP for a random amount of time (15 minutes to 2 hours).
g) If the user fails R captchas *again* after being blocked, permanently ban their IP and post it to akismet.
h) If a locally banned IP tries to visit the site, don’t throw an “error page”. Completely ignore the request and don’t send anything.

i) For activity stream posts that do not contain a URL or email address, run the post through akismet. If it passes, approve the post. If it fails, require a captcha to be solved before allowing the post.
j) If they get the first captcha wrong, require them to solve two captchas before approving the post.
k) If the user gets R captchas wrong in a row, block their IP for a random amount of time (15 minutes to 2 hours).
l) If the user fails R captchas *again* after being blocked, permanently ban their IP and post it to akismet.
m) If a locally banned IP tries to visit the site, don’t throw an “error page”. Completely ignore the request and don’t send anything.

8 ) In All Cases

a) When a member account is banned, or repeatedly triggers spam protection measures, send an alert to the site administrator.
b) Allow admin alerts to be disabled if necessary, example: DDOS attack against the site.

9) CONCLUSION

While the list of modifications above may look incredibly complicated, really, it’s not.

I’d say “worst case” it’s about a week of work to research and make these modifications. Then we can push it out into beta testing with all the other new code to give it a proper shakedown.

I’m sure there are plenty of ways the algorithms above could be improved, so please go ahead and post your feedback!

Thanks!

^F^

@Andrea_r

The goal is to limit:

1) Spam PM’s
2) Spam friend requests
3) Spam comments
4) Spam group creation
5) Spam group posts

Once a spammer / troll / hostile has created a member account on the system.

The goal is NOT to stop:

6) Spam comments on blog posts from non-members.
-> Already handled by dozens of plugins

7) Spam in profile fields
-> Limited damage. Will be handled by @francescolaffi ‘s GSoC project

8 ) Spam blog creation
-> Limited damage. Will be handled by @francescolaffi ‘s GSoC project

9) Spam sign-ups
-> Impossibly hard target. The only effective countermeasure is phone verification + geo IP + proxy blacklist; as implemented by Craigslist, eBay, PayPal, Elance, and many others.

Full background on all this stuff in about an hour.

Thanks!

^F^

Tks for your help! I cannot disable BuddyPress since I didn´t install WP and then BP over it. I installed BP from my hosting provider (so WP was “transparently” installed). However I created a new user via wp-admin but no email its beeing sent…

Thanks so much @r-a-y that code worked….

I’m really struggling to find my way around – I’m experienced with WP but not with WPMU or BuddyPress structure. How do I change this text?

Sign Up Complete!
You have successfully created your account! To begin using this site you will need to activate your account via the email we have just sent to your address.

Thanks for your response Brajesh – I’ll check these out

for the second…. if I select only logged in users can create new blogs this also disables new user registration completely.

Yes I need to have the host upgrade to PHP5 but I have a number of sites on the account and I just don’t have time right now to do any debugging if things break right now.

Hi

I have no idea what I am doing but I found this line in the sidebar.php

<?php printf( __( ‘ You can also create an account.’, ‘buddypress’ ), site_url( BP_REGISTER_SLUG . ‘/’ ) ) ?>

I have an image I want to use for users to click on and add it BELOW this text

I assume I can just copy this above line and add the correct code to display the image and paste it below this line – that’s what I need some help with what is the correct code / path to the image

Thanks

Gibby

@roydeanjr – Can you be more specific about the error that you get? This plugin doesn’t really affect group creation at all, since groups are essentially created by the end of step 2 (the screen where you check “Create Group Blog”) and the invitations don’t come until the end of the process. Do you have the same problem with group blogs even with Invite Anyone turned off? Exactly what does the error say?

@hnla – The tab nav string is in in the file invite-anyone/by-email.php, function invite_anyone_setup_nav(), around line 199 where it says ‘name’ => __( ‘Send Invites’, ‘buddypress’ ). I’m noticing that I’m inheriting the BP string translation, since the phrase occurs in BuddyPress core. If it would help, I can change that to the bp-invite-anyone domain, so that you could use a language file to apply the change just in that place.

As for hidden groups: I am using bp_has_groups with the user_id of the logged in user to populate that group list. Thus the Invite New Members screen should only show the groups that the user is a member of. It’s possible that you’re seeing all groups because you’re testing with an admin account. Have you verified your hidden group problem with a non-admin account?

Thanks for the support! To answer your question Mob Power generates money for charity through the advertising on the site. Rather than the funds advertisers pay going into the pockets of shareholders ALL funds go to charities each member gets to choose. We think that’s a more appropriate use of the value generated through social networking, after all it is the users who create most of the value through their time, attention, and interactions.

Each member profile allows users to choose ”My Causes”, these are the charities that will receive your portion of the total money raised on the site. Each month ALL the money raised by Mob Power through advertising is split up between the charities members have selected, a completely democratic means of allocating the resources.

This entire process is overseen by the Mob Power Foundation comprised of a Board of Directors of Public Figures whose governance will ensure full transparency and accountability.

Mob Power doesn’t take a single cent of the money raised through advertising to cover expenses like most ”social businesses” simply because Mob Power exists to help solve humanities greatest problems and not create jobs for anyone. So far it has been completely funded by believers in the idea.

However, Members can select Mob Power as one of their ”Causes” if they want Mob Power to continue operating. All funds allocated this way will only be used to cover operating costs, with any excess going back to the charities. This way all Power is in the hands of Members. Now that’s Mob Power.

More information about this and related topics is available in the About section at http://www.mobpower.org