
Search Results for 'bots'

Viewing 25 results - 251 through 275 (of 331 total)
  • #82553

    For those of you that want to directly influence the future of BuddyPress, http://trac.buddypress.org. Make it your friend. Learn it. Love it. Live it. Give it a hug every day and patch a bug.

    The Trac is where you can post code snippets, or giant mega patches of code that you think should be integrated into BuddyPress. You can see the timeline of when people have done what, and see the outstanding bugs that need squashing before we can safely release the next version. The more bugs you fix, the more code you contribute, the more you are directly involved not only in the community, but directly in the future of the platform as a whole.

    As incentive to help out, if your goal is to be a developer and make a career out of BuddyPress, consider walking into a meeting with a possible client, and when they ask what your level of involvement is with WordPress or BuddyPress, and you can respond with “I make it,” your chances of securing that client are pretty good. In order to help make BuddyPress, you have to actually help us make it, and you do that via the Trac. I can say this, because that’s how I did it with both WordPress and BuddyPress, and I’m down to help you guys do it too. :)

    There are plenty of people that are highly active in the Trac that aren’t so much so in the forums, and vice versa. Since we moved BuddyPress.org over to 1.2, both Andy and myself have been busy with our own assignments that yes, do involve BuddyPress, but also involve other neat things like the WordPress.com “Like” feature and planning some neat things for a WordCamp.org redesign.

    Truth be told, if /anyone/ is concerned about where I am or what I’m doing in regards to BuddyPress or the future of the project, there are at least 10 methods to contact me directly and I am totally happy and not annoyed by anything that has to do with BuddyPress. Drop me a line, let’s chat :) http://en.gravatar.com/johnjamesjacoby

    To answer a few of the questions/comments/statements in this topic: Private Messages are turned off because spam bots have started targeting BuddyPress installations and we were getting hit pretty hard after we upgraded the site. Raise your hand if you got a PM from someone claiming to love you enough to help you with male enhancement. Regarding my absence in the forums, I’ve really just taken on too many clients and haven’t had the time to look backwards at support AND forwards at development at the same time. It won’t always be that way, but it has been lately and I like it about as much as you all seem to too. I love being in the forums and helping people out, and I’m sad I haven’t been able to recently.

    Andy is the figure head of BuddyPress and serves as the guiding light of the project similar to how Matt does for WordPress and bbPress, but there is no shortage of capable people in the BuddyPress community that could take this project by the horns and make it their own at any point. I know I’m not Andy, but if I can pretend to be to help anyone when he’s not around, ping me. :)

    Along the lines of what @matt said, I love using @nacin as an example. He stormed into the WordPress Trac and started contributing code and patching bugs. Some were great, and some were rubbish, but he learned as he contributed and within 1 calendar year he has merited his way into being a core committer for WordPress, and contributed something insane; like 60% or more of the commits on the WP3.0 branch are his doing or somehow as a result of his hard work and commitment to the project. While there is only one @nacin, there is plenty of room for any one of you to be very @nacin like.

    By the way, if there is an election and I’m voted out, I’m not leaving without a fight. :P You’ll have to chase me out of town with torches and pitchforks. :D

    #81605
    bobs12
    Participant

    Now… my spambusher script gives me some very rudimentary statistics… and in the 2 days and 9 hours since that post above, the number of spam registrations has gone up 50%… but the number that I actually delete myself has gone down by about the same number :D

    Which tells me two things:

    1. People or bots are actually following the link above and tripping the spambush

    2. Links to buddypress sites from buddypress.org are just ASKING to be spammed :)

    #81565
    r-a-y
    Keymaster

    Glad you figured it out.

    FYI, the community takes time out of their day to help people and write documentation for free. Contrary to popular belief, we are not robots! ;) We need more people like you to contribute to the codex, after all this is an open-source project. The more people that contribute, the more rich the documentation will be — open source documentation!

    Also, sometimes forum posts are missed due to the amount that gets posted. A simple post to bump your thread after 24 hours will help bring attention to your issue.

    #81394
    Philo Hagen
    Participant

    Spammers target all social networks. They literally overran an elgg site I have and I’m rebuilding with WP/BP. A few still get through with the latest BP and anti-spam and custom profile fields, not a lot, two or three a day, but that’s nothing. I found about 600 in my first month in my users that never made it to the surface. As for the few that did, having a couple fill in custom profile fields is really helpful. The bots that do sneak through fill those two spots with gibberish, in my case age and location, so it’s easy to identify spam members.

    #80416

    In reply to: Spam Blogs

    David Lewis
    Participant

    Actually… Terry is correct. SPAMers are in fact hiring people from India to fill our registration forms and CAPTCHA’s by hand. They get paid next to nothing and just sit there for hours and hours a day filling out CAPTCHA’s. I’m sure the majority of SPAM comes from Bots… but it’s not all bots. And there is no way to stop a human short of banning entire countries.

    #80171

    In reply to: Spam Blogs

    Sam Steiner
    Participant

    I am also having this problem – I guess everybody is. I also followed the tips you mentioned and initially, it reduced splogger registrations a lot.

    However, I disagree with Terry: there are not real people setting up blogs and answering captchas, these are bots. As kiwipearls mentioned, if you go and try to sign up manually, you have to fill in the required fields.

    There is a leak somewhere in BuddyPress/WPMU registration and all methods to stop the oil have failed until now. BP (haha) people say it’s WPMU and the other way around, I guess. The leak has been here for months and nobody seems to want to fix it. Maybe it’s some kind of corruption since the premium site Terry mentioned has a way to fix it.

    #78417
    Peter Kirn
    Participant

    Hi Jeff, I can’t make the chat Wednesday as I’m going to be on a plane between London and Hamburg, but I wanted to add to this:

    1. wp-recaptcha — I’m working with the developer of this plug-in so that we have one fork that works everywhere, BP included. Given that this is the topic, let me try to get that basic code up. Even with simple recaptcha support, there’s a huge decrease in spam signups. It seems not to solve the smartest scripts, the ones that send PMs (at least not on our site), so I think once we get one recaptcha working, making the “failed” recaptchas more intelligent to avoid these automated bots would be great. Thanks for the ideas above — this is great fodder — so I’d encourage people to get involved on the same fork so we can put this into action sooner rather than later. Let me post a separate update within the next couple of days.

    2. Since PMs are a big problem, and this thread is getting very, very ambitious, why not at least begin testing this with a separate plugin? I’d like to at least see something that stops mass-mailings and highlights that user, as that’d be an easy way to weed people out, at least as more comprehensive solutions are developed.

    3. Reviewing core is probably worthwhile. A mistake in bp_signup_validate’s code was being exploited by hackers. I know this is part of 1.2.4, but I went ahead and applied the diff attached to this (now-closed) ticket to our current 1.2.3 install:
    https://trac.buddypress.org/ticket/2289
    — this made a big difference. I wonder if anything else follows this pattern, and how we might hunt it down.

    Grand, wide-reaching plans sound terrific, but I’d hate if that derailed some short-term fixes; seems we can have both.

    #78129
    fox3man
    Member

    Well! “SI CAPTCHA Anti-Spam” doesn’t really work. Spammer registrations keep coming. The number per day has been reduced but it still can’t stop them. I assume the spammer bots may be smart enough to OCR the words in the CAPTCHA, or could listen to the audio assist and then generate a correct input to pass the registration. So I set CAPTCHA to “high” level and unchecked the audio option. In the last 24 hours I got 10 spam registrations. I wonder if a plug-in that can spell check the field input may help eliminate most of these spammers.

    #78004
    fox3man
    Member

    Yeah! I believe they are spam accounts. They keep coming from all over the world. I have just installed the plugin “SI CAPTCHA Anti-Spam” on all three wpmu web sites. It should stop the spam bots if you are not “human”….lol. Thanks all you guys!

    geekoftodd
    Member

    My error log (I deleted info that I believe to be private):

    File does not exist: public_html/robots.txt

    File does not exist: public_html/feed

    File does not exist: public_html/wp-content/themes/unplugged/_inc/css/reset.css, referer: http://geekoftodd.com/

    File does not exist: public_html/members, referer: http://geekoftodd.com/members/

    File does not exist: public_html/favicon.ico, referer: http://geekoftodd.com/

    File does not exist: public_html/activity, referer: http://geekoftodd.com/

    I’m guessing that I need to move some buddypress files so hostgator can find them or is this like in certain programs where I have to locate them manually for them to be recognized? Thanks any help would be great.

    #77941
    gibbyesl
    Member

    I guess these could be spam bots inputting data to pass the registration
    I know a lot of work is going on now in the background to help stop this
    Stay tuned

    #77288
    foxly
    Participant

    PART 3 – STRONG -vs- WEAK METHODS

    When it comes to spam on BP sites, you’ll see all sorts of stuff posted on blogs saying “change [whatever] on your site and your spam problem will disappear”.

    Truthfully, a lot of these tricks will actually work …for a while… but eventually, the spammer makes a minor change to their bot, and they’re back in business. In fact, many of the leading blog spamming packages include sophisticated logging features to catch the errors that “uniquely configured” blogs generate and help the spammer quickly fix the “problem”.

    If we’re going to have a reliable anti-spam solution for BuddyPress, we should probably focus on “Mathematically Strong” methods, not on “Obfuscation” and “Moving Things Around”. That way, we won’t have to constantly change our spam protection methods.

    Changing Page Slugs

    Many people recommend changing the page slugs on BP installations to reduce spam. While this is certainly easy to do, you of course need to give your users *links* to those page slugs somewhere on your site so they can actually visit the pages. And if users can follow the links, so can a spam bot.

    Changing page slugs is kind of like boarding-up the front door of your house, installing a new door in the side of your house, and then attaching a piece of string from the front door to the side door so everyone can find the new door.

    The “change your page slugs” approach seems to come from the “change your admin menu URL” technique. Changing your admin menu URL is actually a *strong* protection technique. Since there is no link to it anywhere on the site and you’re the only one that knows the URL, it’s like having two passwords on your admin login. An attacker would have to try billions of URL’s to find it.

    Not so with all the other URL’s on your site. They have to be linked off other pages so your users can find them.

    Adding Fake Form Fields

    Many people recommend adding a few extra fields to forms throughout your site (sign-up, login, post to group, etc) and “hiding” these fields using CSS. If any of the “trap” fields are filled out, in theory, you’ve just detected a bot, because a normal user would never see the fields and fill them out.

    This approach *might* defeat a very simple bot that searches every web page it can find for forms, and fills every field in every form with random spam; but it will not defeat a bot that understands CSS or is specifically targeted at BuddyPress, especially considering that BuddyPress is *open source*.

    Don’t think bots can analyze CSS? Read this: http://www.google.com/support/webmasters/bin/answer.py?answer=66353

    A bot designer can simply read through the BP source code and discover the names of the fields that should be filled in and the names of the fields that should be left empty.

    To use our “house” analogy, adding extra form fields is like installing 3 front doors on your house and rigging two of them with grenades …then hanging a big red “out of order” sign on the two rigged doors so your friends don’t use them.

    Obviously if your friends can read the signs, so can your enemies.

    JavaScript Proof of Work

    Javascript proof of work (Wp Hashcash) defeats spammers by making visitor’s web browsers solve a math problem in JavaScript before they are allowed to post.

    Because everyone knows spam bots can’t run JavaScript.

    http://forums.digitalpoint.com/showthread.php?t=1124949
    http://www.scrapebox.com/
    http://blogcommentdemon.com/
    http://www.senuke.com
    http://www.botmasternet.com/more1/

    Except when they can. ;)

    There’s also the issue of what to do with visitors that don’t have JavaScript enabled.

    The WordPress and BuddyPress development teams have put an epic amount of work into ensuring both platforms will work reliably when JavaScript isn’t available. Requiring users to have JavaScript to post any kind of content to the site nullifies much of this work.

    Proof-of-work was a great idea back in 1997 when spammers ran hundreds of attack threads from a single server and solving the JavaScript math problems slowed it to a crawl.

    In 1997, we’d be dealing with a single spammer running 1000 attack threads against the site. Because the spammer was running 1000 threads, each of which would have to solve the JavaScript problem, they would effectively be penalized 1000 fold over a normal user. The end result is they would only be able to run a few threads before their computer slowed to a crawl and their spamming abilities would be sharply limited.

    Epic win for site.

    Unfortunately, things are different in 2010.

    Spam bots have become the tool of choice for basement SEO marketers. Instead of a few members of the “spam elite”, we’re dealing with tens of thousands of “do it yourself” spammers each running 1 attack thread using the new “automatic backlink software” they just picked up for $29.00 off some random SEO website. Instead of fighting one spammer splitting their resources across a thousand threads, we’re fighting a thousand spammers running a single thread dedicated *just to our site*.

    Skipping a ton of math, what this means, is that in order to cause a spammer a 1-second delay while their computer solves our JavaScript challenge, we have to cause each of our *legitimate users* a 1 second delay while *their* computer solves our JavaScript challenge. And, considering the 3 to 5 second database lag I see on 90% of the BP sites I visit, the challenge would need to take much longer than a second to have any merit at all …otherwise page refresh time would be the limiting factor, not the JS challenge.

    So what happens when a user visits the site using a computer that is much slower than a typical desktop …say a mobile phone or an old laptop? The challenge would take proportionally longer to complete. A challenge that requires 5 seconds to solve on a desktop PC, could take 30 seconds on an iphone …and 30 second response times would not make for an enjoyable user experience.

    Overall, proof-of-work challenges are probably not a good choice in the 2010 Internet landscape.

    Mathematically Strong Methods

    In the next post, I’ll cover the specific details of the methods I’ve proposed for the BP spam solution, and why they will defeat most spam attacks.

    ^F^

    #77148

    In reply to: Members only

    Shnooka30
    Participant

    Thanks, I did install that and there is a load of info there. Maybe I’ll work on that and see how it is.

    This plug-in works great, however it sends users to the backend login form and not the register page. Can’t figure out how to redirect to register page.

    class RegisteredUsersOnly {
        var $exclusions = array();

        // Class initialization
        function __construct() {
            // Register our hooks
            add_action( 'wp', array( $this, 'MaybeRedirect' ) );
            add_action( 'init', array( $this, 'LoginFormMessage' ) );
            add_action( 'login_head', array( $this, 'NoIndex' ), 1 );
        }

        // Depending on conditions, run an authentication check
        function MaybeRedirect() {
            global $bp;

            // If the user is logged in, then abort
            if ( current_user_can( 'read' ) ) return;

            // Let logged-out visitors reach the BuddyPress registration page
            if ( $bp && ( $bp->current_component == BP_REGISTER_SLUG ) ) return;

            #'wp-trackback.php',
            #'wp-app.php',
            $this->exclusions = array(
                'wp-login.php',
                'wp-signup.php',
                'wp-register.php',
                'wp-activate.php',
                'wp-cron.php' // Just incase
            );

            // If the current script name is in the exclusion list, abort
            if ( in_array( basename( $_SERVER['PHP_SELF'] ), apply_filters( 'registered-users-only_exclusions', $this->exclusions ) ) ) return;

            // Still here? Okay, then redirect to the login form
            auth_redirect();
        }

        // Use some deprecate code (yeah, I know) to insert a "You must login" error message to the login form
        // If this breaks in the future, oh well, it's just a pretty message for users
        function LoginFormMessage() {
            // Don't show the error message if anything else is going on (registration, etc.)
            // The array key on the second $_GET test is missing in the post as it appears here
            if ( 'wp-login.php' != basename( $_SERVER['PHP_SELF'] ) || !empty($_POST) || ( !empty($_GET) && empty($_GET) ) ) return;

            global $error;
            $error = __( 'Only registered users can watch this site. Please register or login.', 'registered-users-only' );
        }

        // Tell bots to go away (they shouldn't index the login form)
        function NoIndex() {
            echo "<meta name='robots' content='noindex,nofollow' />\n";
        }

    }

    // Start this plugin once all other plugins are fully loaded
    add_action( 'plugins_loaded', function () {
        global $RegisteredUsersOnly;
        $RegisteredUsersOnly = new RegisteredUsersOnly();
    } );

    #77018
    5887735
    Inactive

    My BP site is fairly new. I had one PM spammer and I changed my register slug and added birth day to the required fields and so far no return spammers (about 1000 new members per month, 4,000 current). I’m sure this won’t end attacks, but hopefully it will stave off many of the BOTS.

    #77001
    5887735
    Inactive

    Maybe BP should require that you choose your own register slug after activating the plugin. Perhaps also require you name your required fields, instead of the default “name” or “base.” The less default settings BP has the harder it is for BOTS.

    #76958
    foxly
    Participant

    All About BuddyPress Spam

    From what I’ve seen over the past few days, the range of knowledge about spam in the BP community ranges from zero to PhD research project. So, to get this thread off to a productive start, I’m going to give everyone some background info on why spammers target our installations, how they do it, and what we can do to reduce or eliminate these kinds of attacks.

    1) Why do spammers attack BP communities?

    -> Spam is 100% economically motivated. Spammers do what they do because it’s very profitable. Even if only 1 out of a million messages the spammer sends actually reaches somebody, if it cost $2 to send out those million messages and the spammer makes $50 by tricking one person into giving them a credit card number, the spammer is going to throw every resource they have into sending out more messages …because they’re getting a 2500% return on their investment.

    -> Given the choice between multiple sites, a spammer will pick the one that gives the largest payout.

    Gmail is a “hard” target, with users that are experienced with spam. If a spammer sent a billion spam messages to accounts on Gmail, 99.9% of them would probably be deleted by automated filters at other ISP’s along the way before even arriving at Gmail. The first thousand messages that arrived at gmail would likely be delivered but would be put in users’ spam folders; and the remaining 999,000 messages would be flat-out refused by Gmail’s servers.

    Because anyone with an email account is familiar with spam, probably 999 of those 1000 users would ignore the spam message and 1 user might act on it. So if it cost $20 to send those billion messages and the spammer made $50 by tricking the one person into giving them a credit card number, they’ve only made $30 for all that work.

    BP communities are usually “soft” targets that are inexperienced with spam.

    Once a spammer gets into a BP community, every single message they send is delivered to a member, and most members are NOT expecting to be attacked by other users on the site.

    If a user called “site_news” sends everyone a message that says: “Our site just got featured on Oprah! check out the video! http://www.youtube.com/watch/dQw4w9WgXcQ.cn” every single member is going to get that message, and probably half of them are going to click on the link. (did anyone notice what’s wrong with that “YouTube video” … ;) )

    Then, assuming there are 50,000 members on the BP site, half of them click on the link, half of those people are using Internet Explorer, and the attack site the link points to installs a backdoor on computers running IE …at $2 / install the spammer has just made $25,000!

    Now, if *you* were a spammer, which site would you attack?

    2) How do spammers find BP communities?

    Using Google.

    Example: http://www.google.ca/search?hl=en&q=%2B”is+proudly+powered+by+WordPress+and+BuddyPress” (front page of every BP site on the net)
    Example: http://www.google.ca/search?hl=en&q=inurl:%22/community/members/%22+%2Bbuddypress (members page of every BP site on the net)

    3) How do spammers attack websites?

    -> Most spam attacks are done using robots, because sheer volume of posts is usually the winning factor. In situations where there is a “captcha wall” or other defense blocking registration to a “high value” site (hint: yours), spammers will use people in low-wage countries to break the captcha and sign up on the site. The going rate is about $2 per 1000 captchas.

    http://www.decaptcher.com/client/

    Once inside the site, they will then use bots to post spam to all the members on the site.

    -> There are literally *thousands* of different programs available that spam websites, and they all have *different* vulnerabilities.

    For example, this program: http://forums.digitalpoint.com/showthread.php?t=1124949

    a) Will DEFEAT a “hidden fields” challenge,
    b) Will DEFEAT a “javascript proof of work” challenge,
    c) Will FAIL a “captcha” challenge
    d) Will FAIL an “Akismet” challenge
    e) Will FAIL a “Hashed Form Field ID” challenge

    But this program: http://www.botmasternet.com/more1/ , wikipedia: http://en.wikipedia.org/wiki/XRumer , video of it running: http://www.youtube.com/watch?v=AL2i4SNPJmg

    a) Will DEFEAT a “hidden fields” challenge,
    b) Will DEFEAT a “javascript proof of work” challenge,
    c) Will DEFEAT a “captcha” challenge
    d) Will DEFEAT an “Akismet” challenge (uses proxy networks, never sends the same message twice)
    e) Will DEFEAT a “Hashed Form Field ID” challenge
    f) Will FAIL a “enter the numbers with a triangle over them” challenge (as used by PlentyOfFish.com)
    g) Will FAIL a “click on the photos of cats but not the photos of dogs” challenge

    4) How do we stop spammers from attacking BP communities?

    -> By making it frustrating and unprofitable (but not necessarily impossible) for spammers to target us; while making these tactics invisible to normal users.

    I will cover how I propose to do this in the next post.

    ^F^

    #76476
    5887735
    Inactive

    I’m getting these on my own site. These are spam bots and they found a way into BP. This should be a number one priority for BP. I’ve seen this stuff with phpbb and other CMS. It’s very easy for these people to bring down your site.

    #76190

    In reply to: Avatar Upload issue

    jay
    Participant

    are you hosted at godaddy? my programmer thought it had to do with the following:

    • can you check the hosting company if they have GD library correctly installed- go daddy said everything was fine, but their email customer service seems to be done by robots as they never answer correctly, they said it had to do with folder permissions which was not the case.

    #75514
    jwack
    Participant

    Thanks.

    #75407
    r-a-y
    Keymaster

    WP does generate a virtual robots.txt file, but I’m not sure if you can count BP in the mix as I’m not quite sure if BP does anything to it.

    Try using this plugin to manage WP’s virtual robots.txt:
    https://wordpress.org/extend/plugins/pc-robotstxt/

    #75406
    jwack
    Participant

    ne1?

    #74956
    Michael J Challis
    Participant

    FYI, Today I updated SI CAPTCHA Anti-Spam for latest version of buddypress 1.2.3 compatibility

    SI CAPTCHA Anti-Spam

    https://wordpress.org/extend/plugins/si-captcha-for-wordpress/

    This plugin adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, login, or all. In order to post comments or register, users will have to type in the code shown on the image. This prevents spam from automated bots. Adds security. Works great with Akismet. Also is fully WP, WPMU, and BuddyPress compatible.

    #71137
    Gene53
    Participant

    The best trick I learned for fighting spam bots is to ask a question that only a human can answer and making them type it into a text box. If you change the question daily or randomize it, it makes it even tougher. Don’t do anything like math or captcha or something that a bot can calculate or decipher. Ask a question like “What color is snow?” or “How many sides does a triangle have?”

    +1 for that idea, I had this on 2 SMF forums and it does work. While it doesn’t stop the odd human Spammer from registering, it stops bots dead in their tracks.

    Maybe a coder would consider making such a BP plugin.

    #71077
    David Lewis
    Participant

    There are multiple entry points for SPAM bots… so any one measure probably won’t accomplish much. I posted a list of everything I did in the “Spam, Spam and more Spam” thread. Worst case… you could try captcha.

    #70348
    snark
    Participant

    Still looking for help on this. My new BP site finally went live today — http://www.wordlab.com/ — and I’m getting a couple signups per hour that never click on the activation link. Some may be legit but can’t figure out the activation process, but from email correspondence I’ve only found one who fit that bill — the others never respond to me, so I’m guessing a fair percentage of them are spambots using fake email addresses.

    So it would be great to have these improved User sorting options in the WP Admin, so I could track down bogus registrations, perhaps those that haven’t been activated after a set amount of time, and delete those users in batches. An alternate strategy would be to have the system auto delete (or delete en masse on command) any registrations that are never confirmed after a set period (10 days, 30 days, etc.)
