95% of the spammer usernames/emails that people here have mentioned so far, I too have come across. I noticed in late May that the birth date was the most common factor, but I have a feeling that the more we talk about it, or the sooner we come up with an automated solution based on the birth date...
the sooner the spambots will either stop using that birthdate, or start using random birth dates. We should assume the worst - that we can't count on this birth date red flag, for forever.
Nearly every time a new spambot (or a revisit of an old spambot) appears on my site, I've manually ISP blocked it, which involves a WHOIS to find the complete IP range.
I have to be very careful when I do this, because although my site is English language, it attracts legitimate users from all over the world - including a few from China. So every time I ISP block another Chinese range, I always check it against the very few legitimate Chinese members my site already has. This tactic will eventually stop another legitimate Chinese user from joining my site, but the spam is so out-of-hand right now, that I'm considering this to be a small price to pay. I don't feel comfortable with ISP blocking as a longterm solution though.
I'm probably going to introduce a subforum for New Member Introductions. When you confirm your email address for registration, you're shifted into a phase-one custom usergroup that can only post, in the manner of starting new thread(s) in New Member Introductions. Until you've done this, you can't start threads in any other subforums, or reply to any threads other than your own. After that, if you have at least one post, eventually you get auto-promoted, and can post/reply in any subforum. However, that promotion could come real quick, so to make sure it's always at least an hour, you introduce another intermediary custom usergroup, whose sole purpose is to exist one hour before the promotions CRON triggers again.
Once a spammer starts posting, they'll do it in waves. They aren't going to sit around and wait 1-2 hours until they can post in other subforums, and that's if they're not banned by then. What I like about the New Member Introductions idea, is that all of the spam will originate in one place, and you can safely appoint a legion of moderators solely for that board, with custom permissions so they can only move posts, and you have a trash/spam subforum that's not public, as evidence for a higher-up staff member to eventually issue a banning.
I can understand why some vB owners here would want to block their Member Lists, because a little-talked-about problem right now, is spam across Private Messages. Though I don't know how much good it does to block the Member List, because a smart spambot could build its own index of usernames, by brute forcing all of the User ID numbers. I'm thinking of reserving the Private Messaging privilege for users who have already posted at least 10 times, and same with being able to view the Member List or any individual User Profile. That ought to solve some problems.
Now, I'm not deeply knowledgeable about the repercussions with robots.txt, so for anyone who is more familiar with how it works, will spambots being able to access robots.txt, in any way foil any of my ideas here?
the sooner the spambots will either stop using that birthdate, or start using random birth dates. We should assume the worst - that we can't count on this birth date red flag, for forever.
Nearly every time a new spambot (or a revisit of an old spambot) appears on my site, I've manually ISP blocked it, which involves a WHOIS to find the complete IP range.
I have to be very careful when I do this, because although my site is English language, it attracts legitimate users from all over the world - including a few from China. So every time I ISP block another Chinese range, I always check it against the very few legitimate Chinese members my site already has. This tactic will eventually stop another legitimate Chinese user from joining my site, but the spam is so out-of-hand right now, that I'm considering this to be a small price to pay. I don't feel comfortable with ISP blocking as a longterm solution though.
I'm probably going to introduce a subforum for New Member Introductions. When you confirm your email address for registration, you're shifted into a phase-one custom usergroup that can only post, in the manner of starting new thread(s) in New Member Introductions. Until you've done this, you can't start threads in any other subforums, or reply to any threads other than your own. After that, if you have at least one post, eventually you get auto-promoted, and can post/reply in any subforum. However, that promotion could come real quick, so to make sure it's always at least an hour, you introduce another intermediary custom usergroup, whose sole purpose is to exist one hour before the promotions CRON triggers again.
Once a spammer starts posting, they'll do it in waves. They aren't going to sit around and wait 1-2 hours until they can post in other subforums, and that's if they're not banned by then. What I like about the New Member Introductions idea, is that all of the spam will originate in one place, and you can safely appoint a legion of moderators solely for that board, with custom permissions so they can only move posts, and you have a trash/spam subforum that's not public, as evidence for a higher-up staff member to eventually issue a banning.
I can understand why some vB owners here would want to block their Member Lists, because a little-talked-about problem right now, is spam across Private Messages. Though I don't know how much good it does to block the Member List, because a smart spambot could build its own index of usernames, by brute forcing all of the User ID numbers. I'm thinking of reserving the Private Messaging privilege for users who have already posted at least 10 times, and same with being able to view the Member List or any individual User Profile. That ought to solve some problems.
Now, I'm not deeply knowledgeable about the repercussions with robots.txt, so for anyone who is more familiar with how it works, will spambots being able to access robots.txt, in any way foil any of my ideas here?
Comment