海南三亚旅游 (The Thread About Forum Spam And Possible Solutions)
Might as well discuss solutions and their relative merits.

(edited from original spam, obviously)
Best Topic Evar. 
So good I couldn't bring myself to edit it.

Metl, make this a sticky! 
I'm Gonna Visit
that url, maybe something fappable lies in wait 
Perhaps these bots are contributing to the slowness of func recently... If they aren't registered they're probably downloading the entirety of threads they visit to post in them, perhaps they just do it too often for the database to cope. 
that wouldn't make sense since it'd cost them bandwidth, but you might be right. Maybe they're using hijacked computers, dunno.

Oh, will the pestilence never end?

I still think it's not a solution to require registration for posters... Maybe make a mathematical calculation for the anonymous posters, like:
what is 5-3? [answer here]. Func's such a small place that nobody'll bother to code a bot to handle that. (you need image recognition for blogspot etc..) 
I've Been Thinking About This... 
There are systems (called CAPTCHAs or something) people have developed to force humans to type in text or whatever to prove they're human. I could do something like that.

However, I'm thinking of going with a solution of using javascript heavily enough behind the scenes that a javascript-disabled agent (like a web spider) wouldn't even be able to tell what form needed to be submitted, nor where it needed to be submitted to. That way there would be no change in usability for humans. I don't think most spam bots run the javascript they find on a page. 
For starters, use a javascript button calling form.submit() instead of the typical submit button (sure hope the spambots are not reading this). If that doesn't work, go from there - create the form, elements etc using javascript DOM. And so on. Until either you or the spammers get fed up with it =). 
that's exactly what i had in mind.

by the way, i already have a button that calls a function that does form.submit -- the problem is the agent can simply submit the form itself. At the very least, i think i'd need to hide the form.action by creating it using javascript instead of HTML. Beyond that, i might have the input elements outside of the form, not have a form at all, and create the form with javascript when you click the button. Anyway, i'll mess around with it. 
i browse regularly with javascript disabled. Don't lose backwards compatibility just because you get spammed by a few bots. i stopped posting at mapcenter because i had to type in that stupid number every time i visited.
Megaman Has A Point 
Maybe another way to solve this is to have people vote spam threads and messages off (e.g. put a button "report as spam" next to each message, and if at least x people click it, hide that message). 
Sorry For The Double 
server hung when posting and refresh of the thread didn't show my comment :/
i was under the impression that currently, you could not post without javascript. But you can? 
Why is javascript such a bogeyman anyways? Lots of sites break without it. 
Some Interesting Reading On This... 
As A First Step 
wouldn't it make sense to at least set the "noindex" flag for func? no wonder it's an easy target if it appears in google results so often... 
Hmm Metl 
interesting read that second article, someone had sat down and actually thought the problem through to logical conclusions.
The question is ultimately ensuring the poster's intentions... but that makes only moderation or buddylists useful.
It was good while it lasted, the internet and open forums and such. 
That Second Article 
is really really good. and shows how all these systems are really really flawed.

Accessibility mistake #4 (first one on that page)

Sharing problems with the visitor

You want to protect your site from comment spam, e-mail spoofing, and content theft. But why should visitors bear the burden, and have to enter things they see or cannot see in images to submit an inquiry, when it really does nothing for their personal protection? Anything computer generated is hackable by a computer given enough time and dedication—even supposedly hack-proof CAPTCHAs.

Why should your visitors have to go through a multi-step sign-up process to ask you a question? It's your problem when you get spammed—not theirs. Yes, it does frustrate the occasional prankster and gives you a chance to point out help devices such as your FAQ section, but it also means the visitors who really need to contact you have to go through a lot more steps than they should have to. How many times have you hung up the telephone in frustration after listening to all the options of an automated system?

very, very, true. Of course this is a site for the community, so it's as much our problem as yours, but still what he tries to say remains true.

/me thinks of 
Bleh, Javascript Is Fine... 
...If you don't use a shit browser like IE that supports lots of bizarre MS extensions to Javascript (ok, maybe I am just guessing, but IE is the only browser I know that lets sites add themselves to your bookmarks). Also, I guess if you visit lots of "free" hardcore porn sites and warez sites then you are asking for it. But I haven't had any problem in years (pretty much since I started using Opera, actually.)

The only problem I have these days is with the few remaining popup tricks people have, and Flash.

Flash is great when used well. I think Google video uses Flash to stream video data, and it seems a lot less of a pain in the arse than QT, RM or WMV. Flash animations are often fun, as are games. However, Flash ads, menus and sites built purely using flash for no reason other than to look cool (usually advertising some game or film) are not ok. They suck cock and are usually a PITA to navigate.

There are also sites which use Flash for just little things. Take the site for example. I really like the site, and visit it at least once a day, but they use flash for the fucking titles of news posts just so that they can use the font of their choice. It is hardly even noticeable... unless you are using a shit PC, upon which point Flash obliterates your machine until you close the window. If you disable flash, the titles are shown in a regular sans-serif font in the same colour. Big fucking deal?

Mind you, if you don't need javascript, don't use it either. 
Megaman, Etc. 
The whole idea behind javascript was that it wouldn't impact the user experience at all -- javascript is already required, the javascript would work behind the scenes to make the submit form look normal to humans and look like nonsense to bots. I really don't want to do a CAPTCHA or any other thing that requires extra human involvement. Javascript seemed like the ideal hurdle since I don't think most bots will run the javascript they find on a page.

I understand that it's anti-accessibility to require javascript, but the whole point of the move is to make posting inaccessible to certain visitors -- bots.

But I also want to expand moderation powers a bit, because of course javascript is only going to be a temporary obstacle.
Easy Captchas 
I know you're not very keen on it but I've used a free service in the past that's very easy to get up and running. You don't need to piss about with getting graphics libraries and wotnot installed. They create the captcha images for you.

Website is:

You need an account, but it's free, you just email them for it. You need to download a php class from there as well and they have an example of how to link it in here:

You could have it up and running in 20 minutes, tops. If you want any pointers, well you know where I am.

Personally I don't have a problem with them, it's a necessary evil unfortunately.
i'd rather alienate a bunch of non-registered users (register, damn it!) than have to type in some bit of shit for every post i want to make. am i the only one who thinks that's phenomenally retarded? 
Either moderate unregistered posts, encouraging people to register. Once they're registered, they can use a Captcha to verify that they're indeed human.

Or, require a captcha once per IP/IP range, every other week or so. 
Are bots capable of posting from registered accounts? Maybe this is obvious, but if they can't post from registered accounts, and you still want to use captcha stuff, perhaps you could limit that requirement to unregistered users? Perhaps used in combination with various other methods such as IP blocking or limiting anonymous posting to X/(unit of time) that might reduce the frequency while causing a minimum of frustration.

I've gotta be honest, though: I'm not really concerned about the occasional spam message. There are already a few posts that I just ignore. However, eight in a row once every day or two kinda sucks. 
What R.P.G Says Is Very Good 
Are bots capable of posting from registered accounts?

Not unless bots support cookies. Hmm, that might be a good way to block them, instead of the sneaky javascript i was planning. Problem is i don't REALLY know what bots are capable of.
The title and the name of poster are both perfect Chinese characters, I mean, not only they are Chinese characters, but also they make sense.

i.e. the name of the poster ( if we translate it into English), is "Travelling in Hainan Province", in which Hainan is indeed a southern province of China and is one of the most famous sites.

Bloody Bots 
I had to disable comments on my website after I got hit by bots posting a shit load of crap... always from *.ru domains as well; never quite got that.

I tried to set up a captcha but my host doesn't have the library in place for it to work with php, yet another reason to move hosts asap!

There has to be a way of stopping these twats in their tracks without adding too much hassle to legit site visitors (does that JS solution work if they have JS disabled??) 
Bots _could_ Post From Registered Accounts, Sure 
If the author of the bot could be arsed to put the effort in. Given that the func_ software runs on just the one site it seems unlikely that anyone's going to go to that much effort to spam a bunch of cranky mappers...

Captchas are so fucking annoying. The problem isn't that bad. has been getting spammed too :| 
so we just got our first spammer who actually created an account to spam with. I have this idea that I actually came up with in a dream, where we use "shibboleths" to restrict accounts only to people who are into quake or gaming or mapping or something. Something like, show a picture of a fiend and say "what is the name of this monster" or "what level does he first appear in on normal skill?" or something. 
that's the most pathetic thing you've written yet. 
What is this monster called?
"You know, this thing that.. it shoots these pink balls that follow you.. meh, i give up." 
Yeah Well.. 
just throwing it out there. I don't really like any system that restricts account registration, but we may need a way to block some humans if blocking bots turns out not to be enough. Some types of systems, with varying degrees of annoyance and exclusiveness:

- register, get activation key via email, go back and submit the key (needs a valid email address plus you need to be human)

- captchas (you need to be human, even if you're a human visiting a porn site with a rerouted captcha)

- shibboleths (like captchas but you have to have some insider knowledge that anyone in the community would know. could still be rerouted to a porn site, but they probably wouldn't bother for func)

- can only join with an invitation by an existing member. This sounds really exclusive, except that if people can establish a presence here as an anonymous poster, they could become known to members and then they could just ask for an invitation. (downside of that: a spammer could just look at the board for a username that always posts anonymously, and pretend to be that person in an email request)

Then there are various ways to grant delayed or restricted privileges to new members, such as you can't use function X for a week after joining, or you can't use function X until you're modded up by an admin (we'd have two tiers of regular members.)

Anyway, I really would rather just let anyone post and anyone join, but I think eventually all weakpoints in the board will be exploited. So it may just be a matter of time. We'll see. 
"You know, this thing that.. it shoots these pink balls that follow you.. meh, i give up."
You are talking about Kinn, aren't you?
It Is That Hard 
to just delete the offending posts and remove the account? 
I didn't see Spirit's post before I replied 
I hope you didn't misunderstand it, I meant that you are the "thing that.. it shoots these pink balls...". No, not nice of me either. Slap me :D
I think just stopping bots should be enough, there's really not much you can do when a human has decided to come spam somewhere. It's not a major problem on other message boards, don't see why it would be one here (not enough moderators maybe?)
In the short term I can just improve the moderation tools.

I'm thinking forward to a time when the volume of abuse gets high enough that it takes too much human effort to moderate. We're not there yet, though.
This Is Just An Idea: 
Limit posting to registered users and create one "anonymous account". Just a common user account with a password everyone knows (like the qmap@qmap). Maybe just put an image on the login page with the username and password for anonymous posts. The ideal would be when this user had a changeable name so people still can/have to enter a name.

You'd need the email approval link then too, so bots can't register themselves. 
Oh Wait 
Uhm, that user must not be allowed to login via cookies of course, so no-one can block it. Just add a Password field in the "Post A Reply" form that people will have to fill every time then (if not logged in with their real accounts).
... just use captchas for anonymous posting and account creation. That's a system that most people understand nowadays.

What do you mean by rerouted captchas btw? 
well, there's two problems:

- keep spambots out completely
- keeping human abuse as low as possible

The captchas are only good for dealing with spambots, but I have some other, less-annoying-to users ideas to deal with that first.

The latest train of thought has more to do with how to reduce human abusers. 
actually i quite like the invitation idea. It works VERY well for gmail..

and including #tf we have a pretty nice infrastructure for inviting new members already. You could just drop a line on the registration page ' please come to irc and ask someone for an invitation..'

you'd have to make sure that new users can't invite thousands of spammers immediately then, though. 
I myself think invitations for such a tiny message board is completely stupid. =)
Come on, this place doesn't get so much traffic, there are very little problems with humans spamming and such. 
I Agree With Bal 
Human abuse is incredibly small, IMHO. Invitation system just furthers elitism and discourages growth in a community that has been shrinking for some time. Furthermore, for users who don't even have an account, who's to say they'll take the time to ask for an invitation?

IMHO, the only significant issue is the spammers. 
What About... 
An anonymous post & new account queue? When they initially sign up or post anonymously, it goes into a queue and has to be approved by a mod or a certain number of existing members?

You'd make a section "New Account/Post Queue" that would be visible only to registered, active members. The new account or anonymous post gets routed there first before appearing in the main forums. If a post or an account is random or seems to have non-legit info, then it would take a number of members to either approve it or flag it for deletion. 
I Like Blitz' Idea... 
It's how they do it on, and they have THOUSANDS of users -- they don't get much spam, if any (although, they get lots of stupid stuff, but that's not the same ;)
That's Exactly The Point Though... 
...func_msgboard DOESN'T have thousands of users, so such a system is completely useless. 
that you KNOW ABOUT! 
I made a slight change to the javascript code to discourage spam bots -- the "post a reply" form now does not have a valid "action" (the action is the URL of the target page to submit data to) until the javascript sets it right before submitting. So, assuming spambots don't execute the javascript the way a real browser would, this might stop them. 
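The change described in the post above, paired with a server-side check, as an added example that is not func_msgboard's own code. It goes beyond the post by having the script also fill in a signed, time-limited token; the paths `/post_reply` and `/submit`, the token format, the secret and all function names are assumptions.

```javascript
// Added example, not the board's code. Paths, secret and names are hypothetical.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';   // placeholder; load from config in practice
const REAL_ACTION = '/post_reply';          // set by the page script at submit time
const DECOY_ACTION = '/submit';             // the only action visible in static HTML
const MAX_AGE_MS = 60 * 60 * 1000;          // a rendered form stays valid for one hour

function mac(threadId, issuedAt) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${threadId}:${issuedAt}`).digest('hex');
}

function issueToken(threadId, now = Date.now()) {
  return `${now}.${mac(threadId, now)}`;
}

// Server side: the form markup carries the decoy action and an empty token.
// Only a client that runs the script sends the real action and the token.
function renderReplyForm(threadId, now = Date.now()) {
  const cfg = JSON.stringify({ action: REAL_ACTION, token: issueToken(threadId, now) });
  return [
    `<form id="reply" method="post" action="${DECOY_ACTION}">`,
    `  <input type="hidden" name="thread" value="${Number(threadId)}">`,
    '  <input type="hidden" name="token" value="">',
    '  <textarea name="body"></textarea>',
    '  <button type="submit">Post a reply</button>',
    '</form>',
    '<script>',
    `  var cfg = ${cfg};`,
    "  var f = document.getElementById('reply');",
    "  f.addEventListener('submit', function () {",
    '    f.action = cfg.action;            // action becomes valid only now',
    '    f.elements.token.value = cfg.token;',
    '  });',
    '</script>',
  ].join('\n');
}

// Server side: decide what to do with an incoming POST.
function classifySubmission(req, now = Date.now()) {
  // Posts to the decoy come from clients that never ran the script: drop and log.
  if (req.path !== REAL_ACTION) return 'reject:decoy-action';
  const [ts, sig] = String(req.token || '').split('.');
  const issuedAt = Number(ts);
  if (!ts || !sig || !Number.isFinite(issuedAt)) return 'reject:bad-token';
  const expected = Buffer.from(mac(req.threadId, issuedAt));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'reject:bad-token';            // forged, or issued for another thread
  }
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return 'reject:expired';
  return 'accept';
}
```

Counting `reject:decoy-action` results per source address gives the moderators a cheap signal of automated posting without asking human visitors for anything extra.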
Response To Aquirre From Other Thread: 
It wasn't really a suggestion to secure this board, since it's pretty spam-free. It was more of a consoling feeling that someone's actually trying to put a spotlight on this issue from a spammer's perspective.

The online world seems otherwise to be rapidly drowning in a diarrhea of nonsensical noise ...

Yeah, I admire the project. Reminds me of my idea to release "vaccines" or "antibodies" which are basically benign trojans/viruses that use an exploit to get in, but the payload is actually just a patch for the same exploit.

This somewhat violates people's rights to control their own computer, and it's definitely illegal, but on the other hand, if unsecured workstations are being used in DDoS attacks and spam vectors, then it's for the good of the internet in general and I think that probably outweighs people's implicit right to determine when and how to patch their computers.

As for the general state of email and forum spam, "search engine optimization", and wikipedia abuse, my opinion is that it is all neatly explained by the "Tragedy of the Commons" theory. It makes me wonder what the end result is going to be, because it seems like everything we like about the internet (openness, freedom, anonymity) is only made possible because we are in an early transitional state where the exploiters haven't reached maximum efficiency yet. Will we eventually get to a point where openness, freedom, and anonymity are replaced by exclusivity, controlled access, and identity verification?
It Seems 
very likely. As a comparison, in the mid-nineties I already considered Internet to be extremely noisy compared to e.g. CompuServe, which I had been using for a long time before that.

It was always very easy on CS when searching for help or useful info, while the Internet search engines (pre-InfoSeek and AltaVista) were bad and their results even worse.

Since then, the search engines have become much better, but the increased speed of noise production is just ridiculous today.

What's the use of having any amount of very knowledgeable info, when you can't access it due to ear-damaging noise levels?

Not to mention the increasing difficulty to distinguish between real and phony info. 
A less pessimistic point of view is that the internet goes through cycles of higher and lower usefulness.

You could look at the huge increase in usefulness provided by Google in the early days, when it replaced older, crappier search engines and provided a sudden window into billions of pages which were ranked well enough that you could actually find stuff. Then as google became well known as an information source, it became a desirable target for exploiters. Now the usefulness of google is a product of how well they can defeat the exploiter's strategies. So the peak for google was a few years ago.

The more recent attempt to consolidate knowledge and root out the crap is Wikipedia, but Wikipedia is experiencing the same curve... there was (or will be) a peak where there is a critical mass of information to make it useful, but now that people recognize it as useful, it becomes more attractive a target for the exploiters, who go in there trying to make full use of the free access to an audience.

So if it's really cyclical, is each peak higher than the last? Is each trough shallower? 
Metl, insightful...
I guess the same is with many nice forums - first you can have nice people but then it's filled with lamers... 
Good one! A little self deprecating humor is good for the soul.
