It's 99% spam robot registrations.

It's 99% spam robot registrations.

Hi Andreas,

Thnnks. I think most of us had already kinda figured out that it was some kind of automated spam attack.

Can it be stopped? When did it start? Who do you think is behind it? Does this prevent "registrations" of legetimate people being "enabled"?

Regards,

Tigger

There is a fix for the problem, but it takes some bother to implement.

Spammers use search engines to find sites running phpbb, and have bots connect to the sites and sign up, in the hope that they'll be able to spam fora with ads. Even an extremely low profile site will get 1-2 of these registrations a day, Andreas undoubtedly gets a lot more than that. The normal phpbb signup arrangement will give him no more data than that a certain pseudonym has signed up, and their email address can be determined with a little bit of work. Some of the time you can search Google for their ID or their email address and "spam," and find out that they're a spammer. But many of them change their IDs almost daily (blahblah327, because they used blahblah326 yesterday), and those IDs will be harder to reach definite conclusions about.

The fix, insofar as one exists, is to modify phpbb so that registrations use Captcha, that scheme whereby you're asked to type in some characters from a partially obscured image. Some spammers' bots have been rewritten to get around simpler implementations of Captcha, so that will only thin it out a bit... bleeding edge implementations do a bit better, but a bot which allows its operator to deal with the Captcha part of the signup page can easily defeat all such anti-spam mechanisms, if the operator can read English. Likewise for pages that make one solve a simple math problem, etc. The only semi-reliable way to screen is to make every applicant write an essay about why they want in, and that requires quite a bit of recoding of the phpbb core (as well as time to read all of the essays). If Andreas is not a crack php coder, and very familiar with the phpbb code base, that may not be feasible.

And this assumes that his spam problems are all the routine kind that every phpbb site has to deal with. OSA, separatist Anons, or any other troll with even a slight grip on what OCMB is about could be expected to write a reasonably deceptive essay.

The authorizing of users is restricted to the admin account, so none of this is anything he could foist off on a moderator.

In the current economic climate, I've found myself needing to spend an unpleasantly large amount of my time doing paying work. I doubt that things are very different in Norway. Andreas is probably content to let the existing group, which he spent years developing, just run on its own. And if you don't like it, well, find an expert and trustworthy php coder and offer to pay them several hundred dollars to write some code for OCMB.

Not much, if one is a skilled php programmer... a few minutes. If not, it would take slightly longer than it takes to learn a bit of php. The change might screw up the rendering of the page, so add in some extra time for debugging. But it could be done in hours, rather than days, if one has a knack for computer languages and a high threshold for tedium.

Well, sure, they can do that on ANY page. Right now, for example, anyone using XP/W2K/W2003 can have their system taken over via a bug in the way their OS handles QuickTime files. There is no patch, only a workaround (which 99.9% of MS customers will never apply), and you don't have to click on anything for it to work, just going to an infected page is enough. (The workaround is here, BTW: http://support.microsoft.com/kb/971778 )

What makes this kind of exploit especially scary is that it needn't be hosted on a hacker's website, it can be (and has been) posted on big, famous websites that we've all visited. This is done by attacking the website and inserting a reference to the malicious code into their page. The attack method most commonly used (SQL injection) can only be carried out by someone who can post or submit content to the site, so a closed site like this is far safer than one where everybody's free to post. In that respect, disallowing any new members could be an effective security measure, since it excludes new posters who might come here to spread malware.

Sorry for being grumpy in that last sentence. I'm just going under the assumption that Andreas is doing the best he can with the time & resources at his disposal, and hope that others will cut him a reasonable amount of slack. It's not as if we had any reason to question his motives or dedication to the cause. But if he DID want to turn the site into an online clam retailer, effective tomorrow, that'd be his own business. We're just his guests, not taxpaying citizens.