Ryan Jordan
(ryan) - BPL Staff - MLife

Locale: Greater Yellowstone
BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/21/2012 22:27:52 MDT

In recent days, backpackinglight.com, along with forums across the internet during the same time, has been hit with an automated forum spam attack from newly upgraded spamming software that is becoming increasingly sophisticated at circumventing anti-bot measures. The attacks on backpackinglight.com resulted in a level of spam that makes it nearly impossible to moderate manually with human moderators.

Consequently, we will be limiting forum postings and the creation of new threads to members only (M or MLIFE).

This is intended to be a short term change in policy while we evaluate a number of options as we move forward. One of the options we will evaluate is whether or not to maintain this restriction indefinitely, or at least until we are able to upgrade to new forum software.

My hope with this change in policy is that our forums will return to a very high level of quality, even at the sacrifice of some quantity from those users who have contributed in the past but have not been members of our website. To those of you specifically, I'm grateful for your contributions and will continue to explore options that allow for your participation in the future.

We will continue to make the forums publicly available so that the rich resource here can be read by the public.

I wanted to thank Roger Caffin for being an incredibly patient and persistent moderator during this time. Roger did a terrific job of keeping the impacts of the attacks to a minimum, of keeping me and our web developer informed, and working with our web developer to create tools for helping us efficiently deal with large quantities of spam.

Thanks for your patience with the spammers and with us this past week.

Edited by ryan on 10/21/2012 22:38:09 MDT.

Marty C
(mcochran77) - M

Locale: Southern Oregon
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/21/2012 22:52:20 MDT

Ryan

During this trying time it might be productive to lower the yearly membership to $10 or less to encourage people to join.

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/21/2012 23:23:40 MDT

Came in to see how things are progressing.

I think your decision was a wise one, although it's going to be hard on both members and non-members. A considerable number of the non-paying members contribute significant content to this forum, which has been greatly appreciated by us members. Hopefully a solution can be found soon to have automated controls on new non-paying members so these folks can come back. It's obvious, though, that the days of letting everyone have access are long gone.

At least you'll find out if the spammers want to pay to spam on this site!

Hopefully now Roger can do something besides chasing spam! Maybe get some sleep or go on a backpacking trip?

Edited by hikinggranny on 10/21/2012 23:27:18 MDT.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/21/2012 23:35:23 MDT

> At least you'll find out if the spammers want to pay to spam on this site!
I am sure we can accommodate them. How about $10 per posting?

Cheers

a b
(Ice-axe)
An idea on 10/21/2012 23:43:30 MDT

What about adding one of those encryption puzzle widgets before each post can be made?
You know, that little box with distorted letters and numbers that requires a human brain to decipher.

If that could be added to the current software we could let everyone back in.

Maybe it would only need to be added to the new user registration page..

Just a thought.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: An idea on 10/21/2012 23:57:13 MDT

> encryption puzzle widgets
CAPTCHAS? The latest version of the spamming SW can handle those.

Cheers

a b
(Ice-axe)
Re: Re: An idea on 10/22/2012 00:00:09 MDT

I knew it couldn't be that easy...

Okay, so everyone has to complete a Sudoku puzzle before they can post... I am kidding.

William Chilton
(WilliamC3) - MLife

Locale: Antakya
Another idea on 10/22/2012 02:55:40 MDT

If the spam accounts have been deleted, isn't it possible to allow all current members (paying or non-paying) to post on the forum, but stop the registration of new non-paying members?

Nick Gatel
(ngatel) - MLife

Locale: Southern California
Re: Another idea on 10/22/2012 04:30:55 MDT

If the spam accounts have been deleted, isn't it possible to allow all current members (paying or non-paying) to post on the forum, but stop the registration of new non-paying members?

------------------

A difficult decision and I don't have the expertise to offer up a solution. But not allowing non-paying members to post is going to make me less interested to participate in BPL. Many non-paying members are valuable contributors and greatly enhance the BPL experience.

The past couple of months I have spent very little time here as BPL has changed for the worse over the past year or so. This action seems to add fuel to the downward spiral.

I vote to allow all current members, paying or non-paying, to continue to participate.

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Good News! on 10/22/2012 05:05:22 MDT

Thanks, Ryan and Roger!

I would likely have chosen a different path, but, that doesn't matter. You have been very stressed this past week. I hope this is only temporary. I fear it may be permanent.

Many of the forum members are stressed, too. The decision to close the site is a good one. The spam and related issues have caused a number of BS threads and, more generally, a large distraction from the subject by members. Picking out which postings are good, which are spam, has been annoying.

I agree with the past policy of open registration, but, with software that is as sophisticated as what we have seen, this is not an option. If not for inept programmers running the spamming SW, they would be registering new users, logging in and spamming continuously: destroying the site faster than it is possible to humanly maintain. The BPL staff has shown that for a single admin, this is impossible.

This represents one of the things I hate. I hate that the dissemination of knowledge is now only to the wealthy. No, it does not prevent a user from reading what others have written. But, the *poor* user takes this as it comes, with no involvement, with no questions…with partial answers. If you can afford a membership, you can ask a question and expect a response to it. Is the cost of membership that high? No...not compared with the expense of the infrastructure needed to simply access this info. The fact that it requires any charge just goes against my grain.

Gear Swap is protected and posts replying to ads can be sent through external means. Anyone wishing to post publicly will have to post an email address. I never use it (except for two small purchases), but I may reconsider, now. I suspect others will need to simply post to forum members. (I have my own thoughts on the ethics of selling my older or used gear.)

This does not prevent a non-member from reading. Often, especially here, acquiring background on a specific subject is as important as asking a question. He is still free to read, I think. This site represents the single best resource on lightweight packing for anyone. It is supposed to be a magazine. Perhaps, this will return it to that status.

I agree with the need, if not the method (but that's just me). Good Job, guys!

Snap Judgement
(kthompson) - MLife

Locale: Eel River Valley
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 06:18:09 MDT

It's so unfortunate that it has come to this. Now a huge group are unable to use the forums.

Can we define temporary?

This comes at a bad time.

Hopeful that it is not too late for BPL.

How about telling us the exact dollar amount needed for switching to new software? Christmas is coming.

Edited by kthompson on 10/22/2012 06:25:02 MDT.

Will Webster
(WillWeb)
Moving forward on 10/22/2012 06:28:13 MDT

"This is intended to be a short term change in policy while we evaluate a number of options as we move forward. One of the options we will evaluate is whether or not to maintain this restriction indefinitely, or at least until we are able to upgrade to new forum software."

I recognize that fast action was required to halt a sophisticated cyberattack, but I strongly urge you NOT to make this the permanent solution. A much better approach would be to allow postings from registered non-members, with precautions during the registration process to ensure that they are not 'bots and perhaps a probationary period during which posts would be delayed and moderated.

I started here as a lurker, learning that I could backpack again despite middle age. That progressed to asking questions and benefitting from the help I received. I became a paying member in order to get access to the excellent SOTM and technical articles.

The way to encourage and grow membership is to keep the flow of high-quality articles coming, and keep the forums open to new people. Locking down the forums will degrade their quality, reduce traffic, curtail new and renewing memberships, and push the site into a downward spiral.

That's my 2 cents.

Erik Basil
(EBasil) - M

Locale: Atzlan
Lockdown smart. Now to Move on 10/22/2012 07:19:02 MDT

This is only a partial lockdown (as opposed to going Read-Only), and so I applaud you for it. This is a measured response that should be effective flood control, if the only site compromise has been through the BBS security.

I've seen a few comments about how effective "new spam bots" are, as though that may be a reason not to engage in particular types of spam control. From the perspective of owning a much larger, much more active website that receives much more, and much more sophisticated, spam and hacking attempts inbound than BPL is, I can tell you that I have seen "this" before and that the fearful conclusions regarding the purported futility of anti-spam techniques are plain wrong. When you believe that, the spammers have already beat you.

As I am sure the Admins here are aware, the Achilles heel for BPL is the BBS software. I am relatively sure that you've either solicited or received input regarding what the appropriate fix might be for that, but in the event you'd like a third party perspective, or just someone to step up and do it for you, please feel free to use my registration email address to contact me -- or PM me an email to respond to.

This isn't the first time I've made this offer and I realize that fact may serve to devalue it. However, I also watched this get ahead of the site and I know what you're going through.

A little flood control is great, but you're still on a glide-path to doom. Shake it off and pull up. Change came.

David Thomas
(DavidinKenai) - M

Locale: North Woods. Far North.
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 07:31:28 MDT

An approach to consider is to create/require a very low-level membership level of $1 which allows posting but not Gear Swap or many of the articles. It would be better than the temporary restrictions in that there would be more options for current non-members. It wouldn't bring as many newbies into the forums as an open policy, though.

Better yet, deputize a number of the calmer existing members (there are a few who don't "run with scissors") and therefore offer a quicker response and shared workload to (1) approve the first 2-10 messages of any new member and/or (2) be quick on the "delete" and "ban member" buttons in response to spam.

This temporary situation does allow you to do a market survey, essentially. The price point for posting just went from $0 to $20(?). Look to see if you get any new members this week(s) of new restrictions.

Kenneth Andreasen
(kandreasen) - MLife
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 08:13:32 MDT

This should be possible without actually requiring a $1 payment.

Using PayPal, do a $1 checkout, but instead of drawing the amount from the user's account, cancel the transaction as soon as the user has authorized the payment. This way you can log the user's name and email address (and whatever PayPal gives you access to) without requiring a payment, although a PayPal account and a credit card is required.

Might be a good idea to clear with PayPal’s terms and conditions before implementing.

The Idemonster
(idester) - MLife

Locale: MidAtlantic
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 09:39:57 MDT

Necessary triage, it seems. I appreciate the difficult decision.

I do hope it's short-lived. As others have said, there is a great deal of content contributed by current non-members (I'm beginning to prefer that term, as many current non-members were long-term members in the past) and I'd hate to lose their voices for an extended period of time.

The Idemonster
(idester) - MLife

Locale: MidAtlantic
Re: Forum Posting Policy Revision - Question for Roger or Ryan on 10/22/2012 09:52:13 MDT

Roger/Ryan,

Can registered non-members still PM others? Would a non-member try PM'ing me to see if it works?

Edit: Yup, non members can still use the PM system, in case anyone else was interested.

Edited by idester on 10/22/2012 09:55:09 MDT.

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: Forum Posting Policy Revision - Question for Roger or Ryan on 10/22/2012 10:00:49 MDT

"Edit: Yup, non members can still use the PM system, in case anyone else was interested."

Great! This will remove a lot of stumbling blocks to using Gear Swap!

HK Newman
(hknewman) - MLife

Locale: I get around
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 10:03:13 MDT

Something had to be done and if upgraded technology isn't doable, this was the only option. Unfortunately the spamming technology will just keep becoming more potent and pervasive as time goes on, so an economic solution may be the only cure in the absence of deep pockets.

Charles P
(mediauras) - M

Locale: Terra
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 10:11:38 MDT

I'm glad that steps are being taken to address the integrity of the forums, but, like others, I also hope that this is a temporary fix. I'm a new member and I participated without membership for months before committing. I needed to understand the community and the value the forums and organization had to offer before throwing down some coin (the forums to me tho are far more valuable than the articles). Banning non-members could have a detrimental effect, really hampering recruitment of new members and future growth.

This may be the easiest and most effective immediate measure, but there must be other ways. I participate in a lot of forums (backpacking to political to tech) and this is the only one that's been spammed like this.

Edited by mediauras on 10/22/2012 11:36:39 MDT.

Ryan Smith
(ViolentGreen) - M

Locale: Southeast
Re: Moving forward on 10/22/2012 10:46:06 MDT

+1 to everything Will Webster has said.

In order for the site to continue, it MUST be a temporary fix. And by temporary I'm talking 2-3 weeks maximum. Many people only find value in the forums & reduced traffic means the death to any forum. If the forum fails, membership will rely solely on the articles. With today's blogosphere, BPL is no longer the only place to find UL content so we don't want to go there.

On the more capitalistic side, this could prompt someone to create a new UL website that addresses the issues we've all had for years. (or buyout this one). Either way, I hope everything works out for all involved. Except for the spammers of course.

Ryan

Edited by ViolentGreen on 10/22/2012 10:48:45 MDT.

Dena Kelley
(EagleRiverDee) - M

Locale: Eagle River, Alaska
Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 11:01:05 MDT

While I agree this is better than the constant spam, I also agree with some other people here that believe that non-members contribute a lot to the forum content. I hope this is very temporary, because it will definitely affect the flow of information on the forum. And while some people may decide now is a good time to join, others may resent the idea that they are being forced to join to participate at any level. What I would rather have seen happen would have been that new unpaid members would have limited posting powers where all posts would be subject to moderator review prior to posting them up, with an instant ban on any new spam attempts. With Roger being the only moderator, of course, that would not be feasible but there have been a number of us (David, Mary, myself, others) that have offered to step up and become temporary moderators to help with the spam situation. Perhaps that's not an option with this software, however. The forum I administrate is on PHPBB and the tools available there may be different.

Tony Wong
(Valshar) - MLife

Locale: San Francisco Bay Area
Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 12:16:21 MDT

Would it make sense to have a $1 membership for new people signing up where it allows them access just to the forums and a limited number of "intro to UL backpacking" articles for something like 1 month?

Allows people to experience the value of the forums and some of the articles.

Teaser version of a membership to give the new people a reason to sign up for an annual membership while limiting the SPAM problem.

-Tony

Eric Lundquist
(cobberman) - F

Locale: Dry side of the Eastern Sierra's
Re: Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 12:40:01 MDT

There are several non-paying members who contribute more than the paying ones to the quality of the forums. During this time of member only forums I think that some of these top contributors should be gifted a temporary membership (1-month?) so that they can remain active.

Is it not possible to stop new registrations and thereby no new spammers? I assume you could, thereby keeping the ability of non-paying members to contribute.

Edit: I've removed some of my post after seeing Roger's reply regarding this being a temporary solution

Edited by cobberman on 10/22/2012 15:56:10 MDT.

tyler marlow
(like.sisyphus) - M

Locale: Southeast
this really bums me out! on 10/22/2012 14:52:01 MDT

My renewal period just came up and I almost let it lapse.

I really love this forum but have been sad to see the way BPL is being run in some ways. I don't appreciate the lack of communication between BPL and us regular members in relation to the Lifers. Article content has taken a bit of a dive too.

I think that requiring membership to post would kill this forum.

I do understand the need though to do something about the spam. The forum was pretty much useless during the spam attack.

I hope this is only temporary, very temporary.

any non members that want to post in the meantime (except for gear swap) PM me and I'll be happy to post for you

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 14:52:12 MDT

Dear All

This is ONLY A TEMPORARY FIX while BPL works out how to handle the problem!

Oh yes, we are very well aware of how many non-Members are valued contributors to the Forum channels. Please don't go away! We want to return to 'normal' ASAP.

I will repeat what has already been said elsewhere: this is a problem for a whole raft of website Forums across the Internet which were previously wide open: everyone is being hit. I suspect that the list of 'suitable spamming targets' has been massively increased just recently with the release of the 'upgraded' spamming SW, so that script kiddies have a whole new range of targets.

Let me also emphasise that the current spamming SW is extremely sophisticated. It knows how to create new member registrations and how to solve CAPTCHAS: the SW includes templates for this for hundreds (thousands?) of web sites. Most of the solutions which have been proposed on this Forum will not work against this SW.

But we WILL deal with it!

Cheers
Roger

jerry adams
(retiredjerry) - MLife

Locale: Oregon and Washington
Re: Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 15:49:10 MDT

Maybe it's possible to temporarily not allow any new people to register

Allow currently registered people to post

That would temporarily solve problem without denying registered non-members to post

Are you sure this isn't a conspiracy to deny rightwingers to post on the Romney/Ryan thread? : )

Tom Kirchner
(ouzel) - MLife

Locale: Pacific Northwest/Sierra
How about charging to register on 10/22/2012 17:10:48 MDT

with the option to request, and receive, a refund after a vetting period for those who do not wish to become members? Say 1 month?

Edited: This is meant only as a stopgap measure until more sophisticated methods of blocking SPAM are developed.

Edited by ouzel on 10/22/2012 17:12:09 MDT.

Hoot Filsinger
(filsinger) - MLife

Locale: Pacific Northwest
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 22:32:43 MDT

This may turn out to be a positive shot in the arm for BPL. RJ is back at the helm, fixes may benefit all of us, and like a power outage we all need to appreciate what we hold in this community. Technology always comes with a price but the simple pleasures of our outdoor adventures is the bond for all of us. Sure as of late a few cairns have been knocked over at BPL but we will still find OUR way.

Hoot

Alec E
(aeriksson) - M

Locale: Austin, TX
From the technical side of things.... on 10/22/2012 22:53:06 MDT

As a working web developer with lots of experience in maintaining forums both custom and off the shelf, there's a great many things you can do to minimize the spam bots. Many of them you've probably already thought of or are working to implement, so I won't ramble on, but here are my personal faves (feel free to message me if you want/need details):

- Captcha doesn't work, especially the commercial ones because they're widely used and as such spammers work to crack them constantly. Break a mainstream Captcha service so your bot can spam it and suddenly thousands of sites become accessible, as such, a one-off solution is best because you become a niche that requires special attention. Take-away here: don't pay big bucks to subscribe to a Captcha service because just like a $1 pay-wall, the hassle of trying to decode the really hard to understand graphics of numbers and stuff usually drives plenty of REAL people away from signing up.

- Randomized natural language question & answer. This one works well because bots can't read. Use some programming logic to generate questions such as "what's the third letter from the right in the word top-right of the screen" (if you're playing along, it would be "e" in "Help"). Sometimes you can get away with just having one question. For extra points, randomize the question between a dozen or so you set up in advance. For guru points generate the questions programmatically by having the logic "scrape" your own page during the sign-up process for a random word out of a list of generated words. The more one-off the logic but that continues to be pretty "natural language" in its query to human users, the better.

- The Honey Pot. Most spam bots sign up accounts by scraping/crawling your sign-up page and looking for telltale field names in your sign up form. It does this by checking the "name" attribute typically and us programmers are a lazy bunch if given half a chance, and will name our fields appropriately. Spam bots look for typically used language and LOVE things named "email" and "username" and so on. One VERY successful method is to set up a simple field in the sign-up form (visible because bots ARE smart enough to ignore hidden things sometimes) and give the input field the "email" name, but on screen label it "If you're human, leave this empty". Bots will enter an email address, albeit fake, because they think it's a required field, and your own programming then throws out any submissions that include a value when a human would know not to include anything. Extra Hater Points if you send the bot a "successful registration!" screen and email just to throw the persistent bots for a loop (bots will look for words like "success" in page after trying to sign up a spam account). It should be said you should rename your ACTUAL name, email, and so on, fields to something obfuscated. I'm somewhat partial to "fleamail" or sometimes "spammersshoulddieofcancer" for "email". Should probably check all your fields and just change them to something confusing behind the scenes.

Anyhow, somehow I rambled. But yeah, you should be able to take care of making yourself a pretty low-yield target by creating a one-off system for sure. All told it's not a ton of programming (in fact it's a very minor amount) and should solve your problem.

Best of luck and let me know if you need any advice (I'm too busy to help code... sorry, day job of doing web stuff at a start-up means I get zero free time!) :(.

Edited by aeriksson on 10/22/2012 23:04:15 MDT.

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/23/2012 07:14:24 MDT

> This is intended to be a short term change in policy while we evaluate a number of options as we move forward. One of the options we will evaluate is whether or not to maintain this restriction indefinitely, or at least until we are able to upgrade to new forum software.

The solution to this is extremely simple. Simply add a question to the registration page that only a human with knowledge of the site can answer. Right now you have NO anti-spam measures that I could see other than checking for a valid email perhaps so it's a miracle we've not seen much more spam before this.

I've used this technique successfully for several years on my phpBB-based forum (thankfully it's built into the software now instead of having to mod it). I'm even 3 revisions behind in updating the forum software and haven't had a single spam registration since implementing this technique.

So just get your programmer to add a little code to add a question and check for a correct answer. Personally I would recommend something like "What is the 4-word slogan for BPL?" A: "pack less be more" (ignore case and punctuation). Problem solved with no cost and a few minutes of time.
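
Added example (not part of any post in this thread, and not BPL's or phpBB's code): a server-side registration check in Python that combines the honeypot field and randomized question from Alec E's post with the question-and-answer check described just above, comparing answers with case and punctuation ignored. The function names, the `challenge` and `answer` form fields, the signed-token format and the 15-minute lifetime are assumptions made for the sketch; the questions are the ones proposed in this thread.

```python
import hashlib
import hmac
import re
import secrets
import time

SECRET = secrets.token_bytes(32)   # signing key; generated per process for this demo
TOKEN_TTL = 15 * 60                # seconds a rendered form stays valid (assumed value)

# Field names as suggested in the thread: the decoy gets the name bots look for,
# the real address field gets an obfuscated one.
HONEYPOT_FIELD = "email"           # shown with the label "If you're human, leave this empty"
REAL_EMAIL_FIELD = "fleamail"

# Question pool, keyed by id. Questions and answers are the ones proposed in this thread.
QUESTIONS = {
    "slogan": ("What is the 4-word slogan for BPL?", "pack less be more"),
    "winter": ("When it's winter, precipitation most commonly falls as...", "snow"),
    "carry": ("What you use to hold your gear (hint: goes on your back).", "backpack"),
}
SUCCESS_PAGE = "Registration successful!"


def normalize(answer):
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    cleaned = re.sub(r"[^a-z0-9\s]", "", answer.lower())
    return " ".join(cleaned.split())


def _sign(question_id, issued_at):
    msg = f"{question_id}:{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None):
    """Pick a random question; return (question_text, token) to embed in the form."""
    issued_at = int(time.time() if now is None else now)
    question_id = secrets.choice(list(QUESTIONS))
    token = f"{question_id}:{issued_at}:{_sign(question_id, issued_at)}"
    return QUESTIONS[question_id][0], token


def _question_from_token(token, now):
    """Return the question id if the token is authentic and fresh, else None."""
    try:
        question_id, issued_raw, mac = token.split(":")
        issued_at = int(issued_raw)
    except ValueError:
        return None
    if question_id not in QUESTIONS:
        return None
    if not hmac.compare_digest(mac.encode(), _sign(question_id, issued_at).encode()):
        return None
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return None
    return question_id


def check_registration(form, now=None):
    """Classify a sign-up POST (dict of str fields).

    'create_account' is the real decision; 'page' is what the client is shown.
    """
    now = int(time.time() if now is None else now)

    # 1. Honeypot: a human leaves it empty; a form-filling bot supplies an address.
    #    The bot is shown the same success page as a real sign-up, but no account is made.
    if form.get(HONEYPOT_FIELD, "").strip():
        return {"create_account": False, "page": SUCCESS_PAGE, "reason": "honeypot_filled"}

    # 2. The challenge token must be one we issued, unmodified and recent.
    question_id = _question_from_token(form.get("challenge", ""), now)
    if question_id is None:
        return {"create_account": False, "page": "retry", "reason": "bad_or_expired_challenge"}

    # 3. Compare the normalized answer. A miss gets a retry, since humans mistype.
    given = normalize(form.get("answer", ""))
    if not hmac.compare_digest(given.encode(), QUESTIONS[question_id][1].encode()):
        return {"create_account": False, "page": "retry", "reason": "wrong_answer"}

    email = form.get(REAL_EMAIL_FIELD, "").strip()
    if "@" not in email:
        return {"create_account": False, "page": "retry", "reason": "missing_email"}
    return {"create_account": True, "page": SUCCESS_PAGE, "reason": "ok", "email": email}


if __name__ == "__main__":
    question, token = new_challenge()
    qid = token.split(":")[0]
    # Constructed sample submissions: one human, one form-filling bot.
    human = {"fleamail": "hiker@example.org", "email": "", "challenge": token,
             "answer": QUESTIONS[qid][1].title() + "!"}
    bot = dict(human, email="bot@spam.example")
    print(question)
    print(check_registration(human))
    print(check_registration(bot))
```

A signed token can be replayed together with its known answer until it expires; recording each token as used on the server side closes that gap.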

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/23/2012 08:51:26 MDT

"The solution to this is extremely simple. Simply add a question to the registration page that only a human with knowledge of the site can answer..."

Yeah, these are all good delaying tactics. AIs have time. They can do anything you can think of. And this is another good solution.

AI has many definitions, but I like to think of them as Turing did, as a response generator whose responses cannot be distinguished, person and machine. After all, that IS what we are talking about. How to distinguish between man and machine?

Question:
Every potential new member could be a robot. How do you distinguish them apart?
Answer:
You can not. Someone will build a better AI and log in, eventually.

Only by checking a potential new member's intent to use his membership can we check. Like using a different algorithm to solve complex multiplication (used for encryption), checking a person's "target of intent" becomes a matter of not validating his signing up (the obvious "become a member") but checking his posts for some valid content ("I have a question about sleeping bags...")

IFF the AI can solve this, then it doesn't matter, his posts are "valid" within the context of this site. I don't care if he is a person or machine. His posts are fine. He might start spamming after ten or twenty posts, but even people's computers have been known to be hacked and start spamming.

IFF his first post is spam, well, he needs to be gotten rid of (I favor hanging by his protruding member rendering him impotent...metaphorically speaking, of course.)

So, I would suggest a "logic" check by simply moderating his first couple posts rather than an "item" check that can be solved by brute force.

But, there is never a guarantee that a bot will not figure out something general in response, like "This is a great site!" Sorry, it needs to show a specific intent. Something that is NOT gleaned from anything on the web page, and by extension, the web site. And not so general that it can be responded to by simple word substitution for phrases on the page. "I like backpacking" from the web site would not be good enough. "I like" is general, "backpacking" was gleaned from the web page.

I think Roger is Australia's AI. How do I know? Maybe I am an AI. How do you know? Does it matter as long as Roger stays on subject, there, and I stay on the subject, here?

Erik Basil
(EBasil) - M

Locale: Atzlan
Plenty of ideas on 10/23/2012 08:59:34 MDT

Let me preface this by pointing out that I am absolutely sure what the headache the Admins have feels like and that I know multiple postings with "just ______, it's so obvious" in the theme can be frustrating.

However, some of the postings are full of good input from pros that know what they're doing. I like Mr. Eriksson's posting (even though I have a higher opinion of Captcha) and he provides some very good ideas that really can work. Where you have admins of phpBBS boards telling you what works for them, this is also significant, because that platform's not the most robust out there in terms of security -- so, if they've got solutions, they've probably been tested...

One thing I am sure of: an effective repair for this highly-disrupted site will involve replacement of the forums software. Replacing the front end is a big deal, but if the BBS can be severed and there's a functional bridge out there for the CMS/front to the forums, THIS IS THE FIX.

Of course, a new forum package would necessarily include a modernization of look and function. Note, however: modern features take more bandwidth and will allow more traffic, potentially driving overhead at BPL Corporate Towers UP. Who's gonna pay for the upgrades, programming, time and higher operating costs?

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: Plenty of ideas on 10/23/2012 09:30:39 MDT

> Yeah, these are all good delaying tactics. AIs have time. They can do anything you can think of.

Quite true, but unless you don't use an appropriate question, the Q&A method has been very effective for at least 3 years now. And as Erik pointed out above, phpBB is one of the most popular boards to hack and spam since it has one of the largest user bases and this is still the most effective single solution.

I disagree that allowing a potential spammer to register in the first place is an acceptable thing since it will just take up the mods' time to check the intent of the first few posts of each new user. I sure wouldn't want that job! It's far better to prevent them from registering in the first place. I do agree with HOW you filter spambots is crucial, which is why I suggested the slogan since it's contained within a picture rather than plain text. Yes, AI can "read" pics of course but it's going to take a long time to randomly pick the right combination of words you may be looking for since the slogan is not obvious.

> One thing I am sure of: an effective repair for this highly-disrupted site will involve replacement of the forums software.

While I know many would like to see that (I'm one of the few that don't mind the spartan software), that's not true in my solution. Simply add a question to the registration page and the code to check it to allow the registration process to continue. Literally a 5 min job for whoever designed it. At least it was just a couple of minutes for me to edit the php files before they finally added it into the base code.

Edit: I see Alexander's post above now (hadn't read it the first time I saw this thread) and I like the idea of "completing" the registration process with a fake success message if they fail the Q&A. So maybe that would take 10 minutes. :)

Edited by topshot on 10/23/2012 09:37:43 MDT.

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: Plenty of ideas on 10/23/2012 09:53:38 MDT Print View

"Quite true, but unless you don't use an appropriate question, the Q&A method has been very effective for at least 3 years now. And as Erik pointed out above, phpBB is one of the most popular boards to hack and spam since it has one of the largest user bases and this is still the most effective single solution. ..."
Yes, of course. I didn't mean not using automated defenses, too. We definitely don't want to waste a moderator's time.

Dan Durston
(dandydan) - M

Locale: Cascadia
Q&A on 10/23/2012 16:33:42 MDT Print View

I've been having really good results (ie. perfect) with the Q&A method for a number of years now.

A few BPL related examples that could be incorporated into the registration process:

Q) When it's winter, precipitation most commonly falls as...
A) Snow

Q) What you use to hold your gear (hint: goes on your back).
A) Backpack

Mike M
(mtwarden) - MLife

Locale: Montana
Re: Q&A on 10/23/2012 20:00:05 MDT Print View

glad you provided the answers Dan- I was at a loss there :)

Alec E
(aeriksson) - M

Locale: Austin, TX
Captcha and Light & Fast (Websites) on 10/23/2012 20:19:40 MDT Print View

I should point out that captcha isn't all snake-oil, they definitely work. I just tend to discount them because most/all sites I've ever maintained would rather not erect a potential barrier to entry (and captchas, or for a lot of users anything that takes them longer to fill out than 20 seconds) which could dissuade people from signing up and participating in the first place. Usually we had a "well if someone wants to spam us, at least that means we've made it, then we'll address the problem" attitude towards things but obviously that doesn't work everywhere. We dubbed this "a problem we'd like to have". So in the end yeah there's some strong captcha services but I think between the fact that they can be expensive, onerous for users, and if a spammer breaks one service they have access to spam everyone using that service, facts, that I tend to pass.

Plus like others have pointed out, the Q&A method does seem to be oddly effective. Between Q&A and the honey-pot I've never had to deal with spammers. Ironically, when we used phpBB on a site and DID get spammed, it was because we were a single release behind and the captcha we were using was breached.

Oh and like someone else mentioned, Q&A and honey-pots can be very cheap/fast/easy to implement. I wouldn't suggest going the "get all new software" route until you've exhausted all the custom approaches since migrating content and user accounts is a BIG deal. Ugh.

You have my sympathies BPL gang!

Edited by aeriksson on 10/23/2012 20:21:25 MDT.

Hartley F
(backpackerchick) - MLife

Locale: Planet Earth
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/24/2012 14:35:58 MDT Print View

Bad plan! Think longterm. And please...no CAPTCHA or similar. Impossible.

Edited by backpackerchick on 10/24/2012 14:38:09 MDT.

Joseph R
(Dianoda) - MLife

Locale: Chicago, IL
Re: Q&A on 10/24/2012 14:51:21 MDT Print View

I agree with Dan - registration questions would likely do the trick. Another similar option (but not just text based) - have a picture and ask the registrant: "How many people are in the picture above?"

Dena Kelley
(EagleRiverDee) - M

Locale: Eagle River, Alaska
Q&A on 10/24/2012 16:09:39 MDT Print View

I prefer the Q&A idea. CAPTCHA always feels more like GOTCHA to me because half the time I can't read the darn thing. It seems to do a better job blocking people than bots.

Greg Mihalik
(greg23) - M

Locale: Colorado
Re: Q&A on 10/24/2012 20:20:54 MDT Print View

From Wikipedia -

"CAPTCHA is vulnerable to a relay attack that uses humans to solve the puzzles. One approach involves relaying the puzzles to a group of human operators who can solve CAPTCHAs. In this scheme, a computer fills out a form and when it reaches a CAPTCHA, it gives the CAPTCHA to the human operator to solve.

Spammers pay about $0.80 to $1.20 for each 1,000 solved CAPTCHAs to companies employing human solvers in Bangladesh, China, India, and many other developing nations.[23] Other sources cite a cost as low as $0.50 for each 1,000 solved."

Someone is out there waiting to make $.001 on your challenge....

Nothing is as simple as you might hope.

Rex Sanders
(Rex) - M

Locale: Central California Coast
Re: Q&A on 10/26/2012 11:09:46 MDT Print View

Dan writes:
>Q) When it's winter, precipitation most commonly falls as...

A) Rain

At least within 100 miles of here. Lots of rain where I live. Snow is headline news.

I'd probably fail this test.

Maybe tests like this should allow for a small number of reasonable answers, e.g. snow, rain, tree drip :-)

And my friends in Houston would also answer "rain".

"From the redwood forest, to the gulf stream waters
This land was made for you and me."
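The registration check discussed in this thread (a Q&A question that accepts a small set of reasonable answers, a honey-pot field, and the fake success message on failure), as an added example that is not part of any post and not BPL's or phpBB's code. The form field names, the question ids, the accepted-answer sets and the `website` honey-pot field are assumptions; the sample submissions are constructed.

```python
import re
import unicodedata

# Constructed question bank. The question text comes from the thread; the
# accepted-answer sets are assumptions. A few reasonable answers are allowed
# so that a human in a rainy climate is not locked out.
QUESTIONS = {
    "precip": ("When it's winter, precipitation most commonly falls as...",
               {"snow", "rain"}),
    "pack": ("What you use to hold your gear (hint: goes on your back).",
             {"backpack", "pack", "rucksack"}),
}

# Hypothetical honey-pot field: present in the HTML but hidden with CSS, so a
# person leaves it empty while a form-filling bot tends to populate it.
HONEYPOT_FIELD = "website"

# The same response is returned whether or not the account was created, so an
# automated client gets no signal that it was filtered.
SUCCESS = {"status": 200, "message": "Registration complete. Check your e-mail."}

ARTICLES = {"a", "an", "the"}


def normalize(answer):
    """Fold case, drop punctuation and a leading article: ' A Backpack!' -> 'backpack'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    words = re.sub(r"[^a-z0-9 ]", " ", text).split()
    if words and words[0] in ARTICLES:
        words = words[1:]
    return " ".join(words)


def answer_ok(question_id, answer):
    """True only for a known question and one of its accepted answers."""
    entry = QUESTIONS.get(question_id)
    if entry is None:
        return False
    _, accepted = entry
    return normalize(answer) in accepted


def failed_checks(form):
    """Return the list of checks this submission failed (empty list = pass)."""
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot")
    # In a real form the question id would be kept in the server-side session;
    # it travels in the form here only to keep the example self-contained.
    if not answer_ok(form.get("question_id", ""), form.get("answer", "")):
        reasons.append("qa")
    return reasons


def handle_registration(form, accounts, rejected):
    """Create the account or silently drop it; the visible response is identical."""
    username = form.get("username", "")
    reasons = failed_checks(form)
    if reasons:
        # Kept for the moderators; never shown to the client.
        rejected.append({"username": username, "reasons": reasons})
    else:
        accounts.append(username)
    return dict(SUCCESS)


def demo():
    """Run five constructed submissions through the handler."""
    forms = [
        {"username": "rex", "question_id": "precip", "answer": "Rain."},
        {"username": "dan", "question_id": "pack", "answer": "a backpack",
         HONEYPOT_FIELD: ""},
        {"username": "bot1", "question_id": "precip", "answer": "snow",
         HONEYPOT_FIELD: "http://example.invalid"},
        {"username": "bot2", "question_id": "pack", "answer": "cheap watches"},
        {"username": "bot3", HONEYPOT_FIELD: "http://example.invalid"},
    ]
    accounts, rejected = [], []
    responses = [handle_registration(f, accounts, rejected) for f in forms]
    return accounts, rejected, responses


if __name__ == "__main__":
    accounts, rejected, responses = demo()
    print("created:", accounts)
    for entry in rejected:
        print("dropped:", entry["username"], entry["reasons"])
```
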

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Q&A on 10/26/2012 12:37:44 MDT Print View

Yeah, a simple method for spammers is to simply register themselves, as humans. Then bot as many posts as they can before getting knocked off. Obviously, this has been tried and results in large amounts of spam.

If a spammer can make money on spam messages, then spamming will be done. Someone, somewhere will benefit. Besides using automagic techniques, which can all be broken, there needs to be a cost associated with it that allows the registering party to have some confidence that it is MORE expensive to register and spam than simply ignore the site. Using "slave" labour means no cost. If he has to pay, he won't.

Even delaying him by moderating his posts really is not a solution. It is only another delay. In any group of ten people, chances are they can type ten reasonable messages to get by this moderation...then spammmmmmmmmmm.

I would suggest a refundable cost, or guarantee, when registering. If you start spamming, it is forfeit. Or a membership fee, as is now in place. Anything that makes the spam more expensive than not.

Just another thought to add to the mix...

HK Newman
(hknewman) - MLife

Locale: I get around
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/26/2012 13:21:03 MDT Print View

It seems to me if spammers can hire cheap labor to solve "captchas", they could be hired to solve Q&A's as well. Perhaps a trial membership, returnable (prorated) if no spamming took place, would be the best option? Maybe a separate category for industry reps?

Alec E
(aeriksson) - M

Locale: Austin, TX
Re: Re: Q&A on 10/26/2012 13:44:06 MDT Print View

Having just spent the last four years of my life in Houston, I think an appropriate answer would actually be "what's winter?". ;-D

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/26/2012 14:34:22 MDT Print View

> It seems to me if spammers can hire cheap labor to solve "captchas", they could be hired to solve Q&A's as well. Perhaps a trial membership, returnable (prorated) if no spamming took place, would be the best option?

You would kill your forum if you instituted such a policy. It's bad enough ours is still blocked after 5 days. It would be interesting to know if anyone has joined.

I've never heard of a forum doing that, and human spammers have never been a problem for any forum I'm aware of that uses a reasonable anti-spam measure such as Q&A.

Brian Lindahl
(lindahlb) - MLife

Locale: Colorado Rockies
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/27/2012 07:58:13 MDT Print View

Just use the QA solution as a temporary stopgap instead of the paid membership. Waaay better in the short term, and you have to work on a long term solution either way.

Edited by lindahlb on 10/27/2012 08:11:12 MDT.

dan mchale
(wildlife) - MLife

Locale: Cascadia
inside job on 10/27/2012 12:04:42 MDT Print View

Maybe the spamming is an inside job! HaHa!

I am always perplexed by the people that complain about having to cough up $25.00 for something they love. What a joke. Some people say there are other forums. I say go to your other forums. There is only one BPL. Viva BPL! At least this will end the spam on the Carbon Flame War thread or somebody will have to cough up at least $25.00!

From another point of view; Anyone that studies forums much will notice that it's always the same damn people that post - to me, that gets old fast - that to me means a forum is dead. It even looks as if the people that participate in them get paid to be there. It seems different here at BPL. I think it may be more effective if people pay to talk rather than get paid to talk. There seems to be a wider participation here than the usual forums - people even pay to play. There is more quality here and a quality that is worth investing in. I think much of the quality here comes about because people are attracted that have the ability to assess the value of things - it makes for a more colorful playing field. It sure is a good thing that if someone does not like that, they can go elsewhere to play - would be terrible if they couldn't!

Edited by wildlife on 10/27/2012 13:32:59 MDT.

Snap Judgement
(kthompson) - MLife

Locale: Eel River Valley
Re: Viva BPL on 10/27/2012 13:22:30 MDT Print View

Just spammed again, by a non member.

Better get with it. Should have been fixed already. It's embarrassing how long you have been talking about updating the site. And now it has come to this. Seriously, It has been year upon year of talk. I can dig up links, I have the free time.

I'd tell you to pat yourself on the back, but I'm actually thinking a bit lower. But I'll bet you're kicking yourself now anyway.

This sucks. Bad.

Perfect timing with your trip too. What cosmic powers are at work there? Having a spammer on the trip could be fun.

+1 with Dan. Viva BPL

Once again I ask for an exact $ figure on what it will cost to fix this problem. You might just get it. The forums are certainly valuable to a lot of us. Perhaps many of us find it more valuable than you do. Stating that only 20% of MLifers participate, access the forums, I can see how you can look past it/us.

Don't overlook the offers of help with this problem from forum members who work in this field. The answers to your problems may lie closer than you think.

My dear old mother has a saying, Sh*t or get off the pot.

The time for action has long since passed.

It's a big dang mess that we all saw coming. Told you so.

Edit: reversing my previous mo I added text to this post not deleting.

Edited by kthompson on 10/28/2012 19:22:11 MDT.

Ken Helwig
(kennyhel77) - MLife

Locale: Scotts Valley CA via San Jose, CA
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/27/2012 14:54:40 MDT Print View

Wow, and of course the usual edited by kthompson.......

nice positive post

Ken Helwig
(kennyhel77) - MLife

Locale: Scotts Valley CA via San Jose, CA
Re: Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/27/2012 14:56:34 MDT Print View

Dan, I have been thinking the same thing that it is someone that is disgruntled about BPL....really I do.

Tom Kirchner
(ouzel) - MLife

Locale: Pacific Northwest/Sierra
Re: Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/27/2012 18:04:08 MDT Print View

" Perhaps a trial membership, returnable (prorated) if no spamming took place, would be the best option?"



What is the reasoning that leads you to such a conclusion? If the registering party is guaranteed their money back after a month, what is the objection?

Snap Judgement
(kthompson) - MLife

Locale: Eel River Valley
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/27/2012 18:06:34 MDT Print View

Positive, smositive

This is messed up. Been messed up

We have all messed up

Yes I'm being harsh, negative, mean, hateful, trolling, what the f ever else you want to add on there.

As BPL's favorite critic(just ask)this is my role.

I'm mad because I care. I don't need Ken H. to act as my conscience. You're not qualified anyway.

To Thine self be true.

Don't like it, don't read it.

Nice train wreck.

Let's fix this.

Edited by kthompson on 10/27/2012 19:19:15 MDT.

a b
(Ice-axe)
Re: Obama Biden on 10/27/2012 19:50:58 MDT Print View

I just thought of another way to allow our friends in and keep what we already have.

We archive the current site as it is.

Then we open a new BPL on brand new software and begin a-new with everyone.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
BPL Forum Update on 10/28/2012 01:09:49 MDT Print View

Hi all

From Ryan just now:


I'm getting ready to leave in the morning to teach the WTS course in the Anaconda-Pintler Wilderness and will be away until next Monday.

1. I am unable to lock new registrations easily right now due to problems with the integration of registration for accounts with registration for subscriptions.

Therefore:

2. We will be installing a low-fee forum subscription that will allow users to post. When that happens, all users who were registered forum participants prior to the lockdown will be grandfathered in with a new subscription at no cost. I can't tell you when this will happen, but this is the short term solution, and would occur in a matter of 2 weeks perhaps.

That's all I can tell you right now, and it's about all we can do with the software we have; we are going to take some time to carefully evaluate longer term options.


'Low Fee' means a few dollars: not enough to scare anyone, but quite enough to stop the spammers who (I am told) get paid about $1 per 1000 postings.

Yes, the current Forum SW is a handicap, but it holds the Forum Archive. Do we want to lose that? Our first guess is No Way.

Cheers
Roger

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
BPL FORUM POLICY UPDATE on 10/28/2012 01:18:50 MDT Print View

Hi all

From Ryan just now:


I'm getting ready to leave in the morning to teach the WTS course in the Anaconda-Pintler Wilderness and will be away until next Monday.

1. I am unable to lock new registrations easily right now due to problems with the integration of registration for accounts with registration for subscriptions.

Therefore:

2. We will be installing a low-fee forum subscription that will allow users to post. When that happens, all users who were registered forum participants prior to the lockdown will be grandfathered in with a new subscription at no cost. I can't tell you when this will happen, but this is the short term solution, and would occur in a matter of 2 weeks perhaps.

That's all I can tell you right now, and it's about all we can do with the software we have; we are going to take some time to carefully evaluate longer term options.


'Low Fee' means a few dollars: not enough to scare anyone, but quite enough to stop the spammers who (I am told) get paid about $1 per 1000 postings.

Yes, the current Forum SW is a handicap, but it holds the Forum Archive. Do we want to lose that? Our first guess is No Way.

Cheers
Roger

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: BPL Forum Update on 10/28/2012 05:22:33 MDT Print View

Roger, Ryan, Good Job!

Yeah, I had suspected it was not about "what to do" so much as "How to do it."
Adding a single line of code is trivial. Determining where to put it in old code is often the more difficult task.

See below about not being able to code at ALL...

Edited by jamesdmarco on 10/29/2012 05:08:08 MDT.

Eric Blumensaadt
(Danepacker) - MLife

Locale: Mojave Desert
Multiple Defenses on 10/28/2012 12:28:58 MDT Print View

How about:

1. Using CAPTCHA to enter BPL (not log on)
2. Creating TWO levels of membership
a. Standard Membership at standard fee for posting and reading articles
b. Posting ONLY membership at $1. fee
3. spam/foreign language recognition software protection (Sorry amigos)

ESET's NOD software may be of some help.

G Kullenberg
(gkullen) - MLife
Tiered membership on 10/28/2012 14:17:47 MDT Print View

It seems that one way to counter the spam attack is to limit the number of allowed posts. I suggest that you consider a "tiered membership" in which $5/month buys you a limited number of posts, $15/month more posts/month, and $25 unlimited.

I don't mind paying for something that has real worth, and BPL certainly fits that description. The articles here are well worth paying for.

I also wish you'd bring back at least *some* ability to obtain gear of a UL/SUL nature. I miss the unique items you used to have available here, though I'm sure this was, for you, too much trouble and possibly too time-consuming an enterprise.

Good luck for the future. Not having this site would be a real loss.

Damien Tougas
(dtougas) - BPL Staff - F

Locale: Gaspé Peninsula
Re: Re: BPL Forum Update on 10/28/2012 21:29:21 MDT Print View

James, if it were as simple as figuring out where to put one line of code, we would have done it a long time ago. BPL runs on a hosted application - we do not have access to the code. We can't just dive-in and do anything we want. Being one of the tech advisors here, trust me when I say that we are doing all that we can :-)

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: Re: BPL Forum Update on 10/29/2012 05:35:55 MDT Print View

Damien,
Little you can do if you cannot even write code. Yeah, that is STILL the same problem, compounded by not being able to do ANY maintenance programming.

So, anything that was suggested, as far as coding, adding CAPTCHAs, programming questions, etc isn't really possible. This means all you can do is set parameters on an existing program.

Economics is the only viable solution. That is, making it cost more to spam than what they get paid to spam.

Yes, you guys are doing the best you can, given you aren't even allowed access to the code.

Erik Basil
(EBasil) - M

Locale: Atzlan
Re: Re: Re: BPL Forum Update on 10/29/2012 08:50:29 MDT Print View

" Being... one of the tech advisors here, trust me when I say that we are doing all that we can :-)"

Godspeed, then!

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: Re: Re: BPL Forum Update on 10/29/2012 10:26:30 MDT Print View

> BPL runs on a hosted application - we do not have access to the code.

Wow. Being as this forum software is nothing like any other I've come across, it sure seemed like a homemade solution. Are you suggesting you don't even have access to the database that houses all the post history so we won't lose anything whenever you do switch to something else?

You should be getting after your host then to update their software to control spam. Other than that, you're pretty well screwed for now except doing the $1 membership thing I guess.

Damien Tougas
(dtougas) - BPL Staff - F

Locale: Gaspé Peninsula
Re: BPL Forum Update on 10/29/2012 10:41:42 MDT Print View

Michael, no I was not suggesting that we don't have access to the data. I was just responding to the issue of access to the code for quickly resolving problems.

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: BPL Forum Update on 10/29/2012 11:05:11 MDT Print View

OK. That's good to know. I hope you've tested your backup strategy! ;)

Would have been nice to hear about the code problem from the start so we didn't suggest all these possible solutions. :)

Mike M
(mtwarden) - MLife

Locale: Montana
still attacking on 10/29/2012 13:05:35 MDT Print View

they're still attacking certain forums/threads- evidently the member only post isn't fully being applied to the entire site

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: still attacking on 10/29/2012 15:55:02 MDT Print View

I have noticed.
It is being investigated. One possibility is that these are 'dormant' accounts created some time ago. Dunno.

Cheers

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: still attacking on 10/29/2012 16:24:32 MDT Print View

Roger, I noticed that just previous to the new spammer, un-paid members were also posting on that thread. ????

Jim Sweeney
(swimjay) - MLife

Locale: Northern California
Spam payoff? on 10/29/2012 17:31:46 MDT Print View

What, I wonder, do the spammers get out of their attacks? This doesn't seem like a likely place to pick up customers for typical spam products.

jerry adams
(retiredjerry) - MLife

Locale: Oregon and Washington
Re: Spam payoff? on 10/29/2012 18:48:41 MDT Print View

Search Engine Optimization

If there's a link to their site, from BPL which is rated fairly high, then the rating for their site goes up

It has nothing to do with whether BPL readers will ever go to their site or buy anything

Then, when someone searches on google or whatever, for wedding dresses or whatever, their site will come up higher

Ken Helwig
(kennyhel77) - MLife

Locale: Scotts Valley CA via San Jose, CA
Re: Re: Spam payoff? on 10/29/2012 20:18:20 MDT Print View

sorry for my ignorance, but is it legal???

Tom Kirchner
(ouzel) - MLife

Locale: Pacific Northwest/Sierra
Why not on 10/29/2012 20:50:03 MDT Print View

cut to the chase, impose a guaranteed refundable after one month registration fee and stop these a$$holes in their tracks while a longer term solution is developed? Along with this, I think it would be fairly easy to waive this requirement for known, upstanding non members who have already proven their good citizenship, e.g. Bob Gross, Bucktoof Willy, Newton, et. al.

jerry adams
(retiredjerry) - MLife

Locale: Oregon and Washington
Re: Why not on 10/29/2012 21:14:02 MDT Print View

Many people will be scared off if you ask them to pay anything - you have access to their financial info

Maybe paypal would be safe

Erik Basil
(EBasil) - M

Locale: Atzlan
PayPal on 10/30/2012 07:29:44 MDT Print View

Use of PayPal would insulate the buyer from the website: no financial data would go to BPL or its servers. Some folks would still complain, of course.

There are two more issues with PayPal and/or refundable payments: 1) PayPal limits the time frame in which one may refund all of any fee paid (after that, the cut PayPal takes is permanent) and the dashboard for such work doesn't include alarm timers or the ability to code particular transactions after they occur. What seems like an "easy idea" wouldn't be so easy.

I know this because I process/account PayPal subscriptions to another website. So, my input to fellow BPL members is that: "a refundable fee isn't a viable solution to anything", because it would necessarily involve significant labor at the computer and shrieking by customers. Do you see whining and conspiracy theory, now? Ha ha ha ha!!!! Yeah.

"The Answer", visible to those outside the forest, is a migration to new forum software that includes modern, standard features. Here's hoping that move would not require migration to a new front end -- if it does, that's why nothing can happen fast.

jerry adams
(retiredjerry) - MLife

Locale: Oregon and Washington
Re: PayPal on 10/30/2012 08:35:46 MDT Print View

portlandhikers.org has similar spammers - seems like higher frequency lately

more moderators than just Rog

Four "clicks" to get rid of the spammer and all his posts

Adrian B
(adrianb) - MLife

Locale: Auckland, New Zealand
Your forum software should be retired on 11/01/2012 12:40:56 MDT Print View

March 2007: http://www.backpackinglight.com/cgi-bin/backpackinglight/forums/thread_display.html?forum_thread_id=9398

Edit: I forgot I have to manually code http links....

Edited by adrianb on 11/01/2012 12:42:53 MDT.

Adrian B
(adrianb) - MLife

Locale: Auckland, New Zealand
Re: Re: Re: BPL Forum Update on 11/01/2012 13:09:12 MDT Print View

Somehow despite the dated software, and obnoxious mid-thread ads, this remained one of the best forums I spend time on, because of the people. Now you've just shut a huge number of them out, with no short term prospect of return, and you hope this will raise the quality level?

I suggest rather than trying to extract money from reader generated content (forums), you take inspiration from the packrafting forums, and set up a separate independent forum with a "sponsored by BPL" link back to the pay site. See their (I think very admirable)forum mission and disclaimer.

Forums are not expensive to host, see http://www.activeboard.com/pricing.spark - starting at eight dollars a month (!) for 25,000 page views. You would probably get volunteers from here to help you with migration of the database.

Edited by adrianb on 11/01/2012 13:25:10 MDT.

Snap Judgement
(kthompson) - MLife

Locale: Eel River Valley
Re: BPL Forum Update on 11/04/2012 10:17:10 MST Print View

+1 Adrian

Any guess as to how long this situation will last? Well the pay to post situation. We all know about the software limitations. They have been built in. Adrian pointed out the problems with that choice years and years ago.

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 11/04/2012 22:21:58 MST Print View

More spam is hitting the backpacking.net forum, too, but nothing like here. Again, we have lots more moderators as well as alert members. I received ten spam notices (an unusually large number) in my email a few days ago, but one of the moderators in an earlier time zone got them all. I tend to pick up the ones that post about now (after 9 Pacific time) when the eastern time zones mods have gone to bed. We also notify the site owner so he can ban the ISPs. That seems to slow them down for a week or two at least, sometimes longer. We do monitor new members, since a lot of our spam comes from folks who post half a dozen innocuous messages and then insert their commercial links. We usually can spot them from the beginning (poor English and ISPs from Asia), but since we welcome international members we can't ban them until they actually post spam. We don't wait, though, for those whose posts are complete gibberish and whose ISPs are identified as known spam sites (easily found by googling the ISP number).

Edited by hikinggranny on 11/04/2012 22:28:15 MST.

Thayne N
(teethless) - MLife

Locale: SF CA
two bits on 11/06/2012 10:53:17 MST Print View

Sucks to hear about the spam. Would love to see the forums opened up free of charge to non-members which is what got lots of us here in the first place...

If any improvement or change to the forums is to come, may I suggest improving the PM system? It's nice to have it archived and accessible, the current bpl setup is tedious!

John Donewar
(Newton) - MLife

Locale: Southeastern Louisiana
Re: two bits on 11/06/2012 13:21:55 MST Print View

We're still getting spammed despite the countermeasures that BPL has taken by one "aallenhua billaaa".

Party On,

Newton

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
More spam!!! on 11/06/2012 13:29:51 MST Print View

Just clicked on "recent posts" and the spam post is right after this one!

EDIT, LATER: Roger got it! Thank you, Roger!

Edited by hikinggranny on 11/06/2012 17:23:55 MST.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: More spam!!! on 11/06/2012 17:38:07 MST Print View

We seem to still have some 'sleeper' registrations.
But with everyone's help, they are controllable.

Cheers (and thanks)

John Donewar
(Newton) - MLife

Locale: Southeastern Louisiana
Re: Re: More spam!!! on 11/07/2012 10:23:56 MST Print View

And there is still more coming through!

Look for "eelatevalri"

Party On,

Newton

Snap Judgement
(kthompson) - MLife

Locale: Eel River Valley
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 11/08/2012 06:57:25 MST Print View

Update?

Any realistic timeframe as to if this will be fixed? Or is this RJ's way of killing off the forum, the place where he gets criticized the most often?

I miss hearing from people who have given a lot to this community. Realizing though that since this is a business that those people who don't spend their money here are of no interest to the front office.

Would love to be proved wrong.

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 11/08/2012 07:10:56 MST Print View

I suspect (and fear) some of those well-loved non-paying members will choose not to return even if it costs them nothing. Truly a loss to the community. The longer this goes on the more likely it will be as well.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 11/08/2012 13:55:07 MST Print View

> is this RJ's way of killing off the forum, the place where he gets criticized the most often?
Ah Ken, you are too optimistic.
My understanding is that there should be at least a partial fix within days.

A permanent general solution to spammers may take a little longer.

Cheers

Snap Judgement
(kthompson) - MLife

Locale: Eel River Valley
BPL Forum Posting Policy Revision on 11/08/2012 16:46:26 MST Print View

A word from a BPLr with no financial stakes asked me to post his thought here, so I will.


Ken,

Since I am not able to post myself anymore would you mind posting this to the spam news thread on my behalf? If you don't wish to let me know and I will ask another paying member to do so. :)

I am sure I speak for a great many of the (currently) non-paying members when I say the way this is being handled seems more about encouraging membership fees and less about shutting out spammers. I have been a member of this community for years and have spent hundreds of dollars with BPL. Are you telling me that it is technically impossible to allow my account to post while not allowing accounts that are 10 minutes old from posting? For shame BPL. Either you are not being honest about your motives or you are not able to think through the consequences of your actions.

ChemE (Chris Lucas)

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re: BPL Forum Posting Policy Revision on 11/08/2012 19:56:36 MST Print View

> Are you telling me that it is technically impossible to allow my account to post
> while not allowing accounts that are 10 minutes old from posting?

With some Forum SW, that is correct. They do not have any provision for running a script which can look at the account creation date. Yes, I know, antique SW, but that's what the ISP has.

I expect Ryan to post an update within a few days. I KNOW he and Ben (our SW guy) have been working hard on a solution. I'll let Ryan explain soon.

Cheers

Rob Lee
(roblee) - M

Locale: Southern High Plains
Re: Re: BPL Forum Posting Policy Revision on 11/08/2012 20:51:06 MST Print View

It's interesting to see non-members complain they are being treated unfairly and paying members defending them. As long as this content is entertaining and informative to me I'll pay for the ride ($.07/day). Even though many are significant contributors and some are real characters, I really don't understand the attitude that I should be so enamored with non-paying posters that I should pay their way. Duh,this is a business. This reminds me of the majority of voters on Tuesday who want a seat on the wagon, and are perfectly willing to let me pull.

Nick Gatel
(ngatel) - MLife

Locale: Southern California
Re: Re: Re: BPL Forum Posting Policy Revision on 11/08/2012 22:25:19 MST

It's interesting to see non-members complain they are being treated unfairly and paying members defending them. As long as this content is entertaining and informative to me I'll pay for the ride ($.07/day). Even though many are significant contributors and some are real characters, I really don't understand the attitude that I should be so enamored with non-paying posters that I should pay their way. Duh, this is a business. This reminds me of the majority of voters on Tuesday who want a seat on the wagon, and are perfectly willing to let me pull.

--------------------

Rob,

If you have ever read some of my posts in Chaff, most would say I am an extreme Capitalist. There are some (many?) valuable non-paying members who for reasons of their own don't care to subscribe. Their absence is a greater loss to BPL, than not being able to participate is a loss to them. And I know for some of these folks money is not the issue at all.

Maybe the message is a subscription-based forum is not the best business model. Maybe for RJ it is - that decision is up to him.

Mary D
(hikinggranny) - MLife

Locale: Gateway to Columbia River Gorge
BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 11/08/2012 23:54:07 MST

Latest update from Ryan, posted this afternoon (Thurs 11/8) is here:
http://www.backpackinglight.com/cgi-bin/backpackinglight/forums/thread_display.html?forum_thread_id=70133&skip_to_post=599449#599449

Edited by hikinggranny on 11/08/2012 23:55:36 MST.

Richard Scruggs
(JRScruggs) - MLife

Locale: Oregon
Re: Re: Re: Re: BPL Forum Posting Policy Revision on 11/09/2012 00:17:21 MST

For myself, this website has been a great resource, even before Ryan set it up to host forums, and it continues to be a "special" place to learn a great deal about gear, skills, places, and people related to lightweight backpacking.

I don't recall which came along first after I discovered and started following BPL in its early years -- adding the forums or requiring membership for access to some areas -- but I do know for certain that, for me, the BPL website with or without forums has been worth the cost of paying for a subscription.

The forums have added value to the website, but they have also brought headaches, even more so lately with the spam.

Hope Ryan keeps BPL's website around a long time, with forums limited or otherwise, or even without forums. It's a truly great and unique resource.

(edited in the interest of brevity)

Edited by JRScruggs on 11/09/2012 00:18:58 MST.

Rob Lee
(roblee) - M

Locale: Southern High Plains
Re: Re: Re: Re: Re: BPL Forum Posting Policy Revision on 11/09/2012 20:14:05 MST

Nick said: "Maybe the message is a subscription-based forum is not the best business model. Maybe for RJ it is - that decision is up to him."

Absolutely.

Some of the comments read like a script from a bad relationship you should end, but you don't because you want to salvage the "investment". Ryan seems like a smart guy. If he wants the BPL forum to survive it probably will.