BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks


Ryan Smith
(ViolentGreen) - M

Locale: Southeast
Re: Moving forward on 10/22/2012 10:46:06 MDT

+1 to everything Will Webster has said.

In order for the site to continue, it MUST be a temporary fix. And by temporary I'm talking 2-3 weeks maximum. Many people only find value in the forums & reduced traffic means death to any forum. If the forum fails, membership will rely solely on the articles. With today's blogosphere, BPL is no longer the only place to find UL content so we don't want to go there.

On the more capitalistic side, this could prompt someone to create a new UL website that addresses the issues we've all had for years. (or buyout this one). Either way, I hope everything works out for all involved. Except for the spammers of course.

Ryan

Edited by ViolentGreen on 10/22/2012 10:48:45 MDT.

Dena Kelley
(EagleRiverDee) - M

Locale: Eagle River, Alaska
Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 11:01:05 MDT

While I agree this is better than the constant spam, I also agree with some other people here that believe that non-members contribute a lot to the forum content. I hope this is very temporary, because it will definitely affect the flow of information on the forum. And while some people may decide now is a good time to join, others may resent the idea that they are being forced to join to participate at any level. What I would rather have seen happen would have been that new unpaid members would have limited posting powers where all posts would be subject to moderator review prior to posting them up, with an instant ban on any new spam attempts. With Roger being the only moderator, of course, that would not be feasible but there have been a number of us (David, Mary, myself, others) that have offered to step up and become temporary moderators to help with the spam situation. Perhaps that's not an option with this software, however. The forum I administrate is on PHPBB and the tools available there may be different.

Tony Wong
(Valshar) - MLife

Locale: San Francisco Bay Area
Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 12:16:21 MDT

Would it make sense to have a $1 membership for new people signing up where it allows them access just to the forums and a limited number of "intro to UL backpacking" articles for something like 1 month?

Allows people to experience the value of the forums and some of the articles.

Teaser version of a membership to give the new people a reason to sign up for an annual membership while limiting the SPAM problem.

-Tony

Eric Lundquist
(cobberman) - F

Locale: Dry side of the Eastern Sierra
Re: Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 12:40:01 MDT

There are several non-paying members who contribute more than the paying ones to the quality of the forums. During this time of member only forums I think that some of these top contributors should be gifted a temporary membership (1-month?) so that they can remain active.

Is it not possible to stop new registrations and thereby no new spammers? I assume you could, thereby keeping the ability of non-paying members to contribute.

Edit: I've removed some of my post after seeing Roger's reply regarding this being a temporary solution

Edited by cobberman on 10/22/2012 15:56:10 MDT.

tyler marlow
(like.sisyphus) - M

Locale: Southeast
this really bums me out! on 10/22/2012 14:52:01 MDT

My renewal period just came up and I almost let it lapse.

I really love this forum but have been sad to see the way BPL is being run in some ways. I don't appreciate the lack of communication between BPL and us regular members in relation to the Lifers. Article content has taken a bit of a dive too.

I think that requiring membership to post would kill this forum.

I do understand the need though to do something about the spam. The forum was pretty much useless during the spam attack.

I hope this is only temporary, very temporary.

Any non-members that want to post in the meantime (except for gear swap), PM me and I'll be happy to post for you.

Roger Caffin
(rcaffin) - BPL Staff - MLife

Locale: Wollemi & Kosciusko NPs, Europe
Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 14:52:12 MDT

Dear All

This is ONLY A TEMPORARY FIX while BPL works out how to handle the problem!

Oh yes, we are very well aware of how many non-Members are valued contributors to the Forum channels. Please don't go away! We want to return to 'normal' ASAP.

I will repeat what has already been said elsewhere: this is a problem for a whole raft of website Forums across the Internet which were previously wide open: everyone is being hit. I suspect that the list of 'suitable spamming targets' has been massively increased just recently with the release of the 'upgraded' spamming SW, so that script kiddies have a whole new range of targets.

Let me also emphasise that the current spamming SW is extremely sophisticated. It knows how to create new member registrations and how to solve CAPTCHAS: the SW includes templates for this for hundreds (thousands?) of web sites. Most of the solutions which have been proposed on this Forum will not work against this SW.

But we WILL deal with it!

Cheers
Roger

jerry adams
(retiredjerry) - MLife

Locale: Oregon and Washington
Re: Re BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 15:49:10 MDT

Maybe it's possible to temporarily not allow any new people to register

Allow currently registered people to post

That would temporarily solve the problem without denying registered non-members the ability to post.

Are you sure this isn't a conspiracy to stop rightwingers from posting on the Romney/Ryan thread? : )

Tom Kirchner
(ouzel) - MLife

Locale: Pacific Northwest/Sierra
How about charging to register on 10/22/2012 17:10:48 MDT

with the option to request, and receive, a refund after a vetting period for those who do not wish to become members? Say 1 month?

Edited: This is meant only as a stopgap measure until more sophisticated methods of blocking SPAM are developed.

Edited by ouzel on 10/22/2012 17:12:09 MDT.

Hoot Filsinger
(filsinger) - MLife

Locale: Pacific Northwest
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/22/2012 22:32:43 MDT

This may turn out to be a positive shot in the arm for BPL. RJ is back at the helm, fixes may benefit all of us, and like a power outage we all need to appreciate what we hold in this community. Technology always comes with a price but the simple pleasures of our outdoor adventures are the bond for all of us. Sure, as of late a few cairns have been knocked over at BPL but we will still find OUR way.

Hoot

Alec E
(aeriksson) - M

Locale: Austin, TX
From the technical side of things.... on 10/22/2012 22:53:06 MDT

As a working web developer with lots of experience in maintaining forums both custom and off the shelf, there's a great many things you can do to minimize the spam bots. Many of them you've probably already thought of or are working to implement, so I won't ramble on, but here are my personal faves (feel free to message me if you want/need details):

- Captcha doesn't work, especially the commercial ones, because they're widely used and as such spammers work to crack them constantly. Break a mainstream Captcha service so your bot can spam it and suddenly thousands of sites become accessible; as such, a one-off solution is best because you become a niche that requires special attention. Take-away here: don't pay big bucks to subscribe to a Captcha service because, just like a $1 pay-wall, the hassle of trying to decode the really hard to understand graphics of numbers and stuff usually drives plenty of REAL people away from signing up.

- Randomized natural language question & answer. This one works well because bots can't read. Use some programming logic to generate questions such as "what's the third letter from the right in the word top-right of the screen" (if you're playing along, it would be "e" in "Help"). Sometimes you can get away with just having one question. For extra points, randomize the question between a dozen or so you set up in advance. For guru points, generate the questions programmatically by having the logic "scrape" your own page during the sign-up process for a random word out of a list of generated words. The more one-off the logic, while continuing to be pretty "natural language" in its query to human users, the better.

- The Honey Pot. Most spam bots sign up accounts by scraping/crawling your sign-up page and looking for telltale field names in your sign-up form. They do this by checking the "name" attribute typically, and us programmers are a lazy bunch if given half a chance, and will name our fields appropriately. Spam bots look for typically used language and LOVE things named "email" and "username" and so on. One VERY successful method is to set up a simple field in the sign-up form (visible, because bots ARE smart enough to ignore hidden things sometimes) and give the input field the "email" name, but on screen label it "If you're human, leave this empty". Bots will enter an email address, albeit fake, because they think it's a required field, and your own programming then throws out any submissions that include a value, when a human would know not to include anything. Extra Hater Points if you send the bot a "successful registration!" screen and email just to throw the persistent bots for a loop (bots will look for words like "success" in the page after trying to sign up a spam account). It should be said you should rename your ACTUAL name, email, and so on, fields to something obfuscated. I'm somewhat partial to "fleamail" or sometimes "spammersshoulddieofcancer" for "email". Should probably check all your fields and just change them to something confusing behind the scenes.

Anyhow, somehow I rambled. But yeah, you should be able to take care of making yourself a pretty low-yield target by creating a one-off system for sure. All told it's not a ton of programming (in fact it's a very minor amount) and should solve your problem.

Best of luck and let me know if you need any advice (I'm too busy to help code... sorry, day job of doing web stuff at a start-up means I get zero free time!) :(.

Edited by aeriksson on 10/22/2012 23:04:15 MDT.

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/23/2012 07:14:24 MDT

> This is intended to be a short term change in policy while we evaluate a number of options as we move forward. One of the options we will evaluate is whether or not to maintain this restriction indefinitely, or at least until we are able to upgrade to new forum software.

The solution to this is extremely simple. Simply add a question to the registration page that only a human with knowledge of the site can answer. Right now you have NO anti-spam measures that I could see other than checking for a valid email perhaps so it's a miracle we've not seen much more spam before this.

I've used this technique successfully for several years on my phpBB-based forum (thankfully it's built into the software now instead of having to mod it). I'm even 3 revisions behind in updating the forum software and haven't had a single spam registration since implementing this technique.

So just get your programmer to add a little code to add a question and check for a correct answer. Personally I would recommend something like "What is the 4-word slogan for BPL?" A: "pack less be more" (ignore case and punctuation). Problem solved with no cost and a few minutes of time.
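As an added example (not code from this thread or from BPL's own software), assuming a Python back end and hypothetical field names: it combines the honeypot and generated-letter question from Alec's post above with the case- and punctuation-insensitive slogan check Michael suggests, and shows the same "success" page to accepted and rejected submissions so a bot learns nothing from a rejection.

```python
import random
import re
import string

# Constructed illustration of the sign-up checks discussed in the thread:
# a honeypot field that keeps the bot-attractive name "email" but must stay
# empty, the real address moved to an obfuscated field name, a generated
# natural-language question, and a site-knowledge question compared with
# case and punctuation ignored. Field names below are hypothetical.

HONEYPOT_FIELD = "email"        # bots fill this; the label tells humans to leave it empty
REAL_EMAIL_FIELD = "fleamail"   # obfuscated name for the real address field
SLOGAN_ANSWER = "pack less be more"
ORDINALS = ["first", "second", "third"]
SUCCESS_PAGE = "Registration successful! Check your inbox."


def normalise(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    stripped = text.lower().translate(str.maketrans("", "", string.punctuation))
    return " ".join(stripped.split())


def generate_question(page_words, rng=random):
    """Ask for the n-th letter from the right of a visible page word; return (question, answer)."""
    word = rng.choice([w for w in page_words if len(w) >= 4])
    n = rng.randrange(1, len(ORDINALS) + 1)
    question = f"What is the {ORDINALS[n - 1]} letter from the right in the word '{word}'?"
    return question, word[-n].lower()   # expected answer is kept server-side


def validate_signup(form: dict, expected_letter: str):
    """Return (accepted, reason). The reason goes to the audit log only, never to the client."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    address = form.get(REAL_EMAIL_FIELD, "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", address):
        return False, "address missing or malformed"
    if normalise(form.get("letter", "")) != expected_letter:
        return False, "generated question wrong"
    if normalise(form.get("slogan", "")) != SLOGAN_ANSWER:
        return False, "slogan wrong"
    return True, "ok"


def handle_signup(form: dict, expected_letter: str, accounts: list, audit_log: list) -> str:
    """Create the account only on success, but render the same page either way."""
    accepted, reason = validate_signup(form, expected_letter)
    audit_log.append(reason)
    if accepted:
        accounts.append(form[REAL_EMAIL_FIELD].strip())
    # A rejected bot sees "success" too, so scanning the page for that word
    # tells it nothing about which check it failed.
    return SUCCESS_PAGE


if __name__ == "__main__":
    question, answer = generate_question(["Help", "Forums", "Login"], random.Random(42))
    print(question)
    human = {"email": "", "fleamail": "ann@example.org", "letter": answer, "slogan": "Pack less, be more!"}
    bot = {"email": "spam@example.net", "fleamail": "spam@example.net", "letter": "a", "slogan": "x"}
    accounts, log = [], []
    for form in (human, bot):
        handle_signup(form, answer, accounts, log)
    print(accounts, log)
```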

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/23/2012 08:51:26 MDT

"The solution to this is extremely simple. Simply add a question to the registration page that only a human with knowledge of the site can answer..."

Yeah, these are all good delaying tactics. AIs have time. They can do anything you can think of. And this is another good solution.

AI has many definitions, but I like to think of them as Turing did, as a response generator whose responses cannot be distinguished, person and machine. After all, that IS what we are talking about. How to distinguish between man and machine?

Question:
Every potential new member could be a robot. How do you distinguish them?
Answer:
You can not. Someone will build a better AI and log in, eventually.

Only by checking a potential new member's intent to use his membership can we check. Like using a different algorithm to solve complex multiplication (used for encryption), checking a person's "target of intent" becomes a matter of not validating his signing up (the obvious "become a member") but checking his posts for some valid content ("I have a question about sleeping bags...").

IFF the AI can solve this, then it doesn't matter, his posts are "valid" within the context of this site. I don't care if he is a person or machine. His posts are fine. He might start spamming after ten or twenty posts, but even people's computers have been known to be hacked and start spamming.

IFF his first post is spam, well, he needs to be gotten rid of (I favor hanging by his protruding member rendering him impotent...metaphorically speaking, of course.)

So, I would suggest a "logic" check by simply moderating his first couple posts rather than an "item" check that can be solved by brute force.

But, there is never a guarantee that a bot will not figure out something general in response, like "This is a great site!" Sorry, it needs to show a specific intent. Something that is NOT gleaned from anything on the web page, and by extension, the web site. And not so general that it can be responded to by simple word substitution for phrases on the page. "I like backpacking" from the web site would not be good enough. "I like" is general, "backpacking" was gleaned from the web page.

I think Roger is Australia's AI. How do I know? Maybe I am an AI. How do you know? Does it matter as long as Roger stays on subject, there, and I stay on the subject, here?

Erik Basil
(EBasil) - M

Locale: Atzlan
Plenty of ideas on 10/23/2012 08:59:34 MDT

Let me preface this by pointing out that I am absolutely sure what the headache the Admins have feels like and that I know multiple postings with "just ______, it's so obvious" in the theme can be frustrating.

However, some of the postings are full of good input from pros that know what they're doing. I like Mr. Eriksson's posting (even though I have a higher opinion of Captcha) and he provides some very good ideas that really can work. Where you have admins of phpBBS boards telling you what works for them, this is also significant, because that platform's not the most robust out there in terms of security -- so, if they've got solutions, they've probably been tested...

One thing I am sure of: an effective repair for this highly-disrupted site will involve replacement of the forums software. Replacing the front end is a big deal, but if the BBS can be severed and there's a functional bridge out there for the CMS/front to the forums, THIS IS THE FIX.

Of course, a new forum package would necessarily include a modernization of look and function. Note, however: modern features take more bandwidth and will allow more traffic, potentially driving overhead at BPL Corporate Towers UP. Who's gonna pay for the upgrades, programming, time and higher operating costs?

Michael Ray
(topshot) - MLife

Locale: Midwest
Re: Plenty of ideas on 10/23/2012 09:30:39 MDT

> Yeah, these are all good delaying tacticts. AI's have time. They can do anything you can think of.

Quite true, but unless you don't use an appropriate question, the Q&A method has been very effective for at least 3 years now. And as Erik pointed out above, phpBB is one of the most popular boards to hack and spam since it has one of the largest user bases, and this is still the most effective single solution.

I disagree that allowing a potential spammer to register in the first place is an acceptable thing since it will just take up the mods time to check the intent of the first few posts of each new user. I sure wouldn't want that job! It's far better to prevent them from registering in the first place. I do agree with HOW you filter spambots is crucial, which is why I suggested the slogan since it's contained within a picture rather than plain text. Yes, AI can "read" pics of course but it's going to take a long time to randomly pick the right combination of words you may be looking for since the slogan is not obvious.

> One thing I am sure of: an effective repair for this highly-disrupted site will involve replacement of the forums software.

While I know many would like to see that (I'm one of the few that don't mind the spartan software), that's not true in my solution. Simply add a question to the registration page and the code to check it to allow the registration process to continue. Literally a 5 min job for whoever designed it. At least it was just a couple of minutes for me to edit the php files before they finally added it into the base code.

Edit: I see Alexander's post above now (hadn't read it the first time I saw this thread) and I like the idea of "completing" the registration process with a fake success message if they fail the Q&A. So maybe that would take 10 minutes. :)

Edited by topshot on 10/23/2012 09:37:43 MDT.

James Marco
(jamesdmarco) - MLife

Locale: Finger Lakes
Re: Re: Plenty of ideas on 10/23/2012 09:53:38 MDT

"Quite true, but unless you don't use an appropriate question, the Q&A method has been very effective for at least 3 years now. And as Erik pointed out above, phpBB is one the most popular boards to hack and spam since it has one of the largest user bases and this is still the most effective single solution. ..."

Yes, of course. I didn't mean not using automated defenses, too. We definitely don't want to waste a moderator's time.

Dan Durston
(dandydan) - M

Locale: Cascadia
Q&A on 10/23/2012 16:33:42 MDT

I've been having really good results (i.e. perfect) with the Q&A method for a number of years now.

A few BPL related examples that could be incorporated into the registration process:

Q) When it's winter, precipitation most commonly falls as...
A) Snow

Q) What you use to hold your gear (hint: goes on your back).
A) Backpack

Mike M
(mtwarden) - MLife

Locale: Montana
Re: Q&A on 10/23/2012 20:00:05 MDT

glad you provided the answers Dan- I was at a loss there :)

Alec E
(aeriksson) - M

Locale: Austin, TX
Captcha and Light & Fast (Websites) on 10/23/2012 20:19:40 MDT

I should point out that captcha isn't all snake-oil; they definitely work. I just tend to discount them because most/all sites I've ever maintained would rather not erect a potential barrier to entry (and captchas, or for a lot of users anything that takes them longer than 20 seconds to fill out, are one) which could dissuade people from signing up and participating in the first place. Usually we had a "well if someone wants to spam us, at least that means we've made it, then we'll address the problem" attitude towards things, but obviously that doesn't work everywhere. We dubbed this "a problem we'd like to have". So in the end, yeah, there are some strong captcha services, but between the facts that they can be expensive, onerous for users, and that if a spammer breaks one service they have access to spam everyone using that service, I tend to pass.

Plus like others have pointed out, the Q&A method does seem to be oddly effective. Between Q&A and the honey-pot I've never had to deal with spammers. Ironically, when we used phpBB on a site and DID get spammed, it was because we were a single release behind and the captcha we were using was breached.

Oh and like someone else mentioned, Q&A and honey-pots can be very cheap/fast/easy to implement. I wouldn't suggest going the "get all new software" route until you've exhausted all the custom approaches since migrating content and user accounts is a BIG deal. Ugh.

You have my sympathies BPL gang!

Edited by aeriksson on 10/23/2012 20:21:25 MDT.

Hartley F
(backpackerchick) - MLife

Locale: Planet Earth
Re: BPL Forum Posting Policy Revision in Light of Recent SPAM Attacks on 10/24/2012 14:35:58 MDT

Bad plan! Think longterm. And please...no CAPTCHA or similar. Impossible.

Edited by backpackerchick on 10/24/2012 14:38:09 MDT.

Joseph R
(Dianoda) - MLife

Locale: Chicago, IL
Re: Q&A on 10/24/2012 14:51:21 MDT

I agree with Dan - registration questions would likely do the trick. Another similar option (but not just text based) - have a picture and ask the registrant: "How many people are in the picture above?"