Forum update [was: the forum is flooded by Spam. What can I do ?]

I’ve hacked the login page with a second username field and a honeypot field. Hopefully this will elude the spammers for a while.

Fingers crossed.

Thanks for taking the time to come up with a solution

Well, this time the implementation delay wasn’t so much lack of time but lack of moments with relatively clear thinking to offer the possible solution after two years of sleep-deprived nights :sunglasses:

Only 6 spammers this morning

Yeah, that didn’t take them long to work around. If this doesn’t stop soon we’ll have to implement heavier measures. Next step in fighting the spam is to add post moderation for new users so that new posts only appear on the forum when a moderator approves them. Lots of work but almost guaranteed no spam anymore.

A heads up:
With FluxBB 1.5.8 the forum can automatically promote users from e.g. a New Member group to a Member group (currently all registered forum users are Members except the moderators and admin). When we combine this function with a post moderation system then (obvious) spam would not become visible on the forum, significantly reducing the incentive for spammers to attempt posting. Moderators would only have to approve posts from New Member and after (say) five approved posts the New Member would automatically upgrade to full Member whose posts are not actively moderated.

This week I’ve successfully tested the upgrade from Fluxbb 1.4.8 (current version) to 1.5.8 (latest version). Some modifications to the current forum software will initially be lost but can be added again after the upgrade to 1.5.8. The first obvious modification to re-implement would be the remote user authentication against the main OSM website API. When this is up-and-running the post moderation mod will be installed in the following days.

Sounds good?

Only issue I see with post-moderation is the “Users: *” forums and foreign languages, especially Cyrillic and Asian languages (i.e. non-Latin character sets). But we’ll see how it goes.

As it stands now I’ll start upgrading this evening, depending on real-world necessities (i.e. household and baby stuff that needs to be done). :slight_smile:

Forum software upgrade has finished. Next is applying the various modifications…

… fixed various counters that were out of sync (post count, topic counts, etc) and removed orphaned last_post references and such. Fixed a bug in a FluxBB plugin as well during this process.

… forum registration is disabled so only existing members can login. Will take a while before new OSM users will be able to login again because I’ve decided that the post moderation should be implemented first.

… new New Member group created with restricted permissions (e.g. unable to send emails as the spammers were using the forum email system to send email spam).

… about half way through adding the post moderation modification. Will continue tomorrow when time permits. New users won’t be able to join the forum for now unfortunately.

The main issue so far - fixed width of forum. 22" @ 1680x1050 does not look that good.

Great job, Lambertus :slight_smile:

One minor problem: clicking on a link in a post does not open a new page like before.

Regards

walter

I am using a number of features in my squid proxy server to enhance anonymity a little bit:

reply_header_access Via deny all
reply_header_access X-Forwarded-For deny all
reply_header_access From deny all
reply_header_access Server deny all
reply_header_access WWW-Authenticate deny all
reply_header_access Link deny all
reply_header_access X-Cache-Lookup deny all
reply_header_access X-Squid-Error deny all
reply_header_access X-Cache deny all
reply_header_access Referer deny all
reply_header_access User-Agent deny all

So far I have had no problems using any of these features on any of the web pages I use until the upgrade of this very forum. Now using “reply_header_access Referer deny all” returns the following error while posting:

Bad HTTP_REFERER. You were referred to this page from an unauthorized source. If the problem persists please make sure that ‘Base URL’ is correctly set in Admin/Options and that you are visiting the forum by navigating to that URL. More information regarding the referrer check can be found in the FluxBB documentation.

I have disabled that line in squid to post this message, but I would hate it to be the last post as I am not going to turn it off just for one forum, sorry. Besides, does that enhance security of the forum anyway?

I have had Refcontrol as a Firefox plugin for years, never had a problem with it until now! Setting is “forge”, it sends the root of the site (e.g. forum.openstreetmap.org). Same problem “HTTP_REFERER”. Workaround is to add an exception, but is this security feature really necessary?

https://addons.mozilla.org/en-US/firefox/addon/refcontrol/

Does choosing one of the other styles (via your Profile page) help?

Yes, that’s one of the modifications I need to re-apply.
Edit: Should be fixed now

Re: Bad HTTP_REFERER
This seems to be a design flaw in FluxBB. I’m not a security expert, so I hope someone more knowledgeable can say if this modification would help? I.e. checking a token instead of the HTTP_REFERER?

Failing test post with Refcontrol on:
Referer header of POST request is: “http://forum.openstreetmap.org/”

Successful test post with Refcontrol off:
Referer header of POST request is: “http://forum.openstreetmap.org/post.php?action=post&tid=36900”

I see that this is a quite crude security measure by FluxBB; the patch might help here if it applies cleanly. If there is no other easy solution I can live with adding an exception in Refcontrol.

Post moderation is implemented now. Existing users should have no trouble posting anywhere, but there are several options at various places so it might need some tinkering to get all settings correct. Please report problems if you encounter one.

@Lambertus - thanks for all your efforts (and to the moderators too). Hope you get some sleep now :slight_smile:

You’re welcome.

Now, in order of importance, the following mods:

  • OSM API authentication so that new users can enter the forum (new registrations are disabled for now) → Finished.
  • fix the ‘bad referrer’ problem by implementing a CSRF synchronizer token pattern. Thanks Jojo4u for the feedback.
  • Easy BBCode & quick quote
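The two test posts above (a stripped Referer of “http://forum.openstreetmap.org/” rejected, the full post.php Referer accepted) and the planned CSRF synchronizer token mod are illustrated below in an added example. This is not FluxBB’s code: `referer_check` is a model of the observed behaviour (the Referer must point at the forum’s own base URL and posting script), and the token functions, session dictionary and form field name `csrf_token` are this example’s own assumptions.

```python
"""Added example, not FluxBB's own code.

Shows why a Referer-based CSRF check fails for users behind a privacy proxy
(Squid 'reply_header_access Referer deny all') or RefControl in 'forge' mode,
and how a per-session synchronizer token accepts the same request without
depending on the Referer header at all.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# FluxBB's 'Base URL' option as mentioned in the error message on this page.
BASE_URL = "http://forum.openstreetmap.org"
POST_SCRIPT = "/post.php"  # assumed posting script, as seen in the accepted Referer


def referer_check(referer: Optional[str]) -> bool:
    """Model of the crude check described in the thread (assumption, not
    FluxBB's exact logic): the Referer must be a URL on the forum's own host
    that points at the posting script. Anything that strips the header or
    forges it down to the site root fails, even for a legitimate user."""
    if not referer:
        return False
    ref, base = urlparse(referer), urlparse(BASE_URL)
    return (
        ref.scheme == base.scheme
        and ref.netloc == base.netloc
        and ref.path == POST_SCRIPT
    )


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token pattern, step 1: generate an unguessable token,
    store it server-side in the user's session and embed it in the form."""
    token = secrets.token_hex(32)  # 256 bits of CSPRNG-derived randomness
    session["csrf_token"] = token
    return token


def render_post_form(session: dict) -> str:
    """Hidden field carrying the token; a cross-site page cannot read it
    because it is served only to the logged-in user's own browser."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/post.php?action=post">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<textarea name="message"></textarea></form>'
    )


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Step 2: the submitted field must match the session's stored token.
    compare_digest avoids leaking the token through timing differences."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: dict, form: dict, referer: Optional[str]) -> str:
    """Token-based acceptance: the Referer is logged for diagnostics only
    and no longer decides whether the post is accepted."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return "rejected: bad or missing csrf_token"
    # Rotate the token so a submitted value cannot be replayed.
    issue_csrf_token(session)
    return "accepted"


if __name__ == "__main__":
    # Constructed sample values taken from the test posts on this page.
    stripped = "http://forum.openstreetmap.org/"
    full = "http://forum.openstreetmap.org/post.php?action=post&tid=36900"
    print("referer check, stripped:", referer_check(stripped))   # False
    print("referer check, full:    ", referer_check(full))       # True

    session: dict = {}
    html = render_post_form(session)
    token = session["csrf_token"]
    print("token check, no Referer:", handle_post(session, {"csrf_token": token}, None))
```

The token check accepts the post whether the proxy removes the Referer, RefControl forges it, or the browser sends it in full, which is what the thread's "checking a token instead of the HTTP_REFERER" amounts to; the stored token should be compared in constant time and rotated after use, as above.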

When editing/creating messages, I don’t see the handy buttons to format my text. BBCode is on.

This is probably because of a not yet re-applied mod. (other thread)

Actually I like the “new” way. While it is easy to open a link in a new window or tab (with shift+click or ctrl+click) the user cannot decide to open it in the same tab if it is forced by the software.

edit: https://css-tricks.com/use-target_blank/

Thanks for the forum upgrade. Continuously deleting Spam messages and getting flooded with even more reports was pretty annoying.

The new premoderation seems to work pretty well. I don’t know whether it is intended as a feature, but I like that I can approve posts for parts of the forum that I do not have moderation rights for. It speeds up processing and as long as the mod can understand the language of the post, he can easily tell whether it is SPAM.

bye, Nop