Checkbox Challenge Test Results Are Positive
If you just want a summary, here it is: this MOD idea works.
If you want more details, Read …
Test Board #1 Results So Far
I finally had two users register on the first board where I installed this MOD. Both users are using Yahoo accounts. Both successfully navigated the checkbox challenge. Both activated their accounts, and both actually visited the board and logged on.
Neither has posted.
I did a Google search for both users, and only one showed up, and with only 2 hits. So neither has so far exhibited the type of behavior expected of a spammer. But these are the first two out of 128 attempts that have made it through the registration process. Both could actually be legitimate users. Time will tell.
There really is not much of a point to posting percentages or doing any sort of mathematical analysis on the numbers for this board as it’s really not active at all. That is not the case for my next example.
Test Board #2 Results So Far
My biggest board has logged over 400 registration attempts in a little less than a week. I have made some adjustments to the text shown on the registration form that seem to have helped actual users get through the process. I have also detected some new spammer domains. How are they detected? Have a look at these two log entries from the Checkbox Challenge log:
1177292768 | Mopoterder89@greatmailworld.com | Mopoterder89 | ccc17554
1177292769 | Norma@greatmailworld.com | Norma | ccc17554
The first number you see is the time stamp for the registration; note that they are one second apart. The second is the attempted email address, followed by the username. The last is the encoded IP address. Two registrations, one second apart, same IP address, same failure code (not shown) just screams “spammer” to me.
I have happily banned this email domain.
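The burst check described above, sketched as an added example (not the MOD's own code): it parses the four pipe-separated fields shown in the log excerpt and flags any encoded IP that registers different usernames within a few seconds. The 5-second window and all function names are assumptions; the failure code is not in the excerpt, so it is not used.

```python
from collections import defaultdict

# First two lines are the entries quoted in the post; the rest are constructed.
SAMPLE_LOG = """\
1177292768 | Mopoterder89@greatmailworld.com | Mopoterder89 | ccc17554
1177292769 | Norma@greatmailworld.com | Norma | ccc17554
1177293500 | alice@example.org | alice | 0a0b0c0d
1177297900 | bob@example.net | bob | 0a0b0c0d
not a log line
"""

def parse_line(line):
    """Return (timestamp, email, username, encoded_ip) or None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4 or not parts[0].isdigit() or "@" not in parts[1]:
        return None
    return int(parts[0]), parts[1], parts[2], parts[3]

def find_bursts(log_text, window=5):
    """Group entries by encoded IP and flag IPs where two different
    usernames were registered within `window` seconds (assumed threshold)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            by_ip[entry[3]].append(entry)
    bursts = {}
    for ip, entries in by_ip.items():
        entries.sort()  # chronological order within one IP
        hits = set()
        for prev, cur in zip(entries, entries[1:]):
            if cur[0] - prev[0] <= window and cur[2] != prev[2]:
                hits.update((prev, cur))
        if hits:
            bursts[ip] = sorted(hits)
    return bursts

def suspect_domains(bursts):
    """Email domains seen in flagged bursts, lowercased, for manual review."""
    return sorted({e[1].rsplit("@", 1)[1].lower()
                   for entries in bursts.values() for e in entries})

if __name__ == "__main__":
    found = find_bursts(SAMPLE_LOG)
    for ip, entries in found.items():
        print(ip, [e[2] for e in entries])
    print(suspect_domains(found))
```

The output is a review list, not an automatic ban list: a shared IP with widely spaced registrations (the constructed `0a0b0c0d` entries) is deliberately not flagged.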
If anyone wants to preemptively ban a bunch of spammers before they get to your board, there is a set of insert statements that you can copy / paste into phpMyAdmin or other SQL tool at the end of this post. The statements include the domain listed above as well as many others that I have captured over the past week that have exhibited spammer-like behaviors.
Real Users Take the Weekend Off
Another interesting tidbit: normal (successful) registrations take a steep dive over the weekend. Spammers do not.
Here is a graph showing the last six days of activity for my larger board.

The blue line represents successful registrations. Note how it takes a severe dip on Saturday, April 21, remains down for Sunday, and then jumps back up for Monday (today)? Yet the spammers do not stop for weekends. The number of failures for too many checkboxes (the red line) and failure to check the required checkbox (the orange line) remain nearly constant through the weekend. I am actually pleased at the drop in the orange line (no checks at all) because that indicates that fewer successful users are having to fill out the form twice. Ideally the only ones that will fail the registration attempts are those that cannot (or will not) read the screen. This includes registration-bots as well as impatient users, I guess.
The raw numbers: 54% of the registration attempts failed. Of these, by personal inspection, about 4% are legitimate users having problems with the form, leaving 50% of the user registration attempts for this board as spam-bots.
Fifty percent.
I used to be proud of the nearly 25,000 users registered on this board. Now I’m guessing that the actual number is much closer to about 15,000, with the rest being spammers. I’m not willing to drop it down quite to 50% as I have at least 12,000 users that have posted at least once. So I suspect that the real number is somewhere between 15,000 and 17,000 as far as legitimate users. That is still a lot of unwanted spam.
How does this compare to the WordPress results?
You might remember that this MOD was inspired by some code I wrote to help cut down on comment spam on my blog. The ratio of “errors” is actually reversed. If I take into account only the registrations on my larger board, 1/3 fail to click a checkbox and 2/3 click all of the checkboxes. On my blog, 2/3 of the blocked comments are because of a failure to click the checkbox, and 1/3 are rejected because all of the checkboxes are marked.
Coincidence? Pattern? I have no idea. You be the judge.
I can tell you that from my experience the WordPress comment-bots are a lot more active than the phpBB reg-bots. I have blocked over 3,500 comments on my blog in the past 23 days. That’s 160 attempted comments per day.
What about domain registration dates?
Regular blog readers might remember that a while back I talked about preventing users from domains that were “too new”. Ironically, the domain listed above was created on April 21, 2007, just two days before they tried to register on my board. Seems there is some life left in that idea after all. In fact, I am planning to add the domain age check to this MOD as an optional second line of defense. I never pursued it as a primary idea for a MOD because I found that a decent percentage of domains did not report a creation date, rendering the MOD less useful as a stand-alone tactic.
But as an addendum to the Checkbox Challenge I think it has promise. It will, of course, be admin configurable as to whether to enable this feature or not.
Summary
So I think that the jury is no longer out. I think that this is – at least for the time being – a viable option in the battle against spammers. My activation percentage has gone up nearly 5% since adding the code to my biggest board. And yes, I realize that some spammers (many nowadays) can activate their accounts. But by blocking those that are not likely to activate, my activation percentage has climbed from 75% to 80%.
I will start formally developing this MOD and integrating it with the Domain Age Check. When? Just as soon as I get the time.
Some Suspected Spammer Domains
Use this at your own discretion. I believe them to be spammers based on their behavior. Your mileage may vary.
insert into phpbb_banlist (ban_email) values ("*@bestmailguide.com");
insert into phpbb_banlist (ban_email) values ("*@byemailsite.com");
insert into phpbb_banlist (ban_email) values ("*@candoyoudude.org");
insert into phpbb_banlist (ban_email) values ("*@cherrysolutionss.com");
insert into phpbb_banlist (ban_email) values ("*@dsg0283y02g3.org");
insert into phpbb_banlist (ban_email) values ("*@email-me-letter.info");
insert into phpbb_banlist (ban_email) values ("*@floridafreemail.com");
insert into phpbb_banlist (ban_email) values ("*@freemailacc.com");
insert into phpbb_banlist (ban_email) values ("*@freemaildirect.com");
insert into phpbb_banlist (ban_email) values ("*@freemailid.com");
insert into phpbb_banlist (ban_email) values ("*@gemmails.com");
insert into phpbb_banlist (ban_email) values ("*@goglemailoffice.com");
insert into phpbb_banlist (ban_email) values ("*@greatmailworld.com");
insert into phpbb_banlist (ban_email) values ("*@illusioncorpmail.com");
insert into phpbb_banlist (ban_email) values ("*@itua.info");
insert into phpbb_banlist (ban_email) values ("*@iyxv.info");
insert into phpbb_banlist (ban_email) values ("*@jessyparkeronline.org");
insert into phpbb_banlist (ban_email) values ("*@junklessmail.com");
insert into phpbb_banlist (ban_email) values ("*@somaildot.com");
insert into phpbb_banlist (ban_email) values ("*@somefreemailserv.com");


Dave,
Part of the reason why this approach works is because it’s unique. I built my own 2-stage registration and threw away the PHPBB version and have experienced 100% success over 4 months now. It’s not worth anyone’s time to build a script for one site. The danger of a mod is that with widespread adoption, it does become worth the time to develop a smarter bot.
I was just now trying to think of a better way to mark the right checkbox, maybe using CSS + borders and having javascript modify the element onload, but all my ideas would ultimately fail. The problem is that the browser has to render the right box differently. Any bot built to handle this technique if encountered can back out what the right answer is (it’s all on the HTML page somewhere). Do you see what I’m getting at?
John
Comment by John Marino — April 24, 2007 @ 1:45 am
Hi, John, and thank you for your comments. I actually thought a long time about whether to release this as a MOD for just the reason(s) you mention.
I have tried to add in a lot of variability to the MOD. Each board admin can determine how many checkboxes there are. They can determine the name of the form field elements. They can alter how the checkboxes are marked. It is my hope that this will provide enough variability that the bots will still be confused.
I also experimented with using hidden “div” tags so that every checkbox was “marked” in the same way. That would mean that the user only sees one set of *’s to mark the confirmation checkbox, but that a bot or anyone scanning the source would see *’s around all of the checkboxes.
But I do believe that you are correct. If this MOD becomes very popular it will start to fail.
Comment by dave.rathbun — April 24, 2007 @ 9:13 am
Thanks a lot, Dave. I’d been noticing some of the suspected spammer domains that you listed above were infiltrating my forum. Your list helped me build my ‘ban’ list. I’ve also noticed that people who use email addresses ending with “.ru” or addresses with random letters are also usually spammers.
Anyway, thanks again.
Comment by adia — April 25, 2007 @ 5:04 pm
Adia, you are most welcome. I had another list of spammers in this post if you want some more.
Comment by dave.rathbun — April 26, 2007 @ 6:58 am
There is a hack for IPB boards to import/export a ban list.
And this list is updated permanently here:
http://www.invisionfuse.com/forums/index.php?showtopic=272
Best regards
Degas
Comment by eMule France — May 1, 2007 @ 12:42 am