Checkbox Challenge, One Year Review
It was almost exactly one year ago today that I posted about what has become the final version of the Checkbox Challenge comment blocker for my WordPress blogs. At that time I was logging the comment attempts and the results of the challenge to a text file. Now I log things to a database so I can search them easier. I had thousands of entries in the text file log before I switched, and I did not bother to convert them. (I just checked; the text file was used from January of 2007 to August of 2007 and contains over 22,000 lines of data.)
The database logging process was added on August 1, 2007. So I ran for about seven months without the database log, and now have run for just over six months with the database logging in place. The results are, frankly, both astounding and a bit scary.
Here they are:
+----------+----------+
| log_code | count(*) |
+----------+----------+
|        0 |       60 |
|        1 |     5528 |
|        2 |    39880 |
+----------+----------+
A log code of zero means that a comment was successfully entered. A log code of 1 means that all of the checkboxes were marked. A log code of 2 means that none of the checkboxes were marked. Now you could argue that some of the comments blocked because none of the checkboxes were marked are because of human error, meaning the person simply did not read (or understand) the instructions. But I seriously doubt that nearly 40,000 comments were entered just because someone failed to read and follow the instructions. I would guess that at least 99% of those are legitimate spammers.
There are other codes that can come into play as well, but it seems that the checkbox challenge check is more than enough. For example, there are log codes for comments that mark the correct checkbox but enter too many links. There is another log code for comments that are over a certain size. Neither of these show up in the log because the comment failed the checkbox test first. Only one result code is logged per attempt, and that is the first failure.
There have also been 7 attempts to call the comment processing code directly (without first visiting a post), but that attack has dropped substantially because WordPress put a block for that into the base code some time back.
That means that the “signal to noise ratio” is extremely low. Since August of 2007, I have received 60 successful comments out of 45,468 attempts. That is barely over a tenth of a percent (0.13% to be exact). What a waste.
It’s too bad some people have nothing better to do.
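As an added example (not code from the original post or from the Checkbox Challenge plugin itself), the ordered check described above can be written as follows. It is in Python rather than the plugin's PHP so the logic stands alone; codes 0, 1 and 2 are the ones the post reports, while the code numbers for the wrong-box, link-count and size failures, the two thresholds, the field names and the "source" column are assumptions for this example. Only the first failing check is recorded, as in the post's log.

```python
import re
from collections import Counter

# Log codes as reported in the post.
LOG_OK = 0            # comment accepted
LOG_ALL_CHECKED = 1   # every checkbox was marked (typical bot behaviour)
LOG_NONE_CHECKED = 2  # no checkbox was marked
# The post mentions these checks but not their numeric codes; values assumed here.
LOG_WRONG_BOX = 3
LOG_TOO_MANY_LINKS = 4
LOG_TOO_LARGE = 5

MAX_LINKS = 2       # assumed threshold
MAX_LENGTH = 4000   # assumed threshold, in characters

LINK_RE = re.compile(r"https?://", re.IGNORECASE)


def check_submission(form, box_names, correct_box, source="comment"):
    """Run the checks in order and return (log_code, log_record).

    form: dict of posted field name -> value; a checkbox counts as marked
          when its name is present in the form (browsers omit unchecked boxes).
    box_names: all checkbox names rendered in the form (assume at least two).
    correct_box: the single box a human is instructed to mark.
    Only the first failure determines the code, mirroring the post's log.
    """
    checked = [name for name in box_names if name in form]
    body = form.get("comment", "")
    if len(checked) == len(box_names):
        code = LOG_ALL_CHECKED
    elif not checked:
        code = LOG_NONE_CHECKED
    elif checked != [correct_box]:
        code = LOG_WRONG_BOX
    elif len(LINK_RE.findall(body)) > MAX_LINKS:
        code = LOG_TOO_MANY_LINKS
    elif len(body) > MAX_LENGTH:
        code = LOG_TOO_LARGE
    else:
        code = LOG_OK
    # "source" records which form the challenge was embedded in (assumed column).
    record = {"source": source, "log_code": code, "author": form.get("author", "")}
    return code, record


def summarize(records):
    """Per-code counts plus the acceptance rate in percent (the post's 'signal to noise')."""
    counts = Counter(r["log_code"] for r in records)
    total = sum(counts.values())
    accepted = counts[LOG_OK]
    rate = (100.0 * accepted / total) if total else 0.0
    return counts, total, accepted, rate


def page_counts_example():
    """Constructed records that reproduce the counts reported in the post."""
    records = ([{"log_code": LOG_OK}] * 60
               + [{"log_code": LOG_ALL_CHECKED}] * 5528
               + [{"log_code": LOG_NONE_CHECKED}] * 39880)
    return summarize(records)


if __name__ == "__main__":
    boxes = ["cc_a", "cc_b", "cc_c"]
    print(check_submission({"cc_b": "on", "comment": "hello"}, boxes, "cc_b"))
    counts, total, accepted, rate = page_counts_example()
    print(f"{accepted} accepted of {total} attempts ({rate:.2f}%)")
```

The checkbox test runs before the link and size tests on purpose: a bot that marks nothing and stuffs the body with links is logged under code 2, which is why those later codes never appear in the post's table.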


I’ve always had guest posting enabled on a few of my forums, and just yesterday I started getting spam posts, whereas it had been almost a year since I got spam. Now I am thinking about adding the Check Box Challenge to the posting form for guests. That oughta slow them down, yet allow legitimate guests to post (and I do get legitimate guest posts!).
This also shows what logic these spammers use in their bots. Great for getting a feel for how they work.
I mention this because I allow guest posting, but I’ve removed the username field. So, all the posts I got, had these weird subjects like ‘Grom’. It was the script entering in the subject field, a value which would normally end up in the username field! This most likely means that these bots DO NOT scrape the page or read any HTML to get the name of the form fields, they simply go down the list and blindly fill out the forms, like a blind man who types, hits tab, goes on to next field, etc.
Good stuff.
Comment by Dog Cow — March 18, 2008 @ 3:24 pm
Hi, Dog Cow (moof!) and welcome to my blog. Thanks for your comment.
I have recently modified the Checkbox Challenge log so that it can be used for other challenges as well. For example, I started getting spammers posting on my contact form. Never mind that it doesn’t go anywhere except for me, apparently that’s attractive enough to enter their spam. So I have added a field to the checkbox challenge so I know where the boxes are used and the results for each. If you didn’t care to know where the source of the record was, you could probably use it as-is without too much effort for guest posting.
I do this by adding one extra line everywhere I use the challenge just before I do the first include:
Then the include file grabs the appropriate language strings based on the log type passed. That way there are still only minimal changes to the core, but the challenge code is a lot more flexible.
Comment by Dave Rathbun — March 18, 2008 @ 5:25 pm
I understand now why you didn’t provide a version of CC for posting– most boards don’t allow guest posting!
Anyway, instead of adding your extra files, I just pasted your code inline to posting.php, and being too lazy to add the config vars and ACP, I have hard-coded everything.
Instead of using message_die(), I use the $error_msg to make the error box appear, so the user doesn’t have to hit the back button. Of course, if the spammer (or user!) gets locked out, that uses message_die().
For the database log table, I cleared out the email and one other field, and have it enter the post’s subject instead. Everything else works out as-is. So far I have 1 valid entry (me testing it) and 28 spam posts.
A job well done, and I get to keep guest posting on my forums.
Comment by Dog Cow — March 21, 2008 @ 11:33 am
Sounds like you did a nice job; all I did was provide the idea.
Hope it continues to work for you.
I discovered an “abandoned” phpBB2 board the other day that I had set up about a year ago. It was a companion board to another board where I first tested the checkbox challenge. By “companion” I mean it was another board on the same domain name. Anyway, I was checking the mail logs on my server a few days ago and saw all sorts of emails being sent from that abandoned domain. When I took a look, there were thousands of registered users (all spammers) and tens of thousands of posts.
I dropped the board right away, and went out and found some other orphan boards I had set up for testing and forgotten about. It just goes to show that an unprotected phpBB2 board in the wilderness of the Internet is quickly overrun.
Comment by Dave Rathbun — March 21, 2008 @ 7:04 pm
I was trying to do that a few months ago– I set up a default phpBB board on my domain name as /phpBB2/ and gave it the weakest settings — no visual conf, guest posting allowed, etc. and I wanted to get spam posts and users just to collect data.
Turned out no one found it. I took it down, but next time I will probably have to find some way to covertly link to it, so hopefully the spammers will find it too. Or leave it up longer….
Comment by Dog Cow — March 22, 2008 @ 10:14 am
What sort of data do you want? I have a board that I can open up and collect data for a while, and I can guarantee you’ll get plenty of spam users and posts.
Comment by Dave Rathbun — March 23, 2008 @ 11:11 am
All kinds of things. Just this morning I was thinking about the time frequency– are the spam posts all made in the evening or night, or all throughout the day. If they are all made at certain time periods, then perhaps we could disable (or lessen) our anti-spam mods at those times when they are not so active.
Second, what sort of passwords are they using? I mentioned this elsewhere, but I have a bit of data about passwords the spam bots are using on my site– with more I could set up a password disallow list, or even a regex of some sort to catch the obvious ones. The bonus part about this is that it would get legitimate users to use better passwords, which is of course good.
Comment by Dog Cow — March 24, 2008 @ 2:01 pm
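The time-of-day question in the comment above can be answered directly from the challenge log. The following is an added example, not code from the post or from either commenter; the log rows are constructed for illustration, with the timestamp format and the (timestamp, log_code) shape as assumptions, and code 0 meaning an accepted post as in the post's table.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log: (timestamp, log_code); 0 = accepted, anything else = blocked.
SAMPLE_LOG = [
    ("2008-03-20 02:15:00", 2), ("2008-03-20 02:40:00", 2), ("2008-03-20 03:05:00", 1),
    ("2008-03-20 03:50:00", 2), ("2008-03-20 09:10:00", 0), ("2008-03-20 14:30:00", 2),
    ("2008-03-20 20:00:00", 0), ("2008-03-21 02:20:00", 2), ("2008-03-21 03:30:00", 2),
    ("2008-03-21 11:00:00", 0),
]


def blocked_by_hour(log):
    """Count blocked attempts (non-zero code) per hour of day, keyed 0..23."""
    hours = Counter()
    for stamp, code in log:
        if code != 0:
            hours[datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").hour] += 1
    return hours


def busiest_hours(log, top=3):
    """Return the `top` hours with the most blocked attempts and the share of
    all blocked attempts that fall inside them (ties broken by earlier hour)."""
    hours = blocked_by_hour(log)
    total = sum(hours.values())
    ranked = sorted(hours.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    share = sum(count for _, count in ranked) / total if total else 0.0
    return [hour for hour, _ in ranked], share


if __name__ == "__main__":
    for hour, count in sorted(blocked_by_hour(SAMPLE_LOG).items()):
        print(f"{hour:02d}:00  {'#' * count}")
    hours, share = busiest_hours(SAMPLE_LOG, top=2)
    print(f"busiest hours {hours} carry {share:.0%} of blocked attempts")
```

The share figure is the useful part of the output: it states how much of the blocked traffic a time-window policy would keep catching, and therefore how much would get through if the challenge were relaxed outside those hours.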
Would you please tell me the steps to allow guest posting in phpBB3? I am finding it much more complicated than with other forums. Please tell me step-by-step from opening the Admin panel on….
Thanks much. This is my first time using phpBB3 and really want to stay with it if I can figure this “guest posting” out.
Comment by Tom DeLands — August 18, 2008 @ 11:35 am
Hi, Tom, and welcome to my blog. To the best of my knowledge it’s just a question of setting up the permissions. I could tell you how to do it easily with version 2, but I’ve yet to really play with the admin panel for version 3 much.
I expect that a quick post in the phpBB3 support area at phpbb.com would be the best way to go.
Comment by Dave Rathbun — August 18, 2008 @ 4:57 pm