View previous topic :: View next topic |
Author |
Message |
notageek Tux's lil' helper
Joined: 05 Jun 2008 Posts: 135 Location: India
|
Posted: Sun Mar 01, 2020 4:49 am Post subject: Captcha ... or Not |
|
|
User: ElliottT
Reason: Spam
Banned, and cleaned up, thanks.
Catchpa discussion split split to its own topic from the Report topic.
-- NeddySeagoon _________________ "Defeat is a state of mind. No one is ever defeated, until defeat has been accepted as a reality." -- Bruce Lee |
|
Back to top |
|
|
Old School Apprentice
Joined: 20 Nov 2004 Posts: 252 Location: West Bank of the Coast Fork
|
|
Back to top |
|
|
e3k Guru
Joined: 01 Oct 2007 Posts: 515 Location: Quantum Flux
|
|
Back to top |
|
|
Amity88 Apprentice
Joined: 03 Jul 2010 Posts: 265 Location: Third planet from the Sun
|
Posted: Sun Mar 01, 2020 7:08 am Post subject: |
|
|
Topic: Are You Kidding Me?
Reason:
Bot is spamming our forums with junk. _________________
Ant P. wrote: | The enterprise distros sell their binaries. Canonical sells their users. |
Also... Be ignorant... Be happy! |
|
Back to top |
|
|
Amity88 Apprentice
Joined: 03 Jul 2010 Posts: 265 Location: Third planet from the Sun
|
Posted: Sun Mar 01, 2020 7:12 am Post subject: |
|
|
e3k wrote: | currently OTW flooded by this user with 20 new threads.
this could be handled automatically. no human opens that many so fast. |
Yup, it's prolly about time that we add a reCaptcha.
Not only is the bot spamming, the contents are totaly unreadable. The least they could do is to attack us with something that posts readable junk _________________
Ant P. wrote: | The enterprise distros sell their binaries. Canonical sells their users. |
Also... Be ignorant... Be happy! |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22725
|
Posted: Sun Mar 01, 2020 6:06 pm Post subject: |
|
|
Amity88 wrote: | Yup, it's prolly about time that we add a reCaptcha. | Absolutely not. Google captchas are a bane on the Internet and should never be used. They are broken with Javascript blocked. They require a graphical browser. We have historically kept the forums working for users who block Javascript and for users who are stuck using text-only browsers during early system setup. Enabling a Google reCaptcha would turn away users who need help during the install.
That doesn't even touch on the issues that some users have with interacting with Google as a gatekeeper. |
|
Back to top |
|
|
e3k Guru
Joined: 01 Oct 2007 Posts: 515 Location: Quantum Flux
|
Posted: Sun Mar 01, 2020 6:52 pm Post subject: |
|
|
Hu wrote: | Amity88 wrote: | Yup, it's prolly about time that we add a reCaptcha. | Absolutely not. Google captchas are a bane on the Internet and should never be used. They are broken with Javascript blocked. They require a graphical browser. We have historically kept the forums working for users who block Javascript and for users who are stuck using text-only browsers during early system setup. Enabling a Google reCaptcha would turn away users who need help during the install.
That doesn't even touch on the issues that some users have with interacting with Google as a gatekeeper. | simple statistics would put a hold on such behavior. what was your AI doing?! did you know the NASA coding guidelines do not allow endless loops? _________________
Flux & Contemplation - Portrait of an Artist in Isolation
Last edited by e3k on Sun Mar 01, 2020 7:13 pm; edited 1 time in total |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sun Mar 01, 2020 6:59 pm Post subject: |
|
|
Thank You thank You Thank You, Hu!
What is a "street sign?" Any sign on a street? A sign giving the name of a street? Official signs on the street? Captcha does not seem to define that consistently.
What is a vehicle? Is a bicycle a vehicle? Is the front end of a car barely visible a vehicle?
I would think that bots have tried every combination and noted how to answer these. The same pictures are used. Just need a database with the answers. I hate spending 5 minutes on "try it again". No problem with the phrase Captcha's, but what if one is deaf? Or unfamiliar with English pronunciations?
A scourge on the internet.
If need be, I'd much rather see two factor identification to log on. Or a whitelist of IP addresses (won't help if mobile or using VPN).
Two factor identification won't help if a user is having e-mail trouble.
Last edited by Tony0945 on Sun Mar 01, 2020 7:01 pm; edited 1 time in total |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sun Mar 01, 2020 7:01 pm Post subject: |
|
|
We could have an ArchLinux-style captcha (random obvious questions that take 5 seconds to answer, like "what name does Gentoo use for the arch commonly referred to as x86-64?")
It'd probably get rid of the random windows lusers that occasionally show up here too. |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Sun Mar 01, 2020 7:03 pm Post subject: |
|
|
Ant P. wrote: | We could have an ArchLinux-style captcha (random obvious questions that take 5 seconds to answer, like "what name does Gentoo use for the arch commonly referred to as x86-64?") |
I'll bite. What name DO we use? |
|
Back to top |
|
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Sun Mar 01, 2020 7:24 pm Post subject: |
|
|
Tony0945 wrote: | Ant P. wrote: | We could have an ArchLinux-style captcha (random obvious questions that take 5 seconds to answer, like "what name does Gentoo use for the arch commonly referred to as x86-64?") |
I'll bite. What name DO we use? |
amd64 _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
Back to top |
|
|
Old School Apprentice
Joined: 20 Nov 2004 Posts: 252 Location: West Bank of the Coast Fork
|
Posted: Sun Mar 01, 2020 9:31 pm Post subject: |
|
|
Tony0945 wrote: | Thank You thank You Thank You, Hu!
What is a "street sign?" Any sign on a street? A sign giving the name of a street? Official signs on the street? Captcha does not seem to define that consistently.
What is a vehicle? Is a bicycle a vehicle? Is the front end of a car barely visible a vehicle?
I would think that bots have tried every combination and noted how to answer these. The same pictures are used. Just need a database with the answers. I hate spending 5 minutes on "try it again". No problem with the phrase Captcha's, but what if one is deaf? Or unfamiliar with English pronunciations?
A scourge on the internet.
If need be, I'd much rather see two factor identification to log on. Or a whitelist of IP addresses (won't help if mobile or using VPN).
Two factor identification won't help if a user is having e-mail trouble. | ++ _________________ www.otw20.com
The further a society drifts from truth, the more it will hate those who speak it.
George Orwell |
|
Back to top |
|
|
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
Posted: Mon Mar 02, 2020 6:10 am Post subject: |
|
|
I don't really see the problem
* someone flooding OTW with threads
* the threads are just junk
* mostly done by non gentoo user
isn't that OTW normal life? |
|
Back to top |
|
|
e3k Guru
Joined: 01 Oct 2007 Posts: 515 Location: Quantum Flux
|
|
Back to top |
|
|
389292 Guru
Joined: 26 Mar 2019 Posts: 504
|
Posted: Mon Mar 02, 2020 9:13 am Post subject: |
|
|
Ant P. wrote: | We could have an ArchLinux-style captcha (random obvious questions that take 5 seconds to answer, like "what name does Gentoo use for the arch commonly referred to as x86-64?") |
I would fail this one. It should be better paraphrased - "Another name for x86-64 architecture?". |
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3461
|
Posted: Mon Mar 02, 2020 7:43 pm Post subject: |
|
|
Tony0945 wrote: | Ant P. wrote: | We could have an ArchLinux-style captcha (random obvious questions that take 5 seconds to answer, like "what name does Gentoo use for the arch commonly referred to as x86-64?") |
I'll bite. What name DO we use? |
I've seen some of those on other forums too, questions based on local community stereotypes.
What does ATI do? (A: sucks - from a gaming forum)
Any my personal favorite: Which is our capital city? (A: the ugly one - i hope I haven't butchered this one in translation, Poles will understand )
Still, I'd rather not have captcha unless it's really REALLY necessary. Hopefully upgrading the scripts will be enough to keep the vast majority of the bots out anyway. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22725
|
Posted: Wed Mar 04, 2020 2:03 am Post subject: |
|
|
Setting aside the question of whether a captcha is viable given community constraints, there is also the practical problem of where the new gate would be placed. For the purpose of this post, I will assume that (1) captchas are an annoying, but acceptable and not insurmountable, hurdle to legitimate users and (2) captchas are an insurmountable hurdle to robots. (As I wrote in a prior post, I have doubts about the truth of (1) in our community, but for the sake of argument, let's assume it to be true.) The truth of (2) depends on what captcha implementation is chosen. For the sake of argument, I will assume a captcha implementation that makes (2) true.
Placing a captcha as a restriction on creating an account sounds appealing from the perspective of minimizing the burden members of the community, but it wouldn't be very helpful, I think. Most spam attacks have been done with one or very few accounts, so requiring the attacker to manually solve one captcha to register before he can start the spam bot with credentials is not a very useful hurdle.
Placing a captcha as a once-per-N-time-units barrier would be a bit more annoying to the community, but would again be fairly ineffective unless N-time-units is extremely low. Small scale spam attacks are almost immune to time-based limits since they only need to create a few posts, then they go silent on their own. Large scale spam attacks are rarer, but generally noticeable for the large volume of posts they create very quickly. I've fielded responses to a couple that continued posting for more than an hour.
Placing a captcha as a once-per-N-posts barrier could be effective against the large scale attacks, but small attacks are much more common, from what I have observed.
For both of the once-per-N models, there would be competing goals of setting a permissive limit to minimize the burden on legitimate users versus setting a strict limit to maximize the burden on spammers.
I think there are other, non-captcha approaches that could burden spammers while not substantially inconveniencing legitimate users. For example:- Aggressively add rel="nofollow" on user-controlled links, with exemptions only for known-approved content. This should reduce the value spammers receive from posting spam links, and hopefully deter interest in using the forums to host spam links.
- Restrict posting of "untrusted" links by "untrusted" users. For this, a link would be trusted if it is on a whitelist of commonly and legitimately linked domains, like the pastebin hosts. A user would be trusted if they met some criteria such as minimum account age, minimum number of counted posts, etc. Tuning the heuristics for this rule could be tricky, but the goal is to let long-time posters ignore the new system entirely, while confining new users to doing only those things that legitimate new users need to do. Ideally, although this is likely not possible, we would want to reach the end result of Constructive.
Due to the intended use of the forums, we can't use more aggressive deterrents, like imposing a minimum account age before posting, without burdening users who just want to ask for help. |
|
Back to top |
|
|
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
Posted: Wed Mar 04, 2020 12:30 pm Post subject: |
|
|
you have another way to deal with this:
all links are allow to be post (no whitelist), all links are hidden except to a group of users: logged users, or users from a group, which could be some kind of "reporter" or just base on their posts count
this way, anyone is untrust, and links are hidden, only "trust" users can see them because you know they will report if there is a problem with that link
the only "bad" effect is that new user will have harder time helping other, as they won't see any information provided as help in a thread thru a link
maybe a "no links shown to not log-in users" could be enough, as i think spam value more the number of people seeing them and clicking them (or robots) rather than real forum users seeing them and clicking them |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Wed Mar 04, 2020 5:47 pm Post subject: |
|
|
New users immediately filling in half the profile fields (particularly all those dead IM services - aim and msn are *long* gone) should probably trip an automated check, too. Most of the spambots follow a consistent pattern there. |
|
Back to top |
|
|
|