Captcha ... or Not

[notageek]

User: ElliottT
Reason: Spam

Banned, and cleaned up, thanks.

Catchpa discussion split split to its own topic from the Report topic.
-- NeddySeagoon
_________________
"Defeat is a state of mind. No one is ever defeated, until defeat has been accepted as a reality." -- Bruce Lee

[Old School]

User: ElliottT
Topic: Avengers Quicksilver Cosplay Costumes : Cosplaymade.com
Post: post 8425820
Reason: New user spambot, this is the first of 15 spams
_________________
www.otw20.com

The further a society drifts from truth, the more it will hate those who speak it.
George Orwell

[e3k]

[Amity88]

Topic: Are You Kidding Me?
Reason:

Bot is spamming our forums with junk.
_________________

[Amity88]

[Hu]

[e3k]

[Tony0945]

Thank You thank You Thank You, Hu!

What is a "street sign?" Any sign on a street? A sign giving the name of a street? Official signs on the street? Captcha does not seem to define that consistently.
What is a vehicle? Is a bicycle a vehicle? Is the front end of a car barely visible a vehicle?
I would think that bots have tried every combination and noted how to answer these. The same pictures are used. Just need a database with the answers. I hate spending 5 minutes on "try it again". No problem with the phrase Captcha's, but what if one is deaf? Or unfamiliar with English pronunciations?
A scourge on the internet.

If need be, I'd much rather see two factor identification to log on. Or a whitelist of IP addresses (won't help if mobile or using VPN).
Two factor identification won't help if a user is having e-mail trouble.

[Ant P.]

We could have an ArchLinux-style captcha (random obvious questions that take 5 seconds to answer, like "what name does Gentoo use for the arch commonly referred to as x86-64?")

It'd probably get rid of the random windows lusers that occasionally show up here too.

[Tony0945]

[Muso]

[Old School]

[krinn]

I don't really see the problem
* someone flooding OTW with threads
* the threads are just junk
* mostly done by non gentoo user

isn't that OTW normal life?

[e3k]

well you have the flood protection at irc or search delay at forums. why not do the same for opening new threads.
_________________

Flux & Contemplation - Portrait of an Artist in Isolation

[389292]

[szatox]

[Hu]

Setting aside the question of whether a captcha is viable given community constraints, there is also the practical problem of where the new gate would be placed. For the purpose of this post, I will assume that (1) captchas are an annoying, but acceptable and not insurmountable, hurdle to legitimate users and (2) captchas are an insurmountable hurdle to robots. (As I wrote in a prior post, I have doubts about the truth of (1) in our community, but for the sake of argument, let's assume it to be true.) The truth of (2) depends on what captcha implementation is chosen. For the sake of argument, I will assume a captcha implementation that makes (2) true.

Placing a captcha as a restriction on creating an account sounds appealing from the perspective of minimizing the burden members of the community, but it wouldn't be very helpful, I think. Most spam attacks have been done with one or very few accounts, so requiring the attacker to manually solve one captcha to register before he can start the spam bot with credentials is not a very useful hurdle.

Placing a captcha as a once-per-N-time-units barrier would be a bit more annoying to the community, but would again be fairly ineffective unless N-time-units is extremely low. Small scale spam attacks are almost immune to time-based limits since they only need to create a few posts, then they go silent on their own. Large scale spam attacks are rarer, but generally noticeable for the large volume of posts they create very quickly. I've fielded responses to a couple that continued posting for more than an hour.

Placing a captcha as a once-per-N-posts barrier could be effective against the large scale attacks, but small attacks are much more common, from what I have observed.

For both of the once-per-N models, there would be competing goals of setting a permissive limit to minimize the burden on legitimate users versus setting a strict limit to maximize the burden on spammers.

I think there are other, non-captcha approaches that could burden spammers while not substantially inconveniencing legitimate users. For example:

• Aggressively add rel="nofollow" on user-controlled links, with exemptions only for known-approved content. This should reduce the value spammers receive from posting spam links, and hopefully deter interest in using the forums to host spam links.
• Restrict posting of "untrusted" links by "untrusted" users. For this, a link would be trusted if it is on a whitelist of commonly and legitimately linked domains, like the pastebin hosts. A user would be trusted if they met some criteria such as minimum account age, minimum number of counted posts, etc. Tuning the heuristics for this rule could be tricky, but the goal is to let long-time posters ignore the new system entirely, while confining new users to doing only those things that legitimate new users need to do. Ideally, although this is likely not possible, we would want to reach the end result of Constructive.

Due to the intended use of the forums, we can't use more aggressive deterrents, like imposing a minimum account age before posting, without burdening users who just want to ask for help.

[krinn]

you have another way to deal with this:
all links are allow to be post (no whitelist), all links are hidden except to a group of users: logged users, or users from a group, which could be some kind of "reporter" or just base on their posts count

this way, anyone is untrust, and links are hidden, only "trust" users can see them because you know they will report if there is a problem with that link
the only "bad" effect is that new user will have harder time helping other, as they won't see any information provided as help in a thread thru a link

maybe a "no links shown to not log-in users" could be enough, as i think spam value more the number of people seeing them and clicking them (or robots) rather than real forum users seeing them and clicking them

[Ant P.]

New users immediately filling in half the profile fields (particularly all those dead IM services - aim and msn are *long* gone) should probably trip an automated check, too. Most of the spambots follow a consistent pattern there.