Experts Round Table Network

Community Affairs => Propose and Consult => Topic started by: nicholassolutions on May 25, 2009, 05:16:09 PM



Title: spam prevention
Post by: nicholassolutions on May 25, 2009, 05:16:09 PM
I'd like to come up with a reasonable way to prevent spam on the site, while allowing legitimate new users to sign up. Here's what I am thinking. Please let me know your thoughts:

I. Principles:
1. The most important thing is that the limited time people spend here is productive. That means improving the site in meaningful ways, not just removing spam. This is even more important than getting new legitimate members. So, within reason, we have to prevent spammers from signing up, and remove the ones who are here.

2. It should still be possible for new users to sign up somehow.

3. #2 should not be too time consuming either, for the same reasons as in #1

II. Practice (my suggestions for actions to take)
1. Delete all accounts that are >3 months old and have no posts.
2. Disable automatic sign up.
3. Create an email address to write to in order to request an account.  Users will have to include their emails, proposed username, and a brief description of their interests and why they want to join. There is no review process; this just ensures that actual human beings are signing up. Unless things change, I predict we will get very few of these emails. The mail can fwd to me, huntress, and coral, who will make the account manually.
4. I will look into CAPTCHA options instead of #3, which may do a good job preventing bot signups, and then we will not need to manually make accounts.


Title: Re: spam prevention
Post by: coral1 on May 25, 2009, 05:46:09 PM
I was going to ask if #4 worked with our software.  ; )

I am looking at IP addys, and one I have up now lists signup attempts back to April 13, 2009, with Sender Verify fail. And 2 attempts today, with No Such User Here.

NARF! 
Somebody is yelling at me they can't get their grill going.  : (
I'll be back...


Title: Re: spam prevention
Post by: nicholassolutions on May 25, 2009, 06:10:56 PM
Quote
I was going to ask if #4 worked with our software.  ; )
In theory, yes, but in practice it may be a PITA. In general, our software is kind of patchy right now. I need to look around and see what is available, but it may be that the best thing to do is scrap what we have now, and rebuild with a forum, wiki, and articles. Everything else seems to have been pretty much unsuccessful anyhow. The idea would be to leave what we have now in the forum as an archive, and move everything else over to a new platform (which will no doubt get scrapped eventually itself). The main issue is whether I can migrate the users over to new software/databases...

For the time being, I'm going to disable new signups...



Title: Re: spam prevention
Post by: GrandSchtroumpf on May 26, 2009, 10:08:46 AM
how about using "member approval" in registration settings?
that's pretty easy to manage... i guess.


Title: Re: spam prevention
Post by: coral1 on May 26, 2009, 09:30:09 PM
Maybe a reply email with a site generated password before they can logon.


Title: Re: spam prevention
Post by: Huntress on May 27, 2009, 01:06:57 AM
I think CAPTCHA or re-CAPTCHA is probably the best way to go.  It does well on many other sites I'm on.

http://recaptcha.net/whyrecaptcha.html


Title: Re: spam prevention
Post by: nicholassolutions on May 28, 2009, 12:48:26 AM
Quote
how about using "member approval" in registration settings?
that's pretty easy to manage... i guess.
Yeah, that is what I turned on a couple days ago. The problem is, then we get tons of "spam" from the site every time a bot signs up (once every few minutes). It's hard to tell if the sign up is legit or a bot, so for any given signup it's difficult to decide whether to activate or not. The only reliable way would be to email the person and only activate if you get a response. But that could get to be a PITA very quickly.

Quote
Maybe a reply email with a site generated password before they can logon.
That's an interesting idea. There's no easy way to do that using the CMS we're running, so I think I'd have to write my own sign-up script, but it shouldn't be that hard. I've also got scripts from previous work that would be more or less drop-in solutions for the hard parts of this. I'll get back to you ;)

Quote
I think CAPTCHA or re-CAPTCHA is probably the best way to go. 
I like reCAPTCHA a lot, especially since it's pretty accessible, and it uses the user input to do something useful (digitize old books). I've had a pretty easy time setting it up on other sites. The problem is, hooking it into our current software is not super easy, and I don't want to spend time figuring it out. If I upgrade the forum, there are pre-existing solutions to link it in, though. This is one of many reasons to upgrade the forum and wiki, and ditch the current CMS, I think. I just need to make sure I can port at least the user info.


Title: Re: spam prevention
Post by: coral1 on May 28, 2009, 01:20:44 AM
Just had a thought, how much load will the password email put on the system?
Sending out passwords to bots seems like a waste.
Doing IP checks last night, I saw several with 6-8 hits on them. And I only did about half a dozen, before you killed the signup  (thank you).

Any way we can add a text box for them to type in the SUBMIT link, instead of them just clicking the button?
Maybe spell it in haxor, with instructions to type it correctly.
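
Added example, not part of the original thread and not the site's code: one way the "reply email with a site generated password" idea could be implemented in Python, with a per-IP throttle so repeat hits from one address do not each trigger a mail. `SignupGate`, its method names, and the limits are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumed limits for illustration; the thread does not specify any.
MAX_REQUESTS_PER_IP = 3        # mails allowed per IP per window
WINDOW_SECONDS = 3600
PASSWORD_TTL = 24 * 3600       # unused temporary passwords expire
PBKDF2_ROUNDS = 100_000


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SignupGate:
    """Hypothetical sign-up helper: throttles requests, issues one-time passwords."""

    def __init__(self, now=time.time):
        self._now = now
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted requests
        self._pending = {}                # username -> (salt, digest, expires)

    def request_account(self, username, ip):
        """Return a temporary password to e-mail, or None if the IP is throttled."""
        now = self._now()
        hits = self._hits[ip]
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= MAX_REQUESTS_PER_IP:
            return None                   # no mail goes out for repeat hits
        hits.append(now)
        password = secrets.token_urlsafe(12)   # 16 chars from the OS CSPRNG
        salt = secrets.token_bytes(16)
        # Only a salted hash is kept; the plaintext exists only in the e-mail.
        self._pending[username] = (salt, _digest(password, salt), now + PASSWORD_TTL)
        return password

    def first_login(self, username, password):
        """True once for the mailed password; caller then forces a password change."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, digest, expires = entry
        if self._now() > expires:
            del self._pending[username]
            return False
        if not hmac.compare_digest(_digest(password, salt), digest):
            return False
        del self._pending[username]       # the temporary password is single-use
        return True
```

The throttle only limits mail triggered by repeat hits from the same address; signups spread across many proxy IPs still need a human check or a CAPTCHA.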


Title: Re: spam prevention
Post by: Huntress on May 28, 2009, 01:30:14 AM
Just keep us updated on what you decide and need from us and we'll help in any way we can.  I've just been through the userlist and cleaned it up a bit.  Not sure why the ban filters aren't working right but that's moot since most of these are signed up via proxy accounts with different IPs.  Anyway....we're here.


Title: Re: spam prevention
Post by: GrandSchtroumpf on May 30, 2009, 03:17:56 AM
Are you saying that there is no email verification at all?
All the CMS i have looked at have that...
The system sends either the initial password (like drupal) or an activation link that needs to be clicked?
No wonder we have problems with spambots.


Title: Re: spam prevention
Post by: coral1 on May 30, 2009, 10:31:16 PM
Hmmm... looks like the notifs are down also. I didn't get one for GrandSchtroumpf's post.


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 10:55:07 AM
How odd.  I didn't get one for GS either but I did get one for coral1?  Must be an intermittent problem?


Found a bug...Tried to upload an avatar and got this--> The attachments upload directory is not writable. Your attachment or avatar cannot be saved.   Just a heads up.  Was wondering why I couldn't see any avatars.


Title: Re: spam prevention
Post by: coral1 on June 01, 2009, 09:10:41 PM
I think there is a problem with the Avatar directory.
They stopped showing up after the move, just the place holder was there.
And after a couple of days, I think Nick turned them off, because even that stopped showing.


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 09:14:31 PM
That's what I thought.


Title: Re: spam prevention
Post by: nicholassolutions on June 01, 2009, 10:10:09 PM
it was a server setting I forgot to update. should be fixed now ;)


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 10:15:33 PM
Sweet!  Thanks hun.


Title: Re: spam prevention
Post by: nicholassolutions on June 01, 2009, 10:27:27 PM
Quote
Are you saying that there is no email verification at all?
All the CMS i have looked at have that...
The system sends either the initial password (like drupal) or an activation link that needs to be clicked?
No wonder we have problems with spambots.

We have an email verification...but it's not that hard to write a program to sign up for a gmail account, sign up at a forum, and then check mail frequently and follow activation links (especially easy if it's a standard email hard-coded in the CMS). Not all of the spam bots seem to be doing that, but I think some do. That's why I'd like to come up with something that is a little harder for a computer to manage.


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 10:51:33 PM
I have an idea.  Can you set up an email account from the server that only the admins can access, then we can post in the news section that all registrations have to be made through that email.  That way we can filter the baddies and register the good ones manually.  Maybe require them to write a little note or something?


Title: Re: spam prevention
Post by: nicholassolutions on June 01, 2009, 11:06:12 PM
yeah that is sort of what I was thinking with #3 in my original post
Quote
3. Create an email address to write to in order to request an account.  Users will have to include their emails, proposed username, and a brief description of their interests and why they want to join. There is no review process; this just ensures that actual human beings are signing up. Unless things change, I predict we will get very few of these emails. The mail can fwd to me, huntress, and coral, who will make the account manually.

I'm a little worried it could be a PITA though. I guess it never hurts to try. There are two ways to do it:
1) Have an account on the server that you can check via webmail or your email program (thunderbird etc)
2) just set up an alias so that mail to that addy fwds to the admins (at whatever account you want)

which one works better for you guys?


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 11:09:57 PM
I, for one, have been doing these for quite some time so it kind of should fall on me.  I'd rather set up a pop3 in TBird like I used to have on the old servers when we were still .com.  I only work part-time now so have plenty of time to deal with it.


Title: Re: spam prevention
Post by: nicholassolutions on June 01, 2009, 11:12:07 PM
It's a deal :)
I'll set up an account and email you with the credentials.



Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 11:15:07 PM
Great!  :-)  After it's done I'll post instructions in the news section.


Title: Re: spam prevention
Post by: nicholassolutions on June 01, 2009, 11:17:30 PM
sounds good -- I'll also try to look through the forum code and see if I can insert a message to replace the one that says "registration disabled." If I can, I'll put whatever message you post over there also.


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 11:18:36 PM
Excellent.  :-)  I'm ready when you are.


Title: Re: spam prevention
Post by: coral1 on June 01, 2009, 11:19:30 PM
Ditto on the SWEET !   : )

HAHAHAHA... while I was typing out something like that, you 2 already did it.  : )

Yell if you need a hand.


Title: Re: spam prevention
Post by: Huntress on June 01, 2009, 11:21:00 PM
You know it!  ;-)  Thanks Craig.


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 12:27:07 AM
Please check the news on the main page.  :-)  It's all set now.  I will be getting the messages on my machine but they will also be left on the server for up to 7 days so that if anyone wants to give a hand and has access to the webmail then have at it!  ;-)


Title: Re: spam prevention
Post by: nicholassolutions on June 02, 2009, 12:29:05 AM
Looks good! I'll try to paste it into the register link too.


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 12:32:02 AM
Sweet!


Title: Re: spam prevention
Post by: coral1 on June 02, 2009, 12:40:58 AM
Do you have some way to mark them so we don't double up?

I am assuming you are already logged on there, since I can't get in, yet.
I will set up a pop tonight for OE, and try again tomorrow. It's past my bedtime.  : )


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 12:42:53 AM
WAIT!  If you set up the POP account you have to leave the messages on the server!  Make sure of that.


Title: Re: spam prevention
Post by: nicholassolutions on June 02, 2009, 12:49:36 AM
heheh, I can see this is stirring up trouble already =)

One (or both) of you can also use IMAP to prevent a conflict. Credentials/servers are the same.

I updated the text on the registration page. Let's see how it works out!


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 12:57:12 AM
I'll give it a test right now...Username=Muse


Title: Re: spam prevention
Post by: coral1 on June 02, 2009, 12:58:48 AM
Leave messages -- check

I was just going to do a test run. I won't do anything until we can sync our efforts. : D

I really need to get to bed now.


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 12:59:28 AM
LOL  It's giving an error but still gives the info at least.  ;-)


Title: Re: spam prevention
Post by: nicholassolutions on June 02, 2009, 01:03:25 AM
dang I forgot to fix that. Lemme try


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 01:07:34 AM
Just got my email for registering at least.  I think this will work well to deter a lot of the crap.  And as far as registrations go...I'll need to change the message to include "desired username"; password will be generated by whichever admin does the reg then sent to the user.  This way, all we have to do is search the usernames to see if they've already been done by another admin.


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 01:09:41 AM
News edited.

Quote
To register as a member here you will have to send an email with the subject "Register" then include your desired username and a brief message in the body to register@expertsrt.net Thank you!


Title: Re: spam prevention
Post by: nicholassolutions on June 02, 2009, 01:10:41 AM
Sounds like a plan. I fixed the registration screen message so it doesn't look like an error. I'll update the message in a second. Thanks for the help sorting this out. Now it's past my bedtime too :)

Talk to you guys soon. Probably not before the weekend - I got a bunch of junk to do this week.


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 01:11:59 AM
Ok hun.  ttys!  Sleep well both of you.


Title: Re: spam prevention
Post by: Huntress on June 02, 2009, 01:34:47 AM
GOT IT!  If you login through Horde you can mark messages as "Answered".  That won't work if we all use POP3 though.  :-/


Title: Re: spam prevention
Post by: coral1 on June 02, 2009, 09:40:40 PM
OK. I got in through Horde, and looked around a bit.
Inbox was empty, and I saw the 2 tests in Sent.

What are you using to generate passwords?


Title: Re: spam prevention
Post by: Huntress on June 03, 2009, 12:16:00 AM
Haven't had to yet.  I think we may have deterred the worst of it now.  It might be awhile before we get any new members again.

Besides, it doesn't really matter what the password is since they should change it as soon as they login.


Title: Re: spam prevention
Post by: coral1 on June 03, 2009, 08:49:22 PM
>> it doesn't really matter what the password is since...

That's kind of what I thought, but wanted to double check.

I don't want to furar things TOO soon.   ; )


Title: Re: spam prevention
Post by: coral1 on June 03, 2009, 09:44:07 PM
OK, what did I do wrong to get this:

[error message removed by matt for security]

I was trying to register a new user, and that's what I got when I hit the Register Button.
The email is from Nick Wilson, just in case it went out despite the error message.

update:

I just checked again, seems it did register him (Kestrel). I will go ahead and mark it Answered.


Title: Re: spam prevention
Post by: GrandSchtroumpf on June 03, 2009, 11:31:15 PM
i also got this message when posting a simple message...
you did not do anything wrong.
it's just the absolute path to the website that has changed.
a typical problem you encounter when migrating.


Title: Re: spam prevention
Post by: coral1 on June 03, 2009, 11:51:43 PM
OK.
Something else I noticed, when looking at his profile, my IP addy showed up in it.
May I assume this will 'fix' itself when he logs on the first time?


Title: Re: spam prevention
Post by: Huntress on June 04, 2009, 12:14:32 AM
Just got the same error.  Nick or Matt will have to look at it.  It's something in the coding.


Title: Re: spam prevention
Post by: coral1 on June 04, 2009, 12:31:57 AM
That's a relief.   : )

wow. moving Threads is mind numbingly tedious.   8 |


Title: Re: spam prevention
Post by: Huntress on June 04, 2009, 12:33:26 AM
Don't I know it!


Title: Re: spam prevention
Post by: coral1 on June 04, 2009, 12:42:23 AM
LOL.   Thanks. I needed a good laugh to "break the daze".   : )


Title: Re: spam prevention
Post by: nicholassolutions on June 04, 2009, 09:17:30 PM
The error should be fixed now -- lemme know if anything else pops up.


Title: Re: spam prevention
Post by: coral1 on June 04, 2009, 09:21:58 PM
You can count on it.  ; )


Title: Re: spam prevention
Post by: Huntress on June 24, 2009, 05:03:21 AM
grrr, now I can't get into the horde mailbox.  Did someone change the password or is it just plain down?  I haven't been checking my email like I used to and saw a new user registration.  Just wanted to remove it.

And the ban filters don't appear to be working properly either.  I added *@mail.ru and I don't think it's working.


Title: Re: spam prevention
Post by: coral1 on June 24, 2009, 05:59:06 PM
Horde is working for me. I've been checking it almost every night, and I just looked now.

There have been 2 requests that I put through, but it doesn't look like they have come back yet. I even sent a Welcome email from one of my gmail accounts and told them to yell if they had problems.

You want me to PM you the details?


Title: Re: spam prevention
Post by: Huntress on June 24, 2009, 07:18:24 PM
I saw the last one but you can send the one before that.