| Author |
 Topic Search  Topic Options
|
Arna 
Newbie
Joined: 09 August 2013
Location: Norway
Status: Offline
Points: 14
|
 Post Options
 Thanks(0)
 Quote  Reply
 Topic: WebWiz Forum + Captcha =?
Posted: 13 November 2013 at 11:12pm |
Hi! We're licensing the WebWiz Forum, and used to have Captcha installed up to version 9. Upon the upgrade; Captcha magically disappeared function-wise; but the version 10 source code is virtually "littered" with captcha references. :-)
The captcha documentation on http://downloads.webwiz.net/download-page.htm - http://downloads.webwiz.net/download-page.htm explains how to integrate captcha in any .asp page - but how do I simply enable the code already in place in WebWiz Forums?
I've found just 1 (open and accessible) reference (via in admin-ASPs, and that is within admin_post_topic_configure.asp, http://www.webwizcaptcha.com/ - Web Wiz CAPTCHA for Guest Posting".
Looking forward to hearing from you nice WebWiz administrators!
Best,
A-
|
 |
Arna
Newbie
Joined: 09 August 2013
Location: Norway
Status: Offline
Points: 14
|
Post Options
Thanks(0)
Quote Reply
Posted: 13 November 2013 at 11:29pm |
Btw, getting more the hang on it now; although captcha here and there, getting it into the forms is crucial to get it into action, it seems :-) The rest of the code (includes etc.) seems to be there already. This example probably tells it all; credit to Christine W. for original code (as far as I know):
<td width="50%" valign="top"> <input type="password" name="<% = strPasswordFormName %>" id="<% = strPasswordFormName %>" size="15" maxlength="20"<% If blnDemoMode Then Response.Write(" value=""letmein""") %> /> </td> </tr> <!-- Captcha code added, Webmaster, 14.11.2013 Credits to Christine for code in v. 9 --> <tr class="tableLedger"> <td colspan="2">Security Code Confirmation (required)</td> </tr> <tr class="tableRow"> <td width="50%" valign="top">CAPTCHA Security Code<br /><span class="smText">Please enter the code exactly as shown in image format.<br />Cookies must be enabled on your web browser.</span></td> <td width="50%" valign="top"><!--#include file="includes/CAPTCHA_form_inc.asp" --></td> </tr> <tr class="tableBottomRow"> <td valign="top" height="2" colspan="2" align="center"><input type="submit" name="Submit" value="Forum Login" /> <input type="reset" name="Reset" value="Reset Form" /> </td> <!-- Captcha code added, Webmaster, 14.11.2013 Credits to Christine for code in v. 9 --> |
|
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Post Options
Thanks(1)
Quote Reply
Posted: 14 November 2013 at 7:55am |
|
CAPTCHA was removed from Web Wiz Forums version 10 as it no-longer works against the more advanced bots that have CAPTCHA code OCR built in and can read CAPTCHA codes that even humans can not.
Instead Web Wiz Forums version 10 uses a number of complex session, encryption, and unique page/form systems that prevent automated registrations and logins.
|
|
|
|
Arna
Newbie
Joined: 09 August 2013
Location: Norway
Status: Offline
Points: 14
|
Post Options
Thanks(0)
Quote Reply
Posted: 15 November 2013 at 4:16pm |
Thank you for your swift reply, Bruce!
We appreciate the mechanisms added and extended in versjon 10, and we see that a lot of spam is stopped.
There are still too many robotized user registrations.
We do understand that that OCR may be a viable hacker tool to penetrate the current tekst-based captcha-system. Still, we believe that tools such as captcha relying on relatively human specific behaviour are important. Reading the barely readable, solving puzzles and answering seemlingly strange or complicated questions may give a most welcome and needed protection from robotized malware.
Your partner "Stop Forum Spam" are themselves using a modernized captcha with puzzle-like tasks for user registration, presumably not too easy for robots to bypass to readily.
If I may do suggest and improvement, user registration is indeed an area of improvement. Two-stage registration, moderated registration or captcha gen. 2 may give the extra layer of protection needed.
Our users are getting weary of the spam flooding through the gates recently, and I am anxious that we will eventually lose those users, and eventually the confidence we are absolutely reliant upon to get their confidence and continued participitation on our site.
Your sincerely,
Arna, co-webmaster.
Edited by Arna - 15 November 2013 at 9:26pm
|
|
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Post Options
Thanks(0)
Quote Reply
Posted: 16 November 2013 at 1:44pm |
We can not comment on security measures at StopForumSpam as we are not partnered with them, we do include integration with their service within Web Wiz Forums, but that is as far as the affiliation goes. We do host thousands of websites that use Web Wiz Forums and monitor them through custom rules in network gateway IPS services and log files and not seen any remote automated form submission that has got passed the current protection for the Forum Registration. We have seen remote form submission which is getting passed the post submission and will be putting in place extra measures on the next release. The Web Wiz Forums is a multiple stage process for registration already as you can not submit a registration directly to the Member Registration page. You have to go through the Member Agreement page which creates a unique registration form using encrypted form fields unique each time. Additional protection also comes from multiple tokens that are unique to each Registration form created. It is very complex with many multiple solutions in place that prevent remote form submission with many months spent on development and real world testing including on large forums we host for companies including MIcrosoft which are under constant attack from advanced automated submissions and other attacks. What you will see is real people registering using strange user names like '123TT7aV' and emails like 'a.b.c@gmail.com' to get around blocked usernames and email addresses in StopForumsSpames database. These spammers are real people working in modern day sweat shops working 12 hour days for a few dollars in order to spam forums. This is likely what you are seeing in forums. Most clients who complain to us of spam within Web Wiz Forums it is because they are not using the tools available to stop spammers. After setting up Web Wiz Forums to prevent spammers we see busy forums that are plague with spam drop from 20+ spam posts a day to 2 or 3 a month. The first thing you should do to prevent spam is create a new user ladder group for 0 to 10 points. This group should have posting URL's and images disabled as well as signatures. As spammers are paid by the number of forums they spam with links by having these disabled for new users spammers quickly move to easier targets. You should also make sure StopForumSpam is enabled and set to check for Usernames or IP Addresses. Other information on preventing spam is on the page below:- http://www.webwiz.net/web-wiz-forums/kb/spam-prevention.htm
|
|
|
|
Arna
Newbie
Joined: 09 August 2013
Location: Norway
Status: Offline
Points: 14
|
Post Options
Thanks(0)
Quote Reply
Posted: 18 November 2013 at 9:08pm |
Hi, Bruce! Thank you for a very thorough reply. I appreciate your time and effort spent answering us very much! You may very well be right that what remains of spamming is manual, and hence difficult to stop totally. It is no less very annoying, and as said earlier undermining the users trust in our site. Moderated registration may be the ultimate weapon against such manual spamming, since the harm is done once the posting is done alerting and alerming our users, although the spam today does cause any real harm since it is without harmful payload. It would be most appreciated to see such options added to user registration.
Yours sincerely,
Arna, co-webmaster. |
|
Arna
Newbie
Joined: 09 August 2013
Location: Norway
Status: Offline
Points: 14
|
Post Options
Thanks(0)
Quote Reply
Posted: 24 November 2013 at 9:32am |
|
Today, I've had the honor and pleasure of deleting a high number of "Bru49Z9" accounts on our 10.16 system. This is to say that we will certainly appreciate even more countermeasures from WebWiz :-)
Bruce, you were talking about a new version with more bells and whistles against unwanted user registrations and spam; when will these be put into action? Will it be with 10.18, 11.0, on this side of new years eve, or next year?
I'm asking simply because we will have to consider what to do next. I suppose that this is the eternal struggle between the bad guys (the underpaid workers of emerging (post-) industrialized countries), and the good guys (us, of course :-), and this means that it is a matter of trust. Trust that we will be able to fine-tune the solution, with e.g.
- geolocation controlling the possibility of user self-registrationg; e.g. letting GB users register and get into use immediately, whilst those of less fortunate countries are given the oppurtunity to establish accounts that are immediately blocked and/ore suspended from the start on, or not given the opportunity to register at all.
I realize that such changes will take some time, hence the wish to know a bit more about coming plans. OK - at least that much that I'm relieved, and så little that the "bad guys" will not be able to countermeasure before measures are put into action :-)
Sincerely yours,
Arna.
|
|
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Post Options
Thanks(0)
Quote Reply
Posted: 26 November 2013 at 7:42am |
|
The use of Geolocation requires expensive database subscriptions and components installed on servers.
We use Geolocation filtering on this forum, but the database subscription costs over $500 per year. Usually such systems are easy to implement and as there is high costs involved it is best to have this type of thing as a modification rather than in the core code.
The next version will likely be in the early part of next year. The present anti-spam measures if used and configured correctly are more than sufficient and present developer time is being used getting the Rich Text Editor to work correctly in IE 11.
|
|
|
|
