Dandello wrote on Oct 4^th, 2014 at 9:30pm:

Do you think it's blocking that The Guardian™ would have blocked anyway, or are you telling us that those bots actually defeated YaBB's security? The reason I ask is because I get the following in our error log:

"You tried to use scripting in the url or form input, which is not allowed!"

However, I could care less about those errors because scripting still hasn't caused any problems. YaBB's security wall has stopped it all.

On the other hand, if you're telling us that The Guardian™ is outdated, and needs additional help to stop scripts, that's bad news indeed. If that's the case, then it seems I've been very lucky over the last few years since I've been able to stop scripting spam-bots cold without any issues.

As such, I'll remain happy that our 2.4 forum seems to be operating just fine.

Keep in mind that there will be what seem to be failed blockings of spam-bots because another "utility" has blocked them, although had they not been blocked by that utility, another utility would have blocked them. In other words, from my perspective, YaBB can still stand against spam-bots whether they're trying to pass through malicious code, or they're trying to register, and subsequently post their spam. Shall I no longer presume those things?

I had this a bit earlier today:
Sorry, this service is for registered members only.

~~~~~YaBB.pl?board=&action=viewprofile

17 attempts per minute, but I can not tell for how long as I only had my log set to 100 entries and it was filled up. I traced the IP back to Germany, and I upped my error log to 500 entries.

Ah, stopping them on multiple failed attempts would be very helpful in our forum ... just as you deccribed it ... this is what commonly happens in our forum as well ... probably pretty common in most YaBB forums.

In our forum I've appended the default error message of "Sorry, this service is for registered members only."

Instead, it reads, "Sorry, this service is for registered members only. However, membership is free, so please become a member by clicking Register on the menu above."

I believe that spam-bot attempts to view profiles is done to harvest any email addresses that may be listed. Partly because of that, our forum allows members to hide their email addresses from the public. I like that YaBB presents email addresses as a java script link instead of the email address itself even if a member makes it public. Of course, auto-bots can still harvest those otherwise hidden email addresses with a script.

Edited:

Dandello wrote on Oct 5^th, 2014 at 5:52am:

That's actually incorrect (at least as I've referenced with the links to other 2.4 forums below). In our 2.4 forum as I pointed out, links to a member's profile produces an error message, even when you click on a last poster name. The appended error message that comes up in our 2.4 forum is as follows:

"Sorry, this service is for registered members only. However, membership is free, so please become a member by clicking Register on the menu above."

For a quick reference, check out the following forums that are still using the 2.4 version (randomly chosen):

http://www.theartofbooks.com/forum/YaBB.pl

http://www.scurion.ch/cgi-bin/yabb24/YaBB.pl

http://www.ephs1960.com/cgi-bin/yabb2/YaBB.pl

http://www.fnxbasic.com/cgi-bin/yabb2/YaBB.pl

***********************************************

Dandello wrote on Oct 5^th, 2014 at 5:52am:

That's only a certain segment of auto-harvesters. Another segment of an auto-harvester is one that captures a web page, searches for email addresses, and then filters everything else out but those email addresses ... just one way to harvest that data.

Yet aother segment of an auto-harvester is one that employ scripts, which are written to perform all of the necessary steps that a human would otherwise perform while registering. Even someone like myself who isn't experienced at writing code can pretty easily write a script to register in a YaBB forum. First, the auto-harvester is loaded up to retrieve a forum's register page, and then keystrokes are recorded.

This all started back in the days of writing DOS programs to perform certain tasks, some of which I wrote myself back in the eighties, of which none of mine were malicious. The scripts I remember writing were automated "how to" computer instructions for people who needed basic help to operate their computers. I also wrote simple programs. In practice as it was done back then, they'd insert a 5^1/4 inch floppy disk that I programmed to automatically start, and they'd be good to go.

But I digress. :

Basically, the way automated registration in a forum is done is by recording key stokes that become a form filler. I'm not giving away any secrets here, and I'm not being specific enough to cause any harm. As such, "Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts." A forum's registration page is simply another way a form filler can be used to automate the process.

The end result for automated spam-bots is that they can register memberships in a forum (not just in YaBB), and then post their spam using yet another bot for that. However, for years forums have been able to stop spam bots cold just as YaBB is able to do.

Bill Myers wrote on Oct 5^th, 2014 at 8:20am:


It's a LINK to the profile, Bill. Even if it only generates an error it's still a link! Maybe you don't care that your error log is filled with thousands of clicks on links that will only produce errors, but wouldn't it be better to not have those links showing to non-members if they're ONLY GOING TO PRODUCE ERRORS?

Red Barchetta wrote on Oct 5^th, 2014 at 3:00pm:

Exactly. Don't show them what they can't use.

Dandello wrote on Oct 5^th, 2014 at 2:08pm:

What I care about more is that guests can see they're missing out on being able to access a member's profile. As for the url of the profile being shown, a better alternative would be to show a simple message, perhaps as follows:

"Only members can access another member's profile."

I had a much longer reply detailing why I think it's fine that a guest can see the link to a member's profile, although I qualify that with my statement above. As for filling up my error log, it doesn't harm my forum, and I like having the ability to see what's causing spam-bot errors.