Steve Geddes |
2 people marked this as a favorite. |
Steve Geddes wrote: They'll just make a few posts along the lines of "Where can I buy this game?", "What's the strongest class?", "Which books should a newbie buy first?" get approved and then start making spam posts a week later with their approved account.
Meanwhile we get more spam - a whole bunch of genuine-sounding questions where the asker doesn't really care about the answer and the moderators have to address not only their concerns but also the legitimate new users (who are now deterred to some degree from coming here to ask questions).
Posts (especially initial ones) with questions like that should be redirected to an already-posted FAQ rather than blanket approval.
Which begins to impact on genuine users, and the moderators will now need to check the 'FAQ referred' accounts additional times, plus it involves a 'line' as to what kind of post is 'good enough to count' which is extra work for the moderators and at the end of the day the spammers will still jump through the necessary hoops (because it's their job).
An automated response is better (even though there will be annoying times like this weekend) - Paizo can never compete with the hourly rate in wherever these posters are.
UnArcaneElection |
^Make the existing Messageboards thing for new users more prominent (including directing new accounts to it), and have it include example common questions like that, and instructions to go to places to find the answers to these frequently asked questions and to use the Search function first before making new posts on these. Users who ignore these instructions get their posts ignored by the moderators.
Steve Geddes |
2 people marked this as a favorite. |
Are Paizians doing something about it?
When I posted before in my native language (Spanish) Paizians took like 5 minutes to bring that post down... why are they leaving these dudes to post in another language? Kinda offensive.
They do if they're viewing the messageboards - they don't have 24 hour surveillance of it though, so sometimes they'll stay up for several hours.
Having said that, it seems to me the staff are really good about visiting overnights and on weekends. It can't be a pleasant part of the job and having to log in just to delete a bunch of nonsense posts would be tedious.
Talonhawke |
1 person marked this as a favorite. |
Okay, I tried last year's method of going to the spammer's profile and flagging, but each time I tried to go I got a page with this message:
You have made too many requests for the same page too quickly.
Please wait a minute before trying again.
I can go to anyone else's profile. Is this Paizo's doing, or have they found a method to make us go into each individual thread?
Edit: trying to flag can't keep up!!
skizzerz |
I'm not sure what defenses you are using, but consider making use of external services designed for combating spam, such as the free StopForumSpam service. Usage details are here, but basically you submit the IP address, username, and email address of the person and it tells you if they've been recorded as a spammer (and there are some extra fields you can pass in to get a confidence score, among other things). Doing this on every post would likely be slow, but it could be done at registration time to outright block the spammer from signing up if there are enough hits for them (or possibly allow the registration just in case they're legit and want to purchase something from the webstore, but flag the account that they can't post on the forums until they either buy something or Customer Service clears the flag).
Chemlak |
1 person marked this as a favorite. |
skizzerz wrote: I'm not sure what defenses you are using, but consider making use of external services designed for combating spam, such as the free StopForumSpam service. Usage details are here, but basically you submit the IP address, username, and email address of the person and it tells you if they've been recorded as a spammer (and there are some extra fields you can pass in to get a confidence score, among other things). Doing this on every post would likely be slow, but it could be done at registration time to outright block the spammer from signing up if there are enough hits for them (or possibly allow the registration just in case they're legit and want to purchase something from the webstore, but flag the account that they can't post on the forums until they either buy something or Customer Service clears the flag).
Problems being: IP spoofing, botnets, and disposable email addresses. These are real people using botnets to hide their location and identity. Paizo have said that they don't particularly want to ban legitimate users by locking out IP addresses, and it won't help anyway, since they're using someone else's IP address.
The tech guys at Paizo know their stuff, and are good at adapting (unfortunately, so are the spammers). I'd love to see a ratio of successful: unsuccessful attempts, but I think it's safe to say that the laser will be recalibrated against this latest successful method, and the war will begin anew.
GM_Beernorg |
1 person marked this as a favorite. |
Our services can be a bit expensive depending, but Proofpoint Inc. (my employer) deals with email and Internet security, including spam protection services. May be something to consider.
Me, I am gonna get me a 12 point buck spammer, WHOOO BOY!
Which is of course not to say that the Paizo web team isn't kicking arse and taking names, cause, clearly they are.
skizzerz |
Chemlak wrote:
skizzerz wrote: I'm not sure what defenses you are using, but consider making use of external services designed for combating spam, such as the free StopForumSpam service. Usage details are here, but basically you submit the IP address, username, and email address of the person and it tells you if they've been recorded as a spammer (and there are some extra fields you can pass in to get a confidence score, among other things). Doing this on every post would likely be slow, but it could be done at registration time to outright block the spammer from signing up if there are enough hits for them (or possibly allow the registration just in case they're legit and want to purchase something from the webstore, but flag the account that they can't post on the forums until they either buy something or Customer Service clears the flag).
Problems being: IP spoofing, botnets, and disposable email addresses. These are real people using botnets to hide their location and identity. Paizo have said that they don't particularly want to ban legitimate users by locking out IP addresses, and it won't help anyway, since they're using someone else's IP address.
The tech guys at Paizo know their stuff, and are good at adapting (unfortunately, so are the spammers). I'd love to see a ratio of successful: unsuccessful attempts, but I think it's safe to say that the laser will be recalibrated against this latest successful method, and the war will begin anew.
IP spoofing is not possible with a TCP connection (which HTTP(S) is) unless you have the ability to MITM the route between the legitimate owner of that IP and the Paizo servers; this is not a capability that the vast majority of spammers/botnets have.
As for botnets, that's the entire point of this service. Botnets aren't so cheap/disposable as to only post one message from any individual IP address on any individual site; the same botnet IP will be posting thousands of spam messages across thousands of sites. Forums that integrate with StopForumSpam then report these IPs to the central service, and after enough reports the IP is listed as blacklisted so that all other consumers of the service can benefit from knowing that information without necessarily having been hit by that particular IP themselves (yet).
If an IP is listed as having 20+ hits for spam across multiple sites on the service, the chance of it being a legitimate user is very low. Even then, there are solutions that don't completely lock them out of the site, as I mentioned in my post. The account could be flagged as unable to post on the forum until they either make a purchase on the storefront or contact Customer Service via phone or email to have the restriction lifted. They could be told this in clear terms, and it is very easy for a legitimate user to have the block lifted while at the same time providing more effort/expense than spammers would be willing to go through in order to unflag hundreds of accounts. Alternatively, if an IP/email/username combo is listed with enough hits, additional heuristical algorithms can be applied to the message that have a higher false-positive rate (and therefore couldn't be applied across-the-board) and block the post if those heuristics match.
The likelihood of these being real people actually posting the spam is exceedingly low. What is far more likely is that real people have figured out how to bypass the spam protection measures currently in place, and then applied that programmatically to their own scripts or to commercial spamming software such as XRumer so that the bots can spam on their own.
While I'm sure the Tech Team knows their stuff, the war on spam is being fought everywhere. Attempting to fight it solo is always a losing proposition, while banding together with other sites (such as via this service) provides a larger net benefit for everyone.
Cort Odekirk Technology Manager |
John Woodford |
3 people marked this as a favorite. |
Mogloth |
1 person marked this as a favorite. |
I have the team in office today, so right at the top of our priority list is figuring out how they are bypassing the filters. Bear with us while we modulate the shields.
Switch all power to front deflector shields.
John Woodford |
<...>
If an IP is listed as having 20+ hits for spam across multiple sites on the service, the chance of it being a legitimate user is very low. Even then, there are solutions that don't completely lock them out of the site, as I mentioned in my post. The account could be flagged as unable to post on the forum until they either make a purchase on the storefront or contact Customer Service via phone or email to have the restriction lifted.
The other thing is that as a legitimate user, if I get a bounce notice from Paizo because of spam originating from my IP address I'm going to scrub every machine on the home network. I don't think any of them are compromised, but one never knows.
Cort Odekirk Technology Manager |
1 person marked this as a favorite. |
John Woodford wrote:
skizzerz wrote: <...>
If an IP is listed as having 20+ hits for spam across multiple sites on the service, the chance of it being a legitimate user is very low. Even then, there are solutions that don't completely lock them out of the site, as I mentioned in my post. The account could be flagged as unable to post on the forum until they either make a purchase on the storefront or contact Customer Service via phone or email to have the restriction lifted.
The other thing is that as a legitimate user, if I get a bounce notice from Paizo because of spam originating from my IP address I'm going to scrub every machine on the home network. I don't think any of them are compromised, but one never knows.
One thing to keep in mind with blocking IPs is that numerous people can be focused through a single IP (many ISPs have many of their internal users broadcast externally from the same IP). So if we block an IP because a single user has been compromised into a botnet component, we are also blocking by proxy all the other users who may share that IP via their ISP.
I'm not saying we don't block IPs, we do when it's necessary, but it's not our first course of action as we want to avoid collateral damage.
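The registration-time lookup skizzerz proposes earlier in the thread, combined with the shared-IP caveat in the post above, as an added example that is not part of the thread and is not Paizo's or StopForumSpam's code. The endpoint, the `json`/`confidence` switches and the `appears`/`frequency` response fields are assumed from StopForumSpam's public API and should be checked against its usage page; the action names, the two-identifier rule and the sample responses are constructed for illustration.

```python
import json
from urllib.parse import urlencode

API_URL = "https://api.stopforumspam.org/api"  # assumed public query endpoint
HIT_THRESHOLD = 20  # the "20+ hits" figure quoted in the thread

def build_query(ip, email, username):
    """Lookup URL for one sign-up; json and confidence are bare switches."""
    fields = urlencode({"ip": ip, "email": email, "username": username})
    return f"{API_URL}?{fields}&json&confidence"

def strong_fields(data):
    """Identifiers the service reports at or above HIT_THRESHOLD."""
    strong = []
    for field in ("ip", "email", "username"):
        entry = data.get(field)
        if (isinstance(entry, dict) and entry.get("appears")
                and int(entry.get("frequency", 0)) >= HIT_THRESHOLD):
            strong.append(field)
    return strong

def decide(response_text):
    """Map a lookup response to (action, matched_fields) for a new account."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return "allow", []  # fail open: a lookup outage must not stop sign-ups
    if not isinstance(data, dict) or data.get("success") != 1:
        return "allow", []
    strong = strong_fields(data)
    if len(strong) >= 2:
        return "block", strong  # independent identifiers agree
    if strong:
        # One hit (e.g. an IP shared behind an ISP): let the account exist,
        # but hold forum posting until a purchase or Customer Service review.
        return "restrict_posting", strong
    return "allow", []

def sample(ip_hits, email_hits):
    """Constructed response body in the assumed shape (not real data)."""
    def entry(value, hits):
        return {"value": value, "appears": int(hits > 0), "frequency": hits}
    return json.dumps({"success": 1,
                       "ip": entry("203.0.113.7", ip_hits),
                       "email": entry("new.player@example.com", email_hits),
                       "username": entry("NewPlayer", 0)})

if __name__ == "__main__":
    for ip_hits, email_hits in [(0, 0), (41, 0), (41, 37)]:
        print(ip_hits, email_hits, decide(sample(ip_hits, email_hits)))
```

Failing open on a lookup error is a design choice made for this example; a site under active attack might instead queue such sign-ups for review.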
Cort Odekirk Technology Manager |
Chris Lambertz Community & Digital Content Director |
3 people marked this as a favorite. |
Some answers to these questions:
- We don't plan on eliminating special characters from avatar names.
- We don't plan on implementing a feature that automatically hooks into any FAQ options.
- We don't have plans to implement a third-party service into our forum software.
- Moderating the first few posts of any new user in some sort of automatic queue would be unrealistic to add to our current workload, and is unlikely to happen.
- Our heuristics for isolating these accounts are sophisticated enough that flagging their accounts isn't necessary. Don't feel like you must be on guard to flag their posts.
- Please do not post references to their usernames, the URLs, or translations. This is exactly what the spammers want.
- We won't be revealing specific tactics that Paizo implements for eliminating spammers publicly (that just gives them and other potential baddies a way in).