Discuss Scratch

ProdigyZeta7
Scratcher
1000+ posts

Spambot activity - How you can stop it

The spam problem is resolved. The ST have implemented a lean mean spambot-fighting machine of their own to take down spam posts 24/7.

Original Post: In the past 20 minutes I have found at least 8 topics created by spambots made in the last 24 hours. Just yesterday I found 6 more spam topics over the course of that day. Has activity always been this high? Last time I checked one or two topics were made every month or so. Something bad is happening, and it's happening fast. So why, all of a sudden, are we being attacked more often?

There is a major flaw in the sign-up process: a lack of something to stop a spambot. CAPTCHA could work, although I remember reading a post by jvvg that even spambots have the intelligence to bypass it. Not good. We need something to gain the high ground and we need to do it fast, or else we will face another spambot invasion far worse than Scratch has encountered before. I'm not cynical, but the vulnerability of Scratch is a reality.

What are these spammers capable of?
There are a number of technological adaptations that allow spambots to do almost anything a person can. Their main weapons include Optical Character Recognition (to “read” CAPTCHAs), Averaging (which reduces noise of a CAPTCHA image), and even artificial intelligence that can answer security questions (such as “What is 2+2?”). What makes these spammers tough to stop is that they can hide behind multiple proxies, making an IP ban nearly ineffective against them.

It can be difficult to tell if a spammer is a bot or human, depending on the behavior. Oftentimes, a spambot will be aided by a human to fill in certain fields on a page to avoid suspicion that it is indeed a spambot. On Scratch, I have witnessed spambots (likely aided by someone) do the following actions:
  • Fill in information in the About Me and What I'm Working On sections of profiles.
  • Comment on profiles, projects, etc.
  • Reply to comments.
  • Post on other forum topics.
  • Create projects.
Sometimes it's not obvious if the person really is a spambot. But it takes just one spam post to aid in Search Engine Optimization to identify a user as a bot. But before that, you can often mistake a spambot for a legitimate user based on prior behaviors, such as “innocent” commenting/posting.

What should I look for?
Keep your eyes peeled for any suspicious topics that seem to not belong. For instance, the following are common spam topic titles found in the Scratch Forums:
  • Dude vs Dude2 Live Stream
  • hey bro whats up
  • that was great man (use of the word “man” is common)
  • Website Reviews from [Company Name]
  • Kitchen Appliance Sale
  • {OM}Watch XXXXXXX Online
You should report these IMMEDIATELY. The longer these topics last on the forums, the more people will view them, and the greater SEO it will accomplish. Scratch was, is, and always will be commercial-free, so help get rid of these topics ASAP!

How do I report?
The report button is located in the bottom right corner of every post; when you click it, you will be asked to put in a reason for why you are reporting that post, so put in “Spam” or “Spambot” as the reason. It should take a few minutes (hours?) for a moderator/admin to pick up on the report and take down the topic along with terminating the spambot account. To see if any spambots have infected the forums, click the link “See unanswered posts” at the bottom-right of the main discuss page and locate suspicious topics.

How can we stop spam?
However, all hope is not lost. We have come up with powerful defenses against spam:
Circular CAPTCHA (Suggested by Lirex)
This is a new kind of CAPTCHA where letters and symbols are arranged clockwise or counterclockwise on a circle. However, this poses two major problems: 1) Real people could have a hard time distinguishing between M, W, and 3; and 2) It does not prevent spambots from using their OCR powers.

Destruction of External Links (Suggested by me)
Spambots are responsible for sending out links to assigned websites. If we can destroy those links at the moment of posting, the SEO will no longer work. This will not prevent spambots from registering, but will render their posts completely harmless, link-wise. This also means that “legitimate Scratchers can't post legitimate external links” (scimonster), unless a whitelist of websites is used.

Honeypot (Suggested by scratchisthebest)
This puts a new field on the registration page that is not supposed to be filled in. Spambots are notorious for filling in absolutely everything on a fill-out form, and may not catch that this field should be left empty, thereby preventing their registration.

Verification (Suggested by jvvg)
jvvg explains it:
“On the registration page, make a frame that points to a secondary form and ask the user to submit the form in the frame before registering.
When the secondary form is submitted, mark that IP as verified for 10 minutes.
When submitting the registration form, check that the IP was verified within the last 10 minutes, and reject the request if it wasn't.”

CAPTCHA Images (Suggested by me)
Because spambots use OCR to “read” words almost perfectly, they can bypass any CAPTCHA with those weird morphed words. So instead of using words to verify a user, use images of simple everyday objects and a list of answers, one of which is correct. For instance, there could be an image of an apple, and the user must answer what the image is generally, given three or more radical answers and one correct answer. Guess incorrectly for two or so times consecutively, and you will be unable to register for 30 minutes. However, language barriers are a problem because there would need to be 50+ translations for every possible answer.

The fate of Scratch hangs in the balance. It is up to each and every one of you to defend it from malicious spammers.

Last edited by ProdigyZeta7 (March 29, 2014 21:53:22)
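
The Honeypot and Verification proposals in the post above, combined into one server-side registration check. This is an added example, not code from the thread or from Scratch: the class name, the `website` honeypot field and the single-use handling of a verification are assumptions made for illustration.

```python
import time

HONEYPOT_FIELD = "website"   # hypothetical hidden field name; hidden from humans via CSS
VERIFY_WINDOW = 10 * 60      # seconds: "mark that IP as verified for 10 minutes"


class RegistrationGate:
    """Honeypot check plus the timed secondary-form verification, held in memory."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._verified = {}  # ip -> time the secondary (framed) form was submitted

    def secondary_form_submitted(self, ip):
        self._verified[ip] = self._clock()

    def check(self, ip, form):
        """Return (allowed, reason) for one registration attempt."""
        # A bot that fills in every field also fills the one humans never see.
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot field filled"
        verified_at = self._verified.pop(ip, None)  # assumption: single use
        if verified_at is None:
            return False, "secondary form not submitted"
        if self._clock() - verified_at > VERIFY_WINDOW:
            return False, "verification expired"
        return True, "ok"


def demo():
    """Replay constructed attempts against a fake clock; returns the reasons."""
    now = [0.0]
    gate = RegistrationGate(clock=lambda: now[0])
    ip = "203.0.113.5"  # documentation address, constructed
    reasons = [gate.check(ip, {"username": "a"})[1]]
    gate.secondary_form_submitted(ip)
    reasons.append(gate.check(ip, {"username": "a", "website": "http://spam.example"})[1])
    reasons.append(gate.check(ip, {"username": "a", "website": ""})[1])
    reasons.append(gate.check(ip, {"username": "b"})[1])  # verification already used
    gate.secondary_form_submitted(ip)
    now[0] += VERIFY_WINDOW + 1
    reasons.append(gate.check(ip, {"username": "c"})[1])
    return reasons


if __name__ == "__main__":
    print(demo())
```

Because the verification is keyed on IP, everyone behind one shared address shares a single verification, so a production version would more likely key it on a per-session token.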




jh1234l
Scratcher
100+ posts


Maybe we can add a flash-based captcha game to the registration process, as these are harder to be completed by spam bots than regular captchas.


scimonster
Scratcher
1000+ posts


I can testify that it's actually likely to take up to a couple hours to deal with spammas. (My latest report was “Spamma.” )
I think a simple captcha would be better than none; even just something like this one.

Retired Community Moderator
BTW, i run Google Chrome 41.0.2272.101 on a Linux system - Ubuntu 14.04. NEW: iPad 4th gen. w/retina.

418 I'm a teapot (original - to be read by bored computer geeks)
THE GAME (you just lost)
; THE SEMICOLON LIVES ON IN OUR SIGS
ErnieParke
Scratcher
1000+ posts


I remember seeing a spam topic yesterday (or maybe a bit before then?); I haven't seen any yet today, though, since I've just gotten on. I'm troubled with what you've reported though.

I agree with your idea of a captcha, as long as it's simple. I was thinking something along the lines of what Scimonster showed, maybe where you have to drag a square onto another, and where you're not restricted to a simple slider. Or maybe instead you have to click the cat in a row of three sprites. What do you think of those?

Asking,

ErnieParke

ppettitt
Scratcher
100+ posts


Captcha is a great idea! I wonder why they haven't done that in the past…
EDIT: Of course, younger Scratchers might not be able to read it as well…

Last edited by ppettitt (Nov. 24, 2013 23:50:09)


The semicolon will never be forgotten!
;
NoxSpooth
Scratcher
1000+ posts


I think I've already reported 3 “hey bro whats up” topics…

Yes, something has to be done.
Firedrake969
Scratcher
1000+ posts


iPhones can get viruses. Anything connected to the Internet can.

That aside, we already have an iTopic about stuff like this. But I've seen a bunch of things saying “hey bro whats up” that are spam. Huh. I wonder if one person/company/whatever's trying to spam…

Support Flash Captcha, but what if we don't have Flash?

'17 rickoid

jvvg
Scratcher
1000+ posts


As stated in the original post, any kind of conventional CAPTCHA can be bypassed by a bot. The key here is to do something extremely unconventional. Remember that if many sites adapt the same technique, the bots will adapt. This is an example of biological evolution applied to machines: if someone can create a mechanism that will stop 99 out of 100 spam programs, everyone will use the 1 program that gets around it.

The most common spam program is called XRumer (Wikipedia link). It is known for being extremely effective in getting around CAPTCHAs. Here is an image demonstrating the kinds of CAPTCHAs it can get around:


My point is that any kind of conventional CAPTCHA will not be useful here, as the most popular spam software can still get around it. That software can also get around email verification and most JS solutions. Flash is a good idea, but once the HTML5 player is implemented, there will no longer be a Flash requirement, and therefore some users won't be able to sign up if they don't have Flash.

Currently, the best solution against it is the New Scratcher status, because this prevents it from posting more than every 180 seconds or posting links. However, another possible solution would be to check the IP and email against http://stopforumspam.com. That is the service I use to prevent spam.


Professional web developer and lead engineer on the Scratch Wiki
Maybe the Scratch Team isn't so bad
Why the April Fools' Day forum didn't work last year
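
The StopForumSpam check suggested in the post above, sketched as a query builder plus a decision over the JSON reply. This is an added example, not code from the thread or from Scratch: the function names and the confidence threshold are assumptions, and the sample replies are constructed, not real lookups.

```python
import json
from urllib.parse import urlencode

API_URL = "https://api.stopforumspam.org/api"
MIN_CONFIDENCE = 50.0  # assumed site policy, not a value from the thread


def build_query(ip, email):
    """URL asking StopForumSpam about one IP and one email, JSON reply."""
    return f"{API_URL}?{urlencode({'ip': ip, 'email': email})}&json"


def evaluate(response_text, min_confidence=MIN_CONFIDENCE):
    """Map an API reply to 'block', 'allow' or 'unknown' (lookup failed)."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict) or data.get("success") != 1:
        return "unknown"
    for field in ("ip", "email"):
        entry = data.get(field)
        if not isinstance(entry, dict) or not entry.get("appears"):
            continue
        if float(entry.get("confidence", 0)) >= min_confidence:
            return "block"
    return "allow"


# Constructed replies in the shape the API returns; not real lookups.
LISTED = json.dumps({"success": 1,
    "ip": {"value": "203.0.113.5", "appears": 1, "frequency": 41, "confidence": 97.3},
    "email": {"value": "bot@example.com", "appears": 0, "frequency": 0}})
CLEAN = json.dumps({"success": 1,
    "ip": {"value": "198.51.100.7", "appears": 0, "frequency": 0},
    "email": {"value": "kid@example.com", "appears": 0, "frequency": 0}})
LOW = json.dumps({"success": 1,
    "ip": {"value": "198.51.100.9", "appears": 1, "frequency": 1, "confidence": 3.2}})

if __name__ == "__main__":
    print(build_query("203.0.113.5", "bot@example.com"))
    for name, body in (("listed", LISTED), ("clean", CLEAN), ("low", LOW), ("outage", "<html>")):
        print(name, evaluate(body))
```

The `unknown` result leaves it to the caller whether a failed lookup lets the registration through or holds it for a moderator.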
ScratchJahd2011
Scratcher
500+ posts


I am going around the forumside massacring fast acting program-controlled accounts.

I have reported 2 forum posts containing sports and entertaining spam.

…..
Paddle2See
Scratch Team
1000+ posts


Thanks for your suggestions! I agree, the spambot activity appears to be increasing. Some simple operation that would be difficult for a bot to perform would probably help quite a bit - but I also like the idea of adding a check against stopforumspam.com.

Scratch Team Member, kayak and pickleball enthusiast, cat caregiver.

This is my forum signature! On a forum post, it is okay for Scratchers to advertise in their forum signature. The signature is the stuff that shows up below the horizontal line on the post. It will show up on every post I make.
(credit to Za-Chary)



;
Auto007
Scratcher
17 posts


What if we add something like a game to play and do highscore or solve a quadratic equation or solve a sum kind of captchas?

Currently away on Mission :-

TO Explore The Area outside Federation

Engines at ready…. Prepare for warp…… Zooooooooooooooooooop ……………………………. !
Firedrake969
Scratcher
1000+ posts


Auto007 wrote:

What if we add something like a game to play and do highscore or solve a quadratic equation or solve a sum kind of captchas?
Maybe a thing saying for us to click 5 (or however) dots to sign up?

'17 rickoid

Gravitation
Scratcher
100+ posts


It's harder for bots to read English and actually understand it than it is for them to just read it. Watch as my amazing new technique blows XRumer out of the water:

Select the last 4 red colored dots.
Select 4 red dots.
Select the 4 red colored dots closest to the end.
Click on 3+1 red dots.
Select a red dot 4 times.


Last edited by Gravitation (Nov. 25, 2013 15:50:39)


Firedrake969
Scratcher
1000+ posts


QED.

This method should totally be implemented! xD

'17 rickoid

joshuaho
Scratcher
1000+ posts


Actually, spam bots also comment multiple times on profiles and projects!! They give out fake e-mail addresses, which is actually something for identity theft.

Here is an example of a spam bot commenting (the fake email addresses have been removed by me, the email addresses are links to dangerous sites):

Hello my dear, How are you doing today? i hope all is well with you over there, please my dear i saw your contact here today and i became interested, my name is (real name removed).I wish to have you as a friend, if you care. I have important reasons to request your interest for a Serious Relationship, i will be happy if you can send me email at (contact info removed) so that i can easily explain to you more about me and send you my picture because I have something very Important to tell you.

I posted a forum topic about this - and the Scratch Team came across it, and without needing a report, banned the account for solicitation.

This is just an example of what a spam-bot would say…. and how serious it is…

Last edited by joshuaho (Nov. 25, 2013 18:40:06)


College student studying Communication and Fire Technology, communication lab tutor, guitar and piano player, perfectionist, and just some guy who regularly eats and trains physically to stay healthy.
Lirex
Scratcher
500+ posts


What about a CAPTCHA like this one?


Scratch-DACH-Wiki author


;




Yay, 500+ posts! (05/25/2014)
ParkerS98
Scratcher
46 posts


Just in the past week, I've reported 4 fake sports/entertainment livestream topics while looking around for questions to answer. Before that, I had only seen maybe 1 (can't exactly remember). So I would agree that spam is getting worse.

Last edited by ParkerS98 (Nov. 26, 2013 13:03:08)


–There are really only three kinds of people in the world: those who can count and those who can't.

–Confucius say, “Man who run in front of car get tired, but man who run behind car get exhausted.”

Check out my air hockey game here! Now with Space theme!
mathfreak231
Scratcher
1000+ posts


I found 2 sb (spambot) threads.

But this is the first time I've seen a sb. I doubt it's a common problem.

EDIT: Ok, just found one more in the New Scratchers forum which I rarely go to for some reason. But still, I bet this seldom happens.

Last edited by mathfreak231 (Nov. 25, 2013 23:04:09)


i have grown as a person. and ive grown, literally. none of my posts from before 2022 represent me accurately.
ErnieParke
Scratcher
1000+ posts


Lirex wrote:

What about a CAPTCHA like this one?

I had some trouble reading that, and I'm still not sure what to put down (thanks to that 3, w, or m?). I'd even think that XRumer might be able to get through it, but then again, the circular nature of the text might stump it.

I do like the design and colors, though.

@mathfreak231:
You are right; it's not common, but there have been a few large spam attacks before.

My thoughts,

ErnieParke

1234abcdcba4321
Scratcher
1000+ posts


I think a spam filter that's really simple would work.

Like
“click the red button 3 times” (There would be 5 buttons of varying colors)
“drag the smallest button to the right” (There would be 5 buttons of varying sizes)
“click 2+1 buttons 8-6 times” (There would be 6-8 buttons)

Those types are easy for humans to understand, but not bots.

I'd highly appreciate it if you were to follow me. Don't forget to go to my profile.
All of my programming suggestions <— You should really get the suggestions move back to the suggestions forum!
Five hundred posts! I never expected to get up there… In only 2-3 months.
Does anyone know what a signature is? I mean, I've already seen 6-7 people get confused.
