Discuss Scratch

Sonickyle
Scratcher
1000+ posts

Spambot activity - How you can stop it

I've been looking around, and found PlayThru. Instead of typing something it asks you to play a small game. It runs in HTML5 and it's apparently bot-proof.

It seems perfect for a website like this.

No I don't make projects anymore. I left some time ago.
I only check the forums every now and then, but other than that consider me retired.
jvvg
Scratcher
1000+ posts


Sonickyle wrote:

I've been looking around, and found PlayThru. Instead of typing something it asks you to play a small game. It runs in HTML5 and it's apparently bot-proof.

It seems perfect for a website like this.
Just remember that nothing is totally bot-proof. Bots are getting much better at what they do, and are getting much better at bypassing captchas.


Professional web developer and lead engineer on the Scratch Wiki
Maybe the Scratch Team isn't so bad
Why the April Fools' Day forum didn't work last year
A-no-meep
Scratcher
100+ posts


davidkt wrote:

jvvg wrote:

davidkt wrote:

jvvg wrote:

davidkt wrote:

ppettitt wrote:

jvvg wrote:

There is a trick to stop just about all spambots. The key is to use something that is unique to your site. Spambots can adapt to just about anything that is used on a lot of sites, but if it is only used on one site, then they probably won't adapt.

This usually involves one of the following:
  • Specialized CAPTCHAs (they don't need to be hard, they just need to be unique)
  • HTML tricks
  • Questions specifically tailored to the website
There are a lot of other things that can go on that list, but the key is to create something unique.
I've got an idea! The top of the signup window would change to a random color and then it would ask “What is the color of the top of this window?” You would have to choose the color from a drop down menu. That is pretty unique. We could also do something like there is a scratch cat that changes colors and moves in a certain direction. You would then have to choose what color the scratch cat is and which direction it is moving. Those things would be easy for an 8-year-old to do, but not a spam bot. And it can be formatted in HTML5 so that flash player is not required. Of course, anyone who wants to view projects online will have to get flash eventually.
Way too easy for a spambot to detect the colour.
Not exactly. I need to reiterate what I said above: Spambots will not be able to get around something that isn't widespread. They can get around just about anything if someone wants them to, but nobody will bother trying to write a script to detect the color if it's just one site.
What if someone makes a spambot specifically for the Scratch website that creates a bunch of accounts to spam? Way too easy.
There is just about no way to stop a spambot targeted for a specific site. However, developers of spambots don't care about individual websites.

The thing you need to remember is that the spambots we're trying to stop are commercial spambots, and those just try to hit as many sites as possible. The developers don't care if some sites are able to stop them, they just care that some aren't.
Still, more security is better than less…

Like how about the easiest platformer game where you have to get from one side of the screen to another? That would be hard for a spambot to use…
Short platformer: Great idea, Color thing: Bad idea, what about colorblind people?

[ v]
A dropdown to nowhere
joshuaho
Scratcher
1000+ posts


BREAKING NEWS
Just yesterday, I reported 3 topics in a row made by the same spam-bot. Spam-bots are now also capable of spamming the forums repeatedly, not just once.

College student studying Communication and Fire Technology, communication lab tutor, guitar and piano player, perfectionist, and just some guy who regularly eats and trains physically to stay healthy.
ev3commander
Scratcher
500+ posts


ProdigyZeta7 wrote:

BREAKING NEWS: I'm getting news that spammers are creating PROJECTS! Our time is running out, we must do something to stop them!

Original Post: In the past 20 minutes I have found at least 8 topics created by spambots made in the last 24 hours. Just yesterday I found 6 more spam topics over the course of that day. Has activity always been this high? Last time I checked one or two topics were made every month or so. Something bad is happening, and it's happening fast. So why all of a sudden are we being attacked more often?

There is a major flaw in the sign-up process: a lack of something to stop a spambot. CAPTCHA could work, although I remember reading a post by jvvg that even spambots have the intelligence to bypass it. Not good. We need something to gain the high ground and we need to do it fast, or else we will face another spambot invasion far worse than Scratch has encountered before. I'm not cynical, but the vulnerability of Scratch is a reality.

What are these spammers capable of?
There are a number of technological adaptations that allow spambots to do almost anything a person can. The main weapons of them include Optical Character Recognition (to “read” CAPTCHAs), Averaging (which reduces noise of a CAPTCHA image), and even artificial intelligence that can answer security questions (such as “What is 2+2?”). What makes these spammers tough to stop is that they can hide behind multiple proxies, making an IP ban nearly ineffective against them.

It can be difficult to tell if a spammer is a bot or human, depending on the behavior. Often times, a spambot will be aided by a human to fill in certain fields on a page to avoid suspicion that it is indeed a spambot. On Scratch, I have witnessed spambots (likely aided by someone) do the following actions:
  • Fill in information in the About Me and What I'm Working On sections of profiles.
  • Comment on profiles, projects, etc.
  • Reply to comments.
  • Post on other forum topics.
  • Create projects
Sometimes it's not obvious if the person really is a spambot. But it takes just one spam post to aid in Search Engine Optimization to identify a user as a bot. But before that, you can often mistake a spambot for a legitimate user based on prior behaviors, such as “innocent” commenting/posting.

What should I look for?
Keep your eyes peeled for any suspicious topics that seem to not belong. For instance, the following are common spam topic titles found in the Scratch Forums:
  • Dude vs Dude2 Live Stream
  • hey bro whats up
  • that was great man (use of the word “man” is common)
  • Website Reviews from [Company Name]
  • Kitchen Appliance Sale
  • {OM}Watch XXXXXXX Online
You should report these IMMEDIATELY. The longer these topics last on the forums, the more people will view them, and the greater SEO it will accomplish. Scratch was, is, and always will be commercial-free, so help get rid of these topics ASAP!

How do I report?
The report button is located in the bottom right corner of every post; when you click it, you will be asked to put in a reason for why you are reporting that post, so put in “Spam” or “Spambot” as the reason. It should take a few minutes (hours?) for a moderator/admin to pick up on the report and take down the topic along with terminating the spambot account. To see if any spambots have infected the forums, click the link “See unanswered posts” at the bottom-right of the main discuss page and locate suspicious topics.

How can we stop spam?
However, all hope is not lost. We have come up with powerful defenses against spam:
Circular CAPTCHA (Suggested by Lirex)
This is a new kind of CAPTCHA where letters and symbols are arranged clockwise or counterclockwise on a circle. However, this poses two major problems: 1) Real people could have a hard time distinguishing between M, W, and 3; and 2) It does not prevent spambots from using their OCR powers.
Destruction of External Links (Suggested by me)
Spambots are responsible for sending out links to assigned websites. If we can destroy those links at the moment of posting, the SEO will no longer work. This will not prevent spambots from registering, but will render their posts completely harmless, link-wise. This also means that “legitimate Scratchers can't post legitimate external links” (scimonster), unless a whitelist of websites is used.
Honeypot (Suggested by scratchisthebest)
This puts a new field on the registration page that is not supposed to be filled in. Spambots are notorious for filling in absolutely everything on a fill-out form, and may not catch that this field should be left empty, thereby preventing their registration.
Verification (Suggested by jvvg)
jvvg explains it:
“On the registration page, make a frame that points to a secondary form and ask the user to submit the form in the frame before registering.
When the secondary form is submitted, mark that IP as verified for 10 minutes.
When submitting the registration form, check that the IP was verified within the last 10 minutes, and reject the request if it wasn't.”
CAPTCHA Images (Suggested by me)
Because spambots use OCR to “read” words almost perfectly, they can bypass any CAPTCHA with those weird morphed words. So instead of using words to verify a user, use images of simple everyday objects and a list of answers, one of which is correct. For instance, there could be an image of an apple, and the user must answer what the image is generally, given three or more radical answers and one correct answer. Guess incorrectly for two or so times consecutively, and you will be unable to register for 30 minutes. However, language barriers are a problem because there would need to be 50+ translations for every possible answer.

The fate of Scratch hangs in the balance. It is up to each and every one of you to defend it from malicious spammers.
I agree with “honeypot”,

You won't be unknown anymore
My browser / operating system: Windows 7, Chrome 32.XX.XXXX.XX, Flash 12.0 (release 0)
My alternative browser / operating system: OS X 10.9.5, Safari 7, Flash 15.0 (release 0)
Reached 500+ on April 8, 2015
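
The honeypot field and jvvg's 10-minute verification window described in the quoted post, sketched as server-side checks. This is an added example, not code from the thread or from Scratch; the field name `website`, the class `RegistrationGate` and the sample addresses are assumptions made for illustration.

```python
import time

VERIFY_WINDOW = 10 * 60      # seconds; the "10 minutes" from jvvg's description
HONEYPOT_FIELD = "website"   # assumed name; hidden from people with CSS


class RegistrationGate:
    """Hypothetical server-side checks run before an account is created."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._verified = {}  # IP -> time the secondary (framed) form was submitted

    def mark_verified(self, ip):
        """Called by the handler of the secondary form."""
        self._verified[ip] = self._clock()

    def check(self, ip, form):
        """Return (allowed, reason) for one registration attempt."""
        # Honeypot: a person never sees the field, so any value suggests a bot.
        if (form.get(HONEYPOT_FIELD) or "").strip():
            return False, "honeypot field filled in"
        stamp = self._verified.get(ip)
        if stamp is None:
            return False, "secondary form never submitted"
        if self._clock() - stamp > VERIFY_WINDOW:
            del self._verified[ip]  # drop the stale entry
            return False, "verification expired"
        return True, "ok"


def demo():
    """Run four constructed attempts through the gate and return the reasons."""
    now = [1_000_000.0]  # fake clock so the expiry case needs no waiting
    gate = RegistrationGate(clock=lambda: now[0])
    reasons = []
    # Constructed sample data: documentation-range IPs, made-up form values.
    reasons.append(gate.check("203.0.113.5", {"username": "a", "website": "http://spam.example"})[1])
    reasons.append(gate.check("203.0.113.5", {"username": "a", "website": ""})[1])
    gate.mark_verified("198.51.100.7")
    reasons.append(gate.check("198.51.100.7", {"username": "b", "website": ""})[1])
    now[0] += VERIFY_WINDOW + 1  # 10 minutes and 1 second later
    reasons.append(gate.check("198.51.100.7", {"username": "c", "website": ""})[1])
    return reasons


if __name__ == "__main__":
    print(demo())
```

Keying the verification on the IP address follows the description in the post; people registering from behind one shared address share a single verification.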
ScratchJahd2011
Scratcher
500+ posts


joshuaho wrote:

BREAKING NEWS
Just yesterday, I reported 3 topics in a row made by the same spam-bot. Spam-bots are now also capable of spamming the forums repeatedly, not just once.

Um… They are already capable of doing that when they started… It's really annoying…

…..
joshuaho
Scratcher
1000+ posts


ScratchJahd2011 wrote:

joshuaho wrote:

BREAKING NEWS
Just yesterday, I reported 3 topics in a row made by the same spam-bot. Spam-bots are now also capable of spamming the forums repeatedly, not just once.

Um… They are already capable of doing that when they started… It's really annoying…
They haven't done that since the first time I saw a spam topic.

College student studying Communication and Fire Technology, communication lab tutor, guitar and piano player, perfectionist, and just some guy who regularly eats and trains physically to stay healthy.
Harakou
Scratcher
1000+ posts


joshuaho wrote:

ScratchJahd2011 wrote:

joshuaho wrote:

BREAKING NEWS
Just yesterday, I reported 3 topics in a row made by the same spam-bot. Spam-bots are now also capable of spamming the forums repeatedly, not just once.

Um… They are already capable of doing that when they started… It's really annoying…
They haven't done that since the first time I saw a spam topic.
They've always done it. Usually they'll make a couple threads and drop the account, presumably to go spam some other site.
cheeseeater
Scratcher
1000+ posts


This is reaching a ridiculous level

I reported 32 (and it keeps going up) spam posts today, all with phone numbers, emails and websites. This is becoming unacceptable. I am asking for sign-up to have a captcha; when people sign up they are mostly doing it with an adult, so they can help. I am worried that the Scratch forums may become unsafe.

ScratchJahd2011
Scratcher
500+ posts


cheeseeater wrote:

This is reaching a ridiculous level

I reported 32 (and it keeps going up) spam posts today, all with phone numbers, emails and websites. This is becoming unacceptable. I am asking for sign-up to have a captcha; when people sign up they are mostly doing it with an adult, so they can help. I am worried that the Scratch forums may become unsafe.


I agree! The ST must create at least one of the suggested CAPTCHAs right this moment!

…..
LuxrayStar
Scratcher
100+ posts


ScratchJahd2011 wrote:

cheeseeater wrote:

This is reaching a ridiculous level

I reported 32 (and it keeps going up) spam posts today, all with phone numbers, emails and websites. This is becoming unacceptable. I am asking for sign-up to have a captcha; when people sign up they are mostly doing it with an adult, so they can help. I am worried that the Scratch forums may become unsafe.


I agree! The ST must create at least one of the suggested CAPTCHAs right this moment!

Agree to above.

Stop the Spambots!
;We will never forget the semicolon;
ppettitt
Scratcher
100+ posts


cheeseeater wrote:

This is reaching a ridiculous level
I reported 32 (and it keeps going up) spam posts today, all with phone numbers, emails and websites. This is becoming unacceptable. I am asking for sign-up to have a captcha; when people sign up they are mostly doing it with an adult, so they can help. I am worried that the Scratch forums may become unsafe.
Many kids will probably sign up with an adult, but I signed up without one. All I did was ask my parents if it was okay to sign up for Scratch, and they said it was okay. Many kids (especially the younger ones) probably will be signing up with an adult, but that doesn't mean all. I would go for the easier captcha like the one Lirex suggested:

Lirex wrote:

What about a CAPTCHA like this one?

ErnieParke wrote:

I had some trouble reading that, and I'm still not sure what to put down (thanks to that 3, w, or m?). I'd even think that XRumer might be able to get through it, but then again, the circular nature of the text might stump it.

I do like the design and colors, though.

My thoughts,

ErnieParke
I modified it a bit to get this:

Even if it doesn't stop all spam bots, it will stop some. And it could probably be solved by kids without an adult. So as long as it's easier so it can be read by kids, I agree with having a captcha on sign up.

The semicolon will never be forgotten!
;
LuxrayStar
Scratcher
100+ posts


I found a ton of spam posts made by “Different” Spammers, and each post has pretty much the same stuff.
Edit: It grew to almost a page of almost nothing but Spam!

Last edited by LuxrayStar (Feb. 11, 2014 17:59:06)


Stop the Spambots!
;We will never forget the semicolon;
cheeseeater
Scratcher
1000+ posts


LuxrayStar wrote:

I found a ton of spam posts made by “Different” Spammers, and each post has pretty much the same stuff.
Edit: It grew to almost a page of almost nothing but Spam!
That's what I saw!
scratchisthebest
Scratcher
1000+ posts


At this point, any captcha is good. It doesn't matter if it's perfect, as long as it slows down a few bots.

I am a Lava Expert
cheeseeater
Scratcher
1000+ posts


scratchisthebest wrote:

At this point, any captcha is good. It doesn't matter if it's perfect, as long as it slows down a few bots.
Exactly. A few people are turning down the good ideas to try and think of the perfect spam busters. Nothing is perfect. Because there is always a case of HTML5 not supported, or it being too hard. If we just stick to a normal captcha of some sort, then spam would go way down. How many spam-bots even have XRumer software in them? If it can get through a lot of captchas then it must be expensive. I doubt many have it. (Unless they develop it themselves).

EDIT: Just after posting this, I reported 3 more spam-bot topics.

Last edited by cheeseeater (Feb. 12, 2014 06:42:55)

ScratchJahd2011
Scratcher
500+ posts


I suggest someone contacting the ST and telling them to make one of the CAPTCHAs here. The spambots are getting out of hand!

…..
cheeseeater
Scratcher
1000+ posts


4 (and probably counting) on the New Scratchers forum. All the same bot, about magic. It seems to be in another language, and broken English. There are emails, phone numbers, and sites that I can guarantee are dangerous. I seem to remember this type of spam yesterday; there were heaps of it. Now they know how weak Scratch is, they will just keep coming back…
ProdigyZeta7
Scratcher
1000+ posts


cheeseeater wrote:

LuxrayStar wrote:

I found a ton of spam posts made by “Different” Spammers, and each post has pretty much the same stuff.
Edit: It grew to almost a page of almost nothing but Spam!
That's what I saw!
I can confirm this. Just happened to witness an entire page of spam from just two spambots in Help With Scripts.



QuillzToxic
Scratcher
1000+ posts


Nothing is permanent

Last edited by QuillzToxic (Feb. 15, 2014 10:47:11)
