#2384 - Anti-spam heuristics

By Chris Graham
Added 8th Apr 2016, 9:32 AM
4 views

Identifier	#2384
Issue type	Feature request or suggestion
Title	Anti-spam heuristics
Status	Completed
Tags	Type: Spam (custom)
Handling member	Chris Graham
Addon	core
Description	There are a number of factors we can use to detect increased likelihood of spam: 1) Posting speed (by looking at when the CSRF token was generated compared to when the form was posted) 2) Closeness to having joined (people may join for bypassing CAPTCHA, getting extra features) 3) Posting links 4) Posting frequency 5) Posting repeat content 6) Using particular keywords ("cialis", ...) 7) Using particular coding ("Times New Roman" [implies a paste], "<font face=" [implies a paste]) 8) Use of invalid coding from other software ("[link", ...) 9) Use of paste as opposed to typing 10) Presence of JavaScript (particular calculations could be done and submitted with the form, to know that a real working JavaScript engine was there; perhaps something computationally costly like factorisation; also detection of use of mouse and/or keyboard as a human would) 11) Triggering of the spam blackhole in a form 12) Particular user-agent substrings ("bot", "perl", ...) 13) Missing HTTP headers a real browser will always send: Accept, User-Agent, Cookie, Accept-Language, Accept-Encoding 14) Hits from particular countries (fully configurable) We can detect these factors and make them configurable to bump up the spam certainty ratings for a request. It would be cumulative, each factor would add together to give an overall spam rating. That overall rating would be subject to the approve/block/ban thresholds that already exist. Our LAME_SPAM_HACK hack-attack signal can be removed, and the code for that integrated into this new system. It would all be configurable. All the time factors, all the different spam certainty increments (including configuration per detected spammy keyword).
Steps to reproduce
Additional information	Here's some simple temporary code in use on our own sites in an unofficial capacity, a small subset of what this final system would do... require_code('antispam'); $hours_like_guest=2; $post=post_param('post',''); if ((is_guest() \|\| $GLOBALS['FORUM_DRIVER']->get_member_join_timestamp(get_member())>time()-6060$hours_like_guest) && ((strpos($post,'<a ')!==false) \|\| (strpos($post,'[url')!==false))) { handle_perceived_spammer_by_confidence(get_ip_address(),floatval(get_option('spam_approval_threshold'))/100.0,'internal checks',false); }
Related to	#2057 - Delete member content on punishment form
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 7th Jun 2016, 8:58 PM

Use of the contact forms is a concern. We should log everything going into them so that '4'/'5' above can work for these.

By Guest, By Guest, posted 8th Jun 2016, 10:20 PM

True. But also what about guest forum posting and guest support ticket / feedback submitting as well?

By Guest posted 8th Jun 2016, 10:23 PM

Fair point. It would need to track through somehow then. Maybe a punish link in the staff actions, like we do for forum posts - and track through content_type and content_id from that.

By Guest posted 8th Jun 2016, 10:48 PM

If the punish links could also be tied in to the warning/punishment form similar to forum posts... aka the content being punished is rendered as a link or a render box tempcode (or comcode) in the message field (similar to how my new reports addon works), that could further enhance the usefulness of punish links elsewhere.

But agreed. Technically, virtually any form of content can be submitted by guests... if permissions allow for it. Therefore, there needs to be a pipe for all content.

By Guest, By Guest, posted 14th Jun 2016, 9:48 AM

We also should have a privilege to avoid the spam heuristic system.

By Guest posted 25th Oct 2016, 1:50 PM

Ok, so I'm reading the comments more carefully than I did originally, as I am now implementing this.

I don't really agree with much of the discussion, it's tangential to the issue, more related to #2057 and #2374 and #375 which will be considered separately.

The main issue discussed seems to be how can we do posting-frequency detection for guests, as all combined guest postings go under a single ID. However I think there's no real issue because guests get the CAPTCHA, or we'd generally limit guest posting access (who'd want guests submitting news for example). So we can implement posting-frequency for non-guests only, and still have a whole diverse set of other techniques that do work on guests (CAPTCHA, but also all the other heuristics). We couldn't really track guests anyway, people could use TOR (so have rotating IPs and session IDs).

Duplicate content submission can work on the guest ID with no issue - because different guests are not legitimately going to be posting the same content.

We do need to make sure heuristics do work effectively for contact forms though.

By Guest posted 25th Oct 2016, 1:52 PM

Oh, also I think I was getting at, how do we know what is duplicate content, and I suggested a mechanism using the report system for that.
That isn't so necessary really. I've implemented a system where it can query via meta-data provided in the CMA hooks, over a time range for a particular submitter ID. That's simpler and better than trying to do it through reporting, because it works without any reporting needing to happen.

By Guest posted 27th Jun 2019, 1:20 PM

For reference, W3C have a document explaining non-CAPTCHA anti-spam techniques:
https://www.w3.org/TR/turingtest/

The TLDR is that we now do everything we can that isn't awful in some way, but it's still a good reference.

#2384 - Anti-spam heuristics

Rating

Comments

Statistics