Joined: 18 Dec 2003
Posts: 13497
Location: Behind You
Posted: 11/28/11 11:56
kdh:
djmerlyn:
kdh:
djmerlyn:
kdh:
djmerlyn:
Sorry you're having a bad day!
I'm not the one with a server that's filled with spam and garbage..
How about you?
Doing great, couldn't be happier. Happy holidays!
I see what you did there..
lol nobody came here attacking you. Just pointing out a fundamental flaw of trying to ban so many IPs; the suggested temporary solution could be improved. It would be great if it was an importable CSV list to add to the Jamroom block list (it's quick to make one that you can import in phpMyAdmin, no SSH required). Not sure where what I said created a tangent. But it seems to be the way the day has gone. Sorry if that's how it came across.
Note that there is another thread here suggesting we have just that, you have the fastest start as of right now. I'll link the thread...
You came out of the gate calling my quick solution dutch boy security. That is an attack.
No, calling you or anyone else a chump is an attack. Calling blocking 4800 IPs dutch boy security is calling it what it is.
I'm sure you're a really nice person in the real world, I don't know you and have no reason to attack you. I'm sorry you see it that way. But you're wrong, and the way you have responded is too. Nobody, and I mean NOBODY, deserves any type of abuse from ANYONE in ANY place, including a public forum like this whether we're talking about software, cars, girls, whatever. Going forward, it needs to stop.
K.. you can call it dutch boy security, and I'll call you a hack webadmin.
Nobody, and I mean NOBODY, deserves any type of abuse from ANYONE in ANY place, including a public forum like this whether we're talking about software, cars, girls, whatever. Going forward, it needs to stop.
djmerlyn:
Obviously the little dutch boy blocking IP's is not a solution and promoting it as one is not very helpful and is mostly cluttering up the thread.
kdh:
Thanks for the suggestions chump.
I hate to say it, but you both are doing it, and that above comment is aimed as an attack just as his was, no difference. We are all obviously systems people with different backgrounds and LOTS of experience. There is a difference of opinion here; that is what open forums are all about... That said, technical solutions, people, professionalism!
Joined: 18 Dec 2003
Posts: 13497
Location: Behind You
Posted: 11/28/11 12:16
cmpnetwork:
I am confused now what exactly is Dutch boy Security?
The little dutch boy puts his finger in a hole in a dike where the ocean is leaking through, trying to hold back the ocean from breaking through. It's a metaphor for a quick and dirty fix until help has arrived, not an insult :shrug:
http://www.pantheon.org/articles/l/little_dutch_boy.html
In this case, help did arrive but a lot of us missed it because the thread was going too fast with tangent solutions. It was never posted in a dominant place on the forum for people to follow. It's way back here in the middle of the page;
Joined: 09 Jul 2003
Posts: 37583
Location: Seattle, WA
Posted: 11/28/11 13:15
Please - we've managed to go over 8 years on this forum and maintain civility. Calling another user a name is not only unprofessional, but unwarranted.
If you disagree with someone on something they have posted, please focus on the problem and not the person.. If you technically disagree with someone, post WHY you disagree with them, and if you can please back it up with URLs or links to technical papers that clearly outline the issue at hand.
Calling someone a name or denigrating their input is simply guaranteed to get everyone riled up. I know it's easy to get passionate and involved when a situation appears to be blowing up, but more often than not, it's simply an additional road block that needs to be overcome before the real solutions and work can be completed.
So all together now, deep breath, step back, and let's think about what we can do to help alleviate this type of spam issue going forward.
We have taken the following actions:
- removed the affected/exploited quota and moved all active users to a new one.
- deleted and removed all the rogue accounts; had to take it down for maintenance for a few minutes.
- we patched the signup.php in the test release provided by Brian (Thanks!)
- we switched captcha to Google API (Great Suggestion! no template edits were required)
-jc
Agreed with above, so removing the unagreed step from my page one post, to be clear for those joining the thread fwd. The above solutions are easy to adapt, don't alter the JR codebase and work to hold back spam users. To my knowledge in this thread it has worked for others as well as us. Does anyone have reason to believe otherwise?
and click on the "use recaptcha on your site" button - fill in the form and you will be given some unique ID values for your site. Go into Jamroom Tools -> Advanced Settings and set the following 2 keys:
jr_recaptcha_private_key
jr_recaptcha_public_key
to the values you received on the Recaptcha site. Reset your template cache and you should see Recaptcha in place of Jamroom's captcha. If you continue to receive spammer signups AFTER doing this, then it means it is not a bot signing up, but a real user and you'll need to manually delete accounts.
Joined: 23 Mar 2007
Posts: 251
Location: Chicago, IL
Posted: 11/30/11 11:06
I've seen several options to block the spam accounts, but it seems as if we don't agree on any of them. In close to 14 years I've never had to deal with a problem such as this, which leads me to Yahoo to search for solutions. This isn't a JR problem exclusively; it's widespread with the CAPTCHA JR is using. Don't get me wrong, I'm not attacking the JR development team, as they used what they felt was a good solution, and it was until some spammer found a way to read the CAPTCHA image.
Here is what I've seen to date as possible solutions:
Block IPs
Insert a hidden field
Add a 3 second delay to the Submit button
Change the name of the signup.php file
Update the signup.php file to 4.2.6 and insert the Google reCAPTCHA code
My personal choice was to change the name of the file, which is working for now, but I expect that will change. If I were a better coder I think I would add the 3 second delay and a hidden field to the signup page, which should add an additional security measure. I don't like adding Google reCAPTCHA; I don't like Google and I'm getting plenty of traffic without them. I figure if after 14 years, well, that's another topic. 14k bot hits a week from Google is extreme and unnecessary, there I said it.
Let's see if we can focus on a solution that we can all agree on.
Have a safe holiday all
_________________ 440MUSIC.COM Internet Radio & Music Store
The Granddaddy of Internet Radio for the
Unknown, Unsigned, and Independent Musician
Going Beyond The Reach Of Satellite
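The "hidden field" and "3 second delay" ideas from the list above can be combined into one server-side check. The following is an added example, not Jamroom code and not 2tunes' own; the function names (signupFormFields, signupCheck), the field names (form_ts, form_sig, website_url) and the secret are all assumptions made for the illustration. The point a practitioner would want: a delay implemented only in JavaScript on the Submit button does nothing against a script that posts directly to signup.php, so the form issue time has to be signed and checked on the server.

```php
<?php
// Added example (not Jamroom code): honeypot field plus minimum-submit-time
// check for a signup form. All names below are hypothetical.

declare(strict_types=1);

const SIGNUP_MIN_SECONDS = 3;             // the "3 second delay" from the thread
const SIGNUP_MAX_SECONDS = 3600;          // reject forms older than an hour (stale/replayed)
const HONEYPOT_FIELD     = 'website_url'; // hidden field a human never sees or fills

// Secret used to sign the timestamp so a bot cannot backdate it.
// In a real deployment load this from config, not a literal (placeholder value).
$signupSecret = 'replace-with-a-random-secret';

/** Build the hidden inputs to embed in the signup form template. */
function signupFormFields(string $secret, int $now): string
{
    $sig = hash_hmac('sha256', (string)$now, $secret);
    return '<input type="hidden" name="form_ts" value="' . $now . '">' . "\n"
         . '<input type="hidden" name="form_sig" value="' . $sig . '">' . "\n"
         // CSS hides the honeypot; a bot that fills every field will populate it.
         . '<div style="display:none" aria-hidden="true">'
         . '<input type="text" name="' . HONEYPOT_FIELD . '" value="" tabindex="-1" autocomplete="off">'
         . '</div>' . "\n";
}

/**
 * Validate a submitted form. Returns null if it looks human, otherwise a
 * short reason string suitable for your log (do not echo it to the client).
 */
function signupCheck(array $post, string $secret, int $now): ?string
{
    // 1. Honeypot: any content in the invisible field means a script filled it.
    if (!empty($post[HONEYPOT_FIELD])) {
        return 'honeypot filled';
    }
    // 2. Timestamp and signature must both be present and well formed.
    if (!isset($post['form_ts'], $post['form_sig'])) {
        return 'missing timestamp';
    }
    if (!ctype_digit((string)$post['form_ts'])) {
        return 'bad timestamp';
    }
    $ts = (int)$post['form_ts'];
    // 3. Verify the HMAC in constant time so the timestamp cannot be forged.
    $expected = hash_hmac('sha256', (string)$ts, $secret);
    if (!hash_equals($expected, (string)$post['form_sig'])) {
        return 'bad signature';
    }
    // 4. Too fast means a script posted straight to signup.php; too old means stale.
    $age = $now - $ts;
    if ($age < SIGNUP_MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > SIGNUP_MAX_SECONDS) {
        return 'form expired';
    }
    return null;
}

// --- Demonstration with constructed submissions ---
$issued = 1322500000; // constructed "form rendered" timestamp for the demo
$sig    = hash_hmac('sha256', (string)$issued, $signupSecret);

$human = ['form_ts' => (string)$issued, 'form_sig' => $sig, HONEYPOT_FIELD => ''];
$bot1  = $human;
$bot1[HONEYPOT_FIELD] = 'http://spam.example';                        // filled the honeypot
$bot2  = ['form_ts' => (string)$issued, 'form_sig' => $sig];          // posted instantly
$bot3  = ['form_ts' => (string)($issued - 10), 'form_sig' => $sig];   // backdated timestamp

var_dump(signupCheck($human, $signupSecret, $issued + 5)); // NULL
var_dump(signupCheck($bot1,  $signupSecret, $issued + 5)); // "honeypot filled"
var_dump(signupCheck($bot2,  $signupSecret, $issued + 1)); // "submitted too fast"
var_dump(signupCheck($bot3,  $signupSecret, $issued + 5)); // "bad signature"
```

Rejected submissions should be logged with the reason and dropped quietly rather than told why, and this is a speed bump layered on top of reCAPTCHA, not a replacement for it: a crawler that renders CSS can skip the honeypot, and one that waits a few seconds passes the timing check, so keep the admin-validation fallback mentioned later in the thread for anything that gets through.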
OH come on, everyone can use a lil extra Alexa traffic ranking. But yeah, I feel ya, I do not really need them either hitting my page.
2tunes:
I'm getting plenty of traffic without them. I figure if after 14 years, well, that's another topic. 14k bot hits a week from Google is extreme and unnecessary, there I said it.
Let's see if we can focus on a solution that we can all agree on.
Just checked my email and had a few hundred pending messages and signups over the last couple of days.
Manually removed all of them this time without using prune and set the quota signup to admin validation instead of email.
I've already updated my signup.php and am using re-captcha. Not sure how the thing got past that; it had been quiet for the last week and all of a sudden the signups and messages started again.
Anyway, just going to watch it for a while.
_________________ JR 4.X + JR modules and addons ( I keep all of them current )
www.michiganmonster.com
I'm not seeing it yet. The recaptcha is still working. No spam signups. No new Blogs.
So far so good.
rickallen:
They're Back ....
Just checked my email and had a few hundred pending messages and signups over the last couple of days.
Manually removed all of them this time without using prune and set the quota signup to admin validation instead of email.
I've already updated my signup.php and am using re-captcha. Not sure how the thing got past that; it had been quiet for the last week and all of a sudden the signups and messages started again.