Time to tighten account security?

Looks like spammers and link farmers have found the forums…

I noticed that too. How much can actually be done about that?

Probably the best approach would be to install something like reCAPTCHA, if we’re not already using it.

If this means having to CAPTCHA for every post, then A. Skywalker speaks for me:


If it’s just for registration, no worries.

A lot of forums have a CAPTCHA just for members with less than 10 posts, for example. It’s a little bit of pain for new users, but they’ll get past it soon enough. We’d all be fine if it was set up that way.

May I suggest then that it be very clearly stated each time the captcha is presented that you will only have to deal with it for your first ten posts? If I were presented with a captcha on each post upon making my first few posts to some forum/message board, and it weren’t crystal clear to me that this annoyance is temporary, I would very likely not return.


The phpBB mod I linked to only applies to new user registration and to guest posts. Guest posts are disabled here and I don’t think it’s unreasonable to ask new users to complete a captcha when they sign up. I believe there’s one already, but obviously it could stand to be better. reCAPTCHA could be the low-hanging fruit that lets that happen with no impact on real people and with the very minor social benefit of helping to digitize old books.

It takes less than two minutes of my time in the morning to update the banlist and purge the spam posts, even if it’s been an especially active night. (Thanks to everyone who flags the spam; that makes the job much easier!) A per-post captcha would require vastly more of everyone’s time than that. It would be a hassle and it would be lame.

Despite the green text on my username, I don’t do anything besides clean up the graffiti. I certainly don’t make administrative decisions, so please don’t read too much into my suggestions.

CAPTCHA for guests wouldn’t be too bad.

As for registering, I recall the forums at AGS. You had to fill in a questionnaire before the process was complete. The questionnaire also served, in its case, as a way to make sure people knew where to go, and didn’t post completed games in the Critics’ Lounge, or talk about game design in the Technical Forum.

And of course, it stopped bots from registering. They were multiple choice questions, as I recall.

Just a thought.

My experience with web forums is that a captcha on registering a new account will help, but won’t eliminate spam entirely.

I agree that a captcha on posts (even the first ten posts) is too arduous.

I agree with Ben. In most of the forums I frequent, using CAPTCHA for the initial account registration is usually sufficient. If forum users would also co-operate in flagging any spam that does get through, clean up would take a minimal amount of time.

The cool side effect of answering a CAPTCHA correctly is that Carnegie-Mellon is using the input to help digitize books: google.com/recaptcha/learnmore


I didn’t know unpaid slave labour for the profit of a multi billion dollar corporation is now considered “cool”. Profit acquired by copyright infringement to make matters even better. I’ve still got a lot to learn.

The books they’re digitizing are in the public domain and made available “free of charge” for downloading or browsing online… Many are vintage editions and aren’t generally found in your local public library (at least not in mine).

So yeah, it’s pretty cool …


I suppose it’s easy to be snarky but I am not sure why anyone would prefer a useless captcha to one that accomplished a small amount of useful work. Every click on a Google search result helps their bottom line far more than helping to digitize old court documents ever will.

The real genius of the idea is that barring some weakness in the implementation, when spammers defeat reCAPTCHA they will do so by advancing the state of the art in OCR. That prospect is very cool.

Untrue. See the numerous court cases surrounding their book scanning project.

For example because it won’t invade anyone’s privacy. I think that’s a pretty good reason.

Which is why I’m not using Google search. Again, I value my privacy too much to become too clear a number in Google’s endless database.

Oh bosh. The major settlement was almost two years ago. And, if you want to analyze it further, it was really a “win for everyone” as the settlement created an environment that allowed much wider general access to books than had been previously considered.

There are still minor skirmishes here and there but the settlement: books.google.com/booksrightshold … tents.html really set the groundwork for resolution.

So, if you wish to “throw the baby out with the bathwater” then it’s your prerogative. For myself, I see the benefits far, far outweighing the drawbacks.

How does a CAPTCHA invade one’s privacy? The data doesn’t contain any personal information that I’m aware of … The account information is held on whatever server the forum, or other service, is run from.

If you really feel that way, then you probably don’t want to know about “cookies” …


Newsflash: The USA isn’t the whole world. Oh, wait, that’s all just ‘minor skirmishes’, of course, because it’s not taking place in front of your doorstep. By the way, isn’t it funny how you only came up with this after being told your initial smoke screen attempt was bullshit?

IP addresses combined with a forced cookie valid until 2038 are quite enough to identify you. Combine that with information about which person is using what on the Internet, and you have data which many companies are willing to buy.

Information security is my profession, but thanks for the pointless sarcasm.

I’m not out to ‘convert’ anyone. Do with your private data whatever you like. I’m telling you that this is a bad idea, because you’ll lose potential visitors. I’ve given you reasons for this. Whether you agree with the validity of those reasons or not is insubstantial. You only have to believe that in the subjective view of some people, these reasons exist.

Is the question of whether to use reCAPTCHA vs. ordinary captcha really worth arguing about? Doesn’t seem like it to me.


The reCAPTCHA library does not store a cookie on the client system, as far as I can tell. You can check the source code to see for yourself. As a security professional, I would hope you are willing to examine less than 300 lines of well-commented code to substantiate your conclusions.

The client IP address is submitted to api.recaptcha.net, but if that is a serious privacy concern then you are already behind an anonymous proxy.

Real people create the spammer accounts, not bots. There is already a security question on sign-up, that’s intended to make sure a human is actually responsible. Log out, then go to the Sign Up link and you’ll see it. If it seems bots are somehow parsing it, I can always change the question and answer to something else. I’m open to suggestions. But I don’t like graphical CAPTCHA because those have been cracked by bots already (and because the more unbreakable you make it, the harder it is for even a human to read – I’ve had trouble just signing up some places because the CAPTCHA characters were just too vague even for me to make out).

Not to add to the derail, but while Google’s data retention policies are absolutely something to worry about, the 2038 cookie was replaced (in July 2007) with one set to expire 2 years after you last used Google.

Couldn’t they add a little relevance to their posts beyond copying and pasting one of the previous posts in a four-message thread? Is there some test to filter for creative spammers? (Or are the sign-ups human performed and the posting automated?)