Hi, I have used mollom to stop russian bots from registering on my drupal 6.20 site effectively since I set it up.
(backstory)
I also had memcached running with the drupal memcache module. For some reason anonymous users were not seeing new content, only if you logged in could you see new content. I resolved that issue by stopping the memcached service, thinking that was enough to stop drupal from trying to use memcached (hey anonymous users could see new content finally)
However I later found out users couldn't get past mollom. No matter what you put in for the captcha it would fail.. (unknown session id) it turned out to be related to memcache.. I removed the memcache include from settings.php and it was resolved..
Finally my real problem:
Now last night a Russian bot (user?) registered successfully. My dblog doesn't go far back enough to tell if mollom shows a "CAPTCHA PASSED"
In the apache logs I don't see that they ever clicked the account verification link that should have been sent to them in the email, which I can see was sent in the sendmail logs.
How did they get through? Maybe this was a real user?
username: chinagifts
email registered: sales08.fzop@gmail.com
IP address: 121.204.53.102
Reverse DNS: 102.53.204.121.board.fz.fj.dynamic.163data.com.cn
Comments
BTW, the bot found me via the
BTW, the bot found me via the following google search:
http://www.google.com/search?q=inurl:.com/users/+%22powered+by+drupal%22...
I have now modified my footer message from "Powered by Drupal" to "Using Drupal"
Mechanical Turk FTL?
As shibby can attest while mollom is pretty powerful it isn't omniscient. The single biggest chink in it's armor is Mechanical Turk style registrations. Spammers are paying real live people to register on sites and post spam links. Unfortunately I don't know of any technical solutions for this sort of thing short of actual account/post moderation.
Blackhat SEO
I believe what you are seeing is what we started experiencing on opensource.com a few months ago. It's most likely Blackhat SEO that is using real users (paid) to pass the CAPTCHA.
Where do I start...
Mollom has been great at catching an estimated 90-95% of our spam comments. This is what mollom does best. It does a text scan of the content being submitted and looks for links or keywords that it has built up in its database. On the back end, mollom also has some reputation algorithm for registered and anonymous users. It's basically building "trust" with users. Almost all new users and certainly going to have to complete the CAPTCHA. But after a few comments and rating, that will go away.
We have been working with Dries, Acquia, and the mollom team to apply similar tactics to user registration form. To the best of our knowledge, users are registering with the site to get links to whatever it is they are trying to promote. We have some beta code deployed that has drastically reduced our +10 / hour spam registration to now 1-3 / hour. There is still room for improvement.
I had some help from one of our security guru's here at Red Hat, Steve Milner, aka ashcrow, who explained the blackhat SEO tactics. Bascially, spammers have their database of emails, users, and typcial form information all scripted for forms like user registration or comment fields. Then, they've automated the CAPTCHA showing to paid users, i.e. Mechanical Turk style mentioned above), so that a real person is completing the CAPTCHA. 9 times out of 10, the accounts never log in after being registered.
Our best practice here is to scan new registrants and delete these accounts from our user regisrtation.
Now that we've deployed our BETA points system (see: http://opensource.com/should-be/11/1/beta-points-and-badge-system) we plan on implementing a model that will hide the website and bio for users who do not participate, by earning more than 10 points.
At a high level, a newbie, who is a registered user with < 10 points will be allowed to complete their user profile, however, on their user profile page, we will display "The users website and bio will be viewable once they reach our Community Member role."
Looking forward, the concept I've pitched to the mollom team is to scan the user reg form (website and bio seem to be most problematic for us), just like they do for comments, and block users from regsiterting with known spam URLs.
I hope this is helpful to everyone.
Shibby
Guys thanks for the ideas.
Guys thanks for the ideas. That could be it (humans).. one question, if 9 times out of 10 they never login after registering, what is the point?
URL
To get their URL on your site. -> Blackhat SEO
but if they never login how
but if they never login how does the URL get on my site?
I do see them login once and edit their account, on my site you can't put url's in your profile.. maybe that is what they would do if they could
Another Resource
Just wanted to add that I'm pretty sure Ruby had a very similar problem on HASTAC about a year ago. I'll tweet her and see if she has anything to share.
oh, thanks a lot Julia! I
oh, thanks a lot Julia!
I haven't had many more of the mechanical turks.. there is one that I think might be.. but I'm having a tough time tracking it down in the logs.
that particular one (from 4 days ago) hasn't logged in yet though