-
Due to abuse, self-registration is disabled.
Registration is only required for posting topics or replies. To register, make a request on any of the PIVX social media or chat channels.
NOTE: To enhance forum security, new accounts that have no posts within a 30-day period are subject to being deleted.
Due to abuse, registration is disabled.Registration is only required for posting topics or replies. To register, make a request on any of the PIVX so
- Thread starter Gerrald
- Start date
Eric_Stanek
Well-known Pivian
Forum admins were being interrupted multiple times every single day, to clear out spam. Some of it was pretty graphic. That opens us up to legal issues. The forum app version is current, and the spammers still get past the protections.
Options are:
1. Find and migrate to a new forum app.
2. Post the notice and allow manual registrations. (We did this.)
Option 1 would be best, but that takes time, with no guarantee the result won't be worse.
Option 2 took seconds to implement, and does not restrict anyone from being able to post. They just need to request an account if they don't already have one.
I am not aware of anyone moving forward on Option 1. But maybe someone is? If not, and someone else wants to do that research, and get Community consensus on the change, that would be great.
Options are:
1. Find and migrate to a new forum app.
2. Post the notice and allow manual registrations. (We did this.)
Option 1 would be best, but that takes time, with no guarantee the result won't be worse.
Option 2 took seconds to implement, and does not restrict anyone from being able to post. They just need to request an account if they don't already have one.
I am not aware of anyone moving forward on Option 1. But maybe someone is? If not, and someone else wants to do that research, and get Community consensus on the change, that would be great.
palmtree
Administrator
Part 1 of 2: Over 20,000 fake accounts (which have been removed) were using this and many other forums as free link farms to increase their websites SEO. Most mainstream forums must deal with this. They use specialty software (XRumer, GSA Search Engine Ranker, Money Robot, Seo Autopilot, and Seo Neo) which utilizes AI technology to create spam content, solve graphical CAPTCHAs, answer questions, and other automated tasks. They are able to register and post to forums (forum spam) with the aim of boosting search engine rankings. The program is able to bypass security techniques commonly used by many forums and blogs to deter automated spam, such as account registration, client detection, many forms of CAPTCHAs, and e-mail activation before posting.
palmtree
Administrator
Part 2 of 2: I created a simulated "Register Account" page that captures and logs user registration attempts. This monitoring system has provided valuable data over the four-month period since new registrations were disabled.
Key Metrics:
Total registration attempts: 3,719
Direct access attempts (non-referral): 600+
Automated bot attempts: 120
Unique IP addresses: 796
Successful attempts: approximately 40
Security Mechanism:
The registration process requires users to provide the current PIVX block number as a CAPTCHA verification. Successful completion of this challenge indicates sophisticated automated software capable of:
Threat Evolution:
Initial attempts showed a zero percent success rate during the first two months. However, I have observed a trend of increasing success rates over time, suggesting continuous refinement of the attacking software. Without intervention, these automated systems will eventually achieve consistent success rates.
Broader Impact:
Regarding the previously mentioned option 1, this invasive software represents a systemic threat affecting all major forum platforms, not just our installation.
Investigation Effort:
Significant resources have been allocated to this including extensive personal time investment, solution research, custom script development, and comprehensive data logging.
Here are a few screenshots, images that show log entries are in reverse order, newest entries on top)
Fake registration page:
Sample log entry where a user eventually succeeds, notice how many attemps and that it only took about 6 minutes to succeed:
Key Metrics:
Total registration attempts: 3,719
Direct access attempts (non-referral): 600+
Automated bot attempts: 120
Unique IP addresses: 796
Successful attempts: approximately 40
Security Mechanism:
The registration process requires users to provide the current PIVX block number as a CAPTCHA verification. Successful completion of this challenge indicates sophisticated automated software capable of:
- Real-time blockchain data retrieval
- Automatic credential management
- Distribution of access methods to other users utilizing the same software platform
Threat Evolution:
Initial attempts showed a zero percent success rate during the first two months. However, I have observed a trend of increasing success rates over time, suggesting continuous refinement of the attacking software. Without intervention, these automated systems will eventually achieve consistent success rates.
Broader Impact:
Regarding the previously mentioned option 1, this invasive software represents a systemic threat affecting all major forum platforms, not just our installation.
Investigation Effort:
Significant resources have been allocated to this including extensive personal time investment, solution research, custom script development, and comprehensive data logging.
Here are a few screenshots, images that show log entries are in reverse order, newest entries on top)
Fake registration page:
Sample log entry where a user eventually succeeds, notice how many attemps and that it only took about 6 minutes to succeed:
Last edited:
Eric_Stanek
Well-known Pivian
Wow. I suspected this type of activity was the issue, but had no clue you went to this much effort to prove it. Thank you so much for doing this.
The 'Work-around' of asking people to manually request an account be created, should dramatically lower the number of bots (for now) and give us time to adjust, with near zero impact to real people's ability to comment on the forum.
The only constant is change.
The 'Work-around' of asking people to manually request an account be created, should dramatically lower the number of bots (for now) and give us time to adjust, with near zero impact to real people's ability to comment on the forum.
The only constant is change.
That's a Good Job
palmtree
Administrator
No account is needed to "lurk". Everything is open for everyone to see. There is no benefit to having an account other than to actually post or reply to posts. In fact, it is my opinion that any new account that has never posted after 30 days should be deleted for forum security.
palmtree
Administrator
I'll be removing the fake registration link soon. Some (not all) things used for this experiment:
- Forced Cloudflare CAPTCHA on every access attempt
- Real URL location changed 25 times during the test period
- Link to register was obfuscated with JS - the real link and redirect only revealed when button was clicked
- Direct link to page would fail, referer must have been from "forum.pivx.org" otherwise form would not load
- Forum cookie must be within x minutes old
- Form was rejected if filled in to quickly (considered a bot)
- Form would timeout if submitted too slowly
- Form contained a "HoneyPot" field and if filled, was considered a bot
- Repeat offenders IP adddress were blocked so logs only showed new offenders