
suggestion about email verification

The IP of my server is blacklisted, so if I send email to Gmail it gets blocked. The reason is comment email-forwarding of spam comments in a WP instance. I can't do anything about this.

This gives me problems when registering new users. I can't really register new users if the verification is via email. I can disable email verification, but then I get into the next problem: spam bots, and I got three after 24 hours of experimenting with ASMBB.

Therefore it would be nice to have some hidden email field with a fixed value like "example@abc.com" and a check of the value when email verification is deactivated. If it's tampered with and email verification is deactivated, then it's a non-human user.

jose


There is a hidden field with a unique "ticket" that is checked on POST requests. But some bots are able to circumvent such simple traps.

Anyway, maybe you should try this trick: use the ssmtp program for outbound emails. This way you will be able to send emails by using an external, non-blacklisted email account.

johnfound


If I understand correctly, the ticket/token value is generated each time to avoid direct POSTs?

My need is different:

1) I just try to avoid using email for registration.

2) Try to catch bots during registration and not register them.

I could solve this by changing the theme and creating a trigger on table Users that checks Params.email_confirm. Is that a good/possible way to do this?

Actually I would prefer not to register at all upfront. Automatic registration when you post for the first time (without email verification) is a possibility - also bot-safe, as experienced with the Kroc NoNonsense forum for a couple of years and not a single bot message.

jose


Using a trigger in the database is possible and probably will work. But some negative side effects are possible - for example a message for correct registration when actually the registration was rejected.

I can't answer right now what the best approach is in this scenario. I mean automatic registration on first use and without email confirmation. I have to do some research about the safety risks and the best way of handling this problem. Will post about it tomorrow.

BTW, I am using this honeypot-based protection in the commenting system of MiniMagAsm (the main https://asm32.info site is managed by it).

johnfound


Great, I'll wait for your qualified input - at least more qualified than mine.

I took a look at how the NoNonsense forum does it, since their forum only has manual spam - we can't avoid those. He uses an image to submit the form and gets some coordinates when you click with the mouse, and then checks with the following code:

  define ('FORM_SUBMIT', (isset ($_POST['x'], $_POST['y']) || isset ($_POST['submit_x'], $_POST['submit_y'])));

and more - with comments:

  if ((
      //if HTTP authentication is used, we don't need to validate the form fields
      @$_SERVER['PHP_AUTH_USER'] && @$_SERVER['PHP_AUTH_PW']
  ) || (
      //if an input form was submitted:
      FORM_SUBMIT &&
      //are the name and password non-blank?
      NAME && PASS &&
      //the email check is a fake hidden field in the form to try and fool spam bots
      isset ($_POST['email']) && @$_POST['email'] == 'example@abc.com'

My experiment gave the following data (email is the honeypot - and if submit.x|y are not set then it's spam; in both cases the data is dropped). Form data:

  email     example@abc.com
  password  dsafdsaf
  submit.x  22
  submit.y  19
  text      sdfd
  username  23423423

jose


This trick with the x/y coordinates is nice.

IMHO, the fake email field is better to stay empty, because some smart bots may not change the non-empty fields. Or if they do, they will change the ticket field as well, and will fail posting as well.

The only possible problem with this protection is that some users are switching off the image load/display in their browsers. Or navigate the form by the keyboard and submit by pressing the Enter key. I am not sure how the browsers will handle this case. There is a risk that such users will not be able to register properly.

johnfound


I tried it without pictures and got:

  email     example@abc.com
  password  adfadgrqew
  submit.x  0
  submit.y  0
  text      aaaaa
  username  adfewrewqr

The HTML is:

  <p id="psubmit"> <label id="lab" class="" for="submit"><span>Submit</span> <input id="submit" name="submit" type="image" src="/forum/themes/greyscale/img/submit.png" tabindex="5" alt=">" width="40" height="40"> </label> </p>

I can post from a Linux box using the Links text browser by hitting ">", so I think blind people and others that do not use images still can post and thus register.

Well, I have made some changes in the logic of the register and login forms for the case when the email confirmations are switched off.

In this case, the email field in the registration form is hidden (by CSS) and if the bot submits some email, the registration will be rejected. In addition, the hidden ticket field has been made a regular text field and hidden by CSS as well. This way, the chance that the bot will change it too is much higher.

Also, the submit button now is <input type="image"> and the posted submit.x and submit.y fields are checked as well. This way, simple POST requests can be rejected as well.

In general, all the source changes are here.

Download the latest binary package and update the engine file and the templates/*.

P.S. The permanent link to the latest binary package is: https://asm32.info/fossil/repo/asmbb/doc/trunk/install/asmbb.tar.gz

P.S. BTW, the best (almost) on-the-fly updating procedure for the engine file is:

  • Rename ./engine to ./engine2
  • Upload or extract the new ./engine
  • Execute sudo systemctl restart asmbb
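A server-side version of the checks discussed in this thread (jose's NoNonsense excerpt above and johnfound's final design: an empty CSS-hidden email field, a hidden ticket field, and the image-button x/y check), written here as an added Python example; it is not AsmBB's or the NoNonsense forum's code. The field names come from jose's captured form data; the "ticket" field, the TicketStore class and its one-hour lifetime are assumptions of the example, and the sample submissions are constructed.

```python
"""Server-side bot filter for a registration form without email confirmation.

Added example, not AsmBB's or the NoNonsense forum's code. It combines the
checks discussed in the thread: the CSS-hidden honeypot email field must come
back empty, the per-form ticket must be one the server issued and not yet
used, and an <input type="image"> submit must post its x/y coordinates.
Field names follow jose's captured submissions (email, password, username,
text, submit.x, submit.y) plus an assumed 'ticket' field; the TicketStore and
its one-hour lifetime are assumptions of this example.
"""
import secrets
import time

HONEYPOT_FIELD = "email"        # hidden by CSS, so a human leaves it empty
TICKET_TTL_SECONDS = 3600       # assumed lifetime of an issued form ticket


class TicketStore:
    """Issues single-use tickets when a form is rendered and redeems them on POST."""

    def __init__(self):
        self._expires_at = {}

    def issue(self, now=None):
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(16)
        self._expires_at[ticket] = now + TICKET_TTL_SECONDS
        return ticket

    def redeem(self, ticket, now=None):
        """True once per ticket; a replayed, unknown or expired ticket fails."""
        now = time.time() if now is None else now
        expires = self._expires_at.pop(ticket, None)
        return expires is not None and now <= expires


def check_registration(form, tickets, now=None):
    """Return (accepted, reason) for one posted form (a dict of field -> value).

    Cheap checks run first so a rejected bot costs no more than a dictionary
    lookup; the ticket is consumed only after they pass.
    """
    # 1. Honeypot: johnfound's refinement is that the hidden field stays empty,
    #    so any value at all means a bot filled in every field it could see.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"

    # 2. Image submit button: a browser adds submit.x/submit.y on click. jose's
    #    test shows keyboard submits and image-less browsers still send 0/0,
    #    so test presence, not a non-zero value, or those users are locked out.
    #    (PHP would expose these as submit_x/submit_y; the raw names are kept.)
    if "submit.x" not in form or "submit.y" not in form:
        return False, "no submit coordinates (direct POST)"

    # 3. Ticket: must be one we issued for a rendered form and not yet used.
    if not tickets.redeem(form.get("ticket", ""), now):
        return False, "unknown, expired or reused ticket"

    # 4. Only now validate the real fields (as NoNonsense's NAME && PASS).
    if not form.get("username") or not form.get("password"):
        return False, "username or password blank"
    return True, "ok"


def demo():
    """Run constructed submissions through the filter; returns the reasons."""
    store = TicketStore()
    ticket = store.issue(now=1000)
    human = {"username": "adfewrewqr", "password": "adfadgrqew", "text": "aaaaa",
             "email": "", "submit.x": "0", "submit.y": "0", "ticket": ticket}
    # Constructed bot submissions: filled honeypot, no click coordinates,
    # and a replay of a ticket that has already been consumed.
    filled_honeypot = dict(human, email="bot@example.com", ticket=store.issue(now=1000))
    direct_post = {k: v for k, v in human.items() if not k.startswith("submit.")}
    direct_post["ticket"] = store.issue(now=1000)
    return [check_registration(f, store, now=1010)[1]
            for f in (human, filled_honeypot, direct_post, human)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The coordinate check only tests that submit.x and submit.y are present, because jose's image-less test still produced 0/0; requiring non-zero values would reject exactly the keyboard and text-browser users johnfound was worried about. The ticket is redeemed last, so a rejected honeypot submission does not burn a ticket that a legitimate form reload might still need.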
Just tested and could create the user. I get an error message when logging in - but get logged in. I will investigate further tomorrow.

There is a problem with login. It seems to depend on the Backlink value. The first time I don't get logged in, but I do the second time (the browser saves the login info, so it's the same data used).

It seems to be some corner case. I can't reproduce. ?:-(

I can, each time. The first time I try to log in it fails.

The second time it works.

I've been experimenting with the wasp theme from 17 November and made my own theme by modifying it. Can it be it?

jose


Yes, the latest changes need changes in both the template files and the CSS files as well. You should merge (manually or by using fossil) your changed templates with the latest from the source repository.

That is why I have specially notified about the need for a templates update in the message above.

P.S. Another way is to check carefully the changes in the templates and implement something similar in your theme. For example, the submit button of the register and login forms must be of type image. But this way is hard and should be used only if you have made serious, totally not compatible changes to the skin.

Also, read about the CSS file edits here: https://board.asm32.info/small-help.248/


AsmBB v2.4 (check-in: 7bb3292ed42db7ca); SQLite v3.25.3 (check-in: 89e099fbe5e13c33);

©2016..2018 John Found; Licensed under EUPL.
Powered by Assembly language
Created with Fresh IDE

Icons are made by Egor Rumyantsev, vaadin and icomoon from www.flaticon.com