
suggestion about email verification

#15650 (ツ) jose
Created 20.11.2018, read: 1859 times

The IP of my server is blacklisted, so if I send email to Gmail it gets blocked. The reason is comment email-forwarding of spam comments in a WP instance. I can't do anything about this.

This gives me problems when registering new users. I can't really register new users if the verification is via email. I can disable email verification but then I get into the next problem: spam bots, and I got three after 24 hours of experimenting with AsmBB.

Therefore it would be nice to have some hidden email field with a fixed value like "example@abc.com" and a check of the value when email verification is deactivated. If it's tampered with and email verification is deactivated then it's a non-human user.

#15651 (ツ) johnfound
Created 20.11.2018, read: 1857 times
jose

The IP of my server is blacklisted, so if I send email to Gmail it gets blocked. The reason is comment email-forwarding of spam comments in a WP instance. I can't do anything about this.

This gives me problems when registering new users. I can't really register new users if the verification is via email. I can disable email verification but then I get into the next problem: spam bots, and I got three after 24 hours of experimenting with AsmBB.

Therefore it would be nice to have some hidden email field with a fixed value like "example@abc.com" and a check of the value when email verification is deactivated. If it's tampered with and email verification is deactivated then it's a non-human user.

There is a hidden field with a unique "ticket" that is checked on POST requests. But some bots are able to circumvent such simple traps.

Anyway, maybe you should try this trick: use the ssmtp program for outbound emails - this way you will be able to send emails by using an external, not blacklisted email account.

#15652 (ツ) jose
Created 20.11.2018, read: 1853 times
johnfound

There is a hidden field with a unique "ticket" that is checked on POST requests. But some bots are able to circumvent such simple traps.

Anyway, maybe you should try this trick: use the ssmtp program for outbound emails - this way you will be able to send emails by using an external, not blacklisted email account.

If I understand correctly, then the ticket/token value is generated each time to avoid posting directly?

My need is different:

1) I just try to avoid using email for registration.

2) Try to catch bots during registration and not register them.

I could solve this by changing the theme and creating a trigger on the table Users that checks Params.email_confirm. Is that a good/possible way to do this?

Actually I would prefer not to register at all upfront. Automatic registration when you post for the first time (without email verification) is a possibility - also bot safe; experienced with the Kroc NoNonsense forum for a couple of years and not a single bot message.

#15653 (ツ) johnfound
Last edited: 20.11.2018 by johnfound, read: 1851 times
jose

If I understand correctly, then the ticket/token value is generated each time to avoid posting directly?

My need is different:

1) I just try to avoid using email for registration.

2) Try to catch bots during registration and not register them.

I could solve this by changing the theme and creating a trigger on the table Users that checks Params.email_confirm. Is that a good/possible way to do this?

Actually I would prefer not to register at all upfront. Automatic registration when you post for the first time (without email verification) is a possibility - also bot safe; experienced with the Kroc NoNonsense forum for a couple of years and not a single bot message.

Using a trigger in the database is possible and probably will work. But some negative side effects are possible - for example a message about correct registration when actually the registration was rejected.

I can't answer right now what the best approach is in this scenario. I mean automatic registration on first use and without email confirmation. I have to do some research about the safety risks and the best way of handling this problem. Will post about it tomorrow.

BTW, I am using this honeypot-based protection in the commenting system of MiniMagAsm (the main https://asm32.info site is managed by it).

#15654 (ツ) jose
Last edited: 20.11.2018 by jose, read: 1845 times
johnfound

Using a trigger in the database is possible and probably will work. But some negative side effects are possible - for example a message about correct registration when actually the registration was rejected.

I can't answer right now what the best approach is in this scenario. I mean automatic registration on first use and without email confirmation. I have to do some research about the safety risks and the best way of handling this problem. Will post about it tomorrow.

BTW, I am using this honeypot-based protection in the commenting system of MiniMagAsm (the main https://asm32.info site is managed by it).

Great, I'll wait for your qualified input - at least more qualified than mine.

I took a look at how the NoNonsense forum does it, since their forum only has manual spam - we can't avoid those. He uses an image to submit the form and gets some coordinates when you click with the mouse, and then checks with the following code.

define ('FORM_SUBMIT', (isset ($_POST['x'], $_POST['y']) || isset ($_POST['submit_x'], $_POST['submit_y'])));

and more - with comments:

if ((   //if HTTP authentication is used, we don’t need to validate the form fields
        @$_SERVER['PHP_AUTH_USER'] && @$_SERVER['PHP_AUTH_PW']
) || (  //if an input form was submitted:
        FORM_SUBMIT &&
        //are the name and password non-blank?
        NAME && PASS &&
        //the email check is a fake hidden field in the form to try and fool spam bots
        isset ($_POST['email']) && @$_POST['email'] == 'example@abc.com' 

My experiment gave the following data. (email is the honeypot - and if submit.x|y are not set then it's spam; in both cases the data is dropped)

Form data
email	example@abc.com
password	dsafdsaf
submit.x	22
submit.y	19
text	sdfd
username	23423423

#15655 (ツ) johnfound
Created 20.11.2018, read: 1842 times
jose

I took a look at how the NoNonsense forum does it, since their forum only has manual spam - we can't avoid those. He uses an image to submit the form and gets some coordinates when you click with the mouse, and then checks with the following code.

define ('FORM_SUBMIT', (isset ($_POST['x'], $_POST['y']) || isset ($_POST['submit_x'], $_POST['submit_y'])));

and more - with comments:

if ((   //if HTTP authentication is used, we don’t need to validate the form fields
        @$_SERVER['PHP_AUTH_USER'] && @$_SERVER['PHP_AUTH_PW']
) || (  //if an input form was submitted:
        FORM_SUBMIT &&
        //are the name and password non-blank?
        NAME && PASS &&
        //the email check is a fake hidden field in the form to try and fool spam bots
        isset ($_POST['email']) && @$_POST['email'] == 'example@abc.com' 

My experiment gave the following data. (email is the honeypot - and if submit.x|y are not set then it's spam; in both cases the data is dropped)

Form data
email	example@abc.com
password	dsafdsaf
submit.x	22
submit.y	19
text	sdfd
username	23423423

This trick with the x/y coordinates is nice.

IMHO, the fake email field had better stay empty, because some smart bots may not change the non-empty fields. Or if they do, they will change the ticket field as well, and will fail posting as well.

The only possible problem with this protection is that some users switch off image loading/display in their browsers. Or navigate the form by keyboard and submit by pressing the Enter key. I am not sure how the browsers will handle this case. There is a risk that such users will not be able to register properly.

#15656 (ツ) jose
Created 20.11.2018, read: 1837 times
johnfound

This trick with the x/y coordinates is nice.

IMHO, the fake email field had better stay empty, because some smart bots may not change the non-empty fields. Or if they do, they will change the ticket field as well, and will fail posting as well.

The only possible problem with this protection is that some users switch off image loading/display in their browsers. Or navigate the form by keyboard and submit by pressing the Enter key. I am not sure how the browsers will handle this case. There is a risk that such users will not be able to register properly.

I tried it without pictures and got

email	example@abc.com
password	adfadgrqew
submit.x	0
submit.y	0
text	aaaaa
username	adfewrewqr

The HTML is

<p id="psubmit">
	<label id="lab" class="" for="submit"><span>Submit</span>
		<input id="submit" name="submit" type="image" src="/forum/themes/greyscale/img/submit.png" tabindex="5" alt=">" width="40" height="40">
	</label>
	</p>

I can post from a Linux box using the links text browser by hitting ">", so I think blind people and others who do not use images can still post and thus register.

#15657 (ツ) johnfound
Last edited: 20.11.2018 by johnfound, read: 1836 times

Well, I have made some changes in the logic of the register and login forms for the case when the email confirmations are switched off.

In this case, the email field in the registration form is hidden (by CSS) and if the bot submits some email, the registration will be rejected. In addition, the hidden ticket field has been made a regular text field and hidden by CSS as well. This way, the chance that the bot will change it too is much higher.

Also, the submit button is now <input type="image"> and the posted submit.x and submit.y fields are checked as well. This way, simple POST requests can be rejected as well.

In general, all the source changes are here.

Download the latest binary package and update the engine file and the templates/*.

P.S. The permanent link to the latest binary package is: https://asm32.info/fossil/repo/asmbb/doc/trunk/install/asmbb.tar.gz

P.S. BTW, the best (almost) on-the-fly updating procedure for the engine file is:

Rename ./engine to ./engine2

Upload or extract the new ./engine

Execute sudo systemctl restart asmbb
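The server-side checks described in this post (a CSS-hidden email field that must stay empty when email confirmation is off, a per-form ticket that must come back unchanged, and the submit.x/submit.y coordinates that an image submit button adds) are shown below in Python as an added illustration, together with the NoNonsense-style check from jose's post above. This is not AsmBB's code nor the NoNonsense forum's code; the field names, the in-memory ticket store and the sample submissions are constructed assumptions. It also handles the keyboard-submit case jose measured (submit.x/submit.y arrive as 0/0), which is why only the presence of the coordinates is checked, not their value.

```python
"""Registration-form bot checks modelled on the thread's discussion.

Constructed example: field names, ticket store and sample submissions are
assumptions for illustration, not AsmBB's or NoNonsense's real code.
"""
import secrets

# Tickets issued when a registration form was rendered (constructed in-memory
# store; a real deployment would key this by session and expire entries).
ISSUED_TICKETS: set[str] = set()


def issue_ticket() -> str:
    """Generate a fresh ticket for one rendered form and remember it."""
    ticket = secrets.token_hex(16)
    ISSUED_TICKETS.add(ticket)
    return ticket


def validate_registration(form: dict, email_confirmation: bool) -> tuple[bool, str]:
    """Return (accepted, reason) for one posted registration form.

    `form` maps posted field names to string values, as the web server
    would hand them over after parsing the POST body.
    """
    # 1. The ticket must be one this server issued; consume it so the same
    #    form body cannot simply be replayed.
    ticket = form.get("ticket", "")
    if ticket not in ISSUED_TICKETS:
        return False, "ticket missing or tampered"
    ISSUED_TICKETS.discard(ticket)

    # 2. An <input type="image"> submit adds submit.x/submit.y on a click.
    #    Keyboard submission (Enter) still sends them, as 0/0, so presence is
    #    the test; a hand-crafted POST without a real form submit lacks them.
    if "submit.x" not in form or "submit.y" not in form:
        return False, "no submit coordinates (plain POST?)"
    try:
        int(form["submit.x"])
        int(form["submit.y"])
    except ValueError:
        return False, "submit coordinates not numeric"

    # 3. Name and password must be non-blank (the NoNonsense NAME && PASS check).
    if not form.get("username", "").strip() or not form.get("password", ""):
        return False, "blank username or password"

    # 4. Email handling depends on whether confirmation mails can be sent.
    email = form.get("email", "")
    if email_confirmation:
        if "@" not in email:
            return False, "email required for confirmation"
    else:
        # Field is hidden by CSS: a human never sees it, so a filled value
        # means a form-filling bot (johnfound's "keep it empty" variant).
        if email != "":
            return False, "honeypot email field was filled"
    return True, "ok"


def run_samples() -> dict:
    """Run constructed submissions through the validator; returns reasons."""
    samples = {
        "mouse click": {"submit.x": "22", "submit.y": "19",
                        "username": "alice", "password": "pw", "email": ""},
        "keyboard enter": {"submit.x": "0", "submit.y": "0",
                           "username": "bob", "password": "pw", "email": ""},
        "bot fills email": {"submit.x": "1", "submit.y": "1", "username": "x",
                            "password": "pw", "email": "spam@example.invalid"},
        "bot plain POST": {"username": "x", "password": "pw", "email": ""},
    }
    results = {}
    for name, fields in samples.items():
        fields = dict(fields, ticket=issue_ticket())
        results[name] = validate_registration(fields, email_confirmation=False)
    # A bot that guesses or reuses a ticket value it was never issued.
    results["bot bad ticket"] = validate_registration(
        {"ticket": "0000", "submit.x": "1", "submit.y": "1",
         "username": "x", "password": "pw"}, email_confirmation=False)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{name:16s} -> {'accept' if accepted else 'reject'}: {reason}")
```

The ticket is consumed before the remaining checks run, so any rejected or accepted attempt needs a freshly rendered form; that is intentional, since reusing a ticket across attempts is exactly what a scripted client would do. The honeypot check follows johnfound's recommendation that the hidden email stays empty; jose's fixed-value variant would compare against "example@abc.com" at step 4 instead.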

#15658 (ツ) jose
Last edited: 20.11.2018 by jose, read: 1833 times

Just tested and could create the user. I get an error message when logging in - but get logged in. I will investigate further tomorrow.

There is a problem with login. It seems to depend on the Backlink value. The first time I don't get logged in but I do the second time (the browser saves the login info so the same data is used).

#15663 (ツ) johnfound
Created 21.11.2018, read: 1825 times

It seems to be some corner case. I can't reproduce. :-(

#15672 (ツ) jose
Last edited: 21.11.2018 by jose, read: 1818 times

I can, each time. The first time I try to log in it fails.

The second time it works.

I've been experimenting with the wasp theme from 17 November and made my own theme by modifying it. Can that be it?

#15673 (ツ) johnfound
Last edited: 21.11.2018 by johnfound, read: 1814 times
jose

I've been experimenting with the wasp theme from 17 November and made my own theme by modifying it. Can that be it?

Yes, the latest changes need changes both in the template files and in the CSS files as well. You should merge (manually or by using fossil) your changed templates with the latest from the source repository.

That is why I specifically notified about the need for a templates update in the message above.

P.S. Another way is to check carefully the changes in the templates and implement something similar in your theme. For example, the submit button of the register and login form must be of type image. But this way is hard and should be used only if you have made serious, totally incompatible changes to the skin.

Also, read about the CSS files edits here: https://board.asm32.info/small-help.248/

AsmBB v2.9 (check-in: 6d407831308ba556); SQLite v3.31.1 (check-in: 3bfa9cc97da10598);
©2016..2020 John Found; Licensed under EUPL. Powered by Assembly language Created with Fresh IDE