vichan-devel / vichan

Vichan is the most popular and widely used imageboard software in the world. It is a free, light-weight, fast, highly configurable and user-friendly imageboard software package.
https://vichan.info

Hold all posts for approval #646

Open frozenpandaman opened 10 months ago

frozenpandaman commented 10 months ago

Is there a way to make posts not show up until they get manually approved by an admin/mod?

ctrlcctrlv commented 10 months ago

no

frozenpandaman commented 10 months ago

Dang. CAPTCHAs (hand-rolled or recaptcha) aren't preventing spam of porn/viruses being posted with high frequency, and I need to find a way to curb it that doesn't require someone to be present at their computer 24/7 to watch for it. Any suggestions?

chanadmins commented 10 months ago

> Dang. CAPTCHAs (hand-rolled or recaptcha) aren't preventing spam of porn/viruses being posted with high frequency, and I need to find a way to curb it that doesn't require someone to be present at their computer 24/7 to watch for it. Any suggestions?

If you have local chan, allow all IPs from your country and block everything else in htaccess.

frozenpandaman commented 10 months ago

@chanadmins It's not local – posters from at least 6 countries (quick manual tally of a few recent posts) use the board. Spam so far has come from IPs in eight different countries, including some that overlap with countries where legitimate users are from.

RealAngeleno commented 10 months ago

let me know if the ip addresses are coming from vpns, tor, or something else.

Is it from the known CSAM bot? I did think about the idea of a system similar to MediaWiki's QuestyCaptcha, as that works to stop 100% of all uncustomized spam, but obviously, it won't do you any good against customized spam.

virtuelles commented 10 months ago

I'm using DNSBL settings to block ads and malicious attacks. However, this requires the attacker's IP to be registered on the DNSBL server in order to be blocked.

frozenpandaman commented 10 months ago

@RealAngeleno Just went through the bans and checked. None are from Tor, but all are using VPNs/proxies according to https://ip.teoh.io/vpn-detection. https://www.ipqualityscore.com/tor-ip-address-check/ has all of them rated in the 96–99 range, "abusive IP". I'm sure the spam is automated.

QuestyCaptcha integration is a great idea; even if it feels repetitive to users, requiring posters to enter a simple word would prevent most automated spam, I'd imagine. I could probably hardcode this in tonight and see if I can get a basic/naïve implementation working.

@virtuelles Thanks for the suggestion! I could also look into denying site traffic via an .https file, since I figure a lot of those IPs are flagged in public lists. Could you let me know how you set this up?

virtuelles commented 10 months ago

The settings I'm using are just

$config['dnsbl'][] = array('all.s5h.net');

The reason for confirming their effectiveness is that they previously blocked me as well, LMAO. Additionally, are the tor.dnsbl.sectoor.de, bl.spamcannibal.org, dnsbl.dronebl.org, and dnsbl.httpbl.org provided by the wiki still useful? I encountered connection failures when testing them.

frozenpandaman commented 10 months ago

@virtuelles Ah, I didn't realize that was a built-in config option – so simple! Thank you. Reading https://github.com/vichan-devel/vichan/wiki/config, though, I'm not sure if I exactly understand the second item in the array, e.g. the 4 in the default $config['dnsbl'][] = array('rbl.efnetrbl.org', 4); line.
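
How a DNSBL entry like the ones above is evaluated, as an added example (not vichan's code and not part of any comment in this thread): the client's IPv4 octets are reversed, prepended to the list's zone and looked up as an A record, and a listed address answers with a 127.0.0.x code. Reading the second array element as the accepted last octet is an assumption to confirm against vichan's source; `rbl.example`, the stub resolver and its records are constructed.

```php
<?php
// Added example, not vichan code. IPv4 only; zone name and DNS records are constructed.

/** Query name = reversed octets + zone; a '%' in the zone marks where the IP goes. */
function dnsbl_query_name(string $ip, string $zone): string {
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    return strpos($zone, '%') !== false
        ? str_replace('%', $reversed, $zone)
        : $reversed . '.' . $zone;
}

/** Real resolver: gethostbyname() returns its input unchanged when nothing resolves. */
function dns_a_record(string $name): ?string {
    $answer = gethostbyname($name);
    return $answer === $name ? null : $answer;
}

/**
 * $entry is array(zone), array(zone, code) or array(zone, array(codes)).
 * Assumption: a code is the last octet of the 127.0.0.x answer.
 */
function dnsbl_blocks(string $ip, array $entry, callable $resolve): bool {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;                       // not handled by this sketch
    }
    $answer = $resolve(dnsbl_query_name($ip, $entry[0]));
    if ($answer === null) {
        return false;                       // no record: not listed (or list unreachable)
    }
    if (!isset($entry[1])) {
        return true;                        // no code given: any listing blocks
    }
    $lastOctet = ip2long($answer) & 0xFF;
    return in_array($lastOctet, (array) $entry[1], true);
}

// Constructed stand-in for DNS so the example runs offline.
$fakeDns = function (string $name): ?string {
    $records = [
        '7.113.0.203.rbl.example' => '127.0.0.4',
        '9.113.0.203.rbl.example' => '127.0.0.1',
    ];
    return $records[$name] ?? null;
};

var_dump(dnsbl_blocks('203.0.113.7', ['rbl.example', 4], $fakeDns)); // listed with code 4
var_dump(dnsbl_blocks('203.0.113.9', ['rbl.example', 4], $fakeDns)); // listed, other code
var_dump(dnsbl_blocks('203.0.113.9', ['rbl.example'], $fakeDns));    // listed, any code
var_dump(dnsbl_blocks('203.0.113.5', ['rbl.example', 4], $fakeDns)); // not listed
```

Pass `'dns_a_record'` as the resolver to query a real list. With this logic a zone that times out or no longer resolves looks the same as "not listed", so a dead DNSBL lets every poster through without any error.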

frozenpandaman commented 9 months ago

@RealAngeleno I've tried both above options (DNSBL and manually banning a ton of IPs using .htaccess deny rules) and the CSAM/porn spam is still happening. Would you or anyone else have a solution here? I think the QuestyCaptcha is the best idea, if there's no way to hold posts for auto-approval; let me know if there's already been code written to integrate something like that.

MtnXfreeride commented 9 months ago

> Is there a way to make posts not show up until they get manually approved by an admin/mod?

This is a crucial feature the community needs IMO and the reason I stopped hosting a chan. My dream setup is email notification of a new post along with the ability to hold all posts for moderation by time of day (like the hours I am typically asleep). Seems like most chan sites are run by a single person so moderating assistance is important.

frozenpandaman commented 4 months ago

Hoping there is some progress on this soon! Just wanted to check in to see how things are going, since the repo & other feature development seems to be active.

Black-Hand-Radio commented 1 month ago

The spammers use their botnet as proxy servers, but they are not bots, they are normal people making posts. So they will get through all automated methods like captchas or honeypot fields. They can continuously rotate their IPs, and I suspect abusive IP lookups (stopforumspam, etc) will have limited effects too as those would get updated only after the IP is used. I have yet to try implementing stopforumspam IP blacklists however.

It is possible to detect and ban them by checking if the user message contains a shortened url that links to certain text link providers (telegra.ph being the most common but not the only one), referer checking, and some degree of browser fingerprinting. Actually, this latter would allow for 100% accurate blocking, since they use very specific setups.

MtnXfreeride commented 1 month ago

> The spammers use their botnet as proxy servers, but they are not bots, they are normal people making posts. So they will get through all automated methods like captchas or honeypot fields. They can continuously rotate their IPs, and I suspect abusive IP lookups (stopforumspam, etc) will have limited effects too as those would get updated only after the IP is used. I have yet to try implementing stopforumspam IP blacklists however.
>
> It is possible to detect and ban them by checking if the user message contains a shortened url that links to certain text link providers (telegra.ph being the most common but not the only one), referer checking, and some degree of browser fingerprinting. Actually, this latter would allow for 100% accurate blocking, since they use very specific setups.

Once you block one shortener, there are an unlimited number of others they will switch to within a few days.

Browser footprinting seems like an effective idea. I also wondered if there could be a vichan hosted block list/feature chan owners can opt into where all board owners can report urls or ips for blocking. That could be abused though.

Black-Hand-Radio commented 1 month ago

> Once you block one shortener, there are an unlimited number of others they will switch to within a few days.
>
> Browser footprinting seems like an effective idea.

You don't block the shortener, you block the link they have shortened. It seems that vichan already has a function for this, see: https://github.com/vichan-devel/vichan/pull/780

I've used a function like that for years and it was extremely effective. However this won't be enough for long since I see a trend where they switch from creating url shortener sites, to creating text hosting sites for their problematic links. So now you either also have to test the CURL downloaded page for the presence of certain banned link strings, or implement fingerprinting. The problem with the latter is that it can be considered very invasive.

> I also wondered if there could be a vichan hosted block list/feature chan owners can opt into where all board owners can report urls or ips for blocking. That could be abused though.

IP bans are not useful since these bots use what I suspect to be botnet infected normal computers as proxies. All the IPs they use point to normal ISPs, but are flagged as abusive on spam databases. The spammers always use different IPs from different countries. However in reality they all post from the same three or four regions (mostly Russia and Brazil). Unfortunately I could not identify them any further since I already got my spam checkers so tight that they simply lost interest in my site.
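
The destination check described in the comment above, as an added sketch (not vichan's code, not the function from the linked pull request, and not written by anyone in this thread): each link in a post is followed hop by hop, and both the intermediate URLs and the final page body are tested against banned link strings. The `BANNED` list, the `$fetch` contract and every sample URL except https://vichan.info are hypothetical.

```php
<?php
// Added example, not vichan code. BANNED, the fetcher contract and sample URLs are hypothetical.
const BANNED = ['spam-landing.example', 'bad-invite.example/join'];

/** Pull http(s) URLs out of a post body. */
function extract_urls(string $body): array {
    preg_match_all('~https?://[^\s<>"\']+~i', $body, $m);
    return array_unique($m[0]);
}

/** Return the first banned string found in $text, or null. */
function banned_hit(string $text): ?string {
    foreach (BANNED as $needle) {
        if (stripos($text, $needle) !== false) return $needle;
    }
    return null;
}

/**
 * Check every link in a post: each redirect hop's URL, then the final page body.
 * $fetch(url) must return ['location' => ?string, 'body' => string].
 * Returns the matched banned string, 'redirect-limit', or null when clean.
 */
function post_link_verdict(string $body, callable $fetch, int $maxHops = 5): ?string {
    foreach (extract_urls($body) as $url) {
        for ($hop = 0; ; $hop++) {
            if (($hit = banned_hit($url)) !== null) return $hit;
            if ($hop === $maxHops) return 'redirect-limit';
            $res = $fetch($url);
            if ($res['location'] === null) {
                if (($hit = banned_hit($res['body'])) !== null) return $hit;
                break;
            }
            $url = $res['location'];
        }
    }
    return null;
}

// Constructed stand-in for HTTP: a shortener that redirects to a text-hosting page.
$fakeWeb = function (string $url): array {
    $pages = [
        'https://short.example/a1'      => ['location' => 'https://texthost.example/p/42', 'body' => ''],
        'https://texthost.example/p/42' => ['location' => null, 'body' => 'join: https://bad-invite.example/join?x=1'],
    ];
    return $pages[$url] ?? ['location' => null, 'body' => ''];
};
var_dump(post_link_verdict('look at https://short.example/a1', $fakeWeb));
var_dump(post_link_verdict('see https://vichan.info', $fakeWeb));
```

A production `$fetch` makes the server request URLs chosen by the poster, so it needs short timeouts, a response size cap, and a refusal to connect to private or loopback addresses.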