As those who visited the bulletin board will certainly have noticed, we were hit by some hefty spam activity, especially in the SLikeSoft General (English) forum.
The spam activity started around October this year and caught us off guard at a time when we had to deal with other priorities. While we certainly expected this to become a problem at some point, we thought we would have more time to properly configure and set up the forum against spam bot activity like this.
Since the forum wasn't that active yet (especially not in this general section), we concluded we could still handle this at a later point. While things looked acceptable for the first couple of days/weeks, during which we stuck with manually removing the spam posts, at some point the spam activity went through the roof, with peaks of 1k-10k spam posts per day in the end.
Still, the spam posts were mostly concentrated in this general forum. However, at one point the spam began to pollute other forum sections as well, so it certainly started impacting the usability of the forum.
13 days ago Subtixx on GitHub spoke up and pointed out the spam activity. Realizing we could not afford to delay the work on hardening the forum against spam any further, we evaluated our options.
The initial BBS version was a simple installation using the standard Debian package. While this has a couple of advantages (e.g. automatic security updates, simple installation, a sensible security configuration out of the box, very low maintenance overhead, etc.), Debian, while being a very stable and reliable distribution, is quite conservative when it comes to providing newer versions of the packages it contains. So we had to decide where to go from here.
On GitHub several users suggested moving over to a different BBS. While this would certainly have been an option (and we are not ruling it out for the future), the spam activity in the forum was basically caused by the lack of properly configured spam prevention and by an outdated phpBB version that lacked the recent anti-spam improvements the current versions provide. Since we do have some experience with hosting phpBB installations, we decided to stick with this forum software for the time being and see whether we can provide a spam-safe environment without having to sacrifice the possibility of creating posts/threads without creating a user account first.
Moving away from the integrated Debian phpBB package and instead setting up phpBB ourselves from the vanilla package (also bumping the phpBB version from 3.0 to 3.1 as part of that) gave us access to alternative CAPTCHA systems to lock out the spam bots, and to other plugins that prevent or filter out spam.
The downside is the additional maintenance overhead this now puts on our shoulders. In order to keep this at a manageable level, we unfortunately had to drop all previously supported languages except for English (American and British) and German (in two variations: "du"/informal and "sie"/formal). Please let us know if you'd like to have a certain language pack provided again and we'll see about adding it to the list. However, we won't be able to maintain the previous set of more than 20 different language packs at the moment (that's why we'll only add additional ones on a per-request basis).
Besides the changes mentioned above, we also had to remove the permission for anonymous users to bump threads/posts. This action can be performed without solving a CAPTCHA first, and spam bots are obviously misusing this function to bump their own posts. If you want to use this feature, you therefore have to create a forum account now.
Last but not least, we took the chance to revisit the server-side security configuration and see what can be done to discourage spam bots from using our platform, as well as to improve the privacy and security of the forum's users.
One measure was to rerun the SSL Labs test. While we had run this test occasionally before, it now showed that another SSL cipher had meanwhile been reported as weak. This cipher was disabled on the server and is no longer accepted for establishing a secure connection.
Another task was to run the securityheaders.io test and to adjust the HTTP headers to the bare minimum required to run the forum/webpage. While the actual settings might have to be adjusted over time, one example of what was done is setting the referrer policy header (Referrer-Policy), which is now configured to never send the referrer when visiting pages (the no-referrer value). Since our webpage doesn't require the referrer (at the moment), we decided on this setting to harden our users' privacy. This also makes it a bit harder for spam bots to confirm that a click on a link they posted on our forum actually came from here, so it may help reduce the spam activity as well.
To adjust our configuration once new features/settings become available, we'll run both of these tests (and others) on a regular basis and make the necessary adjustments to the webserver as the need arises.
I hope you can understand that both of us who run the webpage and work on SLikeNet have day jobs that pay our bills, so time is a rather limited resource. There is more than enough work related to developing SLikeNet, hosting the web presence, and running the company, and while we'd like to work on everything at the same time, that's simply not always possible.
That said: it goes without saying that now that things are initially set up, from this point on we'll carefully monitor the spam activity on the forum and handle any new spam posts ASAP, without further delay. Please don't hesitate to contact us directly (at firstname.lastname@example.org) if you have any concerns or if you think a situation/issue requires a higher priority (this goes for anything, not only issues with the forums).
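The two server-side checks described in the post (the weak-cipher finding from SSL Labs and the header review from securityheaders.io) can be pre-checked locally before the external scanners are rerun. The script below is an added example for this thread; it is not part of the original post and not SLikeSoft's actual server configuration. Assumptions: the cipher side uses Python's ssl module, so it reports what the local OpenSSL build enables for the given cipher string; HARDENED_CIPHERS, the header sets BEFORE_HEADERS and AFTER_HEADERS, and the minimum HSTS age are illustrative choices. The post does not name the cipher that was flagged; the 3DES and RC4 suite names used here are constructed examples of suites SSL Labs reports as weak or insecure. The Referrer-Policy value no-referrer is the one that matches the "never send the referrer" behaviour the post describes.

```python
import re
import ssl

# ---- TLS cipher check (local counterpart of the SSL Labs cipher findings) ----

# Substrings of OpenSSL suite names that mark suites SSL Labs reports as weak or
# insecure: RC4, DES/3DES, MD5-based MACs, NULL encryption or authentication.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL")

# Assumed hardened cipher string (illustrative, not taken from the SLikeSoft server):
# forward-secret AEAD suites only, legacy families excluded explicitly.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def weak_suites(names):
    """Return the cipher suite names that match one of the weak markers."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_server_context(cipher_string=HARDENED_CIPHERS):
    """Build a TLS server context limited to cipher_string and TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing usable remains
    return ctx


def accepted_suite_names(ctx):
    """Suite names this OpenSSL build enabled for the context (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


# ---- HTTP security header check (local counterpart of the securityheaders.io test) ----

# Referrer-Policy values that never send the full URL to another origin.
STRICT_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
MIN_HSTS_MAX_AGE = 15552000  # 180 days; an assumed minimum, not a figure from the post


def audit_security_headers(headers):
    """Return a list of findings for a response header mapping; an empty list passes."""
    # Header names are case-insensitive, so fold them once.
    h = {k.lower().strip(): v.strip() for k, v in headers.items()}
    findings = []

    policy = h.get("referrer-policy", "").lower()
    if policy not in STRICT_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy missing or leaks the URL cross-origin: {policy or '<absent>'}")

    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.IGNORECASE)
    if hsts is None:
        findings.append("Strict-Transport-Security absent or without max-age")
    elif int(hsts.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age too short: {hsts.group(1)}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").upper()
    if not csp:
        findings.append("Content-Security-Policy absent")
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("No framing restriction (CSP frame-ancestors or X-Frame-Options)")

    return findings


# Constructed sample responses for the check; not captured from the SLikeSoft server.
BEFORE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Referrer-Policy": "unsafe-url",
}
AFTER_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    ctx = hardened_server_context()
    names = accepted_suite_names(ctx)
    print("accepted suites:", names)
    print("weak suites still enabled:", weak_suites(names))
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        print(f"{label}: {audit_security_headers(hdrs) or 'baseline met'}")
```

Two caveats when using this as a pre-check. First, get_ciphers() reflects the OpenSSL build the script runs against, so it only predicts the web server's list if the server links a comparable OpenSSL and is configured with the same cipher string; the external SSL Labs scan, whose grading is revised over time, remains the authoritative check, which is why a configuration that passed once can later be flagged. Second, a strict Content-Security-Policy has to be tested against the forum templates before it goes live, since anything they load inline or from third parties gets blocked; the header values in AFTER_HEADERS are a baseline, not a phpBB-specific policy.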