Registered · 441 Posts
I'm sure it's some countermeasure for bots. But, it just turns out to be annoying to users. There are other built-in delays that make less sense, such as the waiting between searches.
 

Premium Member · 80 Posts
> I'm sure it's some countermeasure for bots. But, it just turns out to be annoying to users. There are other built-in delays that make less sense, such as the waiting between searches.

I'm sure it's a measure against bots, and if you notice, we're getting hit with a bot right now. If they could put a post up once a second, think about how much chaos they could create. New posts every second, PMs to members every second.

It also helps to reduce server load and bandwidth. Those bits of data that are transferred cost money for the operator. Yes it can be annoying, but there are very good reasons for the inconvenience.

Also, remember, you probably come here when you have time to waste time. Waiting 60 seconds isn't really that bad, is it?
 

Registered · 441 Posts
Waiting for a PM isn't a real issue, although 60 seconds is still a while. The algorithms in the bulletin board system could be smarter though. For example, it could detect that someone just sent a duplicate message multiple times in a minute, or new posts within a short timespan, or ...

The one that gets me is the search. Still trying to figure out that one other than a DoS attack, but they don't really need search to do that.
 

Registered · 258 Posts · Discussion Starter #5
Thanks for the info. I have no idea about bots, are they related to the autobots? "Transformers, more than meets the eye."
 
Guest · 0 Posts
Most forums prevent multiple posts within a minute to stop spamming trolls from posting crap (it slows them down). The search is sometimes restricted to stop someone from bringing down the database via continually searching via a script.
 

Registered · 441 Posts
> Thanks for the info. I have no idea about bots, are they related to the autobots? "Transformers, more than meets the eye."

Basically, a bot is a computer program that performs automated operations simulating a person. For forums, that would be posting, sending messages, etc. Not all bots are bad. Google, for instance, employs bots, or spiders, to navigate and gather information from websites.

> Most forums prevent multiple posts within a minute to stop spamming trolls from posting crap (it slows them down). The search is sometimes restricted to stop someone from bringing down the database via continually searching via a script.

This all sounds like lazy programming to me. (I'm a software developer by trade.) I don't know if the forum software is free, but I would certainly expect more from the company that supplied it.

Countermeasures should be as invisible to the valid user as possible. And most of the security should be upfront (i.e. registration and sign-in). This is a never-ending battle, as CAPTCHA has been beaten and has accessibility issues that I won't get into.

It's nothing for bot programming to keep hitting the site repeatedly until there is an expected HTML response (in this case after 60 seconds) -- you're getting a response as a user and the bot can anticipate this. In fact, the bot can be automated to parse the HTML response and determine how many seconds to wait and thereby avoid hardware that detects a potential denial of service (DoS) attack.

Heuristics can be applied in the algorithm to anticipate bot activity without the arbitrary 60-second rule, which can be exploited by bots without issue. This can be particularly aggressive with new users, and less and less so with veteran users.
 

Registered · 712 Posts
> This all sounds like lazy programming to me. (I'm a software developer by trade.) I don't know if the forum software is free, but I would certainly expect more from the company that supplied it.
>
> Countermeasures should be as invisible to the valid user as possible. And most of the security should be upfront (i.e. registration and sign-in). This is a never-ending battle, as CAPTCHA has been beaten and has accessibility issues that I won't get into.

Agreed. (Although noting the point that given a particular application, certain features take priority over others, and they may have felt it 'just enough' to make users complaining about bots go away. Also noting that this has nothing to do with this board, and much more with the developers of the software it's running on.)

It's not an effective defense against spam bots. What does a 60-second wait accomplish to a spammer running thousands, or even millions, of multi-threaded copies of their software on compromised machines? Behavioral analysis is far more effective, although much more difficult to implement. Heuristics may not even be necessary at all - for example, say the fastest typer types at a rate of 170 WPM. If three posts of each around 50 words are made in 10 seconds, then we know a human most likely didn't type them. Instead of using delays in the software, a directive could be made to return blank content immediately for the same session for a period of time after the three posts were made - admins could be notified automatically, etc. This would not stop spam bots, but would make them largely effective. (You could trigger on a single post by measuring time between executing new post action and returning content to be saved. You set a minimum word count threshold to analyze.)

Of course, I could go on like this all day - I'm also a developer/architect, specifically in the realm of network security. I've developed techniques for detecting these guys on the network-end, especially to counter their evasion techniques =)

!c
 

Registered · 441 Posts
Exactly. You always have a trade-off. The old engineering saying is in effect. You have time, money, and features. Pick two. Or something like that.

The heuristics don't have to be something advanced from a computer scientist. They can be quite simple and yet effective. Especially, if they take into account a few different patterns like you mentioned. Another factor you didn't mention is the concept of popularity that can be applied based on rated posts over time. With popularity the restrictions can become less severe.
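
The typing-speed check and the trust scaling discussed in the posts above, sketched as an added example that is not part of the thread and not the forum software's code. The class name, the 20-word minimum, the 10-minute mute and the trust curve are assumptions; the 170 WPM figure and the 10-second window come from the thread, and the burst trigger fires as soon as the words submitted inside the window outrun the limit.

```python
from collections import defaultdict, deque

MAX_HUMAN_WPM = 170   # fastest-typist figure quoted in the thread
WINDOW_S = 10         # window from the thread's three-posts example
MIN_WORDS = 20        # assumed: shorter posts are not analysed
MUTE_S = 600          # assumed length of the silent-drop period

class PostGuard:
    def __init__(self):
        self.recent = defaultdict(deque)  # session -> deque of (time, words)
        self.muted_until = {}             # session -> time the mute ends
        self.flagged = []                 # (session, wpm) queue for admin review

    @staticmethod
    def limit(prior_posts):
        # Assumed trust curve: 170 WPM for a new account, rising to 3x at 400 posts.
        return MAX_HUMAN_WPM * (1 + min(prior_posts, 400) / 200)

    def check(self, session, text, now, compose_s=None, prior_posts=0):
        """Return 'accept' or 'drop' for a post submitted at time `now` (seconds)."""
        if now < self.muted_until.get(session, 0):
            return "drop"                 # still muted: discard without a delay page
        words = len(text.split())
        window = self.recent[session]
        while window and now - window[0][0] > WINDOW_S:
            window.popleft()              # forget posts older than the window
        rates = []
        if compose_s is not None and words >= MIN_WORDS:
            # Single-post trigger: words typed between opening the form and submitting.
            rates.append(words * 60 / max(compose_s, 1e-3))
        if window:
            # Burst trigger: words submitted since the oldest post still in the window.
            burst = words + sum(w for _, w in list(window)[1:])
            if burst >= MIN_WORDS:
                rates.append(burst * 60 / max(now - window[0][0], 1e-3))
        window.append((now, words))
        wpm = max(rates, default=0.0)
        if wpm > self.limit(prior_posts):
            self.muted_until[session] = now + MUTE_S
            self.flagged.append((session, round(wpm)))
            return "drop"
        return "accept"
```

A user who posts at a human pace never sees a delay page; only sessions that exceed the limit are muted and queued for an admin.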
 