Re: Need help with forum troll

How do we know you aren't said banned forum troll and are trying to use your tricky troll ways to get us to tell you how to get around your ban?

Re: Need help with forum troll

You'll just have to trust me on this. I'm not the one banned, I'm the one who does the banning. This has really become a problem and we're looking for a way to stop it. We're getting around 50 to 100 abuse reports a day. I'm losing more hair than I can afford! What do you need to convince you I'm sincere?

Re: Need help with forum troll

Looking at what Chris wisely points out, I won't comment on techniques that might be used by trolls, spammers, etc. to bypass bans but as for methods to defend against some:

profile the activities of the user, and use the information you find to deny access.
Ban the email addresses and domain,
Check for IP addresses used to signup,
Ban IP found as torr-exit points,
Ban IP by networks (including full subnets) with custom messages by HT-error, letting possible innocent users know who is to blame for their disabled access,
Deny signup with email addresses from "public" or "free" webmail systems,
Add a waiting period,
Run all posts through a content filter, and setup a baysian filter with their content, treated as spam. Anything found to be spam-like is held in a moderator queue, and that account is then flagged to block all future posts from being public until moderated.
require moderators to OK all messages before they are made public,
Let the user remain unbanned, but set them as a "Tachy Goes to Coventry" user (They can see their own posts, but nobody else can.)
Public humiliation of the user, and exposure of their own private information, including email addresses, IP addresses used, and more.
If their content is illegal, report it as such to the hosted ISP, and followup. (Especially effective in cases where "kiddie porn" is published in some way. In my experience, ISP tend to react quickly at resolving such problems.)

There are more techniques, but I don't like publishing everything we use on the defcon forums, for fear that spammers will learn to create countermeasures faster than we can can implement new counter-counter-measures, or would that just be new measures?

I can tell you, that ultimately, the defender of a forum is at a disadvantage in this game. There is nothing that I can do as a mod, that I, as an evil-user can't bypass. Attacker has the advantage, and there are many more attackers than there are defenders.

And consider this: spammers are *paid* to spam, while all of the mods here are volunteers.

Re: Need help with forum troll

Ok Thanks, thats a start.
We're relatively new at this and we're having to learn as we go. One of the prolems we have is we have no way to check IP address used at sign-up or we don't know how. We were able to get this posters address but thats been about it. Our posters are able to see their posts as soon as they submit them and we want to keep it this way so a waiting period isn't feasable, but thanks for the suggestion. Running it through a content filter could work but with so many posting daily we're concerned that someone innocent will mistakenly have their post deleted. Setting them as a "Tachy Goes to Coventry" user sounds feasible we may try that. Also what is Ban IP found as torr-exit points? we may try that too. Public humiliation won't work, he apparently thrives off of that and non of his content is illegal just highly abusive. Our ultimate goal is to cause as little disruption to our other posters as possible.
Thank you for taking the time to answer my question. It is much appreciated. Any other suggestions will be welcome.
IBTrippin

Re: Need help with forum troll

"Tachy Goes to Coventry" is specific to VBulletin, although other forum software packages may have similar options.

TOR ("The Onion Router") is a means of connecting anonymously by using encrypted tunnels. Here is the TOR overview. TOR exit points are specific IPs that are known to be where the tunnels are exited to the "normal" IP traffic. You may also be block other users however, if they too, are using TOR.

Re: Need help with forum troll

Ok Thank you for the overview. If he's using something such as this then I guess there's not much we can do. Guys, I really appreciate your time in this matter. You've been more than helpful and have provided some excellent insights.
Happy Hoildays

Re: Need help with forum troll

Such content filters don't *delete* messages (in configurations I've seen.) They only move the message to a moderator queue for moderators to consider as spam/valid or not.

I first saw this on MythBusters forum site (discovery channel.)

I posted something with several citations through URL (kind of like a pseudo bibliography) and their system thought my post was spam. It took them 6-12 hours to mod+ the post so the public could see it. At the time, I was a little frustrated that my post did not appear right away, but I understood the need for it-- I just wish their filter was smarter than it was. ;-)

Then you don't have the kind of skilled, creative, and imaginative moderators that we have here on the Defcon forums. Check out "Fucktard Hall" as a place where we keep loser posters' posts around as a kind of cautionary tale to the rest of the public, on what not to do. It has been quite effective, when paired with everything else. You'll note we have not had many inductees lately. :-)

Of course, we don't have to be politically correct when we show users the errors of their actions. ]:>

That is the goal of many forums. The problem is that ease of use, and low thresholds for cost of entry make it easy for abusers to generate excess noise which can drive away your valued members.

Raise the bar too high, and new members stop posting.

We also employ a tiered user promotion system. This allows a great deal of variety in implementation (different metric/vectors can be selected for action) and control to limit damage. Tiered promotion systems should be very short. You can't really gauge anything about a user based on how old their account is. However, a user with no derogatory marks on their account, with a large number of posts, and a long history of not causing problems is probably a fairly safe bet, when considering future posts.

For example, you could arrange it so that users with accounts less than 24 hours old can only post 1 post every hour, or 5 posts in one day. You can arrange to have it so that, users with more than X posts, who have been around more than Y days, and have no derogatory notes about them, can publish things and bypass moderation queues, or spam filters.

Leverage your user information in such a way that "regulars" are not burdened with higher costs of entry, but new users (like those that might return over and over again to troll) have a heavier burden.

Once you gain access to IP information about users, in a per-post scenario in addition to registration IP per user, you can automate a process to locate users that are sharing an IP address. I've done that here. I even put it in a nifty web page that grabs the results of a clever SQL "SELECT" on the DB to let me know what usernames are sharing the same IP address, to better identify would-be abusers of the "one account per user" rule. (I generally don't act on this unless a user gives me reason to consider them-- like if they started a flame-fest with themself.)

No problem. Good luck.

Re: Need help with forum troll

My question is this:

If someone is abusing your forum, where would you go? I'd go to the support forum for my particular type of forum (i.e., VBulletin support forum). Why would you even think of coming to DEFCON forums?

Re: Need help with forum troll

Post the URL to your forum and the current username of the offender. I believe some here would perhaps like to see this firsthand so as to make an informed decision. Or not....

Re: Need help with forum troll

I'm not disclosing any private information about this user, but I can tell you the email address used is not from one of those generic, throw-away free webmail accounts, and the IP/SNM matches the provider in whois. (There are cheaper ways to SE exploits, and the users doesn't seem to be pushing request for exploit techniqes.)

There are other items which suggest this isn't a case of SE, but the prudent choice would be to provide suggestions on defense, but not offensive techniques.

Before answering, I attempted a few google searches to find HowTo on dealing with trolls, spam and more in a forum setting, but several searches revealed little more than comments about how much trolls and spam both suck.

I'm not vouching for this user, but a few suggestions on defense seem reasonable. I've omitted most techniques that require explaining an attack vector-- especially more advanced techniques. TOR is so widely known, I considered it a freebie. Even IRC Servers have supported filtering of Tor Exit servers to some degree for about 2 or 3 years or more.

Of course a URL to examples might help. It might also help to identify the forum being used, to better suggest application-specific solutions. (It would have helped me in google searches to suggest better search patterns so the user could help themself.)

Re: Need help with forum troll

I say ban the whole subnut, possibly all of apnic ... you will save yourself a lot of time at the cost of only a few worthless readers.

booya?

Re: Need help with forum troll

This is the URL of the website he posts under most often:
http://forums.thetowntalk.com/viewfo...9df977ef053acb
His user name is Raven Rivers but we think he also posts as JAKE49. In the past, when all of this started he was using Lawnrebel as his handle.
Yes any answers on defense is what I'm searching for. I'm not looking to beat a ban but to enforce one. I was just hoping that any information as to what he may be using would give me insight as to what course of action I should take but it's not necessary.
Thanks Again Guys.
IBTrippin

Re: Need help with forum troll

I know some people that do in fact ban all of APNIC. Depending upon your site, there might be good reasons to do it.

Re: Need help with forum troll

The way that is worded makes it sound like you don't positively know its the same person. Have you determined that it is the same user via IP address and/or subnet?

If you don't know, you probably need to start with some basics on how to identify users based on things like IP addresses and subnets on your Forum. (There's an old saying in these circles: "RTFM" or "Read The, uh, Fine Manual.")Since it appears you are using PHPBB, the manuals for PHPBB v2 and v3 are located here: http://www.phpbb.com/support/documentation/

Of course, part of what's implied there is that you have a basic understanding of how the Internet works in general, or at least a rough idea of how Domain Name Servers (DNS), and Internet Protocol (IP) Addresses work. A quick search on Google for both those topics (along with some words like "introduction" or "basics") should give you some information to get you started.

Excuse me if you're an ubergeek who set this all up, and the above is old hat, but from what you've said so far, it sound like you've been given the task of moderating the forum, but don't have too much technical experience. If that's true, you will probably need to learn a few basics of DNS and IP Addressing, and work with someone who knows those details quite well. That would at least get you up to speed so that the obnoxious users don't know more about how all this works than you.