Recent changes in account creation |
Message boards : News : Recent changes in account creation
Author | Message |
---|---|
TJM Project administrator Project developer Project scientist Joined: 25 Aug 07 Posts: 843 Credit: 267,994,998 RAC: 0 |
As everyone may have already noticed, the project has been heavily hit by spammers. For the last weeks I've been fighting with up to 10k registrations per day, mostly just empty accounts which were created for unknown reasons (very few of them actually posted anything on forums or created a profile/spam team). I've been looking into possible ways to filter out the spammers right where they start (registration) and after looking at a few possible solutions, I made a patch for the BOINC server to use StopForumSpam databases. For now, the server does not allow access to the registration script from any IP listed in the SFS db and it also refuses to create an account with an email address which is blacklisted there. This immediately filtered out more than 99,9% of new accounts, the rest is reviewed manually and eventually spammers that slipped through registration are reported back to the SFS. There is also a daemon script which runs in the background, randomly picking an account and checking it against the blacklists, all accounts registered with a blacklisted email address will be gone sooner or later together with any team and/or profile they have created (the script works very slowly, checking one account every few minutes, as I don't want to stress the SFS API which is a great free service). The script won't touch anyone who has any credits or even hosts attached, so legitimate accounts should be safe even if someone has their email blacklisted. M4 Project homepage M4 Project wiki |
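The registration gate and the slow cleanup rule described in the post above, as an added Python sketch; it is not part of the original post and not the BOINC patch itself. The `lookup` callable, the account dict keys, the `review` fallback on a failed lookup and the sample replies are assumptions made for the example; a real `lookup` would query the StopForumSpam API over HTTPS.

```python
import json
import random

# Constructed replies in the shape of StopForumSpam's JSON output
# (a "success" flag plus an "appears" flag per queried field).
LISTED_IP = '{"success":1,"ip":{"appears":1},"email":{"appears":0}}'
LISTED_EMAIL = '{"success":1,"email":{"appears":1}}'
CLEAN = '{"success":1,"ip":{"appears":0},"email":{"appears":0}}'

def listed_fields(body):
    """Return the queried fields ('ip', 'email') the reply marks as listed."""
    data = json.loads(body)
    if data.get("success") != 1:
        raise ValueError("lookup failed")
    return {k for k in ("ip", "email") if data.get(k, {}).get("appears")}

def registration_decision(ip, email, lookup):
    """Signup gate: 'reject' if the IP or the email is listed, else 'allow'.
    A failed lookup returns 'review' (assumption: a manual review queue)."""
    try:
        hits = listed_fields(lookup(ip=ip, email=email))
    except (ValueError, OSError):
        return "review"
    return "reject" if hits else "allow"

def may_purge(account, lookup):
    """Cleanup rule: never touch an account with credit or hosts. The
    blacklist is consulted only for empty accounts, which spares the API."""
    if account["total_credit"] > 0 or account["hosts"] > 0:
        return False
    try:
        return "email" in listed_fields(lookup(email=account["email"]))
    except (ValueError, OSError):
        return False  # lookup failed: keep the account

def sweep_once(accounts, lookup, rng=random):
    """One daemon step: pick a random account, return its id if purgeable.
    The caller sleeps a few minutes between steps to go easy on the API."""
    account = rng.choice(accounts)
    return account["id"] if may_purge(account, lookup) else None
```

Checking credit and hosts before the blacklist means an account with any activity never triggers an API call, so a listed email on an active account cannot lead to deletion even if the lookup result is wrong.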
JLDun Joined: 28 Jan 11 Posts: 4 Credit: 117,271 RAC: 0 |
The script won't touch anyone who has any credits or even hosts attached, so legitimate accounts should be safe even if someone has their email blacklisted. Good idea. (Even though it does lead me to wonder why someone would be on that list if they're active enough to have credit....) As an aside: "I don't know if this is related, but...": I've noticed that, while logged in, the forum now doesn't necessarily mark a thread as read after I click on it. |
TJM Project administrator Project developer Project scientist Joined: 25 Aug 07 Posts: 843 Credit: 267,994,998 RAC: 0 |
Good idea. (Even though it does lead me to wonder why someone would be on that list if they're active enough to have credit....) Some of the emails used by spammers are probably stolen or just randomly used by spammers (BOINC projects do not verify emails by default*), so there is a slight chance that a legitimate email will somehow end up on blacklists.
Does that change if you hit F5 ? [EDIT] I think the board does not mark a thread as read if there were any posts removed from the thread, newer than the current last post (spam). It should be relatively easy to fix. * - I'm considering another patch to the server, to add email validation / account activation for all new accounts by default. It won't stop spammers from registering, as they actually do check their garbage emails for links to click (checked that already). But it'll stop them from using stolen or random emails. M4 Project homepage M4 Project wiki |
JLDun Joined: 28 Jan 11 Posts: 4 Credit: 117,271 RAC: 0 |
Does that change if you hit F5 ? I haven't checked since my last post (I've been away from here for a few days), but when I posted about it it took TWO refreshes for a thread to show as read. (I use a phone and a tablet, both Android based, for internet browsing. So more hitting a 'refresh button' vs using 'F5'. And this may imply a fault with Chrome at the time...) |
James Jadesword Joined: 4 Nov 16 Posts: 3 Credit: 261,863 RAC: 0 |
As everyone may have already noticed, the project has been heavily hit by spammers. http://www.captcha.net/ can be used to help filter out bots as the volume you indicated strongly suggests bots setting up accounts. Since captcha is the main enemy of bot users, expect that the site will suffer distributed denial of service attacks. https://www.cs.cmu.edu/~biglou/captcha_crypt.pdf gives a detailed explanation and more if you are comfortable with calculus. |
James Jadesword Joined: 4 Nov 16 Posts: 3 Credit: 261,863 RAC: 0 |
the rest is reviewed manually I just looked at the team list and found that the majority have zero total credit, zero members, and zero recent average credit. I have also noticed many duplicate names. How long is "recent"? Do you have creation dates for the teams? Is there a way to get in touch with the creator of the teams? I would suggest getting in touch with the team creator if there is a total credit and no recent average credit for ninety days. If there is no reply in thirty days, delete the team. I also suggest giving a specific date and time with UTC as the time zone to avoid any misunderstanding as to the deadline. I would suggest deleting all teams with zero members as they are obviously abandoned. I would suggest deleting all teams with zero total credit ninety days after creation. These are just suggestions which you may use, modify, or not use as you wish. Please note that DHCP (Dynamic Host Configuration Protocol) IP (Internet Protocol) addresses can be changed. In the past, when I had a change of IP address when I logged into my ISP (Internet Service Provider) and found that it was on a black-list, I forced an IP address change, no more problems. VPN (Virtual Private Networks) and proxy services may serve the same purpose. Emails are even easier as most services will allow as many email addresses as you may wish to create. Hacked emails are also a problem. |
danq Joined: 16 Dec 07 Posts: 53 Credit: 12,788,122 RAC: 0 |
I just looked at the team list and found that the majority have zero total credit, zero members, and zero recent average credit. I have also noticed many duplicate names. How long is "recent"? Do you have creation dates for the teams? Is there a way to get in touch with the creator of the teams? It's possible that people left the project (or didn't give it a chance) because they think we're still working on the third message we solved in 2013, and have never used the forums (which would tell them about the fourth and fifth messages). If we are contacting team members, we should inform them of the fifth message we are currently working on, since from the occasionally updated project news page, they would have no idea. Then they can inform team members, which could increase participation. -Dan Q danq.co |
Sir Thomas W. Kilburn Joined: 27 Jun 15 Posts: 1 Credit: 170,725 RAC: 0 |
I had the same problem. I had to go through manually cleaning up my two teams. I now do not allow any new members. |