Stop Forum Spam announce removal of Xen utilities users

Azhria Lilu said:
Well.. I found it... so it obviously wasn't that difficult ;)
Click to expand...
You found it because you knew what you were looking for... I can't exactly run a search in advance "is my application violating the SFS API terms of service". If I read the SFS API terms of service, it isn't.
 
Jaxel said:
You found it because you knew what you were looking for... I can't exactly run a search in advance "is my application violating the SFS API terms of service". If I read the SFS API terms of service, it isn't.
Click to expand...
I found it because I knew it was there, because I make a point of keeping up to date with the announcements by the people who offer the things I use.

If you want me to be blunt about it, as the coder of a mod that uses someone else's API, you should be checking their Announcements Forum regularly for updates to ensure your mod complies - that's your responsibility not theirs. I'm not a coder but I know they announce every change they make.
 
Azhria Lilu said:
I found it because I knew it was there, because I make a point of keeping up to date with the announcements by the people who offer the things I use.
Click to expand...
But you really didn't find it... because the thread you linked has nothing to do with reporting guilt-by-association. Its about false reporting and troll accounts. The way I consider it, none of the reports through XenUtiles are "false"; yes, they may have false-positives; but they are not fake submissions.

In all my mods, I use about THIRTY APIs... and SFS and Google are the only ones out there that actually post updates about their APIs, everyone else just changes it and expects you to figure it out on your own. But making changes to an API is NOT the same as making changes to terms of service. When google makes changes to ToS, they send out emails and notifications. SFS didn't even update their terms of service; they just posted on their forums.
 
Azhria Lilu said:
So, failed registrations aren't false reports? Interesting :)
Click to expand...
It didn't submit failed registrations... it resubmitted registrations already blocked by StopForumSpam/BotScout/FList in order to supply full data and to ensure that the SFS database knows that the particular spambot is still active.
 
Jaxel said:
It didn't submit failed registrations... it resubmitted registrations already blocked by StopForumSpam/BotScout/FList in order to supply full data and to ensure that the SFS database knows that the particular spambot is still active.
Click to expand...
That's not what the guy from SFS has said.

XenForo Utiles has the ability to submit failed registration attempts to stopforumspam. As no user has spammed, no user should be submitted. By submitting users that simply fail the registration, you pollute the database, waste peoples time and waste my time cleaning it all up. We operate a zero tolerance policy on the submission of fake / false data and while mistakes happen from time to time, automated submissions from non-honeypot systems is strictly a no go.
Click to expand...
 
Azhria Lilu said:
That's not what the guy from SFS has said.
Click to expand...
The problem SFS has with it is that when it resubmits, it resubmits with the full data... Lets say I make I try to make an account with an IP address and an email address that matches the SFS database; when XenUtiles submitted it back, it would ALSO include the username that the user tried to register with. While the IP address and the email address are prior guilty, the username itself was not; and is marked as guilty by association.

Take that another step, lets say a username and email address matches the SFS database; now XenUtiles submits it back and the IP address that the user tried to register with would have newfound guilt. Its really a pretty good system at detecting new spambots in advance; BEFORE they have a chance to spam. But SFS doesn't want guilt by association. Its the main reason why XenUtiles has been so effective at preventing spam. This week alone, 8WAYRUN has had 2100 blocked attempts to register by spambots.

So where do false-positives come from? Probably from forums that use high heuristics (instead of medium or low). With the high heuristics setting, the system only needs to match ONE positive in the database, instead of TWO. (remember there are 3 resources: username, ip address and email) When you only need to match one, it reports the other two resources as guilty. Lets say someone is trying to register, and they are not a spammer... they type in their username, but mispell their name. The name they mispelt however IS a spambot registered username. Now, even though they are not a spammer, their email and IP have been submitted into the SFS database.

Its not a common issue, but its pretty much the only source of false-positives in this mod. SFS has a system in place where people can dispute their listings in the database because of this reason.
 
Azhria Lilu said:
That's not what the guy from SFS has said.
Click to expand...
Yes, they also say in that post that they do not allow spammers to be submitted without evidence of spam...

Even though this announcement on their own forums (which is newer by over a year), explicitly states that they do allow the submission of spammers without evidence... it even goes so far to explain that they have a built in system for dealing with disputes.

http://www.stopforumspam.com/forum/viewtopic.php?id=4562

Also, what makes this a non-honeypot system? The fact that its not a pure honeypot?
 
I don't know if this helps you at all, but he also added:-

No one with a live system, in use by people, should be automatically submitting data without first having verified that spam has been posted in some manner, either onto the forum or in profile / signature links as silent spamming.
Click to expand...
Which sounds to me (I could be wrong) that he's saying the mod shouldn't be sending the info to SFS upon registration but upon them actually attempting to post spam.
 
Jaxel said:
Yes, they also say in that post that they do not allow spammers to be submitted without evidence of spam...

Even though this announcement on their own forums (which is newer by over a year), explicitly states that they do allow the submission of spammers without evidence... it even goes so far to explain that they have a built in system for dealing with disputes
Click to expand...

I don't know.. I read that slightly differently - them saying that you can add spammers without evidence, but don't be surprised if they delete your addition unless you can supply evidence. (my interpretation)

Also, what makes this a non-honeypot system? The fact that its not a pure honeypot?
Click to expand...
Can't help you on that one.
 
Azhria Lilu said:
I don't know if this helps you at all, but he also added:-


Which sounds to me (I could be wrong) that he's saying the mod shouldn't be sending the info to SFS upon registration but upon them actually attempting to post spam.
Click to expand...
Which is fine, I'm okay with this, and I accept it. My point being though that this has never been stated in the past. The "policy" that XenUtiles is being reprimanded under did not exist until now... and it exists BECAUSE of XenUtiles.
 
Jaxel said:
Which is fine, I'm okay with this, and I accept it. My point being though that this has never been stated in the past. The "policy" that XenUtiles is being reprimanded under did not exist until now... and it exists BECAUSE of XenUtiles.
Click to expand...
Technically it's existed since December ;) And if it exists because of Xenutiles then you're basically saying that your system has been abusing SFS and submitting people falsely as spammers so often that they've had to change things. . . .

Are you sure you want to take credit for that?
 
Azhria Lilu said:
Technically it's existed since December ;) And if it exists because of Xenutiles then you're basically saying that your system has been abusing SFS and submitting people falsely as spammers so often that they've had to change things. . . .

Are you sure you want to take credit for that?
Click to expand...
As a badge of honor! It has always been an acceptable level of false-positives. Its only been in the last week where spambot activity has skyrocketted where it has become an issue. 0.5% of 1,000 is a lot less than 0.5% of 1,000,000
 
Slavik said:
Agreed, they should include it in the official policy / documentation for their service on the main site. Not put it away on a support forum..

Almost makes me want to set up a service offering the same type of thing... I can already see several flaws in their system which would have made this whole escapade avoidable if they had put some more thought into it...

hmm....
Click to expand...
If you ever do and need infrastructure to host give me a shout....
 
Ok sorry guys, I don't understand any of this. Can someone please explain this to be in goofball terms? Do I need to be worried about this?
 

Similar threads

T
Fixed stop forum spam email hashing doesn't seem to work
Replies
6
Views
1K
XF Bug Bot
XF Bug Bot
NealC
Stop Forum Spam moderating users with normal first names only
Replies
2
Views
325
StarArmy
StarArmy
A
Add-on Stop Forum Spam for timezone (additional field)
Replies
1
Views
737
Tealk
Tealk
Steffen
Fixed Stop Forum Spam: Use HTTPS and "emailhash" for better privacy
Replies
3
Views
2K
Chris D
Chris D
Moddis
  • Question Question
XF 1.2 Use Stop Forum Spam and Project Honey Pot at same time
Replies
4
Views
6K
Moddis
Moddis
Back
Top Bottom