• HTTP user security levels

    From DaiTengu@VERT/ENSEMBLE to All on Monday, February 24, 2020 13:27:18
    Yesterday I finally disabled HTTP registration in ecwebv4. I've had a few spammers sign up and immediately drop spam messages into various echos.

    I spent a little time looking to see if there was an easy way to add a flag to a user that signed up via HTTP, or set a specific security level, and it didn't look like that was the case.

    I'd like to re-enable HTTP registration, but disable the ability to post messages until they are manually verified. Does something like this already exist, or do I need to write a new signup module?

    Thanks!

    DaiTengu

    ... I got some powdered water, but I don't know what to add.

    ---
    ■ Synchronet ■ War Ensemble BBS - The sport is war, total war - warensemble.com
  • From echicken@VERT/ECBBS to DaiTengu on Monday, February 24, 2020 14:53:20
    Re: HTTP user security levels
    By: DaiTengu to All on Mon Feb 24 2020 13:27:18

    Yesterday I finally disabled HTTP registration in ecwebv4. I've had a few spammers sign

    I'd like to re-enable HTTP registration, but disable the ability to post messages until
    they are manually verified. Does something like this already exist, or do I need to
    write a new signup module?

    "newuser_level" in modopts.ini -> [web] specifies the security level that a user starts with, if they register via the web interface. Configure it (or your message groups / subs) so that users with this level can't post.

    I would like to add an email verifier at some point, and maybe I'll bump that up the list. Then they could automatically upgrade.

    The last time I looked into preventing bot signups, it led down a bit of a rabbit hole. The best ways to prevent it often rely on third party services (recaptcha) which I don't want to turn into a dependency.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
  • From echicken@VERT/ECBBS to DaiTengu on Monday, February 24, 2020 15:05:13
    Re: HTTP user security levels
    By: echicken to DaiTengu on Mon Feb 24 2020 14:53:20

    "newuser_level" in modopts.ini -> [web] specifies the security level that a user starts
    with, if they register via the web interface. Configure it (or your message groups /

    Further to that, all of these are available:

    newuser_level
    newuser_flags1
    newuser_flags2
    newuser_flags3
    newuser_flags4
    newuser_exemptions
    newuser_restrictions

    https://github.com/echicken/synchronet-web-v4/wiki/Configuration

    So instead of using the security level, you could also use a flag or restriction.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
  • From DaiTengu@VERT/ENSEMBLE to echicken on Monday, February 24, 2020 14:59:49
    Re: HTTP user security levels
    By: echicken to DaiTengu on Mon Feb 24 2020 03:05 pm

    "newuser_level" in modopts.ini -> [web] specifies the security level
    that a user starts with, if they register via the web interface.
    Configure it (or your message groups /


    Has anyone told you that you're awesome, lately?

    Because you're awesome. Thanks for this!

    DaiTengu

    ... In the long run, we are all dead.

    ---
    ■ Synchronet ■ War Ensemble BBS - The sport is war, total war - warensemble.com
  • From echicken@VERT/ECBBS to DaiTengu on Monday, February 24, 2020 16:29:19
    Re: HTTP user security levels
    By: DaiTengu to echicken on Mon Feb 24 2020 14:59:49

    Has anyone told you that you're awesome, lately?

    No, they've mostly taken issue with my choice of words. :(

    Thanks - and see my other reply about flag sets and exemptions/restrictions; some of those might also be of use.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
  • From Rampage@VERT/SESTAR to DaiTengu on Monday, February 24, 2020 17:08:34
    Re: HTTP user security levels
    By: DaiTengu to All on Mon Feb 24 2020 13:27:18


    Yesterday I finally disabled HTTP registration in ecwebv4. I've
    had a few spammers sign up and immediately drop spam messages
    into various echos.

    if you have your HTTP logs turned on, it would be nice to know the user agent(s) of those signups...

    I spent a little time looking to see if there was an easy way to add a flag to a user that signed up via HTTP, or set a specific security level, and it didn't look like that was the case.

    i don't know of a flag but a UA block would be a nice addition... kinda like the way apache web server can block UAs...

    I'd like to re-enable HTTP registration, but disable the ability to post messages until they are manually verified. Does something like this already exist, or do I need to write a new signup module?

    maybe use one of the available email signup validators? if the bot is already written to handle the ecweb4 form, it may already be able to handle the sbbs registration emails... that remains to be seen, though... i think i've only had one or two sign up via the default runemaster interface but they've done actions like a real user since then... nothing like a bot might do...


    )\/(ark

    ---
    ■ Synchronet ■ The SouthEast Star Mail HUB - SESTAR