• Time to check your web permissions?

    From poindexter FORTRAN@1:103/705 to All on Thu Jul 2 07:22:00 2020
    We're getting more of those drugs online SPAMs, now from different
    boards.

    This would be a good time to review your web user permissions.
    Ideally, you'd need to have an account and authenticate to the BBS
    before being able to even *read* networked message bases, let alone
    post to them.

    Guest users should never have posting permissions on web message
    areas, IMO.

    I typically leave my local areas read-only to guests, and only
    authenticated users can post to any area.

    Just a thought...




    ... Do the last thing first
    --- MultiMail/XT v0.52
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From DaiTengu@1:103/705 to poindexter FORTRAN on Sat Jul 4 18:45:20 2020
    Re: Time to check your web permissions?
    By: poindexter FORTRAN to All on Thu Jul 02 2020 07:22 am

    We're getting more of those drugs online SPAMs, now from different
    boards.

    It's likely users that sign up via the web interface, then have the ability to post.

    Setting a flag for users that sign up via the web interface, and then disallowing that flag from posting by default in Synchronet would probably be a good way to reduce or eliminate the issue.


    Probably something DM can do in about 15 minutes. In the meantime, I'd suggest sending qwk netmail to SYSOP@<QWKID> (or is it Sysop@VERT/<QWKID> ? I've been doing the latter) just to make sure the sysops are aware.

    DaiTengu

    ... Massachusetts has the best politicians money can buy.

    ---
    ■ Synchronet ■ War Ensemble BBS - The sport is war, total war - warensemble.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nightfox@1:103/705 to DaiTengu on Sat Jul 4 19:32:05 2020
    Re: Time to check your web permissions?
    By: DaiTengu to poindexter FORTRAN on Sat Jul 04 2020 06:45 pm

    Setting a flag for users that sign up via the web interface, and then disallowing that flag from posting by default in Synchronet would probably be a good way to reduce or eliminate the issue.

    What's special about signing up via the web (vs. via the telnet interface)?
    If a user signs up via the web interface and then logs in via the telnet interface, should they be unable to post just because of how they signed up?

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Nightfox on Sat Jul 4 23:28:18 2020
    Re: Time to check your web permissions?
    By: Nightfox to DaiTengu on Sat Jul 04 2020 19:32:05

    If a user signs up via the web interface and then logs in via the telnet interface, should they be unable to post just because of how they signed up?

    That'd be better than allowing bots to post spam, even if it isn't great.

    Having a unified email validation thing that applies to either kind of user registration would be a good idea, not that I feel like making it happen right now.

    Another option is adding some logic to flag that a user registered via the web, and then automatically rejig their settings if/when they log on via telnet/rlogin/ssh.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to poindexter FORTRAN on Sat Jul 4 20:24:00 2020
    We're getting more of those drugs online SPAMs, now from different
    boards.

    Darn shame. But, I guess I'll just fatten up the twit list file.

    This would be a good time to review your web user permissions.
    Ideally, you'd need to have an account and authenticate to the BBS
    before being able to even *read* networked message bases, let alone
    post to them.

    Until I verify the new user data, including a new user feedback
    message, telling where they heard of the BBS, and what they want in
    it, they don't see anything except the local areas (read only), plus
    selected doors. They can download, but until they're verified, they
    can't upload.

    Guest users should never have posting permissions on web message
    areas, IMO.

    I typically leave my local areas read-only to guests, and only authenticated users can post to any area.

    I concur with your thoughts.

    Daryl

    ... Police station toilets stolen. Cops have nothing to go on.
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nightfox@1:103/705 to echicken on Sun Jul 5 00:29:55 2020
    Re: Time to check your web permissions?
    By: echicken to Nightfox on Sat Jul 04 2020 11:28 pm

    If a user signs up via the web interface and then logs in via the
    telnet interface, should they be unable to post just because of how
    they signed up?

    That'd be better than allowing bots to post spam, even if it isn't great.

    Having a unified email validation thing that applies to either kind of user registration would be a good idea, not that I feel like making it happen right now.

    Yeah, I guess it's too easy for bots to sign up via a web interface. I wonder if a captcha of some kind could help verify real users on the web side - even a simplistic captcha. I dunno..

    Another option is adding some logic to flag that a user registered via the web, and then automatically rejig their settings if/when they log on via telnet/rlogin/ssh.

    Yep, that would probably work too.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Nightfox on Sun Jul 5 10:19:15 2020
    Re: Time to check your web permissions?
    By: echicken to Nightfox on Sat Jul 04 2020 11:28 pm

    If a user signs up via the web interface and then logs in via the
    telnet interface, should they be unable to post just because of how
    they signed up?

    That'd be better than allowing bots to post spam, even if it isn't great.

    Having a unified email validation thing that applies to either kind of user registration would be a good idea, not that I feel like making it happen right now.

    Yeah, I guess it's too easy for bots to sign up via a web interface. I wonder if a captcha of some kind could help verify real users on the web side - even a simplistic captcha. I dunno..

    Another option is adding some logic to flag that a user registered via the web, and then automatically rejig their settings if/when they log on via telnet/rlogin/ssh.

    Yep, that would probably work too.

    Nightfox


    I added 2 checks in pages?001-forum.ssjs

        if (user.alias === 'Guest') { /* tell 'em to login ... */ exit(); }
        if (user.security.level < 50) { /* ... tell them to validate via telnet emailval.js */ exit(); }

    I don't let non-validated visitors even look at forums via http(s)

    ~Mortifis

    ---
    ■ Synchronet ■ Realm of Dispair BBS - http://ephram.synchro.net:82
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Nightfox on Sun Jul 5 12:36:36 2020
    Re: Time to check your web permissions?
    By: Nightfox to echicken on Sun Jul 05 2020 00:29:55

    Yeah, I guess it's too easy for bots to sign up via a web interface. I wonder if a captcha of some kind could help verify real users on the web side - even a simplistic captcha. I dunno..

    I'll have another look at possible solutions.

    There are a couple of dummy input fields in the registration form which seemed to help for a while; they're hidden by javascript, and if they are altered (checked, unchecked, filled, whatever) it's assumed that the client is a bot. This bot must be leaving them alone, and is perhaps based on a headless browser with JS support.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
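
The decoy-field check echicken describes above, as a server-side sketch. This is an added example, not code from the thread or from the Synchronet web interface; the field names, their defaults and the sample submissions are hypothetical and constructed for illustration.

```javascript
// Added example. Field names and defaults are hypothetical; the thread does not
// name the real ones. Input is an already-parsed form body: { field: value }.
// A checked checkbox submits "on"; an unchecked one is absent from the body.
const HONEYPOTS = {
  website: "",               // hidden text input, rendered empty
  keep_checked: "on",        // hidden checkbox, rendered checked
  keep_unchecked: undefined  // hidden checkbox, rendered unchecked
};

// Returns which decoy fields differ from the state the page rendered them in.
function honeypotVerdict(form) {
  const tripped = [];
  for (const [name, expected] of Object.entries(HONEYPOTS)) {
    const actual = Object.prototype.hasOwnProperty.call(form, name)
      ? form[name] : undefined;
    if (actual !== expected) tripped.push(name);
  }
  return { bot: tripped.length > 0, tripped };
}

// Constructed sample submissions (not captured traffic).
const SAMPLES = {
  // Person in a browser: JS hid the decoys, so they keep their defaults.
  human: { alias: "newuser", email: "a@example.org",
           website: "", keep_checked: "on" },
  // Form filler that populates every input and ticks every box.
  fillEverything: { alias: "x", email: "b@example.org",
                    website: "http://example.com", keep_checked: "on",
                    keep_unchecked: "on" },
  // Script that posts only the visible fields it scraped.
  visibleOnly: { alias: "y", email: "c@example.org" },
  // Headless browser with JS: the decoys are hidden from it too, so the
  // submission is indistinguishable from the human one by this check.
  headlessJs: { alias: "z", email: "d@example.org",
                website: "", keep_checked: "on" },
};

// Runs every sample through the check and returns { label: verdict }.
function classifyAll(samples) {
  const out = {};
  for (const [label, form] of Object.entries(samples))
    out[label] = honeypotVerdict(form);
  return out;
}

console.log(classifyAll(SAMPLES));
```

Logging the `tripped` list per registration shows which decoys still catch anything, and a run of clean verdicts on accounts that later post spam is the signal that the check has been bypassed.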
  • From echicken@1:103/705 to Mortifis on Sun Jul 5 12:40:50 2020
    Re: Re: Time to check your web permissions?
    By: Mortifis to Nightfox on Sun Jul 05 2020 10:19:15

    I added 2 checks in pages?001-forum.ssjs if(user.alias === 'Guest') { tell 'em to login ... exit(); }

    That's one way to do it, if you really don't want guests to see *any* of the message areas.

    The official/proper way is to set up a guest account with appropriate restrictions (can't post, maybe can't see some message groups/subs). This doesn't have to be 'Guest'; you can create a special user just for web guest access.

    (However, if you restricted that user so much that no message groups were visible, or no subs in a group were visible, they'd probably just see a blank area where the forum should be. I should add some placeholder text there.)

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to Nightfox on Sun Jul 5 11:26:00 2020
    What's special about signing up via the web (vs. via the telnet interface)? If a user signs up via the web interface and then logs in
    via the telnet interface, should they be unable to post just because of how they signed up?

    I don't care how they sign up. If they don't go through the New User Validation process, they're not getting upgraded. Those who don't like
    this, or the way I run my BBS, don't have to connect to it.

    Daryl

    ... This tagline is restricted to day VFR use only.
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Daryl Stout on Sun Jul 5 23:12:08 2020
    What's special about signing up via the web (vs. via the telnet interface)? If a user signs up via the web interface and then logs in via the telnet interface, should they be unable to post just because of how they signed up?

    I don't care how they sign up. If they don't go through the New User Validation process, they're not getting upgraded. Those who don't like
    this, or the way I run my BBS, don't have to connect to it.

    Daryl

    that's good practice! I didn't add any special flags, but if a new user signs up via web, they do not have access to forums period! not even to browse ... only upgrade is via telnet verifier or manual.

    ~mortifis

    ---
    ■ Synchronet ■ Realm of Dispair BBS - http://ephram.synchro.net:82
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to echicken on Sun Jul 5 23:41:18 2020
    Re: Re: Time to check your web permissions?
    By: Mortifis to Nightfox on Sun Jul 05 2020 10:19:15

    I added 2 checks in pages?001-forum.ssjs if(user.alias === 'Guest') { tell 'em to login ... exit(); }

    That's one way to do it, if you really don't want guests to see *any* of the message areas.

    The official/proper way is to set up a guest account with appropriate restrictions (can't post, maybe can't see some message groups/subs). This doesn't have to be 'Guest'; you can create a special user just for web guest access.

    (However, if you restricted that user so much that no message groups were visible, or no subs in a group were visible, they'd probably just see a blank area where the forum should be. I should add some placeholder text there.)


    on mine guest can login via telnet and read messages (except sysop only obviously areas) but cannot reply/post ... though, Guest can download QWK ... though I have noticed that even with security restriction U Guest can still upload .rep packets ... I don't see a setting to restrict qwk reply uploads :/

    ---
    ■ Synchronet ■ Realm of Dispair BBS - http://ephram.synchro.net:82
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to Mortifis on Tue Jul 7 19:45:13 2020
    Re: Re: Time to check your web permissions?
    By: Mortifis to echicken on Sun Jul 05 2020 11:41 pm

    on mine guest can login via telnet and read messages (except sysop only obviously areas) but cannot reply/post ... though, Guest can download QWK ... though I have noticed that even with security restriction U Guest can still upload .rep packets ... I don't see a setting to restrict qwk reply uploads :/

    The 'P' restriction prevents posts, even via QWK reply packet.

    digital man

    Synchronet "Real Fact" #34:
    The back-up synchro.net nameserver and CVS repository is hosted by Deuce.
    Norco, CA WX: 77.4°F, 50.0% humidity, 11 mph E wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.11-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
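
The access rules discussed in this thread (Mortifis's two page checks, the web-signup flag suggested by DaiTengu and echicken with its "rejig" on terminal logon, and the 'P' restriction Digital Man mentions) combined into one decision function. This is an added example, not code from any poster or from Synchronet; plain objects stand in for user records, and `newUser`, `onLogon`, `webForumAccess`, the "W" flag and `NEW_USER_LEVEL` are hypothetical names.

```javascript
// Added example. Plain objects stand in for BBS user records; newUser(),
// onLogon(), the "W" flag and NEW_USER_LEVEL are hypothetical names.
const MIN_VALIDATED_LEVEL = 50;  // threshold from the check quoted in the thread
const NEW_USER_LEVEL = 50;       // assumed default for this sketch
const TERMINAL = new Set(["telnet", "rlogin", "ssh"]);

// Mark accounts created over HTTP and withhold posting from them by default.
function newUser(alias, connection) {
  const viaWeb = connection === "http";
  return {
    alias,
    level: NEW_USER_LEVEL,
    flags: new Set(viaWeb ? ["W"] : []),
    restrictions: new Set(viaWeb ? ["P"] : []),  // 'P' = may not post
  };
}

// "Rejig" on a terminal logon: clear the marker and lift the restriction.
function onLogon(user, connection) {
  if (TERMINAL.has(connection) && user.flags.has("W")) {
    user.flags.delete("W");
    user.restrictions.delete("P");
  }
  return user;
}

// Decision for the web forum page, most restrictive rule first.
function webForumAccess(user) {
  if (user.alias === "Guest")
    return { read: false, post: false, reason: "guest: log in first" };
  if (user.level < MIN_VALIDATED_LEVEL)
    return { read: false, post: false, reason: "not validated" };
  if (user.restrictions.has("P"))
    return { read: true, post: false, reason: "P restriction" };
  return { read: true, post: true, reason: "ok" };
}

// Constructed walk-through of one web signup: may it post at each step?
function demo() {
  const u = newUser("webkid", "http");
  const steps = [webForumAccess(u).post];                // right after signup
  steps.push(webForumAccess(onLogon(u, "http")).post);   // logs on via web again
  steps.push(webForumAccess(onLogon(u, "ssh")).post);    // logs on via terminal
  return steps;
}

console.log(demo());
```
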
  • From Mortifis@1:103/705 to Digital Man on Wed Jul 8 08:09:06 2020
    Re: Re: Time to check your web permissions?
    By: Mortifis to echicken on Sun Jul 05 2020 11:41 pm

    on mine guest can login via telnet and read messages (except sysop only obviously areas) but cannot reply/post ... though, Guest can download QWK ... though I have noticed that even with security restriction U Guest can still upload .rep packets ... I don't see a setting to restrict qwk reply uploads :/

    The 'P' restriction prevents posts, even via QWK reply packet.

    digital man

    I haven't tested uploading a .rep as Guest, though I assume it will reject any posts/replies during import? I have uploaded .zip and other files via QWK upload, which does allow the upload process, but obviously, fails importing, since they are not .reps. Is there a way to disallow any uploads for Guest at the QWK menu (without hacking the menus and such)? Also, are uploaded reps (or other files uploaded via QWK menu) stored or are they deleted; I checked the temp_dir.

    ---
    ■ Synchronet ■ Realm of Dispair BBS - http://ephram.synchro.net:82
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From DaiTengu@1:103/705 to Nightfox on Thu Jul 9 13:26:20 2020
    Re: Time to check your web permissions?
    By: Nightfox to DaiTengu on Sat Jul 04 2020 07:32 pm

    What's special about signing up via the web (vs. via the telnet interface)? If a user signs up via the web interface and then logs in via the telnet interface, should they be unable to post just because of how they signed up?

    Personally, I've never had a user sign up via the web and then log in via telnet. That said, I'm sure a flag could be set to disallow posting via the web interface only.

    Really I'm just trying to come up with a fairly simple solution that will get rid of the majority of the spambots that are signing up and posting in echos.

    DaiTengu

    ... I used to think I was indecisive, but now I'm not so sure.

    ---
    ■ Synchronet ■ War Ensemble BBS - The sport is war, total war - warensemble.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nightfox@1:103/705 to DaiTengu on Fri Jul 10 13:49:05 2020
    Re: Time to check your web permissions?
    By: DaiTengu to Nightfox on Thu Jul 09 2020 01:26 pm

    Personally, I've never had a user sign up via the web and then log in via telnet. That said, I'm sure a flag could be set to disallow posting via the web interface only.

    How do you know? Do you have a user flag or something enabled that tells you if they signed up via the web or terminal?

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From DaiTengu@1:103/705 to Nightfox on Sat Jul 11 10:37:08 2020
    Re: Time to check your web permissions?
    By: Nightfox to DaiTengu on Fri Jul 10 2020 01:49 pm

    Personally, I've never had a user sign up via the web and then log
    in via telnet. That said, I'm sure a flag could be set to disallow
    posting via the web interface only.

    How do you know? Do you have a user flag or something enabled that tells you if they signed up via the web or terminal?

    Hmm, now that I think about it, I'm not entirely certain. I know I don't get a message to the sysop if a user signs up via HTTP, and the "Connection" type is HTTP, but if they log in via telnet are they prompted to send a message?

    DaiTengu

    ... An oyster is a fish built like a nut.

    ---
    ■ Synchronet ■ War Ensemble BBS - The sport is war, total war - warensemble.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nightfox@1:103/705 to DaiTengu on Sat Jul 11 12:39:51 2020
    Re: Time to check your web permissions?
    By: DaiTengu to Nightfox on Sat Jul 11 2020 10:37 am

    Personally, I've never had a user sign up via the web and then log
    in via telnet. That said, I'm sure a flag could be set to disallow
    posting via the web interface only.

    How do you know? Do you have a user flag or something enabled that
    tells you if they signed up via the web or terminal?

    Hmm, now that I think about it, I'm not entirely certain. I know I don't get a message to the sysop if a user signs up via HTTP, and the "Connection" type is HTTP, but if they log in via telnet are they prompted to send a message?

    That probably depends on your new user configuration. If you have the option enabled for new users to send a message, I'm not sure the web interface prompts for that.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to Mortifis on Wed Jul 15 00:26:30 2020
    Re: Re: Time to check your web permissions?
    By: Mortifis to Digital Man on Wed Jul 08 2020 08:09 am

    Re: Re: Time to check your web permissions?
    By: Mortifis to echicken on Sun Jul 05 2020 11:41 pm

    on mine guest can login via telnet and read messages (except sysop only obviously areas) but cannot reply/post ... though, Guest can download QWK ... though I have noticed that even with security restriction U Guest can still upload .rep packets ... I don't see a setting to restrict qwk reply uploads :/

    The 'P' restriction prevents posts, even via QWK reply packet.

    digital man

    I haven't tested uploading a .rep as Guest, though I assume it will reject any posts/replies during import?

    Correct. If email or feedback is allowed though, those messages could/would be imported fine.

    I have uploaded .zip and other files via QWK upload, which does allow the upload process, but obviously, fails importing, since they are not .reps. Is there a way to disallow any uploads for Guest at the QWK menu (without hacking the menus and such)?

    No. Not sure why you'd want to do that.

    Also, are uploaded reps (or other files uploaded via QWK menu) stored or are they deleted; I checked the temp_dir.

    They are deleted.

    digital man

    Sling Blade quote #23:
    Karl: I reckon I'm gonna have to get used to looking at pretty people.
    Norco, CA WX: 63.7°F, 90.0% humidity, 0 mph ESE wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.11-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)