Forum Moderators: rogerd
Yes, the board was hit by 5 separate spam bots at the same time, and they were busy posting auto-generated messages on the top 30 or so threads in every forum. I went in and started cleaning them up, but was disheartened to realize that the attack was still underway by at least 2 of the bots as I was cleaning. They were using rotating IP addresses, and changing the messages slightly, and throwing out (between all 5 bots), about 20 or so different URLs, one per message, rotating through them as they were posting.
One of the other moderators came on as I was working on it, and between the two of us, we finally had it under control after 2 and a half hours. We both lost count of the number of posts we cleared, but it was hundreds apiece.
We're now changing posting requirements, so that guests have to enter in a "code" brought up in graphic format before being able to post. Registered users just have to punch in the graphic code when they log in.
I'm curious, how common is this sort of heavy attack? We've had bot-generated posts before, but it was usually only one or two at a time.
We're sticking with Guest posting allowed on this board, because that's where half our legitimate traffic comes from.
Pain in the butt though.
I'm taking it as a lesson, and as soon as we get it beat on that board, I'm gonna be doing some modding of the forums I have full control over.
The picture verification tool should stop the bots, though. Do you run popular forum software, or do you think this was a customized attack just for your site?
And I kinda agree with you, but I don't own that particular board, just moderate. The owner wants to keep guest posting because it's a support forum for a service, and he believes (and I can't say I totally disagree with him), that in the interest of customer service, Guest posting makes it easier for his customers.
On the forums I have complete control over, I don't allow guest posting, period. That's what I have guestbooks for.
I appreciate the advice, I'm kinda looking for some ammo to steer the forum's owner to making registration mandatory. It would ease the load on the moderators a fair bit.
I just found the whole attack this morning (and that's what I'm classing it as, an attack), a little disconcerting. A couple spam posts here and there, who cares? Not that hard to deal with. But this was hundreds of posts in a matter of hours (and, in fact, it's still ongoing until the patch gets implemented, hopefully this afternoon). Heck, I hadn't even finished my first coffee when I came across the problem.
I think you might be able to get your client to see that while this particular incursion was "easily" (yeah right!) controlled BECAUSE YOU WERE ON SITE, ON TOP OF THE PROBLEM, etc., the next time might happen when you were away, on vacation, ill, hospitalized whatever.... And having a registration procedure in place would mitigate the extent of such an incursion, reducing it to a minor glitch from a potential disaster of outrageous proportions.
I'm relatively sure that most reasonable people these days are NOT put off by the need to register to access a help/support board/desk. We ALL know about the dreck that floats around the net - some of us intimately from the "backside", others from the nightly news....
[edited by: eelixduppy at 9:38 pm (utc) on Feb. 18, 2009]
Our solution:
Leave guest posting, but have a "picture" code that needs to be typed in appear before guest posting. This should hold the automated bots at bay (for now, I'm aware that there are people working on "readers" for those graphical codes).
Increasing the "flood" threshold for guests to 5 minutes, and 180 seconds for registered users. Moderators have no flood threshold.
We're going to keep a close eye on the board over the weekend and see how it turns out.
A side "bonus" is exactly that. For managing to keep the board up, uninterrupted, during the entire attack, the owner is gonna be throwing a little extra at the two moderators. (The site owner is the primary coder and moderator).
My own argument was to disable guest posting altogether, seeing as the registration requirements are pretty minimal anyway (pretty much all you need to enter is an alias and a valid e-mail). I got outvoted, but I could see some hesitation among the other two who voted against this. One more attack and guest posting will be gone, is my guess.
After some basic googling, I discovered that this attack was specifically engineered against a particular BBS package, and that we were far from the only ones being hit by it.
If it's alright with the mods here, I would be happy to post a general description of the attack, the software it affects, and a few simple countermeasures (in an independent thread). I'm just asking first because I don't want it to appear as an insult against a particular package.