Stupid question regarding referrer security
Bill Myers
YaBB 2.4
Re: Stupid question regarding referrer security
Reply #4 - May 23rd, 2013 at 7:21am
xnoddyx wrote on May 22nd, 2013 at 8:28pm:
... if you turn off referrer security or let login2, register, register2 past referrer security as in to open it up you will leave yourself more open to spam attacks. <<< this has been tested and confirmed.

Have you ever tried deactivating Referral Security Checking? You'll never know until you try. Wink

I can tell you firsthand that spam-bots haven't been able to harm our forum even though its Referral Security Checking has been disabled. I'm not the only forum admin who's done this.

I believe the key factor for this is using ggn's anti-spam CAPTCHA hack, which was authored into a mod by Derek Barnstorm. You can see it in action near the bottom of Dandello's YaBB 2.5.4 Alpha test bed forum after clicking General Board.

Unfortunately, the perception that YaBB is easily, and successfully attacked by spam-bots has been so pervasive over the years, even highly educated, and otherwise experienced admins actually believe it's not possible to stop spam-bots.

Please excuse the expression, but I beat a dead horse about this issue for a very long time with the admin of this forum, but for whatever reason he simply refused to give ggn's anti-spam CAPTCHA hack a try.

Who knows what spam-bot automation will come up with next? But for those of us who've been using ggn's anti-spam CAPTCHA hack (available for use since December of 2011), spam-bots haven't been a concern.

As for reactivating Referral Security Checking, if or when it's needed, I'll happily use that feature again. Until then, why bother? As long as spam-bots remain defeated, there's no point in using it.

*************************************

Even over at Dandello's test bed forum (see this topic), there's apprehension about allowing YaBB's perfectly capable anti-spam tools to do their job. Instead, the tendency is to default to possibly unnecessary and restrictive referral security settings.

It's defeatism born from fear of spam-bots, which means they win right from the start. Sad

« Last Edit: May 23rd, 2013 at 7:47am by Bill Myers »  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
xnoddyx
Re: Stupid question regarding referrer security
Reply #3 - May 22nd, 2013 at 8:28pm
Bill Myers wrote on May 22nd, 2013 at 4:20pm:
batchman wrote on May 22nd, 2013 at 2:38pm:
... there are only five or six actions that I am allowing from outside my domain ...

I think an unfortunate mistake many admins make is to restrict access to their forums far too much with the Referrer Security feature. Too many do the same with Derek's Anti Spam Question mod when they ask questions only a minority of people can answer. But I digress.

For instance, why would an admin want to restrict access to their help section? That is one place I include contact information in case somebody's access to our forum is restricted, etc.

How about the RSS feed? That's an otherwise nice way to promote a forum. Or the sendtopic features?

Another example is that we have fans of our forum who provide registration from outside of our domain. Thankfully, because YaBB now has superb options to stop spam-bots, restricting the ability to register is no longer needed.

While I do believe Referrer Security is a feature admins should most surely use, I think they can better serve their forum's community by relaxing those restrictions.

My suggestion is to allow as many actions/features as you think you'd enjoy as a guest and potential member, and then work backwards by eliminating those actions/features when you see they're causing a problem.

In fact, just as an experiment that I'm guessing is likely to fail, I've nonetheless just de-activated referral security checking. Perhaps foolishly I guess, I'm curious to see what might happen.

Keep your fingers crossed for me. Roll Eyes



We have been over Referrer Security

from http://www.yabbforum.com/community/YaBB.pl?num=1351872351#32
xnoddyx wrote on Nov 11th, 2012 at 12:01am:
Jkulin wrote on Nov 10th, 2012 at 11:19pm:
Thanks Lads, (Weird I could have sworn I replied)

Activate Referrer Security Checking is checked and always was.

I have unchecked login and log-off in the referrer security, what does that do and will the general public see any difference?

I had the same prob with my last post.
As to login and log-off in the referrer security, they should've been unchecked, and the same for login2, register, register2.
What this is for is to stop Requests, Actions from outside your domain/url to YaBB. Can you check and see if login2, register, register2 are still unchecked?



You can also see some more here:
http://testbed.dandello.net/cgi-bin/yabb254/YaBB.pl?num=1359402117/0

But getting down to the bare bones of it, if you turn off referrer security or let login2, register, register2 past referrer security, as in to open it up, you will leave yourself more open to spam attacks. <<< This has been tested and confirmed.

Hope this is of help to you. Smiley
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
Bill Myers
YaBB 2.4
Re: Stupid question regarding referrer security
Reply #2 - May 22nd, 2013 at 4:20pm
batchman wrote on May 22nd, 2013 at 2:38pm:
... there are only five or six actions that I am allowing from outside my domain ...

I think an unfortunate mistake many admins make is to restrict access to their forums far too much with the Referrer Security feature. Too many do the same with Derek's Anti Spam Question mod when they ask questions only a minority of people can answer. But I digress.

For instance, why would an admin want to restrict access to their help section? That is one place I include contact information in case somebody's access to our forum is restricted, etc.

How about the RSS feed? That's an otherwise nice way to promote a forum. Or the sendtopic features?

Another example is that we have fans of our forum who provide registration from outside of our domain. Thankfully, because YaBB now has superb options to stop spam-bots, restricting the ability to register is no longer needed.

While I do believe Referrer Security is a feature admins should most surely use, I think they can better serve their forum's community by relaxing those restrictions.

My suggestion is to allow as many actions/features as you think you'd enjoy as a guest and potential member, and then work backwards by eliminating those actions/features when you see they're causing a problem.

In fact, just as an experiment that I'm guessing is likely to fail, I've nonetheless just de-activated Referral Security Checking. Perhaps foolishly I guess, I'm curious to see what might happen.

Edited:
For the record, and this is something I had completely forgotten about, I had de-activated Referral Security Checking back in January of 2012, and had it off for almost an entire year without a problem (thanks to ggn's anti-spam CAPTCHA hack).

I had only reactivated it later on because knowledgeable admins told me I should. Roll Eyes

Keep your fingers crossed for me. Roll Eyes

« Last Edit: May 23rd, 2013 at 7:45am by Bill Myers »  

Elrick.
YaBB 2.6.0
Re: Stupid question regarding referrer security
Reply #1 - May 22nd, 2013 at 3:26pm
A very pertinent question Batchman. The only ones checked in my forums are:

Display
Login
Logout
Messageindex
Resetpass

and always works as intended! Wink
  

batchman
Stupid question regarding referrer security
May 22nd, 2013 at 2:38pm
So here's the text from referrer security ...

Code:
Select Board Actions (action=... in the URL) which are allowed from outside your own board domainname.
"Activate Referrer Security Checking?" must be checked in Security Center => Security Settings => General for it to work! 



This would seem to indicate that the actions that are checked are the specific actions you will allow from outside your own domain.

So when I check to see what actions are checked, there are only five or six actions that I am allowing from outside my domain, but they are some big ones like register or profile.

Which leaves me worried ... am I an idiot to be allowing these from outside my own domain, or should I have things reversed and be allowing these only from my own domain, and everything else from everywhere?

Yes, sometimes I can be an idiot who doesn't understand what I should ... but I figured I would doublecheck and make sure I have this set up right on my forums.
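
The reading of the help text quoted in this post (ticked actions are the ones accepted from outside the board's domain, everything else needs a referer from the board itself), as an added example that is not part of the thread and is not YaBB's code: a Python model of such a per-action check. The host name, the function and variable names, the lowercased action names (taken from Elrick's list), treating a missing Referer as not local, and treating URLs without action= as out of scope are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed for illustration: the board's host, and the actions ticked as
# "allowed from outside your own board domainname" (Elrick's list, lowercased).
BOARD_HOST = "forum.example.org"
TICKED = {"display", "login", "logout", "messageindex", "resetpass"}


def referer_is_local(referer, board_host=BOARD_HOST):
    """True only when the Referer header's host is exactly the board's host."""
    if not referer:
        return False  # design choice in this model: no header, not local
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == board_host.lower()


def check_request(url, referer, checking_active=True, ticked=TICKED):
    """Return (allowed, reason) for one request to the board script."""
    if not checking_active:
        return True, "referrer checking is switched off"
    # Accept both '&' and ';' as query separators when looking for action=
    match = re.search(r"(?:^|[&;])action=([^&;]*)", urlsplit(url).query)
    if match is None:
        return True, "no action= in the URL, so the setting does not apply"
    action = match.group(1).lower()
    if referer_is_local(referer):
        return True, "request came from the board's own pages"
    if action in ticked:
        return True, f"'{action}' is ticked as allowed from outside"
    return False, f"'{action}' is unticked and the referer is not {BOARD_HOST}"


# Constructed sample requests: (URL, Referer header or None)
BASE = "http://forum.example.org/YaBB.pl?action="
SAMPLES = [
    (BASE + "register2", "http://forum.example.org/YaBB.pl?action=register"),
    (BASE + "register2", "http://other.example.net/signup.html"),
    (BASE + "register2", None),
    (BASE + "display;num=1", "http://other.example.net/links.html"),
    (BASE + "login2", "http://forum.example.org.other.example/"),
]


def run_samples():
    """Decision for each constructed request, in order."""
    return [check_request(url, ref)[0] for url, ref in SAMPLES]


if __name__ == "__main__":
    for (url, ref), ok in zip(SAMPLES, run_samples()):
        print("ALLOW" if ok else "BLOCK", url.split("?")[1], "<-", ref)
```

The Referer header is supplied by the client, so a check like this filters requests by where they claim to come from; it does not authenticate them.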
  