How long is this hack going to last?

12 May 2015

I'm new to Mbed and have some questions regarding the platform however this apparent forum hack is getting in the way of that.

Any ETA on stopping it?

12 May 2015

Hi Jasper,

Calling it a hack is greatly overstating what is happening. It's spam, and it's being posted using pretty much the same methods that you used to post your question.

We've put captchas on sign ups and on posting questions, but it has not stopped the spam, which together with the abusive messages they have left addressed to "moderators" leads me to assume that it is being posted by actual people who just have too much time on their hands.

We are continuing to look at technical measures to make it harder to post spam while removing that which is still being posted.

Steve

12 May 2015

Thanks Steve.

Why anyone would do that to the forum is just beyond me.

12 May 2015

Money, simple as that. Although their time must be really worth very little with the expected ROI of spamming here.

13 May 2015

Someone might do this to gain skills in spamming. Mbed would adapt to better anti-spam techniques over time, thus offering gradually increasing resistance which could be a useful adversary for an attacker, and mbed would also be relatively un-interested in retaliating in any serious manner.

15 May 2015

At this point we've not had any of the "bamwar" spam for around 18 hours. I don't think it's safe to assume that we've seen the end of the problem yet. I am hopeful that in the future the impact of such a flood would be less than we've seen in the past week. I think this is a good point to let you know what we saw, what we've done and some of what we're going to do shortly.

Until just over 2 years ago, to sign up for an account you needed to own a piece of mbed hardware which had a signup code. We started getting occasional spam items on the site after we removed that restriction. This low level of spam perhaps made us complacent to the potential problem.

From the morning of the 7th of May the spam flood started by attacking the questions pages. Later, when we fixed a bug that was preventing posting in the forums, they were also attacked.

[Image: hourly signups chart, /media/uploads/stevep/signups.png]

Above you can see a chart of our signups, each bar represents one hour. You can see a clear spike in signups on the 7th. The rise shows the start of the attack and the reduction came when we added captchas to the signup forms. That did reduce the signup rate but the volume of spam was still enough to make the questions pages and the forums almost unusable. I don't have full figures but we've removed hundreds, maybe even thousands, of spam users and tens of thousands of spam posts.

[Image: captcha comparison, /media/uploads/stevep/captcha-comparison.png]

It's hard to know for certain, but I suspect that the attack was part manual and part scripted. Either way the captchas alone did not solve the problem.

I had heard that captchas are no longer effective. A bit of searching revealed that it is even possible to pay to have captchas solved for you. There are APIs selling captcha solutions. Artificial intelligence can solve many of them. For the rest there are marketplaces with prices that fluctuate with supply and demand where people solve them by hand. I saw prices as low as $1.39 for 1000 solutions.

It seemed worth trying Google's latest version of the captcha. You can read a more detailed comparison on Google's security blog; it's meant to be much easier for humans and much harder for robots, which is great. I'm sure we've all had the experience of captchas being hard to solve. I can see that since we replaced our captchas about 30% of people only have to click on the checkbox to verify.

After we replaced the captcha system we added them to the forms for creating new questions and forum posts. This should at least slow down the spammers or make it more expensive for them to post.

We now prevent signups from IP addresses that spammers have used. We have started adding rate limits to how fast users can post new content to further reduce the spammers' impact.

To further improve our spam protection we want to

  • continue adding and refining rate limits,
  • use external services to check if signups are coming from known spammers,
  • use external services to determine if new content is spam before it is published.

26 May 2015
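Two of the measures Steve describes above, blocking signups from IP addresses spammers have used and rate limiting how fast a user can post, are simple to implement and worth seeing concretely. The following is an added example written for this thread; it is not Mbed's code and makes no claim about how the site actually implements these checks. The class names, the per-user limit of 5 posts per 10 minutes and the blocked network range are all constructed for illustration; the IP addresses come from the documentation ranges reserved by RFC 5737.

```python
import ipaddress
import time
from collections import deque


class PostRateLimiter:
    """Sliding-window limiter: at most `max_posts` per user per `window_seconds`.

    Hypothetical example (not Mbed's code). Each user keeps a deque of
    accepted post timestamps; timestamps older than the window are dropped
    before the count is checked, so a burst is throttled but a user who
    posts at a normal pace is never blocked.
    """

    def __init__(self, max_posts, window_seconds, clock=time.monotonic):
        self.max_posts = max_posts
        self.window = window_seconds
        self.clock = clock
        self._events = {}  # user_id -> deque of accepted timestamps

    def allow(self, user_id, now=None):
        """Return True and record the post if the user is under the limit."""
        now = self.clock() if now is None else now
        q = self._events.setdefault(user_id, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # expire events outside the window
            q.popleft()
        if len(q) >= self.max_posts:
            return False                  # over the limit: reject, do not record
        q.append(now)
        return True


class SignupGate:
    """Denylist of IP networks that spammers have signed up from.

    Hypothetical example. Networks are stored as ipaddress objects so a
    single /24 entry covers a whole range and both IPv4 and IPv6 work.
    """

    def __init__(self, blocked_networks=()):
        self.blocked = [ipaddress.ip_network(n, strict=False) for n in blocked_networks]

    def block(self, network):
        """Add a single address or a CIDR range after spam is confirmed."""
        self.blocked.append(ipaddress.ip_network(network, strict=False))

    def allow_signup(self, ip):
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in self.blocked)


def simulate_burst():
    """Replay a constructed spam burst against the limiter.

    One account tries to post 20 times in 20 seconds; a second account
    posts three times, 5 minutes apart. Returns the accepted counts.
    """
    limiter = PostRateLimiter(max_posts=5, window_seconds=600)
    spammer_ok = sum(limiter.allow("spam-account", now=t) for t in range(20))
    regular_ok = sum(limiter.allow("regular-user", now=t) for t in (0, 300, 600))
    return spammer_ok, regular_ok


if __name__ == "__main__":
    print("accepted posts (spammer, regular):", simulate_burst())
    gate = SignupGate(["203.0.113.0/24"])  # constructed denylist entry
    print("signup from 198.51.100.7 allowed:", gate.allow_signup("198.51.100.7"))
    print("signup from 203.0.113.44 allowed:", gate.allow_signup("203.0.113.44"))
```

The limiter rejects without recording, so a blocked attempt does not extend the spammer's own lockout; the denylist is deliberately range-based because a spammer who is blocked on one address usually has neighbouring ones available, and the cost of a false positive on a signup form is lower than on a login form, since the captcha and a manual review path still exist.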

@Stephen thanks for sharing those facts.

What's the status now?

29 May 2015

The status now is that over the last 24 hours 83 spam posts to the questions area were blocked using an external content checking service. After seeing the success there it was clear the service should be used elsewhere on the site and so that is now being used on the forums as well.

Hopefully this will massively reduce the impact of spam on the site. When some spam gets past the checks users can help by using the report buttons. When we remove spam we are now submitting the content to train the machine learning that filters new posts.
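The feedback loop Steve describes, where removed spam is fed back to train the filter that screens new posts, is the part that makes a content check improve over time rather than decay as spammers change wording. Below is an added example of that loop in miniature; it is not Mbed's code and is not the external service the post refers to. It implements a multinomial naive Bayes classifier with Laplace smoothing, which is one common basis for text spam filters, trained on a handful of constructed forum posts, and shows a message flipping from "ham" to "spam" after a moderator reports it.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class SpamFilter:
    """Multinomial naive Bayes text classifier with Laplace (+1) smoothing.

    Hypothetical example, not a real service's API. Word counts per class
    are kept so that additional training (reports, moderator removals)
    can be folded in incrementally without retraining from scratch.
    """

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def report_spam(self, text):
        """Feedback path: a post removed as spam becomes a spam training example."""
        self.train(text, "spam")

    def _log_prob(self, tokens, label):
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        total = sum(self.counts[label].values())
        denom = total + len(vocab)                     # smoothed denominator
        prior = self.docs[label] / sum(self.docs.values())
        lp = math.log(prior)
        for t in tokens:
            lp += math.log((self.counts[label][t] + 1) / denom)
        return lp

    def spam_probability(self, text):
        tokens = tokenize(text)
        ls = self._log_prob(tokens, "spam")
        lh = self._log_prob(tokens, "ham")
        return 1.0 / (1.0 + math.exp(lh - ls))        # P(spam | text)

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


def build_filter():
    """Train on a constructed seed set: two spam posts, two legitimate ones."""
    f = SpamFilter()
    f.train("buy cheap watches online now", "spam")
    f.train("cheap watches free shipping now", "spam")
    f.train("how do I read the adc on my board", "ham")
    f.train("serial output from my board is garbled", "ham")
    return f


def feedback_demo():
    """Show a post that passes the filter, is reported, and is then caught."""
    f = build_filter()
    post = "new board firmware"            # constructed: unseen spam wording
    before = f.is_spam(post)               # False: nothing in it looks spammy yet
    f.report_spam(post)                    # moderator removes it and submits it
    after = f.is_spam(post)                # True: identical reposts are now blocked
    return before, after


if __name__ == "__main__":
    f = build_filter()
    for msg in ("cheap watches now free", "my board adc output"):
        print(f"{msg!r}: spam={f.is_spam(msg)} p={f.spam_probability(msg):.3f}")
    print("before/after report:", feedback_demo())
```

The same pattern applies whatever the classifier is: the report button and the moderator's removal are the labelled data, and the filter should be retrained or incrementally updated from them rather than from a fixed seed set. A practical caveat is that whatever is fed back must already have been confirmed as spam; an unmoderated report path can be used to poison the filter against legitimate posts.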

29 May 2015

Hi colleagues,

I am in time zone +4, and I noticed that at a time when ordinary people in many countries are asleep, the spammers are hard at work. That is, at the time when I was active, I saw how they appeared in batches. If at least one moderator were active at this time, he could remove the spammers, but this is not happening. As a result, after a few hours they have accumulated to more than dozens.

Might it be necessary to have at least one moderator on duty at this time?

09 Jun 2015

Unfortunately the new google captcha doesn't work in China, presumably due to it being blocked by the national firewall there. So we've had to replace the captcha in use.