Anubis wrote:This is worrying. I wonder if they are actually human, or are indeed bots.
The security question currently has a four-character answer. Even with a timed lockout for a certain number of incorrect answers, a bot could crack it fairly quickly by throwing every combination of one to four letters at the security question. If the question was, "What is the full name of the organization? (Include spaces and capitalize properly.)" with a fifteen- to thirty-minute lockout on an incorrect answer, it would take a hell of a lot longer for the bots to start seeping through without the intervention of the bot's programmer/operator.
Of course, a static security question is like a password or combination lock, in that it can always be cracked. All you can do is delay the inevitable by including more characters and a wider variety of characters. Dynamic word verification image systems have proven much more effective at keeping bots away, as they can't take the brute force approach of throwing random letters at the verification field over and over again, since the image/password changes each time it's loaded. I'm sure it's defeatable by some means, but those means seem to be well beyond your average script kiddy at present.
I've no doubt that this last one was a bot. What are the most popular indie and commercial titles right now? Minecraft, Modern Warfare 2, and World of Warcraft. Which places did the bot target straight away? The Minecraft and Modern Warfare 2 threads, and the World of Warcraft subforum. The content of its posts was so basic that I've little doubt the bot just has a selection of smilies and the advertising link to randomly pull from when it makes a post.
Some bots are designed to produce pretty sophisticated deceptions, though. A few years back, the Subsim Radio Room was under siege by bots that actually managed to deceive the administrators into manually activating their accounts. The bots would then make lengthy posts introducing themselves (not as bots, obviously) and reply to a few threads without placing any advertising content in their posts. Some days later, they would then go back, replacing the content of their old replies with advertising content and spamming the hell out of the board with new advertising threads. The admins only found out that these were bots when the duplicate account activation request messages started coming in, and they went back to the old bot replies to realize that they were so vague as to have nothing to do with the thread, without appearing out of place. (For example, the bots would hit a screenshot thread, quote something wrapped in image tags, and add text like, "Nice shot!" It's not difficult to find such a thread on gaming forums; there's high odds that anything wrapped in image tags in the thread is a screenshot, and enough real users are usually interested in the length of their e-penis to make a two-word post about a screenshot and move onto the next thread. In hindsight, it was obvious that the bots never mentioned submarines or U-boats in any of their posts, but that's the nature of hindsight.)
There's no reasonable way to stop every bot. All you can really do is get the rate of incursion down to a manageable level and then, well, manage it. To come full-circle, though, I think you could have a more robust security question/answer pairing that would take a lot longer for a bot to crack, without asking an unreasonable effort on the part of new users.
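Added example (not code from either poster in this thread): a small Python sketch of the two ideas the reply reasons about, the size of the answer space for a short versus a long security answer, and a per-source lockout that makes each wrong guess cost time. The constants are constructed assumptions: lowercase answers for the short case, three wrong guesses per fifteen-minute lockout, one second per attempt, and a sample expected answer taken from the forum name mentioned above. The `source` key is whatever the site chooses to throttle on (client address, session, or target account); a bot spread across many addresses is the case where throttling per address alone is not enough.

```python
import hmac
import string
from dataclasses import dataclass, field

# Assumption for the estimate: short answers are drawn from lowercase letters only.
LOWER = string.ascii_lowercase


def answer_space(min_len: int, max_len: int, alphabet_size: int = len(LOWER)) -> int:
    """Number of candidate answers with lengths min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(candidates: int, failures_before_lockout: int,
                       lockout_seconds: int, attempt_seconds: int = 1) -> int:
    """Seconds for ONE source to try every candidate when every
    `failures_before_lockout` wrong guesses cost a `lockout_seconds` pause."""
    lockouts = candidates // failures_before_lockout
    return candidates * attempt_seconds + lockouts * lockout_seconds


@dataclass
class LockoutGate:
    expected: str                  # the correct answer (constructed sample)
    max_failures: int = 3          # wrong guesses allowed before a lockout
    lockout_seconds: float = 900.0  # fifteen minutes, as suggested in the post
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def check(self, source: str, answer: str, now: float) -> str:
        """Return 'locked', 'wrong' or 'ok'. `now` is the caller's clock so the
        behaviour is deterministic in tests (use time.monotonic() in production)."""
        if self._locked_until.get(source, 0.0) > now:
            return "locked"  # a correct answer is refused too, or the lockout is pointless
        if hmac.compare_digest(answer.encode(), self.expected.encode()):
            self._failures.pop(source, None)  # success clears the failure counter
            return "ok"
        count = self._failures.get(source, 0) + 1
        if count >= self.max_failures:
            self._locked_until[source] = now + self.lockout_seconds
            self._failures.pop(source, None)
        else:
            self._failures[source] = count
        return "wrong"


if __name__ == "__main__":
    short = answer_space(1, 4)
    # 17-character answer over letters plus space: "Subsim Radio Room"-sized
    long_ = answer_space(17, 17, alphabet_size=len(string.ascii_letters) + 1)
    for name, n in (("1-4 lowercase letters", short), ("17 chars with caps and spaces", long_)):
        secs = worst_case_seconds(n, 3, 900)
        print(f"{name}: {n:,} candidates, ~{secs / 86400:,.1f} days for one source at 3 tries per 15 min")
```

The estimate only holds for a single throttled source; the gate is keyed by `source`, so the practical choice is what that key is, and limiting per target account as well as per address is what keeps the arithmetic honest against a distributed bot.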