A major part of owning an ezboard is keeping it safe.
Within minutes, an ezboard can be wrecked if you don't take the necessary precautions. Of course, this is preventable - read on to learn more about keeping your community safe.
Security Guide
I. Overview
- You are solely responsible for your community.
- The limits of security on the Internet.
- How you can help make ezboard pleasant for all to enjoy.
II. Privacy and Member Management
- Controlling who can view or post to your community.
- Controlling who can view or post to your forums.
- Dealing with unwanted members. What to do when you have a member that is disrupting the community?
- Membership Levels – another effective way to deal with spamming
III. Security Against Malicious Posters
- The risks associated with HTML, signatures, pictures, etc and how to reduce them.
- Post flood safety check - why it's there.
- How to manage a forum that's been attacked.
- How to make a report to ezboard legal.
IV. Security Against Account & Community "Hacking"
- How "hackers" get your password and how to prevent it.
- Using the High Security feature to keep your account safe.
- Choose your administrators and moderators carefully!
- How to regain control of a board that has been hijacked.
I. Overview
You are solely responsible for your community.
ezboard gives ultimate authority to the ezOp to make any decisions they wish regarding the running of their board, as long as it doesn’t violate our Terms of Use. ezboard also gives you the tools needed to make your board a safe and secure place for you and your members to enjoy; you only need educate yourself about these tools and use them wisely.
A common misperception is that ezboard will step in and take control of a board that is having troubles. That is not true: YOU are in charge of running and moderating your board. We will not step in and make any changes to your board, even if it means a spammer is erasing all your posts and there is no admin available to stop him. That is why we have tools such as Post Flood Safety Check, Membership by Approval and Membership Levels available for you to use. Any legal or security complaints will be dealt with in a timely manner, but not instantly. You must be prepared to take care of your board yourself.
The limits of security on the Internet.
The Internet has provided us with a communication tool never before imagined. It also provides the anonymity that troublemakers flourish on. It is nearly impossible to find out “who” the person on the other end really is, and where he or she is coming from. You can report a spammer to their ISP; they’ll get a new one. You can ban their ID; they’ll get a new one. You can ban their email, but there are hundreds of free email sites where they can get a new one. You can ban them by IP; they can disguise their IP or use a different ISP or computer in another location. These are the facts. Most trolls don’t bother to go through all that work and can be gotten rid of easily. For those that persist, remember, ezboard does not have some magical technique to stop these troublemakers. They have the same tools you do, and that is merely banning. But don’t lose heart.
What these troublemakers want more than anything is attention. They want to see you get flustered and upset. Don’t give them what they want, and they will grow tired and leave. What can they really do after all? Make a nasty post? Big deal, you can delete it. You have the power.
How you can help make ezboard pleasant for all to enjoy.
ezboard takes your board security very seriously. Over the past few years, we have developed new security measures (Membership by Approval) and improved others. Post Flood Safety Check now checks IP addresses as well, and is effective against even unregistered users. Admins may also thwart spamming attacks more effectively with improved Membership Levels functionality by implementing posting and viewing limits. With continuous bug checking and testing, we improve our program with each new release to be stronger and more reliable than the previous version.
If you are aware of a possible problem, we invite you to make a bug report at Bug Base so we can look into it immediately. If you feel it’s of a nature that shouldn’t be made public, feel free to email your concerns to legal. Our users are very savvy, and have helped us identify and quickly remove bugs on more than one occasion.
The best thing you can do is to use the tools we’ve given you, and continue to grow your community. We have hundreds of thousands of boards, and we are happy to report that the overwhelming majority of them have never had any complaints or problems. With some preparation on your part, you can be one of them.
II. Privacy and Member Management
Controlling who can view or post at your community.
You have control over who can view or post at your community. Select the appropriate level for each in order to enhance the privacy and security of your community. Please note that viewing restrictions supersede certain posting restrictions. For example, if you select the “Approved Applicants Only” viewing restriction then your posting restriction will be automatically set to “Approved Applicants Only” as well.
Who Can View – There are three options to regulate who can view your community.
- Anyone: Anyone (including unregistered users) can view your community. No registration, no passwords required.
- Registered ezboard users only: Unregistered users (people that do not have an ezboard Account) will not be able to view your community.
- Approved Applicants Only (MBA): Users must apply and be approved in order to view your community.
Who Can Post – There are four options to regulate who can post (membership):
- Anyone: Anyone can post to your community. No registration, no passwords required. Unregistered users will not have to enter a password, but the password box will still be on the posting page for them. Be aware of potential problems. First, unregistered users cannot enter any private or password protected areas of your board or forums. Second, you cannot tell who a regular is, as anyone can post with any name; it can get confusing, especially if a troll decides to have fun impersonating others. In addition, it is difficult to ban an unregistered user if the need arises. Use this with extreme caution.
- Registered ezboard Users Only: Anyone can post to your board, as long as they have first registered as a Global or Local member and have verified their email with ezboard. This is the preferred choice for most public ezboards. It cuts down a bit on spammers (especially if you have post flood safety check enabled) because you can ban them by name, email and IP. They can come back, but it forces them to use a new email and IP address each time.
- Registration and Password Required: Potential new members have to first check with you for your password before they are allowed to post, in addition to the benefits of Membership by Posting. This cuts down on “drive-by” spammers and trolls. This does NOT block anyone from reading your board unless you also password protect your forums. Limitations: it is possible that current members could give out your password without your knowledge.
- Approved Applicants Only (MBA): A Gold Community feature. An improvement upon Membership by Password in that you pre-approve who can post at your board. It’s more secure in that there is no password that can be leaked; there is no way to post unless a board administrator accepts the member first. In addition, you can use Membership by Approval with an optional block (strict mode) that will keep non-members from viewing any part of your board. Any unwanted members can have their posting and viewing privileges revoked in a moment by simply deleting them from the membership list. This feature is only available on ezboard – other community sites do not match this level of security.
Controlling who can view or post to your forums.
Using Membership by Approval can give you the option to block your entire board from being viewed by non-members. However, if your board is not a Gold Community or you only want certain forums blocked from view, you can use the password feature to block the forums from being viewed by anyone except those you grant access.
In the security section of your forum you will see the choice to put a password on the forum. You can either give the password out (which may present a security risk in case a member leaks the password to someone else without your prior permission) or you can manually add users to the allowed user list (link appears next to the password box when you activate this feature) as you grant access, which will allow those members you want to enter the forum without knowing the password, while keeping those you don’t want out.
We also offer even greater security for your individual forums with the Invisible Forum feature. This Gold Community feature allows you to hide the forum from view of anyone who is not on the allowed user list. Hackers won’t even know the forum is there to hack – it is easy to see why this is such a powerful feature.
Dealing with unwanted members. What to do when you have a member that is disrupting the community?
You can remove their posting privileges in several ways:
Banning Help File
Ban User Name: You can ban that ID from the board, and they will no longer be able to post in that ID. There are two ways to do this. The preferable way is to go to Control Center > My Community > Member Management > Ban by Username > enter username > Ban. Banning this way has the extra benefit of banning that user's email, even if it's marked private, so that any other IDs he or she registered with that email will also be prevented from posting on the board. Please note: banning now keeps a member from viewing the posts on your board.
You can ban a user name that is not on your membership list (ban in advance, if you are already aware of a Global user name you don't want at your board) by manually typing in their name in the ban user name area. Note: this does NOT automatically ban their email, so if the user has already posted to your board it is preferable to use the above method to ban them for extra security.
Ban Email: Again, like the user name, you can manually ban an email, if you know it, in the ban email section. This is handy if you are already aware of alternate emails a banned user has used.
Ban IP: Use this with extreme caution. IP addresses change if the user has a dial-up ISP account, and such users often share the same addresses with other members of that ISP. This is especially true of AOL users. So, you could effectively end up banning innocent users, too. Also, there are many ways troublemakers can mask their true IP, so they could get around this. This is the only banning option for Unregistered Users.
Please note: If you use Membership by Approval strict, banning alone will not keep the member from viewing the contents of your board. You must also delete them from the user list. Deleting a member from the user list does NOT unban them.
If you have a troublesome Local user, after banning them you can also delete their entire account by deleting them from the user list.
Membership Levels – another effective way to deal with spamming.
By creating Membership Levels, you will be able to assign custom titles and powers to members of your community, as well as give users posting and viewing limits. Post and view limits allow you to control all non-supporters' views and all users' posts on your community. This will serve to keep costs down, control spam and reward loyal users. Membership levels can be either manually or automatically added and the number that can be created is almost unlimited. This means that you have the choice to control membership levels for your members manually or allow members to reach different membership levels after a certain number of posts. For more information, please click here.
III. Security Against Malicious Posters
The risks associated with HTML, signatures, pictures, etc and how to reduce them.
There are a great many clever people out there who know their programming languages, or love to copy off of those who do to make mischief. ezboard has certain tags and code words disallowed for use as a security precaution, but even that has its limitations. ezboard gives you control on just how much of a risk you want balanced with fun features. Let’s look at them one by one:
HTML: ezboard’s recommendation is to not allow this on your board, and have your members use ezcodes instead. There are a great many ways that a clever person can use HTML to make mischief, such as causing pop-ups, redirecting to another website, or causing a person’s browser to do things against their will...the list is endless.
Ezcodes: This will restrict posters to just the main features that HTML allows you, such as making text in bold or italics, posting pictures and links. This isn’t infallible; however, it decreases the chance of problems tremendously.
Signatures: Even if HTML is not allowed in your forum, if you allow signatures a poster can still do mischief with HTML in their signatures. Again, ezboard has many blocks against certain code, but we can’t possibly block it all. Use with caution.
Pictures: Some pictures can contain code that isn’t friendly. However, for most boards the admins just don’t have the heart to disallow all images, and the only way for sure to stop every single one is to disallow pictures, icons, signatures, HTML and even ezcode. Decide for yourself how much of the above you want to allow, and just proceed with awareness that all images (especially broken images) may not be what they seem.
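The difference between allowing raw HTML and allowing only a restricted code set can be seen in the following added example, which is not ezboard's code. The bracket-tag syntax is an assumed BBCode-style stand-in for ezcodes, and all function names are hypothetical. Every character of the post and of the signature is escaped first, and only a short allowlist of tags is turned back into markup.

```python
import html
import re
from urllib.parse import urlsplit

# Tag syntax is an assumed BBCode-style stand-in, not ezboard's actual ezcode grammar.
SAFE_SCHEMES = {"http", "https"}


def safe_url(escaped):
    """Validate a URL taken from already-escaped text; return it re-escaped, or None."""
    url = html.unescape(escaped).strip()
    if re.search(r"[\x00-\x20\x7f]", url):
        return None  # whitespace or control characters inside a URL
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None  # rejects script and data URLs as well as relative ones
    return html.escape(url, quote=True)


def _link(match):
    url = safe_url(match.group(1))
    label = match.group(2)
    if url is None:
        return label  # keep the visible text, drop the link
    return f'<a href="{url}" rel="nofollow noopener">{label}</a>'


def _image(match):
    url = safe_url(match.group(1))
    return f'<img src="{url}" alt="">' if url else "[image removed]"


# Bold and italics run first so that anything they generate inside a URL
# is escaped again by safe_url().
RULES = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.I | re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.I | re.S), r"<i>\1</i>"),
    (re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S), _link),
    (re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S), _image),
]


def render_markup(text):
    """Escape everything, then re-introduce only the allowlisted tags."""
    out = html.escape(text, quote=True)
    for pattern, repl in RULES:
        out = pattern.sub(repl, out)
    return out


def render_message(body, signature=""):
    """Body and signature share one renderer, so neither can carry raw HTML."""
    rendered = render_markup(body)
    if signature:
        rendered += "<hr>" + render_markup(signature)
    return rendered
```

Routing the signature through the same renderer as the post body closes the gap described above, where HTML is disabled for posts but still reaches the page through signatures.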
Post flood safety check - why it’s there.
One of the ways a malicious user may set out to harm your board is by posting a series of threads in rapid succession, in an effort to push legitimate threads off the forum. In a matter of minutes, all 20 pages of your forum can be filled, and all your forum’s posts deleted by falling off the last page. ezboard has a simple yet highly effective solution: Post Flood Safety Check.
Post Flood Safety Check prevents a member from posting again within 60 seconds of their last post. This may not sound like much, but that means a spammer has to sit for hours to do real damage, and he or she may give up trying, or that gives time for an administrator to be alerted so the user can be banned.
Yes, it will also prevent your normal users from posting every 60 seconds, and may catch a fast typist every once in a while. It has no effect on a moderator or administrator (who are immune so they can manage the board) and normal users will probably forgive the occasional annoyance of having to wait a minute in exchange for the security of the board. It’s no small matter; spammers usually target the weekends and nighttime when few people are online to notice what they are doing. Entire boards of thousands of posts have been wiped out this way.
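A sketch of how a check like Post Flood Safety Check can work, added here as an illustration and not taken from ezboard's code. It assumes the cooldown is tracked both per account and per IP address (so unregistered posters are covered) and that staff are exempt, as described above; the class name, function names, addresses and the threads-per-page figure used with it are constructed.

```python
from dataclasses import dataclass, field

COOLDOWN_SECONDS = 60  # interval stated in the guide


@dataclass
class FloodCheck:
    """Rejects a post when the same account or the same IP posted too recently."""
    cooldown: int = COOLDOWN_SECONDS
    last_by_user: dict = field(default_factory=dict)
    last_by_ip: dict = field(default_factory=dict)

    def allow(self, now, ip, user=None, is_staff=False):
        """Return (allowed, seconds_to_wait). `user` is None for unregistered posters."""
        if is_staff:
            return True, 0  # moderators and administrators are immune
        waits = []
        if user is not None and user in self.last_by_user:
            waits.append(self.last_by_user[user] + self.cooldown - now)
        if ip in self.last_by_ip:
            waits.append(self.last_by_ip[ip] + self.cooldown - now)
        wait = max(waits, default=0)
        if wait > 0:
            return False, wait  # a rejected attempt does not reset the timer
        if user is not None:
            self.last_by_user[user] = now
        self.last_by_ip[ip] = now
        return True, 0


def simulate_flood(attempts_per_second, duration_seconds, check):
    """Count posts accepted from one flooding identity (constructed account and IP)."""
    accepted = 0
    total = int(attempts_per_second * duration_seconds)
    for i in range(total):
        now = i / attempts_per_second
        ok, _ = check.allow(now, ip="203.0.113.7", user="flooder")
        accepted += ok
    return accepted


def minutes_to_fill(threads_needed, cooldown=COOLDOWN_SECONDS):
    """Lower bound on the time one identity needs to post `threads_needed` threads."""
    return (threads_needed - 1) * cooldown / 60
```

With the check enabled, ten minutes of five attempts per second yields 10 accepted posts instead of 3000. Assuming 20 threads per page, filling all 20 pages takes a single identity at least 399 minutes, which is the window in which an administrator can be alerted.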
How to manage a forum that’s been attacked.
Three things to keep in mind when dealing with the aftermath of an attack on your board: 1) stop the user immediately from repeating the attack; 2) remove the posts to a secure area to protect your members and to have evidence in case of a report to ezboard; 3) set up a plan to prevent this from happening again.
Stopping the user: The first thing to do is to secure the entire board quickly. If your board is Gold Community, the fastest way to do this is to immediately apply Membership by Approval to your board temporarily. You can also quickly add a password to the affected forums to keep everyone out until you have the situation under control. After doing one or both of the above, go straight to your user area and ban the IDs involved.
Remove the posts: If you don’t already have a password-protected forum to store nasty posts, make one. Move the posts into that forum (in the case of a complete flood, move several made by each ID for evidence; saving them all is not necessary and would be too time consuming, so you may delete the rest). If you cannot get to the post due to some code stopping you, go to the security section of that forum and turn off all pics, html, icons, posticons, and signatures, and also strip the forum down. Then see if you can access it. If you still cannot get to the posts to move or delete them, keep the forum password protected and report the problem to ezboard (via the help forums for fastest service, and also make a legal report) so ezboard can fix it for you.
Set up a plan to prevent this from happening:
- You should have at least one administrator’s email available to members on the board in case of an emergency. If you don’t want to give out your personal one, set up a special email just for this purpose. (And check it often, or have it forwarded to your personal email).
- You should have at least one back-up trusted administrator in addition to the ezOp. This person should also be a regular member who visits often and is easy to contact.
- It is recommended you have trusted moderators assigned to each public forum. These mods can move or delete posts if needed, and should have the administrators’ email and IM contacts available to them.
How to make a report to ezboard legal.
Before making a report, please read ezboard’s Terms of Use very carefully. As with legal matters in the real world, you have to show that written law (or in this case, specific part of the Terms of Use) was broken. And you need proof. Also, like in the real world, simply being a jerk is not illegal. So try your best to avoid and ignore those who try to provoke you.
Using the legal form, present clearly the facts of the case, including what user names and what boards were involved, a specific link directly to examples of the violation, and what part of ezboard’s Terms of Use you felt was broken. It is important that you give details and exact links to the thread involved; ezboard does not search through the board, forums and threads trying to find what you are talking about. Click here for a Guide to ezboard Terms of Use Issues.
One thing to note, you MUST use the legal form to report any violation or any matter regarding ezboard security. Posting the complaint on the help forums is counterproductive because it may alert the user(s) or board that you are reporting to that fact and they could delete the evidence or worse, decide to take revenge on you or step up their efforts to get more attention. In addition, you may be mistaken about a violation, and it would be unfair to those involved to have an unfounded public accusation against them or their boards. It protects both sides.
IV. Security Against Account & Community “Hacking”
How “hackers” get your password and how to prevent it.
Contrary to popular belief, those that fancy themselves “hackers” are not the super sleuths you see on TV that seem to be able to get through a website’s security and hack into the database, stealing what they need. No, what they do use is cunning, trust, and guesswork to get your password. A very few can manage to crack a password using “brute force” (a program that tries a series of words from a dictionary or random numbers and letters until it finds the right one).
How to prevent others from gaining access to your password, your account, and ultimately, your community:
- Don’t tell anyone your password. No one, not even your closest friend. If you manage to let it slip, change it.
- Don’t use the same password for multiple websites. This applies especially to other board systems such as UBB or ikonboard, as these administrators can see your password, and don’t have security and privacy policies in place such as ezboard’s.
- Don’t use common words found in a dictionary. Don’t use anything easy to guess such as your pet’s name. People who learn about you can use this in their guesswork.
- Make your password at least 6 (preferably 8) characters long and use both letters and numbers. This would make it virtually impossible to guess or to crack with “brute force” as it would take years for them to try all the possible combinations.
Final note about passwords: remember to keep your email up to date on your account. Free sites such as hotmail will delete inactive accounts after a time. If a “hacker” catches wind of this, all they need to do is register the same name at the email website, and presto, one click on forgot password and it’s theirs. It also goes without saying to make sure your email password is different and as secure as your ezboard password.
Using the High Security feature to keep your account safe.
In addition to the steps outlined above, we recommend that all users turn this feature on. Please see: High Security
Choose your administrators and moderators carefully.
A chain is only as strong as its weakest link. A board is only as secure as its least trustworthy admin or mod. Don’t give people power over your board if you don’t know them well and trust them completely. Give them the least amount of power needed for their job (e.g., give them power in only one forum if that is where they are assigned; those in charge of board security can be made full board mods or admins). And above all, make sure they, too, are using secure passwords as discussed above.
How to regain control of a community that has been hijacked.
An admin, preferably the ezOp if possible, needs to step in and immediately remove admin and mod powers from all other users until it is determined which ID is the culprit (not necessarily accusing them, but someone may have used that account without them knowing). Then, they can temporarily lock down the board (apply MBA or password protect the forums) until the board has been restored to its original state (or as close as possible). Please check the security log and make a report to ezboard if you have not found out yourself what had happened. The security log will report forum or thread deletions, changes to mod and admins status and bannings, but will not report changes made in the image, color or administrative areas of the board.
If the ezOp account itself was hijacked, then the ezOp needs to make an appeal to legal and accounts from the email that was on the account before the hijacking, asking for the old email to be restored and a new password issued. This request MUST come from that email, and you must explain that it was not changed by you and you want it back.
View the Security FAQs for more information.






