How to stop forum spam ?

mouser:
My observations:

1. Last year I discovered that some automated bots have been successfully defeating the captcha on the SMF forum system we use, and registering 50-100 fake users per day.  I put in place several handmade fixes to the registration page, including a few changes to the captcha to make it harder and use non-standard fonts, and swapping around some of the input fields.  The result being that the automated bots that think they know how to solve SMF forum system captchas now fail.  I also save the failed captcha attempts to a db table so I can look at them, and it's quite interesting to watch the bots fail.  For those curious, they also tend to fill in missing fields with the name of a US military branch (air force, navy, army, marines) -- why, I don't know.  So hardening the captcha on the registration page and using some non-standard changes to the default used by your forum system so that you stop spam bots from signing up -- this is your first line of defense.

2. But stopping bots won't stop all spammers, some sign up manually.  For that, integrating a service like stopforumspam can be incredibly powerful in stopping spam.  Whatever forum you use, find an addon that can query stopforumspam or something similar -- that's your second line of defense.

3. Then you can try to make your forum less appealing, by doing some of the things app describes that I did, making links nofollow so that they don't benefit spammers much.  Personally I don't think spammers pay enough attention to realize this, so it won't discourage them, just deny them the benefits after they do spam.

4. The fourth and final line of defense is the human factor.  Here's what I did for us -- I wrote a custom email notification thing that alerts us moderators whenever someone makes a "suspicious" post OR profile modification.  What qualifies as suspicious is if it's their first or second post, if they are a new member, if they have a url somewhere in what they are changing, etc.  The email includes a summary of the change they made, and a quick link to ban them.  This is our secret for how we keep the tricky spammers from ever surviving for more than a few minutes on our site. This is what allows us to catch the really sneaky ones who do tricks like make a normal post, then wait a month and edit it to add spam links in their old post.  Many forums will miss this kind of attack because no one notices the change.  So having these custom alerts is a big win.
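
The suspicious-change check from point 4 above, sketched as an added example; it is not part of the original post and is not the forum's actual code. The `Change` record, the 7-day and 2-post thresholds, the URL pattern and the sample data are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches bare links and links inside BBCode such as [url=http://...]text[/url].
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\[\]<>\"']+", re.IGNORECASE)

# Assumed thresholds: the post only says "new member" and "first or second post".
NEW_MEMBER_AGE = timedelta(days=7)
LOW_POST_COUNT = 2


@dataclass
class Change:
    """One new post, post edit or profile modification (hypothetical record)."""
    kind: str             # "post", "edit" or "profile"
    registered: datetime  # when the member signed up
    post_count: int       # posts the member had before this change
    old_text: str         # previous content ("" for a brand new post)
    new_text: str
    when: datetime


def added_urls(old_text, new_text):
    """URLs present after the change that were not there before it."""
    return sorted(set(URL_RE.findall(new_text)) - set(URL_RE.findall(old_text)))


def review_reasons(change):
    """Reasons to email the moderators; an empty list means no alert."""
    reasons = []
    if change.kind == "post" and change.post_count < LOW_POST_COUNT:
        reasons.append("first or second post")
    if change.when - change.registered < NEW_MEMBER_AGE:
        reasons.append("new member")
    urls = added_urls(change.old_text, change.new_text)
    if urls:  # diffing old vs new text is what catches the delayed edit
        reasons.append(f"{change.kind} adds url: " + ", ".join(urls))
    return reasons


# Constructed sample: a normal post edited 35 days later to add a link.
REG = datetime(2024, 1, 1)
SLEEPER_EDIT = Change(
    "edit", REG, 1, "Thanks, that fixed it for me.",
    "Thanks, that fixed it for me. [url=http://pills.example/buy]cheap[/url]",
    REG + timedelta(days=35))
```

Hooking `review_reasons` into both the post-save and the edit-save paths is what matters: a check that only runs on new posts never sees the edited one.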

JavaJones:
DC is fortunate to have a group of highly active mods. For smaller or less active sites, it's harder to be as quick to react to stuff that does get through. But having dealt with this issue myself on 3 other SMF forums recently (due to a massive *increase* in spam starting a week or two ago), I can confirm much of the advice here and add some further specifics *if* you're running SMF.

First off I installed StopForumSpam and httpBL SMF mods. They helped, but surprisingly did not eliminate more than maybe 20% of spammer signups.

The thing that made the biggest impact so far is installing a completely different kind of CAPTCHA. As I understand it ReCaptcha is essentially compromised at this point, so it's not surprising that it doesn't fix the problem for you. I suspect almost any system will eventually be cracked, but switching to something non-standard at least makes you a much more difficult target and they may not bother. Once I installed notCAPTCHA mod, spam registration went down 90+%. Along with the other mods, StopForumSpam, httpBL, and a few of the other top antispam mods for SMF, my forums are doing ok now. I still have to deal with the occasional spam post, but even with only 1 or 2 mods it's not burdensome.

Obviously if you're not using SMF then you need to think more generally about this advice. For whatever forum system you have, look for more unusual CAPTCHAs, not ones based just on weird text warping and noise. Puzzle solving seems particularly difficult for bots, though with mass human signups (Mechanical Turk?) it may not help.

- Oshyan

rgdot:
I want to add something rather obvious to the third point made by mouser. In addition to forums I have set up and managed dozens of WordPress sites over the years. It is impossible that every spammer or bot creator doesn't know that akismet works with minimal effort out of the box, yet years into the blogs' existence there are sometimes 100s of spam messages posted and caught by akismet per day.
My point is they just don't think, that's how you should approach spam prevention.

mouser:
I think the big-picture lessons about preventing spam are similar to good security advice, which is that there are TWO basic threats you have to contend with:

The first is the brain-dead drive-by automatic attacks by bots.  These will be performed by automated scripts that can and will find your site and use out-of-the-box attacks on you.  If your site is using a captcha that comes standard with your forum, there will eventually be exploits posted for that forum system, and they will get in.  So you need to use non-standard additions to block these.  When you do, you will basically 100% eliminate these attacks.  These attackers don't care about anyone who is doing anything non-standard, it's not worth their trouble.

But then the second is an attack by a determined and human opponent.  You *cannot* prevent these people from spamming your site, or whatever.  You just can't.  The best you can do is set up your OWN human defense to discover them quickly when they do and make remediating their spam/attack as quick and painless as you can.

JavaJones:
Well summarized mouser, agreed 100%.

- Oshyan
