Discussion in 'Security & Legal Issues' started by Dilip, Nov 23, 2011.
Don't forget the amazing pornos.
I use the built-in CAPTCHA, a human-readable question, and email verification for registration. I've also hidden signatures and profiles for guests and have a tool that lets me quickly remove all content from a user's profile and all their posts. Seems to have helped; spam registrations only happen occasionally now - we used to get several a day.
I have StopForumSpam and a super secret anti-spam script (OK, I can't remember what it is called) and manual verification. So far we have not had one spammer or spam bot gain access.
On many of my forums, I am just going with StopForumSpam.com modifications, Q&A and email activation. CAPTCHA is broken, I wouldn't use it anymore... unless it's custom.
As for the Q&A, IMO, it's the best anti-spam method out there; you just got to keep the questions related to your forum niche and somewhat difficult to answer. If a user has to look them up, oh well. Chances are a spammer or XRumer bot isn't going to be looking up the answer.
Not so true any longer. Apparently some of the spam bots are capable of doing rudimentary Google searches. So "1+1+5-2=" will allow the spam bot to sail on through. "Enter the middle 3 letters of fools" is a better question, which is not so searchable.
Yes, that is true; that is why one should use questions related to their forum's niche and make them somewhat difficult. Besides, even if they are hard, if someone likes the niche, they probably know the answer to it.
Email verification, captcha & Q&A. Using IPB I also use their spam monitoring service, which works really well.
hahaha we just added something like that to our registration question
Only people who play the main game we support now can register easily, and if they don't know the answer, they'll have to probably look it up on our wiki or do research on the net
Keeps the evil autobots out and filters for true game fans!
Aside from that IPB's spam monitoring service pretty much takes care of it.
1. Email verification
2. Anti-spam mod called Spam-o-Matic
4. All new accounts have restricted permissions (No links, PMs and so-on)
5. Every new account must have the first post approved by a moderator
Works for me.
re-Captcha doesn't seem to stop them for me ... for No. 5, do you need unless their first post is approved, they can't make second post?
All #5 means is new users are automatically placed in the moderation queue.
I used KeyCaptcha and haven't had a single spammer register, however it was a negligibly small community.
I read that these new type, "fun" captchas encourage humans to have fun and register multiple times just to "play", however I don't see that as an issue. It's just a human after all, and if they bother to start posting spam, there should be a moderating team to handle it - can't assume all spam can be handled via captchas.
After reading a bit on captchas in general, I am pretty certain that I won't ever use the word captchas. They're often annoying to solve and need to be redone several times. I am undecided on whether I will continue with the fun captchas though.
The sad truth about captchas is they used to be HIGHLY effective at combating bots but now they are nearly useless. They basically serve to keep out the most poorly programmed bots and to annoy any human that tries to read them. I have near perfect vision and I fail them all of the time because one or two letters are so jumbled up that I can't read them.
I find the best system is the question/answer one. This works great if your forum is devoted to a certain topic like a specific video game. You can come up with a list of say, 25 or so questions related to the game and require the user to give the right answer upon registration. It is just as effective as anything else at keeping bots out and is not very annoying for the user. Worst case they can look the answer up on Google.
As you said, nothing can replace a good moderating team. Combine that with actively banning known "attacking" IPs (hacked servers/PCs running bots) and a little randomness on the registration page and you're usually good to go. Worst case, if you're a small forum you'll notice a bot right off; if you're a large forum they'll be dwarfed by legitimate accounts and again will be noticed right off. The amount of harm they do really isn't that bad; most users can spot a bot a mile away and won't click the links anyway, and you should be deleting those threads long before they worm their way into the search engines.
BTW a one click/button system for: Deleting all the threads/posts by a user, banning their IPs, deleting their signature/user info, and banning the account all at the same time is great for those "bad days". Saves lots of time and work.
Email verification and Q&A plugin
I read good things about question-and-answer spam prevention, but I'm not aware of it existing outside of vBulletin. If there are such addons for other softwares, I haven't found them either.
While I can see why people recommend them, they need to be carefully considered, especially if they are based on a niche. Not everyone is familiar with the niche, and not everyone knows how to google, so you need to be watchful of a question too hard. Unless it's wordplay or something similar.
Q&A comes with phpBB, and I think it is very effective. Especially when dealing with non-English based board...
For the most part, I use Q&A spam combat. It has reduced my spam to ZERO, none, zip, nada.
Just make sure the questions are not super easy, and it's better if they relate to the niche of your forum.
1) Question and answer verification. No math questions.
2) Blacklist of disposable/one-time/receive-only and spam-friendly free email addresses.
3) Blacklist of keywords and mashes (asd, sdf, etc) often found in spammer names and email addresses.
4) .htaccess that includes IP ranges of many Russian and Ukrainian Web hosts and troublesome ISPs, and Amazon AWS.
5) vBStopForumSpam plugin.
6) Country Moderations plugin. Registration from India, Pakistan, Sri Lanka, Bangladesh, Russia, Ukraine, Belarus, Nigeria, China, Philippines, and Vietnam are sent to a moderation queue for research.
7) MonkeyStop Keyword and URL Moderation plugin. Keywords include those often seen in spam. After a certain number of posts, members become "trusted", and posts with URLs and keywords are no longer sent to the moderation queue.
8) New Registrant analyzer plugin. My registration form includes the member location. Spammers usually enter "USA" or an iconic city alone, often with an odd spelling ("the Newyork", "lasangelis", etc).
9) Look for other tells; two first names ("Robert John") as a real name, odd capitalization, registration IP is a Web host, etc.
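The checks in items 2, 3, 8 and 9 of the list above, combined into one registration screening function, as an added example that is not part of the original post or of any plugin it names. The function name, the sample lists and the `.example` domains are assumptions made for illustration.

```python
# Constructed sample lists; a real deployment would load maintained lists.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}
# "asd" and "sdf" come from the post; "qwe" and "zxc" are added in the same spirit.
MASH_FRAGMENTS = ("asd", "sdf", "qwe", "zxc")
# Location values the post reports seeing from spam registrations.
SUSPECT_LOCATIONS = {"usa", "the newyork", "lasangelis"}
# Tiny constructed sample of given names for the "two first names" tell.
FIRST_NAMES = {"robert", "john", "james", "michael"}


def screen_registration(username, email, location, real_name=""):
    """Return (action, reasons); action is 'reject', 'moderate' or 'allow'.

    Only the email domain blacklist rejects outright. The other tells are
    heuristics with false positives, so they route to the moderation queue.
    """
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        return "reject", ["malformed email address"]
    if domain in DISPOSABLE_DOMAINS:
        return "reject", ["disposable email domain: " + domain]

    reasons = []
    # Item 3: keyboard mashes in the username or the email local part.
    haystack = (username + " " + local).lower()
    hits = [frag for frag in MASH_FRAGMENTS if frag in haystack]
    if hits:
        reasons.append("keyboard mash: " + ",".join(hits))

    # Item 8: bare country or misspelled iconic city as the location.
    if " ".join(location.lower().split()) in SUSPECT_LOCATIONS:
        reasons.append("generic or misspelled location")

    # Item 9: a "real name" made of two given names.
    parts = real_name.lower().split()
    if len(parts) == 2 and all(p in FIRST_NAMES for p in parts):
        reasons.append("real name is two first names")

    return ("moderate" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample registrations.
    print(screen_registration("jsdf88", "jsdf88@mail.example", "the Newyork", "Robert John"))
    print(screen_registration("maria_k", "maria.k@mail.example", "Leeds, UK", "Maria Kowalski"))
```
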