Forum Anti-Spam Tips


Post » Wed Nov 30, 2011 11:48 pm

So I'm really impressed by how easy it is to sign up, yet there is no spam.

I set up a forum recently, which didn't even have any real posts before spam started showing up. I tried a bunch of annoying captchas, but none worked. Eventually I settled on one that asks a customized question (e.g. "Are apples a fruit? Answer yes or no."), which has put a stop to the spam. But if possible, I'd like to get rid of it.

So! Any tips or tricks you're willing to share? You guys must obviously have some up your sleeve.

The only option I can think of is to dig into the source and try to modify/customize it in a way that will break automated tools when they encounter something they don't recognize. But without knowing anything about the tools used, this sounds like it will be tricky and mostly trial & error.

Another suggestion I read was to block a specific time zone completely which is used by spam programs, but uninhabited by humans, but that didn't help.

Post » Thu Dec 01, 2011 12:14 am

The one with the biggest effect and one of the simplest techniques is to relocate and rename your registration pages. We have it set to www.scirra.com/register but we get loads of 404 requests to www.scirra.com/forum/register.asp and www.scirra.com/phpbb3/register.php etc. Move it somewhere else and rename it, a majority of scripts will 404 and move on. This is pretty much blocking 90%+ of all spam signups.

Secondly, we have honey pots set up as well. If you view the source of the registration page you will see that there is a username field, but this is a hidden field. The actual username field is called something obscure. If the username field has a value when it is submitted, it will reject the registration. No real registration will ever fill a 'username' field out with a value, so if it has a value we know it's probably a bot. This seems to catch out a few spammers a day as well.

Lastly, a great bunch of moderators also really helps as well as a community who are able and willing to report spam posts :)

We still do suffer from spammers, but the spammers using automated tools (like the one beginning with xru...) are pretty effectively blocked. There's also literally nothing you can do about paid human spammers except manually nuke the user when you come across them. Labour in some countries is extremely cheap and this becomes +EV to hire if you're running a spam operation sometimes.

Spammers are a royal PITA for web developers. Interestingly, when we have been forum spammed I've actually contacted a few of the websites the spammer is promoting. What I often find is that the website is *sometimes* oblivious to the fact their website is being spammed (other times they feign ignorance). They think they are paying an 'expert in SEO' to help their website rankings, but all they have managed to hire at the end of the day is another knuckle dragging spammer who litters the web with dirt that honest webmasters have to spend hours a week cleaning up! It's very frustrating, but it's something you have to accept and account for when running a website nowadays.

For a site which is the size of ours, we probably have to ban around 1 user a day now on average. This is completely manageable. Without some of those techniques described above you would probably be looking at around 20+ accounts per day. I'm fairly sure a lot of the ones we do ban are human spam accounts.

The techniques above as well are easily circumnavigated. However, it is not in the spammers' interest to beat our system. If they do get through, we deal with them swiftly. Because we have taken these measures as well it would suggest to the spammers even if they did beat our system ours would not be a site worth spamming as the likelihood is we care about spam and would remove it quickly. There's much softer, juicier targets out there. A lot of spam prevention is just staying ahead of the pack in my opinion for this reason.

I could write a short book on SEO 'experts' and the scams like this people run. Unless you really really (really) know what you are paying for, don't pay for SEO. For all you know they could be spamming on sites like this as part of their service.

If spam is still a problem after all this we have looked at using a service such as Akismet. It's got an apparently amazingly low false positive rate and comes at high recommendation from many sources. We haven't needed to use it yet, but we will if we need to.

In regards to CAPTCHAS I want to avoid them. They are very inaccessible (which I care about) and I'm very certain they deter people from following through with signing up. Personally I've been on websites and had a CAPTCHA, got it wrong and the form was handled badly and asked me to re-enter a lot of fields. Sometimes you get stuck in a washing machine of re-entering fields and CAPTCHAS and at the end of the day who can be bothered to do that? Best to not lose sign ups if possible. One way to do that is by not using a CAPTCHA.

Tom 2011-12-01 00:28:13
Scirra Founder
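A server-side sketch of the two measures described in the post above (the hidden decoy `username` field and the moved registration URL), added here as an example and not Scirra's code. The obscure field name, the CSS hiding, and the "suspect" verdict for a missing decoy field are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Assumed names: the decoy keeps the obvious name "username"; the real field
# gets an obscure one (hypothetical value, not taken from any real site).
HONEYPOT_FIELD = "username"
REAL_USER_FIELD = "f_7c1e_login"

# Default registration paths the post lists as drawing 404s after the move.
PROBED_PATHS = {"/forum/register.asp", "/phpbb3/register.php"}

# Form sketch: the decoy is hidden with CSS (an assumption) and kept out of
# tab order and autofill so that people and browsers leave it empty.
FORM_HTML = f"""<form method="post" action="/register">
  <div style="display:none" aria-hidden="true">
    <input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <input type="text" name="{REAL_USER_FIELD}">
  <input type="password" name="password">
</form>"""


def classify_signup(raw_body: str) -> tuple:
    """Return (verdict, detail) for a urlencoded registration POST body."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    if "".join(fields.get(HONEYPOT_FIELD, [])).strip():
        return ("reject", "honeypot field filled")
    if HONEYPOT_FIELD not in fields:
        # Browsers submit empty text inputs, so a missing decoy suggests the
        # POST was not built from this form. Flagged, not rejected (assumption).
        return ("suspect", "honeypot field missing")
    name = "".join(fields.get(REAL_USER_FIELD, [])).strip()
    if not name:
        return ("reject", "no username supplied")
    return ("accept", name)


def count_probes(request_paths) -> dict:
    """Count requests for registration URLs that do not exist on this site."""
    hits = {}
    for path in request_paths:
        key = path.split("?", 1)[0].lower()
        if key in PROBED_PATHS:
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    # Constructed sample submissions and request paths.
    print(classify_signup("username=&f_7c1e_login=alice&password=pw"))
    print(classify_signup("username=cheap-pills&f_7c1e_login=bob&password=pw"))
    print(count_probes(["/register", "/forum/register.asp"]))
```

Rejections are best answered with the same generic response a failed signup gets, and logged, so the count of decoy hits can be tracked alongside the 404 probe count.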

Post » Thu Dec 01, 2011 2:06 pm

Oh my wow. Thanks so much for the in-depth replies, this is one of the best topics I've read on the subject, better than anything I found through Google at the time.

I'll try the registration page first and see how it goes.

Akismet does look good, I looked at it for our blog comments but it just seems a little too pricey before you have some actual traffic (it costs more than our webhost!!)

I heard about the captcha sweatshops in India too... crazy stuff right? I wonder how much of it is myth, but this kind of stuff has also shown up on amazon's mturk before so there's obviously a market for it.


[quote]In regards to CAPTCHAS I want to avoid them. They are very inaccessible (which I care about) and I'm very certain they deter people from following through with signing up. Personally I've been on websites and had a CAPTCHA, got it wrong and the form was handled badly and asked me to re-enter a lot of fields. Sometimes you get stuck in a washing machine of re-entering fields and CAPTCHAS and at the end of the day who can be bothered to do that? Best to not lose sign ups if possible. One way to do that is by not using a CAPTCHA.[/quote]

Amen! I owe you a beer.

Post » Thu Dec 08, 2011 1:09 am

Hey Tom,

I'm on a forum that is presently being bombarded by spam sammies. The moderators say that many of them are spam bots but I think not! We report them as they happen but instead of deleting them, they get placed on the Banned List with all their links and info intact. I think this is making the situation worse... Sometimes there are more spammers than legitimate members logged in at a given time and I think that not stripping the info before placement on the Banned List is a contributing factor. What are your thoughts?

Do you delete or ban your spammers? And, would it be okay if I shared a link to this thread to the mods on our dialysis forum and see if they would be willing to take a view at the methods that are working well for you?

Thnx!

Post » Thu Dec 08, 2011 5:05 pm

Always delete spam ASAP. If you leave it on you're going to be encouraging them. Intelligent spam software will revisit posted messages to see how many have 'stuck' and not been deleted. If it has a high stick rate it will revisit it for more spam. Always delete spam!

Feel free to link to this post! I wrote it up as a blog post here as well which contains a bit more information:
http://www.scirra.com/blog/61/reducing-website-spam

Tom 2011-12-08 17:06:17
Scirra Founder

