Forum Spam - What we're doing about it

This morning, our beautiful forum was spammed by a spambot. As annoying as they are for us, we know they are annoying for you as well. It seems we will need to add more security upon registration.

Moving forward, we will find and implement ways of preventing this type of spam. We are thinking we want to avoid using captchas. Doing an email confirmation seems like a better option, as we can be sure the email address exists when accounts are created. We are also considering a service like Cloudflare, which can help mitigate DoS attacks and will also block certain ranges of IP addresses.

We have discussed a 'report post' feature. Members can use it to report spam and unwanted posts.

So we are taking action to reduce the possibility of spambots spamming the forum. If anyone has some insight or suggestions, we would love to hear them.

Wing-Hou Chan over 5 years ago

Hey Rafi!

I was horrified this morning. There were like 6 pages of spam. Being in the UK I was probably one of the first to see it and considered dropping you a tweet but Twitter was blocked on the computer I was using. :(

I agree with avoiding captchas and an email confirmation seems the way to go.

I thought I saw a Report button before but I must have imagined it as it seems to have disappeared.

How about a moderation team? With active members around the world we'll be able to keep an eye on what is posted and weed out the spam should we find any.

Rafi Benkual over 5 years ago

We are looking into adding a report button; we haven't needed that until now. We are looking into 3rd-party options to help notify us when something is reported.

As far as helpful members like yourself, a tweet or email should do the trick for now. We should have a spam solution done today.
Thanks!

Karl Ward over 5 years ago

I worked with anti-spam mechanisms for an active forum, and I learned that both spam-bots and human spammers are relentless in their methods. Give them any breathing space whatsoever, and they will sneak through eventually. Although captcha kinda sucks for humans, there is a good reason why it is so effective ... If you don't want to use captcha, then why not use a human-answerable question? These prevention methods work, and will save you a lot of time and trouble. Add an invisible "honeypot" field method, and you are pretty sure to stop all spambots before they can even submit.

Many spambots and certainly human spammers will confirm emails also, so I am not sure ultimately how effective that method is. It certainly helps! If I was you, I would add all prevention mechanisms at your disposal, as long as they are "acceptable" from the user's perspective ... I think most users are comfortable filling a simple captcha/question and confirming by email these days ... Your forum is technically-oriented, so most users are relatively tech-savvy anyway ...

These are the following methods we implemented into the forums at imagevuex.com/forum/, to prevent both spambots and human spammers.

  • email confirmation link (requires authentic email)
  • cloudflare (first line of defense, although relatively ineffective)
  • honeypot (invisible field, trap for bots to fill in)
  • Country question + IP (we ask for country from the user, and then through manual activation email, we check it vs their IP http://ip-lookup.net/?ip=*.*.*.* ... Those who lie about location are normally human spammers)
  • Question captcha (ask a human answerable question, for example "what do we call frozen water?" ... it will ultimately stop bots, leaving human spammers).
  • Manual activation (within 12 hr)

With all the methods, is it necessary with manual activation? Although the methods above stopped all bots and most human spammers, in our case we still needed manual activation to filter out the most ambitious human spammers. In your case as a new forum, you can expect more spammers (both human/bot) over time, and you might as well set up the barricades properly ...

Joe Workman over 5 years ago

I swear by Cloudflare! It's an awesome service... The moment that I started using them, the number of malicious issues that I had with websites basically went to nil.

Joe Workman over 5 years ago

I should add that I don't think that Cloudflare is the only thing that you should do. Email confirmation will definitely slow the spam down considerably. But it definitely will not stop it.

I also think that the report/spam button is a good idea as well. You may want to think about allowing more moderators on the forums that would have the ability to act on those spam reports.

Rafi Benkual over 5 years ago

Thanks Karl and Joe! We are adding Akismet today and hooking up email confirmations as well.

We are opposed to captchas just because they are not very good (hard to read) and pose an unnecessary barrier to entry for users. That would be a last resort. It looks like a lot of this is actually human-generated spam anyways.

Rafi Benkual over 5 years ago

We added a system called Akismet http://akismet.com yesterday and a few other behind the scenes changes. There may be some lingering spam while the system learns how to track it better. So far it has been helping a lot.

We are still working through the suggestion list and will do more tomorrow.

Paul @ cactusoft over 5 years ago

You could institute something like 4 or 5 members clicking on a report button hides the spam. You could probably get away with 2 or 3 to be honest. Because I think you guys work hard enough without having to pro-actively go through deleting spam.

Another thing we found quite effective at stopping automated spam is to change the names of the form fields on a rotating basis (obviously whatever system you use has to sync the form and the handler). And then stick in a couple of extra fields which are hidden and must remain blank. Most spam bots just push spam into everything, and try to post directly to the handler, so this can be quite effective - if you find any value in those fields which are hidden with CSS, you silently drop the post (but return the same message to the poster, so any machine cannot tell whether it was successful or not).
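The rotating field names, blank hidden fields and silent drop described in the comment above, sketched for Node.js as an added example that is not part of the original post or the poster's system. The HMAC-derived names, the 10-minute window, the secret and the field names are all assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// All values below are constructed for the example.
const SECRET = 'constructed-demo-secret';   // server-side only
const WINDOW_MS = 10 * 60 * 1000;           // field names rotate every 10 minutes
const REAL = ['title', 'body'];             // logical names the application uses
const TRAPS = ['website', 'email2'];        // rendered, hidden with CSS, must stay blank

// Public name of a logical field in a given time window.
function fieldName(logical, windowNo) {
  const mac = crypto.createHmac('sha256', SECRET).update(`${windowNo}:${logical}`);
  return 'f_' + mac.digest('hex').slice(0, 12);
}

// Names the form template renders at time `now`; the handler derives the same ones.
function formFields(now = Date.now()) {
  const w = Math.floor(now / WINDOW_MS);
  return Object.fromEntries([...REAL, ...TRAPS].map((l) => [l, fieldName(l, w)]));
}

// Returns the identical reply in every case; `stored` is null when the post is dropped.
function handlePost(body, now = Date.now()) {
  const reply = { status: 200, message: 'Thanks, your post was received.' };
  const w = Math.floor(now / WINDOW_MS);
  // Accept the previous window too, so a form opened just before rotation still works.
  for (const win of [w, w - 1]) {
    const get = (l) => body[fieldName(l, win)];
    if (!REAL.every((l) => typeof get(l) === 'string')) continue; // wrong or stale names
    // A browser submits the hidden fields as empty strings; anything else is a bot.
    const clean = TRAPS.every((l) => get(l) === '');
    const stored = clean ? Object.fromEntries(REAL.map((l) => [l, get(l)])) : null;
    return { reply, stored };
  }
  return { reply, stored: null }; // posted straight to the handler with static names
}
```

Because form and handler derive the names from the same secret and clock, nothing has to be stored to keep them in sync.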

Lynda Spangler over 5 years ago

I have used Akismet on a project and it was catching most spam but was still letting some through. Even with Akismet I would still see all of the spam comments in the backend. I then implemented a solution that isn't foolproof but when combined with Akismet took my spam to 0.

What I did was integrate a simple JavaScript solution as I found many spambots don't execute JavaScript.

I placed the action URL in a data-attribute and leave the action URL blank. Then on clicking submit or reply I would run a simple JS function that would take the data-attribute and make it the action URL then submit the form. Amazingly it took my spam from 50 - 100 comments a day to 0! I was shocked that it worked so well.

I may receive a couple spam comments a month now and those are human spammers which Akismet quickly filters out.

Just a thought. =>
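The data-attribute technique from the comment above, as an added example that is not the poster's code. It sets the action inside a `submit` listener rather than calling `submit()` itself, and the markup and the `/comments/new` URL in the comment are assumptions.

```javascript
// Assumed markup (constructed):
//   <form method="post" action="" data-action="/comments/new"> ... </form>
// A client that does not run scripts posts to the blank action, i.e. back to the
// page URL, which should not accept comments.

// Arm one form: copy data-action into action only when a submit event fires.
function armForm(form) {
  const target = form.dataset.action;
  if (!target) return false;                 // no data-action, leave the form alone
  form.addEventListener('submit', () => {
    form.action = target;                    // the browser reads action after this runs
  });
  return true;
}

// Arm every form on the page that carries data-action; returns how many were armed.
function armAllForms(doc) {
  return Array.from(doc.querySelectorAll('form[data-action]'))
    .filter((form) => armForm(form)).length;
}

// In a browser, run once the DOM is ready (skipped outside a browser).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => armAllForms(document));
}
```

This filters only clients that do not execute scripts; a bot that reads `data-action` or posts to the handler directly is unaffected, which is why it is paired with a content filter in the comment above.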

Malou Geurts over 5 years ago

The spammer is back, he just got started. I think the report button is really necessary so that if enough people click report it will automatically dismiss the thread.

Lynda Spangler over 5 years ago

+1 for the Report Button or a Flag Button.

What about adding moderators as well? For instance, anyone who is Foundation Certified or has a certain amount of forum points can automatically remove a post, be it spam or offensive. Similar to the way StackOverflow gives permissions to users as they gain points.