spam prevention
Consider a site with a registration - 5 account types - 1 free the other 4 paid and all different prices.
Each member who joins gets a profile page and members can post comments on other members' profiles.
Also, there is a private message system where members can send each other PM's.
I have a captcha on registration, so auto spammers shouldn't get through.
But the free account worries me, and my client wants it to remain.
The problem I have is anyone can sign up for the free account in about 20 seconds and send spam PM's to other members and leave spammy comments on profiles.
I have spam reporting links and member blocking options, so when a spammer is identified they are banned, but really want some methods to try to avoid this in the first place.
My thoughts are, really there is no way to stop it. I allow sign up, so nature of the beast people can spam. But am hoping to get some ideas/tips/tricks to help reduce this happening.
I have seen suggestions for IP monitoring, but I don't like using IP's as any kind of unique identifier as they can change often. It's unfair to ban Joe's IP as John might have it next week and is unfairly banned from joining the site, John could even already be a member and get banned.
And of course people do use proxy for genuine reasons, and banning IP's will also ban proxies which might block numerous members if it's a popular proxy.
I think I will use the confirmation email system, as that drastically slows down spammers making multiple accounts.
My client wants to limit PM's sent by one member per hour/day.
But reg is free and fast so they could just setup a few accounts.
I also don't like taking facilities away from decent members just to avoid 'potential' spammers.
My contention is to only do this for the free account, as I believe hardly any spammers will be paying to join and spam. Does this sound realistic?
I know there is no magical solution, but want other people's opinions and any ideas.
Cheers
webwiz posted this at 00:49 — 12th May 2008.
He has: 629 posts
Joined: May 2007
As most spam seems to come from 'bots, something like a "honeypot" trap works well for me. You are correct in assuming that you can't do much about human spammers, though. My own opinion is that captchas exclude genuine visitors without stopping human spammers at all.
Your client has probably the only solution, partial though it is - limit the number of messages - although I'd probably make that one per three minutes and a few per day.
This topic comes up a lot on web design discussion groups, and no-one has a definitive answer, AFAICT.
Cordially, David
--
delete from internet where user_agent="MSIE" and version < 8;
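As an added illustration (not code from any poster in this thread), the honeypot check and the per-member PM limit discussed above could look like this in Python, throttling only the free account type. The field name `website`, the cap of 5 per day, the tier name `free` and the in-memory store are assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Limits assumed from the reply above: one PM per three minutes and
# "a few" per day (5 is an illustrative value), free accounts only.
MIN_GAP_SECONDS = 180
DAILY_CAP = 5
DAY = 86400
HONEYPOT_FIELD = "website"  # hypothetical form field, hidden from humans via CSS


def is_bot_submission(form):
    """Humans never see the honeypot field, so any value in it means
    the form was filled in by a script."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


class PMThrottle:
    """Sliding-window PM limiter keyed by member id (in-memory for the
    example; a real site would keep the timestamps in its database)."""

    def __init__(self):
        self._sent = defaultdict(deque)  # member_id -> accepted send times

    def check(self, member_id, account_type, now=None):
        """Return (allowed, reason). Paid tiers are never throttled."""
        now = time.time() if now is None else now
        if account_type != "free":
            return True, "paid"
        sent = self._sent[member_id]
        # Forget sends that have left the 24-hour window.
        while sent and now - sent[0] >= DAY:
            sent.popleft()
        if sent and now - sent[-1] < MIN_GAP_SECONDS:
            return False, "too_soon"
        if len(sent) >= DAILY_CAP:
            return False, "daily_cap"
        sent.append(now)  # only accepted messages count against the limits
        return True, "ok"
```

Because the limit is per account, it slows a spammer only as much as registration does, which is why it pairs with the e-mail confirmation step mentioned in the opening post.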
Megan posted this at 14:10 — 12th May 2008.
She has: 11,421 posts
Joined: Jun 1999
The PM spam is tough because you don't want to be watching people's private messaging too much. You have to rely on the community to report that and ban anyone caught spamming by PM. Don't put too many limits on the PM's, that will just annoy people.
You should be clear about what is and is not allowed and what the consequences are of breaking the rules - that's one thing we haven't got around to re-implementing here since we moved this forum over. It's good that your client is concerned about this from the start. This way you can make sure you have your bases covered before the community launches. Spammers do tend to be creative about their techniques, so there will always be things you haven't thought of.
You should have an easy way to clean up any spam if it happens - can you delete a member's PM's? Can you delete all of their posts without too much trouble? In my experience that sort of thing doesn't happen too often.
Megan
greg posted this at 16:08 — 12th May 2008.
He has: 1,581 posts
Joined: Nov 2005
Thanks for the replies. You've pretty much confirmed that there are no methods I don't know about.
"In my experience that sort of thing doesn't happen too often."
That's the balance I'm trying to get.
Prevention to a certain degree but with the thought that it won't happen often enough to remove functions from other members.
I have implemented a banned system. Where in admin CP a member can be banned and all their details (pm's, profile comments, friends list etc) are moved to a "banned_members" table.
That allows me to check usernames for banned members to give messages when they try to login, rather than simply delete them which would mean the username is available to register with again, and also the banned member trying to log in would just get 'username not found'.
Cheers
Megan posted this at 18:39 — 12th May 2008.
She has: 11,421 posts
Joined: Jun 1999
Another good thing to be able to do is track all of a user's activity. Usually this is built in to a given system but sometimes you miss things. Like what happens to deleted postings? Are they gone forever or can you still find them? Can you find all of a user's deleted posts?
Not deleting banned users is important. If they're just banned you can still keep track of their past activities. Sometimes you'll have people attempting to re-register and post the same spam again. If you keep the member on file you can go back and look at what they did before.
Megan
greg posted this at 20:27 — 12th May 2008.
He has: 1,581 posts
Joined: Nov 2005
Yeah, I think it's a good idea to keep banned members' details for a future reference.
I made it so when someone registers it gets their IP and domain and stores that unchanged indefinitely.
Then each time they login it also stores current IP and current domain and logs a running total if any changes for those two.
There is nothing other than member details to need to keep really.
Private messages are just gone when deleted by user, row deleted from DB.
JeevesBond posted this at 06:11 — 15th May 2008.
He has: 3,956 posts
Joined: Jun 2002
Just wanted to mention something about this. We tried this for a short time, it worked so well, we caught the infamous spammer teammatt!
So, since teammatt is not a spammer, but a mod it's safe to say IP filtering doesn't work that well. I've been banned from http://drupal.org too, which was annoying.
Webwiz is correct that there's no solution. CAPTCHA's are bad because they're security through obscurity. Spammers are paying people in developing countries to solve them (and they're not un-solvable by machines either), think this is what happened to Google recently. Now the spammers are freely using their SMTP servers to send piles of spam.
Haven't really got anything to add to Megan's advice. Selectively storing information on spammers is very helpful. Just make sure you're not infringing on anyone's privacy.
greg posted this at 12:15 — 15th May 2008.
He has: 1,581 posts
Joined: Nov 2005
I thought that myself. If they are publicly available, it only takes one person to sit and index them all and their references and distribute that list then it's a simple case of IF ELSEIF for automated spammers.
But stupidly I just believed if top company websites are relying on them then there must be something I missed.
I suppose the best one would be to make your own, unique per site. But enough images for it to work would realistically be 25+ and sitting making those imgs with references for the code wouldn't be fun.
Or would perhaps 5 do it? The reference/img names wouldn't be on any spammers nasty list to check, so they wouldn't get in automatically. They would have to actually try to manually register xx times to see them all. Then it would be defeating the object as they might as well just spam manually.
It wouldn't work for big sites like Google as plenty of people would want to list them, but for a site that isn't too big maybe 5-10 would work?
Or better yet random text would be better. There must be a way to create a random string without outputting it to the browser. Store it in server ram or cache or something.
JeevesBond posted this at 15:42 — 19th May 2008.
He has: 3,956 posts
Joined: Jun 2002
CAPTCHA is still widely used, and an effective tool. I don't believe it always will be effective however, I have no idea what will come after CAPTCHA. I dread to think!
If you're looking for a good CAPTCHA program use the one we have on TWF, it's called ReCAPTCHA. The cool thing is that as people are solving the CAPTCHA they're also helping to encode books into a machine readable format.
ReCAPTCHA is known to produce decent puzzles as it only asks for words a computer could not OCR in the first place.
Michael James Swan posted this at 08:31 — 21st May 2008.
He has: 400 posts
Joined: May 2008
One thing that I have always found to be good is that whilst using the CAPTCHA, you can also have all IPs of posts logged, SMF forum allows you to save and also view PM's.
If they SPAM, Ban the IP address and report it to their ISP.
I guess the only problem then would be PROXIES.
Hmmm, I guess some moderators that are good would be a nice idea.
PM if you have an offer.
I do not mind being a Moderator for the site in my spare time. I enjoy that kind of thing.
Best Regards,
Mike