Welcome to the MacNN Forums.

torsoboy · Mar 7, 2007, 01:10 AM

We have a forum on a web site and about once a day we have some new user spam it with sex links. I usually catch the thing before anyone has viewed it, but it's getting pretty ridiculous watching the forum all the time. We have a graphic validation thing in place ("enter the characters in this picture"), but it appears that it is something manually being done by people... they register as a new user, post their sex spam links and then create a new user the next day and do it again. It's driving me batty.... what can be done about something like this? Is forum user authorization the only option? I wonder why macnn doesn't have the same problem.

Doofy · Mar 7, 2007, 01:14 AM

Most of the IPs Russian by any chance?

mindwaves · Mar 7, 2007, 01:24 AM

Hah. We have a ton of spam every day here. It is just that the MacNN staff is good at deleting the spam and banning the users before it spreads too far. It is also good because the 'NNers here report much of the spam also.

reader50 · Mar 7, 2007, 04:16 AM

Check if a bunch of the spammers have identical or near-identical IPs. If so, ban some IPs or IP ranges.

subego · Mar 7, 2007, 04:26 AM

Tooki mentioned that the people who run the sex sites have people "register" for free porn, when what in they are in fact doing is acting as the human pair of eyeballs to get past your graphic validation. They get their porn and the site owner gets a constant stream of disposable spam accounts.

Devious, but still 'effin brilliant.

Big Mac · 04:41 AM

That's interesting and troubling, subego.

I run a blog (and site) for a moderately high profile organization, and for a while I was getting spam from a Russian source. I would block the IPs and then wait for another crop of submissions. After four or five go-arounds the spammer gave up. So if you can block IPs that's a really effective way to reduce spam.

Chuckit · Mar 7, 2007, 04:52 AM

I've found that many of the people who spam a site I run tend to enter the same several combinations of words, so I set up a filter that automatically flags anything with those words. Don't know how practical that is in your situation, but it's an idea.

houstonmacbro · Mar 7, 2007, 07:06 AM

Originally Posted by torsoboy

We have a forum on a web site and about once a day we have some new user spam it with sex links. I usually catch the thing before anyone has viewed it, but it's getting pretty ridiculous watching the forum all the time. We have a graphic validation thing in place ("enter the characters in this picture"), but it appears that it is something manually being done by people... they register as a new user, post their sex spam links and then create a new user the next day and do it again. It's driving me batty.... what can be done about something like this? Is forum user authorization the only option? I wonder why macnn doesn't have the same problem.

I'm in a similar boat. I run a discussion group in Houston and the ONLY way I keep them out is to make it diffucult for THEM to register. Actually, I approve all registrations by hand (not a problem because I do not have tons of registrants anyway ... maybe that's why... but I digress) and if I suspect a weird email address, I put their posts on manual review. What that does is gives me (the administrator) the ability to control posts indefinitely until I feel comfortable with their posts.

torsoboy · Mar 7, 2007, 07:38 PM

Dang, I guess I just have to start approving them then. I was hoping that there was a secret to keeping them out.

besson3c · Mar 7, 2007, 07:54 PM

What forum software are you running? Is there a public IP blacklist you could access to do real-time checks?

torsoboy · Mar 7, 2007, 08:10 PM

Originally Posted by besson3c

What forum software are you running? Is there a public IP blacklist you could access to do real-time checks?

We're using phpBB, I'm not sure about a list like that... I haven't heard of one before.

houstonmacbro · Mar 7, 2007, 08:34 PM

I am using Invision Power Boards and they have all kinds of hacks and things to help automate those processes, but I find them to be even more suspect to hackers.

Axel · 08:47 PM

I use phpBB2 and this mod is the best I've found against bots registration : Textual Confirmation
It lets you add a custom question in the registration page, and only accepts registration if the answer is correct. The bots can be trained to pass the graphical validation, but they can't actually understand something as :
"User, please enter the word lemur in the following text field, to prove you're not a bot"
It has effectively eliminated all bots from my forum.
The question and accepted answers are fully customizeable of course.

torsoboy · Mar 7, 2007, 11:24 PM

Originally Posted by Axel

I use phpBB2 and this mod is the best I've found against bots registration : Textual Confirmation
It lets you add a custom question in the registration page, and only accepts registration if the answer is correct. The bots can be trained to pass the graphical validation, but they can't actually understand something as :
"User, please enter the word lemur in the following text field, to prove you're not a bot"
It has effectively eliminated all bots from my forum.
The question and accepted answers are fully customizeable of course.

Awsome, thanks. I will give that a shot.

Eriamjh · 06:30 PM

Manually banning spammers, deleting posts, and creating black-lists is a losing proposition. My moderators have better things to do (all one of them - me).

Of course, I run pbpBB 2.0.22 and it was getting blasted by spam posts and spam users. Spam users are those who register just to put their spam links in their profile. They never post or even activate their userhood. phpBB's default CAPTCHA code was broken the day it was released.

I stopped spammers dead by installing two separate mods that use unique CAPTCHA routines. Each one alone might get broken, but since most spammers are spambots, I presume they aren't expecting a board to have two mods, especially mods that use totally custom challenge questions (I delete the defaults since those are likely already cracked). I never put the answer in the question (like asking someone to type lemur

) because a bot might assume the answer is in the question and brute-force guess it. I require 2nd grade math and answers spelled out (like "twenty" instead of "20". Some users complained it took a few tries, but they got registered so I don't really care. I'd rather lose a few users than have a hundred more spambots.

Since installing the mods, I have had ZERO posts from spammers (knock on digital bits of wood). I am happy.

PS: I use "Anti-bot question 1.0.3" and "Better_CAPTCHA 101" combined.

torsoboy · Mar 29, 2007, 10:43 AM

Originally Posted by Axel

I use phpBB2 and this mod is the best I've found against bots registration : Textual Confirmation
It lets you add a custom question in the registration page, and only accepts registration if the answer is correct. The bots can be trained to pass the graphical validation, but they can't actually understand something as :
"User, please enter the word lemur in the following text field, to prove you're not a bot"
It has effectively eliminated all bots from my forum.
The question and accepted answers are fully customizeable of course.

Well it has been three weeks since I installed this little module and it has worked awesome. I used to have one or two spam bots register every day and post links to porn, but since putting this in place I have had ZERO spam bots make it through registration. Thanks for the great suggestion! Maybe MacNN should try it.

torsoboy · Mar 29, 2007, 10:45 AM

Originally Posted by Eriamjh

I never put the answer in the question (like asking someone to type lemur

) because a bot might assume the answer is in the question and brute-force guess it.

That's true that they *could* try to brute force it, but they would have to try every word on every single input field description since they wouldn't know that field x was the one they got wrong. So far I haven't had any do that.

besson3c · Mar 29, 2007, 10:54 AM

I wonder if phpBB3 (which should be out shortly) will include a new default captcha?

Looks like 3 will be a substantial new release.

Eriamjh · Mar 29, 2007, 01:03 PM

Originally Posted by besson3c

I wonder if phpBB3 (which should be out shortly) will include a new default captcha?

Looks like 3 will be a substantial new release.

It BETTER have a new captcha since the old one is worthless. It needs something configurable and customizable. That is what keeps the bots away. There are probably developers out there who hack phpBB the moment it is released. It must be unique to work!

pete.z · Mar 29, 2007, 01:05 PM

The only thing what really helps is very active moderators/admins I'm affraid.

besson3c · Mar 29, 2007, 02:10 PM

Originally Posted by Eriamjh

It BETTER have a new captcha since the old one is worthless. It needs something configurable and customizable. That is what keeps the bots away. There are probably developers out there who hack phpBB the moment it is released. It must be unique to work!

It also needs to work

It doesn't work at all with the image handling libraries built from FreeBSD ports, and the developers were never able to figure out why as long as I frequented threads about this.

I did find a third-party captcha for Fuzzy Wombat though, which has been working just fine.

Olympus does look pretty nice, at least its skin looks nice

Diggory Laycock · Mar 29, 2007, 09:51 PM

I'd also recommend Textual Confirmation - I run a *very* obscure board, and used to get about 5 spam registrations a week. Since TC: none.

torsoboy · Mar 30, 2007, 11:49 AM

Originally Posted by pete.z

The only thing what really helps is very active moderators/admins I'm affraid.

You should read some of the other posts in here... it seems that the other methods work just fine for most of us. Moderation is of course important on a board, but for me and others that have responded it seems to no longer be very much needed for the spam bots.

Peter · Mar 30, 2007, 11:57 AM

ghporter · Mar 30, 2007, 05:21 PM

Originally Posted by torsoboy

You should read some of the other posts in here... it seems that the other methods work just fine for most of us. Moderation is of course important on a board, but for me and others that have responded it seems to no longer be very much needed for the spam bots.

Automated registration controls won't keep (so-called) humans from signing up and using their new accounts to blanket your forums with spam. That's what we run into-our spammer accounts are definitely manually registered, sometimes several at a time. So when we squash a spammer, we do some checking and... I squashed EIGHT spammer accounts at once this way. It does take plenty of human work to keep spam mostly out of our forums.