10 tips on fighting forum spam

[I, Brian]

Okay, reading through this board, it's obvious that spam has become a really serious spam for a lot of admins.

If you're a phpbb owner you'll see far more of it. It's a walking security vulnerbaility. Not only is phpbb commonly targeted by kiddie hackers, there are a huge number of bots and even worms on the net whose sole remit is to spam phpbb forums.

SMF and vbulletin are less targeted, but do see issues if you don't take basic precautions.

Here are some generic tips on stopping forum spam:

1. Use human validation

Default capchas have long since been cracked, so look out for mods that will set up random or customised questions.

2. Email verification

Ensure members must activate an email before they can post anything. That includes a profile link. A lot of spambots use random addresses.

3. Prevent new users posting links

Look for mods or apply usergroup permissions to prevent a new member posting a link until they have x posts and been a member y days.

4. Limit post edit time

Some crafty human spammers will edit old posts and either post blatant advertising links, or else hide them in punctuation and invisible images.

5. Limit signature links

Some people think cheap links by volume are good, and signature links are one way to get them. Ensure you dissuade them from spamming your forums with one-liners for signature links by applying restrictions.

6. Use conditionals

Memberlist spamming is a very old game - member registration for profile page link benefits. Either remove the link from the profile, or use conditionals so that any attempts will be worthless.

7. Block common sources

If you notice the same email domains or IP's being used in spamming attempts, block them either in your admin panel, or using .htaccess

8. Censor common offenders

Sometimes you'll get multiple spammers promoting the same service or website. Simply add it to your censored words list, and watch those spam viral marketing campaigns wither.

9. Have a moderator team

Nothing beats lots of different human eyes watching out for your forums. Moderators in different timezones who are frequently active in your community are ideal.

10. Remain vigilant

Keeping aware is as important as anything else. Many admins still don't know what memberlist spamming is, even though I raised the issue years ago. Also, as forums evolve, so do the spamming methods. So kee a general eye on what's happening, not just to your own forum(s) but also to other people's forums.


Here's a few resources for more information:

1. How to fight forum spamming - a detailed view of the above, but especially focused on vbulletin admins.

2. 5 Quick and Easy Ways To Stop Blog Spam Before It Hits Your Blog - sure, it's focused on blogs, but there are some great tips for forum owners in general if you don't mind getting your hands dirty with .htaccess

3. IncrediBILLs Random Rants - general reports on bot scrapers and spam nets in general, and IP ranges to block

4. SpamHuntress - General anti-spam crusader, with blog, forum, and general spam issues coverage.


Hope that helps fight the spam - enjoy!

[stymiee]

Stickied.

[mikexx2020]

Thanks! very helpful tips im sure everyone will appreciate!

[LazyP]

Install a spam filter for phpbb, available at:
http://www.phpbb.com/phpBB/viewtopic.php?t=275662
works wonderfully, I even can have guests allowed to post with almost no spam whatsoever.

[iTechno]

Heard them all before but they are the ultimate 10.

[bwdow]

Nice article. All forum founders have to read this

[Sorccu]

You can also give your form fields obscure names. While it won't stop the bots that are smart enough to read the field labels it will prevent most of the random spam. If your site gets targeted it's not gonna help much, though.

[x-termin8or]

Very good tips and nice ideas.

[Dan Schulz]

A lot of this is just plain common sense. But it is essential that somebody takes the time and tells everyone what to do in situations like this.

Brian, thanks a lot for posting this reminder/public service announcement.

[mcsolas]

Quote:

Default capchas have long since been cracked, so look out for mods that will set up random or customised questions.

Are all default capchas cracked or just some? Which forum is doing the best job out of the box?

Was having problems with ad submission spam and using a capcha worked wonders for me. Requiring session variables to be set also helped a lot.

[IncrediBILL]

Brian,

Good list but ShoeMoney's list only stops old school spam.

I normally don't post links to my own site, but since you already mentioned it, here's my additional comments on his 5 points:
http://incredibill.blogspot.com/2006...ng-primer.html

BTW, phpBB isn't just a spam target, the registration pages themselves are being used for SEO value:
http://incredibill.blogspot.com/2006...mming-for.html

Spammers appear to be creating tons of never used membership accounts on phpBB site for the sole purpose of getting any rank for Google, Yahoo, Technorati, etc. The people at phpBB really need to make all the links in their membership pages NOFOLLOW if they haven't already.

FYI, one of the easiest ways to stop spam is using javascript as most bots don't use javascript. You can embed captchas and post forms in obfuscated javascript which makes it hard, if not impossible, for their bots to even locate your forms or captchas.

[Contrid]

Man...there is nothing I hate more than forum spam. (email spam as well.)

A friend of mine headed off to college, and left his forum for a couple of weeks. After about three weeks, I decided to check on it to see if everything is still fine. I was wildly surprised to see that his entire forum was spammed by ads for viagra, valium, etc...etc...etc... It is SMF Forum 1.1

Thanks for the great tips!
I think the capthca/turing helps alot, since these spammers are bots 90% of the time.

[IncrediBILL]

FWIW, this is my favorite forum's response to spammers:
http://www.blackholenews.com/Forum/index.php

[Dan Schulz]

Wow, that's cold . I like it !

[john2k]

Brian, these are very useful tips for any forum owner. I publish 9 forums... one of which became targeted by spammers, but I got it under control using many of the methods that you mention.

One thing I might add to the list is to not permit guest posting. Or, if guest posting is permitted then make sure to use image verification and possibly set guest posts to moderated status so that they need to be approved by a mod.

A great team of moderators is probably most helpful in combating the spammers IMO.

[webnology]

Great advice, thanks man. Lately I've been getting spam on my IPB BOard. Very anoying. I'll try to implement some things. However, we can't limit it too much so that it becomes a burden for normal users to use the forum either.

M

[Slava75]

Thanks. I have a few forums with low activity and these steps are likely to save me tons of time i spend on deleting spam posts.

[I, Brian]

Oh, lordy - guest posting - this is where common sense really needs to be involved.

Yes, there's a lot of common sense above, but so many admins are fresh - or simply clueless - at what they're doing that it's easy to fall prey to the simplest spam methods. Check out the forum at Forbes if you want to see a huge corporate failure to address forum spam. Sometimes it simply takes experience of a problem to seek a solution reactively, rather than proactively as is best.

Quote:

Are all default capchas cracked or just some?

The more commonly used a captcha is, the more likely it's either cracked or being cracked. Custom solutions work best because the coders who write spambots are looking to hit volume, and don't want to fanny about with every obscure possibility.

The ones with random validation only a human can respond to are best - there's a great plugin for Wordpress that requires a simple sum to be answered before posting, but I'm not yet aware of similar for forums - as yet.

Also nice to see you posting, Bill - I think a point you made about having security in layers is another key common-sense approach - ie, never rely on a single barrier to stop the spammers, because if that becomes breached you're open to a flood of attacks. So have multiple barriers to stop different levels of attacks, and be aware that whatever you set up against spam bots, will not be a deterrent to human spammers.

2c, and thanks for the sticky, stymiee.

[webnoob]

Thanks very much for taking the tim to post this on here for us

[DanPatchett]

A Very useful thread

I own a popular IPB forum, and somedays the admins have to delete as many as 15 Bot posts!

The above measures will soon be added to my site, and hopefully, this will help

THanks!

[Hostpitable]

Very good list! I´m planning to start a phpbb forum and was wondering what mods you would need to have a fairly SPAM-proof forum straight away.

A list of those mods would be nice. I´m especially intersted in how you can prevent memberlist spamming (don´t quite get you post on it )

[ozfreejobs]

very helpful tips indeed! I will be applying these tips in my own forum!... If ever I get the time for this

[xhtmlcoder]

They [the kiddies] have evolved quiet a lot over the last six months I've covered all 10 but still they are persistent (but obviously they fail to post or leave signatures).

They now seem to be getting rather good at working around antispam mods though it's still a good list.

[paulsjv]

Quote:

Originally Posted by IncrediBILL

Spammers appear to be creating tons of never used membership accounts on phpBB site for the sole purpose of getting any rank for Google, Yahoo, Technorati, etc. The people at phpBB really need to make all the links in their membership pages NOFOLLOW if they haven't already.

I have a cron job that runs twice a day to delete any users that register, have zero posts, and a link in their profile. That seems to work fairly well.

Quote:

FYI, one of the easiest ways to stop spam is using javascript as most bots don't use javascript. You can embed captchas and post forms in obfuscated javascript which makes it hard, if not impossible, for their bots to even locate your forms or captchas.

I'd be very interested in seeing your code for this!

[Hostpitable]

Quote:

I have a cron job that runs twice a day to delete any users that register, have zero posts, and a link in their profile. That seems to work fairly well.

and I´d be very interested to know how that cron works