I’ve been hit with concerns regarding the recent rise in spam and wanted to make a quick announcement concerning this and what actions myself and EllisLab are taking to maintain the quality of this forum.

About a month ago a multi-national raid shut down the servers that powered about 80% of the world’s spam traffic. I’m sure many of you noticed a severe decrease in the spam in your inboxes at this time. Nonetheless, dirtbags will be dirtbags and they have of course found new locations to spring their attacks. Thus, the sudden rise in spam on these forums and more than likely your personal email inboxes as well.

EllisLab and myself have taken a number of steps to mitigate the spam you guys see. Although it may seem like a lot goes live on the forums, you would be amazed at the amount you never see. Various regions are blocked, others are on a physical moderation list which must be reviewed and approved before going live. Of course, if you are a legitimate user affected by these countermeasures, please contact myself or a member of the EllisLab team and we’ll get you access - we definitely don’t want to ostracize legitimate members of the community.

So, how can you help the spam effort? Every post (topics and replies) has a report link which immediately identifies questionable content to the moderators of these forums. That is by far the quickest way to have something removed (if my Inbox is open, it takes about 30 seconds to kill a post).

Additionally, we are looking into extra countermeasures to combat the spam and we’d like to ask for your help - what should we do?

We don’t believe implementing a Captcha for registration is the correct answer, as most spammers utilize powerful bots that are capable of solving all but the most ridiculous of images*. Ridiculous captchas confuse legitimate users and frustrate their registration process - the exact opposite of the end goal.

I have personally proposed implementing a service like Akismet on post and biography submissions. What ideas do you have?

* From DJ: Or low-cost humans-at-a-terminal, but the conclusion re: CAPTCHA is the same.

what about creating a plugin for EE that checks the first five posts a user makes against the askimet service? it kills alot of spam for wordpress everyday, there should be no reason why it wouldnt do the same for EE.

I agree, I don’t think captcha is the best way to combat SPAM. I recently came up with an interesting solution a few weeks ago, it’s worth while checking out:

http://idek.net/AJ3

I haven’t really tested this approach so don’t know much about it’s performance/reliability.

@trs21219
A solid idea in theory but in practice the spammers would rather create 5 accounts, each with 1 post, rather than post multiple times with the same account. The only time I have seen a spam account reused was the “Nike Shoe” guy 2-3 months ago and he was manually copy-pasting the spam across all forums.

You must be doing a good job of hiding the spam.  I don’t think I’ve ever seen any!

My first thought comes from a web developers perspective. Were I a spammer, I wouldn’t use forums that altered my urls with rel=nofollow.  However, I don’t imagine that spammers have SEO considerations.

My own blog automatically sets all comments in moderation until I approve them.  That doesn’t stop the spam at all from coming in.

What are the options for forums anyway?  Would this support a Voting system for hiding posts below a specific threshold?

Michael Wales - 08 May 2009 11:31 AM

@trs21219
A solid idea in theory but in practice the spammers would rather create 5 accounts, each with 1 post, rather than post multiple times with the same account. The only time I have seen a spam account reused was the “Nike Shoe” guy 2-3 months ago and he was manually copy-pasting the spam across all forums.

just found this on the EE forums…there is already a plugin for it. but even in that case it would catch the first time spammers as well as the people who post multiple times.

EDIT: OOPS FORGOT TO POST THE LINK

http://expressionengine.com/forums/viewthread/35740/

Use a system similiar to captchas. However, instead of using images you would use mathematical questions such as “5 + 5 = ...”. As far as I’m concerned there’s no way that a spambot would be able to crack it. You can see what I mean at the following page: http://kitabu.yorickpeterse.com/index.php/comments/add

Yorick Peterse - 08 May 2009 11:49 AM

Use a system similiar to captchas. However, instead of using images you would use mathematical questions such as “5 + 5 = ...”. As far as I’m concerned there’s no way that a spambot would be able to crack it. You can see what I mean at the following page: http://kitabu.yorickpeterse.com/index.php/comments/add

that would work for spam bots that are blindly targeting sites and stumble upon this one. but for targeted spam all they would have to do is read the characters and do the math.. computers are very good at math

Maybe something which links the fact their first few posts are similar/very short, and they have half a dozen links in their sig/bio?

Also, if their links are similar? A lot of spam posts have 2 or 3 links in their sig with the same URL but differant text

Another option would be to prevent them posting links in their first few posts (allow links to user guide/wiki though)

Thats all I’ve got off the top of my head for now

My votes with Akismet. It works really really well, has a simple API and is completely transparent to the user. There might be a cost for EL to use it here, but it’s likely very worth it.

IMO, adding captchas or the like is crufty. Users shouldn’t have to pay the price in reduced usability if it’s at all avoidable.

Another vote for Aksimet. In my blog it daily blocks about 100-120 spam comments, and that is all count of spam.

@Yorick Peterse @trs21219
There is some alternative (and more nicely) way to do it via something like fancy captcha , but it all is becoming as annoying as standart captcha after third use (for human beings)

Spammers are going to be a never ending problem.  I think that only through vigilance, and using smart deterrents like Aksimet is the only way that works.

As far as those template posters, however…  I’m not above banning people from forums. I find those kind of posts equal to spam. 

This forum, especially, is a priveledge to use and be able to access everyone’s knowledge.  I’ve been able to solve many coding problems because of this group.

Great to hear, that you guys are workin on that!

I must agree with all those that posted before me saying they vote for Akismet. I the Akismet API in my blogging software and it works like a charm. Easy to use and spots most, if not all, of the spam comments.

Akismet +1!

 
How about having to wait a specified period, maybe 24 hours before a new member can post?
 
Also for the first three posts having to re-apply for a new password.
 

From my observations the forums are receiving about 50 to 60 new registrations every day, 80% of those probably contain spam links in the profile url and/or bio. However, the number of those that get to actually spam the forums is minimal.

Whichever method is decided upon it needs to be active during the registration process as well as profile updates.

One idea may be for members with a decent number of posts to be able to “Report” spammer profiles.

Maybe also prevent URL and Bio details being added to profiles until after the user makes 10 posts. This would negate any benefit to spammers by signing up.

wiredesignz - 08 May 2009 09:40 PM

From my observations the forums are receiving about 50 to 60 new registrations every day, 80% of those probably contain spam links in the profile url and/or bio. However, the number of those that get to actually spam the forums is minimal.

Whichever method is decided upon it needs to be active during the registration process as well as profile updates.

One idea may be for members with a decent number of posts to be able to “Report” spammer profiles.

Maybe also prevent URL and Bio details being added to profiles until after the user makes 10 posts. This would negate any benefit to spammers by signing up.

I think your percentage is a bit on the high side; you’d be surprised how many accounts that look spammy turn out to be legitimate users.  But you hit on the most critical point.  We really don’t have a problem with spam in the forums.  Any posted content typically gets recognized right away, and addressed, and for forums with our traffic, it’s borderline trivial.  But we have no current mechanism employed to allow you to easily bring to our attention users who sign up with pharmaceutical URLs in their profile.  I must say, though, I’m completely jealous of the time you have to go through our site registrations looking for spammers.