Posted by GregoryHeller on November 14, 2006 at 10:22pm
On the drupal shop talk call today the issue of spam user registration came up (see notes). Laura suggested asking the question here.
How are people dealing with spam (in all its forms)?
1) spam user registrations
2) spam content
3) comment spam
Are you using Captcha or other user challenges?
Heavy moderation?
User-based spam flagging?
Let's hear it!

Comments
A general approach
Spam filter on all content posted by anon and general registration users.
Captcha on posting anon content. (Sometimes on registration.) However, I've found that the bots often are able to guess through brute-force trial and error the simple math questions. Textimage works great, but accessibility becomes an issue there.
Report spam for trusted users only.
Troll module for banning users, though using the spam filter on troll content can be very effective.
Laura
pingVision, LLC
PINGV | Strategy • Design • Drupal Development
Spam Comments: Spam module
In my case, I've dealt with comment spam only, as it is the only thing anonymous users can do :-).
40 new spam comments every single day, and that was too much for me to delete each one by hand. So I've installed the Spam Module (a couple of months ago) and I haven't had problems since then.
Every now and then I get a spam that gets past the filter, but as I enter my site on a daily basis and delete them manually, I'm fine.
Just my 2 cents to the discussion :-)
Rosamunda
I've really only ever had
I've really only ever had issue with comment spam (The sites I've created haven't required anon content, and aren't big enough to attract human spammers).
The way I see it there are three main approaches and you need to decide based on where your resources are.
This includes things like spam.module which uses Bayesian logic to filter content, or Akismet which sends the content to the Akismet mothership for checking via several tests, or Bad Behavior which looks for spammer-like activity and blocks those users.
Setup for these types of solutions tends to be a bit of work, also they can slow your site down considerably depending on the amount of spam that you get and the power of your server.
This includes Turing tests like captcha.module which presents a math problem or numbers embedded in an image, or KittenAuth - the cute alternative, you're presented 5 images of animals and you pick the kitty. There are also things you can do in comment.module setup like requiring contact information, or requiring previews.
The problem is that image captchas don't do so well with screen readers or cell phones. This makes it impossible for people with vision problems or other accessibility problems to use your site. And Spam bots still get past the math captcha about 5% of the time. If your users have low technical abilities they may not know to hit the "submit" button after they preview. Or the extra click may "not be worth their time".
You could disallow commenting without approval in admin/access and/or something like Comment Mail which sends an email with approve/deny links to the admin every time a comment is submitted. Or you could have an army of content moderators to delete spam when they find it.
This method is of course a lot of work for your people, and depending on your method, there's either a delay in content getting posted, or a delay in spam getting taken down.
My method of choice is currently a combination of:
dave hansen-lange
--
Dave Hansen-Lange
Director of Technical Strategy, Advomatic.com
Pronouns: he/him/his
Akismet and required profile fields
For comment spam, Akismet has worked very well for us.
For non-anon posts, we've (so far) found that having a required, custom profile field seems to be enough to stop the bots.
This is also my experience
Akismet has done a great job with catching comment spam.
RE spam signups: custom profile fields have also done the trick -- I'd actually recommend two: one text, and one with a drop down list of preset values --
FunnyMonkey
Akismet for drupal?
Is anybody currently working on an akismet or akismet-like module for drupal? If not, it might be interesting to spec out this module and put some cycles toward creating it. I'd be interested in helping with that conversation.
http://24b6.net
One already exists
I've been using it for a few months: http://drupal.org/node/68535
It would be nice if someone
It would be nice if someone rolled this method into a drupal module:
dave hansen-lange
--
Dave Hansen-Lange
Director of Technical Strategy, Advomatic.com
Pronouns: he/him/his
mod_security
User registration spam is a tricky one, but in addition to the Akismet module, take a look at mod_security for Apache. http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/ looks like a good article on configuring it to fight comment spam.
What about Access Rules for blocking spam registrants?
I wonder if we could come up with a list of "likely spam user" names or components and add them to the Access Rules list. Would that block people from signing up with user names like that?
For example, any user name with "Casino" or "Viagra" in it would be disallowed.
I would be happy to regularly flag user accounts that look like spam users, but there is no easy way to do mass user administration (is that coming in 5.0?). For example, search for all users with "Viagra" in the name, and then update them to be "blocked".
http://www.CivicActions.com
http://www.GregoryHeller.com
http://GregoryHeller.com
Won't make much difference
I run some phpBB forums and know from experience that spammers use all kinds of names, including non-obvious ones like suzy, bob etc.
Understood
On the site I am most concerned about, basic users cannot post anything anyway (at this point) but I want to stop the spam bots from signing up altogether because we do try to use the "number of users" as a gauge of how we are doing.
http://www.CivicActions.com
http://www.GregoryHeller.com
http://GregoryHeller.com
I focus on spammer account email addresses...
...in the account sign-up, or in the content. A quick google/yahoo search reveals the spam patterns.
I've thought about building a drupal module that automatically searches using the google/yahoo APIs and looks for spammy content from someone with that email address... but I am not sure it's workable. Anyway, in my experience, it's not the username, it's the email addresses that give away the spammer's game.
-Mike
Michael Curry
Drupal and Windows Tips
anyone worked with 5.0 to report admin interface changes?
It takes a lot of clicking to manually look into profiles and delete those new registered spammers :(
Spam Karma 2
Over on a Wordpress blog I run (yes I know - one day it will be moved to Drupal!) we've been using Akismet for about 6+ months. However recently it has begun marking genuine comments as spam too.
So we're running a trial of Spam Karma 2 which, on paper, appears to have a good selection of ideas which are combined to produce a barrier to the annoying comment spam.
It could be a starting block for something to be ported to a Drupal module?
Interesting Proposal
A semi-relevant proposal from back in May can be found here: http://drupal.org/node/64861
Sorry if it's a little off-topic, but I just found it today.
captcha module and text
captcha module and text image module.
http://xamox.NET
spam.module, captcha.module, human spammer patterns
edit: minor updates & corrections
I use the spam and captcha modules. I have my systems set up to notify me (using the advuser and notify module) by email when new users register or post content which I then review (we are still fairly low traffic, so this is workable.) If I see spam, I block the user, update the spam filter(s) if necessary, and add access rules that block the user from ever registering again with the email address (or variations).
I've noticed an interesting referrer log pattern that precedes a spam posting by a new user (almost all have been 'cell phone' spammers trying to post free classified ads for cell phones and other electronics on my sites) - and all have been humans, as far as I can tell due to some of the features of my classified ads module. (We did get a small amount of bot-generated site feedback form spam, but enabling the captcha.module stopped it cold.)
The new user almost always arrives at my site via a particular google (or other engine) search that identifies my site as 'open' to visitor posts, and the keywords have nothing to do with my site topic - all generic keywords having to do with posting free ads. A search for the new user's email address on yahoo or google provides fast verification that the user's email address has been used to post similar content on dozens if not hundreds of sites. This is interesting to me, because I think it is possible to automate the process on new user sign-up, and block the user, or flag the new user's posts (unpublished, moderation, etc.) so that the spam never shows up on the site. (Well, a guy can dream, can't he?)
Michael Curry
Drupal and Windows Tips
More signup spam observations
I think that spambots look for user registration forms having certain field types visible on the registration form beyond the standard email address/password fields.
For example, text fields (textarea), URL fields, etc. I've blogged about my most recent attack here.
(I'd paste it here, but I don't want to duplicate the content)
Hope this helps,
Mike
Michael Curry
Drupal and Windows Tips
Observation Confirmed
Since removing the public, editable text fields from the signup forms on several sites, spambot account signups dropped to near zero (we were getting several per day per site!)
So, it looks like the spambots that were targeting my sites move on to another target if they can't find anything besides an email address on the account creation form.
(And I'm not using captcha module or other spambot prevention.)
Michael Curry
Exodus Development | Drupal and other developer info
Michael Curry
Drupal and Windows Tips
groups.drupal.org policies on spam content and spam accounts
The link to the content below might be helpful if and when it receives replies from the g.d.o gurus.
What are g.d.o's policies to remove spam & spam user accounts? How does g.d.o prevent spam?
Walt Esquivel, MBA; MA; President, Wellness Corps; Captain, USMC (Veteran)
$50 Hosting Discount Helps Projects Needing Financing
Another way: access rules blocking spammy email domains
I notice that most of my spam account signups have come from *@gmail.com, *@yahoo.com, *@hotmail.com, etc. While not really 'spammy', these domains (and especially yahoo, in my case) are favorites with the spam account signups.
So, on some sites, I've created access rules blocking account signups with email addresses matching '%@hotmail%', '%@gmail%', '%@yahoo%'.
Yes, this will block legitimate users. I've not received any complaints as yet, and on the two sites that were still receiving non-bot spam accounts, I've not seen any more spam accounts in the last week. The jury's out whether this is worth the trouble, but I'm quite happy with the results so far.
Michael Curry
Exodus Development | Drupal and other developer info
Michael Curry
Drupal and Windows Tips
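Added example (not part of the original posts, and not Drupal's own code): a sketch of how the `%`-style masks quoted in the post above, and the "Casino"/"Viagra" user-name idea from earlier in the thread, behave when matched against sign-ups, so the over-blocking can be measured before a rule goes live. The `access` table, the rule list and the sign-up data are constructed for illustration, and evaluating the masks with a case-insensitive SQL `LIKE` is an assumption about how the rules are applied.

```python
import sqlite3

# Constructed rules: (type, mask). The three mail masks are the ones quoted in
# the post above; the user masks follow the earlier "Casino"/"Viagra" idea.
DENY_RULES = [
    ("mail", "%@hotmail%"), ("mail", "%@gmail%"), ("mail", "%@yahoo%"),
    ("user", "%casino%"), ("user", "%viagra%"),
]

# Constructed sign-up attempts: (username, email, note for the reader).
SIGNUPS = [
    ("alice", "alice1984@yahoo.com", "webmail address, the intended match"),
    ("bob", "bob@yahoo.co.uk", "other TLD, caught by the trailing %"),
    ("carol", "carol@gmailfans.example", "unrelated domain, over-matched"),
    ("dave", "dave@university.example", "not covered by any rule"),
    ("CasinoRoyaleFan", "fan@filmclub.example", "legitimate name, over-matched"),
    ("suzy", "suzy@bulkhost.example", "plain name, as noted in the thread"),
]

def open_rules(rules):
    """Load the deny rules into an in-memory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (type TEXT, mask TEXT)")
    db.executemany("INSERT INTO access VALUES (?, ?)", rules)
    return db

def matching_masks(db, rule_type, value):
    """Return every deny mask of rule_type that matches value via LIKE."""
    rows = db.execute(
        "SELECT mask FROM access WHERE type = ? AND LOWER(?) LIKE LOWER(mask)",
        (rule_type, value),
    )
    return [row[0] for row in rows]

def audit(rules, signups):
    """Map each username to the masks that would deny that sign-up."""
    db = open_rules(rules)
    return {
        user: matching_masks(db, "user", user) + matching_masks(db, "mail", mail)
        for user, mail, _note in signups
    }

if __name__ == "__main__":
    result = audit(DENY_RULES, SIGNUPS)
    for user, mail, note in SIGNUPS:
        verdict = "DENY " + ",".join(result[user]) if result[user] else "allow"
        print(f"{user:16} {mail:26} {verdict:16} # {note}")
```

Running the same audit with a tighter mask such as `%@yahoo.com` shows the trade-off: the exact domain is still denied, while look-alike and other-TLD addresses are no longer swept up.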
New user signups & advuser module
On smaller (younger) sites, I review every new user account - I check the user's email address, and if a google or yahoo search shows that the new user has dumped spam on other sites, I block/delete the user and/or ban the email address that was used to sign up.
I've recently taken over as maintainer of the advuser module, and I've added a new feature that can be a great help - the module has always had the ability to notify by email when a new user signs up or an existing account is modified.
I've recently enhanced the notification feature that allows insertion of the new user's email address, and also inserts a link to a google and yahoo search for the user's email address into the notification email - this allows me to just click a link in the notification email, and I know very quickly if I'm dealing with a spammer.
Michael Curry
Exodus Development | Drupal and other developer info
Michael Curry
Drupal and Windows Tips
The Modules I Use
Comment Mail
Registration Code
Spam
Troll
I do not allow anonymous comments, and the Registration Code module has worked great so far in blocking automatic registrations. I post the current registration code as an image in a block just below login so human visitors know what to enter to initiate registration. For those who may block images, the title of the image is the current registration code.
I also do as inactivist and block some email domains.
Is groups.drupal.org using
Is groups.drupal.org using the captcha module for authenticated users?
yes
Yes, it is. There was quite a problem with comment spam that came from authenticated users. This is an extra problem on groups.d.o because a comment spam not only spams the page but also spams quite a few inboxes and RSS readers. For example, this group has 340 subscribers. Even if only 20% of them are subscribed to get mail from comments having a spammer post 20 mails into the group is still quite a real problem. The use of captcha here is hopefully annoying enough to stop the spammers but not annoying to regular users. It only requires the captcha entry every few posts so that you can do it once and then not have to do it for a while.
--
Knaddisons Denver Life | mmm Chipotle Log | The Big Spanish Tour
knaddison blog | Morris Animal Foundation
strangely enough, I am
strangely enough, I am constantly getting comment spam from comments posted to this particular thread - and from no other comments from posts on other drupal groups. Irony abounds!
yup!
Same here. Does this suggest a technique for luring spam to an innocuous post? ;)
Spam User Registrations
I am having a problem with spam user registrations. So far I have had no spam posts or comments and I am running Akismet, but how do I stop spam registrations?
Mollom
This thread is pretty dated by now. Since it was started, another option has come into play: Mollom. It works like Akismet, but was (co-)developed by Dries Buytaert, so it understands Drupal perhaps a bit better. It's a pretty basic module and service at this point -- no option to simply unpublish offending comments, for example -- but does cover the registration process, afaik. http://drupal.org/project/mollom
Laura
pingVision, LLC (we're hiring)
PINGV | Strategy • Design • Drupal Development
Invisible captcha
I've also made an "invisible captcha" challenge for Captcha module. It’s based on the algorithm of Scott Allen (http://www.hybrid6.com/webgeek/plugins/wp-spamfree), a captcha free plugin for Wordpress.
I would appreciate feedback on it: http://blog.ag-prime.com/2009/06/drupal-captcha-invisible-captcha-challe...
Drupal Addict,
Gabriel Ungureanu
www.ag-prime.com
I use a Shinobi method to stop SPAM
I stop SPAM in my site mastering the art of silence. No Javascript, no Flash, totally accessible.
Stupidly simple.
And it works wonders. My log has the proof.
http://www.isegura.es/blog/stop-spam-your-site-being-invisible-honeytrap...
And it does not piss off users, by the way. Double plusgood!