spam

One of my low-traffic sites was hit with significant trackback spam. We found out when we were notified by our hosting provider of a significant bandwidth overage for the month.

The spam module was doing a great job of keeping the spam out, but due to the flood of trackback requests during a sustained period, we experienced a massive increase in traffic.

I have now disabled trackbacks on that site (ti's the only site I had set up to allow trackbacks) and have enabled the spam module's "Trackback Black Hole" module so that all trackback requests are dropped immediately.

I was thinking about this idea to make captcha easier for normal (non spam) users.
What if the captcha module would also offer an option to to hide the captcha with client side javascript and solve the captcha with client side javascript? That way the captcha would be invisible (but still correctly solved on submission) for users with javascript enabled. It degrades gracefully for users without javascript enabled to the standard captcha. I guess it's possible to do it for the default math captcha. For the image based captcha's it is of course near impossible.

The basic premise to make this work is, of course, that spambots do not have a javascript interpreter. Otherwise it is just silly. I don't have an idea how advanced the spam bots are these days.

any thoughts on this?

I just wrote an article about using htaccess to block spambots and scrapers, thought it might be good to post here. In the article, I go over how to block access by user-agent, referrer, IP address, and a few other things.

I've seen a significant increase in referrer spam lately. Starting a few months back, I saw the referrer 'alti.asu.edu' rise to the top of my "Top Referrers in the past N days" logs - along with apparent automated account sign-ups by 'nareman' and comment spam with 'people' in the title.

Banning IP addresses was pointless - a waste of time, because the IP addresses used varied widely over time, and the access patterns seemed to ensure that the spammer wouldn't trigger any kind of flood control - the IP addresses shifted often enough that the IP addresses wouldn't rise to the top of the 'Top Visitors' log. It was like playing Whack-a-mole -- by the time the IP address was on the radar screen, it was too late, the bot was using a different IP address.

The Akismet module seems to take away allot of the comment/node spam, but still doesn’t work effectively on the other area's of Drupal. What Akismet for those who don’t know it does three things detect spam, mark spam, unmark spam. Though it cant really solve the problem of register spam or other modules spam as good as it does for comments/nodes. So what values can we work with ?

comment_type
May be blank, comment, trackback, pingback, or a made up value like "registration".
comment_author

Every day I get two or three spam mails through the contact form on one of my homepages.
This is why I think, that the contact.module and Drupal is evil ;)

Do you have the same problems?
What are your solutions against this?

Regards Tobi

If you look at This comment on my site, it might look like nothing - but check with Tails, and you find a hidden spam hCard.

It's very easy to produce one and embed it in to a post or comment, which will then be indexed by sites such as Technorati.

So what can we do to stop this type of spam before it starts?

Disucss.

Infact, its' been posted here too:

<

p class="vcard" style="display:none">

Test

Spam

Post

On the drupal shop talk call today the issue of spam user registration came up (see notes). Laura suggested asking the question here.

How are people dealing with spam (in all its forms)
1) spam user registrations
2) spam content
3) comment spam

are you using Captcha or other user challenges?
Heavy moderation?
user based spam flagging?

let's here it!