Posted - 24 June 2007 : 18:28:13
It seems the spammers have been at it harder than ever. As a result there have been numerous requests for information on stemming the spam tide. Typically we've been telling everybody to go search and find all the varied and separate topics where we've discussed the varied and separate solutions to fighting spam. This works, but it's awfully cumbersome for the poor schmuck who's got to look for all of them.
So, to make life easier, I've decided to try and collate all the various tips, tricks, and advice in one topic. You may apply these suggestions in whatever assortment and combination floats your boat. I can't promise that it will 100% stop spammers (really no such thing - anyone who tells you otherwise is selling something), but it will help curb it. I'll try to keep this up to date as new information surfaces, but I make no promises from the get-go.
Before we begin
Before we begin, the best thing you can do is bring your forum up to date. Get with the latest version and make sure you've done all the updates recommended in DEV Bug Reports (Open). But you're already doing that anyway, aren't you?
The simple stuff
One of the easiest ways to cut back the number of spammers in your midst is to turn on E-mail validation. More often than not the spammers are not using valid e-mail addresses, and therefore can't validate the e-mail they don't get. This leaves their account pending until you go and delete it.
You can turn it on by going to Admin Home » E-mail Server Configuration » and setting "E-mail Validation" to "On". It's a good idea to set "Require Unique E-mail" to "On" as well. This will require that every member have a unique e-mail address and that they validate it before they can use the forum.
If you have some unvalidated accounts, before you delete the account you may want to double-check if the person really is a spammer (as opposed to someone who doesn't check their e-mail often). One way is to use the Pending Member Profile MOD to check the profile for some obvious signs: A gender of "1", same link for every field but the name and gender, same name in all name fields, you get the idea. At the time of this writing, the MOD is in need of a little clean-up, but it shouldn't be too hard to fix the few minor issues.
Really this is the easiest way to stop the majority of spammers from ever getting in your forum. The only drawback is that you've got to go to the Accounts pending and clean it out once in a while... and you may annoy some lazy soul who doesn't want to bother with anything that doesn't provide instant gratification - thus causing them to go elsewhere. Trust me, they're not worth worrying about.
The simple people (Added 01 July 07)
Some people are simply amazing. They buy a spam tool called "Forum Poster" (can you guess what it's for?) and use it to spew their spam. Most of these lazy folk don't even change the user agent string, so with a simple check you can bounce them on their merry way. Thanks go to MarcelG for putting this bit together.
In config.asp, after you see the line:

Response.Buffer = true

add the following:

'Begin Anti-ForumPoster Code
'Flag the request if the user agent string names the Forum Poster tool
Dim isSpambot : isSpambot = 0
agent = LCase(Request.ServerVariables("HTTP_USER_AGENT"))
If InStr(agent, "forum poster") > 0 Then isSpambot = 1
If InStr(agent, "fp.icontool.com") > 0 Then isSpambot = 1
If InStr(agent, "icontool") > 0 Then isSpambot = 1
'Send flagged requests back to their own IP address
If isSpambot = 1 Then Response.Redirect("http://" & Request.ServerVariables("REMOTE_ADDR"))
'End Anti-ForumPoster Code

This will cause anybody using the Forum Poster tool to be automatically re-directed away from the site. They'll never even get to your "Members Pending" table - assuming of course that they are also lazy enough to not spoof the USER_AGENT string.
The next step
The next step is to require some additional fields - fields that aren't required in a default installation. The short way to do this would be to use Shaggy's Anti-spam Birthdate Add-on. This will make the birthdate - a field not normally required in Snitz - required for registration. This will stop the majority of the current generation of spam-bots and keep them from making it to your pending members list (assuming you've got e-mail validation turned on).
If you really want to make it interesting, JJenson has put together the "Require Member Profile MOD" which will let you make any field you want required. At the time of this writing, it's still in Beta and may have a few bugs - check the original topic for updates.
We're still at minimal drawbacks here. The only real drawback is that you may require a field which is asking for information the person doesn't want to give you... see earlier response - they're not worth fretting over.
You may have noticed...
You may have noticed already that most of your spam registrations are coming from the same IP address and/or are using the same bogus domain. gpctexas has put together a great MOD to ban IP Addresses and MarcelG has put together a neat MOD to block a given e-mail domain (for which Sonic has put together an admin panel).
Now we're starting to hit some drawbacks...
Some ISPs keep large chunks of their users behind a proxy - as a result everybody looks like they are coming from the same IP. If you ban the IP for that proxy you ban everybody who is behind that proxy.
Also, while some domains are obviously bogus, you probably aren't going to ban @yahoo.com because some yahoo is spamming from a Yahoo! account...
Moving on up
Moving this up to the next level, you can install some sort of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart - see http://www.captcha.net/ for more info.). The most common is where you see an image with some text that you have to type in. The idea being that a human can see the text in the image and a computer just sees the file name. There are a few other types too.
Podge has put together two of the better ones floating around for Snitz - his GateKeeper - Antispam Add-on and his Image CAPTCHA.
If accessibility is an issue (or a requirement, check your local laws etc.), the former may be the better way to go. Most people prefer the latter, image-based CAPTCHA as it's the more familiar type they see. However, anybody using a screen reader or some other handicap-accessibility tool may not be able to use your forum.
Not to mention that if you aren't careful with your question you may keep out a lot of idiots... wait, is that a drawback? Actually, if your gatekeeper question is not one that may be easily understood you'll confuse a lot of people like I did with this sentence's odd structure. Get the point?
Added 09 October 07: I've been meaning to add this... Podge will no longer be maintaining the Image CAPTCHA because of accessibility issues. (i.e. people with screen readers will never be able to use them.) He is instead encouraging the use of the GateKeeper MOD.
If they do get in...
All the measures mentioned so far are designed to stop automated attacks. Some spammers prefer the "personal touch" and therefore are not stopped by this. What to do then?
One option is to keep members from sending e-mail before they've reached a given number of posts. This will stop spammers from registering and sending e-mail as soon as they get a valid account. You'd be surprised how many e-mails they can get out with a little "copy 'n paste".
This won't stop them from posting spam, but it will at least stop them from e-mailing all of your members. Please note: even if they do start sending e-mail (you didn't install this or they got the number of posts and started e-mailing) your members' e-mail addresses have not been compromised (unless they are stupid enough to reply).
Added 02 July 07: I almost forgot to add that matko had put together a spiffier version of the code ruirib had put together above. matko's version allows the Admin to override the post limit on people you know and trust. It will also send the Admin an E-mail when someone attempts to send an e-mail through the forum so you'll know if you need to investigate the person or not.
So where does that leave us?
This is by no means a comprehensive list of options, but it's enough to get you started. I tried to keep it short and to the point. There are numerous points to consider when implementing anti-spam techniques - more than I wanted to try and type in the first run.
Like I said at the beginning, I'll try to keep this up to date as I go, but no promises.
Edited by - AnonJr on 07 March 2009 07:57:47
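
Added example, not part of the original post or of any Snitz MOD: the three profile signs listed under "The simple stuff" (a gender of "1", the same link in every field but the name and gender, the same name in all name fields) applied in bulk to exported pending accounts. The field names, the sample rows and the two-sign threshold are assumptions; anything that falls short of the threshold is left for a human look, since it may just be someone who doesn't check their e-mail often.

```python
# Added example; field names are hypothetical, not Snitz column names.
NAME_FIELDS = ("username", "first_name", "last_name")
OTHER_FIELDS = ("homepage", "link1", "link2", "city", "occupation", "hobbies")


def filled(profile, fields):
    """Non-empty values of the given fields, trimmed and lower-cased."""
    values = ((profile.get(f) or "").strip().lower() for f in fields)
    return [v for v in values if v]


def spam_signs(profile):
    """Return which of the post's three profile signs this account shows."""
    signs = []
    # Sign 1: gender holds the literal "1" instead of a real choice.
    if str(profile.get("gender") or "").strip() == "1":
        signs.append("gender=1")
    # Sign 2: the same link in every filled field except name and gender.
    other = filled(profile, OTHER_FIELDS)
    is_link = bool(other) and ("://" in other[0] or other[0].startswith("www."))
    if len(other) >= 3 and len(set(other)) == 1 and is_link:
        signs.append("same-link")
    # Sign 3: the same value in all name fields.
    names = filled(profile, NAME_FIELDS)
    if len(names) == len(NAME_FIELDS) and len(set(names)) == 1:
        signs.append("same-name")
    return signs


def triage(pending, threshold=2):
    """Split usernames into (likely_spam, check_by_hand); threshold is assumed."""
    likely, by_hand = [], []
    for profile in pending:
        hit = len(spam_signs(profile)) >= threshold
        (likely if hit else by_hand).append(profile["username"])
    return likely, by_hand


# Constructed sample rows, not real registrations.
SAMPLE_PENDING = [
    {"username": "cheapmeds", "first_name": "cheapmeds", "last_name": "cheapmeds",
     "gender": "1", "homepage": "http://spam.example/", "link1": "http://spam.example/",
     "link2": "http://spam.example/", "city": "http://spam.example/"},
    {"username": "slowreader", "first_name": "Dana", "last_name": "Reyes",
     "gender": "Female", "city": "Leeds"},
    {"username": "bono", "first_name": "bono", "last_name": "bono", "gender": "Male"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_PENDING))
```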