How do I protect my forum against spam?
14

6

I have a forum on a website I master, which gets a daily dose of pron spam. Currently I delete the spam and block the IP. But this does not work very well. The list of blocked IPs is growing quickly, but so is the number of spam posts in the forum.

The forum is entirely my own code. It is built in PHP and MySQL.

What are some concrete ways of stopping the spam?

Edit: The thing I forgot to mention is that the forum needs to be open for unregistered users to post. Kinda like a blog comment.

Exploration answered 27/1, 2009 at 20:34 Comment(0)
12

In a guestbook app I wrote, I implemented two features which prevent most of the spam:

  • Don't allow POST as the first request in a session

  • Require a valid HTTP Refer(r)er when posting

Pittsburgh answered 27/1, 2009 at 20:48 Comment(5)
I like the 'don't allow post as the first request in a session'; thanks – Ori
I like these kinds of solutions better than CAPTCHA. CAPTCHA inconveniences all your legitimate users, whereas the solutions above don't. – Betti
"Require a valid HTTP Refer(r)er when posting" <-- This can be easily faked, as it's just a header coming from the user – Dermatogen
Also, HTTP Referer is not required to have anything for the call to be valid. I can turn it off, I guess. But, you can put something in session ( & expire it in X minutes) when the form is loaded. – Izy
I like the idea of rejecting a POST in first request, but what about POST ajax calls on the website? How do I allow a direct POST request for ajax, but disallow it for everything remote? – Nonchalance
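
The "no POST as the first request" rule and the session value with an expiry suggested in the comments can be implemented together as a one-time form token. This is an added example, not code from the thread; the function names, the `form_token` key and the 30-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. The function names and the
// 'form_token' session key / field name are hypothetical.
declare(strict_types=1);

const TOKEN_MAX_AGE = 1800; // seconds a rendered form stays valid (assumed value)

/** Call while rendering the form. Returns the value for a hidden field. */
function issue_form_token(array &$session, ?int $now = null): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_token'] = ['value' => $token, 'issued' => $now ?? time()];
    return $token;
}

/** Call on POST. Returns null if acceptable, otherwise the rejection reason. */
function check_form_token(array &$session, array $post, ?int $now = null): ?string
{
    $stored = $session['form_token'] ?? null;
    unset($session['form_token']); // single use: a replayed POST fails
    if (!is_array($stored)) {
        return 'no form loaded in this session (POST was the first request)';
    }
    $submitted = $post['form_token'] ?? '';
    if (!is_string($submitted) || !hash_equals($stored['value'], $submitted)) {
        return 'token mismatch';
    }
    if (($now ?? time()) - $stored['issued'] > TOKEN_MAX_AGE) {
        return 'form expired';
    }
    return null;
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $reason = check_form_token($_SESSION, $_POST);
    if ($reason !== null) {
        http_response_code(400);
        exit('Post rejected: ' . $reason);
    }
    // ... validate and store the post here ...
}
$token = issue_form_token($_SESSION);
echo '<form method="post">'
   . '<input type="hidden" name="form_token" value="' . $token . '">'
   . '<textarea name="body"></textarea><button>Post</button></form>';
```

Unlike the Referer header, the token cannot be supplied by a client that never loaded the form in the same session.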
5

One way that I know which works is to use JavaScript before submitting the form. For example, to change the method from GET to POST. ;) Spambots are lousy at executing JavaScript. Of course, this also means that non-Javascript people will not be able to use your site... if you care about them that is. ;) (Note: I don't)

Sacha answered 27/1, 2009 at 20:40 Comment(1)
I often leave the action of the form blank and set it in script too. – Essary
5

In my experience, the best easy defenses come from just doing something "non-standard". If you make your site non-standard, this makes it so that any automated spam would have to be coded specifically for your site, which (no offense) probably isn't worth the effort. Note that if the spam is coming from human spammers, there's not really anything you can do that won't also stop legitimate posters. So the goal is to find a solution that will throw away any "standard" posts - that is, "fill out the whole form and push submit".

A couple examples that come to mind of things that you could try:

  • Have a hidden form field with a name that sounds like something a spammer would want to fill out, like "website" or "homepage" or something like that. If the form field gets filled out, throw away the message instead of posting it, because it was a bot automatically filling in the whole form, even invisible fields.
  • You don't have to use a "real" captcha, but even something simple like "Enter the following word backwards: <random backwards word>" or "What is the domain name of this website?". Easy for a human to do, but it would require a fairly complex bot to figure out what to fill in.
Vasya answered 27/1, 2009 at 21:17 Comment(0)
4

You could use a captcha; there are some good scripts like PHPCaptcha. Or use a spam control service like Akismet, which has a PHP API.

Pardo answered 27/1, 2009 at 20:41 Comment(0)
2

You might want to look at this question, which has several answers that describe how you could implement a non-intrusive captcha.

Another thing to consider is to require time between posts to prevent massive spamming.

Afroasiatic answered 27/1, 2009 at 20:42 Comment(0)
2

Include a CAPTCHA that is always "orange".

Somaliland answered 27/1, 2009 at 21:30 Comment(0)
2

The spams may be by bots or humans - bots are more likely.

To stop the bots, put in a hidden field populated by Javascript - there is a 99.5% chance that a standard, stupid bot that isn't customised to your site will fail to fill that in.

If they fail to fill it in correctly, give them a message that Javascript is required or something, and give them an opportunity to post some other way (e.g. with a captcha or registration). That way anonymous users who aren't spambots can (mostly) still post with no problems, and most spambots (which haven't been tailored for your specific site) won't.

Don't bother blacklisting IP addresses or using third party blacklists, that will just generate false positives. Almost all bots use the same IP addresses as (some) legitimate users.


Another trick is to put in a text field with a plausible sounding name, which is made difficult to see with CSS - anyone filling this field in with anything is considered to be a bot.

Statue answered 27/1, 2009 at 21:32 Comment(0)
2

Advanced solutions:

You can try your luck with non-standard form:

  • fields that must stay empty hidden with CSS
  • fields with misleading names, e.g. <input name=email> for something that is not an e-mail.

For me CAPTCHA is like giving up to spammers and letting them damage your forum anyway – except that instead of spam damage, you get usability and accessibility damage.

Flowerless answered 5/4, 2009 at 15:56 Comment(0)
2

Something I've found to be surprisingly effective: disallow comments that contain too many URLs (more than, say, 5). Since doing that, I've had zero comment spam.

Edit: Since writing the above, I've had recurring comment spam with only one link. I have now added some honeypot fields and have had no comment spam for a few months now.

Beachcomber answered 5/4, 2009 at 16:11 Comment(0)
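
The CSS-hidden honeypot field and the JavaScript-filled field from the earlier answers, combined with the link limit from the answer above, fit in one server-side screening function. This is an added example, not code from the thread; the field names `website` and `js_check`, the `js_value` session key and the form markup are assumptions.

```php
<?php
// Added example, not code from the thread. Field names ('website', 'js_check'),
// the 'js_value' session key and the markup below are assumptions.
declare(strict_types=1);
const MAX_URLS = 5; // threshold suggested in the answer above

/** Returns null if the submission passes, otherwise why it was rejected. */
function screen_post(array $post, string $expectedJsValue): ?string
{
    // Honeypot: hidden with CSS, so a person leaves it empty. Any value,
    // including an array from website[]=x, counts as filled in.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot';
    }
    // Field that only the page's own script fills in. An empty expected value
    // means the form was never served to this session.
    $js = $post['js_check'] ?? '';
    if ($expectedJsValue === '' || !is_string($js) || !hash_equals($expectedJsValue, $js)) {
        return 'no-javascript'; // offer a fallback here (captcha, registration)
    }
    $body = is_string($post['body'] ?? null) ? $post['body'] : '';
    if (preg_match_all('~(?:https?://|www\.)\S+~i', $body) > MAX_URLS) {
        return 'too-many-links';
    }
    return null;
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $verdict = screen_post($_POST, $_SESSION['js_value'] ?? '');
    if ($verdict !== null) {
        http_response_code(400);
        exit('Post rejected (' . $verdict . ')');
    }
    // ... store the post ...
}
$_SESSION['js_value'] = bin2hex(random_bytes(8));
?>
<form method="post" data-k="<?= $_SESSION['js_value'] ?>">
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Website <input name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <input type="hidden" name="js_check">
  <textarea name="body"></textarea> <button>Post</button>
</form>
<script>
  const f = document.forms[0];
  f.elements.js_check.value = f.dataset.k;
</script>
```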
0

Don't let anybody post until they respond to an email sent to their registered email address. You'll see lots of forums and mailing lists generate a unique email address or web url that is sent to the new user's given email address, and they have to respond to the email or click on the link to finalize their registration.

Telegram answered 27/1, 2009 at 20:37 Comment(0)
0

Captcha is definitely the easiest method - try KittenAuth if you want something bot-proof (Although I got pandas this time)

Alta answered 27/1, 2009 at 20:52 Comment(0)
0

There is no single answer since spam is really a matter of economics: how much is it worth it to someone to put their stuff onto the web. There are, however, some solutions that seem pretty good

Alan answered 27/1, 2009 at 21:30 Comment(0)
0

I want to say that most of the time, a CAPTCHA is enough for you to prevent spammers. But do use a strong one, like http://www.captcha.net/.

Remember that spammers do not want to spend much time dealing with a particular site (except heavy-traffic sites); they use a tool to post ads on a lot of sites. So make your form a little unusual (e.g. give the user an image that says '1.5+2.4=?' and let users answer; this will block most of the spam tools :) )

Indulgence answered 5/4, 2009 at 15:49 Comment(0)
-1

The easiest thing I've done to stop spammers with (so far) 100% consistency is to validate the text that was submitted. If you use the PHP function strstr() to check for "a href" or even a non-clickable http or www, you can then just reroute the spammer elsewhere. I actually have a script then write to my .htaccess file to deny the offending IP address. Not sure if there's any other kind of spam to be concerned about, but links are all I've seen so far.

Charlottetown answered 9/5, 2013 at 1:36 Comment(1)
A forum that doesn't let legitimate users post links is pretty useless. – Leathers