I am taking SMF for a spin after having abandoned my current punBB forum - I simply could not keep up with the spam. The registration and post approval features proivded by punBB turned out to be too basic to "take on the spammers". SMF seems pretty good so I am hopeful that my experiences are going to be better. I have a few questions before I really take the plunge.
- I assume that SMF supports the use of CAPTCHAs for registration and posting and the CAPTCHA I see below appears to strike the right balance between readability and difficulty. Question - is this right or are there bots out there who have cracked it?
- How easy is it to use external services such as stopforumspam with SMF?
- Does SMF provide the ability to mass delete users and posts?
- Finally, would it be possible for me to hook into the new post recording script (I am a competent PHP & mySQL programmer) and automatically discard posts based on content that I deem to be unwanted or offensive? I am not seeking a universal solution here that will work for everyone. Based on my bitter experiences with punBB I have a fair idea of what post content I should automatically reject even prior to putting it in the post approvals bin.
Welcome to SMF!
1- CAPTCHA is basically useless at this point. There are many other, better ways to protect your site from spam.
2- see mods section. there are two mods to link to SFS and several to link to httpBL and bad behavior.
3- mass delete users... yes. mass delete posts... yes. mass delete users and posts together, no.
4- anything is possible, if you can code it. There are even hooks in the code (I an not certain if 2.0.x has hooks during create_post, but I am pretty sure that 2.1 will. There are not currently any mods which target the post content like that.
(although there is already a mod which prevents links - so you can base that on a post-count based group, as we do here.)
honestly, although it may be needed in the future, I don't see the need to a content-rejection script quite yet.
I use Stop Forum Spam, bad behavior+HttpBL and the built in feature for "questions" - and I get ZERO spam registrations (and thus zero spam posts) on my boards.
Thanks. If CAPTCHAs are useless what should be used instead - a Q&A challenge? I have seen that in use and found it rather naive but perhaps that is just my perception. The other alternative I have run into is the "find the right image" kind of human user authentication. Is that any good and if so are there any SMF mods for doing that?
Finally, if CAPTCHAs are pretty much useless why, pray, does this forum still use em? ;D The fact that my original post and this reply require me to solve the same CAPTCHA is not terribly impressive, I have to say.
You won't get captcha after certain posts.
so, the Q&A is one of the best defenses... as long as you don't use "stupid" questions like "is ice hot or cold?"
Use questions which are not immediately answered by a google query and are specific to your forum niche.
(e.g. I have used "What is the side armour of a wave serpent" and "What is 5 plus 4 take away three multiplied by two (spelled out)")
As for the reason we use captcha here... because we are multi-language here and we get visitors from around the world, not all of whom read English. The questions feature does not currently support mutli-answer or multi-language.
regarding the "assemble the image" or "find the image"
if you have a limited audience, that may work - However, such things will block out almost anyone with a visual disability.
You can search the mod site in the anti-spam category... :)
SMF has chosen not to develop multilanguage Q&A, for whatever reason, and still relies on CAPTCHA. Many individual forums use Q&A and report good results with it, provided that the questions are specific to the forum subject matter and not general stuff that anyone (or any bot) can look up or solve.
One problem with visual puzzles like "find the right image" is that they are unusable by the blind and visually impaired, and could potentially open up a site to lawsuits. At least with CAPTCHA using letters or other standard keyboard symbols is that they can be read out loud (audio option).
SMF still relies on the "hard shell" approach to keep spammers from registering in the first place, but does almost nothing to examine post content and poster behavior once a member is registered. That will be the next frontier (defense in depth).
add: partly Ninja'd
You are always so critical of SMF and what **YOU PERCEIVE** as "they have chosen".
Which is mostly BS in the past... and completely BS currently.
Since development of 2.1+ is completely open on github, *ANYONE* could develop and submit the multi-language questions.
You keep complaining about what SMF "chooses" to do, but I don't see you actually submitting any code to the repsitory to resolve any of the "issues" that you complain about.
Thank you for all the answers. Kindred mentioned that v 2.0.x does not provide a create_post hook. Given that the currently available version of SMF is 2.0.4 that leaves me with an issue to deal with. The fact of the matter is that being able to bulk delete posts is nice but not good enough.
My experience with our old punBB forum suggests that we arre liable to have a lot of spammy posts. We are a 2 man startup with way too many things to deal with so I would like to do what I can to keep the forum admin burden down. Top of the list is stemming the rot before it begins by rejecting posts that fail our filters. I can implement filters based on the spam I have seen and had to deal with on our old punBB forum. OK, there is no decent hook to use as yet but even so there can be no reason why I cannot just recode the bit of script that records new posts. I could find out what is doing this all on my own but it would be a waste of time. Could someone tell me which scripts deal with the task? There is a Post.php script and a topics (smf_topics in my case) that appear relevant but I have no way of being sure.
I believe that just about everything you would want to tie into is in Post.php and Subs-post.php
Actually, looking at the hooks, I was incorrect.
Purpose: Allows you to add topics to a CMS once they are posted. It would likely be better for something such as the Twitter mod to use this as a point to call, rather than modifying the code itself.
However... I can see your processor being added using this hook and then swithcing a post to "unapproved/needs moderation" status if it triggers one of your criteria.
if you develop this, I suggest that you package it as a mod since that is a good way to test fucntionality which may be included in future versions. :)
However, I will note, on the subject of spam posts.
You may have had a bad experience with the other software... However, as I said above... I use two mods, plus the questions... and I get ZERO spammer registrations, and therefore ZERO spam posts. (occasionally, I will have a possible spammer flagged in the SFS mod, pending my approval, but that is less than once a month these days. (when I first activated, I had 10+ spammers flagged per day - but they still never made it through the regsitration and still could not post spam messages)
MrPhil can poo-poo the hard-shell approach all he wants... but the fact is - it currently works.
Using just verification questions and Misc Anti Spam mod (and occasionally Bad Behaviour mod) I have had only three successful spammer registrations in 18 months and since we zapped them both at the admin approval stage, none of the three ever posted. What good would it do me to be able to mass delete spammy posts? If the "hard shell" approach works, and it does with proper configuration, you don't need anything else :)
yup... the spammers will (eventually) find a way around the shell... so, we should CONSIDER other methods for the future... but there is no great frantic need for it "the instant" :)
Whihc is why - if this user wants to do the analyze post process - I suggest that he packages it as a mod. :) That way, it can be tested and analyzed for usefulness and possible inclusion in future releases.
Thank you. One example of auto post rejection - check the post content for non US Ascii characters (as far as our forum is concerned Russian, Chinese, Tamil etc are never going to be relevant) and reject anything that fails that test outright. On our old forum we had way too many posts in Russian and Chinese selling pe...e dysfunction "remedies", prospective for...tion partners and the like.