A Guide to Combating Spam on a Simple Machines Forum

Started by Account Abandoned, September 17, 2011, 04:23:20 AM


Account Abandoned

Combating Spam on a Simple Machines Forum (Version 2.0)
By: Shawn J. Gossman (www.AnotherAdminForum.com)

When I visit the SMF support forums, I frequently see new topics all over the place about spam and how to stop it from happening on forums. I decided that a good article on all spam combat options on an SMF 2.0 forum would be a great thing to write. I am sure there are other articles on this but I thought I would give it a shot as well.

First, we need to understand what spam is. Spam is unauthorized or annoying advertising topics and posts that usually come from spam bots, human spammers and even members who don't even realize they are spamming the forum. Spam is a big annoyance on the internet in general; a common occurrence in email and many online communities and social networks are often hit with a lot of spam every day. There are ways to combat spam and especially on SMF 2.0 powered message forums.

SMF's built-in features to help reduce spam

In your forum's Administration panel, under Security and Moderation (hover over the Configuration tab), there is a link to Anti-Spam. You should click on this link to go to the built-in anti-spam features that SMF has to offer. Here, you can adjust all the anti-spam features that SMF has to offer. You can decide whether or not guests have to fill out a verification (CAPTCHA Code) on registration, guest searches, guests reporting of posts, guest posting (I recommend to NOT allow guest posts due to spamming) and you can even require verification until a member reaches a certain amount of posts. You should check most of these boxes. However, you should know that CAPTCHA should not be taken as your single line of defense against spam as it is often broken through by spam bots and human spammers.

So this is a good time to move down to the Configure Verification Options and Verification Questions (on the Anti-Spam page). I wouldn't be so worried about what to set the Verification Images to be (I personally choose simple) but I would enable the Questions Verification as this feature is often one of the best lines of defense on an SMF community. SMF really made a great choice by implementing this anti-spam feature. I personally set mine to where a new member only has to answer one question. You can choose how many you want but I would keep it 1 to 3 questions only so a real member doesn't have to be annoyed by having to answer a bunch of verification questions.

When you create your questions, don't make simple ones and stay away from math problems. Math problems on these systems are often beat by spammers and often too hard for people to answer. I myself am not good at math at all and if the question is too hard, I just choose not to register because of that and that is bad for marketing. Instead, make your questions have to do with your niche. You can make them a bit difficult to answer if related to your niche because most likely, people will look the answer up (the real members that is) because they are taking interest in the niche and want to learn more about it. I would also make as many questions and answers as you can so that you don't have the same ones over and over again which could be beaten by spammers eventually.

SMF's Registration Options

Now you should go to your Administration panel on your SMF community and hover over the Members tab. Then hover over Registration... and then Settings. Here you can do some more to combat spam. You can set the Method of registration for users. I suggest Email Activation and what this means is that a user will join and then be sent a link in their email (the one they used to join with) and it will require them to activate their account. Many times, spam bots and such use fake emails that don't work when attempting to join forums. If the email doesn't work, how will they activate the account!? You could also choose Admin Approval which will require you and/or other Administrators to manually approve new members when they join. This is a decent way to combat spam but if membership registration rates get high, this method can become overwhelming at times.

I also suggest checking the option to notify you of a new registration. It will send you an email every time there is a new membership. This is good because you can go review the member if you are able and watch them to make sure they are not spammers or to activate their account, etc. pending what setting you have enabled for the Method of registration. I also suggest that you enable COPPA, for one it can get you out of legal situations that really do happen. Another reason, if you reject under a certain age, many spammers who fill out a birthday that is under the age limit will be rejected from joining. Any way you can prevent spam is a way to follow, in my opinion.

Third-party modifications to help combat spam

One of the modifications that I always suggest people add to their SMF community is the Stop Forum Spam modification. This blocks so many spammers from joining that it isn't even funny. I just suggest not scanning for usernames as some of the most common usernames are listed as spam names. This could make you lose a lot of real potential members if you enable it to scan for usernames. I think setting it to scan for IP addresses and emails is well enough to make the system work for you. There are also other modifications, such as ones that use Project Honey Pot, Akismet, Bad Behavior Mod, Delete Spam Posts, Photo CAPTCHA and Stop Spammer Mod.

When installing these third-party modifications, it is important to know if the version is compatible with your version of SMF. The ones above are compatible with version 2.0 from what I read; those are all the spam modifications I could find for SMF 2.0 in their modifications database. I would also read all the reviews, support discussions and comments of each modification to make sure it's as good as it is listed to be.

The importance of staff members and active owners

All the methods listed above will greatly help you reduce spam on your SMF 2.0 community. However, it may not keep all the spam out. There is no such thing as software that blocks all spam 100% and if anyone tells you there is, they are wrong. The best method to block spam is human intelligence. This means that being active on your community and having active staff that constantly look for spammers and spam posts will be your best method of combatting spam. This will especially help for human spammers as they will see an active team that doesn't put up with spam on their forums. It is a great deterrence for some human spammers.

I really hope this article helps you better understand ways to combat spam on version 2.0 of the Simple Machines Forum software. Please feel free to comment with your thoughts on my articles and any more suggestions you may have to help prevent or combat spam on SMF. You may redistribute my article on other websites as long as you keep my name and link (below title) intact and a link back to this original article. Thank you for reading my article and good luck with your forums!
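The screening the article recommends for Stop Forum Spam lookups (act on IP and email listings, leave usernames out), as an added example that is not part of the original article or the modification's code. The response field names are assumed from the public StopForumSpam JSON API, and the sample responses, thresholds and the `screen_registration` helper are constructed for illustration.

```python
import json

# Constructed lookup responses; the field names (success, appears, frequency,
# confidence) are assumed from the public StopForumSpam JSON API.
def sample(ip, email, username):
    keys = ("appears", "frequency", "confidence")
    return json.dumps({"success": 1,
                       "ip": dict(zip(keys, ip)),
                       "email": dict(zip(keys, email)),
                       "username": dict(zip(keys, username))})

KNOWN_SPAMMER = sample((1, 250, 99.2), (1, 12, 80.0), (0, 0, 0.0))
COMMON_NAME = sample((0, 0, 0.0), (0, 0, 0.0), (1, 900, 95.0))  # only the name is listed
STALE_LISTING = sample((1, 1, 4.5), (0, 0, 0.0), (0, 0, 0.0))    # a single weak report


def screen_registration(raw, check=("ip", "email"), min_frequency=3, min_confidence=50.0):
    """Return (decision, reasons); decision is 'allow', 'review' or 'block'."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        data = None
    if not isinstance(data, dict) or data.get("success") != 1:
        # Lookup failed: fall back to manual approval instead of guessing.
        return "review", ["lookup failed"]
    strong, weak = [], []
    for field in check:
        entry = data.get(field)
        if not isinstance(entry, dict) or not entry.get("appears"):
            continue
        freq = int(entry.get("frequency", 0))
        conf = float(entry.get("confidence", 0.0))
        note = f"{field}: {freq} reports, confidence {conf:.1f}"
        # Thresholds are illustrative assumptions, not values from the mod.
        if freq >= min_frequency and conf >= min_confidence:
            strong.append(note)
        else:
            weak.append(note)
    if strong:
        return "block", strong
    return ("review", weak) if weak else ("allow", [])


if __name__ == "__main__":
    for name, raw in [("known spammer", KNOWN_SPAMMER), ("common name", COMMON_NAME),
                      ("stale listing", STALE_LISTING), ("outage", "")]:
        print(name, screen_registration(raw))
    print("with username check",
          screen_registration(COMMON_NAME, check=("ip", "email", "username")))
```

With username checking switched on, the `COMMON_NAME` registrant is blocked on the name alone, which is the false positive the article warns about.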

Chris Burgess

Great advice, and perfect timing for me as I had just started my SMF forum and just received my first spammers.

One thing you didn't cover though is what you would recommend to do with member accounts guilty of spamming. Ban them? On email address, or ip etc.? Just delete the account? I'd love to hear some advice on this.

Account Abandoned

Well this article was mainly on combating the spam bots. For what to do, I would ban spammers by username, IP and email address. :) Thanks for reading!

Robert.


Account Abandoned

Thank you Dr. Deejay! :) I hope it helps some of the new SMF owners out a bit!

Augster

Quote from: Shawn Gossman on September 17, 2011, 04:23:20 AM
Combating Spam on a Simple Machines Forum (Version 2.0)
By: Shawn J. Gossman (www.AnotherAdminForum.com)

I suggest Email Activation and what this means is that a user will join and then be sent a link in their email (the one they used to join with) and it will require them to activate their account. Many times, spam bots and such use fake emails that don't work when attempting to join forums. If the email doesn't work, how will they activate the account!? You could also choose Admin Approval which will require you and/or other Administrators to manually approve new members when they join.

This feature is no longer truly protective as my forum is now being successfully registered via bots even with e-mail activation.  They definitely have successfully defeated the CAPTCHA and reCAPTCHA verification system as neither has stopped the bots, even at the most extreme setting.

Perusing the various user names, IP's and e-mails utilized to successfully register, there isn't any one readily identifiable method to easily distinguish the spam bots utilizing the built-in tools of SMF 2.0.


Quote from: Shawn Gossman on September 17, 2011, 04:23:20 AM
I would enable the Questions Verification as this feature is often one of the best lines of defense on an SMF community.

Yes I wholeheartedly concur with this recommendation.  What I determined so far as of today (September 22, 2011), enabling this registration requirement has completely eliminated spam bots from registering.  I do have 3 questions required, although they are rather simple ones for humans to understand and answer.  I have now switched back to e-mail activation versus Admin approval but enabled notification of new registrations so I can finally once again step back from having to micro-manage my forums.

Account Abandoned

Although it isn't fully protective, it still does protect you better than having instant activation; there are still some spam bots that cannot get through it :)

oversee

I know there are employers in India that hire data entry people to decode captcha. I am assuming they are doing it realtime - the bot tries to register and sends the captcha to the people who enter it and then the bot continues the registration process. I would imagine eventually they will do the same with the question, but I haven't seen any evidence of this yet. Do you have any ideas what we can do when they get to this point?
I have also seen an advertisement asking for a program that would generate new valid email addresses at 15 minute intervals. They could use the same email address to join hundreds of forums but there would not be any way for the individual forum owner to know this.
I know that some forums require an introductory post before the member can post anywhere else. I saw one forum that took new members to a topic called spam, and the new members had to post three times there before they could make a post in the real forum. The spam topic wasn't visible to members. What do you think of this idea?
This has probably been asked before, but I am worried. I have had hundreds of bots join in the last few days. Is there any other damage these bots can do besides posting spam and clogging my server? I have my forum set up so the member can't post any links until they have made 10 posts. Is there another threat from these bots I should be aware of?
I have a friend who doesn't delete the bots because he says having more members increases his advertising revenue. Is this a valid approach, or is he asking for trouble?
I have also seen job listings asking for email addresses scraped from forums. In my opinion, I don't think there is any reason to allow email addresses to be shown. If a member wants to contact another member, they can send a private message.

captaingeek

good guide. thanks!

can someone disable post verification on my account here??

sambling

You shouldn't allow members with under 3 posts to edit their own profiles.... That stops profile spam.
www.forumhoopla.com Forum Promotion

Account Abandoned

Quote from: captaingeek on October 28, 2011, 07:49:08 PM
good guide. thanks!

can someone disable post verification on my account here??

After you get so many posts here on SMF, it will disable itself. It's a way to block spammers :)

captaingeek

getting spammed like crazy now, it's growing exponentially, one fake user every few hours now.

captaingeek

I added a simple question, we'll see how that goes. It'd be nice if you could remove all of a user's posts when banned.

Account Abandoned

A simple question will likely be answered correctly. Make your questions moderately difficult and related to your niche. As for deleting posts, if you choose to delete the member instead, you can delete all their posts and topics when you do it :)

Install Stop Forum Spam, you will be shocked as to how many spammer accounts it stops!

MtnDon

Good article!  Captchas are useless when it comes to a good robot IMO. We upgraded our 1.1.15 forum to 2.0.1 about a month ago. We were using a medium difficulty captcha plus a rotating/random question mod for the past couple of years. We had very little spam. When we upgraded to SMF2.0.1 there was a period of about 10 minutes when the only registration protection was the captcha built into SMF. It came to life with the difficulty set at medium just as in 1.1.15. In that 15 minutes we had 6 new registrations, all of which were found to have extensive spammer histories (250+ reports in Stop Forum Spam). Three of those made multiple spam posts with many links.

I had loaded SMF2.0 on a test site before the upgrade in order to have a good look at the admin tools. As soon as I entered and activated the Verification Questions I had decided upon, the spammer registrations stopped cold. I could see their IPs trying to register, but all attempts failed. That proved to me the validity and usefulness of questions.

Since then I have also instituted an additional profile field/question and made it a mandatory fill. Nothing too difficult but also nothing predictable like a math question. That makes a new member fill in a field that is not expected by a robot. Xrumer spammer software can be programmed to "see" an unexpected field and compare the contents of what comes before the field to a table of simple math questions and answers and try an answer that might be appropriate. Devilishly clever software.

I have performed a couple of experiments since then.

1. I set the captcha to extreme difficulty. I removed the questions and extra profile field. Left for a period of 15 minutes there were 5 registrations that came up in both StopForumSpam and Project Honeypot. Two immediately started posting messages containing spam. Once the questions were re-instated the spammer registrations ceased immediately. Xrumer can read many captchas, including Gmail type, faster than most people can.

2. I removed the captcha altogether. No discernible change in registrations. But much more friendly to "real" people.


Notes:
I have also restricted guests to simple viewing of topics. Guests can not see member profiles, etc.   

New members must make one post to topics before they can modify their own profile. I have only had a couple of queries by members about this in the couple of years we've had this policy in place. Zero signature spam. We use "post count" so members automatically advance after the first post.


Account Abandoned

Restricting guest view of posts could harm your search engine ranking, just be warned about that :)

MtnDon

By restricting viewing, I mean to say just about all the guests can do is view all the general membership topics. They can not post to topics, can not see the memberlist, and so on.

No problems with the bots reading our forum; Google does 10000 on an average day; good numbers on all the others too.

Account Abandoned

Quote from: MtnDon on November 22, 2011, 11:11:21 PM
By restricting viewing, I mean to say just about all the guests can do is view all the general membership topics. They can not post to topics, can not see the memberlist, and so on.

No problems with the bots reading our forum; Google does 10000 on an average day; good numbers on all the others too.

Oh okay, I see what you mean :) Yeah guest posting IMO is always a bad idea.

beanflying

Good Guide  :)

Also highly recommend making a post count group for all newbies that requires first X number of posts to be approved by a moderator.

While this is a small delay to posting it is worth it to help keep the spam off the list from manual signups. Currently I have this set to only 1 on our forum as by the tone of the first post you get an idea of what the intent is normally.
Owner of many many shiny toys.

