Preventing Forum Spam-bots? 124
A concerned reader asks: "Recently it seems that forums have become the new target for spam bots advertising everything from porn to casinos. The forums that I admin are constantly harassed by these bots even though you must enter the visual confirmation code code (the picture with letters/numbers) as well as reply to an e-mail in order to register. This only started a few months ago so I'm suspecting that some new spam program was released that somehow gets around these anti-bot measures. How can I get rid of these annoying bots?"
One word: (Score:5, Informative)
Please use correct terminology (Score:5, Informative)
Also... (Score:4, Informative)
Re:Grace period? (Score:4, Informative)
If a site makes me wait three days, though, I'm likely to forget about it in that time.
Or were you talking about smaller grace periods? Perhaps 10 minutes? That might work well.
Re:Don't use well known forum software (Score:3, Informative)
Much as I hate to agree with that, he speaks the truth -- the bots are written to target specific forum packages, and they almost always go after the popular ones. phpBB has taken a lot of stick for one or two security problems that came up, but in truth it's as good, if not better than its competition; the reason it gets hit so badly is simply because it's so popular.
So if you can use a less-well-known package, that will keep you away from the prying eyes of most of the bots.
Alternatively, you could mod one of the well known packages, so that the bots no longer work with it. That could be something as simple as changing the fieldnames on the registration form, or changing the URL of the registration page. If you know enough PHP/ASP/whatever to make the necessary changes, that would be a good solution; you'd still have the features of your favourite package, but not the bots.
While you're modding the forum, it would also be a good idea to add a block to prevent new members from posting links. (if you're really lucky, your forum packages may include this feature already). Spambots aren't any use if they can't post spam, and spam requires a link, so kill off the links, and you'll kill off the bots. Members should only be able to post links after they've proved themselves trustworthy.
CAPTCHA is a great idea, but if you're using a common one (ie the one included in your forum package), the odds are that the spammers have cracked it already. But again, the bots are likely to be programmed with the specific CAPTCHA-cracker for their forum, so if you can replace it with a less-common method, that will also bamboozle the bots.
If you are still using a well-known forum package after all that, you should also consider modifying the page template to remove references to the software name and version. Some bots look for specific versions of a forum to attack a known weakness, so stripping out the identifying marks will make it harder for them.
Security by obscurity is a much hated phrase around here, and with good reason. It is highly effective against the blind automated attacks of your average spam-bot, but whatever you do, even if it seems to be working, don't take your security for granted. Never let your guard down.
Re:Good moderators help... (Score:3, Informative)
I know this won't help with the unsightly comments on your website, but since this is the slashdot crowd just flag all the comments with URLs in them as 'hidden' and on a daily/whenever basis go through them deleting spam and unhiding legitimate comments. Stick this all in a central control panel and it's unlikely to take up more than 10 minutes of your time.
In addition to that, just stop any client with a useragent string that contains a URL or one of the known spambot names.
http://www.kloth.net/internet/bottrap.php [kloth.net] - A quick implementation of a bot-trap, which bans bots which don't follow your robots.txt directions.
What's worked for me: easy damage control. (Score:3, Informative)
I had reasonable success by limiting posts to people who have verified their email address -- I think that that was also a feature of a recent phpBB update.
But the spam still outnumbered posts, so in the last two weeks I've added these two phpBB mods:
http://www.phpbbhacks.com/download/4878 [phpbbhacks.com] - this mod checks each registration IP address against the dns blacklists. I think that it improved the situation, but it didn't stop the problem out right, and I still had to clean up the board once in a while.
http://www.phpbbhacks.com/download/6208 [phpbbhacks.com] - this mod gives a really easy way to delete a user and all of their posts at once. It's not a fix, but it's turned out to be the best solution. It only takes a few seconds to undo the damage from any one individual, no matter how many spam posts that they have made. A person could spend 20 minutes registering and posting 20 messages and I have to spend 20 seconds nuking the account and all it's posts. It's a fair trade, and I get some small satisfaction in that!
mod_security (Score:2, Informative)
Re:Good moderators help... (Score:3, Informative)
I basically gave up on blogging because I had to sort through 500 spam comments a day. I know another blogger who had to clean 7,000 (yes, thousand) spams out of his blog every day.
It took both of us longer than 10 minutes.