Preventing Forum Spam-bots?

A concerned reader asks: "Recently it seems that forums have become the new target for spam bots advertising everything from porn to casinos. The forums that I admin are constantly harassed by these bots even though you must enter the visual confirmation code (the picture with letters/numbers) as well as reply to an e-mail in order to register. This only started a few months ago so I'm suspecting that some new spam program was released that somehow gets around these anti-bot measures. How can I get rid of these annoying bots?"
  • One word: (Score:5, Informative)

    by MadDog Bob-2 ( 139526 ) on Friday April 07, 2006 @05:50PM (#15088131)
    kittens [thepcspy.com]
  • by Raul654 ( 453029 ) on Friday April 07, 2006 @05:52PM (#15088135) Homepage
    For the record, those blurred/skewed letters and numbers are called a "Completely Automated Public Turing [wikipedia.org] test to tell Computers and Humans Apart" - Captcha [wikipedia.org].
  • Also... (Score:4, Informative)

    by Raul654 ( 453029 ) on Friday April 07, 2006 @05:57PM (#15088171) Homepage
    ...it's patented. [uspto.gov] (and Turing is spinning in his grave...)
  • Re:Grace period? (Score:4, Informative)

    by Donniedarkness ( 895066 ) <Donniedarkness AT gmail DOT com> on Friday April 07, 2006 @06:16PM (#15088272) Homepage
    While this will keep some of the bots away, it will also cause the site to lose members. When I sign up on a forum, it is usually because I want to post RIGHT THEN. Of course, I'll probably continue to post on it.

    If a site makes me wait three days, though, I'm likely to forget about it in that time.

    Or were you talking about smaller grace periods? Perhaps 10 minutes? That might work well.

  • by Spudley ( 171066 ) on Friday April 07, 2006 @07:04PM (#15088552) Homepage Journal
    "Don't use phpbb, vbulletin or whichever other forum software everyone uses"

    Much as I hate to agree with that, he speaks the truth -- the bots are written to target specific forum packages, and they almost always go after the popular ones. phpBB has taken a lot of stick for one or two security problems that came up, but in truth it's as good, if not better than its competition; the reason it gets hit so badly is simply because it's so popular.

    So if you can use a less-well-known package, that will keep you away from the prying eyes of most of the bots.

    Alternatively, you could mod one of the well known packages, so that the bots no longer work with it. That could be something as simple as changing the fieldnames on the registration form, or changing the URL of the registration page. If you know enough PHP/ASP/whatever to make the necessary changes, that would be a good solution; you'd still have the features of your favourite package, but not the bots.

    While you're modding the forum, it would also be a good idea to add a block to prevent new members from posting links. (If you're really lucky, your forum package may include this feature already.) Spambots aren't any use if they can't post spam, and spam requires a link, so kill off the links, and you'll kill off the bots. Members should only be able to post links after they've proved themselves trustworthy.

    CAPTCHA is a great idea, but if you're using a common one (i.e. the one included in your forum package), the odds are that the spammers have cracked it already. But again, the bots are likely to be programmed with the specific CAPTCHA-cracker for their forum, so if you can replace it with a less-common method, that will also bamboozle the bots.

    If you are still using a well-known forum package after all that, you should also consider modifying the page template to remove references to the software name and version. Some bots look for specific versions of a forum to attack a known weakness, so stripping out the identifying marks will make it harder for them.

    Security by obscurity is a much hated phrase around here, and with good reason. It is highly effective against the blind automated attacks of your average spam-bot, but whatever you do, even if it seems to be working, don't take your security for granted. Never let your guard down.
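The "no links until you've proved yourself" rule from the comment above, as an added example that is not part of the thread or of any forum package. The URL pattern, the TLD list and the trust thresholds (10 posts, 7 days) are assumptions; the forum would call check_post() before storing a post.

```python
import re

# Anything that looks like a link: absolute URLs, "www." hosts, or bare
# domains ending in a TLD from a short assumed list (extend to taste).
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz|ru|cn)\b"
)

# Assumed trust policy: links are allowed once both thresholds are met.
MIN_POSTS = 10
MIN_ACCOUNT_AGE_DAYS = 7


def find_links(body):
    """Return every link-like token in a post body."""
    return URL_RE.findall(body)


def is_trusted(post_count, account_age_days):
    """A member is trusted after enough posts and a mature account."""
    return post_count >= MIN_POSTS and account_age_days >= MIN_ACCOUNT_AGE_DAYS


def check_post(body, post_count, account_age_days):
    """Decide whether a post may be stored.

    Returns (allowed, reason). Posts without links are always allowed; a
    post with links is allowed only for trusted members, which is what
    starves a spambot that slipped through registration.
    """
    links = find_links(body)
    if not links:
        return True, "no links"
    if is_trusted(post_count, account_age_days):
        return True, "trusted member"
    return False, "new members may not post links: " + ", ".join(links)
```

Bare-domain detection is deliberately narrow; spammers who obfuscate links ("example dot com") still need a moderator, so keep the manual cleanup path from the other comments.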
  • by drspliff ( 652992 ) on Friday April 07, 2006 @08:53PM (#15088998)
    Google, Yahoo and MSN have already done this. Simply insert 'rel="nofollow"' into all the tags that people post in the comments, and although they still show up it makes it pointless for those spammers trying to increase their PageRank.

    I know this won't help with the unsightly comments on your website, but since this is the slashdot crowd just flag all the comments with URLs in them as 'hidden' and on a daily/whenever basis go through them deleting spam and unhiding legitimate comments. Stick this all in a central control panel and it's unlikely to take up more than 10 minutes of your time.

    In addition to that, just stop any client with a useragent string that contains a URL or one of the known spambot names.

    http://www.kloth.net/internet/bottrap.php [kloth.net] - A quick implementation of a bot-trap, which bans bots which don't follow your robots.txt directions.
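The two mechanical parts of the comment above (adding rel="nofollow" to every posted link, and rejecting clients whose User-Agent carries a URL or a known spambot name), as an added example that is not part of the thread. The spambot name list is constructed for illustration.

```python
import re

# Opening <a> tags as posted by members; only the rel attribute is changed.
ANCHOR_RE = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)
REL_RE = re.compile(r"""\brel\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)


def add_nofollow(html):
    """Add rel="nofollow" to each <a> tag, merging with an existing rel value."""
    def fix(match):
        open_tag = match.group(0)[:2]      # keep "<a" or "<A" as written
        attrs = match.group(1)
        rel = REL_RE.search(attrs)
        if rel is None:
            return '%s%s rel="nofollow">' % (open_tag, attrs)
        values = rel.group(2).split()
        if "nofollow" not in (v.lower() for v in values):
            values.append("nofollow")
        new_attr = 'rel="%s"' % " ".join(values)
        return "%s%s>" % (open_tag, attrs[:rel.start()] + new_attr + attrs[rel.end():])
    return ANCHOR_RE.sub(fix, html)


# Constructed sample of spambot names; a real deployment keeps its own list.
SPAMBOT_NAMES = ["spambot", "emailsiphon", "webemailextractor"]
UA_URL_RE = re.compile(r"(?i)https?://|www\.")


def block_user_agent(user_agent):
    """True when the User-Agent carries a URL or a known spambot name."""
    ua = user_agent.lower()
    return bool(UA_URL_RE.search(ua)) or any(name in ua for name in SPAMBOT_NAMES)
```

Apply block_user_agent() only to the registration and posting endpoints: legitimate crawlers such as Googlebot also put a URL in their User-Agent, and blocking them site-wide would cost you search indexing.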
  • by WoTG ( 610710 ) on Friday April 07, 2006 @10:17PM (#15089258) Homepage Journal
    I run a quiet phpBB for forum support of some websites of mine. For the last few months SPAM has outnumbered real posts by a large margin. I tried a CAPTCHA module (I think it was the built in one) and it did next to nothing - they aren't programs, the posts are from humans who have (low paying) jobs to post links on message boards.

    I had reasonable success by limiting posts to people who have verified their email address -- I think that that was also a feature of a recent phpBB update.

    But the spam still outnumbered posts, so in the last two weeks I've added these two phpBB mods:
    http://www.phpbbhacks.com/download/4878 [phpbbhacks.com] - this mod checks each registration IP address against the dns blacklists. I think that it improved the situation, but it didn't stop the problem out right, and I still had to clean up the board once in a while.

    http://www.phpbbhacks.com/download/6208 [phpbbhacks.com] - this mod gives a really easy way to delete a user and all of their posts at once. It's not a fix, but it's turned out to be the best solution. It only takes a few seconds to undo the damage from any one individual, no matter how many spam posts that they have made. A person could spend 20 minutes registering and posting 20 messages and I have to spend 20 seconds nuking the account and all its posts. It's a fair trade, and I get some small satisfaction in that!
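What the first mod above does at registration time, checking the client IP against DNS blacklists, as an added example that is not the mod's own code. The zone names are placeholders (the comment does not say which lists were used); the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

# Placeholder zones; substitute the DNSBLs you actually subscribe to.
DNSBL_ZONES = ["dnsbl.example.invalid", "spamlist.example.invalid"]


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet lookup name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def default_resolver(name):
    """Live lookup: return the A record as a string, or None when unlisted."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zones=DNSBL_ZONES, resolve=default_resolver):
    """Return the first zone listing the IP, or None.

    DNSBLs answer a listed address with a record in 127.0.0.0/8; anything
    else (including a misconfigured zone returning a public address) is
    treated as not listed rather than as a positive hit.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in loopback:
            return zone
    return None


def registration_allowed(ip, zones=DNSBL_ZONES, resolve=default_resolver):
    """Policy hook for the registration form: reject listed addresses."""
    hit = is_listed(ip, zones, resolve)
    if hit:
        return False, "address %s is listed in %s" % (ip, hit)
    return True, "not listed"
```

As WoTG found, a DNSBL check only filters addresses already reported elsewhere; keep the fast account-nuke path for whatever gets through.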
  • mod_security (Score:2, Informative)

    by fthiess ( 669981 ) on Saturday April 08, 2006 @01:04AM (#15089649) Homepage
    I've had quite good luck by using Apache mod_security (modsecurity.org) to filter web activity. Yes, all the suggestions people have been giving about CAPTCHAs, blocking people with addresses in high spam domains, etc., are all good and useful, but mod_security lets you cover a base those approaches are missing: it lets you block spammers from posting spam, even if they somehow manage to get through your registration defenses. I use a mod_security ruleset based on one published at http://gotroot.com/tiki-index.php?page=mod_security+rules [gotroot.com] which watches POST content for URLs and terms commonly used in spam postings, and blocks them--in addition to rules that are more traditional for mod_security, such as blocking phpBB exploits--which I've also found it to be invaluable for. I administer several forums and wikis that were having quite bad problems, even with CAPTCHAs, email verification, and so on... but the problems pretty much went away once I pulled mod_security into the battle.
  • by Baricom ( 763970 ) on Saturday April 08, 2006 @06:20AM (#15090192)
    "Stick this all in a central control panel and it's unlikely to take up more than 10 minutes of your time."

    I basically gave up on blogging because I had to sort through 500 spam comments a day. I know another blogger who had to clean 7,000 (yes, thousand) spams out of his blog every day.

    It took both of us longer than 10 minutes.
