
Preventing Forum Spam-bots? 124

A concerned reader asks: "Recently it seems that forums have become the new target for spam bots advertising everything from porn to casinos. The forums that I admin are constantly harassed by these bots even though you must enter the visual confirmation code (the picture with letters/numbers) as well as reply to an e-mail in order to register. This only started a few months ago so I'm suspecting that some new spam program was released that somehow gets around these anti-bot measures. How can I get rid of these annoying bots?"
This discussion has been archived. No new comments can be posted.

  • by croddy ( 659025 ) on Friday April 07, 2006 @06:00PM (#15088182)
    Before you implement a captcha, please consider the effect this will have on visually impaired users. Obviously, any system relying on an image will not be accessible to blind people; systems making use of colored images may not work for colorblind people. Providing audio captchas would help, but this will be a problem for people who are deaf -- and one cannot simply assume that users are not both deaf and blind.

    I have seen some captchas that ask users in plain text to solve a simple arithmetic or logic problem. This is going to be far more accessible than anything relying on embedded media.

    If you're sure that none of your users are blind or colorblind (which would be plausible only for an extremely small user base), then I suppose something like KittenAuth [arstechnica.com] might be appropriate.

  • by etymxris ( 121288 ) on Friday April 07, 2006 @06:00PM (#15088183)
    Add hidden variables to submission forms that change every day. This will force the bot software to do pagescraping for your specific webforum, which probably isn't worth their time. They will go to the easier targets first.

    But if they are defeating captcha, there is probably someone who just sits there manually spamming forums through anonymous proxies. The amount of money that can be made by doing this spamming is probably enough to pay people with lower standards of living to just do it manually. And if that's so, there's just no way to get around it. I started logging how many bots the captcha and hidden variables were catching, and it was tons. Still, I get spammers. Just not nearly as many.
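
An added example (not part of the original thread, and not any commenter's code) of the hidden-variable idea in the comment above: the hidden field's name and value are derived from a server-side secret and the date, so a recorded form stops working within two days, and rejections are counted as the commenter describes logging them. The secret, the `f_` prefix and all function names are assumptions for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"constructed-demo-secret"  # assumption: per-site secret, kept server-side


def daily_field(day, secret=SECRET):
    """Return the (name, value) of the hidden input for the given day."""
    digest = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).hexdigest()
    # Both the field name and its value rotate, so a bot must re-scrape the form.
    return "f_" + digest[:12], digest[12:44]


def render_hidden_input(today):
    """HTML fragment to embed in the registration or posting form."""
    name, value = daily_field(today)
    return f'<input type="hidden" name="{name}" value="{value}">'


def check_submission(form, today):
    """Accept today's field, or yesterday's for forms loaded before midnight."""
    for day in (today, today - timedelta(days=1)):
        name, value = daily_field(day)
        supplied = form.get(name)
        if supplied is not None and hmac.compare_digest(supplied, value):
            return True
    return False


def tally(forms, today):
    """Count accepted and rejected submissions, for logging how much is caught."""
    counts = {"accepted": 0, "rejected": 0}
    for form in forms:
        counts["accepted" if check_submission(form, today) else "rejected"] += 1
    return counts


if __name__ == "__main__":
    today = date(2006, 4, 7)
    old_name, old_value = daily_field(today - timedelta(days=7))
    good_name, good_value = daily_field(today)
    submissions = [  # constructed sample submissions
        {good_name: good_value, "message": "hello"},
        {old_name: old_value, "message": "replayed week-old form"},
        {"message": "no hidden field at all"},
    ]
    print(render_hidden_input(today))
    print(tally(submissions, today))
```
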
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Friday April 07, 2006 @06:08PM (#15088228)
    Comment removed based on user account deletion
  • by Xibby ( 232218 ) <zibby+slashdot@ringworld.org> on Friday April 07, 2006 @06:15PM (#15088267) Homepage Journal
    The forums that I run have a "If you are visually impaired or cannot otherwise read this code please contact the Administrator for help." with a mailto link.

    This has yet to be a problem as the forums that I run are orientated around shooters or MMPOGs. :)
  • Be proactive! (Score:4, Insightful)

    by BertieBaggio ( 944287 ) * <bob@@@manics...eu> on Friday April 07, 2006 @06:19PM (#15088289) Homepage

    There are a number of options you have, depending on how aggressive you want to be. You may have implemented some of these suggestions already, but they may help other forum admins in a similar quandary.

    Firstly, disable anonymous posting. What works for slashdot does not necessarily work for phpbb. This may sound obvious, but a forum I check on now and again is slowly haemorrhaging members due to guest bot spam.

    Secondly, find yourself a list of public proxy servers. Ban them. Find some more. Ban them too. Also, take note of the IPs the spambots were using to post. Ban them as well (unless they are AOL IPs -- be smart and do an nslookup). Keep this list of banned IPs, and share them with the blacklist groups, or other forum admins you know. You help them, they help you.

    Thirdly, augment your signup process. You say you are using CAPTCHAs, but if the bots are getting around or through them, you have to do more. Write a few hundred straightforward questions; you can get your community to help you for this one. Have one or two of those questions displayed at registration time, along with the CAPTCHA. For example:

    Which of these is not one of the seven dwarves?

    • Doc
    • Sleepy
    • Bashful
    • Horsey

    Or would you like another question ?

    Keep this as simple as possible. "What color is the sky?" is about the level you are looking for. A bot won't be able to answer these unless it is specifically programmed to. Need I say you should serve a random question?

    For bonus points on this one, make the questions something to do with the topic of the forums. If the forums were about widgets, you could ask something (really basic) like "What is the most common color of widget?". Or make some of the questions about the TOS. You know, the thing everyone checks the box saying "I agree to abide by the TOS". This may alienate some people, though, which you may or may not want. Also remember to consider non-native English speakers.

    If you are still getting those darned bots, consider manually approving by hand all registrations. This will obviously depend on how many new signups you get, and what kind of manpower you have (think moderators and "trusted community members"). On the other hand, you should be able to spot and stop bots right off the bat.

    But why stop there? Be even more proactive! Set up a honeypot. Disallow a certain directory with robots.txt, and ban all IPs that find their way there. Include an invisible link to the disallowed location and see what falls in the trap. Remember that blacklist you started earlier? Add (and share) these IPs!

    Finally, let your community know what you are doing. They will appreciate the effort (If you have noticed the spam, so have they). Set clear guidelines, and encourage community vigilance.

    In the end, remember: spam is beatable.
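
An added example (not part of the original thread) of the robots.txt honeypot described in the comment above: it reads the disallowed paths from robots.txt and lists the client IPs in an access log that requested them anyway. The robots.txt, the log lines (documentation-range IPs) and the function names are constructed for illustration, and the parser is a simplification that ignores per-User-agent groups.

```python
import re

ROBOTS_TXT = """\
User-agent: *
Disallow: /trap/
"""  # constructed; /trap/ is a hypothetical honeypot directory

ACCESS_LOG = """\
192.0.2.10 - - [07/Apr/2006:18:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [07/Apr/2006:18:01:05 +0000] "GET /trap/ HTTP/1.1" 200 312
198.51.100.7 - - [07/Apr/2006:18:01:06 +0000] "POST /posting.php HTTP/1.1" 200 901
203.0.113.44 - - [07/Apr/2006:18:02:11 +0000] "GET /trap/join.html?x=1 HTTP/1.0" 404 210
192.0.2.10 - - [07/Apr/2006:18:03:00 +0000] "GET /trapdoor-review.html HTTP/1.1" 200 4410
"""  # constructed sample lines in common log format

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def disallowed_prefixes(robots_txt):
    """Collect every non-empty Disallow path (User-agent groups are ignored)."""
    prefixes = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes


def trap_hits(log_text, prefixes, allowlist=frozenset()):
    """Map each client IP to the number of requests it made under a trap path."""
    hits = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than guessing
        ip, path = match.groups()
        path = path.split("?", 1)[0]
        # Prefix match on "/trap/" so "/trapdoor-review.html" is not a hit.
        if ip not in allowlist and any(path.startswith(p) for p in prefixes):
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    for ip, count in sorted(trap_hits(ACCESS_LOG, disallowed_prefixes(ROBOTS_TXT)).items()):
        print(f"{ip}\t{count}")
```

The `allowlist` argument is there for addresses that should never be banned, such as the admin's own.
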

  • by c0d3h4x0r ( 604141 ) on Friday April 07, 2006 @06:20PM (#15088295) Homepage Journal
    "Captcha" techniques aren't bulletproof. If someone can automate all but the "captcha test" part of the posting process, then someone can sit and repeatedly answer the captcha test and still post spam pretty efficiently.

    The only truly effective way to stop this crap is to require a certain amount of time to elapse before being able to post another post, like the way Slashdot does it, and to implement some kind of moderation+filtering system so the crap can all be modded down by vigilant users. Combine that with a couple other requirements (you must have a user account to post, and new users can't post for the first 48 hours), and you'll easily squash the spam problem.

  • by John Miles ( 108215 ) on Friday April 07, 2006 @06:53PM (#15088480) Homepage Journal
    That's actually a really good point. You could require a GMail account for registration -- effectively leveraging Google's spamfighting capabilities for your own purposes.
  • by Dr.Evil ( 47264 ) on Friday April 07, 2006 @07:38PM (#15088692) Homepage
    If you read the article introducing the kittens concept, you'll see that the author intends it to be customized to each site, thus preventing spambots from simply memorizing the pictures. And randomly picking three out of 9 images only gives a possibility of success of 1/84, better than many word captchas are achieving these days.

    Anyone who wants to custom-program a bot for a single site would just be better off manually posting their spam.
  • by Fulcrum of Evil ( 560260 ) on Saturday April 08, 2006 @12:18AM (#15089531)

    While not illegal, some may consider it amoral to discriminate against stupid people.

    Immoral? Hell, it's a moral imperative!

  • Re:Grace period? (Score:3, Insightful)

    by FLEB ( 312391 ) on Saturday April 08, 2006 @12:46AM (#15089603) Homepage Journal
    It would work reasonably as well in reverse: Allow the person's posts, but forward them to a moderator. If the moderator determines them to be spam, that poster gets the boot (along with all their posts). Add in some intelligent "Find Similar" logic, and you'd have y'erself a good start at a forum anti-spam system.
  • by Baricom ( 763970 ) on Saturday April 08, 2006 @06:15AM (#15090186)
    I've wondered what would happen if you distorted the CAPTCHA using a site's name or URL instead of a random background. Do you think at least some people would hesitate a moment if you went to some random porn site and had to type a CAPTCHA with slashdot.org watermarked in the background?
