Category_Forum Administration, Category_Moderation, Category_Security and Privacy, Category_Webmaster - January 28, 2015

Fighting Spam Effectively: The Three Layer Defense

Fighting spam effectively can be difficult, but using three different technologies, it can be quite achievable. Forums do not need to use member validation, or impose the requirement to first post in a particular forum. Instead, a forum needs to use the following three techniques to form a passive and active defense against forum spam.

Defense Layer #1: Good Anti-Spam Software The most important aspect to any spam defense is software. Within this "Layer," an administrator should use four different technologies to defeat spam. Those technologies are as follows.

reCAPTCHA: Google's reCAPTCHA is currently the most effective anti-spam mechanism. There are other tools which integrate ads, or allow the user to simply slide a bar to verify that they are not a spam bot, but these are less effective. There are reCAPTCHA plugins for all major forum systems.
- MyBB: http://mods.mybb.com/view/recaptcha
- phpBB: https://developers.google.com/recaptcha/old/docs/phpbb
- IPB: Built-In.
Q&A CAPTCHA: For bots which are sophisticated enough to split past reCAPTCHA, Q&A CAPTCHA is a very effective defense. Simply define a few custom questions, such as "What is the name of this forum," or classically, "What color is the Sky?" and most bots will not be able to create accounts. Note that for larger forums, a bot may be designed to know the answers to these questions, so this defense should be used in conjunction with reCAPTCHA.
- MyBB: http://community.mybb.com/thread-83250.html
- phpBB: https://www.phpbb.com/support/docs/en/3.0/kb/article/how-to-configure-q+a-captcha/
- IPB: Not necessary because of IPS Spam Services
Email Validation: This is a feature which most modern forum systems use by default. It stops a very large number of spam bots, but not all. This is most likely enabled on your board by default, but if not, I recommend enabling it.
Spam Databases: There are a number of alternatives for different spam databases to use. For IPB users, IPS Spam Services (which is bundled with your IPB License) is extremely effective, and prevents a vast majority of all spam. For non-IPB users, StopForumSpam is a very good option to use.
- All major forum systems: http://www.stopforumspam.com/contributions
- IPB: Use IPS Spam Services, which is built in to IPB.

Defense Layer #2: Permanent Bans & Cleanup Tools Despite the strong defenses of layer #1, there is a class of spam bots which will evade them, and still cause issues on your forum. If your forum is large enough, these potential spam bots include human beings. The most effective tool for dealing with spam bots who have passed through layer #1 are immediate, permanent bans. But also, you will need to use a good removal tool to remove their content from your forum. Below are instructions on how to do this on major forum platforms.

MyBB: Use the following plugin, or the "Delete User" feature of the ACP: http://mods.mybb.com/view/goodbye-spammer
phpBB: Refer to the following support topic: https://www.phpbb.com/community/viewtopic.php?f=46&t=1187175
IPB: Hover over the user's name and click "Mark as Spam." Searching "Mark as Spam" in the ACP will allow you to configure what this button does.

However, there are some spam bots which are so clever, that even the most intelligent admins cannot be sure that they are spam bots. There is one final defensive layer to use against these nasty customers.

Defense Layer #3: Moderator Queue Sometimes, a user will register, post a perfectly allowable topic asking a question like "What dating script should I use?" Once a couple members have replied, then will then say "Actually, I decided to use . It's a very good product!" When a new user posts something suspicious, the admin should then add that user to the moderator queue. That way, if the user turns out to be a real person, and it was all a misunderstanding, then the user can be taken off the moderator queue. Here are instructions on how to do this.

MyBB: Create a new group and check "Moderate new posts" on the edit group page. Add suspected spammers to this user group as their primary user group.
phpBB: Create a new user group, and configure its permissions for each forum to "Moderate new posts." Doing this is beyond the scope of this tutorial, although a google search for "phpBB Moderator Queue" will help configure this. When you identify a suspected spammer, add that user to this user group.
IPB: Create a new user group. When editing the group, under Forum -> Restrictions, set "Moderate content of everyone in this group?" to "Yes." When you identify a suspected spammer, add that spammer to the user group you just created. Make that the user's primary user group.

Basically, the moderator queue requires moderators to manually approve each post by the user. This can be burdensome, but if a user continues to spam after being added to the mod queue, then the admin can then proceed to ban the spammer. NOTE: Do not set up your forum to add newly registered users to the moderator queue, unless you are very certain that that is a good idea. Only add spam bots who get past layers 1 and 2 of your anti-spam defenses to the mod queue, and do so manually via the ACP. Adding all users to the mod queue by default will discourage them from posting.

Conclusion Spam is a problem which many forums have. Using a three-layer defense, administrators can thwart all spam, and keep their forum clean of advertising. If you found this tutorial useful, or have any questions, please leave a comment on this blog post. Thank you for reading!