Anti-spam issue

[Ghost]

Since July 12, 2012 (the day GeekPath started) my main anti-spammer plugin has stopped 842 spammers from registering. However, in that time it has also stopped regular users from registering.
While many of my registrations come from other sites that I belong on, I won't know if a normal user that finds us from Google gets denied access.

What, in your opinion, is the best way to fix this issue? 842 blocked spammers (automatically) is worth not having a few members. However, not having those few members potentially leads to us not getting loyal, high posting members.

 

[pandaa]

Well, you could consider making it a little easier, if you have time to eliminate spammers. A few have gotten through even with this plugin, but I would be willing to knock out a few more. 😉

 

[Ghost]

pandaa. Our course of action, as recommended by Mark, will be the following:
Install a good reCaptcha plugin.
Add random security questions.

I will also:
Add a random, hidden field that bots will auto fill, but the registration will only be accepted if it is blank.

Block certain countries: Russia, certain Asian places, Poland and other European countries.

Add plugins that do the following (I've seen these around):
*Disable the posting of links and links in profiles to newly registered users.
*Spam detector - detects spam and puts users on moderation that are detected.

and do the following:
*Add more filters/censors that disable emails with multiple periods (. signs) in them.
*Disable a large list of email extensions (@____.__) that are known to be affiliated with spammers and 10 minute mail sites.
*Lock out people from the site that try to register more than once. Often people who register and get denied try more times. I have about 12 attempts each from a few denied spam bots.
*Enable stricter rules.
*Add a captcha to even VIEW the registration page
*Add an extra, custom page to the registration page that forces users to click a button to finish the registration. OR add a custom bubble that must be clicked (in addition to agreeing with terms&conditions) to register.
*add a captcha for newpost/newthread/etc for the first 1 post of any user.
*add a large list of known spammer emails/usernames/IPs to the autobanlist

 

[Fergal]

my main anti-spammer plugin

Which plug in are you using?

When you block spammers you should try to re-direct them to a contact page and encourage them to contact you, if they believe they have been unfairly blocked. That way real humans who genuinely want to get in touch with you will have an easy way to contact you, if they want to be a member of your site.

The measures you outline in post #3 sound great, the only thing I would caution is that you don't make it excessively difficult for genuine members to register. It should only take a minute to register on your site and if you make it difficult people wont take the required time.

Unfortunately it's difficult to get the balance right between blocking as many spammers as possible and having too many false positives.

 

[CyberFreak]

Am I right in guessing that you are using a plugin that integrates stopforumspam.com checks into the registration process? If so, the chances of false positives can be reduced by doing any of the following:

1) Disable username checks against the API (High chance of innocent users being stopped)
2) Don't block based on IP (Can in some cases result in innocent users being caught up). Email checks are more reliable as only that user has access to that email where as with IP's, users can easily change their IP and another user could be assigned that dirty IP.
3) Make use of the frequency it appears in the database or the confidence score given by the SFS API.

The key to stopping spammers is a layered approach. Don't rely on just one method. Use a mixture of different method such as a hard to Google Q & A, a required profile field, utilize checks against a forum spam database and block common spam domains. Also make use of a newly registered group if your forum software allows you to set one up so they can't set a signature for example or so their first post needs to be moderated. There are even mods available that allow you to force posts into the moderation queue if the post contains a certain word. If users have no reason to post url's with their first post, you could also consider disabling new users from posting URL's in their first few posts.

You will never get a perfect solution and there will always be some innocent users that get stopped and some spammers that get through but there is alot that can be done to bring the number of spammers down to a manageable level while not being too strict and blocking most of the world from accessing your site. Blocking server IP/webhosts can be OK to do but blocking whole countries or whole broadband providers can be a bit too strict in my opinion.

add a large list of known spammer emails/usernames/IPs to the autobanlist

That is probably not the best thing to do. Spammers cycle through usernames, emails and IP's pretty quickly if they want to and alot do. By the time that you block the information, the spammer has probably changed their information causing alot of the information you have in your ban list to become redundant. Also some spammers use common names so adding them to a ban list can annoy legit users. That is also why I suggested disabling username checks if you check against forum spam databases.