Spam fighting update

I'm very sorry about the flood of spammy notification e-mails sent out from last night's spam deluge. I stopped it by disabling registration.

We still don't know how these users are getting through. I suspect our StopForumSpam API key was not being accepted, as we were receiving errors when trying to manually report. I no longer get those errors now.

In the short term, I could use help auditing my probation plugin (we need to make sure that Twitter registration users are placed on probation). We also probably need to make sure Captcha is done during Twitter registrations.

Long term I'd like to address the spam profiles (that don't post discussions). It looks really unprofessional that elgg.org hosts stuff like this. Some brainstorming:

  • Would eliminating all URLs from profiles help? We could hide them until the user earns karma in some way.
  • Admins should see more data on user profiles, like account creation time, system email, origin (form, Twitter, or manual creation), # content objects, last few IPs (with geo links).
  • Agreed with Michele. We all have issues with spam. We will come up with something to stop those spammers. Thank you for this awesome community.

  • On one of the client sites that was suffering from a flood of spam, I disabled the registration page and loaded the form via AJAX. No spam so far.

  • If you cannot delete and report users as spammers, stopforum is most likely down or throttling. And that happens quite often in my experience. While it is down, registration is still functioning. You might consider disabling registration if stopforum is not responding, or indeed probational access while under review and maybe allow posting, but do not send out notifications while under review and also do not allow friending or sending messages for the first few days.

    Another big spam concern is those who register 10 minute email addresses. There are a lot of sites allowing people to register their own domains for free. I have not come up with a solution for that. Any ideas on how to stop those?

  • On that last topic, this is worthwhile reading. http://www.sitepoint.com/stop-the-use-of-disposable-email-addresses-in-wordpress/

    You can use the plugin email_ domains to create a list of the mentioned disposable email domains. Maybe I (or someone else for that matter) will write a plugin to query this API http://www.block-disposable-email.com/, so we don't have to keep track of disposable email addresses ourselves.
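
An added example, not part of the thread and not Elgg or StopForumSpam code: one way to express the policy the two comments above describe, refusing sign-ups from disposable e-mail domains and failing closed when the reputation lookup is down or throttling, with new accounts on probation otherwise. The `reputation_lookup` callable, the domain list, the action names and the three-day window are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; a real deployment would load a maintained list.
DISPOSABLE_DOMAINS = {"tenminute.example", "throwaway.example"}
PROBATION_DAYS = 3  # assumption: the thread only says "the first few days"
# Per the comment above: posting stays allowed, these actions do not.
BLOCKED_ON_PROBATION = {"send_notification", "add_friend", "send_message"}
ALLOW, PROBATION, DENY = "allow", "probation", "deny"

@dataclass
class Signup:
    email: str
    ip: str
    origin: str  # "form", "twitter" or "manual", the origins named in the post

def email_domain(email):
    """Return the normalised domain, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    return domain if sep and local and "." in domain else None

def is_disposable(domain, blocked=DISPOSABLE_DOMAINS):
    """Match the domain and every parent, so mail.throwaway.example is caught."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def decide(signup, reputation_lookup):
    """reputation_lookup(email, ip) returns True if listed; it raises OSError or
    ValueError when the service is down, throttling or answers with garbage."""
    domain = email_domain(signup.email)
    if domain is None or is_disposable(domain):
        return DENY
    if signup.origin == "manual":
        return ALLOW  # created by an admin, already vetted by a human
    try:
        listed = reputation_lookup(signup.email, signup.ip)
    except (OSError, ValueError):
        return DENY  # fail closed: no verdict means no new account
    # Form and Twitter sign-ups alike start on probation, never as full members.
    return DENY if listed else PROBATION

def may_perform(action, state, account_age_days):
    """Gate an action for an account in the given state."""
    if state == DENY:
        return False
    on_probation = state == PROBATION and account_age_days < PROBATION_DAYS
    return not (on_probation and action in BLOCKED_ON_PROBATION)
```

Returning `PROBATION` instead of `DENY` in the `except` branch gives the other option the comment mentions, probational access while the lookup service is unavailable.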

  • My +2 cents here is.

    We've tried some methods: captcha, another register URL, new register action, blocking IP/emails etc

    But excellent Xrumer cracks these solutions very well.

    3 days ago we just changed the fields in our custom (and renamed) register form/action (name, username, password, email...).

    The result: a spam registration was stopped.

  • Being frank here, community's problem is mostly that no one on the core team wants (or has time) to work the problem. Consider making this choice:

    Adding spam-fighting features to community takes hours because it involves diving deep into the weeds of our existing spam "solutions". And if it doesn't work, that time was a waste and we have to spend 30 to 60 minutes cleaning spam from the site, and spammy notifications still went out, and it looks awful and bothers tons of existing users.

    Manually making a new account takes less than a minute, involves a pleasant interaction with a human, and yields about 0% spam.

    Obviously this situation isn't ideal for new users and won't scale, but for the moment I'm happier plugging my time into Elgg features.

  • We've not been able to find an answer to spam registrations for many, many years now. No matter what we try, no matter what plugin we use, they just keep coming. I would be happy to manually approve every legit registration, but then how do we know who is legit and who is not? If we would turn off registration somehow, then how would you suggest that the legit people register? We've just not been able to find a solution, so we stopped using elgg completely. Would love to, just too darn many nasty folks that register for no reason other than to do us harm.

  • all i did was monitor which IP addresses were creating the spam accounts and then blocked their IPs. no more spam!

  • Thank you ura soul. So I understand. You allow everyone to register and then you block their IP address when you recognize they are spamming your site? Question: What plugin do you use to block the IP addresses?

    Our problem here is that if we allowed everyone to register and then we had to monitor each, it would be really time consuming. Sometimes we could get several hundred new registrations in a day.

  • you can use spam login filter to do this somewhat automatically, but i found that in the past it wasn't catching all the spammers (though it did a good job for a while). so during one period where i was getting a lot of spam from one particular location on earth, i just looked at the profiles involved, looked at the IP used to create them (using the IP tracker plugin) and then added the IPs to my server's firewall block list. i have about 120 IPs in there and haven't had any spam at all for probably over a year.

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.