Spam and Elgg | Ways to fight it.

Hello all!

Recently I've been involved with a high profile and very important project based on elgg. It is being protected by the known tools against spammers:

-Spam Login Filter (Fasim and stopspam key enabled)

-Spam Throttle

-Akismet Anti Spammer


-Country based block

However, still bot spammers are getting through after day two of being online.

How can I prevent such thing?

How can we do to protect elgg against any known and future spammers?

How are other elgg projects handling spammers? How is the elgg community handling spammers?

I would like to hear some insight from all of you, involved with elgg projects.



  • @iconMatrix doesn't Spam Login Filter already have that capability though?

    I had an idea involving using the user points concept (see existing plugins) in order to help with spam.  The idea is to use points like a sort of currency where good actions and content earn positive points and potentially bad actions cost points.  For example posting a comment with a link might cost 3 points.  Posting a blog post might cost 3 points for every link within it.  Posting a link within a profile might cost 3 points for each link.  OTOH users could earn positive points by logging in during a 24 hour period or say posting content which is not moderated after X days (allows the admin time to notice spam). The idea is to still allow real users full access while making it extremely difficult for spammers to do what they want (to post spam links). 

    Something more simple like disallowing all links for the first seven days (or until manually approved) might go a long way to remove the incentive to spam. 

  • Why would you want to manage spammers, that's like telling crooks not to use a gun because that would be bad. They don't care. Find them, then eliminate them

  • If they are unable to do any beneficial (for them) actions they will eventually cease.  That is what it really is about not so much moderating users in that way.  Real users would tend to accumulate enough points where they are practically immune.

    I noticed if I did not install spam prevention plugins I would soon get thousands of spammers a day.  If I installed the plugins (and submit their IPs to community blacklists) but left the site alone for a week it would pick up to hundreds of spammers a day by the end of the week.  But If I police a site many times a day and remove every single piece of spam which gets through religiously for weeks at a time it all stops dead and they no longer even try.

    I've seen evidence that there is a real human going through and testing my defenses after I made some changes.  It seems once they see that there is no way they can do anything useful they pretty much give up. :)

  • I haven't had any issues after using the known techniques you've listed.  Is it a current version?  I know there were some security fixes that dealt with a work-around for registration.

    Turn on the email notification from spam_login_filter to see if it's even blocking any - I get about 20 a day, which lets me know it's working.

  • Agree with dhrup that deleting spam is actually bad long term. Core needs to provide a way to mark as spam and quarantine it for processing later on. Swarm if you'd like to see this happen.

    At the end of the day you also need some kind of training system that looks at your DB and does classification based on some "features" that you give it. For the sake of privacy it seems like this would have to run within each instance of Elgg, not deferring to a third party, but I suppose we could make the system extensible enough to include third party signals as features. Right now the community has hard-coded custom rules that detect spammers (e.g. if the number of messages sent in a few minutes is above a certain threshold, mark as spammer). Basically you need to be able to write custom code if you want to fight spam, or go try a bunch of plugins and see if they work. We should be making it a lot easier than that, and spam fighting should definitely be a stock Elgg feature, not a plugin.

  • i got caught with my spam wall-blocks not q setup (tootally forgot..)  @ one of my demo/test elgg domain & those dangz spammer botz got in with ~2000 spam users who actually look quite real!! damn!
    and.. i noticed one was actually posting junk as i watched...
    sooooo as he was working so so harddd --> 
    i emptied all the database tables...!!!!


  • just tested a slightly new way to detect & confirm spam registers without giving any hint/s to the spammer as they register that they've just been given the wild-merry-go-around and they don't even know what's hit them, and they'll try again and again until they figure out they've been had and all their precious time been's wasted so much. anyone here interested in this new trick will need to PM me, be known to me as an Elggster from before from their activity. i'm not giving any secrets away just in case a real spam artist wants some of my logic logic to analyze against their bots.

  • Great Dhrup! May be you can roll out an alpha version.

    Also I was thinking about a name verifier or something like that. There has to be a way to properly defeat spammers.

  • Reason stated by DDS is why I choose to eliminate instead of managing their damage, today, so far I received registration requests from, and all of them with a China IP. Which one do you think I should let in to award a star for being a nice blogger.