Spam fighting update

I'm very sorry about the flood of spammy notification e-mails sent out from last night's spam deluge. I stopped it by disabling registration.

We still don't know how these users are getting through. I suspect our StopForumSpam API key was not being accepted as we were receiving errors when trying manually report. I no longer get those errors now.

In the short term, I could use help auditing my probation plugin (we need to make sure that Twitter registration users are placed on probation). We also probably need to make sure Captcha is done during Twitter registrations.

Long term I'd like to address the spam profiles (that don't post discussions). It looks really unprofessional that hosts stuff like this. Some brainstorming:

  • Would eliminating all URLs from profiles help? We could hide them until the user earns karma in some way.
  • Admins should see more data on user profiles, like account creation time, system email, origin (form, Twitter, or manual creation), # content objects, last few IPs (with geo links).
  • i found that using domain blocking was not practical for me, since domains were sometimes ones that anyone could use, just like an IP address. the reason i went with IP address is that it worked! if the spammers were using dynamic IP addresses then a) they would probably have returned and b) i would need a different approach. since all of my spam was coming from specific locations (which are locations i do not target for my site), i did not see it as a risk to block them. some people took the desperate measure of blocking entire nations from their server to get rid of the spam! at least i didn't go that far! ;)

  • it would be good if spam filter login had a custom page that is displayed to those that are blocked, giving them the option to send a message about why they should be unblocked.

  • use version 1.10 and up to the moment I have no problems with spam thank God

  • I agree with all that has been discussed on this topic of spam fighting update discussion. In addition, I gave a suggestion on how to make an elgg spam plugin work and the discussion can be found here.

    In the past I have used two Elgg Plugins that I developed and I have only 5 spammers who were able to go through for the last 4 years and I suspect that those accounts were registered by humans during registration and then later linked to automated computers to spam the site. Here are the plugins:  Elgg Captcha  and Elgg Hammer  

    Elgg-Hammer uses its own php-session-like-but-better client tracking mechanism … Elgg-Hammer's storage mechanism (a serialized array in a flat file) is the same as a php session, too. And like a php session, it is anonymous; aside from the hammer time info, it store no other data server-side

    The main aim is to make the Elgg Captcha only be activated once the Elgg Hammer has detected the a spammer activity  just like Facebook does so that the law abiding elgg members should not even notice those Plugins in action.

    For example, I used the Elgg Captcha for a blog post once a user is suspected to be a spammer and I have only had 3 spammers from china who manage to post spam blogs for the past 4 years!

    I could have written more but I have to stop here and attend some other functions at the moment. Hope this can help someone.

  • The Spam Login Filter plugin already has a plugin setting to display a custom page if someone gets blocked. By default this page displays "You're not allowed to view this page. If you want to know more, please contact the site administrator and provide your IP address (%s) as reference." The view that creates the output of this page is in mod/spam_login_filter/views/default/spam_login_filter/403.php and if someone wants a different content on the error page the view could be overridden by a plugin. Or if someone just wants to change the text shown, the language string spam_login_filter:403:description can be overridden.

    I think the important thing is that you not only install the Spam Login Filter plugin but also report the spammers back to StopForumSpam (can be easily done with the "Report and delete" option when deleting the spammer account) and to do the reporting and deletion as soon as possible and regularly. While this might not stop spamming immediately I think it will still have a positive effect in the mid to long term as the spammers will surely realize at some point that their efforts are fruitless.

    I also suspect that allowing account creation with 3rd party accounts (Facebook and maybe specifically Twitter) is used by spammers to get into Elgg sites. So, it might reduce spam if not allowing this.

    If it's not necessary for anonymous users being able to see the content of your site and if the content can be found via search engines, make your site a walled garden site and use a robots.txt to disallow crawlers to index your site. Spammers want to benefit from backlinks (higher ranking on search engine sites) and if they notice that it's on no use they might lose interest.

  • Some time ago I exposed how spam was completely gone after we removed the registration page and created a custom registration page. We don't even use captcha or spam login filter.


  • @RJ yeah I was thinking the same thing via Ajax.

  • i changed the pagehandler for my registration page and also had an ajax registration for a while.. however, i did still get some spam after that.

Feedback and Planning

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.