Elgg and Spam/Security

Seeing a number of spammers just on this site, and not having opened my Elgg site public yet, I wonder about keeping the spammers out. Now I realize that this site isn't using the same captcha system as the Elgg 1.7.1 default, but it still makes me consider if the default captcha is actually decent enough to use or if I need to look at replacing it.

Any thoughts, suggestions?

  • @RpgR

    I may sound somewhat naive.. but...

    We use the trad SiteAccess Captcha. We have 114K++ registered users.. Spam users level = almost 0%. When spammers hit us - we usually track them via their IP# using our home-grown IP Logger and within minutes they are killed. We might be lucky in this area - because with so many simultaneous users online - the users *will* report spammers and predators within minutes of being harassed and -- we can track the spammers via IP, country, state, city, etc and then zap ;-) Sometimes we have blocked whole countries because of spam activity from floating dial-up IP#s.

  • Are you referring to the captcha in the Site Access mod?

    Handling em after the fact isn't a problem, I'd just prefer to stop them at the door as much as possible :)

    I realize that no system is going to be foolproof, but some methods are better than others. I'll give vBulletin props, I never had much problem with spammers getting in under their captcha. Some yes, but it was quite minimal.

  • Yes SiteAccess captcha is what we use -- means 99% of spam-bots are blocked, only real human spammers get thru - those are the baddies we hunt via IP logs, etc.

  • Ok thanks, I'll take a look at that mod. Not much we can do about live vermin, but if I can stop most of the bots I'll be happy.

  • There's also "UnCaptcha" that either Brett/Cash wrote which is most probably a very good way to stop bots. Also Elgg v1.8 has a new PlugIn called "Visual_Captcha" (look in the SVN) that you probably should check out ;-) http://code.elgg.org/plugins/trunk

  • That VisualCaptcha appears to be what they are using here already...that doesn't boost my hopes.

    I'll look again at the UnCaptcha mod as well.

    Thanks again

  • As I understand it the spammers hitting this site are humans rather than robots.

  • My apologies if I come across as bashing on the captcha on this site a bit, wasn't really my intent, more just posting what I saw here as a common example plaguing lots of sites these days. I do have concerns about the visual captcha however. It would seem that without a significant library of images to select from, it's going to be an easier system to crack.

    Then again, I honestly know very little about the visual captcha you are using so my concerns may be moot as to the security of it vs. the standard captcha or something like recaptcha.

    Again, this isn't meant to be an attack on the site's captcha, more me wanting to find out possible more secure alternatives if they are available and relatively easy to work with both from a programming and user perspective.


  • On the topic, I decided to test out the reCAPTCHA system from Google. Works pretty well and quite easy to implement. So easy, I whipped up a replacement captcha mod for Elgg and posted it :)

  • cool - i will be taking a look at your plugin code just for fun ;-)