Elgg and Spam/Security

Seeing a number of spammers just on this site, and not having opened my Elgg site to the public yet, I wonder about keeping the spammers out. Now I realize that this site isn't using the same captcha system as the Elgg 1.7.1 default, but it still makes me consider whether the default captcha is actually decent enough to use or if I need to look at replacing it.

Any thoughts, suggestions?

  • Not bloody much of my code really in it.

    The start.php is mostly the original captcha plugin stripped of the captcha functions that were no longer necessary and a copy/paste/minor edit of the reCAPTCHA code.

    Same with the captcha.php file, merely a replacement of the old visual display with the reCAPTCHA called from Google.

    I just wrapped a bow around it and passed it along :)

  • RPG - you need to edit and enable comments on the plugin.

    Yes, I see that you packaged the Google code for Elgg, but anyway, smart piece of quick work ;-)

  • Hmm, I swear I did that, but lemme go check it.

    Isn't repackaging already written code a big part of the game? Why reinvent the wheel when it isn't necessary? Almost all of my modding of Elgg so far has been simply tweaking the existing code to fit my needs and repacking it as my own version for ease of upgrading later. Of course, that's one of the nice things about open source :)

  • As Cash hinted, captcha isn't much use against human spammers (rather than spambots).

    My flexreg plugin (part of the form and related suite of plugins) provides a couple of different options to deal with human spammers:

    a. you can set registration up to require that people enter a lot of content first and then allow admins to review and approve the account before it goes live, or

    b. you can set up a by-invitation-only site where you can send an invite message to a list with a unique invite code for each user. In that case, there is no need to confirm the email address, so the user is logged in immediately upon registration.

    Obviously using either of these approaches requires more work from the site operator but might be appropriate for niche professional networks that can afford to be picky about their membership base.

  • The human spammer, as I said, is a whole different proposition. Not much you can do more than some of the things you already listed. But also as you said, that puts a heavier load on the site operator. I find it easier to deal with the small number of spammers that do get through the other layers of security (such as they are) than I would having to approve every registration by hand.

    I'm more likely to implement captcha on every form to combat the human spammer. If nothing else it will slow them down if they have to do it every time and cost them time and money. Plus, I can always turn something like that off for 'trusted' or paid users.

    I did see an interesting honeypot idea in another mod, uncaptcha I believe, that has the site operator seed a hidden field into every form; if the form is returned with that field filled in, it was done by a bot. I might incorporate something like that as an additional layer. Again, it won't stop everything, but it's another way to hinder some.
  • Actually, if, in the case of form input within a timeframe after registration (first 24 hrs to first week), the captcha is called on all form inputs, you might have some success. I dare say you'd be slowing down the !!!$#@ and they may realise quickly that they are wasting their time...? (random thought)
  • @James

    Yes, I'm thinking along the same lines. You could fairly easily program a system that would enforce captcha for a period. I agree that just having to do the captcha every time they want to post a piece of spam should annoy them enough to go elsewhere. The problem, though, with a limited period after registration is: what about those who create a profile and come back months later to spam? Going by post counts or similar is kind of self-defeating because, well, they are spammers. Their post count will usually be fairly high :)

    At the same time, I'm looking to monetize the site as well and offering to remove the captcha restrictions and, say, ads for a minimal monthly fee... On the other hand, it's also best not to annoy your non-paying users too much or you'll never grow, so it's a toss-up.
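
The two mechanisms discussed in this thread, a honeypot field that only bots fill in and a captcha that is enforced for a period after registration (with an exemption for trusted or paid users), as one added example. This is not code from the thread, from the reCAPTCHA plugin or from Elgg itself; it is plain PHP with a thin wiring section at the end. The Elgg function names used there (register_elgg_event_handler, register_plugin_hook, trigger_plugin_hook, register_error) are assumed from the Elgg 1.7 API, the action names in the list are assumed, the 'captcha','verify' hook is a hypothetical handshake with whatever captcha plugin is installed, and the `trusted` metadata flag on the user is an assumed field.

```php
<?php
/**
 * Added example: honeypot field + time-windowed captcha enforcement.
 * Not code from the thread, the reCAPTCHA plugin, or Elgg. Elgg API
 * names and action names below are assumptions based on Elgg 1.7.
 */

// Name of the honeypot field. It is hidden with CSS rather than
// type="hidden", so a real browser shows nothing but a form-filling
// bot still sees an ordinary text input and fills it.
define('ANTISPAM_HONEYPOT_FIELD', 'website_url');

// Seconds after registration during which every form needs a captcha.
define('ANTISPAM_CAPTCHA_WINDOW', 7 * 86400);

/**
 * HTML for the honeypot input, to be echoed into every form.
 * The label tells screen-reader users to leave it blank.
 */
function antispam_honeypot_html() {
    $f = ANTISPAM_HONEYPOT_FIELD;
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="' . $f . '">Leave this field empty</label>'
         . '<input type="text" id="' . $f . '" name="' . $f
         . '" value="" autocomplete="off" tabindex="-1" />'
         . '</div>';
}

/**
 * Honeypot check over the submitted POST data.
 * Returns true when the submission should be treated as automated:
 * the field was filled in, or the field is missing entirely (the
 * form was not rendered by us, e.g. a replayed or hand-built POST).
 */
function antispam_honeypot_triggered(array $post) {
    if (!array_key_exists(ANTISPAM_HONEYPOT_FIELD, $post)) {
        return true;
    }
    return trim((string) $post[ANTISPAM_HONEYPOT_FIELD]) !== '';
}

/**
 * Decide whether this user must solve a captcha for this submission.
 * $registered and $now are Unix timestamps. Trusted/paid users are
 * exempt regardless of account age. A clock skew that makes the
 * account look "newer than now" still counts as inside the window.
 */
function antispam_captcha_required($registered, $now, $exempt = false) {
    if ($exempt) {
        return false;
    }
    return ($now - $registered) < ANTISPAM_CAPTCHA_WINDOW;
}

/**
 * Elgg 'action' plugin hook (assumed API). Returning false cancels the
 * action; returning $returnvalue lets it proceed.
 */
function antispam_action_hook($hook, $type, $returnvalue, $params) {
    if (antispam_honeypot_triggered($_POST)) {
        // Say nothing specific to the bot; a generic error is enough.
        register_error('Your submission could not be processed.');
        return false;
    }

    $user = get_loggedin_user();
    $exempt = $user ? (bool) $user->trusted : false;     // assumed metadata field
    $registered = $user ? (int) $user->time_created : 0;

    if (antispam_captcha_required($registered, time(), $exempt)) {
        // Hypothetical handshake: the installed captcha plugin answers
        // this hook with true when the response in $_POST is valid.
        $solved = trigger_plugin_hook('captcha', 'verify', array('post' => $_POST), false);
        if (!$solved) {
            register_error('Please complete the captcha.');
            return false;
        }
    }
    return $returnvalue;
}

/** Register the hook on the content-creating actions (action names assumed). */
function antispam_init() {
    foreach (array('blog/save', 'bookmarks/add', 'comments/add', 'groups/edit') as $action) {
        register_plugin_hook('action', $action, 'antispam_action_hook');
    }
}
register_elgg_event_handler('init', 'system', 'antispam_init');
```

The honeypot check treats a missing field the same as a filled one: a bot that posts directly to the action URL without fetching the form never sees the field, and that absence is as telling as a filled value. The captcha window is measured from `time_created` on the user entity, so it has exactly the weakness raised above: an account registered months ago and reactivated to spam is outside the window, which is why the exemption is a positive flag the operator sets rather than something derived from account age or post count.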

  • Agreed :-)

    Another random thought for the Elgg geniuses to consider. And I think this stems from my recent readings about an 'Elgg federation': an Elgg blacklist.

    We're all using Elgg, we're all dealing with spammers. Imagine a plugin the Elgg community could download and implement into their various sites, and that nightly or weekly it downloads an updated list of blacklisted IPs (or whatever detail is obtained/needed), and that this info comes from a central database. I'm not singing a John Lennon song here, but imagine if Elgg.org, the most likely-to-be-the-biggest producer of blacklist-worthy details, hosted the database. There's further consideration for whether the database is added to from inside the plugin (report this, the criteria, etc.). But I suspect this type of concept is food for thought on a united anti-spam front.

    *insert unnecessary guitar solo here*

    Sorry Cash & Brett for putting the onus on you guys in that random idea...  ;) hehe
  • LOL, bit of a plug and an evil thought.

    I just updated my reCAPTCHA plugin to allow it to be used on other forms in Elgg. (the plug).

    So now I can let the spammers register by turning off reCAPTCHA on registration, but enable it on blogs, bookmarks, comments, groups, etc., inflating my membership numbers and driving them batty trying to get anything done. (the evil thought)
    And, no I won't do this, but in a way it's tempting!