Elgg and Spam/Security

Seeing a number of spammers just on this site, and not having opened my Elgg site public yet, I wonder about keeping the spammers out. Now I realize that this site isn't using the same captcha system as the Elgg 1.7.1 default, but it still makes me consider if the default captcha is actually decent enough to use or if I need to look at replacing it.

Any thoughts, suggestions?

  • @James

    The blacklist is a good idea, but you'd have to have a reasonably quick method of resolving inadvertent blacklisting issues. You are going to get people blacklisted that don't belong on the list. Usually from IP banning beyond a single address, and even that can be an issue since many people do not have static addresses, and the spammers can certainly switch IPs. Even blocking groups is problematic.

    So you have to have someone dealing with those issues, which could turn into a full time job on its own.

  • It looks like the visual captcha was beaten by a bot on Friday. I don't have access to the server log to confirm this, but several accounts were created at a rate that is faster than I'd expect a person to be able to maintain.

  • What is the size of your image pool? From what I understand, that's the biggest flaw in the visual captcha system.

  • I don't know anything about it.

  • My site is full of spam: Elgg 1.7.1.
    It's frustrating to cancel all the accounts... there are now over 200 spam accounts on my Elgg site, and all about sex. I hope that reCAPTCHA is a solution, and I think that the captcha plugin isn't a good one at all. It's better to think also about Akismet to block spam and bots in a proactive action and to reduce queries on the database. :(

  • http://code.elgg.org/plugins/trunk/visual_captcha/ is the code for visual captcha.  There is a pool of 20 images, mostly because I was tired of picking out and resizing images by that point...

    Looking at the logs Cash seems to be right--On Friday a few bots (or the same one from different IPs, or a spam farm using a proxy) were able to crack Visual Captcha...I suppose the hunt continues...

  • Way too few images in the pool.

  • I think we need a plugin that would track all users' input and ban those that post only advertisements and links. With a bit of tweaking, such a plugin could detect patterns of user activity and ban those that don't match the pattern of regular users. Possible checks are:

    - whether his email is from gmail/yahoo/hotmail

    - whether his email contains numbers

    - whether the user's posts contain a spam pattern (links in profile, multiple links in river)

    - viewing (it's possible to track the times a user has viewed various pages)

    - whether the user has friends

    - whether the user has enough points (for joining and creating groups/posting/commenting/etc.)

    - whether the user has an icon

    - probably more

    In case the user doesn't have enough points, don't allow him to post and don't display the user's profile data.

    On elggdev.com I used a single rule: users can't post any content without belonging to a group. Since all groups are available by invitation only, this temporarily fixed the problem. I understand not everyone has so simple a solution, though.
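A heuristic scorer built from the checks listed above, as an added example (not Elgg code and not a plugin from this thread); the Account fields, the weights and the thresholds are assumptions, and the two sample accounts are constructed:

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed values: freemail domains to flag, and a simple link matcher.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


@dataclass
class Account:
    """Hypothetical per-user data a plugin would collect; not an Elgg entity."""
    email: str
    profile_text: str = ""
    river_posts: List[str] = field(default_factory=list)
    friends: int = 0
    points: int = 0
    has_icon: bool = False
    page_views: int = 0


def spam_score(acct: Account) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher means more spam-like. Weights are assumed."""
    score, reasons = 0, []
    local, _, domain = acct.email.partition("@")
    if domain.lower() in FREEMAIL:
        score += 1; reasons.append("freemail domain")
    if re.search(r"\d", local):
        score += 1; reasons.append("digits in email")
    if URL_RE.search(acct.profile_text):
        score += 2; reasons.append("link in profile")
    links = sum(len(URL_RE.findall(p)) for p in acct.river_posts)
    if links > 1:
        score += 2; reasons.append(f"{links} links in river")
    if acct.river_posts and acct.page_views < 3:
        score += 1; reasons.append("posts without browsing the site")
    if acct.friends == 0:
        score += 1; reasons.append("no friends")
    if not acct.has_icon:
        score += 1; reasons.append("no icon")
    return score, reasons


def may_post(acct: Account, min_points: int = 5, max_score: int = 5) -> bool:
    """Gate posting on a points threshold and the score (thresholds assumed)."""
    return acct.points >= min_points and spam_score(acct)[0] < max_score


# Constructed sample accounts, not real users.
LEGIT = Account("alice@example.org", "Elgg developer from Oslo",
                ["Anyone tried the new river plugin?"], 4, 12, True, 40)
SPAMMY = Account("sofia1987@hotmail.com", "Visit http://example.invalid/xxx",
                 ["buy now http://example.invalid/a", "see www.example.invalid/b"])
```

Scores are only a triage signal: anything above the threshold should go to a moderation queue rather than an automatic ban, so the false positives the first reply warns about stay cheap to resolve.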

  • LOLZ ;-)

    Spammers beware !!

    Brett/Cash just kicked Ms Sofia who was swinging around the Elgg Community ;-)

    Great job guys - if you have some secret PlugIn/Utility that detects this - please share.. or we hafta write some funky code to detect such occurrences automatically.. I've been thinking this over and maybe there is a way..

  • @Sofia may be gone.......... But Julia is on !!!!!

    She says "I love you and you only" to many Elggers hehehehe :P

    As if she is not satisfied with the crowd here she has created many new to say she loves them also hehehee weird Julia :P