Registration Protection Isn’t Enough Anymore
The focus for the past several years for board owners has been to prevent (or at least have some easy way to ignore) spammer registrations. When spammers thought it was useful to have an entry on a board memberlist they were often satisfied with getting through the registration process. They didn’t bother to activate their account. As a result, one of the most popular (and fortunately very easy) MODs for discussion boards was to prevent inactive members from showing up on the member list. This is the standard configuration for phpBB3, no MOD required.
Spammers reacted by altering their process so they can activate accounts. (I as well as other board owners have seen a dramatic increase in use of gmail accounts for this, so clearly Google’s registration process has been cracked and automated as well.) Like many board owners, I would like to have a “clean” database. But it wasn’t a huge imposition to get spammer registrations. If they never posted, they were not a contributing member of my board but at least they weren’t getting in the way. I had a MOD that prevented board members from entering a web site until they had a minimum number of posts on my board, so at least I didn’t get a member database sprinkled with unsavory web links. There are also MODs available that prevent zero-post users from showing up, and for pruning inactive or zero-post users after some specific period of time. All of these were okay in their day, but are not as effective anymore.
I’ve posted many times about my Checkbox Challenge code. It has served very well in protecting my blogs, several phpBB boards, and even my comment forms from spammers. However I am starting to see some issues, and that bothers me. Why? Because the new spam seems to be coming from humans rather than bots. I don’t know how we can combat that. Spammers seem to be quite creative with their posting strategies as well.
Spammer Posting Strategies
I’ve seen many different types of spam posts. There are streams of sentences that look like they were copied from a recent news article with random links thrown in for spam. There are more creative folks that put reasonable looking text and then make the punctuation marks links. There are folks that post highly useful text like, “This post was great, it answered all of my questions.” and then create a fake signature with spammer links. There are folks that post spam and format it to match the background color of the board style. There are folks that enter a normal spam-free post and come back days (or weeks) later to edit the post to include spam links.
What is a board owner to do?
There is no Internet governing board where we can report this type of activity. It’s rather pointless (at least most of the time) to track down users by IP address as the spammers are either using proxies or zombie computers, or their in some foreign country that could care less if your small board was defaced by someone using a computer under their jurisdiction.
One of the nicer features of phpBB3 is the ability for a moderator to be able to clean up all of the posts from a specific user in one step. The posts can be deleted or moved to a specified forum. (I prefer the move option, as I can preserve the evidence in the cases where I do decide to try to take some sort of action.) There is a separate step to ban the user that often occurs just before (or just after) the posts are removed. I generally would do the ban first to keep the user from further posting, and then do the clean-up work.
I wrote a MOD for my own boards that I called the phpBB Doctor Spammer Hammer. It is unfortunately getting used more because of the human element. The “hammer” takes the following steps:
- Deletes any session records that belong to the user, effectively logging them off.
- Marks their account inactive, preventing them from logging back on.
- Updates their registration “activation key” so that they can’t request a resend of the activation email. That way they can’t reactivate their account.
- Any topic started by the spammer is moved to a hidden forum. This includes any posts from legitimate users, as most of them are probably just “ooh, this is spam” types of responses. Nothing of value there.
- Any posts in topics that were not started by the spammer are also moved to a hidden forum. This catches any post replies in existing topics.
The Spammer Hammer has several safeguards built in. First, you cannot hammer someone with more than a certain number of posts. If you’re a spammer, we’ll figure it out before you reach 200 posts, so anyone above that threshold (just as an example) is immune. Board moderators and administrator accounts cannot be hammered. And a log is made of each hammered account so I know who took the action and when. I started to write an “undo” function, but the complexity of the code increased dramatically and in my opinion there should never be a need to undo the action.
Conclusion? That’s optimistic, I guess. The story is far from concluded. As the spammers continue to get more creative the escalation will continue. As a board owner I do my best to keep spammers from getting in. If (when) they get in, I have systems in place to clean them up quickly and easily and (most importantly) completely. That’s about the best I can do at this point.
I started to include some statistics on spammer posts and registrations as a percentage of valuable traffic. But the truth is that with the Checkbox Challenge in place my boards continue to be relatively protected. I get a few spammers at most a month, and I am getting 25-35 new user registrations every day on my most active board. So I decided to skip it for this post. I also thought about calculating the average response time for my moderator team. I would take the date and time for the initial spam post and compare it to the application date/time for the Spammer Hammer and see how long they take. We rarely have spammers that last more than a few hours, and in many cases it’s minutes. I have a great moderator team.
We take some of their time, they take some of our time.
The solution to the spam problem is to log off and abandon the Internet. There’s something to be said for being offline, where they can’t get you.
Comment by Dog Cow — May 1, 2010 @ 1:03 pm
Nice work on your Spammer Hammer. It much reminds me of a vBulletin feature called “One-touch Spam Ban and Cleanup.” As I described elsewhere, the feature adds an option to the drop-down menu of a user which, upon selection, directs you to a page that asks for confirmation on several actions (which you may enable or disable in the Admin CP). Here are two screen shots showing how it works:
Fortunately, it’s a tool I uncommonly use, as the overwhelming majority of spam registrations are not human assisted, and can’t get passed a simply astronomy question: what’s the closest planet to the sun?
Comment by Hyperion — May 30, 2010 @ 3:09 am
I notice the same thing, in particular at refugees dot com, more and more spam with human-like authors.
Why not set a minimum post count before urls can be posted, in combination with a max post count per day?
If you set the first to say 25 and the second to 8 it would be enough to check every three days and hammer the shit out of the spammers that are about to get url posting permissions.
Comment by dogs and things — July 16, 2010 @ 7:34 am