Forums | Mahara Community

The spam is back!


Aaron Wells
Posts: 896

20 March 2014, 5:14 PM

So, I've noticed around a half dozen spam messages in the past week.

(Funny story: I was giving my talk about new features in Mahara 1.9 at the Mahara Hui in Wellington. I'd just finished telling people about how we'd implemented anti-spam measures that had nearly eliminated our forum spam problem. Then, up onstage, I open up the mahara.org forums to show people the forums where they can contribute to Mahara, and there are multiple spam messages in the Support forum!)

These new spam messages are getting past the anti-spam measures we added last November because those measures just ban messages with URLs in them (like http://www.mahara.org). These new messages don't have URLs, they just have domain names (like www.mahara.org).

So, I'm going to have to implement some more antispam measures. Anyone got any suggestions? Currently I'm leaning towards using a heuristic spam detection system.

Perhaps as a stopgap, I'll prevent new users from posting messages that contain domain names.

Cheers,

Aaron

Dirk Meyer
Posts: 423

23 March 2014, 1:01 PM

Hi Aaron,

Perhaps for you to include in your spam fighting efforts, I wonder what could be done to stop spammers from creating accounts. If that is difficult, as is mentioned in some of the links you reference, I wonder what could be done about spam accounts that have been created but are never accessed more than once.

My public site has been the target of some automated spam bots lately and some days several hundred accounts are created. There is hardly any spam produced on the site itself as the actions seem to be restricted to creating accounts only.

Anyways, I wonder if there is a way to a) allow for self-registration while b) delete accounts that were never modified by the user. I am thinking if someone does not modify their account within say 24 hours, we could assume they are spammers and as a result automatically blow the account away.

 

Kristina Hoeppner
Posts: 3587

23 March 2014, 4:10 PM

Hello Dirk and Aaron,

Unfortunately, there is nothing really that can be done against spammers as they seem to be humans in many cases. There are ways to incrementally improve things based on what sort of spam we have seen, but they'll be back with other measures. We'll always lag behind. And we'll need to find a balance between restricting spammers but not making the life of legitimate users more difficult as they'll ultimately suffer from more restrictive spam prevention measures. Now they seem to be putting spaces into the URL in order to get around typing it.

Turning on pending registrations on publicly open sites (can't really for mahara.org as it would mean people can't post their questions immediately, but have to wait until an admin approves their account) is a good measure as accounts are not created until the admin approves the account and then the person actually comes back to finally create it.

What could be improved is to allow for bulk approving / denying on the pending registration page to make it easier for an admin.

One possibility for mahara.org could be to put a moderation queue into place for forums: Let the person write their post but not send it out / make it visible to regular users until an admin / forum moderator has seen and approved it. If it is deemed spam, delete the forum post AND suspend the account at the same time.

Cheers

Kristina
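The two bypasses described so far in this thread (bare domain names with no `http://`, and spaces typed around the dots) can be covered by one filter, sketched here as an added example that is not part of the thread and is not Mahara's code. The function names, the `is_new_user` flag and the short TLD list are assumptions made for illustration.

```python
import re

# Constructed, deliberately short TLD list (assumption). A real filter
# would load the full public suffix list instead.
TLDS = ("com", "org", "net", "info", "biz", "ru", "cn")

# What the original filter looked for: a scheme followed by "://".
SCHEME_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.I)
# Bare host name: one or more dot-terminated labels, then a known TLD.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:%s)\b" % "|".join(TLDS),
    re.I,
)
# A dot with whitespace BEFORE it ("www . mahara . org"). Normal sentences
# put no space before a full stop, so ordinary prose is left alone.
# Trade-off: "www. mahara. org" (space only after the dot) is not caught.
SPACED_DOT_RE = re.compile(r"(?<=[a-z0-9])\s+\.\s*(?=[a-z0-9])", re.I)


def find_link_indicators(text):
    """Return (kind, match) tuples for every link-like token in text."""
    hits = [("url", m.group(0)) for m in SCHEME_RE.finditer(text)]
    # Remove what was already reported so nothing is counted twice.
    remainder = SCHEME_RE.sub(" ", text)
    hits += [("domain", m.group(0)) for m in DOMAIN_RE.finditer(remainder)]
    remainder = DOMAIN_RE.sub(" ", remainder)
    # Undo the spacing trick, then look for domains again.
    collapsed = SPACED_DOT_RE.sub(".", remainder)
    hits += [("spaced-domain", m.group(0))
             for m in DOMAIN_RE.finditer(collapsed)]
    return hits


def allow_post(text, is_new_user):
    """Stopgap policy: new users may not post anything link-like."""
    return not (is_new_user and find_link_indicators(text))


if __name__ == "__main__":
    # Constructed sample posts.
    for post in ("Visit http://www.mahara.org today",
                 "Visit www.mahara.org today",
                 "Visit www . mahara . org today",
                 "I upgraded to Mahara 1.9 and it works. Great."):
        print(find_link_indicators(post), "<-", post)
```

Because the check only applies when `is_new_user` is true, established users can still post links, which keeps the restriction away from most legitimate posters.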

 

Aaron Wells
Posts: 896

24 March 2014, 3:06 PM

One of my coworkers here at Catalyst pointed me to http://www.stopforumspam.com, which is a giant database of forum spammer details. They have a free web service where you send them a username, email, and/or IP address, and it tells you how closely it matches any of their known spammers.

I ran the emails of the 10 most recent spammers on mahara.org through their database, and all 10 came back as exact matches. So that's quite promising. I'm hoping to get that integrated into the registration process, and also possibly update our "suspend user" system to feed data back to their database.

But that will probably have to wait until after we get 1.9.0 out (this week or the next). If the spam gets really bad in the meantime, we can reconsider turning on manual registration approval. But I haven't seen any spam posts over the weekend (maybe it's the spammers' weekend too?) so hopefully we can hold out.

Cheers,

Aaron
