
Spam influx makes me want to close my Vanilla forum

matt ✭✭
edited August 2013 in Vanilla 2.0 - 2.8

I've been using Vanilla for 8 years now, but recent spam influx makes me want to close my Vanilla forum.

Help me, please.

Comments

  • vrijvlinder Papillon-Sauvage MVP
    edited August 2013

    What methods have you tried? Have you tried the Restrict Registration Logger plugin?

    Ban applicant? What version of V?

  • Todd Chief Product Officer Vanilla Staff

    I'll tell you what we do here.

    1. Make sure you make users confirm their email addresses. Make sure the confirm email address role can't post anywhere.

    2. Use stop forum spam. You can tweak the settings a bit, but the defaults are okay.

    3. Use akismet.

    We do have a bit better of a spam workflow in 2.1 which is right around the corner. In order to help combat spam we also appreciate a bit more detail.

    Where is the spam? Are there spam registrations? Is the activity feed being spammed? Is it new discussions? Stuff like this.

  • phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

    I experience spam registrations, activity wall spamming and recently also bots that create discussions holding a short line of text and a link.

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • Although there can be weaknesses in some systems, I don't think the software itself should be reason enough to leave. You also have to use common sense, make sure that part of the forum that are open to spam, like keeping profiles private, and activity closed.

    You can also make it less fruitful, such as restricting links for newcomers.

    I just think there aren't enough people making professionally made plugins. Therefore the solutions are very bitty.

    I'd be happy to do a registration one if I'm paid properly.

    However, manual spam can still be a problem; the best way to restrict that is to make it less attractive.

    grep is your friend.

  • Todd Chief Product Officer Vanilla Staff

    So yeah what I think we're seeing here and I'm hoping @matt can confirm is communities with applicant level registration are starting to get a lot of spam registrations. There are a couple things I want to do to help this.

    1. Add a captcha to the applicant form to reduce the bot traffic.
    2. Try and get stop forum spam to fire before akismet. Stop forum spam has the ability to ignore a registration if it passes a threshold while akismet can only report spam/not spam.

    I think we'll move to combining our two spam plugins into one so people don't have to worry about this or that. For now I'll try and get the above addressed asap.

  • x00 MVP
    edited August 2013

    reCaptcha is actually pretty simple, and you created a handy function to do it in the core.

    // Both handlers below belong inside your plugin class.

    // Load the bundled reCAPTCHA library for the registration page.
    public function EntryController_Register_Handler($Sender){
      include_once(CombinePaths(array(PATH_LIBRARY, 'vendors/recaptcha', 'functions.recaptchalib.php')));
    }
    
    // Validate the captcha before the user is created; mark the registration invalid on failure.
    public function UserModel_BeforeRegister_Handler($Sender){
      $FormValues = $Sender->EventArguments['User'];
      $CaptchaPublicKey = ArrayValue('Garden.Registration.CaptchaPublicKey', $FormValues, '');
      $CaptchaValid = ValidateCaptcha($CaptchaPublicKey);
      if ($CaptchaValid !== TRUE) {
         $Sender->Validation->AddValidationResult('Garden.Registration.CaptchaPublicKey', 'The reCAPTCHA value was not entered correctly. Please try again.');
         $Sender->EventArguments['Valid'] = FALSE;
      }
    }
    

    In the view:

         // Read the public key from config and serve the widget over SSL when the forum itself uses HTTPS.
         $CaptchaPublicKey = Gdn::Config('Garden.Registration.CaptchaPublicKey');
         $CaptchaSSL = (StringBeginsWith(Url('/', TRUE), 'https') || Gdn::Request()->GetValueFrom(Gdn_Request::INPUT_SERVER, 'SERVER_PORT') == 443) ? TRUE : FALSE;
         echo $this->Form->Label("Security Check", '');
         // Render the reCAPTCHA challenge in the registration form.
         echo recaptcha_get_html($CaptchaPublicKey, NULL, $CaptchaSSL);
    

    I would use that and something additional.

    grep is your friend.

  • matt ✭✭
    edited August 2013

    Hi all,

    The main issue is that it all went so long unchecked that I have a massive cleanup operation. 5000 spam users and 11000 spam posts. Cleanser took care of a few, but now I am down to 2500 users/6500 spam posts and it is becoming very hard work to delete them effectively. I'd appreciate better tools to do this. I'd love to just prune all users (and their content) between certain date ranges.

    As for ongoing spam, a few days ago I activated Stop Forum Spam, Akismet, Registration Restrict Logger, BotStop (question at registration), temporarily added registration approval and tweaked some settings. This seems to have slowed/stopped the influx of new spam users. Existing spam users are still spamming. Akismet is busy. Annoyingly you cannot select/delete all, you have to do it page by page.

    Confirm Email status users have never been able to post anywhere. All spam users are Member status.

    Running version 2.0.18.8

    Forum is: http://www.agbic.com

    So the influx is slowed, for now, I am looking for advice on the cleanup.

    thanks

  • These registrations tend to follow certain patterns so you could use MySQL.

    grep is your friend.

  • @matt said:
    Confirm Email status users have never been able to post anywhere. All spam users are Member status.

    Running version 2.0.18.8

    Forum is: http://www.agbic.com

    I am looking for advice on the cleanup.

    Semi-code:

    Update Users SET Role = `Reconfirm Email` WHERE (SELECT Discussions, Comments Where NumDiscussions / NumComments < 10)
    

    Now you will have all possible spammers in a separate Role, other than member.

    You can also put all members in another Role. Then the users with enough posts go back to the Member role.
    All can be done with SQL Statements, no problems at all.

    How many real users do you have? Find how many posts they have for sure. That way you can easily move all other members to 'reconfirm' and 'possible spammer' roles.

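The role-quarantine idea in the semi-code above, combined with the registration date range matt asked about, as an added example that is not part of the original thread and not Vanilla's own code. It runs against a constructed SQLite table whose name and columns (`users`, `role`, `registered`, `num_discussions`, `num_comments`) are assumptions rather than Vanilla's schema, and it reads the semi-code's threshold as fewer than 10 posts in total.

```python
import sqlite3

# Constructed schema and rows for illustration; table and column names are
# assumptions, not Vanilla's actual database layout.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, role TEXT,
                    registered TEXT, num_discussions INTEGER, num_comments INTEGER);
"""
SAMPLE = [
    (1, "matt",      "Member",        "2005-03-01", 40, 900),
    (2, "longtimer", "Member",        "2013-07-02", 3, 25),  # real user inside the window
    (3, "xk9promo",  "Member",        "2013-07-03", 1, 0),
    (4, "buy-pills", "Member",        "2013-07-15", 2, 1),
    (5, "newbie",    "Member",        "2013-09-01", 0, 1),   # registered after the window
    (6, "pending",   "Confirm Email", "2013-07-10", 0, 0),   # not a Member, left alone
]

def quarantine(conn, start, end, min_posts=10, role="Reconfirm Email"):
    """Move Members who registered in [start, end] with fewer than min_posts
    total posts into a holding role. Returns the affected user ids."""
    # The WHERE text is a fixed constant; every value is a bound parameter.
    where = ("role = 'Member' AND registered BETWEEN ? AND ? "
             "AND num_discussions + num_comments < ?")
    args = (start, end, min_posts)
    with conn:  # one transaction: commit on success, roll back on error
        ids = [r[0] for r in conn.execute(
            f"SELECT user_id FROM users WHERE {where} ORDER BY user_id", args)]
        conn.execute(f"UPDATE users SET role = ? WHERE {where}", (role, *args))
    return ids

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", SAMPLE)
    moved = quarantine(conn, "2013-07-01", "2013-08-31")
    roles = dict(conn.execute("SELECT user_id, role FROM users"))
    return moved, roles

if __name__ == "__main__":
    print(demo())
```

Nothing is deleted here: the returned ids can be reviewed, and real users moved back, before any pruning is run against a backed-up database.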
  • My forums have also been overrun with spam in the last 1-2 months, unfortunately. I'm using ReCaptcha and BotStop, plus require email confirmation, but the bots are still getting in. I'm also looking at moving to a new platform, and have been keeping a close eye on Discourse.

  • @evanw said:
    My forums have also been overrun with spam in the last 1-2 months, unfortunately. I'm using ReCaptcha and BotStop, plus require email confirmation, but the bots are still getting in. I'm also looking at moving to a new platform, and have been keeping a close eye on Discourse.

    @evanw
    Maybe if you go to the poll and describe where the spam is and an example of recurrent spam, the community and Vanilla developers can get a handle on fixing it, but without knowledge of where, what patterns, etc. can't really help you.

    http://vanillaforums.org/discussion/24785/poll-which-registration-method-and-plugins-do-you-use-to-deter-spammers-and-their-efficacy

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • I'm going to need a bit more help with the SQL method.

    Any more detailed steps?

    I have an SQL admin interface.

  • @matt said:
    I'm going to need a bit more help with the SQL method.

    Any more detailed steps?

    I have an SQL admin interface.

    Give a detailed example of what you want to accomplish.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @matt Well, since this spam is quickly turning into an emergency on your forum, you can do these things to try to stop it:

    1: Use Troll Management (when you mark a user as a troll, they become invisible and eventually leave)
    2: Ban people who are spamming

  • You can also use other addons to block spam

  • I haven't been on the forum for a while, so I'm not really in touch with things. But I have a problem in this area too.

    I have a website with a Wordpress blog and a small Vanilla forum incorporated. The forum isn't a "community", just a place to allow comment if people want to. Thus I want to make it easy to allow quick comments, which a full registration process would inhibit. But I too have been hit by spam recently, filling up my user list and starting new "discussions" that I need to manually eliminate.

    I know I could put the full Captcha - email registration thing in place, but it would defeat the purpose of allowing quick comment.

    Blogs have the same requirement to allow quick comment, and my Wordpress blog solves this problem with a plug-in called "Captcha-Free". Here is some text from the plug-in site:

    "WP Captcha-Free blocks comment spam by using a combination of time-based hash (a.k.a. Time Based Tokens, TBT) and JavaScript (AJAX). When a comment is posted the plugin validates a hash based on time (and some other parameters). Comments posted via automated means will not have a hash or will have an expired hash and will be rejected. Unlike using a captcha, this does not place any burden on the commenter.

    Additionally, WP Captcha-Free uses ajax to get the hash only when the form is submitted instead of adding it statically to the page (which is cached by caching plugins). This adds another layer of security and makes it compatible with caching plugins like WP-Cache.

    Features:

    Blocks automated comment spam and ensures that your commenters are human.

    Works without inconveniencing visitors with CAPTCHAs, challenge questions, etc.

    The plugin requires no database access and adds almost zero overhead.

    The plugin works out of the box without any configuration or setup.

    Compatible with all cache plugins, including WP-Cache.

    Doesn’t require editing any .php files."

    And it works. Very few spam get through on the blog.

    Is there any similar plug-in/extension for Vanilla? Is there any reason why there couldn't be (except of course, people finding time to do it)?
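The time-based token idea quoted in the post above, as an added example that is not part of the original thread and is not WP Captcha-Free's actual algorithm. It assumes an HMAC over the issue time, a form id and the client IP; `SECRET`, `MAX_AGE`, `form_id` and `client_ip` are hypothetical names, and the sample values in the comments are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # placeholder; use a random server-side secret
MAX_AGE = 120  # seconds; short because the token is fetched at submit time

def _mac(ts, form_id, client_ip):
    """MAC that binds the issue time to one form and one client."""
    msg = f"{ts}|{form_id}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(form_id, client_ip, now=None):
    """Return 'timestamp.mac' for the AJAX call made when the form is submitted."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts, form_id, client_ip)}"

def check_token(token, form_id, client_ip, now=None):
    """Return 'ok', or the reason the comment is rejected."""
    if not token or token.count(".") != 1:
        return "missing"          # posted without ever asking for a token
    ts, mac = token.split(".")
    if not (ts.isascii() and ts.isdigit()):
        return "malformed"
    expected = _mac(ts, form_id, client_ip)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-mac"          # altered, or issued for another form or client
    age = (time.time() if now is None else now) - int(ts)
    if age < 0 or age > MAX_AGE:
        return "expired"
    return "ok"

if __name__ == "__main__":
    # Constructed sample: token issued at t=1000 for comment form 42.
    t = issue_token("comment-42", "203.0.113.7", now=1000)
    print(check_token(t, "comment-42", "203.0.113.7", now=1030))
    print(check_token(t, "comment-42", "203.0.113.7", now=2000))
```

Because nothing is stored server-side, a valid token stays usable until it expires, which is why the lifetime is kept short and the MAC is bound to one form and one client.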

  • vrijvlinder Papillon-Sauvage MVP

    You would need to create some kind of guest role that you could customize permissions for so they could only comment and not start new discussions.

    Then you could create a plugin which adds a simple captcha to the comment form and validates it. There might be a way to add the hack to the form itself.

  • I thought I would share this as I seem by accident to have sorted at least the spam problem I was having. I recently updated a forum by an automatic installation facilitated by my hosting company's cPanel. Whilst I kept the old database I set it up in a totally new directory. Rather than moving the whole install, I merely set up a frame page in the old directory, pointing at the new index page in order that people would not have to change their link for the forum. The only drawback that is apparent after a month is that if somebody does a page refresh it actually reloads the forum start page rather than just refreshing the page that they are on. Not the best solution I guess but as the man said "it works for me".
