
Spam and vanilla

edited December 2006 in Vanilla 1.0 Help
Hi guys,

This is officially my first post here, and I wanted to have a good start. So let's talk about spam, baby. :)

Another (phpBB) forum I moderate is being flooded by spam, especially these last few weeks. Since I plan to install Vanilla for a new project, I was wondering how spam-proof Vanilla actually is. My research leads me to believe spam is a bit of a non-issue here?

1. There are only two anti-spam extensions: http://lussumo.com/addons/index.php?PostBackAction=Search&Keywords=spam
2. And I could find just 30 threads with the keyword spam: http://lussumo.com/community/search/?PostBackAction=Search&Keywords=spam&Type=Comments&btnSubmit=Search

What have your experiences with Vanilla spam (prevention) been?

Comments

  • Someone correct me if I'm wrong, but the lack of spam here is because Mark approves all new users first. So someone can't just sign-up and post. It seems that the "latest" trend has been to register for a forum, gather as many usernames as possible, and then send out a mass PM (if the board has that feature). I know SMF has been whacked hard by it, and (as you mentioned) phpBB as well. The best approach I've found to it, with Vanilla, is to follow Mark's lead. Approve any new members manually. It used to be fine to let verification happen through email, but either the bots are getting better or spammers think it's worth it to actually use a legit email address and check it. Spam sucks. You know though, I don't know what bothers me more. They wouldn't exist if it didn't pan out to a profit. Which means that after all this talk everywhere about people being ticked off about spam... some idiots are still out there clicking and buying their crap.
  • Mark (Vanilla Staff)
    edited December 2006
    I've been fooled a few times by spambots applying for membership here. But it's easy to clean up a post or two about buying Phentermine or penis enlargement pills.

    With regard to malicious user-related spam - i.e. the type of spam that happens when someone tries to post the same message a ton of times and flood the board with bs - Vanilla has a built-in mechanism to place blocks on people's accounts if they post a certain number of comments within a certain number of seconds. It's completely configurable through the settings tab's "application settings" form.
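
The flood control described in the comment above (a block on an account that posts a certain number of comments within a certain number of seconds) can be sketched as a sliding-window counter. This is an added example, not part of the thread and not Vanilla's own code; the class name `FloodGuard`, the thresholds and the sample events are assumptions.

```python
from collections import defaultdict, deque


class FloodGuard:
    """Block an account that exceeds max_comments within window_seconds."""

    def __init__(self, max_comments=5, window_seconds=60, block_seconds=300):
        # All three values are assumed; the thread only says they are configurable.
        self.max_comments = max_comments
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.recent = defaultdict(deque)  # user -> timestamps of accepted comments
        self.blocked_until = {}           # user -> time at which the block expires

    def allow(self, user, now):
        """Return True if `user` may post a comment at time `now` (in seconds)."""
        if self.blocked_until.get(user, 0) > now:
            return False                  # still serving an earlier block
        stamps = self.recent[user]
        # Forget comments that have slid out of the counting window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_comments:
            # Too many comments inside the window: reject and block the account.
            self.blocked_until[user] = now + self.block_seconds
            stamps.clear()
            return False
        stamps.append(now)
        return True


def replay(guard, events):
    """Feed (user, timestamp) events through the guard and record each decision."""
    return [(user, t, guard.allow(user, t)) for user, t in events]


# Constructed sample: one account posting once a second, one normal member.
EVENTS = ([("bot", t) for t in range(8)]
          + [("alice", 3), ("alice", 40), ("bot", 200), ("bot", 400)])

if __name__ == "__main__":
    for user, t, ok in replay(FloodGuard(), EVENTS):
        print(f"t={t:>3}s {user:<5} {'posted' if ok else 'rejected'}")
```

Keeping the block timer separate from the counting window means a flooding account stays locked out after its burst has aged out of the window, while a member posting at a normal pace is never counted against.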
  • Mark you have done a great job on keeping spammers out. I can only think of maybe three posts that were spam, and they were quickly taken care of.
  • All right. Thanks for the feedback, guys. :)
    I think manual approval is still one of the best ideas. However, it is just very nice to have a fully automated solution.

    [brainstorm mode]
    In the future, a combined automatic and manual approach would suit me best. Maybe something like Akismet filtering to filter out real spam combined with some Bayesian filtering to detect suspect postings, which would then be presented to an admin to manually resolve the spam/ham question? I know, that is somewhat of a fantasy. However, Akismet is available, and for Nucleus (a blogging tool), we have a plugin for Bayesian filtering of comments (link).
    [/brainstorm mode]
  • I would really like it if we could integrate akismet spam protection to vanilla, coz it stops every single spam comment on my site!
  • edited December 2006
    I really don't see why -- unless you have open registration (BAD IDEA) there's no point. Either you are hand approving members, having a member recommend another member (accountability) or you are doing email verification. Any one of these things are steps that spammers wouldn't do. And the asshats/spammers that WILL go through that trouble are very, very few and are often one-off spams (which is hard for Akismet to spot!) so it wouldn't help much anyway.
  • Well I hate to break the bubble.. but the email confirmation part was broken long back.. and it's of no use nowadays. Secondly captcha is gone too.. I like the ones where a user who wants to register.. has to answer some mathematical question.. like 3 + 1 = ?.

    My forum would get hit by a lot of spam bots, that's the reason I stayed off phpBB and SMF. So it is a top priority before the public release. And the bh are a lot lot lot lot many. once your forum is found! Vanilla isn't on the list right now. But very soon it will be. Since we are growing at a very good rate. And the forum is fantastic.

    My priorities lie in this order.
    1) Aesthetics
    2) Simplicity
    3) Security

    First two are taken care of.. third one is still a question mark. Coz I can't keep it like manually approved user list.. or user recommended. I need it to be open. Any more suggestions?

    And chuy thanks for your help, I had covered those grounds already.. but nonetheless feels good when people genuinely try to help.
  • "but the email confirmation part was broken long back.. and it's of no use nowadays. Secondly captcha is gone too.."
    I'll consider it not broken until shown otherwise. I know that both of these CAN be circumvented, but it takes a considerable amount of extra time and effort on the part of the spammer for those two tactics to work out.

    There are NO PERFECT SOLUTIONS. Period. Yes, spammers CAN get past email verification. They CAN get past captchas. They CAN get past Akismet (and they do on regular occasion on my wordpress blog). Heck, Mark even points out how they can get past hand verification! I have not yet seen a single spam solution that is 100% effective because there is no such thing -- just like there is no such thing as perfect encryption.

    However, each additional hurdle is one more thing that it takes them time to break -- and that is the deterrent. Why bother with your site when one IP address away some noob just setup an old phpbb install? Woot!

    Now, I don't know what kind of super massively popular site you run, but I can tell you from running some fairly large sites (20,000+ users per site) that the number of bots who can complete email verification has been about -- well, none that I have ever seen, actually. Secondly, I could show you an encyclopedia's worth of log files that show spam bots being bounced by a simple Javascript automated captcha. So, I do agree that these things can be broken, but I never see them go the lengths to do so.


    NOW, some solutions for you:

    You say that you can't go with hand verification, I assume because you'd find it too tedious. I can see that. You probably don't want to use "invited by a friend" type feature either because that would lock out outsiders who didn't know anyone. Why not make a mashup of the two? Allow people to apply, allow all users to see the applicant list, and allow users to sponsor other users into the site. This way you use your current user base as a spam bot detector and can take away the privilege from people who prove to be very bad at it :)

    If you really think Akismet would be the solution, put it in! It's very easy to make an extension that can hook into the comment/discussion pre & post posting actions. You could just jab akismet in right post part and have it scan the comment and hide it if it comes back sour. You'd want to be notified that this happened, of course, but that's not too much work either.
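
The brainstormed combination earlier in the thread (automatic filtering, with suspect posts handed to an admin) and the suggestion above to scan a comment and hide it when it "comes back sour" both come down to a scorer with two thresholds. This is an added example, not part of the thread and not Vanilla or Akismet code: it shows only the Bayesian stage, and the class name `BayesTriage`, the thresholds and the training texts are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter


def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesTriage:
    """Naive Bayes scorer with two thresholds: publish, hold for an admin, or hide."""

    def __init__(self, hide_at=0.95, publish_at=0.20):  # assumed thresholds
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}
        self.hide_at, self.publish_at = hide_at, publish_at

    def train(self, text, label):
        self.words[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = set(self.words["spam"]) | set(self.words["ham"])
        n_spam = sum(self.words["spam"].values()) + len(vocab)
        n_ham = sum(self.words["ham"].values()) + len(vocab)
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])  # prior odds
        for tok in tokens(text):
            if tok not in vocab:
                continue  # words never seen in training carry no evidence
            p_spam = (self.words["spam"][tok] + 1) / n_spam  # Laplace smoothing
            p_ham = (self.words["ham"][tok] + 1) / n_ham
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

    def triage(self, text):
        p = self.spam_probability(text)
        if p >= self.hide_at:
            return "hide"
        if p <= self.publish_at:
            return "publish"
        return "review"  # suspect: left for an admin to answer spam or ham


# Constructed training set, for illustration only.
MODEL = BayesTriage()
for sample in ["buy cheap pills online now", "cheap pills best price buy now"]:
    MODEL.train(sample, "spam")
for sample in ["how do I install the extension", "the theme looks great thanks",
               "where can I buy hosting for the forum"]:
    MODEL.train(sample, "ham")


def moderate(comments):
    """Group comments by decision so hidden and suspect posts can be reported."""
    out = {"publish": [], "review": [], "hide": []}
    for comment in comments:
        out[MODEL.triage(comment)].append(comment)
    return out
```

The middle band is what keeps one-off or borderline posts in front of a human instead of silently dropping them; each admin decision can be fed back through `train` so the filter learns from it.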
  • Let's see still thinking.. if I come up with anything better than yours I'll keep you posted... till then your idea will be working for me :) Cheers, Fu
This discussion has been closed.