To make life much harder to spam bots the forums should require a capcha validation on each post and more importantly on user registration. I know it’s embarassing for honest users but that helps.
New users whose preferred name has already been taken?
Pretty weak I guess. If it’s going to be a ball-ache it’s probably not worthwhile. You can put lurkers’ mind at rest though - the last-active-on record should shield them from any cull
For the forum on the jPCT-website (based on SMF 1.1.12 with its weak captcha too), i maintain a large ban list. With some experience and the help of http://www.stopforumspam.com/ you get a pretty good feeling of what to put on the ban list and which account to delete. Spammers’ stategies change from time to time, but you can easily adopt to it. With that, i’ve reduced spam accounts from 10-60 per day down to 0-5. Of course, this may hurt some people whose mail addresses match the current spamming strategy by accident, but i can live with that. For example, i’m banning every account from registering where the mail address matches [0…9]@gmail, [0…9]@live and [0…9]@hotmail to ban all those dumbashell152326@gmail.com suckers who register using dynamic IPs so that you can’t ban them by IP.
I tried to use alternative captchas for SMF but they all sucked in one way or another. The problem with doing your own is, that you have to modify the code again every update.
It’s still annoying and if somebody plans to use a tank to roll over some spammers, please count me in.
Haha… sorry, I meant “reject any post that contains links by users with < 10 posts”.
Might unfairly penalise people posting for the first time to show of their project, which a lot of members do in their first post.
Some other forums replace links in posts of new users with a message saying: “links for users with less than 5 posts disabled”. After 5 posts the links auto-enable.
As those spambots easily make over 10 posts, that’s not really effective.
I think it’s best to hide links from new accounts for 24 hours (since registration).
Yes, but spammers aren’t using it that much ATM.
does it really matter if the links from spambots show or not? posts get cleaned up pretty quickly anyway, i think the bigger problem is them posting in the first place and their posts showing up which is really the inconvenience here.
Exactly, that is why I propose not allowing the post if it has a link. Just removing the links isn’t that helpful. It would probably be sufficient to require at least 1 post before you can make a post containing a link.
Yeah, like next time I will just ignore the posts that have nothing to do with the issue at hand – like removing those ancient accounts.
sorry, probably came across too harsh/rude there, wasn’t the intention.
This is the plan:
In the post process of members with zero or one posts, a post with a link in it will be (silently!) rejected and thus will not show up on the forum. Instead, the contents of the topic will be sent to the emailaddress of the poster, explaining this is an anti-spam measure, and kindly requesting him/her to make a new post without the link(s).
It conveniently leaves the post count at zero, preventing the case that everything (including spamming) is allowed after N posts. I’m pretty sure only human spammers can get through – you’re never going to stop them anyway.
Anybody opposed to this? Please enlighten me of any downsides.
Sounds good to me.
Is there any way to disable signatures for new users? Much of the spam in the past has been plain text, with the actual spam links in their signature.
Additional captcha in registration process:
http://www.java-gaming.org/index.php?action=activate;u=0;code=0
(naturally it won’t work when you try to actually activate it, as there is no userid 0)
Well that seems to have worked, I haven’t seen a spam post since 
Bizarrely, there are still spam profiles getting through. I find it incredible that there are real people out there who have the knowledge to compile and run a java snippet who find it worthwhile to spam forums. Do we know if they try to post, or is their objective just to get the signature into the DB? Does the verification snippet change? Is it possible that the solution is being shared amongst spammers?
I also note that I’ve gained a “Delete this account” ability that purports to nuke a user and all their posts. Is this safe to use? Have the potential DB problems been resolved?
I have to admit, its presence makes me slightly nervous. I’m pretty sure I’m not going to abuse the awesome power it affords, but who knows what evil lurks in the hearts of men? It’s like a big red button labelled “DO NOT PRESS” :persecutioncomplex: