I use native EE capabilities—but I use a lot (if not all) of them, plus my own anti-social instincts.

Just got a new spam comment, indicative of the bot wars.

Gives Thanks, Very fascinating read, you should be dramatic of your web logs. I’ve been genuinely delighting developing up your situations from meter to time. Looking forward to understand your future positions Many wonderful selective information, thanks for partaking.  Testament definitely be back more often….

I love it. Uh huh. Yeah.

It claims to be from SEO Positive in UK. They didn’t even leave a link.

While I am not using EE yet (I am investigating), I have a Wordpress Blog and found Bad Behavior essential for blocking out Bots. Akismet would just create extraordinarily large queues that needed to be moderated. However, while the combination is very good, I am now using the Google Safe Browsing API as well as the urlblacklist.com database to block unwanted links on my site - so that I don’t end up on McAfee SiteAdvisor or similar blacklist.

Rich

Bit late to this party, but here’s my take. I use Askimet and it works well at catching the spam comments. The only problem is that if you get a lot of spam (I’m currently getting about 30 a day) then you need to be sure to check the ‘pending moderation’ list regularly because if it gets too long then trying to report-and-delete them all at once will fail/crash/timeout. I took a week’s holiday recently, and came back to over 250 spam comments waiting in Askimet; the only solution wass to go through and mark them manually, and delete in batches of about 15-30. A PITA.

There are two anti-spam techniques that I would dearly love to see built natively into the EE comment form:

1. Solvable puzzle: ask the poster to answer a question such as “is fire hot or cold” or “what is 5+4”. Humans will get it, bots are less likely to.

2. Honeypot field: a field that must be left blank in order for the form to successfully be submitted. (bots will tend to fill out all fields/inputs in a form). The field can be hidden from normal users by some combination of CSS/javascript (and, ideally, an explanation given stating that they should not fill the field in).

If either the question is not answered or the honeypot is filled in, then the form should not submit, but ideally should ‘fail silently’.

EE2? Pretty please?

Rick, in our experience bot spam is falling by the wayside in favor of cheap labor humans at terminals.  For instance, in the CI forums, I’d wager that 99.9% of the spam is human borne, and many of them even try to post on topic.  It’s a myth that most spam is automated and running on scripts - it’s cheaper to pay 20 unsilled laborers in a low income area at terminals all day than it is to pay a skilled developer to write and maintain a script that would have similar success rates.

Turing tests are simply losing their value in combatting spam, and just irritate “good” users, so I don’t see EE increasing these types of measures natively.  That said, there are extension hooks in EE’s CAPTCHA mechanism that would allow for both of the features you mention, if you feel it would bring value to your site.

My big question on this has to be though :

Why do they do it in the first place though?

We (my Wife and I) run a forum which gets around 300,000 hits a month and get so much spam on there at the moment that it’s just not funny any more. Unfortunately it’s running on an absolutely ancient Nuke variation (yeuuuch!!) but we aim to move it across to ExpressionEngine as soon as we can get all the posts across but we have found that someone is auto-registering to the site with different e-mail addresses every day. There are usually around 20-30 new users every day and if we ban an e-mail address they just sign up with another. These are definitely auto made logins by a computer system or something but then we do get posts that to me seem more like they are probably a person writing them than a computer.

I just want to know why though?

Why would anyone pay someone to do this?

Best wishes,

Mark

Mark Bowen - 17 August 2009 08:34 PM

My big question on this has to be though :

Why do they do it in the first place though?
Why would anyone pay someone to do this?

I’m also mystified at the motivation. I assume that it must be profitable in some bizarre way, because I can’t believe that people would go to so much effort (and expense if they are commissioning script developers or paying people to write spam comments manually) simply to jerk people around for pure fun. But the economics of the spam industry have always bewildered me (unlike the phishing industry where the benefits are clear).

In any case, I implemented the blacklist functions in EE which cut down my comment spam a little bit… but not that much. And of course it didn’t help with contact form spam. So a few weeks back I also implemented the Accessible Captcha noted above, which in fact corresponds precisely to one half of my hoped-for antispam features (the other being honey pots). It seems to have dealt with the vast majority of my form spam. I currently get no Comment spam at all. In fact I just checked my Askimet tab in EE CP and it’s got zero comments awaiting moderation—and I’ve not checked it for a week or more. Previously that would have had about 80+ spam comments needing deletion after a similar period.

I’m still getting occasional contact form spam, so maybe that means that the forms really are being filled in by humans. Still can’t understand why though. I mean, do you know *anybody* who receives an obviously spam submission from their web form, where the phone number is given as AXHDSPTHWBXL and the message consists of links to cheap medications and *ahem* enhancements, and thinks to themselves “hmm, those links look interesting. I think I’ll check them out”?

I mean seriously.

Why? Links and SEO. Yes it is profitable - pay per post. People labor, today, is cheaper than scripts.
Even ‘big sites’ suffer from this. Sometimes the game is really not about what content they spam you with but rather what happens after that. Other than harvesting real addresses often you will have malware installers in js or linked that will compromise the machine, turn it into slave or ghost, used as port 25 relay etc. etc. “Web form” is just another way to get into your house (through your site post) is all.
A lot of spam is generated by users not even knowing.
But common…who does not want to be “Larger” and “have more energy” and “surprise that someone special”...and all this from the conform of your home? 

Finally, I changed the default text “notify me of follow up comments” and the email when someone replies text to something other than the default text, and Woo Hoo! The spam rate dropped dramatically. Precipitously. Amazingly.

Shoulda done that a while back. Oh well.

But I’ll put in the good word about it here to let others in on it—it’s very effective.

Susan - 14 December 2009 05:39 AM

Finally, I changed the default text “notify me of follow up comments” and the email when someone replies text to something other than the default text, and Woo Hoo! The spam rate dropped dramatically. Precipitously. Amazingly.

Shoulda done that a while back. Oh well.

But I’ll put in the good word about it here to let others in on it—it’s very effective.

This might be the ultimate trick to prevent spam. We’ve got a pretty popular website (60k pageviews, per day) and in a (really) bad month we notice about 3 spammers. Therefor we have hardly any anti-spam methods installed, and I guess the trick is our custom language pack and lots of custom work to the forum-templates.
Before we switched to an EE forum we had a slightly customized phpbb-forum, but all the html-codes and names were standard phpbb and we had about 10 spammers per day.

Customization means spammers won’t be able to find your site and as a bonus the audience you do want on your site, will find you sooner.

Forum spam is the main problem for our sites.

We’ve employed Lows NoSpam using the TypePad AntiSpam option and that helps although it sometimes blocks legitimate users, I must point out that’s down to TypePad and not Mr Schutte who does excellent work for the EE community.

We also operate some sites running SMF as the forum software. And while SMF has it’s drawbacks I think it’s far better at preventing spam registrations than EE forums - a lot of this has to be attributed to the stopforumspam.com plugin available which has completely eradicated spam registrations on our SMF forums.

A plugin for this service would be excellent for EE.- or even better native support in the EE forum module for third party antispam services.

http://www.stopforumspam.com/