One thing that i have always

ms2134 — Wed, 21 May 2008 08:31:16 +0000

One thing that i have always found to be good is that whilst using the CAPTCHA, you can also have all ip's of posts logged, SMF forum allows you to save and also view PM's.

If they SPAM, Ban the IP address and report it to their ISP.
I guess the only problem then would be PROXIES.
Hmmm, I guess some moderators that are good would be a nice idea.

PM if you have an offer.
I do not mind being a Moderator for the site in my spare time. I enjoy that kind of thing.

Best Regards,
Mike

CAPTCHA is still widely

JeevesBond — Mon, 19 May 2008 15:42:46 +0000

CAPTCHA is still widely used, and an effective tool. I don't believe it always will be effective however, I have no idea what will come after CAPTCHA. I dread to think!

If you're looking for a good CAPTCHA program use the one we have on TWF, it's called ReCAPTCHA. The cool thing is that as people are solving the CAPTCHA they're also helping to encode books into a machine readable format.

ReCAPTCHA is known to produce decent puzzles as it only asks for words a computer could not OCR in the first place.

JeevesBond wrote: CAPTCHA's

greg — Thu, 15 May 2008 12:15:40 +0000

JeevesBond wrote:

CAPTCHA's are bad because they're security through obscurity. Spammers are paying people in developing countries to solve them (and they're not un-solvable by machines either)...

I thought that myself. If they are publicly available, it only takes one person to sit and index them all and their references and distribute that list then it's a simple case of IF ELSEIF for automated spammers.
But stupidely I just believed if top company websites are relying on them then there must be something I missed.

I suppose the best one would be to make your own, unique per site. But enough images for it to work would realistically be 25+ and sitting making those imgs with references for the code wouldn't be fun.

Or would perhaps 5 do it? The reference/img names wouldn't be on any spammers nasty list to check, so they wouldnt get in automatically. They would have to actually try to manually register xx times to see them all. Then it would be defeating the object as they might as well just spam manually.
It wouldn't work for big sites like google as plenty of people wouold want to list them, but for a site that isn't too big maybe 5-10 would work?

Or better yet random text would be better. There must be a way to create a random string without outputting it to the browser. Store it in server ram or cache or something.

I have seen suggestions for

JeevesBond — Thu, 15 May 2008 06:11:24 +0000

I have seen suggestions for IP monitoring, but I don't like using IP's as any kind of unique identifier as they can change often. It's unfair to ban Joe's IP as John might have it next week and is unfairly banned from joining the site

Just wanted to mention something about this. We tried this for a short time, it worked so well, we caught the infamous spammer teammatt!

So, since teammatt is not a spammer, but a mod it's safe to say IP filtering doesn't work that well. I've been banned from http://drupal.org too, which was annoying.

Webwiz is correct that there's no solution. CAPTCHA's are bad because they're security through obscurity. Spammers are paying people in developing countries to solve them (and they're not un-solvable by machines either), think this is what happened to Google recently. Now the spammers are freely using their SMTP servers to send piles of spam.

Haven't really got anything to add to Megan's advice. Selectively storing information on spammers is very helpful. Just make sure you're not infringing on anyone's privacy.

Yeah, I think it's a good

greg — Mon, 12 May 2008 20:27:46 +0000

Yeah, I think it's a good idea to keep banned memebrs details for a future reference.
I made it so when someone registers it gets their IP and domain and stores that unchanged indefinately.
Then each time they login it also stores current IP and current domain and logs a running total if any changes for those two.

There is nothing other than member details to need to keep really.
Private messages are just gone when deleted by user, row deleted from DB.

Another good thing to be

Megan — Mon, 12 May 2008 18:39:49 +0000

Another good thing to be able to do is track all of a user's activity. Usually this is built in to a given system but sometimes you miss things. Like what happens to deleted postings? Are they gone forever or can you still find them? Can you find all of a user's deleted posts.

Not deleting banned users is important. If they're just banned you can still keep track of their past activities. Sometimes you'll have people attempting to re-register and post the same spam again. If you keep the member on file you can go back and look at what they did before.

Thanks for the replies.

greg — Mon, 12 May 2008 16:08:54 +0000

Thanks for the replies. You've pretty much confirmed that there are no methods I don't know about.

Megan wrote:

It's good that your client is concerned about this from the start. This way you can make sure you have your bases covered before the community launches.

In my experience that sort of thing doesn't happen too often.

That's the balance I'm trying to get.
Prevention to a certain degree but with the thought that it wont happen often enough to remove functions from other members.

I have implemented a banned system. Where in admin CP a member can be banned and all their details (pm's, profile comments, friends list etc) are moved to a "banned_members" table.
That allows me to check usernames for banned members to give messages when they try to login, rather than simply delete them which would mean the username is available to register with again, and also the banned member trying to log in would just get 'username not found'.

Cheers

The PM spam is tough because

Megan — Mon, 12 May 2008 14:10:18 +0000

The PM spam is tough because you don't want to be watching people's private messaging too much. You have to rely on the community to report that and ban anyone caught spamming by PM. Don't put too many limits on the PM's, that will just annoy people.

You should be clear about what is and is not allowed and what the consequences are of breaking the rules - that's one thing we haven't got around ot re-implementing here since we moved this forum over. It's good that your client is concerned about this from the start. This way you can make sure you have your bases covered before the community launches. Spammers do tend to be creative about their techniques, so there will always be things you haven't thought of.

You should have an easy way to clean up any spam if it happens - can you delete a member's PM's? Can you delete all of their posts without too much trouble? In my experience that sort of thing doesn't happen too often.

As most spam seems to come

webwiz — Mon, 12 May 2008 00:49:40 +0000

As most spam seems to come from 'bots, something like a "honeypot" trap works well for me. You are correct in assuming that you can't do much about human spammers, though. My own opinion is that captchas exclude genuine visitors without stopping human spammers at all.

Your client has probably the only solution, partial though it is - limit the number of messages - although I'd probably make that one per three minutes and a few per day.

This topic comes up a lot on web design discussion groups, and no-one has a definitive answer, AFAICT.