Composr Tutorial: Anti-spam settings

Written by Chris Graham (ocProducts)
Attack by spam-bots can be a major problem for a website. Fortunately Composr provides a number of tools to help you.

This tutorial will go through the tools available, and our philosophy regarding them.
The actual configuration options are under Admin Zone > Setup > Configuration > Security, and should be reasonably intuitive.

This tutorial does not cover validation, which is covered in the Policing a community site tutorial.





(Click to enlarge)

CAPTCHA is the conventional tool to stop guest actions (such as joining, or posting) without first proving your human.
Composr uses a unique method behind-the-scenes to generate the CAPTCHA (the 'CSS' method), which has proven very effective.

Generally-speaking, CAPTCHA will fully protect you from spam. The exception tends to be when real humans do set up accounts, then spam using them. Some spammers subcontract CAPTCHA solution to humans on low-salaries. Other spammers serve target site's CAPTCHAs out to video sites (for example) where viewers unwittingly are made to solve them in order to be allowed to watch a video.
Therefore, we have additional controls.

Alternative CAPTCHA systems, such as solving maths problems, or recognising cats, or answering domain-problems (i.e. something specific about the subject of the website the CAPTCHA is on), are very popular. However this is purely "security through obscurity". A spammer can easily target a specific site's collection of answers, then spam that site enormously – because unlike the regular CAPTCHAs, these CAPTCHAs work on a much more limited set of problems and solutions.

Other CAPTCHA systems use scanned text, or incredibly distorted text, that often even humans don't understand. We don't go with this approach, as it is a terrible user experience.

In other words, Composr's default CAPTCHA tries to be both highly secure, and reasonable for a human to use, and then we have additional protections too.

We have an audio option for the CAPTCHA which is important for users with visual impairments. You can also remove the distortion effects from the CAPTCHA, which makes readability easier, but makes it much easier for a spammer to crack it.

Remote Block Lists (RBLs)

Remote Block Lists (RBLs) are a technique whereby Composr checks third-party lists of known spammers, via special RBL-protocols, based on DNS. You don't need to know the technical details other than that Composr can be configured to use an RBL service.
We have picked defaults options within Composr to help you get started with the best service(s).

Update: Actually the default list is now empty, as we learnt that there currently aren't any very reliable services for this. Common ones may block too widely, for example blocking computers that were at any point in the last year infected with a virus.

Stop Forum Spam

We use the popular Stop Forum Spam system system to look for known spammers based upon IP address, username, and e-mail address. We also report who you identify as spammers, back to Stop Forum Spam.



The options

The options

(Click to enlarge)

The options are located at Admin Zone > Setup > Configuration > Security options > Spammer detection.

You can configure when spam checks are performed via the "Spammer checking level" option:
  • Every page view (performs RBL checks always, and full check on actions)
  • Actions (joining, posting, trackbacks)
  • Guest actions (joining, Guest posting, trackbacks)
  • Joining
  • Never

Some anti-spam services (RBLs, Stop Forum Spam) will provide a 'confidence level' (out of 100) for whether they think an IP address is a spammer. Services that simply return yes/no will be given the value of the 'Implied spammer confidence' option as the confidence level if they say yes.

The confidence level is then compared about a number of configured thresholds:
  • Approval (the staff will have to validate a content submission, even if privileges normally say it would go through immediately)
  • Block (the attempted action will be blocked)
  • Ban (the user's IP address will be banned)

Other options include:
  • Specifying how long spam results are cached for
  • Specifying how long to trust reports of a spammer that were assigned a "last spam activity" date

Black hole


The black hole in a form's HTML

The black hole in a form's HTML

(Click to enlarge)

Composr forms can include a 'black hole' which is a specially hidden field that should not filled in, but spambots are likely to fill in by accident (because they don't have the same sense for 'hidden' that a human does). If a spammer fills in the black hole field then they will be marked as spammers.

Project Honey Pot

We integrate the Project Honey Pot service, for injection of a hidden Honey Pot link onto pages. Spambots following the link will flag as spammers in the Project Honey Pot system. This feeds the HTTP:BL block list, which is one of the RBL services Composr can use.
You need to specifically configure the options for Honey Pot – it requires you to sign up for their service, and fill in some special configuration options.

Reported posts

If someone spams on the forum (assuming you are running Conversr ) then they can use the 'report post' feature to alert the staff to the spammer activity.
This is described in the Policing a community site tutorial.

What we don't do

We're not a fan of all anti-spam systems. Here's a run-down of what we don't do:
  • Some popular spam checking tools will run checks through a commercial third-party server. We'd rather deliver our code to you within Composr, for improved performance, and in line with our Open Source philosophy.
  • We don't try and use pattern-analysis to detect spammers, because it would be so easy for a spammer to adjust their spam-bots to get past our filters.
  • Various alternative CAPTCHA systems (as explained above, under 'CAPTCHA')

Making a spam report to the developers

It is possible that occasionally a spammer may get through Composr's options. If so, please make a thorough report via the forum – so that we have the chance to properly look into how it got through.

  1. What exact anti-spam options are configured
  2. Where the spammer is getting through (e.g. making a forum post)
  3. The spammer's IP address
  4. The spammer's user-agent
  5. The time of the incident
  6. Whether the spam was by a guest (and if so, if you have guest posting permissions configured)

Avoid being anecdotal or emotional – give clear and concise facts.

Once you've made your report hopefully someone can then tell you what case category you are in:
  1. Incorrect Composr set up – in which case someone may be able to advise
  2. Manual spammer attack
  3. Insufficient protection within Composr – in which case we can consider making Composr improvements


A security image/sound consisting of numbers that a human must enter into a text box. It is designed to prevent bots from spamming your website.
A block list service, detecting whether to block the IP address of a known spammer.
A malicious program a spammer runs, to automatically submit spam to websites. It is often written using techniques similar to that of a search engine crawler (to find targets), and then tries to simulate humans but while posting spam. Some spam-bots run on infected PCs, which is why it can be hard to directly block known spammers.
Honey Pot
A hidden link of area where spam-bots may get to, but a human never would. An effective way for detecting spam-bots.

See also


Please rate this tutorial:

Have a suggestion? Report an issue on the tracker.

Back to Top