Composr Tutorial: Anti-spam settings
Written by Chris Graham (ocProducts)Attack by spam-bots can be a major problem for a website. Fortunately Composr provides a number of tools to help you.
This tutorial will go through the tools available, and our philosophy regarding them.
The actual configuration options are under Admin Zone > Setup > Configuration > Security, and should be reasonably intuitive.
This tutorial does not cover validation, which is covered in the Policing a community site tutorial.
Composr uses a unique method behind-the-scenes to generate the CAPTCHA (the 'CSS' method), which has proven very effective.
Generally-speaking, CAPTCHA will fully protect you from spam. The exception tends to be when real humans do set up accounts, then spam using them. Some spammers subcontract CAPTCHA solution to humans on low-salaries. Other spammers serve target site's CAPTCHAs out to video sites (for example) where viewers unwittingly are made to solve them in order to be allowed to watch a video.
Therefore, we have additional controls.
Alternative CAPTCHA systems, such as solving maths problems, or recognising cats, or answering domain-problems (i.e. something specific about the subject of the website the CAPTCHA is on), are very popular. However this is purely "security through obscurity". A spammer can easily target a specific site's collection of answers, then spam that site enormously – because unlike the regular CAPTCHAs, these CAPTCHAs work on a much more limited set of problems and solutions.
Other CAPTCHA systems use scanned text, or incredibly distorted text, that often even humans don't understand. We don't go with this approach, as it is a terrible user experience.
In other words, Composr's default CAPTCHA tries to be both highly secure, and reasonable for a human to use, and then we have additional protections too.
We have an audio option for the CAPTCHA which is important for users with visual impairments. You can also remove the distortion effects from the CAPTCHA, which makes readability easier, but makes it much easier for a spammer to crack it.
Remote Block Lists (RBLs)Remote Block Lists (RBLs) are a technique whereby Composr checks third-party lists of known spammers, via special RBL-protocols, based on DNS. You don't need to know the technical details other than that Composr can be configured to use an RBL service.
We have picked defaults options within Composr to help you get started with the best service(s).
Update: Actually the default list is now empty, as we learnt that there currently aren't any very reliable services for this. Common ones may block too widely, for example blocking computers that were at any point in the last year infected with a virus.
Stop Forum SpamWe use the popular Stop Forum Spam system system to look for known spammers based upon IP address, username, and e-mail address. We also report who you identify as spammers, back to Stop Forum Spam.
You can configure when spam checks are performed via the "Spammer checking level" option:
- Every page view (performs RBL checks always, and full check on actions)
- Actions (joining, posting, trackbacks)
- Guest actions (joining, Guest posting, trackbacks)
Some anti-spam services (RBLs, Stop Forum Spam) will provide a 'confidence level' (out of 100) for whether they think an IP address is a spammer. Services that simply return yes/no will be given the value of the 'Implied spammer confidence' option as the confidence level if they say yes.
The confidence level is then compared about a number of configured thresholds:
- Approval (the staff will have to validate a content submission, even if privileges normally say it would go through immediately)
- Block (the attempted action will be blocked)
- Ban (the user's IP address will be banned)
Other options include:
- Specifying how long spam results are cached for
- Specifying how long to trust reports of a spammer that were assigned a "last spam activity" date
Project Honey PotWe integrate the Project Honey Pot service, for injection of a hidden Honey Pot link onto pages. Spambots following the link will flag as spammers in the Project Honey Pot system. This feeds the HTTP:BL block list, which is one of the RBL services Composr can use.
You need to specifically configure the options for Honey Pot – it requires you to sign up for their service, and fill in some special configuration options.
Reported postsIf someone spams on the forum (assuming you are running Conversr ) then they can use the 'report post' feature to alert the staff to the spammer activity.
This is described in the Policing a community site tutorial.
What we don't do
- Some popular spam checking tools will run checks through a commercial third-party server. We'd rather deliver our code to you within Composr, for improved performance, and in line with our Open Source philosophy.
- We don't try and use pattern-analysis to detect spammers, because it would be so easy for a spammer to adjust their spam-bots to get past our filters.
- Various alternative CAPTCHA systems (as explained above, under 'CAPTCHA')
Making a spam report to the developersIt is possible that occasionally a spammer may get through Composr's options. If so, please make a thorough report via the http://compo.sr forum – so that we have the chance to properly look into how it got through.
- What exact anti-spam options are configured
- Where the spammer is getting through (e.g. making a forum post)
- The spammer's IP address
- The spammer's user-agent
- The time of the incident
- Whether the spam was by a guest (and if so, if you have guest posting permissions configured)
Avoid being anecdotal or emotional – give clear and concise facts.
Once you've made your report hopefully someone can then tell you what case category you are in:
- Incorrect Composr set up – in which case someone may be able to advise
- Manual spammer attack
- Insufficient protection within Composr – in which case we can consider making Composr improvements
- A security image/sound consisting of numbers that a human must enter into a text box. It is designed to prevent bots from spamming your website.
- A block list service, detecting whether to block the IP address of a known spammer.
- A malicious program a spammer runs, to automatically submit spam to websites. It is often written using techniques similar to that of a search engine crawler (to find targets), and then tries to simulate humans but while posting spam. Some spam-bots run on infected PCs, which is why it can be hard to directly block known spammers.
- Honey Pot
- A hidden link of area where spam-bots may get to, but a human never would. An effective way for detecting spam-bots.
Please rate this tutorial:
Have a suggestion? Report an issue on the tracker.