Making the case for anti-spam feature even for posting

psychobunny

@baris just pushed a fix that hopefully solves the user deletion bug, and I guess we all know what we're doing in the upcoming weeks re: spam prevention

julian

@psychobunny said:

I guess we all know what we're doing in the upcoming weeks re: spam prevention

Yeah, and all we needed was to have a spambot hammer us for half an hour

a_5mith

What about adding support for Project Honeypot, I use it on my forum and haven't had a single spambot registration in 7 months. It stops them before they even get to the registration process. Then an option for either a Q&A or one of them new fangled captchas where you need to click the spanner or something.

julian

I use it on my forum and haven't had a single spambot registration in 7 months.

Hey, good enough for me -- I might just look into it

anooxy

@julian Check out http://www.stopforumspam.com/ while you're at it, most forum systems have this and it works a wonder. You can use them both to be uber-protected.

But for now, I think a simple spambot prevention would be a nice, like reCaptcha.

finid

@anooxy

reCaptcha can be a pain. See Anti-spam solution for registration page #1213.

a_5mith

Most Captchas are easily broken by bots, the only real way you can stop a spambot by using a captcha is if you build your own or use one that's not well known, the spam bot creators don't bother hacking the smaller captcha providers.

An option to use each one would be nice though, maybe a few different captcha providers, or a Question & Answer form. Then run them through someone like Stop Forum Spam whilst we're there. This, by default would also give you an edge over other bulletin board software, as most just handle it through a plugin/add-on.

frissdiegurke

I'd like to have an option within ACP like "Allow posting without javascript" and "Allow registration without javascript", because many bots do not have js activated.
The following traps could be done as well:

• measure time the user lasts on the page (hidden timestamp input-field). If it's less than a few seconds it's most likely a bot. (you may skip this test if the user has some reputation since copy+paste may result in short delays too)
• honeypot (user-hidden (js if enabled, otherwise css) input-field with common name like 'email', if it gets filled it's most likely a bot)
• confirmation-page (or dialog if js is enabled) with checkbox like "I am a human" or simple question like "What is more valuable gold or glass?"

If these options are implemented the following should be configurable within ACP:

• Enable time-measure, minimum time
• Confirmation Question + Answer (if answer is true or false show checkbox with opposite default-value)
• Skip confirmation if javascript is enabled (default: true)

In combination with the database suggestion by @anooxy this should filter most bots without annoying (javascript-enabled) users in any way.

Schamper

Interestingly enough I had the idea of making a Project Honeypot plugin 2 months ago
Never came around to doing it though... Still have that Poll thing and the video chatting...

finid

On my new site, I have more bot-registered users than real users. The list just keeps growing by the minutes. Nothing to stop them.