@bentael Really glad to see the evolution of NodeBB's first anti-spam plugin!! 🙂
The spam is real.
Or else another idea is to come up with nbb native anti spam :
Drop a cookie every time a page is loaded via browser, if someone tries to comment without the cookie being dropped in the browser! Its probably not human and the comment can be moved to a moderation queue. Whether it be comment or new topic.
Second, if a user is making more than 3 new topic every minute, the fourth topic need to not be allowed to create without a cool down period of 30 minutes. This is used by reddit.
Third, there are many servers like stopspam and all which stores a list of the most spamming IP addresses, so nbb can check an IP against their database before allowing an IP to post more than 5 topics per hour, but a person with more than 3 reputation points can be avoided these checks.
This way, u don't need to have akismey or spots without honeys or captcha, if user wants additional protection, they will install plugins.
Project Honeypot checks against known spammers and blocks them at registration, this solves 90% of automated spam. A good Q&A would solve the rest usually. I'm pretty sure we can already limit how often someone can post/create topics. Post based permissions are always a good one, I used them on SMF, less than 5 posts, you couldn't post links or more than a topic every 2 minutes or so. Until they hit 10 posts.
I believe our post limiter is set to something low like 10 seconds. Having it set higher until you hit a certain rep threshold may be a good idea.
Here we go: gh#2335
The spam doesn't even make sense.
Gibberish gibberish gibberish, email address. Perhaps time to add a deny from to nginx?
@a_5mith I'm thinking it's a manual sign-up... they don't really make much sense, but if it were automated, we'd be getting a whole ton more.
@a_5mith I have had very good luck with Akismet on some Vanilla forums I run. Sometimes tools like Project Honeypot or StopForumSpam let new spammers through, while Akismet detects spam and hides it. I believe a combination of both is pretty powerful.
I do agree though that captchas just aren't good these days. I hate filling them out, and they're pretty ineffective against modern spammers.
The question plugin works fine for me, albeit I'll admit I'm using the EVE Online API plugin for most of the forums that I run so there's no way a bot could sign up without being a real person in the corp in question.
Not saying that all of their posts could be considered to be not spam but hey, who's counting.
The who.is info of the sites they promote comes back as private, however looking at where the nameservers point, and complaining to them may get them blacklisted by emailing their abuse email.
They've also been hammering talk.kano.me as well as a whole host of other large sites, IGN etc.
Scumbags. You'd think it would be easier to just spend $20 on google adwords, rather than paying 10 guys in a shed to spam forums with rubbish.
They just keep going, very persistent.
The issue with Akismet is when a user posts a link without manually changing its appearance (http://google.com instead of Google) the plugin is likely to "prevent the topic from posting" the user gets an alert, the composer stays active.
In reality, the plugin allows the post.
Very easy to get several duplicate topics like this.
@Ted is this an issue with spam-be-gone's handling of spam topics, then?
@julian I think that's just an issue with akismet as part of the spam-be-gone plugin, enforcing someone to embed a link with Markdown doesn't really constitute spam prevention, just user annoyance.
^ Testing a link as-is
Edit: Seems to work
Trev last edited by
@julian Of course my issue was when the old Markdown library was in use. I can't imagine Akismet would have had an issue with it but not the new library considering both simply render text into links -- unless the old library operated at the time of post and the new one operated at the time of display.
Those must've been around when the daily digest got sent... at least, I hope that's the case!
@Ted the new markdown library functions in the same capacity as the old one, on the server-side. If it does happen again, please let me know!
So far we've been without spam - hopefully that didn't jinx us - so I don't see myself incorporating Akismet support in the plugin anytime soon. In the event that it becomes an issue, I'll look into it.
Then once everything's broken, I'll let you know @julian
We also happened to be on an old version of spam-be-gone (
.4instead of something like
.24), though @bentael assures me it makes no difference
I'd never enabled Askimet because the free plan is supposed to be for non-commercial use only. This morning I decided that this forum constitutes a non-commercial entity (that being a support forum for an open source project), so that was ok.
do you require email confirmation before allowing new users to post?
@bentael We do not, no, as this forum was up before that particular option made it into the ACP, and we saw no reason to restrict it.
I could turn it on, though I'd also point out that with some of these "temporary email" services, it's almost trivial to automate the email verification process.
(I keep spelling it as Marinator )