Disabled "About me" and "Signature" profile elements as the "Spam Be Gone" plugin does not check these
This, I feel, will help us a lot. We have a lot of bots using this vector and really see essentially no legitimate usage of it.
I believe our post limiter is set to something low like 10 seconds. Having it set higher until you hit a certain rep threshold may be a good idea.
Here we go: gh#2335
The spam doesn't even make sense.
Gibberish gibberish gibberish, email address. Perhaps time to add a deny from to nginx?
@a_5mith I'm thinking it's a manual sign-up... they don't really make much sense, but if it were automated, we'd be getting a whole ton more.
@a_5mith I have had very good luck with Akismet on some Vanilla forums I run. Sometimes tools like Project Honeypot or StopForumSpam let new spammers through, while Akismet detects spam and hides it. I believe a combination of both is pretty powerful.
I do agree though that captchas just aren't good these days. I hate filling them out, and they're pretty ineffective against modern spammers.
The question plugin works fine for me, albeit I'll admit I'm using the EVE Online API plugin for most of the forums that I run so there's no way a bot could sign up without being a real person in the corp in question.
Not saying that all of their posts could be considered to be not spam but hey, who's counting.
The who.is info of the sites they promote comes back as private; however, looking at where the nameservers point and complaining to them may get them blacklisted by emailing their abuse email.
They've also been hammering talk.kano.me as well as a whole host of other large sites, IGN etc.
Scumbags. You'd think it would be easier to just spend $20 on Google AdWords, rather than paying 10 guys in a shed to spam forums with rubbish.
They just keep going, very persistent.
The issue with Akismet is that when a user posts a link without manually changing its appearance (http://google.com instead of Google), the plugin is likely to "prevent the topic from posting": the user gets an alert, the composer stays active.
In reality, the plugin allows the post.
Very easy to get several duplicate topics like this.
@Ted is this an issue with spam-be-gone's handling of spam topics, then?
@julian I think that's just an issue with Akismet as part of the spam-be-gone plugin; forcing someone to embed a link with Markdown doesn't really constitute spam prevention, just user annoyance.
^ Testing a link as-is
Edit: Seems to work
@julian Of course my issue was when the old Markdown library was in use. I can't imagine Akismet would have had an issue with it but not the new library considering both simply render text into links -- unless the old library operated at the time of post and the new one operated at the time of display.
Those must've been around when the daily digest got sent... at least, I hope that's the case!
@Ted the new markdown library functions in the same capacity as the old one, on the server-side. If it does happen again, please let me know!
So far we've been without spam - hopefully that didn't jinx us - so I don't see myself incorporating Akismet support in the plugin anytime soon. In the event that it becomes an issue, I'll look into it.
Then once everything's broken, I'll let you know @julian
We also happened to be on an old version of spam-be-gone (.4 instead of something like .24), though @bentael assures me it makes no difference
I'd never enabled Akismet because the free plan is supposed to be for non-commercial use only. This morning I decided that this forum constitutes a non-commercial entity (that being a support forum for an open source project), so that was ok.
Do you require email confirmation before allowing new users to post?
@bentael We do not, no, as this forum was up before that particular option made it into the ACP, and we saw no reason to restrict it.
I could turn it on, though I'd also point out that with some of these "temporary email" services, it's almost trivial to automate the email verification process.
(I keep spelling it as Marinator)
Okay.. I don't know.. how are these bots bypassing captcha on registration? Mechanical Turk? OCR?