Fighting BOTs and spammers


The fight against BOTs and spammers is a never-ending battle. glFusion continues to evolve to prevent BOTs from registering on your site or spammers posting in your forums and comments. The CAPTCHA plugin helped for a while, but even after enhancing CAPTCHA to use services like Google's reCAPTCHA, we're finding CAPTCHAs are becoming less effective and are very inconvenient for your users. CAPTCHAs do still help, but they are not enough and many sites simply do not like to use them. With our latest release of glFusion we have added some additional BOT and spam protections that are proving to be very effective.

Types of Spam

It would be a lot simpler if we only had to combat one type of spam, but in today's environment, we have to deal with Registration spam, Forum & Comment spam, Trackback spam, Referer spam and a whole lot more.

Bots and spammers will try to register on your site so they can put links to websites in their profile information. Bots will visit your site with links to scam, porn, and other types of sites in the Referer header in hopes that you will display the Referer information in your stats. Bots and spammers will try to post spam posts with links to other sites in your forums and in comments.

Some of these we simply ignore, such as Referer spam. We would prefer these spammers not hit our sites, but we also don't display Referer information so they don't get any of the benefits they are hoping for. The other types of spam activity we want to make sure we block and stop.

Let's review the tools that are available to all glFusion sites and how we can leverage them to stop, or at least, slow down bots and spammers.

CAPTCHA

We updated the CAPTCHA plugin to provide the ability to implement the CAPTCHA widget on the Login form and the Forgot Password form. 

The glFusion CAPTCHA plugin supports several types of CAPTCHAs. We support Google's reCAPTCHA, which is effective and somewhat user friendly. It does require that you register your site with Google and obtain a site key. The Math Equation CAPTCHA is also very effective and less intrusive for your users. They need to solve a very simple math problem (e.g., 34 + 7), and it does not require any external site access like reCAPTCHA. If you are using reCAPTCHA, please review the Google reCAPTCHA Privacy Policy to understand what data they review and store.

CAPTCHAs still provide some level of protection against BOTs, but there are tools available now that can bypass all forms of CAPTCHA, including Google's reCAPTCHA.

Stop Forum Spam

Stop Forum Spam (SFS) provides a list of spammers that persist in abusing forums and blogs with their scams, ripoffs, exploits and other annoyances. They provide these lists so that you don't have to endure the never-ending job of having to moderate, filter and delete their rubbish. glFusion has integrated SFS into new user registration, comment posts, and forum posts. Before a new user is allowed to register, or a comment is saved, or a forum post is saved, the user's IP address, email, and username are checked against the SFS database. If it is found, the action is denied. SFS blocks a large percentage of the SPAM / BOT attempts, but it doesn't catch everything.

New IPs, emails, and usernames are being used all the time by the BOTS / spammers, so it may take a little time before they appear in the SFS database. Because there can be a delay from the time a BOT or spammer starts their activity using a set of emails or IP addresses, we've implemented a feature in glFusion that allows you to check your existing users against the SFS database. It is a good idea to check your new registrations on your site weekly to see if they have shown up in the SFS database.

Stop Forum Spam is enabled and working right out of the box; no additional setup or configuration is required. You should review the Stop Forum Spam Privacy Policy to understand what data they review and how they use this data.

Akismet

Akismet is a spam filtering service that filters spam from comments, trackbacks, and contact form messages. The filter works by combining information about spam captured on all participating sites, and then using those spam rules to block future spam. Akismet is offered by Automattic, the company behind WordPress.com. You must register with Akismet and obtain a site key before you can use their service. Akismet offers several plans, including a free plan for personal websites. Commercial websites may need to purchase a monthly subscription. Please see Akismet's Plans page for more details. Also, the Akismet Privacy Policy is located here.

Bad Behavior2 Plugin / http:BL

The HTTP Blacklist, or "http:BL", is a system that allows website administrators to take advantage of the data generated by Project Honey Pot in order to keep suspicious and malicious web robots off their sites. Project Honey Pot tracks harvesters, comment spammers, and other suspicious visitors to websites. Http:BL makes this data available to any member of Project Honey Pot in an easy and efficient way.

Http:BL provides data back about the IP addresses of visitors to your website. The Project Honey Pot data indicates the type of visitor to your site, how threatening that visitor is, and how long it has been since the visitor has last been seen within the Project Honey Pot trap network.

Http:BL is part of the Bad Behavior2 plugin. Http:BL is not enabled by default on a glFusion install. You must first register with Project Honey Pot and request an access key. Once you have your access key, you will need to enter it in the Bad Behavior2 Configuration screen. Once the key has been added, the Bad Behavior plugin will begin checking every site request against the HTTP Blacklist and deny access to anyone listed. This feature can also eliminate a significant amount of BOT / spam traffic on your site. Project Honey Pot's Privacy Policy is located here for your review.
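To show what an http:BL check carries, here is an added example (not glFusion's or Bad Behavior's own code) that builds the DNS query name and decodes the three fields described above from the answer, following Project Honey Pot's published http:BL format. The access key used in testing is a constructed placeholder, and the `should_block` thresholds are assumptions for illustration, not the plugin's policy.

```python
import ipaddress
import socket
from dataclasses import dataclass

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor type is a bitmask in the last octet of the answer; 0 means search engine.
VISITOR_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

@dataclass(frozen=True)
class Verdict:
    days_since_seen: int   # 2nd octet of the answer
    threat: int            # 3rd octet, 0-255
    kinds: tuple           # decoded from the 4th octet

def query_name(access_key, visitor_ip):
    """Build the DNS name: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org"""
    ip = ipaddress.ip_address(visitor_ip)
    if ip.version != 4:
        raise ValueError("http:BL lookups are defined for IPv4 only")
    return ".".join([access_key, *reversed(str(ip).split(".")), HTTPBL_ZONE])

def decode_answer(answer):
    """Decode an A-record answer; None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return None
    first, days, threat, vtype = (int(p) for p in answer.split("."))
    if first != 127:
        raise ValueError(f"not a valid http:BL answer: {answer}")
    if vtype == 0:
        # For search engines the 3rd octet is an engine id, not a threat score.
        return Verdict(days, 0, ("search engine",))
    kinds = tuple(n for bit, n in VISITOR_FLAGS.items() if vtype & bit)
    return Verdict(days, threat, kinds)

def should_block(verdict, min_threat=25, max_age_days=30):
    """Hypothetical policy: block recent, sufficiently threatening visitors."""
    if verdict is None or "search engine" in verdict.kinds:
        return False
    return verdict.threat >= min_threat and verdict.days_since_seen <= max_age_days

def lookup(access_key, visitor_ip):
    """Live lookup (needs network and a real key); fails open on resolver errors."""
    try:
        answer = socket.gethostbyname(query_name(access_key, visitor_ip))
    except socket.gaierror:
        return None
    return decode_answer(answer)
```

Failing open in `lookup` keeps the site reachable when the resolver is down, at the cost of letting listed visitors through during an outage.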

Privacy

Keep in mind, using the external services above can raise privacy concerns for some users. glFusion will pass the user's email, username, IP and the content of their post to these external services. Personally, we do not feel this is a concern and have reviewed the privacy policies for each of the services (listed above for your convenience).  We recommend that you review their privacy policies and make your own determination. It is also recommended that you update your site's Privacy Policy to reflect which external services you use. You can check out glFusion's Privacy Policy for an example of how to update your own.

glFusion provides bot and spam protections that do not rely on external services, and they work reasonably well, but the crowdsourcing approach used by Google's reCAPTCHA, Stop Forum Spam, Akismet, and Project Honey Pot provides the highest level of protection and helps reduce the risk of false positives.

Summary

glFusion provides several tools to help combat BOTs and spammers. The multiple layers of defense help build a strong barrier to stop, or at least significantly reduce, the amount of BOT and spam traffic. I recommend that you use all of the tools available in the glFusion arsenal to combat the BOTs and spammers. If you need any help in setting things up, post in the Support Forums; there is always someone around willing to help.


by Mark

Mark is the main developer on glFusion. When not doing his real job and playing with his family, he really enjoys working on glFusion and the collaboration with the glFusion community.
