BuddyPress.org

A good idea is to change the signup slug to something else. This will help significantly. Also, if you don’t need to provide blog registrations, then turn this option off.

The problem with bundling a solution in the core is spammers will eventually get around this and it will become useless. The best way to fight spam is to have something unique on your site that stops them in their tracks. A completely unique signup slug is a good way of doing this.

I will but I would like to take a little more time to see if it works. So far it looks like it does. However I have not tried on bp 1.2. Gotta install that first and see how it goes there.

@guristu: WOW – that sounds very promising, I always found the hashcash-plugin a very good and simple solution. Why not sending your “hack” to the developers, so that they can update their plugin-version for all the future bp-users

I have adjusted the wp-hashcash plugin to work with buddypress signup. Here is what I did: I got the wp-hashcash plugin and I added the following code to the file:

global $bp;

// get our options
$options = wphc_option();
$spam = false;
//if( !strpos( $_SERVER[ ‘PHP_SELF’ ], ‘wp-signup.php’ ) )
//return $result;

// Check the wphc values against the last five keys
$spam = !in_array($_POST[“wphc_value”], $options[‘key’]);

if($spam){
$options[‘signups-spam’] = ((int) $options[‘signups-spam’]) + 1;
wphc_option($options);
$bp->signup->errors[‘spam’] = __(‘You did not pass a spam check. Please enable JavaScript in your browser.’);
} else {
$options[‘signups-ham’] = ((int) $options[‘signups-ham’]) + 1;
wphc_option($options);
}

}
add_action( ‘bp_signup_validate’, ‘wphc_check_signup_for_bp’);

function wphc_error_hook_register_page(){

do_action(‘bp_spam_errors’);

}
add_action(‘bp_before_register_page’, ‘wphc_error_hook_register_page’);

Then, under the line (line number about 507)

I put this line:

Then I activate the plugin. It should keep spam bots from being able to create accounts, but humans spammers can still do it. Anyway, if you can’t get it to work, let me know via PM and I will try to send you the file.

Later

I never had spam on my main site, until now. The invisible-defender plugin doesn’t help at all and clashes with Beau Lebens’s wp-email-login plugin. Haven’t had time to try any of the other solutions yet. It’s now after midnight, deadlines tomorrow, wasting time deleting spam accounts…

I am having major problems with spam as well. Ironically it started as soon as I put my link in the showcase thread on this forum. I think the spam bots are looking there for easy targets as well.

Why do people make spambots that don’t even advertise stuff and just waste everyone’s time filling sites with meaningless crap. Is it like they are trying to sabotage Buddypress?

How does one submit domains and sites and IP addresses to spam traps.

http://www.bp-tricks.com/tips_and_tricks/stopping-the-sploggers/

i guess this is one of the best trick against spam blogs and “wild” registrations.

Step 1 and 2 are a bit obvious, but 3 and 4 are really efficient.

Keep in mind that on a wpmu site each blog created by a member has his first post and comment appearing on the default template – the good ol’ kakumei… on which is also written “powered by…” ( Step 2 is only for main blog i think) Spam bots eat this with delectation i suppose.

Spam programs are written to bypass signup. Well. I presume other narrow words like join, fall in, get together are also activ in such programms. But what do these programms if you choose “groink” or “methabolic” ? So follow the explanation and choose a really original word for your signup redirection. This works well for the moment. And don’t forget to put the functions.php file the in mu-plugins folder (to be theme independant).

To use in addition with some other solutions (wp-ban, invisible defender, …) of course.

Crap, the spammers have now found my site.

These are not the spammers with name+year usernames, like ‘johndoe1973’, that I used to get on test sites. Those seemed to bypass the registration and activation process, because they didn’t show up on my mailing list.

The spammers I get now have realistic sounding full names and apparently usernames generated from those fullnames (my regular custom registration). I recognize them from the long random strings they add in my custom Company field.

Haven’t seen them registering blogs yet. What are they even trying to achieve?!

Sploggers is a serious problem that WPMU/BPAutomattic needs to address!

BuddyPress uses regular WP Mail functions. Perhaps they’re getting caught as spam.

Checking your referral logs is one way you can see how they’re getting in. Tip: login to the bbpress admin area and CLOSE SIGNUPS.

Obviously this only applies if you are running a seperate bbPress install.

One thing to remember, the spammers can see the signup code. That’s what they build their scripts for.

The better you can customize your site, the better you can stop them.

Checking your referral logs is one way you can see how they’re getting in. Tip: login to the bbpress admin area and CLOSE SIGNUPS.

Do follow is also a great way to encourage users to create and fill out a profile, specifically if you create custom fields for their “websites” in their profile. Spam registrations are already a major issue ( at least for us ) so that isn’t much of a deterrent for us at least.

I’m in the same boat. Have used a bunch of different captchas including the recaptcha that has been reworked for BuddyPress to no avail. Even took down our registration page for a day to make sure spammers weren’t bypassing via bbpress or somewhere else…. it was nice not having to delete spam accounts for a day. We may end up taking buddypress out at some point here until there are better spam tools in place.

I know on the MU side, you can ban registrations from specified email domains. (Site Admin -> Options)

Can’t remember if this translates over to the BP side.

There was a new blunt solution here. Apparently having a couple of required custom profile fields also cuts down spam.

I was just about to ask the same thing – never had much trouble before when using re-captcha but now I have upgraded we’re talking 20-30/day and increasing

Which brings me to my next question – is it better to mark both user and blog as spammer or just delete them both?

Good thought about the reputation. YOu might be able to combine it with the achievments plugin! In any case let us know if you attempt anything like that.

@mike: Even with just a small site. I was running it on first with a VPS hosted site and it got shut down by the provider. They say that the “huge” amount of mail coming from BP notifications are “spam” and a violation of their TOS since, they say, it got the IP blacklisted.

I moved it to a dedicated server but I’m concerned that the IP address will be blacklisted if the system sends out hundreds of mail notifications in an hour. Problem is, I don’t know how much mail is too much. And if that should qualify as spamming. Should this be a concern?

Was just wondering if there’s a way for the admin to set email notifications off by default. Or if not, if there’s a code we can edit to do that. Feedback would be great.

Your Bp email server might become an open relay server for spammers !

Raise a ticket. This is a usability/privacy issue. It should be blatantly obvious to the user who is replying to a private message that they are sending to more than the sender.