Attacking spam — different approaches + results

  • Peter Kirn


    We’ve just gotten through some epic development work, nearly at the end, which leaves more time to turn more efforts to truly spam-proofing BP.

    So, I’ve tried a number of things, and I have a site that’s getting actively targeted enough that I’m getting some data. (I’d had conversations with @jeffsayre + @apeatling at various times…) While it’s taken me a LONG time, having watched it over the last few weeks, I feel like I have a better handle on what’s going on. A bit sleepy, but want to get some words out on this. This is what I’ve found.

    1. Captchas
    No-go. ReCaptcha seems worst of all. SI-CAPTCHA did marginally better. But it’s clear that the scripts are already breaking the captchas.

    2. Removing old bbPress installs, registration pages
    This is in fact a variable as near as I can figure; at least some of the scripts will find old bbPress registration pages, so delete them. Also, I deleted the deprecated wp-register.php file you’ll find in the default WP install. It’s just a redirect, but it’s an additional target for some scripts.

    3. Human verification
    This is, by far, the most effective counter-measure. It doesn’t entirely eliminate spam — some are apparently finding the questions — but you can ask something specific to your community and get some really good results. I’ve used both the free bp-humanity and the WPMU premium plugin (which offers a pool of human questions as an option); both appear to work equally well.

    4. WPMU anti-splog premium
    Mixed. It does something — but it can also generate false positives. It is effective as another filter. I’d like to see these folks open it up, however, and simply do a suggested fee as Automattic does with Akismet. The collected data *could* make this more effective, in the way Akismet is, but that will require a larger user base. I think part of why the algorithm isn’t working better is that it may not have a large enough pool of data. But I’m just speculating; they would know better than I. I can see this being useful, and in all frankness, they have some fantastic plug-ins at that site and I appreciate the GPL-as-business-model idea. I just wouldn’t necessarily spend money on a subscription for this plug-in alone, even apart from the problem of needing to find a solution for all BuddyPress users.

    5. Honeypots
    I’m waiting on @johnjamesjacoby for some code to test on BuddyPress; stay tuned. Again, I’ve just gotten through some epic development pushes, so I’ll have more time to focus on this.

    6. Changing the slug
    This could be one of the best solutions out there; disguising the registration page could clearly cut down on the volume of sign-ups (which is a good thing on a whole number of levels).

    So, the issue is, I don’t think this is a one-dimensional problem. It’ll get better once BP incorporates a series of countermeasures and continues to improve, so that it’s one step *ahead of* the spammers instead of one step behind.

    Also, I’ll say, there isn’t a whole lot of human effort on the other end that I can see. It’s still mostly – though not entirely – scripted. That means this is indeed beatable. We cease to become a target once there’s reasonable effort required to get in.
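    The following is an added example, not code from this thread, from BuddyPress or from any of the plug-ins mentioned. It sketches, in framework-agnostic PHP, three of the countermeasures listed above working together on one registration form: a honeypot field that humans never see, a community-specific question (item 3), and a signed timestamp that rejects forms filled in faster than a person could type. The function names, field names, the sample question and the secret are all assumptions made for the illustration; wiring the rendered fields into BuddyPress's signup template and calling the validator from its signup validation hook is left to the integrator.

```php
<?php
// Added example (not from the thread, BuddyPress or any plug-in named in it).
// Function names, field names, the question and the secret are assumptions.

// Question/answer pairs specific to your community (constructed sample data).
// Several accepted spellings are listed; comparison is case-insensitive.
const BP_EXAMPLE_QUESTIONS = [
    'What instrument is pictured in our site logo?' => ['banjo', 'a banjo'],
];

// Secret used to sign the form timestamp so a script cannot forge an "old" form.
// In a real install, load this from configuration instead of a constant.
const BP_EXAMPLE_SECRET = 'replace-with-a-long-random-secret';

function bp_example_sign(int $ts): string {
    return hash_hmac('sha256', (string) $ts, BP_EXAMPLE_SECRET);
}

// Renders the extra fields to append to the registration form. The honeypot
// input is hidden with CSS rather than type="hidden", because many scripts
// fill every text input they find in the markup and skip only hidden ones.
function bp_example_render_fields(int $now): string {
    $question = array_key_first(BP_EXAMPLE_QUESTIONS);
    return
        '<div style="position:absolute;left:-9999px" aria-hidden="true">' .
        '<label>Leave this field empty' .
        '<input type="text" name="website_url" autocomplete="off" tabindex="-1"></label></div>' .
        '<label>' . htmlspecialchars($question) .
        '<input type="text" name="human_answer"></label>' .
        '<input type="hidden" name="form_ts" value="' . $now . '">' .
        '<input type="hidden" name="form_sig" value="' . bp_example_sign($now) . '">';
}

// Validates a submitted form. Returns a list of error codes; empty means pass.
function bp_example_validate(array $post, int $now, int $min_seconds = 5, int $max_seconds = 3600): array {
    $errors = [];

    // 1. Honeypot: a human never sees the field, so any value came from a script.
    if (!empty($post['website_url'])) {
        $errors[] = 'honeypot';
    }

    // 2. Timing: the timestamp must carry a valid signature, and the form must be
    //    neither submitted faster than a person could type nor hours old.
    $ts  = (int) ($post['form_ts'] ?? 0);
    $sig = (string) ($post['form_sig'] ?? '');
    if ($ts === 0 || !hash_equals(bp_example_sign($ts), $sig)) {
        $errors[] = 'bad_token';
    } elseif ($now - $ts < $min_seconds || $now - $ts > $max_seconds) {
        $errors[] = 'timing';
    }

    // 3. Community question: compare the normalised answer with the accepted ones.
    $answer   = strtolower(trim((string) ($post['human_answer'] ?? '')));
    $accepted = array_map('strtolower', BP_EXAMPLE_QUESTIONS[array_key_first(BP_EXAMPLE_QUESTIONS)]);
    if ($answer === '' || !in_array($answer, $accepted, true)) {
        $errors[] = 'question';
    }

    return $errors;
}

// Usage with two constructed submissions (not real traffic): a person who took
// 20 seconds and answered correctly, and a script that filled the honeypot and
// posted the form one second after loading it.
$now  = time();
$good = ['website_url' => '', 'human_answer' => 'Banjo',
         'form_ts' => $now - 20, 'form_sig' => bp_example_sign($now - 20)];
$bot  = ['website_url' => 'http://example.invalid', 'human_answer' => 'banjo',
         'form_ts' => $now - 1, 'form_sig' => bp_example_sign($now - 1)];
var_dump(bp_example_validate($good, $now));
var_dump(bp_example_validate($bot, $now));
```

The first submission validates with no errors; the second is flagged as both `honeypot` and `timing` even though it answered the question correctly, which is the point of layering: a script that defeats one check (here, the question, which it may have scraped from a thread like this one) still trips the others. Rotating the question periodically and keeping the honeypot field name unremarkable both raise the effort needed, which matches the observation above that the traffic is mostly scripted and stops once real effort is required.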

Viewing 13 replies - 1 through 13 (of 13 total)

  • teebes


    Nice write up! Looking forward to the honeypot idea. I recently switched the registration slug on my BP site which helped tremendously! I also run a medium sized forum and couldn’t believe how adding a simple math question or ‘reason for joining’ question practically nullified our spam hits.

    Judging by the amount of spam this site has been getting lately, I hope this topic stays afloat :)



    One question! Point #3, Human Verification: you mention a WPMU Dev premium plugin? Can you please tell me the name of that plugin?

    David Bisset


    Changing the slug sounds intriguing but I would imagine a script could find that page without too much trouble via registration links.

    Peter Kirn


    @Dimensionmedia: good point. You know, I think what we could probably do is then obfuscate the one link in JS. ;) Ditto the submit button, which I didn’t include here.

    @AnindyaRay: this is the anti-splog plug-in.

    One trick with that is that moving the signup there doesn’t yet work with BuddyPress, but could. But I think manually changing it is fine. And BP-Humanity does the same thing as far as the human verification. The biggest utility in Anti-Splog at the moment is that it has a moderation queue. But I’m not yet convinced by their API.

    What I can say without a doubt is that captcha/recaptcha *doesn’t work*.

    Jeff Sayre


    Interesting write-up, @peterkirn. I’ve suggested this topic as a possible agenda item for tomorrow’s BP dev meeting:

    Also, I assume that you’ve seen this older thread started by @foxly?



    What’s the latest word on stopping spam? I was good for about a month but now suddenly I am getting nailed every night while I’m sleeping. It’s like they know when I go to bed and then start, lol.



    I was also good for about a month, spammer-free, after applying a lot of the methods, including my own adjustments to site creation. And now all of a sudden, every night. It’s almost like they also read these threads to see how they can combat our anti-spam measures, hehe.



    Yeah, all of the measures are no longer working: captcha, humanity, .htaccess stuff, etc. They are somehow bypassing everything.



    Try the Bad Behavior plugin and see what happens… use the list feature.



    Does anyone know how to test the .htaccess change (found here

    I can’t seem to get it to redirect when I test it.



    With Bad Behavior it seems like you just trade spam signups for blocking real users. I had it installed for 1 day and kept getting messages from legit users getting blocked. CAN’T WIN.



    I had some luck with a plug-in called Monty Spam for a while. But it made a very large file in my database and I had to quit using it. For those of you who aren’t afraid of excessive data files.

    Kevin Murray


    I’ve had a few false positives recently from sign-ups. When I classify them as not a spammer, their profile doesn’t appear on the members page. Does anyone know what happens then? Do they then get a confirmation email?

    I would love to have a filter so I could see all the users who were identified as spam. Then I could check out the false positives more systematically. Does anyone know a plug-in that can do that?
