Attacking spam — different approaches + results
We’ve just gotten through some epic development work, nearly at the end, which leaves more time to turn more efforts to truly spam-proofing BP.
So, I’ve tried a number of things, and I have a site that’s getting actively targeted enough that I’m getting some data. (Had had conversations with @jeffsayre + @apeatling at various times…) While it’s taken me a LONG time, having watched it over the last few weeks, I feel like I have a better handle on what’s going on. A bit sleepy, but want to get some words out on this. This is what I’ve found.
No-go. ReCaptcha seems worst of all. SI-CAPTCHA did marginally better. But it’s clear that the scripts are already breaking the captchas.
2. Removing old bbPress installs, registration pages
This is in fact a variable as near as I can figure; at least some of the scripts will find old bbPress registration pages, so delete them. Also, I deleted the deprecated wp-register.php file you’ll find in the default WP install. It’s just a redirect, but it’s an additional target for some scripts.
3. Human verification
This is, by far, the most effective counter-measure. It doesn’t entirely eliminate spam — some are apparently finding the questions — but you can ask something specific to your community and get some really good results. I’ve used both the free bp-humanity and the WPMU premium plugin (which offers a pool of human questions as an option); both appear to work equally well.
4. WPMU anti-splog premium
Mixed. It does something — but it can also generate false positives. It is effective as another filter. I’d like to see these folks open it up, however, and simply do a suggested fee as Automattic does with AKismet. The collected data *could* make this more effective, in the way Akismet is, but that will require a larger user base. I think part of why the algorithm isn’t working better is that it may not have a large enough pool of data. But I’m just speculating; they would know better than I. I can see this being useful, and in all frankness, they have some fantastic plug-ins at that site and I appreciate the GPL-as-business-model idea. I just wouldn’t necessarily spend money on a subscription for this plug-in alone, even apart from the problem of needing to find a solution for all BuddyPress users.
I’m waiting on @johnjamesjacoby for some code to test on BuddyPress; stay tuned. Again, I’ve just gotten through some epic development pushes, so I’ll have more time to focus on this.
6. Changing the slug
This could be one of the best solutions out there; disguising the registration page could clearly cut down on the volume of sign-ups (which is a good thing on a whole number of levels).
So, the issue is, I don’t think this is a one-dimensional problem. It’ll get better once BP incorporates a series of countermeasures and continues to improve, so that it’s one step *ahead of* the spammers instead of one step behind.
Also, I’ll say, there isn’t a whole lot of human effort on the other end that I can see. It’s still mostly – though not entirely – scripted. That means this is indeed beatable. We cease to become a target once there’s reasonable effort required to get in.
- The topic ‘Attacking spam — different approaches + results’ is closed to new replies.