spam prevention

[nicholassolutions]

I'd like to come up with a reasonable way to prevent spam on the site, while allowing legitimate new users to sign up. Here's what I am thinking. Please let me know your thoughts:

I. Principles:
1. The most important thing is that the limited time people spend here is productive. That means improving the site in meaningful ways, not just removing spam. This is even more important than getting new legitimate members. So, within reason, we have to prevent spammers from signing up, and remove the ones who are here.

2. It should still be possible for new users to sign up somehow.

3. #2 should not be too time consuming either, for the same reasons as in #1

II. Practice (my suggestions for actions to take)
1. Delete all accounts that are >3 months old and have no posts.
2. Disable automatic sign up.
3. Create an email address to write to in order to request an account.  Uses will have to include their emails, proposed username, and a brief description of their interests and why they want to join. There is no review process, this just insures that actual human beings are signing up. Unless things change, I predict we will get very few of these emails. The mail can fwd to me, huntress, and coral, who will make the account manually.
4. I will look into CAPTCHA options instead of #3, which may do a good job preventing bot signups, and then we will not need to manually make accounts.

[coral1]

I was going to ask if #4 worked with our software.  ; )

I am looking at IP addys, and one I have up now, list signup attempts back to April 13, 2009, with Sender Verify fail. And 2 attempts today, with No Such User Here.

NARF! 
Somebody is yelling at me they can't get their grill going.  : (
I'll be back...

[nicholassolutions]

I was going to ask if #4 worked with our software.  ; )

In theory, yes, but in practice it may be a PITA. In general, our software is kind of patchy right now. I need to look around and see what is available, but it may be that the best thing to do is scrap what we have now, and rebuild with a forum, wiki, and articles. Everything else seems to have been pretty much unsuccessful anyhow. The idea would be to leave what we have now in the forum as an archive, and move everything else over to a new platform (which will no doubt get scrapped eventually itself). The main issue is whether I can migrate the users over to new software/databases...

For the time being, I'm going to disable new signups...

[GrandSchtroumpf]

how about using "member approval" in registration settings?
that's pretty easy to manage... i guess.

[coral1]

Maybe a reply email with a site generated password before they can logon.

[Huntress]

I think CAPTCHA or re-CAPTCHA is probably the best way to go.  It does well on many other sites I'm on.

http://recaptcha.net/whyrecaptcha.html

[nicholassolutions]

how about using "member approval" in registration settings?
that's pretty easy to manage... i guess.

Yeah, that is what I turned on a couple days ago. The problem is, then we get tons of "spam" from the site every time a bot signs up (once every few minutes). Iit's hard to tell if the sign up is legit or a bot, so for any given signup it's difficult to decide whether to activate or not. The only reliable way would be to email the person and only activate if you get a response. But that could get to be a PITA very quickly.

Maybe a reply email with a site generated password before they can logon.

That's an interesting idea. There's no easy way to do that using the CMS we're running, so I think I'd have to write my own sign-up script, but it shouldn't be that hard. I've also got scripts from previous work that would be more or less drop-in solutions for the hard parts of this. I'll get back to you ;)

I think CAPTCHA or re-CAPTCHA is probably the best way to go. 

I like reCAPTCHA a lot, especially since it's pretty accessible, and it uses the user input to do something useful (digitize old books). I've had a pretty easy time setting it up on other sites. The problem is, hooking it into our current software is not super easy, and I don't want to spend time figuring it out. If I upgrade the forum, there are pre-existing solutions to link it in, though. This is one of many reasons to upgrade the forum and wiki, and ditch the current CMS, I think. I just need to make sure I can port at least the user info.

[coral1]

Just had a thought, how much load will the password email put on the system?
Sending out passwords to bots seems like a waste.
Doing IP checks last night, I saw several with 6-8 hits on them. And I only did about half a dozen, before you killed the signup  (thank you).

Anyway we can add a text box for them to type in the SUBMIT link, instead of them just clicking the button?
Maybe spell it in haxor, with instructions to type it correctly.

[Huntress]

Just keep us updated on what you decide and need from us and we'll help in any way we can.  I've just been through the userlist and cleaned it up a bit.  Not sure why the ban filters aren't working right but that's moot since most of these are signed up via proxy accounts with different IPs.  Anyway....we're here.

[GrandSchtroumpf]

Are you saying that there is no email verification at all?
All the CMS i have looked at have that...
The system sends either the initial password (like drupal) or an activation link that needs to be clicked?
No wonder we have problems with spambots.

[coral1]

Hmmm... looks like the notifs are down also. I didn't get one for GrandSchtroumpfs post.

[Huntress]

How odd.  I didn't get one for GS either but I did get one for coral1?  Must be an intermittent problem?


Found a bug...Tried to upload an avatar and got this--> The attachments upload directory is not writable. Your attachment or avatar cannot be saved.   Just a heads up.  Was wondering why I couldn't see any avatars.

[coral1]

I think there is a problem with the Avatar directory.
They stopped showing up after the move, just the place holder was there.
And after a couple of days, I think Nick turned them off, because even that stopped showing.

[Huntress]

That's what I thought.

[nicholassolutions]

it was a server setting I forgot to update. should be fixed now ;)