Now that our site has grown with incomming traffic spammers have started hitting the site hard. I have verified registration setup on the site per the instructions .pdf provided here. What I'd like to do is have a manual user approval process setup. I'd much rather approve or ingnore requests quietly behind the scenes than wake up and delete 56 spam messages that hit the site.

As an aside it's the ventrian news article module the spammers are hitting not the active social forums or discussions.

Are they actually registering on the site, Aaron?

Aaron,
Are the spammers actually verifying the account? What role do you have set for Community Members? What role is allowed to add comments?

Assuming you have news articles comments settings set to registered users only?

Yes, they must have some time on their hands. They register with an account (required for posting comments) and with no logical order they have gone all over the site and post comments in the articles (ventrian news articles). Enabling CAPTCHA would slow them down but enabling comment moderation simply kills the activity on the site. Comment moderation also greatly increases double posting.

I think this is where the suggestion for a universal AS comments module, with Digg or Slashdot style voting, might help a bit. I reckon if it contribution to some kind of reputation score, that is one of the most effective methods.

Could also include a service like Akismet for it. Chuck in a report post style button for good measure.

Will, unfortunately you don't have to verify an account in order to post in ventrians news article module. You just have to sign up for an account. Active Social is pretty well locked down :)

The only option I see in the module (ventrian) under [Comments] is to uncheck [Allow Anonymous Comments] requiring users to register.

I wanted to see if I could stop the users at the registration process because they are all seem to be coming from the same part of the world.

Yes that's correct.

I've been having similar problems as well.. Commenting on photo contest entries and such.. Also getting posts in the forums tho.. I'm not currently using the AS registration, but have been leaning toward switching over. Just out of curiosity, do you use the AS signup, the DNN default, or another?

Admittedly I haven't been here keeping up to date on new topics lately but your idea is good. I realize AS can't be all things for all people but an AS implementation of a news articles module would fit the bill for my site. This way security could be handled by AS and it would make the user experience much more seamless.

I've added the facebook like button and Addthis integration (Digg, Slashot, etc) to the news articles module seen here.

http://www.motoiq.com/magazine_arti...art-2.aspx

I use the AS registration / signin.

Aaron,
I would suggest creating a community role that users are added to once the account has been verified. Then lock down your comments to that community role. That still isn't going to stop all the spammers, but it will stop a lot of them. Using the Active Social sign-up with the community role set to registered users kind of defeats the purpose.

Will thanks for your comment. Sometimes you have to do what the boss wants and for this site the boss wanted easy and "seamless" for the users to register. Most users on MotoIQ are used to vbulletin type forms and are resistant to using anything else. Unfortunately this seamless experience makes it really easy for spammers to do their spammy things. More to the point though the process you mention locks down AS just fine its ventrian news articles I'm having problems with. There's no comment lockdown based on user role in news articles.

I found this article from Mitchel Sellers on banning IP's which I may implement.

http://www.mitchelsellers.com/blogs...ilter.aspx

Maybe you could ask Scott about this?

Scott is awesome about answering e-mails I'll get a thread started. I found a code (linked below) that can be added to show IP addresses for Admins. I may implement this along with Mitchel Sellers lockdown until another solution is in place.

http://www.ventrian.com/Support/Pro...aspx#41222

You can also place some text in your comments template that states you use rel="nofollow" and that if the poster is found to be a spammer, their IP will be banned from the site. Every little bit can help to detour them.

BTW good find on Mitchel Sellers, same technique I use since it's built into DNN.

My experience with spammers is that they are not bots, they are humans usually based in India, Pakistan and Bangladesh. Whatever methods you put in place must address this issue.

One thing you can do is to use some kind of redirect based on their location. For example, if you know that you have few, if any, users from India then setup a redirect page to send all IP's from India to a page that is really a fake registration page. Let them fill in all their info, waste their time, and then have that role essentially not be able to do anything on the site.

If you want to be really mean and waste their time like they waste yours then set it up so they have to fill in a humongous amount of info with all the fields being required.

The key is to make it not worth their while and have them go someplace else instead.

Even though I'd probably only tick-off a few users I wouldn't feel right about banning entire regions from registering. What I probably need to do is dive into the Ventrian news article code and implement Akismet

http://akismet.com/

*edit* your solution is pretty awesome though (evil laugh)

It's your call. One thing you have to remember is that these people are relentless and the more spam that gets posted, the more spam you will see in the future.

I have no proof of this but my personal opinion is that these people work in teams or somehow communicate with each other when they find sites they can spam, and sites they can't spam.

We get very little spam, maybe one or two accounts a week. Sometimes none at all. I did this by disabling registrations when the site was not being monitored, like overnight. Then every time a new user shows up they are monitored. If they spam the forum within minutes their account is closed, IP is banned, and spam is deleted.

Over time the spam level dropped to practically nothing which leads me to believe that the bulk of spamming is either done by the same groups of people, or these people communicate with each other about which sites are good to spam and which don't accept spam.

If you want to be rid of spam you have to be vigilant, ruthless and persistent. It's like eradicating weeds, you can't even allow one weed to remain for any period of time.

For those that are interested here's Scotts post on how to restrict News Article posts to user groups.

In the template, wrap the [POSTCOMMENT] token with [ISINROLE:XXX][/ISINROLE:XXX]

where XXX is the rolename

http://www.ventrian.com/Support/Pro...fault.aspx

Just out of curiousity are you blocking IP's at the site level (DNN) or though IIS/Apache or Firewall?

This particular group in my case is in China. The IP's are all over the board. This site looks to keep lists of IP ranges for countries that have no SPAM or hacking policies what so ever.

http://www.parkansky.com/china.htm

Regularly updated lists.

http://www.okean.com/thegoods.html

I really like your idea of turning off registration while eyes are away from the site. Perhaps there's a work around to direct users to a friendly page why registration is off.

It's really irritating that this type of traffic hurts all the SEO we've worked so hard for.

The site I am referring to is not a DNN site. In the forum software it allows you to block IP's from posting. I'm in the process of converting the site to a DNN/ .net one so the solution I have proposed has not been implemented yet.

There is something called project honeypot that lets you install software that reports spam IP's to a centralized dbase and then you are able to query this on registration.

It would be great if Will could create an option to use this during the registration process, or maybe someone else can create a DNN module that does that. There is an API and some .net code available.

If that's not available it might also be possible to use Dynamic Registration to submit a query against it and then if it's a confirmed spammer to automatically move that user account to a dormant inactive group.

Spam is annoying, but you have to have the mindset that these people are more than spammers, they are thieves who want to steal advertising space from your site on behalf of their clients, who they charge.

That's what infuriates me, they have essentially made themselves ad salesmen for your site, they take money to place their client's ads, but they don't pay you any of it.

I absolutely agree with the comments above. After a month of abuse I'm caving on my previous comments about not wanting to block an entire country. This is just like graffiti on a billboard. Once it starts it's like an open invitation for more and more. I have no doubt my site has been passed around as an open target for hackers on message boards somewhere.

The boss got so mad he wrote this article http://www.motoiq.com/magazine_arti...china.aspx

I was turning registration off at night and then back on again during the day assuming the Chinese had to sleep at some point but we got nailed a few more times.

I'm looking at implementing this tool linked below. Which I think works similarly to Google Analytics but can block IP's by region as well.

http://www.web-stat.net/

On another note is there a way to setup AS registration for a manual verification process? What I mean is when a new user registers and creates an account their response message would state something like "your account will be verified shortly" along with the other standard message and if the account looks legigimate we can then add the proper roles to the user. I assume I would need to slightly alter the "verified" registration I already have in place.

I've hosed myself in the past with group permissions where some users couldn't send PM's.

Lets say they really are targeting your site, what are you going to do when they mask their IP address? You are going to drive yourself mad trying to keep up and tying in other products. A good comments system needs to support moderation. It also needs to support trusted users. Comments are no different than forums. You should be able to trust users by role, auto approve after x number of posts, change moderation settings per user and properly moderate everything else. Blocking IPs is a waste of time.



Sure, you could do this. You would need to add another role in addition to your community role. The new role would control participation access which means you would need to update any affected modules appropriately. Then you have to manually add users to the role once you believe the user is legit. I can assure you that this process isn't going to be foolproof either.



Sounds like we really need to release our stand-alone comment module.

Absolutely right and this has been my experience. The more vigilant I became with deleting the spam, the more the spam diminished.

These people are smart, they are not going to go where their time is wasted, and they are going to go where they have success. Getting rid of spam is much like getting rid of weeds, you can't even let one go.

One word of caution though. These people are also smart in terms of getting around roadblocks. If you decide to block all IP's from China, don't go announce it otherwise they will just mask their IPs.

Don't ever announce what you are doing to stop spam unless there is a need for it.

Will you're absolutely right. It's only a matter of time before they proxy around the IP block. Ventrian News articles comments does support moderation but unfortunately moderation kills the organic nature of letigimate comments. Those comments sit in a queue until we can release them meanwhile the user thinks their comment didn't go through and they post it multiple times.

It would be really cool to implement something like Akismet http://akismet.com/ which weights messages as SPAM or not and puts flagged messages in a holding folder. I set an e-mail to their support about tweaking the code for DNN and so far no reply from them.




Thanks for the feedback. I'll create this new role. Nothing is perfect and these SPAMMERS are smart. I'm sure it will only be a matter of time before they start copying existing user profile names so their accounts look legit.

Scott over at Ventrian has created a pretty awesome product with News Articles. But there's no disputing the different feel and disconnect between the Blog News article section of my site and the AS/Forums created by Active Modules. If you guys created your own blog with comments as part of AS or as a separate module I would gladly purchase it.

Yes! Been really looking forward to this...

In case others haven't seen, I think this is what Will is referring to:
http://www.activemodules.com/Commun...fault.aspx

Great News!

Yes please. Consistent comments throughout the whole site FTW! :D