> Forums > Active Social > General Discussion > Anti Spam Needed ...
Last Post 20 Sep 2011 04:41 AM by SilverSurfer. 11 Replies.
  • Active Social Version: 1.9.3
  • DotNetNuke Version: 5.6.2
Matt Marlor
Customers
Matt Marlor
Post Count:375

--
04 Sep 2011 11:10 PM
    Hey guys,

    So the spammers have started to hit in a big way. Whether it's the "Hi want to hookup" wall messages which I've even had here on ActiveModules.com, the traditional register and post spam, or the spam registrations which are obviously seeding for some kind of future spam attack, it seems like it's really time to look seriously at anti spam - especially heading into the DNN 6.x integration of AS. Obviously it's not a good look if your ability to reduce spam registrations and attacks is limited. I feel that this has been responsible for people moving to other platforms, regardless of AS use or not.

    The AS approach of requiring verification is good, but it's now falling short quite frequently. It just doesn't go far enough, particularly with humans being paid to do spam registration nowadays. I don't believe we can totally eliminate it, but we can drastically improve the tools available to mitigate and combat the problem, with what I believe is a minimum of development effort.

    By contrast, we've adopted Disqus for comments through the site, and the anti spam is fabulous - partly because they have a lot of my below suggestions implemented and available for use.

    Here are some suggestions which I feel would make a massive difference for registration and login:

    * optional recaptcha integration - stopping bots with the best captcha implementation. Although they often can't verify, they are getting more sophisticated, and having them stopped from registering at all is ideal.
    * domain blacklist - people registering from these domains as their email will have to be approved by admin. This will help kill the tom.com, qq.com, 163.com, sohu.com, and even hotmail/yahoo registrations that are driving myself and many others (on other platforms as well) crazy
    * optional akismet integration - if their email is already listed for spam, manual approval required (or configurable)
    * use Project Honeypot and Cloudflare email and IP data - see http://www.projecthoneypot.org/httpbl_api.php and http://blog.cloudflare.com/api-how-to-build-cloudflare-into-your-web-app - this would be useful both to lookup spam and suspect IPs, but also to report new spam
    * inbuilt IP and country blacklist

    If you combine this with the existing verification approach, I believe this will drastically limit the amount of spam possible, and there is simply nothing out there DNN-wise that can do this. With AS being best-of-breed for DNN, I fully believe this should be in there. Equally, from what I've seen, all of these are relatively easy to implement in ASP.NET, with most having existing controls that are ready to go (or being very simple APIs).

    The Active Modules team have always been great with customer feedback, and I doubt that's changed with the DNN acquisition. I know I'm by no means alone in this problem, and it's not new (but is getting worse) - so I'm hopeful of seeing some action. I would be more than happy to beta test and I've been able to provide some great feedback for previous betas.

    I'd also love to see this incorporate support for disabling password retrieval (so that only password reset can be done) as this *mostly* works but generates an error after the fact. Equally, it might be an opportunity to check out Auto Friend which works *most* of the time, but occasionally errors out and doesn't successfully add people (annoying to have to go back through and add people).

    I believe this will be an important step forward for DNN as a whole, and I know that the DNN team are keen to reposition DNN on top - so I think it's a do or die. Happy to hear from others too. Please - let's knock this out of the ballpark and show everyone how it's done!

    Cheers,

    Matt
    AuTechHeads - An Australian group for geeks. Visit us at http://www.autechheads.com!
    Steven Webster
    Customers
    Steven Webster
    Post Count:1665

    --
    06 Sep 2011 08:43 AM
    You are not alone in this. We don't get hundreds, but we do get them pretty regularly.
    Steven Webster
    dnnOsphere.com, An Independent Community for DotNetNuke Users
    NFXBeats
    Customers
    NFXBeats
    Post Count:299

    --
    06 Sep 2011 01:07 PM
    Add me to the list. I would say that in the last 6 months or so it has been steadily increasing. Thing is they seem to be able to auto post in AF as well.
    Status: I'm no longer moderated.
    Matt Marlor
    Customers
    Matt Marlor
    Post Count:375

    --
    07 Sep 2011 07:31 AM
    Anyone have additional suggestions for spam prevention? I think these aren't too bad, and I guess no reply means that Will et al are considering it - fair enough, at least it's not rejected offhand
    AuTechHeads - An Australian group for geeks. Visit us at http://www.autechheads.com!
    R1ckJon3z
    Customers
    R1ckJon3z
    Post Count:116

    --
    11 Sep 2011 07:51 PM
    Hey guys,

    I am going to throw this out there for you to think about...I am using Dynamic Registration instead of the AS registration module and I never get any spam.  It still wouldn't stop a human spammer but it would take a little work.  I am using captcha as well as verified registration, so my players must verify their email address.  It seems to be a good combination.
    Poker Sharkz
    Ricky Jones | PokerSharkz.net | Social Networking For Poker Players
    Will Sugg
    Customers
    Will Sugg
    Post Count:534

    --
    13 Sep 2011 12:14 PM
    Matt,

    For our situation we call for a sign up email:

    http://www.mofga.net/Home/SignUpReq...fault.aspx

    That is read by a human and then they are sent a link to the registration page if they are valid.

    If they are spammers it says something like this and has a 'lame' free email address from somewhere.

    Your Name Esther love11
    Your Email es.op100@yahoo.com
    Your Farm or Business Name I visite your profile and I find out that you are the type that suit my heart,
    Your website there come me
    Why do you want to create a MOFGA.net profile? hello,
    I visite your profile and I find out that you are the type that suit my heart, which am seeking for, I hope and believe we will walk it out for heart desier, let come out for something good for our love, i believe someone with good zeal, someone who knows what is love and you are the type, when replying contact me through my e-mail adddress. (es.op100@yahoo.com) Iam waiting for the love.
    Esther Opwaki

    If they are ok it says something like this:

    Your Name Karina ***
    Your Email kna**@gmail.com
    Your Farm or Business Name
    Your website http://nxtblo***.blogspot.com/
    Why do you want to create a MOFGA.net profile? I'm incredibly interested in the livelihood of farms across the country. But I happen to be a Maine resident and want to support the growers in my community - this seems like a good place to start.

    If there is any doubt their email address is Googled to see if they are legit. So this has worked 100% of the time for us but certainly is not best in all situations. This client really wants a high quality, 'locked down' site with zero spam.

    thanks,

    Will
    Will Sugg
    Customers
    Will Sugg
    Post Count:534

    --
    13 Sep 2011 02:34 PM
    I have also thought that a kind of fun 'captcha' kind of tool would be a timed quiz that you made people take to join a community. So a module where you populate 25 or so questions about the subject of your community (a music group, sports team, whatever) then 3-4 randomly pop up and you have a few seconds to choose the right answer before you can move on to register.

    thanks,

    Will
    Matt Marlor
    Customers
    Matt Marlor
    Post Count:375

    --
    14 Sep 2011 06:03 AM
    Thanks for the feedback. I honestly think, though, that the ideal answer is for the additions to Active Social per my first post. Private registration is too much overhead, and there's certainly reasons I can think of upfront that and the quiz could turn off prospective members.

    Equally, Dynamic registration as an additional cost would not be an option for us. Equally, since the problem is predominantly human registrations - they work cheap, obviously - the captcha by itself wouldn't solve it. Need multiple layers of prevention to truly be effective.

    Certainly hopeful that Will is taking it onboard and making plans
    AuTechHeads - An Australian group for geeks. Visit us at http://www.autechheads.com!
    Will Morgenweck Forum Admin
    DotNetNuke Staff
    Will Morgenweck
    Post Count:7672

    --
    14 Sep 2011 07:59 AM
    This is a good topic and touches on a few things that I'm trying to get into DotNetNuke 6.2 as part of the Active Social integration. As Matt mentioned, different registration methods only go so far. When we talk about anti-spam for a website we really have to think almost exactly like anti-spam for email. The biggest difference is that email has one data input method which makes it easy to set up a checkpoint or roadblock. A website can have an infinite number of data input methods which means we have to be a little more meticulous with how we set up checkpoints or roadblocks.

    As I've mentioned in previous posts, we are not just simply plugging Active Social into DotNetNuke. We have been evaluating every single aspect and making the best decision possible. The Registration Module is a perfect example. We are not going to be using the Active Social Sign-up wizard. Instead we will be enhancing the current registration module so that it can provide the benefits that were offered in the Active Social Sign-up wizard. At the same time, I believe (just like Matt) there are still several aspects where both modules have been lacking. I would like to see a Whitelist/Blacklist API added in the core that would support IP Addresses, Domains, keywords, user agents and locations. If set up correctly, this could help with the majority of the spammers. Next would be a content filter API. This should be provider based and allow for module developers to access this API to determine the quality of content being submitted. After that would be Behavior Tracking. This would be the most complicated to implement but the most effective. There are several types of spammers. First I would classify as link bots. These are spammers that are simply looking for input areas where they can post links into your site. Some of these will be repetitive, but some might just post to one or two blogs.

    The next group I would classify as harvesters. These are usually actual humans trying to share links but also get contact information from users. In my opinion this is the worst kind of spammer and really where behavior tracking is most effective. Anyone with a high traffic site will experience one of these spammers eventually, if they haven't already. These spammers will get through captcha, use valid email addresses and actually attempt to interact with users on a site. However, their behavior is very scripted. The content they use is usually copy & paste material. They usually target community sites where they can easily reach a large number of users. They will post to activity feeds, shout boxes, comments, private messages and forums. With Behavior Tracking we could set up rules to detect repetitive patterns and take appropriate actions as necessary. However, a project like this would take a great amount of R&D and I don't see it becoming part of the core anytime soon. This has been something I've been very interested in for quite a while. Maybe I will set up a CodePlex project to do some R&D work.
    Will Morgenweck
    Director of Product Management
    DotNetNuke Corp.
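A sketch of the behaviour-tracking rule described in the post above, added here as an example; it is not code from the thread, DotNetNuke or Active Social. It flags a user who sends near-identical text to several distinct places within a time window, and the thresholds, channel names and sample events are all assumptions.

```python
import re
from collections import defaultdict, deque

WINDOW = 3600        # seconds of history kept per user (assumed value)
SIMILARITY = 0.6     # Jaccard score at which two messages count as one script
MAX_TARGETS = 3      # distinct places one script may reach before it is flagged
MIN_WORDS = 8        # shorter messages ("Thanks!") are too generic to compare

def shingles(text, k=3):
    """Set of k-word sequences; URLs collapse to one token so a rotated
    link does not hide a copy."""
    text = re.sub(r"https?://\S+", " url ", text.lower())
    words = re.findall(r"[a-z]+", text)
    if len(words) < MIN_WORDS:
        return frozenset()
    return frozenset(tuple(words[i:i + k]) for i in range(len(words) - k + 1))

def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0

class BehaviourTracker:
    def __init__(self):
        self.history = defaultdict(deque)  # user -> (time, channel, target, shingles)

    def record(self, user, channel, target, text, now):
        """Store one submission. Return a finding when this user has sent
        near-identical text to MAX_TARGETS distinct places inside WINDOW."""
        seen = self.history[user]
        while seen and now - seen[0][0] > WINDOW:
            seen.popleft()
        current = shingles(text)
        seen.append((now, channel, target, current))
        places = {(c, t) for _, c, t, s in seen
                  if jaccard(current, s) >= SIMILARITY}
        if len(places) < MAX_TARGETS:
            return None
        return {"user": user, "targets": len(places),
                "channels": sorted({c for c, _ in places})}

# Constructed sample events: (user, channel, target, text, unix time).
SCRIPT = "I saw your profile and I think you are the type I am seeking, write me at "
EVENTS = [
    ("u17", "wall", "anna", "Hi Anna, " + SCRIPT + "http://a.example/1", 100),
    ("u42", "forum", "t9", "Does anyone know when the next meetup is planned?", 130),
    ("u17", "message", "bob", "Hi Bob, " + SCRIPT + "http://b.example/22", 160),
    ("u17", "comment", "p3", "Hello Carol " + SCRIPT + "http://c.example", 220),
]

def replay(events):
    """Feed events through a fresh tracker and collect the findings."""
    tracker = BehaviourTracker()
    return [f for e in events if (f := tracker.record(*e))]
```

The finding is an input to a moderation action (hold, rate-limit, notify an admin), and the minimum-length cut-off keeps short stock replies from tripping it.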
    Matt Marlor
    Customers
    Matt Marlor
    Post Count:375

    --
    14 Sep 2011 08:34 AM
    Cool Will.

    You might want to check out Project Honeypot and Cloudflare too - they do a lot with harvesters and bots, and it might be useful for the behaviour tracking. At present the only implementation for Project Honeypot I've found is the free HTTP Spam Shield (http://www.snowcovered.com/snowcove...eID=17686) which is nice enough, but relies purely on the IP blacklist functionality. There is probably more that could be leveraged, especially from Cloudflare. The two are closely related so I tend to lump them together, but Cloudflare uses Project Honeypot, Akismet, and other sources for their stuff .. you could almost call it the commercial arm of Project Honeypot, although they still have a (good) free service. Neither of these prevent all possible outcomes - or I wouldn't have any issues with spam registrations - but I know that Cloudflare in particular are keen for developers to use their APIs to improve and extend the service.

    But like Will, I've found a lot of these harvester/spam registrations are so repetitive that they use a small set of email domains - like tom.com, qq.com, hotmail.com, etc - so a feature like a blacklist that required admin approval for users with these email domains would be pretty effective too. The idea of course being that you don't lose out on "real" users from hotmail.com, they just have mild inconvenience while waiting for approval .. but admins can banish the rest with a click or two. Nicer than setting *everyone* for approval, and makes the site more flexible in dealing with new challenges.

    Thinking out loud, perhaps the "right" approach with behaviour tracking would be plugin based, like with content filtering. So DNN ships with a basic capability, but third parties can create their own implementations to do different approaches. So as Will mentions, we treat this like email in some ways - let's call this reputation based services if you like, since that's a common enough term. Whether this is a basic third-party blacklist implementation like HTTP Spamshield, plugged into Project Honeypot - and perhaps that could be the "core" capability that would suit most users - or one that uses multiple DNS blacklists for mail and web browsing, along with other filters. Take something like MailMarshal's Blended Threats capabilities, and plug it into DNN? Well, that would be amazing!

    Thanks for the reply Will, and it's great to have an insight into where this is likely to be headed. In all honesty, if 6.2 were to come out with a whitelist/blacklist implementation for registration - where admins just add domains/IPs/agents/etc and configure the portal's behaviour for matches - I think that would be an amazing start, and really kick a lot of spam back. I'd probably suggest an implementation of ReCAPTCHA too, for those admins who want it. Frankly the existing DNN CAPTCHA is ... well, it's broken for me at the moment, not for the first time, and it pales in comparison to ReCAPTCHA

    Maybe (speaking hypothetically, of course) 6.2 could include an initial implementation of provider-based content and behaviour filtering, and be improved based on feedback from the community and third parties. So rather than having to put *all* the work upfront to implement, it has some basic capabilities which can then be enhanced and improved by third parties, and the core in future versions.

    Thanks again

    Matt
    AuTechHeads - An Australian group for geeks. Visit us at http://www.autechheads.com!
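The registration screening discussed in this thread (an email-domain blacklist that routes matches to admin approval, plus the whitelist/blacklist over IPs, domains, user agents and locations), written out as an added example; it is not code from the thread, DotNetNuke or Active Social. The class, its field names, the three outcomes and the sample policy values are assumptions, with the review domains taken from the posts above.

```python
import ipaddress
from dataclasses import dataclass, field

ALLOW, REVIEW, BLOCK = "allow", "review", "block"

@dataclass
class RegistrationPolicy:
    review_domains: set = field(default_factory=set)    # held for admin approval
    trusted_domains: set = field(default_factory=set)   # whitelist: skips list reviews
    review_countries: set = field(default_factory=set)  # country codes held for approval
    blocked_networks: list = field(default_factory=list)
    blocked_agent_words: set = field(default_factory=set)

    def screen(self, email, ip, country, user_agent):
        """Return (decision, reasons). Any block rule beats a review rule, and
        the whitelist cancels list-based reviews but never a block."""
        blocks, reviews = [], []
        local, at, domain = email.strip().lower().rpartition("@")
        domain = domain.rstrip(".")
        if not (local and at and "." in domain):
            reviews.append("malformed-email")
        # Test the domain and each parent, so mail.qq.com matches a qq.com rule
        # while qq.com.evil.example does not.
        labels = domain.split(".")
        names = {".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))}
        trusted = bool(names & self.trusted_domains)
        if names & self.review_domains and not trusted:
            reviews.append("email-domain")
        if country.upper() in self.review_countries and not trusted:
            reviews.append("country")
        try:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in self.blocked_networks):
                blocks.append("ip-blacklist")
        except ValueError:
            reviews.append("unparseable-ip")  # fail towards a human, not towards allow
        agent = user_agent.lower()
        if any(word in agent for word in self.blocked_agent_words):
            blocks.append("user-agent")
        if blocks:
            return BLOCK, blocks
        return (REVIEW, reviews) if reviews else (ALLOW, [])

# Constructed sample policy: the review domains are those named in the thread,
# the network is a documentation range, "ZZ" is a placeholder country code.
POLICY = RegistrationPolicy(
    review_domains={"tom.com", "qq.com", "163.com", "sohu.com", "hotmail.com"},
    trusted_domains={"members.example.org"},
    review_countries={"ZZ"},
    blocked_networks=[ipaddress.ip_network("203.0.113.0/24")],
    blocked_agent_words={"autoposter"},
)
```

Returning the reasons alongside the decision lets the approval queue show an admin why a registration was held.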
    Shad Pulley
    Customers
    Shad Pulley
    Post Count:229

    --
    16 Sep 2011 12:45 AM
    Some kind of API that would link to akismet and other services like http://www.stopforumspam.com/ would be a great benefit. FYI, the post frequency throttle on AF doesn't work right. It won't allow you to post new topics or edit old posts within the specified time frame, but you can reply to existing topics as quickly as you possibly can. We had a spammer post over 100 replies in less than 10 minutes with the filter on. We've been getting a lot of spam lately as well.
    Shad Pulley
    Webmaster - Model Railroads Online

    Follow my progress as I convert to DNN in my blog:
    http://RenovatingMLS.blogspot.com
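A replay of the throttle gap reported in the post above, added here as an example; it is not Active Forums code and the cause of the reported behaviour is not known from the thread. It models the gap as a limiter that only counts some action types (an assumption) and compares it with one per-user budget shared by every write action; the action names, limit and burst timing are constructed.

```python
from collections import defaultdict, deque

class PostThrottle:
    """Sliding-window limit on write actions per user."""

    def __init__(self, limit, window, throttled_actions=None):
        self.limit, self.window = limit, window
        # None means every action shares the budget; a set means only the
        # listed actions are counted and all others bypass the limiter.
        self.throttled_actions = throttled_actions
        self.stamps = defaultdict(deque)   # user -> times of accepted actions

    def allow(self, user, action, now):
        if self.throttled_actions is not None and action not in self.throttled_actions:
            return True
        recent = self.stamps[user]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False               # rejected attempts do not extend the window
        recent.append(now)
        return True

def accepted(throttle, user, action, times):
    """Number of attempts the throttle lets through."""
    return sum(throttle.allow(user, action, t) for t in times)

# Constructed burst: 100 replies, one every 5 seconds (under 10 minutes).
BURST = [i * 5 for i in range(100)]

def compare(burst=BURST):
    """Accepted replies under a topic/edit-only limiter versus a shared one,
    both set to one action per 60 seconds."""
    partial = PostThrottle(1, 60, throttled_actions={"topic", "edit"})
    shared = PostThrottle(1, 60)
    return (accepted(partial, "u17", "reply", burst),
            accepted(shared, "u17", "reply", burst))
```

A check like `compare()` works as a regression test: every action type that writes content should be run through the same burst and come back bounded by the limit.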
    SilverSurfer
    Customers
    SilverSurfer
    Post Count:173

    --
    20 Sep 2011 04:41 AM
    Matt, I no longer use DNN, but I thought I would give you some of my insights anyway since this is one of the rare occasions I'm visiting this forum.

    I run a forum and most of our spam comes from human spammers, not bots. What I have done is to close the registration during the times the forum is not being monitored. Also, I'm constantly monitoring new user registrations.

    I've made a point of checking the IPs of spammers and from my experience 95% of them are from India and Pakistan. The remainder are from China and the Philippines. It makes sense since these are the places where wages are dirt cheap.

    My advice would be to have two registration systems, one for "safe" countries, and another for these spammers. Set up some geolocation redirect script where you can send the potential spammers to a registration form that requires manual approval and send the safe visitors to the regular registration.

    It might be a little work to set up, but there really is no other way, these spammers will figure out any other barriers. With this system they won't as long as they don't know there are two different reg systems depending on where they are posting from.

    Good luck. 
    Copyright 2012 by DotNetNuke Corporation / Terms of Use / Privacy