homepage Welcome to WebmasterWorld Guest from 54.235.61.62
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / WebmasterWorld / New To Web Development
Forum Library, Charter, Moderators: brotherhood of lan & mack

New To Web Development Forum

    
How to fight spam on forum powered by vBulletin
dailypress




msg:3838805
 5:13 am on Jan 31, 2009 (gmt 0)

I recently installed vBulletin® Version 3.8.0 to run my forum. Within the first week I have several registered users which I identify as spam because of their name and email addresses. One had also posted several links to random websites.

What is the cause?
And how do I fix it?

Please help!
-Frustrated admin

 

wheel




msg:3838925
 2:44 pm on Jan 31, 2009 (gmt 0)

1) Get used to it. It will not stop. 'several' users is small time. I get a dozen a day. Others get far more.
2) add a captcha.
3) require that you manually validate each new registration.
4) manually ban large swaths of Ip addresses - look at the IP's of the spammers. I blocked much of China, Ukraine, Pakistan and I think Indonesia and that shut the majority of it down.

rocknbil




msg:3839114
 4:03 pm on Jan 31, 2009 (gmt 0)

They always hammer new forums. Give clear indication it's moderated (by wheel's #3 advice) and most of it will die off in a short time.


2) add a captcha.
3) require that you manually validate each new registration.

Good advice, but with both of these enabled, spammers will still use your forum as a "test bed" for the captcha-breaking programs out there. Had it happen.

In addition to these two, what really stopped the captcha-bots was adding a custom registration field with a trivia question. You set the custom registration field to NOT appear in the profile, so in effect it's a validation field only at signup. "What is 6 plus four?" You have adequate controls to explain the question and put it last in the registration form.

I had to change this field over a period of 2 weeks or so, as they kept coming back and manually changing the values for their bots. After that it just stopped. Completely.

I've never had to ban by IP (yet,) although I HAVE banned by email pattern (.ru, meds, pharm, etc . . . )

Last is get registered at and dig around the vBulletin forum itself, lots of useful contributions there for just about anything (including this solution.)

dailypress




msg:3839132
 4:28 pm on Jan 31, 2009 (gmt 0)

Get used to it. It will not stop. 'several' users is small time. I get a dozen a day. Others get far more.

Thanks guys, im glad to know im not the only one. Its my first time installing a forum.

I did add an image verification captcha. But as you mentioned I think I should use the security questions instead!

I did notice a few emails with the .ru extension. I googled the address and found a list of spam emails on this one website.

blocked much of China, Ukraine, Pakistan
The problem with that is that my forum is targeting some of that area (Asia - Middle East)

require that you manually validate each new registration
the problem with that is I will deter many users who want to immediately respond to a thread! But you may be right and that may be my only option as some point,

what really stopped the captcha-bots was adding a custom registration field with a trivia question. You set the custom registration field to NOT appear in the profile, so in effect it's a validation field only at signup.

Not sure if I understood that correctly. Can you explain that one more time?

rocknbil




msg:3839257
 7:24 pm on Jan 31, 2009 (gmt 0)

the problem with that is I will deter many users who want to immediately respond to a thread!

Nah, if they are determined, it won't, unless they want to flame and enter an invalid email, in which case you don't need them. When thinking about this question, consider "I want all links to open in a new window so they won't leave my site. . . " it's the same line of thinking.

Can you explain that one more time?

The below are set up using the numeric "trivia" question I posed above, change to suit.

1. Log in to your vBulletin admin.

2. Open User Profile Fields.

3. Open link to Add New Profile Field.

4. For profile field type, select single line.

5. Set up the question.

For title, something like "Human Verification Question" should do the trick, in description, something like "To prevent automated registrations . . . "

Max length of user input: 1 or 2, depending on question.

Field length 3.

Required No, but display at registration.

Field editable by user: only at registration.

Private Field Yes

Field Searchable on Members List, Show on Members List both no.

Regular expression is the key. So if you ask "what is the product of three times two?" you would enter 6. Or being that it's a regexp, you could enter ^six¦SIX$ if you want to confuse everyone. :-)

Leave "show on page" at "Edit Profile" because by making it private it won't be seen.

Save it, test it, it works.

Original documentation from vBulletin [vbulletin.com]

More anti-spam measures [vbulletin.com]

dailypress




msg:3839354
 10:18 pm on Jan 31, 2009 (gmt 0)

rocknbil: thanks a lot for the detailed instructions. I didn't know that spamming on forums was that common!

I also listed a few email addresses on my ban list that you may find useful:
[theadminzone.com...]

in description, something like "To prevent automated registrations . . . "

Shouldnt I write the question like TWO TIMES THREE under the description field?


Regular expression is the key. So if you ask "what is the product of three times two?" you would enter 6. Or being that it's a regexp, you could enter ^six¦SIX$ if you want to confuse everyone. :-)

So im assuming thats the field I put the answer. When I used a number it worked but when I tried the same example ^six¦SIX$ and entered " six " it didnt work.

Also when I entered the wrong answer it banned my registration and email address and said contact admin.
So as admin, where do I unblock the email addresses that I used to test the software?

Another question:
How do I remove the question and answer displayed on the user pending registrations approval's profile? Or do you think its not a big deal and that I shouldn't bother?
What should I put for the "Which page displays this option?" field?

Swanny007




msg:3839488
 2:52 am on Feb 1, 2009 (gmt 0)

Instead of making the user think, I just use the custom field to have them retype a word that I can change whenever. It works wonderfully, in fact I haven't need to change that word, it's been like that for about a year.

dailypress




msg:3839511
 3:36 am on Feb 1, 2009 (gmt 0)

Instead of making the user think, I just use the custom field to have them retype a word that I can change whenever.
Interesting concept! Do not make your visitors think AT ALL!
Swanny007




msg:3839544
 5:28 am on Feb 1, 2009 (gmt 0)

It's not really "don't make them think" so much as it is "make it super easy to sign up". Less barriers = more user friendly.

dailypress




msg:3839570
 7:04 am on Feb 1, 2009 (gmt 0)

"don't make them think"

I think there was a book on that.

Anyway, I made the changes and so far so good. We'll see how it goes.

dailypress




msg:3839721
 3:58 pm on Feb 1, 2009 (gmt 0)

in regards to CPC I am having other issues: has anyone experienced the same?
[webmasterworld.com...]

rocknbil




msg:3839753
 5:26 pm on Feb 1, 2009 (gmt 0)

...When I used a number it worked but when I tried the same example ^six¦SIX$ and entered " six " it didnt work....

I'd hoped you picked up my intent there, I wasn't serious about spelling out six . . . but it probably didn't work because the pipe ¦ needs to be an actual pipe, the character when you type shift -\.

Also when I entered the wrong answer it banned my registration and email address and said contact admin.
So as admin, where do I unblock the email addresses that I used to test the software?

I don't know *everything* about vBulletin, so I'm not exactly sure - I'd say try vBulletin Options -> User Banning Options.

dailypress




msg:3839759
 5:43 pm on Feb 1, 2009 (gmt 0)

but it probably didn't work because the pipe ¦ needs to be an actual pipe, the character when you type shift -\.
I think I had used the actual pipe. but anyway it works now. I simply used a number :)

Thanks a lot for your help! :) So far so good. No more spam registration! Now I need to work on getting people to sign up!

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / New To Web Development
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved