Forum Moderators: phranque
My site is very industry specific, and some idiot came posting "1,000's of useless USED WIDGETS for sale, click here!" in a web site where the topic is so far off base, my visitors may have never even owned or seen one of those widgets.
What are they thinking or are they thinking at all?
Do their little brains just run in a loop at the expense of all other logical thought?
"Must spam, paste, click, submit, must spam, paste, click, submit..."
Luckily this only happens a couple of times a week or I'd be fit to be tied!
As I understand it, forum spamming is more and more an automated process. The spammer him/herself gets more and more into the role of a software developer. He checks the forum, sees how it works, then programs a few lines in PHP or PERL, and fires off.
Some insight was given here: [theregister.co.uk...]
You're on a losing battle, and I see only two ways out:
I think captchas are the way to go, however some of your regular users might not like them.
Captchas aren't such a bad idea, thanks for reminding me, I've been contemplating them for a while and got lazy. I may also quickly implement full email validation before accepting the submission, which means a real human has to initially click a link in an email and do something the first time; that foils bots as well.
I guess it's just a wake up call to get my lazy butt in gear and finish pending projects.
just 3 random people with nothing in common
... or so you believe. Just to recapitulate - modern forum spammers are high-tech warriors. They control bot-nets very similar to the ones used for distributed denial of service attacks. It's fairly easy for them to use the IPs of three different people, and fake 3 user agents. Most likely the bots even use portions of the Internet Explorer (THANK YOU, Microsoft, for embedding it so deeply into the system) and therefore its UA string.
full email verification
And you mean for somebody who can set up a bot-network to spam forums, it would really be a problem to collect email from various POP mailboxes, scan them for links and "click" on these links?
And no, I don't think an automated spam post system (if indeed it is) would address my mailback confirmations.
I could be wrong, but we'll find out tomorrow :)
1) Spammer Joe writes a script to spam your forum to push the sale of Joe's Widgets.
2) You most likely already have server-side code in place to format the submitted post data. Just add a few lines of code to check for the word "Widget" or "Joe's Widget".
3) If the message contains the word "Widget", send a confirmation that the message was posted successfully (or whatever you normally do) but instead actually have your script delete the post.
4) The spam script will think that the posts are getting made and the spammer will never know the difference unless they actually take the time to visit your site.
5) Now if they do visit your site and figure out what is going on and change their spam script to use different forms of the word "Widget" like "W1dget" or whatever, then simply adjust your script accordingly.
6) Inevitably, unless the spammer really hates you, they will tire of this game and go find easier prey to target their abuse upon.
or, if you want to do it the easy way,
If you have a bad-word filter, just add "Widget" to the filter and make it display some other words in its place.
The solution turned out to be trivial after thinking about it for a while.
I just check to see where the post came from, and if the form isn't submitted from the form page I reject it.
If they figure it out and fake a page referrer I'm back to square one, but I'm hoping they aren't that interested to figure it out.
I also have session tracking technology in the site and I can also bump visitors that hit the form-submit that don't have an active session. If I wanted, I could even set a transaction ID into the form each time someone pulls it up and verify that ID is passed to the submit page.
Fortunately the nonsense has stopped, but if it starts up again I have new ideas to protect it.
I reward those that don't attempt to drop HTML into the post by giving them their home page link that does not contain a ref=nofollow tag.
That seems to be working for me.
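Added example, not part of the original thread: one way to build the per-form transaction ID and active-session check described in the posts above, so that a script posting straight to the submit URL is rejected even if it fakes the referrer. The function names, the one-hour expiry, the single-use rule and the in-memory store are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumed: server-side secret, never sent to the client
MAX_AGE = 3600                        # assumed: a rendered form stays valid for one hour
_redeemed = set()                     # (session, nonce) pairs already used; in-memory for the demo


def _sign(session_id, nonce, issued):
    """HMAC binding the transaction ID to the session that requested the form."""
    msg = f"{session_id}|{nonce}|{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, now=None):
    """Call when rendering the post form; embed the result in a hidden field."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued}.{_sign(session_id, nonce, issued)}"


def check_submission(session_id, token, now=None):
    """Call on the submit page. Returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    if not session_id:
        return False, "no active session"
    try:
        nonce, issued_s, sig = token.split(".")
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False, "missing or malformed token"
    expected = _sign(session_id, nonce, issued)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "token not issued for this session"
    if now - issued > MAX_AGE:
        return False, "token expired"
    # Track the signed nonce, not the raw string, so a re-encoded
    # timestamp ("01000" vs "1000") cannot be replayed as a new token.
    if (session_id, nonce) in _redeemed:
        return False, "token already used"
    _redeemed.add((session_id, nonce))
    return True, "ok"
```

A bot that first fetches the form page with a session cookie still gets through, so this only raises the cost of blind POSTs and replayed submissions.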