It is an absolute pain not knowing how to sift out the spam emails from the genuine ones, so I would be really grateful for any advice on how I can do this.
It isn't quite clear what the problem is. Do you:
1. Have a lot of spam spoofing gmail accounts which is quite distinct from genuine registrations?
2. Have spam which is spoofing registration requests?
3. Think that a high proportion of genuine requests from gmail customers may be from people who will then spam your forum?
4. Have requests from gmail customers that appear to have been created by a bot?
All of the most widely used applications to help prevent spam are generally good but at the same time are the most widely attacked.
Customize your approach for best results. I find a lot of bots have problems with input boxes that are where they should be on any given site but are hidden so that a human wouldn't see them to type anything in. If a bot adds anything to one, ban them.
Custom questions work too, but nothing generic or mathematical.
Captcha works, but I find using captcha that doesn't come with the application works better. If a bot was looking for a particular type of forum it expects a particular captcha system, swap it out for something different.
The more you customize the fewer bots you will likely see. Human spammers on the other hand will get through but they tend to be hit and run types anyway.
The problem I am having is that, having set my forum's registration process to "Must be activated by The Moderator," when I look to see how many members are waiting for me to activate their account, I have a long list of emails, and I don't know which are the spammers and which are the genuine ones. It is a big pain. I mean, I could go ahead and tick ALL of them to be activated - but then I run the risk of finding a huge inundation of spammers in my forum!
If it is just spam bots finding your registration form and sending you spam through it then you need a captcha to block them there rather than trying to filter the results.
I would expect the forum software to support both captchas and flood protection which should provide additional, second line, defences.
Captcha works, but I find using captcha that doesn't come with the application works better. If a bot was looking for a particular type of forum it expects a particular captcha system, swap it out for something different.
nice tip.
and
Don't make the question too hard either - yesterday I was going to join a woodwork forum and was asked a question something like - "name of a wooden joint which is the same as a bird's name"
I know some smarty pants will know it but I did not :) LOL
PS is it lap wing or lap something - this is driving me nuts.
how can you be 100% sure if ALL the registrants from China, Europe etc. really are spammers?
In this particular instance, there is no reason for non-US registrants to join, but you're correct - you have to tread carefully and read other signs. A combination of a foreign IP, a free mail server, and an email like abc1235@yahoo.com is not a good sign. People tend to personalize their emails, most of the time.
I guess it's a balance between the benefit of gathering more members and the time you want to dedicate to maintenance.
It's going pretty well with this approach.
... and that wood joint question is quite ambiguous. I would bet on dove tail, but that's part of a bird, not a bird itself. That captcha was ill-conceived :D
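The signals named in this post (foreign IP, free mail server, an address like abc1235@yahoo.com) and the hidden-field check suggested earlier in the thread can be combined to sort a pending-activation list rather than judging each address by eye. This is an added example, not part of any poster's message or of any forum package; the record keys, weights and domain list are assumptions.

```python
import re

# Assumption: a short illustrative list of free-mail domains; extend as needed.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Unpersonalized local parts such as "abc1235": a few letters, then digits.
GENERIC_LOCAL = re.compile(r"^[a-z]{1,4}\d{3,}$")

def score_registration(reg, served_countries):
    """Return (score, reasons) for one pending registration.

    `reg` uses hypothetical keys: email, country (ISO code already resolved
    from the signup IP), honeypot (value submitted in the hidden form field).
    """
    if reg.get("honeypot", "").strip():
        # A human never sees the hidden box, so any value marks a bot.
        return 100, ["hidden field filled in"]
    local, _, domain = reg["email"].lower().rpartition("@")
    signals = [
        (2, reg.get("country") not in served_countries, "outside served countries"),
        (1, domain in FREE_MAIL, "free mail provider"),
        (2, bool(GENERIC_LOCAL.match(local)), "unpersonalized address"),
    ]
    hits = [(w, why) for w, hit, why in signals if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(pending, served_countries, suspect_at=4):
    """Sort the activation queue into reject / suspect / likely_ok buckets."""
    # With weights 2, 1, 2 no single signal reaches suspect_at; a combination must.
    buckets = {"reject": [], "suspect": [], "likely_ok": []}
    for reg in pending:
        score, reasons = score_registration(reg, served_countries)
        name = "reject" if score >= 100 else "suspect" if score >= suspect_at else "likely_ok"
        buckets[name].append((score, reg["email"], reasons))
    for rows in buckets.values():
        rows.sort(key=lambda row: -row[0])  # worst first within each bucket
    return buckets

# Constructed sample queue, not real registrations.
SAMPLE = [
    {"email": "alice.woodturner@gmail.com", "country": "US", "honeypot": ""},
    {"email": "abc1235@yahoo.com", "country": "CN", "honeypot": ""},
    {"email": "jan.novak@example.cz", "country": "CZ", "honeypot": ""},
    {"email": "signup@example.net", "country": "US", "honeypot": "http://example.org"},
]

if __name__ == "__main__":
    for name, rows in triage(SAMPLE, {"US"}).items():
        print(name, rows)
```

Passing every country your forum serves as `served_countries` keeps the location signal from penalizing an international audience.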
If your forum serves international users, then no country-based filtering will be useful. And I know lots of people whose only address is from Gmail, Hotmail, etc., so simply not allowing those addresses will be a problem.
A "defense in depth" strategy may help. After doing what you can to block spam registrations, take additional steps to block spam posts. For new members, as one example, you could put their first post into a moderation queue. Or their first five. Or, you could scan new member posts for links or keywords and let most through but hold suspicious ones.
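The post-level screening described in this post, as an added example that is not part of the original post or of any forum package: it covers both variants, queuing every early post or letting most through and holding only those with links or keywords. The function names, the default of five probation posts and the sample keyword are assumptions.

```python
import re

# Plain URLs, bare "www." hosts and BBCode [url] tags all count as links.
LINK = re.compile(r"https?://|\bwww\.|\[url\b", re.IGNORECASE)

def hold_reason(text, approved_posts, probation=5, keywords=(), hold_all=False):
    """Return why a post should wait for a moderator, or None to publish it.

    approved_posts: how many of the author's posts have already been approved.
    probation: number of early posts that get screened (the "first five").
    hold_all: True queues every probation post; False holds only suspicious ones.
    """
    if approved_posts >= probation:
        return None  # established member, no screening
    if hold_all:
        return "new member: post %d of %d on probation" % (approved_posts + 1, probation)
    if LINK.search(text):
        return "new member post contains a link"
    lowered = text.lower()
    for word in keywords:
        if re.search(r"\b%s\b" % re.escape(word.lower()), lowered):
            return "new member post matches keyword %r" % word
    return None

def route(posts, **policy):
    """Split (author_approved_count, text) pairs into published and held lists."""
    published, held = [], []
    for approved, text in posts:
        reason = hold_reason(text, approved, **policy)
        if reason:
            held.append((text, reason))
        else:
            published.append(text)
    return published, held

# Constructed sample posts: (posts already approved for the author, text).
SAMPLE_POSTS = [
    (0, "Hi all, long-time lurker, first post. Which glue do you use?"),
    (0, "Great forum! Cheap watches at www.example.com"),
    (2, "Check [URL=http://example.org]my site[/URL]"),
    (40, "Build log is at https://example.net/log"),
    (1, "Anyone tried the replica tools from that catalogue?"),
]

if __name__ == "__main__":
    for text, reason in route(SAMPLE_POSTS, keywords=("replica",))[1]:
        print(reason, "|", text)
```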
What I did was simply turn off forum registration altogether. I then redirected the link to register for the forum to lead to a static HTML page I created. On that page it lists instructions to register for the forum (the user simply has to send me an email with a few pieces of information). The email link itself is embedded in javascript and can be changed quickly and easily should the email address get spammed out (so far that address has remained spam free). I then manually register the users.
I had a friend who also has a VB board try this and it worked. But we both have very small forums. Needless to say, if you have 100 "real people" a day registering this isn't going to work. But for smaller, less-active boards, doing this can be a real time AND bandwidth saver. My server has worked sooooo much better since I started doing this.
Custom Profile Fields as an Anti-Spammer Tool [phpbb.com]
You'd want to tweak your custom fields, of course.
The email link itself is embedded in javascript
Profile pages are denied in robots.txt and links only appear to logged in users.
1. For bots: Custom-coded math question in the registration form.
2. For humans: added this notice to the registration form.
"Spammers, note: all outgoing links on this forum are nofollow. Do not bother!"
No spam now.
..But how can you be 100% sure if ALL the registrants from China, Europe etc. really are spammers?..
We don't, but we don't care. We don't sell to China, India, or a host of other countries where 95% of the spam comes from, so we just block the entire IP range.
We use vBulletin, and have email verification that auto registers. In addition to a range of IPs that are blocked, we also block any email registration that comes from a host of countries and servers, such as *.cn.
For those of you using phpBB, the GD captcha in phpBB3 has worked quite well up until a few months ago. It is still somewhat effective as it can be adjusted, but the harder you make it the harder it is for humans to read. Slight adjustment on my own forum has shown to keep the bots at bay.
Captcha works, but I find using captcha that doesn't come with the application works better. If a bot was looking for a particular type of forum it expects a particular captcha system, swap it out for something different.
With the release of phpBB 3.0.6, which is currently in the RC phase, you'll be able to do this out of the box as it will include a captcha plug-in system. It will be released with 3 winners of a competition they had, including the popular Q&A captcha. You could of course create your own plug-in or download from other selections. The addition of this should prove to be quite effective against bots because you'll have numerous systems to choose from which can be updated independently of phpBB3.
Professional Forum spammers:
[webmasterworld.com...]
If you practice a good user weed every couple of weeks it can cut way down on problems. Just weed any act that isn't validated.
You can also go the next step (like we do here) and weed any act not posted to for about 60 days.
Both those actions nuke any sleeper bots out of the user file.