This is for users to help other users, to discuss topics that are related to forum administration in general or problems in running Joomla. This is not the place to ask for Joomla support. If you want assistance with Joomla please ask at forum.joomla.org

Merged How to protect my forum from spam

8 years 5 months ago - 5 years 1 month ago #1 by LittleJohn
Spambots and open forums are a pain.

I've learned through my work on a large forum that most spam can be avoided with 3 simple mechanisms:

1. Keep an empty input field on the form (hidden by CSS) and check that it is still empty on submit
2. Use spamhaus.org to look up the IPs that are posting
3. Keep the write page protected by JS, e.g. use the "Reply" button to submit a JS form for the write page (see below)

Our system turns #2 off if a user logs in.
#3 is a bit hard to implement, but #1 and #2 keep large amounts of spam away...


<!-- The REPLY link submits this hidden form via JavaScript to reach the write page -->
<a href="javascript:document.frm.submit();">REPLY</a>

<form name="frm" method="post" action="/write.cgi">
	<input type="hidden" name="thread_level" value="1" />
	<input type="hidden" name="category_id" value="123" />
	<input type="hidden" name="reply_to" value="123456" />
	<input type="hidden" name="top_parent" value="112233" />
</form>


Best regards
Last edit: 5 years 1 month ago by sozzled. Reason: Changed subject to improve relevance for search purposes
The following user(s) said Thank You: APrestoRoma
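
Mechanisms 1 and 2 from the post above, sketched as a server-side check. This is an added example, not code from the original post or from Kunena; it is written in Python for illustration, and the honeypot field name `website`, the zone `zen.spamhaus.org` and the function names are assumptions.

```python
import ipaddress
import socket

DNSBL_ZONE = "zen.spamhaus.org"  # assumption: the post only names spamhaus.org
HONEYPOT_FIELD = "website"       # hypothetical name of the CSS-hidden input


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname):
    """True if the DNSBL answers with a listing code for this address."""
    try:
        answer = resolve(dnsbl_query_name(ip))
    except (socket.gaierror, ValueError):
        return False  # NXDOMAIN (not listed) or non-IPv4: fail open
    # Listings come back as 127.0.0.x. Spamhaus answers 127.255.255.x for
    # query errors (e.g. a blocked public resolver); that is not a listing.
    return answer.startswith("127.") and not answer.startswith("127.255.255.")


def screen_post(form, remote_ip, logged_in, resolve=socket.gethostbyname):
    """Return (accepted, reason) for a submitted post."""
    # Mechanism 1: humans never see the hidden field, so any value means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # Mechanism 2: blocklist lookup, switched off for logged-in users.
    if not logged_in and is_listed(remote_ip, resolve):
        return False, "poster IP listed in DNSBL"
    return True, "ok"
```

The `resolve` parameter exists so the check can be exercised offline with a stub resolver; in production the default does a real DNS query per anonymous post, so results are worth caching.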

8 years 5 months ago #2 by LittleJohn
Just forgot...

The existing captcha and flood protection are good (two very different things!), but they both need a config option to turn each of them off for e.g. registered users vs public users. :)

Or even better ... They should be configurable per forum (a lot of the configs really should be that way :P)
The following user(s) said Thank You: ThomasWilson

8 years 5 months ago #3 by etusha
I am working on an anti-spam "system"; it will be like spamhaus or stopforumspam.
Maybe later it will be added to Kunena.

8 years 5 months ago #4 by Jens_K
Hi!

I have a Kunena 1.5.5 installation running on a Joomla 1.5.14 Website.

In the last few days, I have been dealing with lots of spam posts to one of the forums. With that, I could live - but what makes me curious is that the posts are in a forum that does not exist.

In 'jos_fb_messages' I find messages with 'catid = 9', but in 'jos_fb_categories' there is no 'id = 9'.

Now I have created a special "Spam" forum and changed the category id manually to 9 so I can view the posted messages. This special forum can only be accessed by admins (front- and backend), but spam posts are still coming in.

Can anyone help me with this issue?

Thanks in advance!
Jens

8 years 5 months ago #5 by LittleJohn
Spambots can most certainly target nonexistent categories.
URLs to them have no requirement of a link (as we humans almost do :P)

I assume you have looked in the logfiles to identify the target of the spambots?
Have you looked at the IPs to see if the spam originates from the same place(s)?
Can you identify some referrer from the logfiles?
What is the URL of your forum (and the targeted categories)?

There is some simple spam protection within Kunena such as captcha, valid email requirement and a few others.

If that isn't enough, you can get some simple tips from a recent thread here:
www.kunena.com/forum/119-feature-request...imple-spamprotection
That might be manual work in the templates, but in the long run it's better than the spam.

Just beware, the bots will probably target your forum anyway, so you won't get rid of the bandwidth (or server load) they consume.
For that, you'll have to use some more advanced IP blocking on the server.
The following user(s) said Thank You: ThomasWilson

8 years 4 months ago #6 by Jens_K
Hi!

Thanks for your reply.

I am aware of the fact that an open-to-everybody forum attracts spam bots. But in this case, the forum into which the spam posts are posted is a restricted one (only visible and accessible to admin rank or higher). And that is even only possible because I created the forum with catid = 9 after the spam posts were made. Before that, the forum didn't even exist.

How can a spam bot post into such a forum without even being logged into Joomla?

The URL of the forum is
aufdenklippen.de/index.php?option=com_ku...func=showcat&catid=9

8 years 4 months ago - 8 years 4 months ago #7 by LittleJohn
I see this:
'Du hast keinen Zugang zu diesem Forum!'
Good. The restrictions apply.

Next question:
'How can a spam bot post into such a forum without even being logged into joomla?'

Well, imo, 1) the bots either found a hole in the application / your server or 2) the bots created themselves as users, log in and post spam (which is not unrealistic).

Why are they targeting catid 9?
It could be random or on purpose (maybe from old URLs?)
Anyhow, I fail to see why 9 is a better option than e.g. 1.

More info please:
- Are the posts really not from logged-in users? (Joomla/Kunena/other components login)
- Are the posts from many IPs - or just a few IPs? (can you post some or look them up to see if they are in a spam database)
- Does cat 9 have anything in it that has security of 'Everybody'?
- Is there anything in the Apache logs revealing the HTTP referrer of the bots?
- Can you see (in the Apache logs) if the bots only hit one page at a time or they hit multiple pages in one visit?
Last edit: 8 years 4 months ago by LittleJohn.
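
A way to answer the triage questions above from the database, and to reject posts aimed at a category that does not exist. This is an added example, not code from the thread or from Kunena: only the table names and the `catid` / `id` columns come from the posts, while the `userid` and `ip` columns, the convention that `userid = 0` means a guest, the function names and all sample rows are assumptions constructed for illustration (SQLite in memory stands in for the Joomla database).

```python
import sqlite3

# Constructed sample data; userid and ip are assumed column names.
SCHEMA = """
CREATE TABLE jos_fb_categories (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE jos_fb_messages (id INTEGER PRIMARY KEY, catid INTEGER,
                              userid INTEGER, ip TEXT, subject TEXT);
INSERT INTO jos_fb_categories VALUES (1, 'General'), (2, 'Support');
INSERT INTO jos_fb_messages VALUES
  (10, 1, 42, '192.0.2.10',   'Welcome'),
  (11, 9, 0,  '198.51.100.7', 'cheap pills'),
  (12, 9, 0,  '198.51.100.7', 'cheap watches'),
  (13, 9, 57, '203.0.113.5',  'casino bonus');
"""

# Messages whose catid matches no category row, grouped by where they came from.
ORPHANS_BY_SOURCE = """
SELECT m.catid, m.ip, m.userid, COUNT(*) AS posts
FROM jos_fb_messages AS m
LEFT JOIN jos_fb_categories AS c ON c.id = m.catid
WHERE c.id IS NULL
GROUP BY m.catid, m.ip, m.userid
ORDER BY posts DESC, m.ip
"""


def sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def orphan_posts_by_source(db):
    """Rows of (catid, ip, userid, posts) for posts in nonexistent categories."""
    return db.execute(ORPHANS_BY_SOURCE).fetchall()


def category_exists(db, catid):
    """Server-side check to run on the submitted catid before storing a post."""
    try:
        catid = int(catid)
    except (TypeError, ValueError):
        return False  # non-numeric input is rejected, never passed to SQL
    row = db.execute(
        "SELECT 1 FROM jos_fb_categories WHERE id = ?", (catid,)
    ).fetchone()
    return row is not None
```

On the sample rows the grouping shows two guest posts from one address and one post from a registered account, which is the logged-in versus anonymous and few-IPs versus many-IPs split the questions ask about.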

8 years 4 months ago - 8 years 4 months ago #8 by sozzled
Every couple of months I trawl through the offerings at the Joomla Extensions Directory for better solutions to tightening security on my websites. I encourage all users to follow my example and make it a practice to visit the JED. B)

Obviously, site security starts with user registration. It doesn't end there, of course, but this is where I think it's necessary to put most of your effort. If "undesirables" can't get into your site then they can't cause mischief.

For this reason (and mainly for this reason) I have used Community Builder. It doesn't solve all my user registration problems but it does help. For a long time, however, I have not been too happy with Community Builder lacking a CAPTCHA facility - there are alternatives - but I also wanted to share one idea that I recently saw in the JED: CB Passphrase.

This plugin adds a Passphrase Field to the Community Builder Registration. After making this module published and defining the passphrase in the Plugin Management Section of Community Builder, only users entering the correct passphrase are able to register. It is intended for closed communities, just mail your targeted group the passphrase you have defined.

If you're developing a website for a closed group then this idea may help stop intruders from registering.

I realise that this isn't what was asked at the outset - how to stop spammers from infiltrating an open forum - but open forums are a lot more difficult to protect.
Last edit: 8 years 4 months ago by sozzled.

8 years 4 months ago - 8 years 4 months ago #9 by jeff_j_dunlap
100 percent of my spam has links to other websites. I really think that the simplest solution would be:

Moderate posts with urls automatically?
Last edit: 8 years 4 months ago by jeff_j_dunlap.
The following user(s) said Thank You: Shimei, HowAboutPrague

8 years 4 months ago #10 by sozzled
jeff_j_dunlap wrote:

100 percent of my spam has links to other websites. I really think that the simplest solution would be:

Moderate posts with urls automatically?

That's a good suggestion. :) Why not submit it to UserVoice?
