The Kunena team has announce the arrival of Kunena 6.2.4 [K 6.2.4] which is now available for download as a native Joomla extension for J! 4.3.x/4.4.x/5.0.x. This version addresses most of the issues that were discovered in K 6.1 / K 6.2 and issues discovered during the last development stages of K 6.2
Merged How to protect my forum from spam
I've learned through my work on a large forum, that most spam can be avoided with 3 simple mechanisms:
1. Keep an empty input field on the form and check if it is empty on submit (hidden by css)
2. Use spamhaus.org to lookup ips posting
3. Keep writing-page protected by js. Eg. Use the "Reply"-button to submit a js form for the write-page (see below)
Our system turns #2 off, if a user logs in.
#3 is a bit hard to implement, but #1 and #2 keeps large amounts of spam away...
The existing captcha and floodprotection is good (two very different things!), but they both needs a config option to turn each of them off for eg. registrered users vs public users.
Or even better ... They should be configurable pr. forum (a lot of the configs really should be that way )
I have a Kunena 1.5.5 installation running on a Joomla 1.5.14 Website.
In the last few days, i am dealing with lots of spam posts to one of the forums. With that, i could live - but what makes me curious is that the posts are in a forum, that is not existing.
In 'jos_fb_messages' i find messages with 'catid = 9', but in 'jos_fb_categories' there is no 'id = 9'.
Now i have createt a special "Spam" Forum and changed the category id manually to 9 so i can view the posted messages. This special forum can only be accessed by Admins (front- and backend), but spam-posts are still coming in.
Can anyone help me with this issue?
Thanks in advance!
Url's to them, has no requirement of a link (as we humans almost do )
I assume you have looked in the logfiles to see identify the target of the spambots?
Have you looked at the IP's to see if the spam originates from the same place(s)?
Can you identify some referrer from the logfiles?
What is the url of you forum (and the targetted categorie(s))?
There is some simple spamprotection within Kunena such as captcha, valid email requirement and a few others.
If that isn't enough, you can get some simple tips from a recent thread here:
That might be manual work in the templates, but in the long run it's better than the spam.
Just beware, the bots will probably target your forum anyway, so you wont get rid of the bandwidth (or serverload) they consume.
That way you'll have to use some more advanced ipblocking on the server.
Thanks for your reply.
I am aware of the fact, that an open-to-everybody forum attracts spam bots. But in this case, the forum into which the spam posts are posted is a restricted one (only visible and accessable to admin-rank or higher). And that is even only possible, as i have created the forum with catid = 9 after the spam posts were made. Before that, the forum didn't even exist.
How can a spam bot post into such a forum without even being logged into joomla?
The URL of the forum is
'Du hast keinen Zugang zu diesem Forum!'
Good. The restrictions apply.
'How can a spam bot post into such a forum without even being logged into joomla?'
Well, imo, 1) the bots either found a hole in the application / your server or 2) the bots created themself as users, logs in and posts spam (which is not unrealistic).
Why are they targeting catid 9?
It could be random or on purpose (maybe from old urls?)
Anyhow, I fail to see why 9 is a better option than fx. 1.
More info please:
- Is the posts really not from logged in users? (Joomla/kunena/other components login)
- Is the posts from many ips - or just a few ips? (can you post some or look them up to see if they are in spamdatabase)
- Does cat 9 have anything in it, that has security of 'Everybody'?
- Is there anything in apache logs releaving the http referrer of the bots?
- Can you see (in apache logs) if bots only hit one page at a time or they hit multiple pages in one visit?
Obviously, site security starts with user registration. It doesn't end there, of course, but this is where I think it's necessary to put most of your effort. If "undesirables" can't get into your site then they can't cause mischief.
For this reason (and mainly for this reason) I have used Community Builder. It doesn't solve all my user registration problems but it does help. For a long time, however, I have not been too happy with Community Builder lacking a CAPTCHA facility - there are alternatives - but I also wanted to share one idea that I recently saw in the JED: CB Passphrase .
If you're developing a website for a closed group then this idea may help stop intruders from registering.
This plugin ads a Passphrase Field to the Community Builder Registration. After making this module published and defining the passphrase in the Plugin Management Section of Community Builder, only users entering the correct passphrase are able to register. It is intended for closed communities, just mail your targeted group the passphrase you have defined.
I realise that this isn't what was asked at the outset - how to stop spammers from infiltrating an open forum - but open forums are a lot more difficult to protect.
Moderate posts with urls automatically?
That's a good suggestion. Why not submit it to UserVoice ?
100 percent of my spam has links to other websites. I really think that the simplest solution would be:
Moderate posts with urls automatically?