
Sticky How to protect my forum from spam

13 years 1 month ago #141821 by carlbeck
Replied by carlbeck on topic Security
:ohmy: Our web site, www.k5sar.com Kunena Forum is getting lots of SPAM posts. It is becoming a daily job deleting the bad posts and banning the user names that put them there.
As web master, I get e-mail notification of e-mails that cannot be delivered and that is how I get daily notification of SPAM posting. I then go in and delete, then permanently delete, and then find the user name and click on the “Ban the User Column”.
They just keep coming back with a new user name. Is there any way to stop this???
Carl

13 years 1 month ago - 13 years 1 month ago #141823 by sozzled
*** Topics merged ***

How people's websites become the target of spam is outside the purview of the Kunena product but there are many strategies that people can employ to reduce the incidence or, at the very least, make it more difficult for spam merchants to attack your website. The best strategy is to make it more difficult for people to register at your site. J! 2.5 includes a built-in feature that can assist you. For instance, you can require that people need to enter a CAPTCHA code when they register or tick a box "I agree to the terms" before their registration becomes active (like we do here at K.org).

Another strategy is to use a plugin like Spambotcheck (look it up on the JED for more information), which is also something we do here.

You can also require that the first n posts must use CAPTCHA - this is something you can set in the Kunena configuration settings. You can also require that new users must use a category where all messages must be reviewed before they appear in the forum - but this means that you have to be prepared to look at those messages and approve them.

A lot of people expect that there should be lots of "automated", hands-off tools that will do these kinds of things for them but, as I have written many times in this topic, "the most effective defence against spam is vigilance." We're fairly vigilant here at K.org and that's why you will not see much spam on this website.

I hope that helps.
Last edit: 13 years 1 month ago by sozzled.

13 years 1 month ago #141825 by naimless
Hi Sozzled

I know it's a never-ending topic that you must be bored of, but I really think there's something big being missed here.

Sure, I understand and agree that forums require diligence to keep clean, etc, but I am almost convinced now that something is not working as it should with the Kunena Captcha implementation.

Please try this as an experiment on your forum (or here, on k.org). Open up a board to guests (with Captcha check enabled). It will look as though Captcha checks are working fine when using the front-end from a browser, but within a few days or so I'd predict you'll get swamped and swamped by hundreds of spammy messages that somehow seem to completely ignore the captcha (or have found a really cheap way of cracking or bruteforcing re-captcha).

My Joomla/Jomsocial user-registrations use Re-captcha too, and there we maybe get one spammy registration every few days (that are very obviously done by someone manually creating an account, so they're easy to promptly deal with by diligence). But on the Captcha protected forum we'd get at least 10 or 20 a day who get past Re-Captcha. Surely Re-Captcha can't be so utterly ineffective?

The j_antispam plugin I was espousing earlier, sort of stopped doing its job properly, so, yesterday I found this plugin:
extensions.joomla.org/extensions/access-...urity/captcha/11964/

Have set it to a permanent answer to a simple idiot question that literally spells out the answer, and I haven't received a single spam post since (that plugin also has more complex maths, recaptcha, etc options). Suffice it to say, HIGHLY recommended.

However, this really does lead me to believe that some clever spammer has found a way to post to Kunena as a guest without having to validate the Re-captcha. I'm not trying to be a pain, but is there any remote way that this is technically possible or that there is a bug in Kunena's spam checking / Re-captcha integration code?

13 years 1 month ago #141826 by loic
Replied by loic on topic security issue in kunena 2.0.4
Hello,

Someone has been hacking Kunena forums for the last 2 days: inserting topics about viagra,...
I am not the only forum, so I think it is a security issue of Kunena 2.0.4.

It seems he is not using the frontend submission form; he appears as a member without being registered...

Have a look :
www.google.fr/search?q=kunena+Tentozeron...675&biw=1255&bih=886
search for "kunena Tentozeron" on google

Can you help us with that?
Thanks in advance
loïc

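Both naimless and loïc suspect above that posts arrive without going through the front-end form. As an added example (not part of the thread and not Kunena code), an administrator could test that suspicion against the web server's access log by flagging POSTs from clients that never fetched the posting form beforehand. The URL patterns for a non-SEF Kunena site, the 30-minute window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed URL shapes for a non-SEF Kunena site; adjust to your own routing.
FORM_GET = re.compile(r"option=com_kunena.*layout=(create|reply)")
POST_HIT = re.compile(r"option=com_kunena")
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*" (\d{3})')
WINDOW = timedelta(minutes=30)  # assumed maximum time between form fetch and post

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [12/Mar/2013:08:00:00 +0000] "GET /index.php?option=com_kunena&view=topic&layout=reply&id=5 HTTP/1.1" 200 4100
198.51.100.7 - - [12/Mar/2013:10:00:01 +0000] "GET /index.php?option=com_kunena&view=topic&layout=create&catid=2 HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2013:10:02:40 +0000] "POST /index.php?option=com_kunena HTTP/1.1" 303 0
203.0.113.9 - - [12/Mar/2013:10:05:00 +0000] "POST /index.php?option=com_kunena HTTP/1.1" 303 0
203.0.113.9 - - [12/Mar/2013:10:05:02 +0000] "POST /index.php?option=com_kunena HTTP/1.1" 303 0
192.0.2.44 - - [12/Mar/2013:10:30:00 +0000] "POST /index.php?option=com_kunena HTTP/1.1" 303 0
"""

def posts_without_form(log_text, window=WINDOW):
    """Return (ip, timestamp) for each POST with no form GET from that IP inside the window."""
    last_form = {}  # ip -> time of the most recent posting-form fetch
    flagged = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, url, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET" and FORM_GET.search(url):
            last_form[ip] = when
        elif method == "POST" and POST_HIT.search(url):
            seen = last_form.get(ip)
            if seen is None or when - seen > window:
                flagged.append((ip, ts))
    return flagged

def summarize(flagged):
    """Count flagged POSTs per client IP."""
    counts = {}
    for ip, _ in flagged:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in sorted(summarize(posts_without_form(SAMPLE_LOG)).items()):
        print(f"{ip}: {n} POST(s) with no recent form fetch")
```

A flagged POST only shows that the form page was skipped; a bot that loads the form and has the CAPTCHA solved elsewhere is not flagged, and users behind shared or changing IP addresses can produce false positives.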

13 years 1 month ago #141829 by Winuser
It's called SPAM. It typically happens on websites that are poorly maintained and seldom updated. The Joomla website itself needs to be up-to-date and reasonably secured, not just the Kunena part.

When you see entire forums riddled with that garbage you have to know that the administrators have basically abandoned the website--or have no idea how to use Joomla! If that was a genuine security issue, you would see spam at this website, given the traffic it generates.

So where to begin? Well, you make sure Joomla! is up-to-date. Then you make sure you're running the latest Kunena. Your 2.0.4 is most recent. Next, you think about your access rules and Kunena configuration settings. Is your forum open for all the world to see? Are you using any form of captcha? Are you using lousy third-party software that has given spammers a way in? Perhaps the problem is your hosting company.

I encourage you to work inside-out (rather than outside-in) because I really think that if the 2.0.x series had a legitimate security break for spammers, this website would be replete with frantic reports of SPAM infiltration.

We are all getting hit with SPAM attacks every day and every hour. The difference is that some Joomla! websites don't defend the attacks--and then you get to see those charming Viagra ads.
The following user(s) said Thank You: sozzled

13 years 1 month ago - 13 years 1 month ago #141846 by sozzled

naimless wrote: Please try this as an experiment on your forum (or here, on k.org). Open up a board to guests (with Captcha check enabled). It will look as though Captcha checks are working fine when using the front-end from a browser, but within a few days or so I'd predict you'll get swamped and swamped by hundreds of spammy messages that somehow seem to completely ignore the captcha (or have found a really cheap way of cracking or bruteforcing re-captcha).

Allowing non-registered users (i.e. guests) to post at K.org is something we would never do; on a more personal note, it's not something I would allow on any forum that I have built. Allowing the posting of material on a forum, without requiring the need to be logged-in first, is an almost open invitation to those who post spam on the millions of websites around the world to say "Post your spam here".

CAPTCHA is not spam-proof. Indeed, there is a whole industry built around evading and overcoming CAPTCHA defences. I'm not saying that CAPTCHA is ineffective. I am, however, saying that Kunena is not the only web-based discussion forum product using CAPTCHA that is less immune to spam attacks than any other web-based discussion forum product. The reason that this discussion seems to be making a lot of noise about Kunena, in particular, is because Kunena is the most popular forum discussion extension for Joomla. It's because there are hundreds of thousands of websites around the world that use Kunena that there are potentially thousands of opportunities for spammers to ply their trade. The spread of spam is made easier if people do not take appropriate measures to combat it.

Allowing people to post on your website, without first requiring them to register at your website, is the first step in allowing the posting of spam on your forum. I understand that there are many people who want "guests" to post on their forums but, in allowing this, they also should be aware of the associated risks.

I am not bored with this subject. I gain useful knowledge from reading what people have to say and suggest. But I would also ask people to remember that this topic is not "Dear Sozzled, what do you have to say about spam". As with everything else on this forum, this topic is for everyone to pitch in and discuss the issues.

Let me make two points very clear. Firstly, there are many automated methods to combat spam; I have yet to find any one method that is 100% spam-proof. Secondly, spam happens and that's just something we have to accept as a fact; spam does not completely evaporate despite the best anti-spam measures you've put in place.

There are ways to reduce how much spam your forum can receive.

CAPTCHA is good. Protecting your site by implementing more rigorous registration is better. Requiring that only logged-in accounts can post in your forum is better again. But the most effective defence against spam is vigilance.
Last edit: 13 years 1 month ago by sozzled.
