Merged How to protect my forum from spam

It's called SPAM. It typically happens on websites that are poorly maintained and seldom updated. The Joomla website itself needs to be up-to-date and reasonably secured, not just the Kunena part.

When you see entire forums riddled with that garbage you have to know that the administrators have basically abandoned the website--or have no idea how to use Joomla! If that was a genuine security issue, you would see spam at this website, given the traffic it generates.

So where to begin? Well, you make sure Joomla! is up-to-date. Then you make sure you're running the latest Kunena. Your 2.0.4 is most recent. Next, you think about your access rules and Kunena configuration settings. Is your forum open for all the world to see? Are you using any form of captcha? Are you using lousy third-party software that have given spammers a way in? Perhaps the problem is your hosting company.

I encourage you to work inside-out (rather than outside-in) because I really think that if the 2.0.x series had a legitimate security break for spammers, this website would be replete with frantic reports of SPAM infiltration.

We are all getting hit with SPAM attacks every day and every hour. The difference is that some Joomla! websites don't defend the attacks--and then you get to see those charming Viagra ads.

naimless wrote: Please try this as an experiment on your forum (or here, on k.org). Open up a board to guests (with Captcha check enabled). It will look as though Captcha checks are working fine when using the front-end from a browser, but within a few days or so I'd predict you'll get swamped and swamped by hundreds spammy messages that somehow seem to completely ignore the captcha (or have found a really cheap way of cracking or bruteforcing re-captcha).

Allowing non-registered users (I.e. guests) to post at K.org is something we would never do; on a more personal note, it's not something I would allow on any forum that I have built. Allowing the posting of material on a forum, without requiring the need to be logged-in first, is an almost open invitation to those who post spam on the millions of websites around the world to say "Post your spam here".

CAPTCHA is not spam-proof. Indeed, there is a whole industry built around evading and overcoming CAPTCHA defences. I'm not saying that CAPTCHA is ineffective. I am, however, saying that Kunena is not the only web-based discussion forum product using CAPTCHA that is less immune to spam attacks than any other web-based discussion forum product. The reason that this discussion seems to be making a lot of noise about Kunena, in particular, is because Kunena is the most popular forum discussion extension for Joomla. It's because there are hundreds of thousands if websites around the world that use Kunena that there are potentially thousands of opportunities for spammers to ply their trade. The spread of spam is made easier if people do to take appropriate measures to combat it.

Allowing people to post on your website, without first requiring them to register at your website, is the first step in allowing the posting of spam on your forum. I understand that there are many people who want "guests" to post on their forums but, in allowing this, they also should be aware of the associated risks.

I am not bored with this subject. I gain useful knowledge from reading what people have to say and suggest. But I would also ask people to remember that this topic is not "Dear Sozzled, what do you have to say about spam". As with everything else on this forum, this topic is for everyone to pitch in and discuss the issues.

Let me make two points very clear. Firstly, there are many automated methods to combat spam; I have yet to find any one method that is 100% spam-proof. Secondly, spam happens and that's just something we have to accept as a fact; spam does not completely evaporate despite the best anti-spam measures you've put in place.

There are ways to reduce how much spam your forum can receive.

CAPTCHA is good. Protecting your site by implementing more rigorous registration is better. Requiring that only logged-in accounts can post in your forum is better again. But the most effective defence against spam is vigilance.

Thanks for your response Sozzled. And actually, an apology is in order and I clearly spoke too soon.

Another spammer found my forum after installing the easycalc captcha plugin (this spammer strangely only posts in Polish or some such - the old viagra, etc ones have disappeared). I've tried 4 different Captcha methods in the plugin, including Re-Captcha, and each of them has been rapidly cracked (with a break of an hour or two after changing the method).

So, again, apologies - Kunena is clearly working as well as any other solution out there.

Sozzled, I think you're right - when allowing guests to post it seems to be simply practically impossible to protect the forum using ReCaptcha (or any other Captcha), except for possibly a very obscure custom captcha or code that doesn't have the economies of scale to make it worthwhile for spammers.

Will consider disabling guest posts, though that would be a real shame.

Until then, I hope the spammy bastards all die a painful death one day.

Cheers!

Was going through our server logs and just wanted to share a GET request I happened to see.

The aim of this is pretty obviously a spammer trying to post - quite a few similar requests come in every day.

This doesn't seem to work when I try it in my browser, but out of interest - is the aim of this to try and automatically get past the Captcha and the like?

Anyway, not sure what it means, but thought would share, maybe someone cleverer than me could do something with it or maybe even block these kind of misshapen requests directly in future if they serve no legitimate purpose?

I have kept kunena up to date, added the catchable codes, made very complex passwords, etc. and still we get spammers putting messages on our forum on a regular basis. How do they create user accounts? How do I do i stop this? Is it because of our .us extension instead of .org?

Our site: www.12tharmoreddivisiomassociation.us

Try to use this plug-in : spambotcheck
extensions.joomla.org/extensions/access-...pam-protection/14027
It have worked for me

*** Topocs merged ***

I think your users should be given a repo score. Bases on these repo scores they can be limited to the numbered comments and ideas that they can post.

Also in FB, they have set an algorithm which will consider a user a spammer if the user posts more than 5 comments in less than 10 secs.

We are still using the setting from FireBoard to check if the user posted in x seconds and block him from sending the message:

Configuration > Security > Flood Protection, defaults to being off (just like in FB).

Hi guys

Like kunena 2.0.4 as it works perfect except for security where spammers keep coming into as unwanted users using some sort of .php.

1. Captcha did not stop them.
2. Only registered user can post did not stop them.
3. Set to Flood control to 1 sec, not sure it stop them.
4. Ticker exaByte, my host, to extend their spam tools that is covering the email to cover this but they said nothing.
5. Meanwhile i click on to www.stopforumspam.com at the security dialog but due to lack of knowledge, cannot move forward. Will appreciate the lead to what to do to get it moving eg where to put the codes and what are they? Unfortunately someone in this forum said it also won't work.
6. Also thinking about using spmbotcheck plugin. Can this work?

So i am getting desperate and has unpublished Kunena for the time being until i learn more to fight this menance. Help~~ :sick: :evil: