Are spam accounts on the rise in your community?


(Todd Nilson) #1

One of our customers is seeing a large number of spammers registering for new accounts, to the extent that one day he found 55% of the registrations were spam accounts! Here’s a recent data set with trendlines:

Now, this is mainly due to the fact that the community he manages is on an older platform that does not validate against email. However, it occurred to me that it might be an interesting question to pose to the community.

Are you seeing a large number of spam accounts? Are spam account registrations on the rise for your community?

And, if so, what are you doing about it?

Advice, tools and tips are welcome!

(Janet Swisher) #2

We see a similar rate of spam accounts. For us, it seems to be a symptom of success of the site, that spammers want to leverage our SEO juice. (So, congratulate your customer that he is drawing spammers’ attention!) Profiles are not heavily used by our members, so for now we are disabling the “about me” and “website” fields (which were used for spam text and outbound links, respectively). We may eventually re-implement them as an earned privilege, not available to brand-new accounts.

We have two authentication methods: email validation, and Github login. Profile spammers pretty much never use Github logins.

(Sarah Hawk) #3

Do you still struggle with high spam numbers at SitePoint @ralphm ?

(Ralph Mason) #4

Self promotional and spam accounts are rife, yes. It’s a pity humans get up to such things, but one just has to be a bit detached and treat it like other natural phenomena—such as diseases and the like. :-(

Fortunately, Discourse has evolved somewhat, in that profile accounts don’t get as much search engine attention as they used to. But ultimately, you have to fight this with humans. We’re very fortunate to have a dedicated team of sleuths who care enough about the community to sniff out all this rubbish and keep it under control. It’s a shame they have to, though.

(Todd Nilson) #5

Thanks for the reply, @Janet_Swisher! I appreciate the insights. The Github credentials is interesting. Alas, in our case, not only do the spammers not use it but neither do our users.

Interesting that the About Me and Website fields are spam magnets. My client has found exactly the same thing!

(Todd Nilson) #6

@ralphm well said!

Our client’s members are also quite vigilant. And yet, when you get so many nuisance accounts there’s got to be a way to cut down on them from an automation standpoint. It’s a matter of making sure you aren’t putting odious measures in front of legit members who are trying to register. There are many days when I have felt my eyes bleed due to poorly implemented captchas!

(Ralph Mason) #7

I’ve come to the conclusion that if I were to start my own forum I’d have to put up some kind of firewall (so to speak)—such as a pay-only forum, or only log in from something like GitHub … although I really don’t like that kind of signup process (relying on the existence of a 3rd party). ಠ_ಠ

(Sarah Hawk) #8

So this is interesting. I manage two Discourse forums, and neither of them get spammers signing up. We’ve had one spammer ever here at FeverBee, and none (since we moved to Discourse) at UXMastery.

I don’t believe we do anything differently to SitePoint, so I wonder what makes some forums more attractive to spammers than others.

(Joe Velez) #9

I guess it’s a combination of things really…
size and audience probably is a big part of why some sites are targeted more than others … there’s also the fact that some sites are easier to spam compared to others.

There’s nothing we can do to stop spam but we can make it difficult for them.

The first thing spammer do is try to get in automatically via bots. If that doesn’t work they will do it manually. If they believe the effort is worth it they will do it MANUALLY.

Register. Confirm. Post. Repeat.

For those looking for a solution maybe this will help…

A little background…

We are a large site - almost 1 million professional and student members. We require email address and confirmation when registering.

We do not have a captcha but do have a unique “registration” process that is constantly changing. The goal is to make it difficult for bots but not for our readers. It seems to be working.

For spammers that do get through we’ve built some obstacles for them.

For starters, all new members are throttled. Submitting anything requires xx minutes (floodtime) of wait time between posts. (This applies to new members only.)

This step will not stop all the troublemakers.

So what can we do???

At this point I decided to automatically set all posts with a link to moderation. Keep in mind that most members are here to ask questions not to share links. 100% of the time spammer exists to share links.

This moderation step continues for the first xx number of posts submitted by new members.

The idea behind this is to give our moderators plenty of time to review and ban the spammer before their messages become visible to the community (when the above obstacle no longer applies).

We also filter posts based on certain keywords/phrases (set to moderation).

There are a few more obstacles but that’s the gist of it.

It works.

(Sarah Hawk) #10

Interestingly, Discourse does almost all of these things by default (with the exception of changing the registration process regularly – I like that) which is one of the things that I love about it.

It doesn’t stop spam being an issue at SitePoint though.

(Ralph Mason) #11

I’d like to throttle a lot of our new members. :stuck_out_tongue:

(Darren McKay) #12

I get very few spam members on what is quite a large community (23k members, 323k threads, 7.4m posts, 4-6m page views a month). Our protection measures are not particularly sophisticated but they seem to do the job…

  • Must answer community-specific question, randomly selected from a pool, upon registering. If you have an interest in the subject you’ll know the answer without having to look. If you are a human, you could quickly find the answer. If you are a bot, you’ll get stuck here. I change the pool of questions every month or so.
  • Must provide email address at point of registration.
  • Must click on registration link emailed to you.
  • All new members manually authorised. Any obvious spammers are rejected at this point. A quick search on Facebook and/or twitter with the email address can also be helpful in identifying if there is a legitimate looking person behind the registration.

Additionally, new users are unable to post a URL in their first 10 posts.

I have also recently implemented a change such that each of the first 10 posts of a new user also need to be reviewed manually and authorised before they appear within the community. I didn’t make this change to protect against spammers however - we had a bit of a problem with abusive (but real) new members.

(Bas van Leeuwen) #13

:heart_decoration: this!