
What would discourage spammers? (33 posts)

  1. donncha
    Key Master
    Posted 13 years ago #

    Hello spammers, I'm sure you're going to be reading this thread.

    It's obvious from recent posts on blackhat SEO sites and our own experiences that WPMU is a target for spammers creating spam blogs. They come on to your site, create dozens or thousands of blogs and fill them with spammy content and links. Soon your nice little community is floundering under the deluge of spam.

    Current measures obviously don't work. If we make it more difficult for spammers, it becomes more difficult for legitimate users to register.

    WordPress MU is attractive to spammers because it's easy to create content and links to their own sites that are indexed by Google and blog search engines. Their blogs are also listed on your blog listing pages making it easy for them to find human visitors. What's to be done?

    What about a new blog quarantine? New blogs:
    1. Are not listed on sitewide blog lists.
    2. Don't allow search engines to index their pages or follow their links by using the noindex,nofollow meta tags.
    3. If you have global tags pages, don't include them.
    4. Don't allow trackbacks or pings from them.
    5. Maybe delete blogs that aren't used before the restrictions above are removed.

    After a period of time these restrictions are lifted. I would suggest at least a month for the first 3 conditions, and a week for the trackback one.

    Even if the spammers don't post their content to their new blogs until the month is up, you the administrator will have a month to catch and delete all those empty blogs.

    Like nofollow on comment spam, I don't think these measures will stop spam, but they will limit their effects.

    Anything else we can do?
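    As an added illustration of the quarantine proposed above (this is not Donncha's code nor anything shipped with WPMU), here is a hypothetical mu-plugin that enforces items 2 and 4 for blogs younger than the suggested 30 and 7 days, and provides a helper a listing template can use for items 1 and 3. The hooks and functions it calls (`wp_head`, `init`, `do_pings`/`do_all_pings`, `pings_open`, `get_blog_details`, `get_blog_option`) are real WordPress/WPMU APIs; the `nbq_` functions, the constants and the `nbq_approved` per-blog option are assumptions made for this example, the last one giving a site admin a way to release a verified blog early.

```php
<?php
/*
Plugin Name: New Blog Quarantine (hypothetical example, drop in wp-content/mu-plugins/)
Description: Restricts blogs younger than N days, as proposed in the thread.
*/

// Quarantine lengths from the proposal: a month for listing/indexing, a week for pings.
// Both constants are assumptions for this example.
define( 'NBQ_INDEX_DAYS', 30 );
define( 'NBQ_PING_DAYS', 7 );

// Age of a blog in whole days, taken from the `registered` column of wp_blogs.
function nbq_blog_age_days( $blog_id ) {
    $details = get_blog_details( $blog_id );
    if ( ! $details || empty( $details->registered ) ) {
        return PHP_INT_MAX; // unknown age: fail open rather than hide an established blog
    }
    return (int) floor( ( time() - strtotime( $details->registered ) ) / 86400 );
}

// A blog is quarantined while younger than $days, unless a site admin has set the
// (assumed) per-blog option 'nbq_approved' to release it early.
function nbq_is_quarantined( $blog_id, $days ) {
    if ( get_blog_option( $blog_id, 'nbq_approved' ) ) {
        return false;
    }
    return nbq_blog_age_days( $blog_id ) < $days;
}

function nbq_current_blog_id() {
    global $wpdb;
    return (int) $wpdb->blogid;
}

// Item 2: tell crawlers not to index pages or follow links on a quarantined blog.
function nbq_robots_meta() {
    if ( nbq_is_quarantined( nbq_current_blog_id(), NBQ_INDEX_DAYS ) ) {
        echo "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
    }
}
add_action( 'wp_head', 'nbq_robots_meta', 1 );

function nbq_pings_closed() {
    return false;
}

// Item 4: a quarantined blog neither sends trackbacks/pingbacks when it publishes
// (do_all_pings is what WordPress hooks on the do_pings action) nor accepts them.
// Plugins load per request, so this only affects the blog being served.
function nbq_block_pings() {
    if ( nbq_is_quarantined( nbq_current_blog_id(), NBQ_PING_DAYS ) ) {
        remove_action( 'do_pings', 'do_all_pings' );
        add_filter( 'pings_open', 'nbq_pings_closed' );
    }
}
add_action( 'init', 'nbq_block_pings' );

// Items 1 and 3: the stock listing functions have no filter, so a sitewide listing
// template or global-tags page passes its rows through this helper before display.
// Accepts the array rows of get_last_updated() or objects with a blog_id property.
function nbq_filter_blog_list( $blogs ) {
    $visible = array();
    foreach ( (array) $blogs as $blog ) {
        $id = is_object( $blog ) ? $blog->blog_id : $blog['blog_id'];
        if ( ! nbq_is_quarantined( (int) $id, NBQ_INDEX_DAYS ) ) {
            $visible[] = $blog;
        }
    }
    return $visible;
}
```

    To release a blog that has been checked by hand, a site admin runs `update_blog_option( $blog_id, 'nbq_approved', 1 )` (a real WPMU function; the option name is the example's own). Item 5, deleting blogs that stay empty for the whole month, is left to a scheduled cleanup and is not part of this block.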

  2. KKWangen
    Member
    Posted 13 years ago #

    I think it's a good idea to keep new blogs hidden, but if it's implemented, there should be an option for admins to approve a blog as well, if they see it's for real.

    And maybe any users and spamblog names should automagically be added to some kind of blacklist.

    And there's wp-signup.php; maybe the signup form should behave more like the comments form, so spammers can't just type domain.tld/wp-signup.php to get a blog.

  3. SteveAtty
    Member
    Posted 13 years ago #

    I did write a long rant here but it's not really on topic.

    Spam is a major pain everywhere and even if you put steps in place (captchas, moderation queues) they still post it. You can remove files and 18 months of 404s later they will still try to push their crap through it.

    I certainly think that hiding new blogs from search engines and not putting them in things like a "new blog" or "updated blog" list is good.

    Also allowing an admin to basically "hide" a blog - so they can check to see if it's a splog or a hijacked real blog - would be good.

  4. mark-k
    Member
    Posted 13 years ago #

    What is the real damage of spamming except for the annoyance?
    I understand that if I get 30000 spam blogs I will run into problems concerning the Linux directory size for the files folder, but if I get 5 splogs a day and they are being cleaned every week, what is the harm?

    If the problem is with how they are displayed at the front page of the site, maybe the solution is not captcha, but simply limiting the number of characters being displayed as the title of the blog?

  5. SteveAtty
    Member
    Posted 13 years ago #

    Mark - the problem is what would you rather spend your time doing: clearing up after spammers and spending time putting systems in place to stop them spamming you, or actually working on enhancing your system to make it a more "feature rich" environment?

  6. andrea_r
    Moderator
    Posted 13 years ago #

    The splogs are also eating up resources - filling your db, sucking your bandwidth, filling error logs and skewing your stats. Besides, even if you do clean 'em up once a week, if I wanted to sign up for a blog somewhere, I'm less likely to do so on a place where I see spam blogs listed.

    I've hacked mine to moderated status where I get the email to activate the blog. Deleting a half-dozen or so emails is far less annoying than having to clean up splogs out of the system. Moderation works for the short term and only on small systems. Not perfect by any means.

    I'm still trying to ferret out exactly what process they go through.

  7. lunabyte
    Member
    Posted 13 years ago #

    Although this is something I believe should be discussed, it's too bad that those same dirty spammers can also read it.

    Therefore, unfortunately, we're kind of stuck from coming up with something really, really good, as they can see what's being planned and in turn plan their work around it.

    I have a few ideas that could be used as well.

    At this point, I'm not sure splogs can be completely prevented from registering. However, I do think that if that's the case then the damage done could at least be contained locally without "the world" knowing a spammer has signed up.

  8. Bike
    Member
    Posted 13 years ago #

    Good thread. To catch the current spamflood:

    The moment any "<" is entered in a blog title or description, the sign-up page/script should automatically not create any tables at all but block/ban that user/username/blogname/emailaddress/domain/IP (level/options to be chosen by the admin) instead.

    So no bandaids like striptags, but an action as a result for attempted spam.

    Same for any first/second/xxxnd post that has 1/2/3/x links in them: it should lead to automatic suspension of the blog.

    PS: can we take out the version/release number and just freestyle link back to MU, without revealing we are using a maybe vulnerable version?

    Cheers, Bike

  9. lunabyte
    Member
    Posted 13 years ago #

    And removed from the headers sent, as well as other personal blog info... cough cough.

    As for your idea Bike, it is a possibility.

    However, then they'll know that it no longer works, and will not use it.
    Then you're back to square 1, and still fighting sign-ups that can't really be tracked.

  10. Farms
    Member
    Posted 13 years ago #

    I have to say, nofollow style mechanisms (i.e. non indexing) and quarantine periods, from my limited perspective, don't work.

    Look at the impact nofollow has had on comment spam, for example (i.e. none, it's just got a lot worse).

    And disallowing <s etc. in blog names should just be default.

    I reckon that there are only two real solutions - the first is an Akismet-esque group intelligence system that we can just plug in.

    The second is plain old decent barriers to them registering... I honestly reckon that a ToS box, security question and even captcha solution should come with the core, preferably all set up with multiple / randomised elements from the start and easily adjustable by Site Admins.

    Ticking a box, typing in an answer or reading a captcha really isn't too much to ask - after all, if people are actually going to be using blogs to any great degree, it's certainly not going to put them off, and if it does, then you probably don't want them.

    Just my 2c.

  11. Farms
    Member
    Posted 13 years ago #

    It sounds deeply cynical of me, but I (and most people out there) aren't so much worried by the effects of spam... just how it'll impact on them individually.

  12. lunabyte
    Member
    Posted 13 years ago #

    James, you're probably right really, to some extent with the effects.

    Things like:

    1) how much of my time is spent dealing with cleaning up the mess.
    2) how much time is spent on anti-spam measures
    3) how will my site look if someone finds out a spammer was here

    etc.

  13. SteveAtty
    Member
    Posted 13 years ago #

    You forgot the annoyance.

    I have to admit to abandoning a site I was working on because trying to stop the spammers just became too much effort. I spent all my time trying to outwit them and no time actually doing what I wanted, so I dumped the project. (Spammers were still hitting the URLs months later despite getting nothing but 404s.)

  14. lunabyte
    Member
    Posted 13 years ago #

    Yep. Annoying is definitely on the list.

  15. andrea_r
    Moderator
    Posted 13 years ago #

    One thing I've noticed is however spammers are signing up, a good portion of them use the phrase "Default Title" as their blog title.

  16. boonika
    Member
    Posted 13 years ago #

    CAN ANYONE HELP TO SOLVE THIS PROBLEM:
    http://mu.wordpress.org/forums/topic.php?id=6246&page&replies=9

    I don't know what to do. How is it possible that someone can register without using wp-signup.php?

  17. andrea_r
    Moderator
    Posted 13 years ago #

    Another thing I noticed is spammers signing up for just a username, then auto-creating as many blogs as possible.

  18. boonika
    Member
    Posted 13 years ago #

    So what you are saying is that someone who already owns a username can create blogs without using wp-signup.php?

  19. andrea_r
    Moderator
    Posted 13 years ago #

    Not necessarily, no. I'm just mentioning that for people who have blocked blog signups other ways and allowed user signups, they'll still get splogs.

  20. lunabyte
    Member
    Posted 13 years ago #

    Person registers for a username only. Logs in, then goes back to the registration page.

    Now they can add a blog, and choose a name for it.

    "Most" anti-splog measures aren't active when a user is logged in. It's a perception that if the user is logged in, then they are "OK".

    Easiest way to kill all of that is to:

    a) Disallow just signing up for a username.
    Then b) Only allow 1 blog per user by redirecting with a header() any user who is logged in and tries to visit the sign-up page.

  21. Richard Palace
    Member
    Posted 12 years ago #

    Is there a way to check the user IP from the admin dashboard? I have to get into the registrations log in the DB to check the user IP.

    The same IP has signed up as 10 different users for 10 blogs a day.

    We can ban IPs and ban email domains.

    What about limiting 1 signup per day from the same IP?

  22. billdennis5
    Member
    Posted 12 years ago #

    Donncha asked: "What would discourage spammers?"

    Answer: "A buzzsaw. Right below the knuckles."

  23. lostdeviant
    Member
    Posted 12 years ago #

    Donncha, I hope you're reading this thread still. I have a captcha, and extra profile questions yet I'll get over 20 splog signups a day.

    We need something like Richard Palace mentions. Don't let more than one blog be signed up per IP each day.
    Let us actually see on the Blog page the IP number, don't hide it from us!
    We can search it, so why can't we see it?
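    The signup-side controls raised in this thread (Richard Palace's and lostdeviant's one-blog-per-IP-per-day limit, lunabyte's "one blog per user" redirect for logged-in users, Bike's refusal of any `<` in a blog title, and andrea_r's "Default Title" signal) can all sit on WPMU's `wpmu_validate_blog_signup` filter. The following hypothetical mu-plugin is an added example written for this page, not code from any of the posters or from WPMU itself. It relies on real WPMU pieces: the `wpmu_validate_blog_signup` filter and its result array (`blog_title`, `user`, `errors`), the `wp_registration_log` table (columns `email`, `IP`, `blog_id`, `date_registered`, which is the log Richard Palace reads by hand), `get_blogs_of_user`, `get_usermeta`, `wp_redirect`. The `st_` names, the daily limit and the error messages are the example's own assumptions.

```php
<?php
/*
Plugin Name: Signup Throttle (hypothetical example, drop in wp-content/mu-plugins/)
Description: Per-IP daily limit on new blogs, one blog per user, and title checks at signup.
*/

define( 'ST_BLOGS_PER_IP_PER_DAY', 1 );   // assumed limit, per the suggestion in the thread

// Address the web server saw. Assumes no reverse proxy; behind one, read the proxy's
// trusted header instead, never an arbitrary X-Forwarded-For value.
function st_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// Blogs activated from this IP in the last 24 hours, from wp_registration_log.
// Pending, unactivated signups are not in that table, so only completed
// registrations count toward the limit.
function st_blogs_from_ip_today( $ip ) {
    global $wpdb;
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->registration_log}
          WHERE IP = %s AND date_registered > DATE_SUB(NOW(), INTERVAL 1 DAY)",
        $ip
    ) );
}

// Does this user already administer a blog? Membership alone is not enough, because
// many MU sites add every new user to the main blog as a subscriber.
function st_user_administers_a_blog( $user_id ) {
    global $wpdb;
    foreach ( get_blogs_of_user( $user_id ) as $blog_id => $blog ) {
        // capabilities meta key is wp_capabilities for blog 1, wp_N_capabilities otherwise
        $prefix = ( 1 == $blog_id ) ? $wpdb->base_prefix : $wpdb->base_prefix . $blog_id . '_';
        $caps   = get_usermeta( $user_id, $prefix . 'capabilities' );
        if ( is_array( $caps ) && ! empty( $caps['administrator'] ) ) {
            return true;
        }
    }
    return false;
}

// Runs on every blog-signup submission, including "add another blog" by a logged-in user.
function st_validate_blog_signup( $result ) {
    $errors = $result['errors'];

    // Per-IP daily cap.
    $ip = st_client_ip();
    if ( $ip && st_blogs_from_ip_today( $ip ) >= ST_BLOGS_PER_IP_PER_DAY ) {
        $errors->add( 'blogname', __( 'Only one new blog per day is allowed from your address.' ) );
    }

    // One blog per user: $result['user'] holds the current user when a logged-in
    // account asks for an additional blog, and is empty for fresh registrations.
    if ( ! empty( $result['user'] ) && st_user_administers_a_blog( $result['user']->ID ) ) {
        $errors->add( 'blogname', __( 'You already have a blog on this site.' ) );
    }

    // A '<' in the title is never legitimate in this form, so refuse it rather than strip it.
    if ( false !== strpos( $result['blog_title'], '<' ) ) {
        $errors->add( 'blog_title', __( 'Blog titles may not contain HTML.' ) );
    }

    // An unchanged "Default Title" was observed on a large share of splogs.
    if ( 'Default Title' === trim( $result['blog_title'] ) ) {
        $errors->add( 'blog_title', __( 'Please choose a title for your blog.' ) );
    }

    $result['errors'] = $errors;
    return $result;
}
add_filter( 'wpmu_validate_blog_signup', 'st_validate_blog_signup' );

// Send a logged-in user who already administers a blog away from wp-signup.php.
// init fires before the page has sent any output, so the redirect header still works.
function st_redirect_existing_owners() {
    if ( 'wp-signup.php' !== basename( $_SERVER['SCRIPT_FILENAME'] ) || ! is_user_logged_in() ) {
        return;
    }
    $user = wp_get_current_user();
    if ( st_user_administers_a_blog( $user->ID ) ) {
        wp_redirect( get_option( 'home' ) );
        exit;
    }
}
add_action( 'init', 'st_redirect_existing_owners' );
```

    The IP check is deliberately a soft control: as noted later in the thread, an address ban only holds until the spammer moves to a new one, so the daily cap slows mass creation without trying to blacklist anyone permanently. The per-user check looks at the administrator capability rather than raw membership so that users auto-added to the main blog are not locked out of creating their first blog.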

  24. billdennis5
    Member
    Posted 12 years ago #

    Criminals commit crimes because they make money. As long as there's money to be made by doing it, sploggers will continue to splog. As long as Google will send any idiot splogger cash because code from the same google adsense account is plastered on 1,000 splogs, we will have sploggers.

    Sometimes I wonder why I bother trying to earn an honest living.

  25. andrea_r
    Moderator
    Posted 12 years ago #

    Yep, and they consider low returns like 10% or even 1% to be "good".

    Rename the signup page. Rename everything in it that calls wp-signup.

    The sploggers have an automated program that hunts this down and does it. That's what it looks for.

    Also, lostdeviant - Donncha released a hashcash plugin to stop splogs. Have you tried it too? Banning the IP only works for a short time. They'll just get a new one.

  26. Klark0
    Member
    Posted 12 years ago #

    Lostdev, rename your wp-signup.php to something unique as andrea suggested. That cut down my splogs from 20-30 per day.

    It doesn't stop the "noobie" spammers though. Those are the ones that manually sit down and create splogs by hand. I get about 5 of those per day.

    Also, Hashcash works great for signup, but it has issues with Comments. All comments for me, even legit ones, were being marked as spam.

  27. demonicume
    Member
    Posted 12 years ago #

    1. change their site
    2. rewrite their dashboard so that the login button does a drive-by download which uploads a rootkit (instead of gears or some such).
    3. use this back door information to steal their information.
    4. buy me a BMW with dubs and a kick-ass stereo system.

    /end thread hijack

  28. lunabyte
    Member
    Posted 12 years ago #

    Meh, depends on the model of Beamer.

  29. andrea_r
    Moderator
    Posted 12 years ago #

    I'm bettin' someone sent Santa a huge list...

  30. xenon2050
    Member
    Posted 12 years ago #

    An ax and a will to use it might discourage them... :)

    In all seriousness though, there have been some great ideas in here, like not having the blogs update indexes for the first week... I think some built in security measures would be nice as opposed to having to add them. Maybe some kind of captcha but with admin configurable options that allow us to tweak the settings to work how we would like.
