It is difficult to defend against spammers because the most severe tactics make it more difficult for legitimate users to participate. That is why we strive to achieve a healthy balance between allowing users to converse freely and keeping spammers away. We welcome the opportunity to do the “dirty work” so that you don’t have to worry about spammers infiltrating your community.
Although spam bots pose a challenge to unguarded forums, the most insidious forum spam comes from human spammers who sometimes blend in at first by making legitimate posts before posting their spam.
Here are some best practices to defend against forum spam:
- Remove spam immediately, ban the offending account, and ban his or her IP address. If your forum is popular, you will attract the attention of spammers. On the bright side, a popular forum will have many active users that can flag and report spam which allows for the situation to be resolved quickly. In other words, eliminate the spam and grab the ban hammer.
- “Unique question” and/or CAPTCHA on registration. This step is less than ideal because it affects legitimate users. However, it only needs to be completed once and it is a well-proven method to keep spam bots at bay.
- Settings to prevent flooding. By putting a limit on the number of threads a user can post per hour, you can limit a rogue user’s ability to “flood” the board with his or her junk.
- Check the user’s IP against an IP blacklist. Web services like Project Honeypot and Stop Forum Spam perform a “background check” that can prevent users from IP addresses with questionable histories from joining your forum.
- Institute a filter to judge content for spam. Web services like Akismet can examine the content of a prospective post or thread and assess whether or not it contains spam.
- Hidden field on registration form, only visible to bots. Spam bots that blindly submit web forms can be trapped by a form that contains hidden fields.
- Probationary period for new users. We avoid this step because it’s so detrimental to legitimate users, but this option could be employed by a well established forum. In this case, a moderator could be required to approve the user’s first thread(s) and/or post(s). Alternatively, new accounts could be subject to a 24-hour waiting period before they’re allowed to create threads of their own.
- Application to join the community. Asking users to explain why they wish to join your community will help weed out spammers. This step will no doubt inconvenience new users but could be appropriate for a well established forum.
- Examine country-of-origin. In our experience, most forum spam comes from India, China, and Indonesia. It is possible to identify new user registrations from these countries based on their IP and ask these users to provide additional verification before activating their membership.
In summary, we believe the ideal approach to stop spam is to gather feedback about the user before he or she joins your forum. This feedback can come from the user’s behavior (Does it behave like a bot?), the user’s reputation (Is his or her IP blacklisted?), or the user’s country-of-origin (Has this country sent spammers to you before?). If the nature of this feedback raises any doubts, then the prospective user should be subject to a more rigorous registration process. If a spammer does manage to slip by your security mechanisms, then prompt removal of the content will dampen the spammer’s effectiveness.
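
The screening flow summarized above, as an added Python example (not code from the original article): it combines the hidden-field trap, the IP blacklist check and the country check into one registration decision, and adds the per-hour thread cap from the flooding item. The field name `website_url`, the listed networks and the `XX` country code are constructed placeholders, and a local network list stands in for a lookup against a blacklist service.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed sample data: documentation-range networks stand in for a blacklist feed.
BLACKLISTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
REVIEW_COUNTRIES = {"XX"}       # placeholder code for countries that sent spam before
HONEYPOT_FIELD = "website_url"  # hypothetical form field, hidden from humans with CSS


def screen_registration(form, ip, country):
    """Return (decision, reasons); decision is 'reject', 'verify' or 'allow'."""
    # Behaviour: humans never see the hidden field, so any value came from a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject", ["honeypot field filled"]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "reject", ["malformed client address"]
    reasons = []
    # Reputation: is the address inside any blacklisted network?
    if any(addr in net for net in BLACKLISTED_NETS):
        reasons.append("IP blacklisted")
    # Country of origin, as resolved from the IP by the caller.
    if country in REVIEW_COUNTRIES:
        reasons.append("country under review")
    # Any doubt routes the user to the stricter sign-up path instead of a hard block.
    return ("verify" if reasons else "allow"), reasons


class FloodLimiter:
    """Sliding-window cap on threads per user (default: 5 per hour)."""

    def __init__(self, max_threads=5, window=3600):
        self.max_threads, self.window = max_threads, window
        self.history = defaultdict(deque)

    def allow_thread(self, user, now=None):
        now = time.time() if now is None else now
        stamps = self.history[user]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # forget threads older than the window
        if len(stamps) >= self.max_threads:
            return False      # refused attempts are not recorded
        stamps.append(now)
        return True
```

A `verify` result is where the CAPTCHA, “unique question” or join application would be applied, so users with a clean record keep the lighter sign-up path.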