One spammer and the site has only been alive for two days

(David Patar) #1

i moved over my old site to the new site. I used another forum software (xenforo), i had so much spam protection, I never had anything.

Now I am getting spam sign-ups.

Did I miss some spam settings somewhere? IS there any stop spam tweaks, that other others use?

How do you stop spam?



(Jeff Atwood) #2

Can you provide a link to your site? Did you use a non default config, change any of the site settings?

We don’t see big spam problems with our customers and partners, so I am curious if you can provide more specifics.

(David Patar) #3

Everything is default. Messaged you my url. I hate having my site popup on other sites in google.

If you want signup I will make you a admin.


(Jeff Atwood) #5

It is unusual to have a lot of spam on a new site as most spammers care about page rank and new sites have none. Old, established sites have bigger challenges.

The basics of spam control are here:

However, if you have human spammers, which is usually the case these days, then you can tighten the trust level 0 (new user) restrictions a bit in admin site settings.

(Jeff Atwood) #7

I followed up and, as per the corrected title of the topic, you have deleted exactly one spammer. That is “so much” spam?

I think your definition of “so much” is rather strange, give it a month and then see.

One spammer is not a trend, it is a single data point…

(cpradio) #8

Just want to give a bit of input from a fairly busy, semi-popular forum (no idea how popular we are really, but we get a decent amount of traffic).

For today only, we’ve banned 19 spammers (and today isn’t over – I anticipate 5 to 10 more). To put this in perspective, that is NOTHING! When we were on vB, at our highest spam point, we were dealing with over 1000 a day. I remember times we were knocking out 300+ accounts an hour. We ultimately put in features into vB that took that down to 10-30 an hour, but it was still far more than what we get in Discourse currently.

Quite frankly, I attribute that low number to a variety of factors:

  1. Discourse is a JS only app, so most spammers do not have an automated way of attacking us yet
  2. Email verification/activation (they must use a valid email account and activate it by pressing a button on their return).
  3. The built in spam tools available in Discourse.

I personally love the fact that handling a spam account is 3 clicks. Flag, Spam, Delete Spammer. Try that in vBulletin (it is a few more steps) :smile:

@Nimda, please give it time. You’ll be surprised at how easy it is to keep the forum clean of spam. I really haven’t been that concerned about it. If the numbers start to rise, then discussions will need to be had on what changed and how to best handle the new attack vectors they are using. But that day hasn’t come yet.

(Jeff Atwood) #9

Also, if you guys at sitepoint have specific feedback / strategies on how to reduce the spammers impact even further, let us know. (I am particularly embarrassed that we used to “validate” email just by any old http request to the validation URL.) Always open to that kind of feedback from busy sites.

Be aware, though, that there are a lot of 100% human spammers out there, who can easily pass any CAPTCHA you put in front of them…

(cpradio) #10

Noted. And as an FYI, I despise CAPTCHA’s (most sites use them incorrectly – please do not go down this path :smile:). They aren’t a solution (and won’t stop the spam I believe we are seeing).

The last thing I want to do is add more features to an area that ultimately makes it harder for “real” users to create an account. So until I see a really big change in the amount of spam we battle, I don’t want to change a thing (and trust me, we’re very observant, so if we start to see it going up steadily, we’ll be having talks well before it reaches a critical moment of needing to be fixed). :smile:

(David Patar) #11

Thanks for the feed back. I have used API’s in the past to check emails, usernames and IP address and it seemed to have stop a very large portion of spam login/register attempts.

I will keep my faith in devs. I have nothing but much love for this community and once, I learn this system, I will start providing some mods/tweaks, if anything I will flood Jeff’s account with suggestions :smile:

(Mittineague) #12

Just tossing this out there as food for thought.

I saw mention somewhere recently about using third party blacklists.

What if Discourse users had the option of sharing their blacklists?

Probably best if a central pool had some kind of occurence check in place eg. IP reported from 3 or more Discourse sites.

There would be a time lag and might not be much use for “hit and run” types, but it could be a way for Discourse users to help each other.

(TheLoneCuber) #13

Ah… is the extra on-site “Click to activate” an extra layer of spam protection? Very clever Discourse, very clever.

(cpradio) #14

Yes, because it is easy to write a program to receive an email and click a link, but to make that program, click the link and then click a button is significantly harder.

So it helps prevent spammers from easily verifying their email address by simply opening a link, they must open the link and click a button :smile:

(Kane York) #15

Yes, the page runs some special javascript to make sure it’s an actual browser looking at the page, and it doesn’t do that until you click the button.

A common pattern with manual spam getups is a human registering a lot of accounts, then having a bot confirm the emails, which are then passed on to the “posting team” (or whatever you want to call it). The activate account page here breaks that, adding another human to their operational costs; while being completely expected and in the workflow for legitimate users - they expect a clickthrough to the site when opening the activation email.

(TheLoneCuber) #16

It annoyed me when I knew not better because it seemed yet another unnecessary step in an internet saturated with unnecessary UX’s. And because the wording of the activation email implies that your account is activated via the email click, to which you click but then arrive on-site to learn your account is not activated and you have to perform another action to activate it. And — as a first-time user — who knows if there’s yet another activation step beyond that? Maybe I’ll bail out here…

Discourse is a complex beast, and I’m certain there are many things that are in place for very specific and very important reasons. I think some simple text explanation notices would go a long way to improving a user’s experience and highlighting Discourse’s feature set at the same time.

In the case of the extra activation layer, if the activate account page had a simple notice saying…

  • “Verify that you’re human”, or
  • “Great work! You’re one click away from activation. Click here to finish to process”

… that would assist users, explain the process, and show the Discourse is a serious anti-bot tool.

(TheLoneCuber) #17

Could the final activation step be a “Agree to the Terms & Conditions of this site” button? The new user has landed on-site for the first time and they have to action one more step to proceed anyway, so could that final step serve as human verification and a T&C agreement all wrapped up in one?

(Kane York) #18

There’s an option in the site settings to require acceptance of the ToS before creating an account.

Edit: It was migrated to

(David Patar) #19

seems like I am getting one spam hit every two days from GB ip addresses. They keep posting items about losing weight and dieting.

I just added the ToS “I agree” at sign-up

just wanted to provide a update.

(Kane York) #20

If that doesn’t work, then you can know that it’s a human spamming you.

(David Patar) #21

if possible to prevent spam signups. Can somebody make hidden fields that can only be filled by bots? If the fields are filled, then refuse registration.

Since the files will automatically be filled by bots and not humans(because humans can’t see the fields), then you can limit the amount of bots attempting to sign up.

just a idea.

(Jeff Atwood) #22

We have done that for a long, long time. These are usually humans, there are a LOT more human spammers out there today vs. two or three years ago.