Apologies for the brief onslaught of spam...

Howdy all,

Our forums were inundated with a huge pile of Chinese spam yesterday evening. I’ve banned the user, and unpublished all of their content…but, folks receiving notifications from the affected forums would have gotten them via email. Sorry about that.

We have a pretty big list of spam prevention measures here at Virtualmin.com, including CAPTCHA, email verification for new users, and several honeypot hidden fields (so a bot would have a hard time making it through the registration process without tripping up at least one of those mechanisms). It was all posted by an actual human user who manually entered all the data, as far as we can tell.

I’m currently researching what our other options are; we have used both Mollom and Akismet in the past, but they were blocking legitimate messages far too often (like 20% of all posts were being blocked as spam), making users angry and confused, so we disabled them. We may re-enable one or both of them to see if the false positive rates have improved in the past couple of years.

Thanks for your patience while we murder the spammers…err, rather…clean up their mess, and try to figure out ways to stop them in the future.



Just an update: I’ve re-enabled Akismet anti-spam filtering. Please let us know if you find yourself getting 50x errors when trying to post to the forums (that’s how it responds to what it thinks are spam bots…this was a problem we had in the past, where it was falsely identifying legitimate users as spam bots). But, we rely on y’all to let us know when it happens, as there’s not really a good way to automatically detect it.

How about few mods just to keep clean the forum? You already said and i 100% agree that any automated service when it comes to forum post or blog comments is bad and too often makes things rather worst than prevents actual spam or unwanted content.
I had Askimet on several client websites but majority of them are e-commerce and marking legitimate messages or post did a lot of confusion with angry (potential) customers asking where did they message vanish. I ended hiring one person to keep it clean. Cost more but much less than trying to repair the situation i had almost on weekly basis.

I think that report button in forums added by joe does job perfectly for now.

Yep, we’re watching reported posts, and we’re banning users that spam. We usually catch them within an hour or two of posting, unless we’re all sleeping.

I’m also doing some other anti-spam work lately; it’s an ongoing process, but I’m definitely working on it.

I’m seeing this “hiring of humans to manually spam” become more prevalent. It seems the best options are to require a confirmation email, or a confirmation TEXT message.

That said, you might just allow “sign up” during certain hours of the day???

We do require a confirmation email during signup. A text message might be an option, but I suspect people would be hesitant to give out their phone number (I would be).

We don’t want to make it hard for folks to sign up, as this is where we want most conversations about Virtualmin to happen; it’s hard for us to follow Stack Overflow, Twitter, mailing lists, Web Hosting Talk, Low End Talk, etc. even though we try. If we make it harder to ask here, those questions will go elsewhere and people might not end up getting any reply, or worse and more common, a poorly informed reply.

And, of course, we’ve also got to sell some software, or we won’t be able to do this work, anymore (we all already have to have other incomes).

So, limiting signups won’t work. But, I am working on making the Drupal spam_detect module work again; it’s currently broken (in my experience, damned near every Drupal module is broken in some way, this one just happens to be broken in a way that prevents it from working, at all, because the “text_is_spammy” rule condition is broken on current Drupal versions). But, once working, it should allow us to use more advanced bayesian spam rules, as well as blacklisting specific domains and keywords and such. Also, it allows use of the SURBL database, which is a pretty good reputation-based method for spotting spam.

I’ve also re-enabled CAPTCHA in more locations. Hopefully it won’t effect existing users, and hopefully won’t prevent anyone from signing up, but it’ll make it slightly more time-consuming for spammers to sign up.