As the administrator of several forums, I don’t even have words to describe how frustrating forum spam has become. On my photo gallery software site, I had to take down the phpbb forums because the signal-to-noise ratio was just out of control. I had been using phpbb for most of the forums I set up for a while; however, one of them had become a constant target for hackers, and phpBB always seemed to have vulnerabilities. I decided it was worth my sanity to shell out the cash for vbulletin, and overall I’ve been very happy with that decision.
Of course, I had the same issues with spam as I did with phpbb. On one forum that had been around for many years, I was receiving upwards of 60-100 spam registrations a day. I had changed our forum settings to require my approval before anyone could post, which was great at sparing our users from spam posts about viagra, but was doing nothing to help my sanity. Out of those 60 new registrations, *maybe* one was valid. It got to the point where the sheer volume was overwhelming, so the accounts pending approval started to pile up. Unless the new forum member emailed me directly, they simply never got approved. Not a good way to run a forum, for me or for our users. I was feeling frustrated and cranky, and the users were being neglected and denied the ability to participate. Fail2.
When I logged into my vbulletin admin two days ago and saw that there were over 1,000 accounts awaiting my approval (and by way of a quick glance through the list realized that 95% of them were spam), I decided I needed to revisit some anti-spam tactics for vbulletin. I was already using vbulletin’s built-in captcha, and had added the NoSpam! plugin a year or two ago – I’ll go into it more in a moment. NoSpam! definitely helped, but as I was in a rush when I installed it, I didn’t force myself to sit down and come up with a range of good questions.
My goal was to find a solution (or several solutions) for registration spamming, not post-spamming – since logic would dictate that if the users who are able to successfully register are not spammers, you don’t have to worry about post-spam.
My first thought was to see if there was an Akismet system for vbulletin. Akismet does such an outstanding job at keeping WordPress blog comments spam-free that I thought it would be the perfect place to start. A quick Google search turned up less-than-stellar news. The reviews on Akismet’s vbulletin port were not great, citing many instances of false positives, which would ultimately end up creating even more work for me in the long run, since I’d be fielding user complaints of posts not showing up, etc. The more I thought about it, Akismet wasn’t really the right answer anyway, since it screens only posts, not registrations.
More Googling turned up an excellent blog post by Cormac Moylan, appropriately titled Fighting Spam in Vbulletin, where he goes into detail on several of the available options for fighting spam in vbulletin. The article was from 2006, but there were some products listed that I wasn’t aware of, so it was very helpful. He, too, agrees that the Akismet port to vbulletin is not as awesome as its WordPress flagship. In a similar fashion to his post, I’m going to go through the available products and my own conclusions below.
NoSpam!
This plugin allows you to add an additional barrier to the registration process, where the user sees one of a randomized list of questions YOU define, and they have to type the correct answer into a text box. Spambots have been improving their OCR capabilities over the past several years, so an image captcha alone just doesn’t cut it anymore.
With NoSpam!, you create the questions – and the answers – so you’re able to really control the level of screening you want to implement. A simple math question (2 + 2 = __, with possible answers of “four” or “4”, for example) will be harder for a bot to grok than a basic image captcha. NoSpam! did help, and I recommend it. The fact that it was less effective as time wore on is very likely my own fault, since I stuck with basic math problems. I would expect that if spambots can easily detect and fool image captchas, they are probably capable of detecting basic math prompts these days. I’ve since changed the questions to ones that require an actual human to solve, but are still easy enough for new users to get through. For example, for the Wench forums, one of my NoSpam! questions is “Fill in the blank – International _______ Guild.” Still not rocket science, but since the questions are more topical to the forum content itself, it’s doing a better job.
[download]
Enhanced Captcha Image Verification
I’ve only recently installed this one, but it looks like a great tactic to get around spambots – the demo speaks for itself. It’s quite brilliant in its simplicity – four boxes with random images, and text that asks you to select a specific image from the group. Certainly easy enough for a real person to complete, but it will be more of a challenge for bots to figure out. The install in vbulletin was very easy – upload the images, and then install the product by uploading the XML. Couldn’t ask for a simpler plugin.
[download]
Check Proxy RBL on New User Registration
If a bot gets past the first barriers – the standard image captcha, the enhanced image captcha, and the NoSpam! questions – there is one more line of defense: running the IP address of the registering user through the RBL, or Real-time Black List, databases to see if it matches any of the known spammer IP addresses. If it finds a match, it deletes the signup and can either alert you by private message or by automatically starting a thread in a designated forum category of your choice.
I have just installed this one, so I’m not able to give you a success rate, however Cormac reported an 80% success rate with no mention of false positives. (Update: see my own updated numbers at the bottom of this post.)
This plugin comes with a small handful of RBL server addresses to check against, but this post on the Anti-Abuse Project site offers quite a few more, including:
bl.spamcop.net
cbl.abuseat.org
dnsbl.sorbs.net
socks.dnsbl.sorbs.net
dul.dnsbl.sorbs.net
http.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
dnsbl.njabl.org
combined.njabl.org
zen.spamhaus.org
rbl.spamlab.com
accredit.habeas.com
list.dsbl.org
multihop.dsbl.org
unconfirmed.dsbl.org
dnsbl.ahbl.org
dnsbl.burnt-tech.com
bl.deadbeef.com
dnsbl.delink.net
access.redhawk.org
no-more-funn.moensted.dk
spam.tqmcube.com
ko.tqmcube.com
prc.tqmcube.com
dnsbl.tqmcube.com
ubl.unsubscore.com
psbl.surriel.com
blacklist.spambag.org
combined.rbl.msrbl.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
cblless.anti-spam.org.cn
bl.spamcannibal.org
cbl.ni.bg
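To make the RBL check concrete, here is an added Python example (not the plugin’s own code, which is a vbulletin PHP product) showing what such a check does with a registrant’s IP: it reverses the octets, prefixes them to each RBL zone, and treats an A-record answer in 127.0.0.0/8 as a listing. It also applies the whitelist the update at the bottom of this post mentions as the remedy for false positives. The three zones and the listed answers are constructed sample data so the block runs offline; the real resolver is left in for live use.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Sample zones taken from the list above; a deployment would configure its own set.
RBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net"]

# Constructed, offline stand-in for DNS: only one lookup name "exists" here.
CONSTRUCTED_ANSWERS = {"4.2.0.192.zen.spamhaus.org": "127.0.0.2"}


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets in reverse order, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolve(name: str) -> Optional[str]:
    """Real resolver: an A record means 'listed', NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def offline_resolve(name: str) -> Optional[str]:
    """Resolver backed by the constructed table, for running this example offline."""
    return CONSTRUCTED_ANSWERS.get(name)


def check_registration_ip(ip: str, zones: Iterable[str] = RBL_ZONES,
                          whitelist: Iterable[str] = (),
                          resolve: Callable[[str], Optional[str]] = offline_resolve) -> list:
    """Return the zones that list `ip`; an empty list means the signup may proceed.
    Whitelisted addresses or networks skip the lookups entirely."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(entry, strict=False) for entry in whitelist):
        return []
    hits = []
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        # DNSBLs signal a listing with an answer inside 127.0.0.0/8; ignore anything else.
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            hits.append(zone)
    return hits


if __name__ == "__main__":
    print(check_registration_ip("192.0.2.4"))                                   # listed
    print(check_registration_ip("192.0.2.4", whitelist=["192.0.2.0/24"]))       # whitelisted
    print(check_registration_ip("198.51.100.7"))                                # clean
```

Pass `resolve=live_resolve` to query the real zones; the default uses the constructed table so the block runs without network access.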
Banning E-mail Addresses and IP Addresses
Although this one seems like a no-brainer to me, I should definitely mention it. Vbulletin comes with the ability to ban whole or partial email addresses and IP ranges. I have been cultivating my domain ban list for several years, and you’re welcome to snag it and use it for yourself. (My list is fairly aggressive, so it might not be appropriate for everyone – for example, I don’t allow .ru domains at all, since I know none of our members would have a .ru address.) You can gank my list here.
Apache’s mod_security
Another option to prevent post spam is to install Apache’s mod_security. Mod_security is an Apache module that provides intrusion detection and prevention for web applications. It aims at shielding web applications from known and unknown attacks, such as SQL injection attacks, cross-site scripting, path traversal attacks, etc – and has the added benefit of blocking spam posting as well.
Mod_security is basically a series of rules and regexes that Apache runs POST and GET data through. If it finds a match to potentially harmful or spammy information sent to the server via a POST or GET method, it will prevent the form submission from going through, throwing a 500 Internal Server Error message and logging the incident to a file.
Although I am a big fan of mod_security, it’s not going to be for everyone. If your forums are very active, it can really spike your server’s CPU load. Out of the box, it’s incredibly restrictive (which is good!), and blocks a lot of legitimate submissions as false positives. It takes a while to comb through the incident log and refine the rules so that there is a balance between security and legitimate user-submitted content. This is definitely not for the novice, or for someone who needs a quick fix, but it should be considered as an option. You can find the download here and a tutorial on setting it up here.
Still not perfect
So as we’ve seen, there are some steps you can take in vbulletin that will make a significant difference in the amount of registration spam you experience. These plugins and techniques are geared at intercepting and blocking spambots specifically – however, it should also be noted that sometimes the spammers actually *are* real people – and unless you’re willing to manually screen and approve every forum registration, there isn’t much you can do about those. Anything you could implement that would confuse them or prevent them from registering is the same thing that will prevent your legitimate users from registering.
*** Sept 8, 2008 Update ***
I’ve now been running this plugin for about two weeks, and the RBL New User Registration check has prevented over 200 spam registrations – registrations that would otherwise have made it through all of the aforementioned checks, since the RBL plugin collects the username, which means the registrant had to have gotten to and completed the registration form.
Over 200 spam registrations blocked, and approximately 10-15 total false positives (which could probably be remedied by removing a few of the more aggressive RBL servers from my list). I can firmly state that the 10-15 false positives, compared to the 60 spam registrations a day I was getting, falls into the win column. Whitelisting an IP takes just a few seconds, so it’s not a big deal.
The ultimate outcome – these plugins combined have, for now, allowed me to turn off manual registration approval completely – with ZERO spammers making it through the blockades. My users are happier, and I’m happier.