Update: 31-MAR-2012
Done!
I don't really think most of our legitimate users will want to make more than 1 post per minute. But if it gets in your way please let me know and I can set up an automatic bypass of the limit for accounts that have been active for more than a week. This will require a bit of time to set up though.
Thanks again to everyone for their support! Have fun.
Update: 30-MAR-2012
Hi everyone,
A quick update to this issue: I finally decided to pay a Drupal developer to write a quick custom module to limit posts per minute. I'm convinced that this will drastically slow down the spammers, the worst of which post anywhere from 5 to 20 posts per minute. With a 1 post/minute limit in place, they will create much less havoc, and if we all remain vigilant to mark spam posts, they will be blocked in short order.
I now just need to resolve the issue where the spam post gets unpublished but the post remains on top of the lists. I think I might have a workaround.
Thanks to everyone for their patience!
Have fun.
Hi guys,
As you know we are still experiencing some problems with spammers. The new system that we have in place is definitely working as intended and it is preventing the spam problem from being much worse here. But we do have some determined spammers that hit the site harder and create more of a mess before they get blocked.
Sorry I haven't yet replied to the threads and complaints by worried users about spam on BLF. During the past week I have yet again been heavily researching the available options for spam control on Drupal and thinking about their viability on BLF. Here are my conclusions:
- Automated 3rd party anti-spam services like Mollom or Akismet are absolutely out of the question. I use Mollom on another website that I maintain, and I am very disappointed in its performance, mainly because of the false positives. Another site that I frequently visit uses Akismet, and virtually all of their users despise it because it blocks their legitimate comments. And the rate of false positives would be even higher here on BLF since our legitimate users post so many links. These services are expensive and overrated and they annoy legitimate users even more than the spammers.
- CAPTCHAs are a good first line of defense, but they can't be relied on as the primary method and they must be used sparingly to avoid penalizing legitimate users. Most spam attacks are a combination of humans and robots. So a human solves the CAPTCHA and creates the user account, and then sets the robot to post from then on. Obviously we could prevent that by putting a CAPTCHA on every single page for all users before all posts, but that would be unfair to all of our legitimate users. Even if we were to do this only to users that have not yet proven their reputation, it would still be unfair to penalize new users, most of whom are legitimate.
- IP blocking is utterly worthless. Spammers use proxies, so they simply switch to a different proxy and avoid the ban.
- Adding more moderators isn't a solution. We can't expect them to be awake or not travel on vacation. The spammers are bound to come when the moderators are off guard. As it is, all of our users around the world are moderators, so they're much more likely to be able to collectively stop a spam attack.
In view of all this, I want to keep using the same basic system that we have in place. It is working very well, but with one exception: When the spammers set a robot on the site, it goes through all the existing threads and posts the spam comment in different nodes (threads) at the rate of almost 20 per minute. If it were to post in just one node (thread), then an existing mechanism would kick in to prevent repeated posts. But unfortunately after extensive research and testing, I've found that there is no currently available functionality in Drupal to limit the rate of posts by any given user across the entire site. I'm actually really surprised that this functionality doesn't exist; it seems like such a fundamental necessity for reducing spam. If we could simply limit the number of posts by any given user to, let's say, 2 per minute, then spammers would manage a maximum of 5 or 6 posts and then get blocked.
So here's my request: Do we have any users here who are skilled MySQL / PHP programmers, or better yet with experience in Drupal? I have a basic understanding of the principles of databases and programming, but I'm a terrible coder and I need some help to create a custom module for BLF. The module would simply be a few lines of code that would query the database every time a user tries to post and get the last time he posted a new comment or new thread, and make the form POST fail if his last post was less than 30 seconds ago. I have some example modules that I can show you as a basic skeleton for creating this module, and I have some basic instructions from a Drupal expert for the SQL query.
Additionally, as a side request, I need a workaround to the current function that un-publishes posts that have been marked as SPAM. For some reason, the module that un-publishes posts that have been marked too many times as spam apparently uses a non-standard, non-Drupal hack to mark the post in the DB as un-published, which is why the "Recent Posts" list still shows those threads on the top even when the post is un-published. Again, this is just a one-liner that I can simply replace in the admin interface where I have the un-publish rules defined.
Any takers? Thanks very much in advance for your patience and willingness to help!
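
The site-wide, per-user check requested above, sketched as an added example (not code from the original post and not a Drupal module): it looks up the user's most recent post of any kind in any thread and rejects a new one made less than 30 seconds later, with the bypass for older accounts mentioned in the 31-MAR update. The `users` and `posts` tables, the function names and the use of SQLite are assumptions for illustration; "active for more than a week" is modelled here as account age.

```python
import sqlite3

MIN_INTERVAL = 30        # seconds between posts, as proposed in the post
TRUSTED_AGE = 7 * 86400  # assumption: accounts older than a week bypass the limit

def make_db():
    # Hypothetical schema; a real Drupal site stores nodes and comments differently.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, created INTEGER NOT NULL);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL,
            thread_id INTEGER NOT NULL, kind TEXT NOT NULL, created INTEGER NOT NULL);
        CREATE INDEX posts_uid_created ON posts (uid, created);
    """)
    return db

def try_post(db, uid, thread_id, kind, now):
    """Store the post and return (True, 0), or reject it: (False, seconds_to_wait)."""
    # Check and insert share one write transaction, so two simultaneous
    # requests from the same account cannot both pass the check.
    db.execute("BEGIN IMMEDIATE")
    try:
        user = db.execute("SELECT created FROM users WHERE uid = ?", (uid,)).fetchone()
        if user is None:
            raise ValueError("unknown user")
        result = (True, 0)
        if now - user[0] <= TRUSTED_AGE:
            # Latest post by this user across ALL threads, new threads and comments alike.
            last = db.execute("SELECT MAX(created) FROM posts WHERE uid = ?",
                              (uid,)).fetchone()[0]
            if last is not None and now - last < MIN_INTERVAL:
                result = (False, MIN_INTERVAL - (now - last))
        if result[0]:
            db.execute("INSERT INTO posts (uid, thread_id, kind, created) "
                       "VALUES (?, ?, ?, ?)", (uid, thread_id, kind, now))
        db.execute("COMMIT")
        return result
    except Exception:
        db.execute("ROLLBACK")
        raise

def simulate_burst(db, uid, start):
    """Constructed input: one comment every 3 s in 20 different threads (~20/minute)."""
    return sum(try_post(db, uid, thread, "comment", start + 3 * thread)[0]
               for thread in range(20))

if __name__ == "__main__":
    db = make_db()
    db.execute("INSERT INTO users VALUES (1, ?)", (1_000_000 - 3600,))  # new account
    print("accepted out of 20:", simulate_burst(db, 1, 1_000_000))
```

Because the lookup filters only on the user and not on the thread, moving from thread to thread does not reset the timer, which is the gap the post describes in the existing per-node mechanism.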