I've spent a while today reading the threads here on spam handling over the last couple of months. Thank you for having so much in one place, it's helped get my mind straight.
Capchas and email verification are fine for rejecting spambots. A lot of people are still reacting to spambots so it's as well to have those tools available.
Spamborgs aren't stopped by Capchas and email verification. I don't care whether they're inconvenienced, my sole need is to stop them. The only thing that'll stop them is a mature blacklist fed by honeytraps, just the way email spam was handled at that stage in its development (with user reports taking the place of the honeytraps - I think we can automate rather better now).
In the absence of a mature blacklist module I'm going to put new users on moderation and only take them off after I've been presented with a sensible post in a meaningful context. I'm not prepared to expose my users to spam and that's the cost to the newbies. I can recognize a spam account from the way it's named and configured and the email address it uses and the IP origin but I'm not prepared to put that many hours into fighting them, I need to batch filter new users onto my site and moderating new users will do that.
Here's the internal memo I just sent about the problem:
Capchas and email verification are fine for rejecting spambots. A lot of people are still reacting to spambots so it's as well to have those tools available.
Spamborgs aren't stopped by Capchas and email verification. I don't care whether they're inconvenienced, my sole need is to stop them. The only thing that'll stop them is a mature blacklist fed by honeytraps, just the way email spam was handled at that stage in its development (with user reports taking the place of the honeytraps - I think we can automate rather better now).
In the absence of a mature blacklist module I'm going to put new users on moderation and only take them off after I've been presented with a sensible post in a meaningful context. I'm not prepared to expose my users to spam and that's the cost to the newbies. I can recognize a spam account from the way it's named and configured and the email address it uses and the IP origin but I'm not prepared to put that many hours into fighting them, I need to batch filter new users onto my site and moderating new users will do that.
Here's the internal memo I just sent about the problem:
There's no adequate module for vBulletin yet.
I might look at the code and decide whether there's a sensible single place to put a two-line patch to query the honeypot.org database. If you want to leave the release level as it is until the new year I'll do it with what's there. If it's in your mind to get current then I'll leave it a while. Have you a preference? I may well not be able to put a patch in place anyway. At the point where I have the new user email registration returned, before switching it off "waiting for confirmation", I can http a query for the confirmation IP address and the registration IP address and if either of them give a positive I can change the new status to banned instead. Maybe that's five lines. To whatever extent the honeypot database is accurate it provides a solution. I'd definitely dry-run all the existing hand-banned accounts against it first to see that they and I agree.
I might look at the code and decide whether there's a sensible single place to put a two-line patch to query the honeypot.org database. If you want to leave the release level as it is until the new year I'll do it with what's there. If it's in your mind to get current then I'll leave it a while. Have you a preference? I may well not be able to put a patch in place anyway. At the point where I have the new user email registration returned, before switching it off "waiting for confirmation", I can http a query for the confirmation IP address and the registration IP address and if either of them give a positive I can change the new status to banned instead. Maybe that's five lines. To whatever extent the honeypot database is accurate it provides a solution. I'd definitely dry-run all the existing hand-banned accounts against it first to see that they and I agree.
Comment