Spammer Attacks the Forum

You may have found a rash of spam in your inbox this morning, or run into it on the forums if you spent any time earlier today having a look. We had a spammer send dozens of replies to dozens of threads last night with your typical “rolex watch” or equivalent spam that floats around on the web.

We have tried to keep a balance on the site by requiring both captcha and email verification on new accounts before a user can post anything. This has worked reasonably well since it keeps automated spamming scripts from creating accounts and spamming the forums like we had several years ago.

However … once someone does create an account they are free to spam. We get a regular flow of such spam, though it has been at a low enough level that it has gone mostly unnoticed, and we have several senior community members who regularly detect such spam and remove the messages as well as disable the accounts. Last night’s spam unfortunately resulted in thousands of posts, and removing them was a lot more involved. If you subscribe to any given thread, then you will get email when someone responds to that thread, which unfortunately includes such spam.

There are stronger options to try and further curtail spam, though it’s always a tradeoff between the fight against spam and the disruption to you, the user. We could require new accounts to be moderated, but that means a new member who ‘desperately’ needs help is at the whim of someone enabling the new account. Even more extensive is to require moderation of posts. Neither of these is attractive to us.

For the short term we have changed the forums so that most users will be required to enter a captcha when responding to a post. Personally, I hate captchas, mostly because they are getting so hard to read that I can’t get them right half the time. I’m hoping that ours are not quite so bad. I’d like to hear from you how this is working out. If it ends up being just a little bit of a hassle it may be well worth keeping. If it is really problematic then I would like to leave it up for a short time just to try and ward off another follow-up attack. (However … now that we have the tools in place, the next one won’t be nearly as bad to delete, though you will still get spammed if you subscribe to a thread.)

If you happen to be a user type other than “tadpole” (which is our default authenticated user) then you should not be asked for a Captcha. That leads to another option, which is that we create a new user type that we can move people up to on request that does not require the Captcha. (Today we do have “Contributor”, “Developer” and “Leap Frog”, which correspond to various users who have requested greater access to be able to edit more parts of the site and be generally more helpful.)

For now, thanks for your understanding, and please do respond to this post if you feel that the Captcha is a real pain, or otherwise if you feel that it is not a big deal and not too hard to read, in which case we can choose to live with it.

Philippe – on behalf of the FreePBX Team