Joomla! Forum - community, help and support

I love this forum. I love the questions that are asked; I learn much from the questions, comments, opinions, thoughts that people have about Joomla. This forum provides me both with information as well as with a source of entertainment ... regardless of whether I agree or disagree with other people's views.

Like most people, I don't like junk: I don't like advertising, discussions that veer so widely off-topic that we forget why we're here, nuisances ... spam.

Every day we see a dozen or more spam posts here. I'm not talking about other people's forums: I'm talking about this one.

The forum moderators here do a fine job. They're not thanked for what they do (and I think that's disappointing that they're not thanked) but it's a full-time job. The forum moderators who are active on the forum (i.e. they're here every day) are mostly located in Europe (or within a few hours' travel from Europe) and, obviously, they can't monitor every discussion (in every language) that appears on the forum. They rely on us forum users to advise them when we see something that is amiss. They rely on us reporting forum abuse. They react after-the-event. The forum abuse has to occur before they can act.

Where does the spam come from? Almost all of the spam originates from fake user accounts created by 'bots. After these fake accounts are registered, human actors use those accounts—sometimes immediately, sometimes days or weeks afterwards—to post their garbage. Some forum junk is posted automatically by non-human actors (i.e. spam 'bots) specifically designed to advertise products, services or scams.

As evidence of this, since the forum was created on 12-Aug-2005, there are now 733,939 forum accounts. That is, after 5,128 days since the forum was created, on average over 140 accounts are created every day (or, roughly, 10 accounts per minute) in that time.

Less than one forum account in every ten is actually used to post a message on the forum. That is, 90% of all forum accounts never visibly interact with the forum or they're used to post junk.

What prevents fake account registration? There isn't a high bar to cross to create a forum account: you just need an email account, fill in a couple of text boxes, click the CAPTCHA and you're done. The forum rules state that email addresses used with account registration must be legitimate (i.e. disposable addresses are not allowed) but there's not mechanism to verify that an email address exists or that it's not one of those "disposable" ones.

CAPTCHA does not prevent registration 'bots. If it did prevent non-human means of account registration then we would not see 10 account registrations/minute.

IP blocking doesn't work, either. This is because many automated registration agents use fast-flux DNS networks.

"Stop forum spam"/heuristic algorithms don't work either because, in the time it takes for honeypot farms to identify one source, hundreds of other sources are created. It's a losing battle trying to keep pace with the wave of spam sources.

Is it a problem for this forum? It depends on which side of the fence you live. I can't speak for the forum management team; it may not be a problem for team members. I can only speak for myself. I think it's a problem, even if other people may disagree with me. I'm simply providing my feedback about this forum and one of the problems that I see with it.

How does this forum deal with spam? At the moment, there is only one mechanism for "taking out the garbage". The garbage needs to be brought to the attention of forum moderators (by using the "Report this post" feature) and, when they next visit the forum, they physically take action. There is not a 100% consistent approach to dealing with spam: most forum moderators delete the spam posts and block the forum account used to create it ; some forum moderators do not block the offending forum account ; some forum moderators do neither (especially in the international/foreign-language forums that are not regularly patrolled) .

Can the problem be resolved? Well, it largely depends on whether the forum management team agrees that there's a problem in the first place. It may also depend on whether there are other mechanisms in the forum software (phpBB) that can overcome the high success rate of registration 'bots that bypass CAPTCHA and use disposable email addresses, etc. It also depends on a will to do something about it. These are questions that I cannot answer.

Another facet of the problem resolution lies in having enough forum moderators so that the forum can be monitored continuously, instead of monitoring the forum only 60-70% of the time.

Summary

I would like to know if the forum management team have any plans to address the issues I have raised.

I agree with sozzled on this. We need more moderators now. I also believe a method (icon / flag) to show a post has been reported would be useful, it would show the spammer they have been sussed and would save the rest of us from trawling through worthless posts.

sozzled wrote: ↑

Mon Aug 26, 2019 11:08 pm

(or, roughly, 10 accounts per minute)

1 account per 10 minutes, to be correct.

@Physicist: Yeah, I was good with mathematics (when I was at university) but I've always been unreliable with arithmetic! You're right: one new account is created every ten minutes. Thanks

Thank you, @gws. What a great idea! Visibly flag a post (so that the rest of us can see when it has been reported)! Admittedly, I report more than a dozen posts every day but most of them are not for spam. Most of them are requests to the forum moderators to move a topic from one forum category to a more appropriate one.

(Today was an unusual day; there was a flood of forum spam. I reported about thirty posts.)

I don't know whether it's feasible to implement a "reported" flag in this forum but I think it's a good idea.

What about integration with a 3rdparty spam-filtering system? There is one added to joomlaforum.ru (Russian Joomla community forum) several days ago, and there are no spam messages since that time (previously there were 10-30 per a day).

To illustrate my point about number of fake user accounts on this forum that are not intercepted by the registration procedure, see the following screenshot: You will see that the second one in the above list has not (yet) posted anything on the forum (and therefore has not been banned).

Reported posts are marked with a red exclamation sign. Maybe they are only visible to moderators.

Yes they are not visible to users.

I confirm they are not visible by us and sometimes when I report a post with spam it is already reported but We can't see it until we want to report

There have been thirty-six new accounts created today (and the day is not yet over):

• Five accounts have been banned; three more accounts have been reported for various forum abuse. This represents 22% of today's new accounts (or just over one in five) have posted forum graffiti.
• Six accounts (or 16.7%, or one-sixth) of today's new accounts have posted forum messages that are probably not rubbish.
• The remaining twenty-two new accounts (61.1% or nearly two-thirds) have not posted anything.

One wonders why so many people register every day and post nothing? I believe that the reason is because this forum is an open invitation for forum scammers to dump their junk here and cause the forum moderators and the members of this community unnecessary work.

That's why I think we have a problem. Still waiting to hear from the forum moderation team about whether this topic is being given any consideration.

UPDATE: Within two minutes of posting this topic, there was another new account registration for the purposes of advertising ... digital water meters!!! Oh, good grief. I'm not going to re-calculate the percentages.

I got an idea. We could deny users from registering in the forum unless they click a confirmation link in the back-end of their Joomla web site. That way only users with a Joomla web site will be able to register.

Yes, it is a good idea. Will it work for those working on localhost ?

Per Yngve Berg wrote: ↑

Fri Aug 30, 2019 6:34 pm

I got an idea. We could deny users from registering in the forum unless they click a confirmation link in the back-end of their Joomla web site. That way only users with a Joomla web site will be able to register.

Thank you, Per, for your idea. What about people who are having problems installing J! in the first place? What about people who want to ask questions about Joomla activities (e.g. Joomla events, the magazine), seeking professional services, etc.? These people may not have a "backlink" URL to submit.

Further, I agree with @bruno28

bruno28 wrote: ↑

Fri Aug 30, 2019 6:54 pm

Will it work for those [using] localhost?

If the website is isolated behind a firewall (e.g. intranet) or doesn't exist on the internet then there's no URL. Also, some people may not want to disclose the URL of their website for any number of reasons. This therefore discriminates against a range of forum users.

Money—that is, paying for the right to use the forum—doesn't discriminate (except against those people who are unwilling to part with it).

I just want to say thank you to the awesome forum moderators and global forum moderators. It's always easy to make suggestions - its much harder to actually do it

Thanks, @brian. I wouldn't go as far as saying the forum moderators are awesome.

brian wrote: ↑

Sat Aug 31, 2019 10:53 am

It's always easy to make suggestions - its much harder to actually do it.

Actually, that hasn't been my experience. It's actually pretty difficult to make suggestions—taken credibly—that make a difference. C'est la vie. I'm not making any suggestions at the moment; I'm just providing feedback.

> Thanks, @brian. I wouldn't go as far as saying the forum moderators are awesome.

Thats why your "feedback" might get less of a response than that of others. Plus your repeated demanding that people do things to your timescale doesnt go down well.

I have absolutely no idea what prompted your response, Brian.

My feedback is just that: feedback. No inverted commas around the word; nothing untoward in what I wrote (or what I intended to write). It was just honest, politely written, feedback with a request for some answers. That's all. I don't believe I made any demands. If I've repeated anything, it's only to raise the level of awareness about this issue.

I made a promise to myself last week to make a genuine effort to say "Thank you" to people who ask questions or reply to what I post on the forum. In keeping with that promise, thank you, Brian, for taking the time to comment, even though I don't quite fathom the depth of what you mean.

sozzled wrote: ↑

Mon Aug 26, 2019 11:08 pm

There is not a 100% consistent approach to dealing with spam: most forum moderators delete the spam posts and block the forum account used to create it ; some forum moderators do not block the offending forum account ; some forum moderators do neither (especially in the international/foreign-language forums that are not regularly patrolled) .

I understand that banning spam/fake accounts is a three-stage process. The first stage is to delete the offending forum posts; the second stage involves removing the offending account's ability to login to the forum; the third stage involves changing a forum user's rank to "I have been banned".

It seems that these three parts to banning users are not automatic; that is, it takes forum moderators more than a single mouse-click to perform the action (and sometimes some of the steps are omitted). Therefore, I have understated my estimate of the amount of fake user registrations and the spam they generate. The number of fake accounts is at least 25% of all new forum accounts but it's probably higher than that.

Would an email confirmation help? I don't remember doing one.

Thank you, @bobinski, for your question. It's been several years since I created the one and only account that I use here and I can't remember everything. I think that, for human users, there is a requirement to read an email and submit a "token" to activate the account.

However ...

... there are also black-hat techniques that bypass the account creation/activation safety features. As mentioned earlier in this topic, the forum rules state

When registering, a valid email address has to be used. Disposable email addresses are not permitted. If found, we will remove the account in question.

The problem is that email addresses are not verified at the time someone completes the new account form; verification occurs after that event. What we're seeing are new accounts being created en masse by automated processes and they lie there, dormant, awaiting activation later.

This helps to explain why two-thirds of all new accounts never post anything on the forum. These accounts are created, yes, but they're currently inactive.

Would it help if the newly registered user had to make a post within 1 hour of registering? I cant think of any reason for a legitimate user not to post a question very soon after they register,the automated bots will not post so after 1 hour their registration is just cancelled.

That's a good idea (I'll put that one down in my notebook for future reference). Thanks.

Still doesn't address the real issue here:

sozzled wrote: ↑

Mon Aug 26, 2019 11:08 pm

Is it a problem for this forum? It depends on which side of the fence you live. I can't speak for the forum management team; it may not be a problem for team members. I can only speak for myself. I think it's a problem, even if other people may disagree with me. I'm simply providing my feedback about this forum and one of the problems that I see with it.

...

Summary

I would like to know if the forum management team have any plans to address [any of] the issues [we] have raised.

I'm not trying to resurrect this topic to seek commentary from others. After spending a few years reporting as much spam as I can find (as I know other like-minded members of the community also do) and posting my views about spam at this forum on this forum, I've given these things up as a lost cause. So, just for the record, I will not write anything more on this forum about spam.

Because no-one from the forum management team has responded to this topic (or deliberately ignored it to hope that the matter disappears), I must conclude that the team doesn't see this as a problem. That's where I shall let things be. I'm not unhappy or disappointed; I'm just accepting the reality of the situation.

I have stopped reporting spam posts to the moderators.