It's too easy to spam this forum
Posted: Mon Aug 26, 2019 11:08 pm
I love this forum. I love the questions that are asked; I learn much from the questions, comments, opinions, thoughts that people have about Joomla. This forum provides me both with information as well as with a source of entertainment ... regardless of whether I agree or disagree with other people's views.
Like most people, I don't like junk: I don't like advertising, discussions that veer so widely off-topic that we forget why we're here, nuisances ... spam.
Every day we see a dozen or more spam posts here. I'm not talking about other people's forums: I'm talking about this one.
The forum moderators here do a fine job. They're not thanked for what they do (and I think that's disappointing that they're not thanked) but it's a full-time job. The forum moderators who are active on the forum (i.e. they're here every day) are mostly located in Europe (or within a few hours' travel from Europe) and, obviously, they can't monitor every discussion (in every language) that appears on the forum. They rely on us forum users to advise them when we see something that is amiss. They rely on us reporting forum abuse. They react after-the-event. The forum abuse has to occur before they can act.
Where does the spam come from? Almost all of the spam originates from fake user accounts created by 'bots. After these fake accounts are registered, human actors use those accounts—sometimes immediately, sometimes days or weeks afterwards—to post their garbage. Some forum junk is posted automatically by non-human actors (i.e. spam 'bots) specifically designed to advertise products, services or scams.
As evidence of this, since the forum was created on 12-Aug-2005, there are now 733,939 forum accounts. That is, after 5,128 days since the forum was created, on average over 140 accounts are created every day (or, roughly, 10 accounts per minute) in that time.
Less than one forum account in every ten is actually used to post a message on the forum. That is, 90% of all forum accounts never visibly interact with the forum or they're used to post junk.
What prevents fake account registration? There isn't a high bar to cross to create a forum account: you just need an email account, fill in a couple of text boxes, click the CAPTCHA and you're done. The forum rules state that email addresses used with account registration must be legitimate (i.e. disposable addresses are not allowed) but there's not mechanism to verify that an email address exists or that it's not one of those "disposable" ones.
CAPTCHA does not prevent registration 'bots. If it did prevent non-human means of account registration then we would not see 10 account registrations/minute.
IP blocking doesn't work, either. This is because many automated registration agents use fast-flux DNS networks.
"Stop forum spam"/heuristic algorithms don't work either because, in the time it takes for honeypot farms to identify one source, hundreds of other sources are created. It's a losing battle trying to keep pace with the wave of spam sources.
Is it a problem for this forum? It depends on which side of the fence you live. I can't speak for the forum management team; it may not be a problem for team members. I can only speak for myself. I think it's a problem, even if other people may disagree with me. I'm simply providing my feedback about this forum and one of the problems that I see with it.
How does this forum deal with spam? At the moment, there is only one mechanism for "taking out the garbage". The garbage needs to be brought to the attention of forum moderators (by using the "Report this post" feature) and, when they next visit the forum, they physically take action. There is not a 100% consistent approach to dealing with spam: most forum moderators delete the spam posts and block the forum account used to create it
; some forum moderators do not block the offending forum account
; some forum moderators do neither (especially in the international/foreign-language forums that are not regularly patrolled)
.
Can the problem be resolved? Well, it largely depends on whether the forum management team agrees that there's a problem in the first place. It may also depend on whether there are other mechanisms in the forum software (phpBB) that can overcome the high success rate of registration 'bots that bypass CAPTCHA and use disposable email addresses, etc. It also depends on a will to do something about it. These are questions that I cannot answer.
Another facet of the problem resolution lies in having enough forum moderators so that the forum can be monitored continuously, instead of monitoring the forum only 60-70% of the time.
Summary
I would like to know if the forum management team have any plans to address the issues I have raised.
Like most people, I don't like junk: I don't like advertising, discussions that veer so widely off-topic that we forget why we're here, nuisances ... spam.
Every day we see a dozen or more spam posts here. I'm not talking about other people's forums: I'm talking about this one.
The forum moderators here do a fine job. They're not thanked for what they do (and I think that's disappointing that they're not thanked) but it's a full-time job. The forum moderators who are active on the forum (i.e. they're here every day) are mostly located in Europe (or within a few hours' travel from Europe) and, obviously, they can't monitor every discussion (in every language) that appears on the forum. They rely on us forum users to advise them when we see something that is amiss. They rely on us reporting forum abuse. They react after-the-event. The forum abuse has to occur before they can act.
Where does the spam come from? Almost all of the spam originates from fake user accounts created by 'bots. After these fake accounts are registered, human actors use those accounts—sometimes immediately, sometimes days or weeks afterwards—to post their garbage. Some forum junk is posted automatically by non-human actors (i.e. spam 'bots) specifically designed to advertise products, services or scams.
As evidence of this, since the forum was created on 12-Aug-2005, there are now 733,939 forum accounts. That is, after 5,128 days since the forum was created, on average over 140 accounts are created every day (or, roughly, 10 accounts per minute) in that time.
Less than one forum account in every ten is actually used to post a message on the forum. That is, 90% of all forum accounts never visibly interact with the forum or they're used to post junk.
What prevents fake account registration? There isn't a high bar to cross to create a forum account: you just need an email account, fill in a couple of text boxes, click the CAPTCHA and you're done. The forum rules state that email addresses used with account registration must be legitimate (i.e. disposable addresses are not allowed) but there's not mechanism to verify that an email address exists or that it's not one of those "disposable" ones.
CAPTCHA does not prevent registration 'bots. If it did prevent non-human means of account registration then we would not see 10 account registrations/minute.
IP blocking doesn't work, either. This is because many automated registration agents use fast-flux DNS networks.
"Stop forum spam"/heuristic algorithms don't work either because, in the time it takes for honeypot farms to identify one source, hundreds of other sources are created. It's a losing battle trying to keep pace with the wave of spam sources.
Is it a problem for this forum? It depends on which side of the fence you live. I can't speak for the forum management team; it may not be a problem for team members. I can only speak for myself. I think it's a problem, even if other people may disagree with me. I'm simply providing my feedback about this forum and one of the problems that I see with it.
How does this forum deal with spam? At the moment, there is only one mechanism for "taking out the garbage". The garbage needs to be brought to the attention of forum moderators (by using the "Report this post" feature) and, when they next visit the forum, they physically take action. There is not a 100% consistent approach to dealing with spam: most forum moderators delete the spam posts and block the forum account used to create it



Can the problem be resolved? Well, it largely depends on whether the forum management team agrees that there's a problem in the first place. It may also depend on whether there are other mechanisms in the forum software (phpBB) that can overcome the high success rate of registration 'bots that bypass CAPTCHA and use disposable email addresses, etc. It also depends on a will to do something about it. These are questions that I cannot answer.
Another facet of the problem resolution lies in having enough forum moderators so that the forum can be monitored continuously, instead of monitoring the forum only 60-70% of the time.
Summary
I would like to know if the forum management team have any plans to address the issues I have raised.