Store
Community Documentation

v3 Knowledgebase

Spam Prevention


Contents




Introduction


In this article I wanted to share several ways on how to slow down SPAM on your community. Note I mentioned "slow down" as there is no cure for spam or lines of code that can fully prevent or halt spammers from reaching your community. Major social networking communities backed with tremendous amounts of funding like Facebook, Twitter etc... deal with the same sort of spam you deal with but on a much larger scale. Many clients come in asking for a bug fix to deal with spam. Unfortunately there is no such thing. What we can do is learn and work on ways to slow down spammers. Since spamming evolves the only way we can slow it down is to learn from it. The suggestions I bring forth in this article are some personal ways I guide clients to deal with spam and some great ideas that came from our community. This article will continually be updated with new ways to slow down spam on your community.


How is it done?


There are many methods of spamming. Some automated and some not. I am not sharing this information as a tutorial on how to spam sites as this can easily be found by doing a google search. This is intended for Admins to get an idea of how spam can be created, which will hopefully help them slow spam on their site in the future. For those that already know PHP have probably already learned that default PHP functions provide help do such things.

I take an example of common spam on sites. Not only our sites by any site. This spamming method is using a bot powered by an automated script that can be placed on public or private web server. Sometimes it can be placed in countries, which have no laws against such activities; which makes it harder for us to track and if found do anything about it. Using functions that come with PHP like Curl and a few lines of code can create such a script. Curl can not only behave and work like a web browser (from the receiving severs perspective) it can also send information to sites spoofing what web browser is being used. With such methods it is very difficult to distinguish a bot from a human user.

Let's take for example the registration form we provide. Using Curl we can view this registration page just like a user would via a web browser and the script can gather information and then automatically fill out the fields. It can also submit the form and create a new user without anyone having to actually be sitting down and filling out the form. I feel this information is important to pass along to webmasters. Many of you may already know this but its important to reiterate to make sure everyone is aware of this.

Now that we have an idea of how a bot can register on your community the same routine can then be used to login and add content to your site. Even upload content like images. Doing all this via a script on a web server where the creator of the script is no where close to be found and in many cases not even in the same country.


How did they find you?


The most common method to find anything is obviously a search engine. Many search engines today have APIs that allow anyone to use it. You don't even need an API in many cases as a simple Google search can find anything on the Internet. The common way spammers find a phpFox site or actually any mass produced product is by the default phrases it provides. Even if you were to edit your sites title and meta tags to be unique to your website in the end we are still using phrases that are part of the default language package provided by a mass produced product. Take for example our support suite here. This product was developed by a 3rd party company (Kayako) and we may have changed the template to snuggle into our default theme, however the phrases we use are still that of what Kayako provides with their default product. Using the index page as an example I use the following phrase:


Register a new account to submit new tickets or manage subscriptions.


I do a search on Google using quotes like:


"Register a new account to submit new tickets or manage subscriptions."


and I get back over 30,000 (note using default Google engine). We potentially found 30,000 sites to spam and we did it legally by a simple Google search. In this article we later discuss the importance of changing your sites phrases to make it harder on spammers to find your site but to also give your site a unique edge over fellow competitors. Again I mention this not to guide spammers on how to spam, obviously they already know how it works; it is for all of us to understand that a spammer can visit any mass produced website and view their live demo and a few minutes later can find thousands of sites to spam.


Dealing with SPAM


Below you will find several methods to deal with spam on your community. With some cases I include its strengths and its weakness.


Moderating New Users


The feature to moderate new users that register for your site has been released with phpFox v2.0.5dev1 or higher. If you have this feature you can enable it by logging into your AdminCP and going to:


Settings >> System Settings >> Manage Settings >> User


Next, look for the setting:


Approve Users


Set it to:


True


With this feature enabled every user that registers on your community will first have to be approved by you or your staff.

Strength
If you are constantly being attacked by spammers it is usually an automated bot that is performing the attack. By enabling this feature this will halt that operation and in most cases the bot would stop as it would identify that it is not able to create new accounts, which can be later used to spam the site.

Weakness
It is time consuming to maintain and can also slow down the process of registration for real users. Once your site grows you will need staff members to help moderate.


Email Verification


This feature forces users to first verify their email before they can log into your site. Before going into this feature make sure if you are running phpFox version 2.0.5dev1 or lower you have this patch installed. To enable this feature log into your AdminCP and go to:


Settings >> System Settings >> Manage Settings >> User


Next, look for the setting:


Verify Email At Signup


Set it to:


True


Strength
Great defense against most spammers as it requires a real email address and many spam bots do not use one or do not have an automated method to check emails.

Weakness
An automated script can be created to register on a community and can also be used to check emails and get the verification link we send out.


Captcha


Captcha is a widely used system on the Internet. With this feature enabled it will ask users when they are registering to look at an image we provide that usually has 8 alphanumeric characters and enter them into an input box. This system was designed to distinguish a human from a bot. To enable this feature log into your AdminCP and go to:


Settings >> System Settings >> Manage Settings >> Registration


Next, look for the setting:


Captcha on Registration


Set it to:


True


Strength
Great defense against most spammers as most bots do not have an automated method to crack a captcha image.

Weakness
There is technology out there that can crack captcha images and can easily be found with a Google search. We also provide support for reCaptcha. We always advice clients to use reCaptcha for their sites. The main benefit about reCaptcha over our own captcha is that it is located on a separate server from your own. Because of this the routine and database they have is constantly updated and learning. There are known methods of beating reCaptcha but since its located on a separate server the routine they provide can constantly be updated. There is one major flaw with captcha against bots and that is if a bot cannot crack the captcha someone can still physically visit your site and fill out the form just like a normal user would. There are many out there who do this for a living and once they have registered on your site they can continue using the automated script they created to spam your site since they have successfully and legitimately created an account.

To enable reCaptcha on your community please read this article.


Banning IPs


Each user has a unique IP when they visit your community. Based on this information you can easily ban a specific user or even an entire country of users. To ban a specific guest/bot you can do this from your AdminCP by going to:


Tools >> Online >> Guest/Bots


In the table you will find the column


Banned


You will find either a green or a red dot. If you click this dot it controls if you have banned the IP or not. Red means they have not yet been banned, while green means they have successfully been banned.

Once you have started banning IPs from your AdminCP you can manage them by going to:


Tools >> Ban Filters >> IP Address


This page will list all the IPs you have banned and is also a place where you can manually ban new IPs.

Another method of banning IPs is via an ".htaccess" file. This method is handy if you plan on banning an entire IP block or even entire countries, which consist of many IP blocks. Some may not like this option while others are okay with it. There are common countries that are known for spamming. I need to mention however not everyone from that country is a spammer. You may see it across many sites that these specific countries are known to have a statistically high amount of spammers. So you need to ask your self if you plan on banning an entire country you will have a very good chance of slowing down your spam to as low as 5% but will that justify the banning of legitimate users from those countries as well. In the end it comes down to how you market your business and if your specific niche does not have nor do you want any sort of market share in that country. If that is the case then this is one of the most effective ways to slow down spam on your site. To find information on sites that give out instructions and lists of banning countries do a Google search for "ban country ip" (without quotes) and you will find several sites. Here is one example.

Strength
Because most automated scripts are situated in specific areas (servers) this can drastically drop your spam on your site.

Weakness
If a company that is working on spamming sites or even an individual they can still get around IP bans. There are hundred upon thousands of Internet proxies out there, which can be used to hide the origin of the executing script. If you were to ban a specific users IP they can do a Google search and find a free proxy located in the U.S. and visit your site just as if they visited it for the first time.


Removing URL and Email Spam


One of the most common methods of spam is posting something on your community that is in most cases not related to anything your community is about. In some cases spam can have messages that sound and look very legitimate. Since the object of this specific method of spamming is to provide a return URL to their site it is a common method of free advertising. If you want to stop this from happening we provide features to remove external links and emails being posted on your community. You can enable these features from your AdminCP by going to:


Settings >> System Settings >> Manage Settings >> Registration (V2)


Settings >> System Settings >> Manage Settings >> Spam (V3)


Look for the setting:


Disable All External URL's


set this to:


True


That feature will disable all external links. Now you may want to allow some sites and if you do look for the setting:


URL White List


Here we provide the ability for you to add sites you see fit to allow on your community. The same feature can be enabled for banning emails and can be done from the same page. Look for the setting:


Disable All External Emails


set this to:


True


Just like banning external URLs we provide a "whitelist" for emails as well. Setting can be found on the same page:


Email White List


Moderating Site Content


If there is one method that comes close to fully preventing spam on your community it is the method of moderating content before they are publicly visible to the community. Several sections we provide as for v2.0.4 already come with the feature where Admins can moderate content before they are publicly visible. Many of these features are based on user group settings. This allows you to for example control your "Registered Users" to first have their photos approved by Admins, while say you created a "VIP" user group and for them you allow to upload photos without any moderation. This creates a layer of site moderation and once a user has passed your tests you can bump them to a new user group (eg. VIP), which will allow them the freedom to add content to your site without the constant moderation of you are your Admins.

Below I will list all the available methods of content moderation. Note that some were added at a later time so you may need a specific version of phpFox installed.


Forum Threads


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Forum


Then look for the setting:


Approve threads before they are displayed publicly?


Set this to:


Yes


Forum Posts


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Forum


Then look for the setting:


Approve forum posts before they are displayed publicly?


Set this to:


Yes


Groups


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Group


Then look for the setting:


Approve groups before they are publicly displayed?


Set this to:


Yes


Bulletins


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Bulletin


Then look for the setting:


Bulletins must be approved before they are displayed publicly?


Set this to:


Yes


Comments


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Comment


Then look for the setting:


Approve comments before they are displayed publicly?


Set this to:


Yes


Events


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Event


Then look for the setting:


Events must be approved first before they are displayed publicly?


Set this to:


Yes


Marketplace Listings


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Marketplace


Then look for the setting:


Enable if listings should be approved first before they are displayed publicly.


Set this to:


Yes


Uploaded Songs


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Music


Then look for the setting:


Songs must be approved first?


Set this to:


Yes


Uploaded Photos


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Photo


Then look for the setting:


Set this to True if photos uploaded must be approved before they are visible to the public.


Set this to:


Yes


Polls


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Poll


Then look for the setting:


This setting tells if polls posted by members of this group will need to be moderated (approved) before being shown on the site


Set this to:


Yes


Quizzes


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Quiz


Then look for the setting:


Do quizzes from user group need to be moderated before being shown?


Set this to:


Yes


Videos


Log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Video


Then look for the setting:


Should videos added by this user group be approved before they are displayed publicly?


Set this to:


Yes


Blogs


If you have phpFox v2.0.5dev2 or higher log into your AdminCP and go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


Once you have reached the page to manage user group settings click on the module:


Blog


Then look for the setting:


Approve blogs before they are publicly displayed?


Set this to:


Yes


If you have phpFox v2.0.4 or lower the product is designed internally to have a system where blogs can be approved before they are displayed publicly. However, a setting hasn't been created yet for Admins to enable as this feature is actually tied into another feature. To enable this feature a free plug-in can be downloaded here.


Banning Emails


Many spammers use free email domains and at times even made up domains. If you see a trend of emails being used to spam your site you can ban the usage of that email upon registration direct from your AdminCP. Simply go to:


Tools >> Ban Filters >> Emails


Here is where you can ban a specific email or an entire domain. As an example if we wanted to ban everyone using hotmail we would ban the following:


*@hotmail.com


Friends Only


As of phpFox v2.0.4 there are several features which can be designed to be used in a "Friends Only" environment. Our goal is to have every feature over time have the option to run in a "Friends Only" environment. The idea behind a "Friends Only" environment is that if a spammer would register on your site and they would start off with no friends. Any content they add won't be seen by anyone since they have no friends. The only spam they can accomplish is befriending all the members on the site. It is then up to the members to decide if they should accept this user as a friend or not. If they do and they see they are spamming they can report the user and de-friend them so they don't get spammed any longer unless of course they join the free ads. With this environment it brings up a state of - if you cannot see the spam then it does not exist.

To complete a "Friends Only" environment with phpFox v2.0.4 or higher this requires several steps. Some are optional and up to you.


Viewing of Content


When a user adds an item to your site they can usually be browsed by other users from a public section specifically designed for that item. To make it where only friends of the one that added an item can view the item we first need to log into our AdminCP and go to:


Settings >> System Settings >> Manage Settings >> General


Look for the setting:


Item Location


Set it to:


profile


What this does is force items to be viewed on a users profile instead of a public environment.

Next, we need to make sure everyone who signs up has their privacy set to "Friends Only" when they first join your community. In order to do that go to:


 Settings >> System Settings >> Manage Settings >> Registration


Look for the setting:


User Default Privacy Setting on Registration


Set it to:


friends_only


This sets a users default privacy to "Friends Only" so only friends can view anything related to their profile. This unfortunately will not update users that have already registered before the time you edit this setting. You will have to notify your members to update their privacy settings from:


Settings >> Privacy Settings


Another issue with this specific setting is that users can change their privacy settings at anytime, however you should guide them its safest to keep it to "Friends Only" if you want to keep this system and still give them the freedom to choose.

This now covers the ability to view items.


Activity Feed


The activity feed by default shows activity from all your members. We need to set this to "Friends Only" and this can be done from your AdminCP by going to:


Settings >> System Settings >> Manage Settings >> Feed


Look for the setting:


Friends Only


Set it to:


True


Disable the "Whats New" Block (Optional)


The "Whats New" block that is found on your sites index page when you are both logged in or out is designed to display what is new from all your members and not just friends. Since we are trying to create a "Friends Only" environment you can remove this from the index page when a user is logged in from your AdminCP by going to:


CMS >> Blocks >> Manage Blocks


When you reach the page to manage blocks click on:


core.index-member


Look for the block:


core::new 


Click the green dot to disable it.


Bulletins


There is a bulletin block found on your sites index page when a user is logged in. To set this to only show bulletins from friends log into your AdminCP and go to:


Settings >> System Settings >> Manage Settings >> Bulletin


Look for the setting:


Bulletin Public


Set it to:


False


Mail


Users can contact one another by sending internal messages. To set it up so users can only message their friends log into your AdminCP. Unlike the recent changes we made which modified global settings this setting is controlled by a user group setting. In order to edit this setting go to:


Users >> User Group Manager >> Manage User Groups


As an example we are going to be using the "Registered User" user group. Click the drop down icon and then click on:


Manage User Settings


Next, click on:


Mail


Look for the setting:


This setting tells if the user can only send messages to people in his/her friends list. 


Set it to:


Yes


Browsing Content


At this point we have restricted most of what a user sees to what only their friends submit to the site. We also controlled how users can interact with one another and make sure only friends can message each other. Now we have to add some control on how users browse content. We may have setup that viewing an item on the site can only be viewed by friends, however browsing content is a different story. Certain sections can be closed off since it does not usually need public interaction.

As an example we are going to remove blogs from public access. To do this log into your AdminCP and go to:


CMS >> Menus >> Manage Menus


First, look for the grouping:


explore


Within that look for:


Blogs


Disable this menu by un-ticking the "Active" checkbox. Then hit the "Update" button at the bottom. What this does is remove the sub-menu from the "Explore" menu. Users will not be able to reach the public blog section and will only be able to browse blogs on their friends profiles.

The same could be done for the menus Photos, Polls, Videos, Quizzes as all of these can be accessed on a users profile and does not need public interaction on a "Friends Only" environment.

Note that all your users activity end up in the activity feed so your users will see when their friends add a new blog, photo etc...


Flood Control


Flood control is an effective method of slowing down spam on your community. Several features include flood control capabilities and below we include information on how to enable each of them. Each setting is controlled by a "User Group Setting" so before starting to edit each setting you need to go to:


Users >> User Group Manager >> Manage User Groups


Using the "Registered User" user group as an example click on the drop down icon and then click on the link:


Manage User Settings


We have now reached the page where we can edit "User Group Settings".


Comments


All comments being posted on your community has a flood control check. To enable this setting click on:


Comment


then look for the setting:


Define how many minutes this user group should wait before they can post a new comment. 


This controls how many minutes the user needs to wait before they can submit another comment.


Forum Posts/Threads


All forum posts and threads have a flood control check. To enable this setting click on:


Forum


There are 2 settings to look for:


Define how many minutes this user group should wait before they can post a new thread. 


and


Define how many minutes this user group should wait before they can post a new reply to a thread.


Polls


All polls added have a flood control check. To enable this setting click on:


Poll


Look for the setting:


How often can members of this user group post new polls (in minutes). 


Bulletin


All bulletins posted have a flood control check. To enable this setting click on:


Bulletin


Look for the setting:


Tells how often each member of this usergroup can post a bulletin. 


Blogs


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All blogs posted have a flood control check. To enable this setting click on:


Blog


Look for the setting:


How many minutes should a user wait before they can submit another blog? 


Photos


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All photos uploaded have a flood control check. To enable this setting click on:


Photo


Look for the setting:


How many minutes should a user wait before they can upload another batch of photos? 


Groups


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All groups created have a flood control check. To enable this setting click on:


Group


Look for the setting:


How many minutes should a user wait before they can create another group?


Videos


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All videos created have a flood control check. To enable this setting click on:


Video


Look for the setting:


How many minutes should a user wait before they can share/upload another video?


Quizzes


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All quizzes created have a flood control check. To enable this setting click on:


Quiz


Look for the setting:


How many minutes should a user wait before they can create another quiz?


Events


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All quizzes created have a flood control check. To enable this setting click on:


Event


Look for the setting:


How many minutes should a user wait before they can create another event? 


Marketplace


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

All marketplace listings created have a flood control check. To enable this setting click on:


Marketplace


Look for the setting:


How many minutes should a user wait before they can create another marketplace listing? 


Shoutbox


Unlike the last settings we edited the flood control setting for the shoutbox is not a User Group Setting and is instead a global setting that controls all user groups. To edit this setting go to:


Settings >> System Settings >> Manage Settings >> Shoutbox


Look for the setting:


Shoutbox Flood Limit (Seconds)


Default Title & Meta Tags


Once you start your community it is important to edit the default title and meta tags for your site. This can be done from your AdminCP. To edit your sites name and title go to:


Settings >> System Settings >> Manage Settings


There you will find crucial settings that need to be modified.

Next, go to:


Settings >> System Settings >> Search Engine Optimization


This groups all the meta tags as well as some other settings.


Change Default Phrases & Template


Spammers find and target sites they know run a specific product since they are familiar with the routine it provides or they have a script that is designed to spam said product. The importance to change your sites theme and phrases is not only to prevent spammers from finding your site but it is also to give your site a unique edge over fellow competitors. Even re-ordering your main menu will help. By changing your sites phrases this does not mean everything. Its key areas like the title of each block (eg. Recent Login, Whats New etc...).

You can manage your sites phrases and templates from your AdminCP.

Managing phrases can be done from:


Extensions >> Language >> Phrase Manager


Managing your sites templates can be done from:


Extensions >> Theme >> Manage Themes


For more information on how to edit your sites templates check out this article.


Promotion System


Notice: This feature requires phpFox v2.0.5dev2 or higher installed.

Earlier in this article we went over several ways to slow spam. If you plan on using site content moderation and flood controls you could also include the promotion system. The promotion system is used to automatically promote users to another user group usually to promote activity on your community, however it can also be used as a prevention layer for spam. What could be done is you could moderate all items being added and setup flood controls for the "Registered User" user group, which is the default user group for members signing up on your community. Since the promotion system uses activity points and counts how many days a user has been registered if a user is able to be around that long and attains the activity points you set without adding any spam (since you are monitoring all new items being added) the promotion system will automatically promote them to another user group (which you define). For this new user group you could disable all flood controls and content moderation since they have already "passed" your tests and would seem to be a valued member of your community. For more information on how to add a promotion check out this article.