By Tommy Sundstrom on
Today, Drupal forums are full of spam ads for cigarettes.
Maybe some inspiration for methods to fight spam can be collected from ExpressionEngine, which provides eight different methods. Of these I think Drupal only has CAPTCHAs and Membership.
- Blacklists
- CAPTCHAs
- Comment Time Interval
- Deny Duplicate Data
- Rank Denial
- Secure Form Mode
- Site Membership
- Trackback Pings Per Hour
In addition, some way to mass delete comments would be needed.
Comments
For now, I deleted the offending posts (6 forum topics about cigarettes) and blocked cigmania's user account.
Solution #9 is having enough site maintainers that can delete spam with a few clicks.
Solution #3 (comment time interval) is easy to implement with the new flood protection system in HEAD.
Drupal uses more than captcha and membership
Ways that come to mind that allow Drupal sites to fend off spam:
Drupal.org is wonderfully spam-free, we must be doing something right.
- Robert Douglass
-----
visit me at www.robshouse.net
Forced preview is no protection at all
I've always run with forced preview switched on. Doesn't help in the slightest.
And comment moderation does nothing to prevent DOS effects, and rapidly becomes unwieldy under heavy spambot onslaughts. It's useless for preventing comment spams.
Re: forced Preview
I agree, I've run with forced preview of comments from the get-go, and it does nothing. I still see anywhere from 200 (roughly the average) to (maximum ever) ~1000 pieces of comment spam in a day. The spam.module catches 99.9% of this stuff, but it still clutters the database until I can go in and remove it by hand. That I cannot mass-delete (or auto-delete) comments marked as spam through the admin interface is a terrible usability failing. IMHO I should not have to edit the database directly to efficiently mass-delete.
That's pretty heavy
I got 1000 spams twice; more commonly, it's four or five at a time, at intervals of one every half hour or so, increasing in frequency if I don't get in and flag them as spam.
More recently, I've been getting these extremely aggressive attacks I alluded to in my other replies. Today alone I've had three attacks of sufficient volume to DOS my website, once for about three hours. The attacks entail a hit rate on the "reply" page of about once every .75 seconds.
Here's the most troubling part: The bots do not require a link to the reply page; they appear to interpolate the link based on the URL of the node, so somehow obfuscating the "Reply" link won't work. Obfuscating the "Reply" page would have some effect, potentially, but it would still cause a heavy server load to continually return the "Access Denied" page.
Another very troubling thing: In the 16 hours or so that I was running Captcha, four comment spammers were able to post comments, regardless of the fact that Captcha was enabled. The highly aggressive attack resulted in no successful posts; these were from the older style, less aggressive attacks. This seems to indicate either that there is a known hole in the captcha or comment modules, or that the bots are incorporating captcha-defeating modules of their own.
I'm forced to conclude that captcha has basically been out-selected. It's history.
This is a veritable case-study in ecology. They're basically sowing the seeds for destruction of the very crop they harvest. Do these pissant Darwinians really understand that they are destroying the goose that lays the golden eggs?
Re: That's Pretty Heavy
I agree that changing the reply address would probably be futile. As for volume, it does fluctuate, but the overall trend has it increasing; today alone I've seen about 500 pieces total. This is by no means enough to DoS my site, nor should it be any Drupal site, I would think (unless hosted on a very small connection. Drupal in my experience is very resilient, especially with the rate limiting module enabled), but it is nevertheless extremely annoying.
Anyone else have any hard numbers on how hard they are being hit? What about drupal.org itself?
Captchas are currently ineffective for 2 reasons
Drupal's comment time interval control is arcane in the extreme to understand, and appears to have a very high overhead (i.e., it seems to do a database write for every denial), which means that it isn't any better against DOS effects than anything else. I don't know what "Secure Form Mode", "Rank denial" and "Deny Duplicate data" refer to (though the latter may be a reference to the spam module, which is generally nice but again, vulnerable to DOS effects). Trackbacks are currently non-viable on Drupal, period, and will remain so as long as they are fully automated, so anything to do with that is moot. And I don't see how Blacklists are relevant, since comment spammers in my experience just randomly spoof their domain.
The only workable solution I've found so far is to disable posting for anonymous users.
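As an added example (my own code, not from the thread or from Drupal), here is a minimal model of the "comment time interval" via flood protection idea raised earlier, written with the later objection in mind that a denial must not cost a database write: only accepted submissions are recorded, so a bot hitting the reply page every 0.75 seconds costs a read per attempt, not a write. The class and method names, the per-IP keying and the limit values are assumptions; it is a language-neutral sketch, not Drupal's flood API.

```python
"""Comment time interval check modelled as flood protection.

Added example, not Drupal code. Denied attempts are read-only; only
accepted events are stored, so a flood of denied submissions does not
grow storage or trigger a write per denial.
"""
from collections import defaultdict, deque
from typing import Deque, Dict


class FloodGuard:
    """Allow at most `limit` accepted events per `identifier` in `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        # identifier (assumed: client IP or user id) -> timestamps of accepted events
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, identifier: str, now: float) -> Deque[float]:
        # Drop timestamps that have aged out of the sliding window.
        events = self._events[identifier]
        while events and now - events[0] >= self.window:
            events.popleft()
        return events

    def is_allowed(self, identifier: str, now: float) -> bool:
        """Read-only check: a False answer writes nothing."""
        return len(self._prune(identifier, now)) < self.limit

    def register_event(self, identifier: str, now: float) -> None:
        """Record an accepted event; call only after is_allowed() returned True."""
        self._prune(identifier, now).append(now)

    def attempt_comment(self, identifier: str, now: float) -> bool:
        """What a comment-form handler would do: check first, record on success."""
        if not self.is_allowed(identifier, now):
            return False
        self.register_event(identifier, now)
        return True


def simulate(guard: FloodGuard, identifier: str, interval: float, count: int) -> int:
    """Constructed sample run: `count` submissions from one source, `interval`
    seconds apart, starting at t=0. Returns how many were accepted."""
    return sum(guard.attempt_comment(identifier, i * interval) for i in range(count))
```

With a limit of 3 comments per hour, a human posting every half hour is never blocked, while the 0.75-second bot from the thread gets three posts and is then refused without any further stored state.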