For the last few weeks I’ve seen an increase of spam in my Writefreely site. My instance has open registration and I would like to keep it like that, however, every week or so a couple of new accounts are created and start posting spam, which is then published in the reader page, the rss feed and gopher site.
With the latest Writefreely version I can just delete those accounts and all the spam is gone, but they keep coming again and again and I’ve to keep a close eye on it. So I was wondering how do you guys handle spam? do you have that problem at all?
Unfortunately I don’t have the time to delete so many spam accounts. I tried it once with an invitation link that I had published on my website, also there came tons of spammers on de blog.
Writefreely would have to do something in any case, so the public offer is impossible.
Indeed, I also think Writefreely should provide some kind of anti-spam system, otherwise spam makes it difficult to keep the open registration. This are some approaches I think we could try:
Adding a CAPTCHA: This would help with bot spam, however, using a third party service to handle spam is not something I’m fond of, I’d rather have something built-in to avoid dependencies.
Adding a honeypot: Adding a hidden field in the registration form that bots will auto-fill, then we avoid the registration if that field was filled. This could help with bot spam too, however, most of the spam in my site doesn’t seem to be bot drive, so I guess we would need something else.
Require account approval: Before users can post anything the account must be approved by an admin. This would help with both bot and manual spam. It would require some admin work though. An easy way of doing this would be to automatically ‘silence’ new accounts until they are reviewed.
Do not allow posting links for a period of time: New accounts are not allowed to post links for a period of time. Disallowing links in posts for new accounts would probably discourage spammers.
Charge a small fee to create new accounts: We already have the web monetization thing implemented in the latest Writefreely version, so maybe we could allow the registration only to those who paid a small fee? I guess this would also discourage spammers or at least bring in some income to pay for the admin work of the site.
Of all this options I think 2 and 3 shouldn’t be hard to implement and could do a decent job preventing spam. Maybe I could try to modify the code and test it in my site, see how it goes. Anyway, what do you think? do we have more options a part from the ones I listed?
I agree, we should ultimately build something into the platform to fight spam. Unfortunately, it’s always going to be an issue with open platforms like this.
And I think the solutions you mention would be some good ones. We’ve also tried several things on Write.as to cut down on spam registrations, that I think we could bring to WriteFreely. First:
CAPTCHAs are effective, but not the best for users. They seem to reduce spam registrations, but especially by using Google’s service, it can turn many people off. I’d say this would be a lower priority.
Honeypots don’t seem to work. We’ve tried this before on our user registration page, and I don’t think it ever caught anyone. This does work for the email subscription signup form, but not user registration. I believe most “bots” creating accounts on sites like ours are actually people running automation software in their browser, so they won’t see invisible form fields.
But plenty of other things do work:
Watching for user behavior before registration. On Write.as, we track a very simple metric of time spent on the page. If it’s too short, that’s often bot behavior. It’s a little heavy-handed, but when we see this, we automatically block the registration and the IP address, too. You might also check if they’ve visited other pages on the site, etc.
Checking with Akismet. We’ve also experimented with checking signups against the Akismet API. This prevents a decent number of signups, too.
Blocking posts with plain URLs in them. This does frustrate some legitimate users, but catches more spammers overall. Basically, we have this and several other filter rules looking at published posts. If a user gets blocked several times, their account is automatically silenced. (Any real users caught by this then need to contact us to fix their account.)
Trusted account status. We have an extra user state on Write.as that indicates a user is “trusted”, and can bypass the filtering system. Users can enter this state by either paying for our Pro service, or having an admin manually mark them as trusted (maybe this could tie into option #5?).
I really like option #3 for something that can be done in the short term – especially to automatically “silence” new accounts until approved. Though I think the best option would be to create a new user state (e.g. “NeedsApproval”), so we can show the right messaging in the app – instead of something like “Your account is silenced.”
I agree the best option would be to a create a new user state. I’ve been checking out the code and this seems to involve more work than I can do at the moment though, so for now I will file an issue / feature request so we can work on it for future releases.
Is there a way to delete multiple users at once?
I thought my instance was closed, but apparently it was open and now I have 10 pages worth of spam accounts.
My own account is the only one that should remain, but deleting all the others one by one would take ages.
PS: Okay I deleted all 310+ Accounts manually, but it took me about an hour.