“I’ve recently installed Kunena on my website and love its functionality. The only problem is I’m getting spam and it’s getting worse. Are there recommendations or some sort of cheat sheet to follow to stop these bad guys/robots?”
a “forum user”, Kunena forum, 3 May 2015
The problem with spam is not confined to Kunena. Indeed, the discussion about forum spam has been going on since long before Kunena (or Joomla) first appeared. People can spend almost as much time researching the subject as they may have to spend dealing with an outbreak of spam in their forums. The short answer to the question “How can I stop forum spam [in Kunena]?” is that you cannot. You can never completely eradicate spam—there is no 100% guaranteed solution to combat spam. Kunena does have some configuration settings that will help you to manage the amount of spam that you may get but those configuration settings, by themselves, will not completely inoculate you against the spam epidemic. This article is therefore only a guide—a collection of some ideas that I have found useful—in minimising the level of spam in your forum.
Is there a 100% effective remedy against spam?
“The only truly effective remedy against spam is vigilance.”
sozzled, How to protect my forum from spam, 25 May 2010
It is probably fair to say that people reading this article are looking for some automated anti-spam products, tools, ideas, tips, tricks or know-how. It may sound harsh but we should all reflect on ourselves for a moment: most of us look for the easy way out—the “quick” fix, the automatic solution—because we’re lazy and we don’t want to do the work that’s involved in running a forum. There is no quick fix, automatic solution, or substitute for hands-on vigilance but there are a few time-saving tips to help you keep your forum spam-resistant.
Whether by intent or sheer good luck, some forums (like the one at this website) can remain spam-free. Of course, some websites attract more spam than others and it’s no secret that websites with higher rankings in search engines are those most often targeted by spam merchants. The genre of your site can also attract spam: sites that deal with leisure (e.g. online games, sports and videos), information technology or polemics seem to attract more spam than, say, those associated with more “erudite” things like tapestry-making, quantum physics or ornithology. It does not really matter what kind of website you have, there’s always the possibility that, sooner or later, someone will try to do some mischief and you will need to remove unwanted material from your site.
There’s a certain irony in “webcraft”: we web-developers spend our working lives building sites to attract visitors from all over the world; we play with metadata and site maps to achieve higher page rankings in search engines. Search engine optimisation is a two-edged sword attracting both legitimate visitors (customers) and spam merchants. Even if you have not intentionally submitted your website to a web search engine, there's always the possibility that your site will unexpectedly appear in Google or Bing simply because your site URL was listed in another website regularly being crawled by one of those things. It happens. It happened to me with a test site I was experimenting with and I was getting about 50 emails per day about attempts to register new accounts on it!
It is not “unfortunate” that your forum may attract spam. It’s part of doing business on the internet these days; it’s life.
The truth is that we don’t know why people invest their time in trying to infiltrate our websites with their pernicious nonsense. It doesn’t matter why; it only matters what steps you can take to minimise it. Ideally, we would all like to have something that operates automatically in the background so that we don’t have to trouble ourselves with this “housework” but it’s a bit like vacuuming the carpets. The same thing can be said of “self spam-cleaning” websites: I doubt that we will ever find an automatic solution that lets people legitimately interact with your website—without them having to jump through hoops like trained animals—while keeping out the unwanted spam mongrels as well. Good forum management requires vigilance on your part; there's no escape.
I would not, for instance, recommend that you allow unrestricted posting access to your forums (unless that is your intention). Every decision that you make has consequences, and there are costs involved in maintaining your forum so as to minimise the ill-effects that spam messages will have. If you want to maintain a healthy, spam-free forum you need to be alert and make effective use of the forum moderation tools included in Kunena.
Prevent spam account registrations
Another way of looking at this issue is to ensure that the only people who can post messages on your forum are those who have accounts and have to log in to post messages. There are a couple of configuration settings in Kunena that can help you but the most important thing to remember is that, unlike other self-contained forum products that have their own registration procedures, Kunena relies on Joomla’s registration component[1].
You can change whether you allow users to register. This is done (in Joomla) with the setting Global Configuration » System » User Settings » Allow User Registration = Yes / No.
The latest versions of Joomla also include some additional “anti-spam” improvements as part of the registration process with the Joomla user profile plugin. Although enabling this plugin means that you can ask new account applicants a series of questions—you can even “force” them to check the “I accept the terms of use” item—it is also important to understand that Kunena does not use any of this extra data when it automatically creates a forum user profile. So, while you can add extra custom fields, if you wish, Kunena will not use them. On the other hand, asking for the extra information and forcing people to enter fields may prevent some automated registration scripts from working; however, spambots usually have mechanisms to complete the registration form with dummy data anyway.
A lot of noise is made about using CAPTCHA with the Joomla registration process. Although CAPTCHA can slow down spambots, it is not reliable; it can be both helpful (in reducing spam registrations) and hurtful (in turning away legitimate new customers). Spambots dislike CAPTCHA but human beings probably hate it even more! Use it or do not use it—it’s only a small comfort but it could turn into a curse upon you—it’s your choice.
There is, perhaps, one “sure-fire” way to eradicate spam registrations on your website: charge your users a registration fee! I have never seen spam in a web forum where you have to pay an up-front fee to register before you can post a message on it. Spam merchants are—almost universally—free-loading parasites: they survive only because of your goodwill; because you are giving away a free opportunity for them to make money. Why not turn the tables around and make spam merchants pay, too … except they won’t.
Other tools to prevent spam account registration
There are several tools that you can use to prevent spam attacks on your site particularly if the attacker uses a “bad” (maliciously-engineered) web agent. Fortunately, there are a number of services that intercept potential attacks by “bad” web agents and return a “403 - Forbidden” response. This kind of response usually deters potential spammers from trying to attack your site with their particular brand of web agent. One tool that guards against most ’bot attacks is ZB Block from www.spambotsecurity.com.
You can also block access to your site from specific countries, domains, IP addresses or from certain ISPs. IP blocking is useless if the attacker uses IP address spoofing or fast flux techniques (because you never really know the source of the attack).
One of the simplest registration assistance tools is EasyCalcCheck Plus. This tool works on the challenge-response principle (e.g. ask a question like “What colour is grass?” [Answer: “green”]) that legitimate users can answer. While this tool probably guards against attacks from ’bots and those who may not understand the question, it will not protect against human spammers who do understand the question.
Some Joomla extensions (e.g. SpambotCheck, JJAntispam, iAkismet among others) use a combination of heuristics and databases of known spam sources but, to some extent, these rely on external spam “black lists”; these products sometimes fail to differentiate between the good and the bad. Some tools (e.g. Stop Registration Bots) allow you to compile your own “black list” but you could spend a lot of your valuable time updating this list and, ultimately, you may decide it’s simply not worth the hassle. If you want to block access from a whole country, for example, you could look at jSecure or kSecure.
Lastly, if you decide to use one of the techniques I have discussed here (or even something else), never reveal the identity of the technique. The last thing you want spammers to see (when their registration has been blocked) is the name of the product that you used. For instance, you would not want them to see
Although it may be good advertising for the product you’ve used, it also gives attackers a clue about how you may be defeated. If you want to safeguard your secrets, never reveal to anyone what secrets you may be guarding. The less that people know about how you’ve constructed your website—what software you are using—the safer and more secure your website will remain.
Kunena’s built-in anti-spam mechanisms
You may be wondering why (after reading more than fifteen hundred words) I have not discussed Kunena’s built-in security mechanisms. As you may have realised by now, I have not mentioned these things because there is more that you can do to prevent spam before people have access to your forum than what you might be able to do after they have that access and try to post their rubbish. To put it another way, once people have access to your forum then you are inviting them to post whatever they want wherever they can. The “trick” is to limit the amount of damage that they may be able to do. Some of the configuration settings in Kunena can help make this task more manageable for you; not totally spam-proof but manageable.
Require people to login to view the forum
A common belief among forum owners is “if people cannot view the forum without logging in then we’re safe from attack”. This is one reason—not the only one—for people changing the default Kunena Forum: Configuration setting Security » Security Settings » Registered Users Only from its default value [No] to Yes.
Really? Ask yourself the question: “what’s stopping someone from registering an account, logging in and then posting garbage in my forum?” The answer invariably centres around the earlier discussion we’ve been having; we’re back to preventing spam attacks by blocking their point of access which is the point of account creation. Although you may minimise some spam with the “Registered Users Only” approach, in my opinion this idea is an instant turn-off in attracting new customers. If people cannot see your forum they may be disinclined to create an account and log in just to satisfy their passing curiosity; spambots are unscrupulous—well, for starters, they’re not human—about registering accounts wherever they can.
When to change this setting: Small (“closed”) web-based communities
Effectiveness against spam attacks: Nil
Require people to login to post to the forum
There is no right or wrong argument against changing the default Kunena Forum: Configuration setting Security » Security Settings » Allow Guests to Post/Write from its default value [No] to Yes.
If Allow Guests to Post/Write = Yes then people will need to have an account, log in and then they can post to your forum. This still does not have any effect on the level of spam; we’re back to the same discussion we’ve been having about preventing spam attacks by blocking their point of access which is the point of account creation. The difference between this setting and the one we’ve just mentioned is that it may attract customers who may feel inclined to register so that they can participate in your forum.
If Allow Guests to Post/Write = No then people will not need to have an account to post to your forum. This may lead to an increase in the amount of spam you get (and this is the biggest problem for owners of public forums). If you change this setting’s value then you are inviting anyone to post in any publicly-accessible category—more about this later—and, therefore, you should exercise caution. This setting, by itself, does not affect the level of spam your users will see; this setting should also be considered together with the Category Manager » Category Settings » Review posts = Yes.
When to change this setting: Public blogging sites
Effectiveness against spam attacks: May increase level of spam
Require email address for guest posts in the forum
Changing the default Kunena Forum: Configuration setting Users » User Related » Require E-mail from its default value [No] to Yes may be useful in conjunction with the previously-mentioned setting. It has no impact on the level of spam posted in your forum but it lets you—as the forum owner—learn something more about where the message(s) originated.
When to change this setting: Public blogging sites
Effectiveness against spam attacks: Nil
Display email addresses in the forum
Changing the default Kunena Forum: Configuration setting Users » User Related » Show E-mail from its default value [No] to Yes should be used with caution. If email addresses are displayed this will allow everyone to obtain them. Not recommended (except, perhaps, in closed communities where there is a high level of trust among members).
When to change this setting: Small (“closed”) web-based communities
Effectiveness against spam attacks: May increase level of spam
Display IP addresses to forum moderators
Changing the default Kunena Forum: Configuration setting Frontend » Look and Feel » Hide IP Addresses From Moderators from its default value [Yes] to No may be useful in forums with a high level of activity. It has no impact on the level of spam posted in your forum but it lets you—as the forum owner—learn something more about where the message(s) originated and may assist your forum moderators in dealing with spam and/or nuisance users.
When to change this setting: Active, high-use forums
Effectiveness against spam attacks: Nil, but may assist moderators to combat spam/troll users
Moderate new users
Changing the default Kunena Forum: Configuration setting Security » Security Settings » Allow Guests to Post/Write from its default value [0] to a positive number may be useful in forums with a high level of activity. It has some effect on reducing the level of spam in your forum but it requires you or your forum moderators to approve the first n messages posted by users before they appear on the forum. If your forum moderators are not attentive, your users may feel that you are not interested in their needs.
This setting only affects logged-in users. It has no effect on guest users (if you allow them to post/write on the forum). Use with discretion: a value between 1 and 3 is usually sufficient; a higher value may discourage your users from contributing to your forum.
When to change this setting: Active, high-use forums
Effectiveness against spam attacks: Moderate
CAPTCHA challenge for users and guests
See the article Using CAPTCHA spam protection in Kunena in the Kunena Wiki. It may lessen the amount of spam posted in your forum but, as we’ve discussed earlier, it will not stop people who do not care whether you use CAPTCHA or not.
When to change this setting: Public blogging sites; active, high-use forums
Effectiveness against spam attacks: Slight
Enable flood protection
Changing the default Kunena Forum: Configuration setting Security » Security Settings » Flood Protection from its default value [0] to a positive number may be useful in forums with a low level of activity. It has some effect on spam but you should note that this setting applies to everyone (including you and your forum moderators). The effect of this setting is that n seconds have to pass before anyone may post their next message to the forum. Obviously, if you set this value too high it can have detrimental effects on the operation of your forum. This setting should be used with caution.
When to change this setting: Forums with low level/infrequent activity
Effectiveness against spam attacks: Moderate
Use the Stop Forum Spam setting
Adding a value[2] to the Kunena Forum: Configuration setting Security » Stop Forum Spam Configuration » API Key does not protect your forum from spam. What it does, when you ban a user from your forum, is report the details of the spam account to http://stopforumspam.com. It may be useful to other people who use the external [Stop Forum Spam] service but it does not prevent spam on your own site.
When to change this setting: No recommendation
Effectiveness against spam attacks: Nil
The best way to prevent spam: category management
You have probably realised that the basic Kunena configuration settings only give you limited protection against spam. The best way to protect your forum is to use some of the advanced settings in Kunena’s Category Manager—particularly how you define category permissions.
If you are not running a “public” forum (i.e. a forum where you require people to log in to your site) then make sure that you do not allow guests (or the public) to be able to create new topics and/or reply to topics.
If you are running a “public” forum (e.g. allowing people to comment on Joomla articles) then you need to be a bit more careful if you allow guests to post messages on your forum. I recommend that you do not allow guests to be able to create new topics: this is controlled by the setting Category Manager » <category> » Permissions » User Groups Allowed to Post. Make sure that you do not select “Guests” for this setting. To allow guests to reply to topics in the category, add (CTRL + LEFT-MOUSEBUTTON) “Guests” to the setting User Groups Allowed to Reply. This will ensure that guests can only reply to “official” topics created by you, your forum moderators and other registered users.
In addition to the above settings for managing a “public” forum, I also recommend that you change the setting Category Manager » <category> » Category Settings » Review posts = Yes. This means that everyone who posts messages in this “public” category will have to have their messages approved by you or a forum moderator. You may, if you wish, use the “Review posts” settings in other categories—these are sometimes called “moderated categories”[3]—to give you added spam protection but, remember, you will have to approve messages posted by your registered users in those categories.
When to use these settings: All forums
Effectiveness against spam attacks: High (almost 100%)
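How the category permissions above combine with Review posts, new-user moderation and flood protection, as an added Python model (not part of the original article and not Kunena's own code). The group names, the `decide` function, the order of the checks and the moderator exemption from review are assumptions of this sketch; all posting attempts are constructed.

```python
from dataclasses import dataclass
from typing import Optional

GUESTS, REGISTERED, MODERATORS = "Guests", "Registered", "Moderators"

@dataclass
class Category:
    name: str
    allowed_to_post: frozenset     # "User Groups Allowed to Post" (new topics)
    allowed_to_reply: frozenset    # "User Groups Allowed to Reply"
    review_posts: bool = False     # "Review posts"

@dataclass
class User:
    name: str
    group: str
    approved_posts: int = 0               # messages a moderator has already approved
    last_post_at: Optional[float] = None  # time of the last accepted message

def decide(user, category, action, now, flood_seconds=0, moderate_first_n=0):
    """Return 'denied', 'flood', 'pending' or 'published' for one attempt."""
    allowed = category.allowed_to_post if action == "topic" else category.allowed_to_reply
    if user.group not in allowed:
        return "denied"
    # Flood protection applies to everyone, moderators included.
    if flood_seconds and user.last_post_at is not None:
        if now - user.last_post_at < flood_seconds:
            return "flood"
    user.last_post_at = now
    if user.group == MODERATORS:   # assumption: moderators bypass review
        return "published"
    if category.review_posts:      # moderated category: held for approval
        return "pending"
    # New-user moderation affects logged-in users only, never guests.
    if user.group == REGISTERED and user.approved_posts < moderate_first_n:
        return "pending"
    return "published"

def run_scenario():
    """Replay constructed posting attempts against the recommended settings."""
    members = frozenset({REGISTERED, MODERATORS})
    # Public category: guests may reply but not start topics; posts are reviewed.
    public = Category("Article comments", members, members | {GUESTS}, review_posts=True)
    private = Category("Members", members, members)
    guest = User("anonymous", GUESTS)
    newbie = User("newbie", REGISTERED)
    regular = User("regular", REGISTERED, approved_posts=10)
    mod = User("mod", MODERATORS)
    attempts = [  # (user, category, action, time in seconds), all constructed
        (guest, public, "topic", 0),      # guests cannot create topics
        (guest, public, "reply", 5),      # allowed, but held for review
        (newbie, private, "topic", 20),   # first posts of a new user are held
        (regular, private, "reply", 25),  # established user, unmoderated category
        (regular, public, "reply", 100),  # even regulars are reviewed here
        (mod, public, "topic", 100),
        (mod, public, "reply", 110),      # 10 s later: flood protection hits too
    ]
    return [(u.name, c.name, a, decide(u, c, a, t, flood_seconds=30, moderate_first_n=2))
            for u, c, a, t in attempts]

if __name__ == "__main__":
    for row in run_scenario():
        print(*row, sep=" | ")
```

Only two of the seven attempts are published immediately, and nothing posted by a guest reaches readers without approval.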
Other tools to prevent spam in your forum
There have been several recommendations about using 3rd party products/plugins to protect your forum from spam. Some people swear by them (and some people swear at them). I do not have any personal views or experience on these things because, as I have mentioned several times earlier, there is a lot more that you can do to prevent spam if you make it more difficult for spammers to “get their foot in the door” in the first place.
If you choose to use some of these plugins, be aware that they do not prevent all spam (despite claims to the contrary). As one of the Kunena team members commented:
“[I am not aware of a 100% spam free solution for Kunena]. It’s a multi-million dollar issue even the largest companies struggle with. If you have enough of a presence, especially in the software people use, many will find a way to exploit … your software. We hate spam too but the battle is an uphill one. [Most] … common practices work to slow spam down but there is no way to block people [who] create manual spam accounts. We try to fight automation-based attacks but even those can be tricky.”
coder4life, Kunena and Spam, 14 February 2014
Some people may find plugins like R Antispam (among others) useful. There are two things that should be mentioned. Firstly, these plugins can block legitimate messages as well as spam. Secondly, as I mentioned earlier in this article (about not revealing what product(s) you may be using to control spam), these products “advertise” their presence on your site.
“The best way of keeping a secret is to pretend there isn’t one.”
Margaret Atwood, The Blind Assassin
Summary
You can manage spam—you can reduce it and you may be able to eradicate it—if you are vigilant. The best ways to reduce spam are to prevent accounts registering on your website from untrustworthy sources. If you manage an open “public” forum then you will have more work to safeguard your site from the effects of spam.
Kunena is no better nor worse than any other internet forum. Kunena has a number of built-in facilities to manage spam (e.g. banning users is one of them).
There is no guaranteed automated mechanism to prevent spam. Kunena has several configurable settings to help with some of the “automated” aspects of running your forum and you should experiment with these settings to find a combination that works best for you.
There are several third-party products available that may assist but you should research them carefully. Some of these products are better than others.
Managing spam is, unfortunately, not without you having to do some work. If you do not put in the effort then you only have yourself to blame.
“If you want to keep a secret, you must also hide it from yourself.”
George Orwell, 1984
Notes:
[1] See also User registration and general login issues. Kunena is not responsible for user registration or login. Kunena uses the Joomla registration component or you can use other Joomla extensions like JomSocial or Community Builder if you prefer. Kunena is also not responsible for:
- sending out "confirm this message" emails when people register
- the format or details of "confirm this message" emails when people register
- making sure that people actually use the forum; or
- making sure that all the user’s registration details are correct or checking that the user has a valid email address.
[2] To obtain the Stop Forum Spam API Key you need to sign up to their forum first.
[3] See this explanation about “moderated categories”.