With the recent release of Drupal 8 RC1, and the related increases in mentions on social media and tech news outlets, Drupal.org is seeing a modest bump in traffic. Along with that modest bump in real traffic, spammers have decided to increase their efforts to get content onto Drupal.org to boost their own SEO. Drupal.org is very attractive to these spammers.
Spam fighting is not fun, and certainly not glamorous, but it is a necessary part of keeping our community home clean and tidy. Community volunteers have helped report and block spam for many years, and Drupal Association staff are looking for ways to ease this burden.
Every spam fighting solution for a website as open as ours takes on spammers using two approaches: automated pattern matching and human review. I wanted to take a moment to walk through some of the approaches we use—though not in too much detail lest the spammers read this and adapt their methods to match.
On the automated front, we use tools like Mollom to do text analysis. Their system is constantly learning from the sites that use it. These services also have tools to help distinguish a robot from a human. Figuring out which spam is coming from bots helps us prevent certain types of spam from filling up the site. We also use tools like Honeypot to try and detect particularly fast submissions to the site. (Note: this is a tough one as many developers type as fast as a robot. You know who I'm talking about.)
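The two form-level checks mentioned above (a hidden trap field and a submission-speed gate), sketched as an added example. This is not the Honeypot module's code or Drupal.org's configuration; the field name, secret and thresholds are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept server-side
MIN_SECONDS = 5                   # assumption: demo threshold for "too fast"
MAX_AGE = 3600                    # assumption: forms older than this are stale
TRAP_FIELD = "homepage_url"       # hypothetical field hidden from humans via CSS


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp:mac' to embed in the form when it is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(ts)}"


def check_submission(form, now=None):
    """Classify a submitted form as 'accept', 'review' or 'reject'."""
    now = time.time() if now is None else now
    # 1. Trap field: people never see it, automated form fillers populate it.
    if form.get(TRAP_FIELD, "").strip():
        return "reject"
    # 2. The render time must be one the server signed, otherwise a client
    #    could simply backdate it to pass the speed gate.
    ts, _, mac = form.get("form_token", "").partition(":")
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "reject"
    elapsed = now - int(ts)
    if elapsed < 0 or elapsed > MAX_AGE:
        return "reject"
    # 3. Faster than most people type: hold for human review rather than
    #    discard, because fast typists trigger this check too.
    if elapsed < MIN_SECONDS:
        return "review"
    return "accept"
```

Routing fast submissions to review instead of rejecting them is a design choice made here to reflect the false-positive concern in the note above.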
Just as common as bot-based attacks are those that are run by humans. The advantage of using humans to place spam is that they can get around bot-detection techniques such as CAPTCHAs or submission speed checks.
The most recent spam attacks are a combination of these techniques. We employed a combination of techniques to respond. These include some automated techniques and some that rely on humans.
The automated techniques will likely get a bit more strict for a time while we sort out the best ways to limit the rate of spam hitting Drupal.org. Most of the spam is submitted to our forum system.
As for the human-reliant techniques, we need your help. If you see something, report it. This week we switched the focus of our development team to building tools that make the reporting process much easier. Early next week, confirmed users should be able to help us target spam and remove it from Drupal.org with minimal effort by simply flagging content as spam.
We really appreciate all of the amazing work our community does to help keep its home tidy and free of spam. Our community is phenomenal!
Comments
Thanks :)
Thanks for responding to spam :)
For those not familiar with the various options to report spammers on Drupal.org, we just contributed that documentation page at https://www.drupal.org/node/2593111
Appreciate the effort Joshua
Thanks to all who work hard to keep drupal.org usable.
The recent influx of spam posts should make it abundantly clear just how valuable and important this is.
Question - is it useful/advisable/good practice to put a comment on a spam post saying that it's been reported?
Would this save the next potential reporter some effort?
============================
Resonetrics: Better Tools for Building Brands
http://resonetrics.com
http://technologyformarketers.com
http://kittenassociates.org
http://www.linkedin.com/in/sammooreatresonetrics
Hi Sam, great question. The answer is a resounding yes! Leaving a comment on the post that it has been reported helps prevent duplicate reports, and saves us untold time in the webmaster queue closing duplicate issues.
Next question
Sam's question could be understood in two ways: (1) Should the reporter add a comment of his own telling others that (s)he reported the spam already? -or- (2) Will the spam reporting mechanism add a small comment (or some marker) to the reported comment so others will see it has been flagged already?
The second would of course be nice to have, but for now I'm happy to add a note when reporting.
Done. I updated the documentation at https://www.drupal.org/node/2593111#deduce
Thanks Sam for the question/suggestion :) Good idea.
I didn't think about adding the report link - good catch.
Now if only there were some way to automate all this... :-)
I also noticed.
Being a regular visitor on the site, I have also noticed a lot of spam in the forums.
As a contributor, I also think Drupal.org should include checks to detect spammy code and unwanted things. This will decrease spams to penetrate into the site which are using contributed modules or patches.
nofollow
Would it help to add a rel="nofollow" tag to links in forum posts and comments?
ref: https://en.wikipedia.org/wiki/Nofollow
Hi JvE, I just confirmed with drumm that we set rel="nofollow" globally. Though it may not be working properly... looking into that now.
_
see #1548066: Signature links don't get rel="nofollow" added in all cases
#2396165: Code filter configuration removes blank lines is now deployed, which also covers adding nofollow to links.
Just as common as bot-based
What if spam-humans start marking our (genuine users/contributors) posts/comments as spam?
Well that would certainly be disruptive, but probably not profitable in any way...?
My sense is that spammers are posting links back to their own setups to gain link juice (hence the importance of rel=nofollow); I'm not sure how a bogus spam report would help anyone, but right now there's not much of a defense against it except human review, eh?
I don't know if this is the right place for a suggestion.
One option is not to show the report spam button on comments/posts for users who are already certified, or for those who are well known for contributing to the community for a long time, say > 2 years.
=-=
Not sure I agree with the above suggestion. Accounts can and have been hacked/taken over in the past. The suggestion would also set the table for two scenarios. Mass registrations that lie in wait for x time and are then revived to spam. The countless number of aging accounts to be revived for spamming.
Need an opinion -
https://www.drupal.org/node/2596253 has a spammy looking title:
, but the body looks like a legitimate Drupal question.
Should something like this be reported?
Immediate thought is spam.
A quick Google search on the username and Australia brings up a Dell post which is slightly better in terms of English but again the company name serves no relevance which would suggest spam to me.
James T
Action Medical Research - www.action.org.uk
I see the new flagging of spam has been released. Nice!
Can the "New forum topics" block in the left sidebar be filtered to show only non-flagged nodes?
This is a good idea. Please open an issue at https://drupal.org/project/issues/drupalorg.
Issue created: https://www.drupal.org/node/2599766
We deployed a new system to report spam based on Flag yesterday. Details can be found here: https://www.drupal.org/node/2588119#comment-10482660.
Just tried this out and it works great. Nicely done.
Hurray.
Updated doc
Thanks all for your contributions to help fight spam :)
Done. I updated the documentation at https://www.drupal.org/node/2593111 with the new simplified workflow to report spam and the "what happens after spam reports" section.
I haven't seen any spam on the issue queues for quite some time now,
and rarely on the forums, though I don't use the forums much, but I will certainly report it whenever I encounter any.
Anyway, you guys have done a fabulous job of fighting spam on drupal.org, thanks a lot.
sina.salek.ws, Software Manager & Lead developer
Feel freedom with open source softwares
Just as common as bot-based
They may be living organisms, but they are far from human. I have more respect for pond scum than for spammers.
Protect spam
Joshuami, thanks for your efforts. Drupal Org. will be more powerful and if you continue we will be healthier. The spammer must go down.
There is no way to report spam on groups.drupal.org, I feel like groups.drupal.org has been slowly decaying through a lack of attention for quite some time.
Flag abuse
g.d.o does have the flag abuse module. It may be restricted to group moderators. I see it.
Spam Fighting
I use a script that I found which takes data from stop forum spam - http://www.stopforumspam.com
http://www.webhostingtalk.com/showthread.php?t=1244455
This script will download the data and reduce the attacks to almost nothing before they even get onto your web site.
Sorry this is really only suitable for dedicated servers, I did try it on a VPS but it did struggle unless you have a powerful one.
This has seen spam reduced on one site from 50,000+ attempts a month to less than 100
one way to stop spam
Making the registration process longer. This may not stop all spammers, but most will move on to other sites as they are losing time registering.
Progress?
How are all the implemented changes working?
How many spam posts are filtered per day by mollom?
How many are flagged by users?
Is anything else planned to be done?
Progress
We have seen a lot of progress in our spam fighting.
Mollom was a great help blocking over 141,000 spam posts in the past year plus since it was put in place.
Flagging was a huge help for reporting. (I'll see if I can get you some specific numbers.) It definitely sped the ability for both staff and volunteers to remove spam.
Our biggest win has been the recent implementation of a module to work with Distil's browser fingerprinting technology. (We only fingerprint on the signup page to identify repeat offenders.)
Since implementing those steps, we've seen a huge drop in what Mollom even sees. Additionally, that work is blocking a ton of spammers before they can even create an account. (We are still working through some false positive issues with users that have a fresh installation of Google Chrome since its fingerprint is not unique.)
Expect a blog post in the next month or so where we detail how this new technology works.
Suggestion for the forums:
Make Mollom treat a post tagged with a version of Drupal lower than 6 as highly suspicious.
About half of the posts I flag as spam are tagged with drupal 4.5, 4.6 or 4.7.