With the recent release of Drupal 8 RC1, and the related increases in mentions on social media and tech news outlets, Drupal.org is seeing a modest bump in traffic. Along with that modest bump in real traffic, spammers have decided to increase their efforts to get content onto Drupal.org to boost their own SEO. Drupal.org is very attractive to these spammers.

Spam fighting is not fun, and certainly not glamorous, but it is a necessary part of keeping our community home clean and tidy. Community volunteers have helped report and block spam for many years, and Drupal Association staff are looking for ways to ease this burden.

Every spam fighting solution for a website as open as ours takes on spammers using two approaches: automated pattern matching and human review. I wanted to take a moment to walk through some of the approaches we use—though not in too much detail lest the spammers read this and adapt their methods to match.

On the automated front, we use tools like Mollom to do text analysis. Their system is constantly learning from the sites that use it. These services also have tools to help distinguish a robot from a human. Figuring out which spam is coming from bots helps us prevent certain types of spam from filling up the site. We also use tools like Honeypot to try and detect particularly fast submissions to the site. (Note: this is a tough one as many developers type as fast as a robot. You know who I'm talking about.)

Just as common as bot-based attacks are those that are run by humans. The advantage in using humans to place spam is that they can get around bot-detection techniques such as CAPTCHA or submission speed checks.

The most recent spam attacks are a combination of these techniques. We employed a combination of techniques to respond. These include some automated techniques and some that rely on humans.

The automated techniques will likely get a bit more strict for a time while we sort out the best ways to limit the rate of spam hitting Drupal.org. Most of the spam is submitted to our forum system.

As for the human-reliant techniques, we need your help. If you see something, report it. We switched the focus of our development team this week to building the tools to make the reporting process much easier. Early next week, confirmed users should be able to help us target spam and remove it from Drupal.org with minimal effort by simply flagging content as spam.

We really appreciate all of the amazing work our community does to help keep its home tidy and free of spam. Our community is phenomenal!

Comments

Francewhoa’s picture

Thanks for responding to spam :)

For those not familiar with the various options to report spammers on Drupal.org, we just contributed that documentation page at https://www.drupal.org/node/2593111

Loving back your Drupal community result in multiple benefits for you

tatha.bh’s picture

Appreciate the effort Joshua

Sam Moore’s picture

Thanks to all who work hard to keep drupal.org usable.
The recent influx of spam posts should make it abundantly clear just how valuable and important this is.

Question - is it useful/advisable/good practice to put a comment on a spam post saying that it's been reported?
Would this save the next potential reporter some effort?

B_man’s picture

Hi Sam, great question. The answer is a resounding yes! Leaving a comment on the post that it has been reported helps prevent duplicate reports, and saves us untold time in the webmaster queue closing duplicate issues.

broon’s picture

Sam's question could be understood in two ways: (1) Should the reporter add a comment of his own telling others that (s)he reported the spam already? -or- (2) Will the spam reporting mechanism add a small comment (or some marker) to the reported comment so others will see it has been flagged already?

Sam Moore’s picture

The second would of course be nice to have, but for now I'm happy to add a note when reporting.

Francewhoa’s picture

Done. I updated the documentation at https://www.drupal.org/node/2593111#deduce

Thanks Sam for the question/suggestion :) Good idea.

Loving back your Drupal community result in multiple benefits for you

Sam Moore’s picture

I didn't think about adding the report link - good catch.
Now if only there were some way to automate all this... :-)

nitin.k’s picture

Being a regular visitor on the site, I have also noticed many spams in the forums.
As a contributor I also think Drupal.org should include the checks to detect spammy code and unwanted things. This will decrease spams to penetrate into the site which are using contributed modules or patches.

JvE’s picture

Would it help to add a rel="nofollow" tag to links in forum posts and comments?
ref: https://en.wikipedia.org/wiki/Nofollow

B_man’s picture

Hi JvE, I just confirmed with drumm that we set rel="nofollow" globally. Though it may not be working properly... looking into that now.

drumm’s picture

#2396165: Code filter configuration removes blank lines is now deployed, which also covers adding nofollow to links.

nithinkolekar’s picture

Just as common as bot-based attacks are those that are run by humans. The advantage in using humans to place spam is they can get around bot-detection techniques such as captcha or submission speed check.

What if spam-humans start marking our (genuine user/contributors) post/comment as spam?

Sam Moore’s picture

Well that would certainly be disruptive, but probably not profitable in any way...?
My sense is that spammers are posting links back to their own setups to gain link juice (hence the importance of rel=nofollow); I'm not sure how a bogus spam report would help anyone, but right now there's not much of a defense against it except human review, eh?

nithinkolekar’s picture

I don't know if this is the right place for a suggestion.
One option is not to show the report spam button on comments/posts for users who are already certified or for those who are well known for contributing to the community for a long time, say > 2 years.

VM’s picture

Not sure I agree with the above suggestion. Accounts can and have been hacked/taken over in the past. The suggestion would also set the table for two scenarios. Mass registrations that lie in wait for x time and are then revived to spam. The countless number of aging accounts to be revived for spamming.

Sam Moore’s picture

Need an opinion -
https://www.drupal.org/node/2596253 has a spammy looking title:

OzStaff Holdings Pty Ltd - Combination of Drupal

, but the body looks like a legitimate Drupal question.

Posted by JamesSmith1 on October 19, 2015 at 5:17am
Hi, Is Drupal 8 already contains components of Symfony 2.. I have this framework but it is not working..

Should something like this be reported?

jamestombs’s picture

Immediate thought is spam.

  • Title holds no relevance.
  • User is brand new.
  • For a user from Australia that speaks English the English is terrible and largely nonsensical.

A quick Google search on the username and Australia brings up a Dell post which is slightly better in terms of English but again the company name serves no relevance which would suggest spam to me.

James T
Action Medical Research - www.action.org.uk

JvE’s picture

I see the new flagging of spam has been released. Nice!

Can the "New forum topics" block in the left sidebar be filtered to show only non-flagged nodes?

tvn’s picture

This is a good idea. Please open an issue at https://drupal.org/project/issues/drupalorg.

tvn’s picture

We deployed a new system to report spam based on Flag yesterday. Details can be found here: https://www.drupal.org/node/2588119#comment-10482660.

Sam Moore’s picture

Just tried this out and it works great. Nicely done.

yelvington’s picture

Hurray.

Francewhoa’s picture

Thanks all for your contributions to help fighting spam :)

Done. I updated the documentation at https://www.drupal.org/node/2593111
with the new simplified workflow to report spam and a "what happens after spam reports" section.

Loving back your Drupal community result in multiple benefits for you

sinasalek’s picture

I haven't seen any spam on issue queues for quite some time now,
and rarely on forums, though I don't use forums much, but will certainly report whenever I encounter any.
Anyway, you guys have done a fabulous job fighting spam on drupal.org, thanks a lot.

sina.salek.ws, Software Manager & Lead developer
Feel freedom with open source softwares

Steel Rat’s picture

Just as common as bot-based attacks are those that are run by humans

They may be living organisms, but they are far from human. I have more respect for pond scum than for spammers.

softdote’s picture

Joshuami, thanks for your efforts. Drupal.org will be more powerful, and if you continue we will be healthier. The spammer must go down.

dgtlmoon’s picture

There is no way to report spam on groups.drupal.org, I feel like groups.drupal.org has been slowly decaying through a lack of attention for quite some time.

yelvington’s picture

g.d.o does have the flag abuse module. It may be restricted to group moderators. I see it.

XTCHost’s picture

I use a script that I found which takes data from stop forum spam - http://www.stopforumspam.com

http://www.webhostingtalk.com/showthread.php?t=1244455

This script will download the data and reduce the attacks to almost nothing before they even get onto your web site.

Sorry this is really only suitable for dedicated servers, I did try it on a VPS but it did struggle unless you have a powerful one.

This has seen spam reduced on one site from 50,000+ attempts a month to less than 100

wildmandmc’s picture

Making the registration process longer. This may not stop all spammers, but most will move on to other sites as they are losing time registering.

JvE’s picture

How are all the implemented changes working?
How many spam posts are filtered per day by Mollom?
How many are flagged by users?
Is anything else planned to be done?

joshuami’s picture

We have seen a lot of progress in our spam fighting.

Mollom was a great help blocking over 141,000 spam posts in the past year plus since it was put in place.

Flagging was a huge help for reporting. (I'll see if I can get you some specific numbers.) It definitely sped the ability for both staff and volunteers to remove spam.

Our biggest win has been the recent implementation of a module to work with Distil's browser fingerprinting technology. (We only fingerprint on the signup page to identify repeat offenders.)

Since implementing those steps, we've seen a huge drop in what Mollom even sees. Additionally, that work is blocking a ton of spammers before they can even create an account. (We are still working through some false positive issues with users that have a fresh installation of Google Chrome since its fingerprint is not unique.)

Expect a blog post in the next month or so where we detail how this new technology works.

JvE’s picture

Suggestion for the forums:
Make Mollom treat a post tagged with a version of Drupal lower than 6 as highly suspicious.
About half of the posts I flag as spam are tagged with drupal 4.5, 4.6 or 4.7.