How to protect your website from SPAM submissions

Adobe Employee ,
Nov 29, 2012

What is SPAM and why does a website owner encounter SPAM?

Spam is no longer limited to email marketing, but it comes in various forms through websites and blogs that support commenting or forms.

There are several reasons for which a human or an automatic spammer might submit comments and forms with irrelevant information:

  • Comments

    • To bring visitors to the site that the comment or the user is referring to

    • To link-back (for free) another website for search engine ranking benefits

  • Submitted web forms

    • Different commercial or scam purposes – I am sending you an offer via the contact form; works just like in the case of email spam

What type of SPAM can you find on your website or on your customers’ websites?

SPAM in comments or web forms can be submitted automatically by Spam bots or by humans. Both human spammers and Spam bots get cleverer and cleverer all the time to achieve their goals.

Human spammers improve their text and comments all the time so that they seem as natural as possible, whereas bots improve their ways of bypassing anti-Spam mechanisms.

Both types of spammers are equally dangerous, although the content submitted by Spam bots can be more annoying due to the large number of comments or submitted forms.

How can you protect your sites from SPAM

Before listing a series of best practices, I must say that there is no single solution for this, that the process is a continuous one and that the site owner/partner must commit to it on a medium-long time frame.

Human SPAM has to be treated differently from automatic SPAM and vice-versa.

Human Spammers

     1. Use Akismet. Make sure that you enable Akismet from the Admin Console > Module Modules>Comments.

EnableAkismet.jpg

Make sure that you train Akismet every day for at least 2-3 weeks, until Akismet learns what type of content and what users to consider SPAM. BC is sending right to Akismet all the information related to a comment: user IP, username, website, email address, comment text. Based on these details Akismet will learn which user is dangerous and start marking all the comments from that user as SPAM. And if the user changes the IP, username, email address or website, Akismet learns the structure of the comment used by that specific user and marks it as SPAM.

     2. Moderate each comment: if Akismet fails at some point, be sure that the company behind the service is doing the best to improve the SPAM detection algorithms. Hence, until they release a new version or until they improve the current one, you need to start moderating comments. This is a shared responsibility, between the technology providers and the website owners.

Observation: Sometimes, Akismet may mark valid comments as SPAM (in this case, they are called false positives). In order to teach Akismet that this specific comment is a valid one, you need to mark it as valid.

moderate.jpg

So your responsibility as a partner or your customer’s responsibility is to check regularly the Comments tab and mark them as SPAM or to approve them as genuine comments.

Automatic Spammers

The most effective solution for spam bots is a strong CAPTCHA. But most of the time a strong CAPTCHA can annoy blog or forum users. Any commenter wants a very easy way to submit his content and make it accessible to others. And you or your customers must make sure to provide this easiness.

However, in order to avoid irritating automatic spam submitted through forms and blogs, follow the next steps:

For Blogs or forums:

     1. Start with Akismet (see the above observations).

     2. If you are not satisfied with the level of SPAM that you encounter, you can enable CAPTCHA on your comments. Go to Site Settings > Captcha and choose the type of Image verification that you want to enable. In the case of comments we only offer native Image Verification solutions. For web forms we’ve also enabled reCaptcha.

Captchas.jpg

     3. Make sure that you enforce CAPTCHA on “Comments”.

     4. As you can see, there are 2 versions for the native CAPTCHA solution. If the level of SPAM is very high, we recommend that you use the second one (“Harder to read, but more secure”).

Observation: If your business has a strong social presence or if you want to build a strong social presence and Facebook is an important channel, you can also use Facebook comments for your blog.

For WebForms (and checkout forms):

     1. CAPTCHA – when you create the form make sure that you enable ”Image Verification” in Misc. The version of CAPTCHA (“Easier to read vs. Harder to read, but more secure”) will be the one that you chose from Site Settings>Captcha.

     2. reCaptcha – if this solution is not what you are looking for, you can try inserting reCaptcha, the Google native image verification system. You can find it also in the Misc section.

forms.jpg

     3. Anti-bot Fraud Protection module: All new forms come, by default, with “Web form protection module” enabled. You can see it in the form or if you check out the Code View, you’ll be able to see the generated code for this module. Make sure that you don’t delete it. The usage of this type of module is something that we recommend that you always do. It is in fact a hidden “Input Field” with a random name. Spam bots usually fill this field, and once we detect that this field is being filled, we realize that the corresponding form submission is through a bot. Humans don’t see this field and aren’t able to submit it. For older forms, you will have to add this module to a form if it is not activated yet.

Observation: our research shows that visitors (humans) are not as annoyed by filling in image verification fields (CAPTCHA, reCaptcha) in case of web forms (contact submission, payment forms etc.) compared to comments. So, when dealing with web forms, try to enable an image verification form (whether the new Captcha Image Verification version or reCaptcha).

What’s missing and known issues

  1. In case of blog comments, when using Akismet, the associated workflow notification is being sent just before Akismet succeeds to mark a comment as SPAM. This is because Akismet checks for SPAM asynchronously (independently) from the comment engine. We are working on fixing this issue.
  2. Our current analytics system displays visits from spam bots as real visits and we make no distinction between human visitors and spam bots yet.

Let us know how your process of stopping SPAM from your sites and blogs works.

Kind Regards,

Dragos Manescu, Product Manager Adobe Business Catalyst
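
The hidden decoy field described in step 3 of the web-form list, and the autofill failure reported later in this thread, as an added illustration that is not Business Catalyst's own code: the field name is derived from a per-render nonce, the input carries hints against autofill, and each outcome maps to an explicit message. `SITE_SECRET`, `hp_nonce`, the message texts and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional, Tuple

# Assumption: a per-site secret held only on the server (constructed value).
SITE_SECRET = b"example-only-secret"

# Plain-language outcomes, so a rejected visitor is told what actually happened.
MESSAGES = {
    "accept": "Thank you, your form was submitted.",
    "reject_bot": "A field that must stay empty was filled in. "
                  "Reload the page and retype the form without autofill.",
    "reject_malformed": "The form was incomplete. Reload the page and try again.",
}


def field_name_for(nonce: str, secret: bytes = SITE_SECRET) -> str:
    """Derive the decoy field name from a per-render nonce.

    The name looks random to a bot, but the server can recompute it,
    so nothing has to be stored per visitor."""
    digest = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:16]


def render_honeypot(nonce: Optional[str] = None) -> Tuple[str, str]:
    """Return (nonce, markup) for the decoy input to embed in a form."""
    nonce = nonce or secrets.token_hex(8)
    name = html.escape(field_name_for(nonce), quote=True)
    # Moved off-screen with CSS and hidden from assistive technology.
    # tabindex and autocomplete are hints that keep keyboard users and
    # browser autofill away from the field; browsers may ignore them.
    markup = (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="hidden" name="hp_nonce" value="{html.escape(nonce, quote=True)}">'
        f'<input type="text" name="{name}" value="" tabindex="-1" autocomplete="off">'
        "</div>"
    )
    return nonce, markup


def classify_submission(form: dict) -> str:
    """Classify a posted form (field name -> value) by its decoy field."""
    nonce = form.get("hp_nonce", "")
    name = field_name_for(nonce)
    if not nonce or name not in form:
        return "reject_malformed"   # decoy stripped, or nonce/name mismatch
    if form[name].strip():
        return "reject_bot"         # something filled the field humans never see
    return "accept"
```

Because a filled decoy can also come from browser autofill, the `reject_bot` message tells a real visitor how to recover instead of showing an unrelated error.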

Contributor ,
Dec 13, 2012

Comments shouldn't be automatically posted to a BC site as a default. That process inherently will collect spam because if you add the default Blog with the built in BC module template without following your instructions it is geared to promote SPAM.

Partners with due diligence who are going to enable the anti-spam feature, etc shouldn't have a problem with ticking one box to enable auto approval of comments.

Rather than just assuming all Partners will understand the risks of unmoderated comments.

In regards to the new anti-spam features Dragos .. when implemented correctly .. I still have yet to see one come through. It's a wonderful feeling. Good work.

Adobe Employee ,
Dec 14, 2012

Hi Gary,

thanks for the feedback.

Keep me in the loop for what happens with the spam levels on your sites.

Dragos M.

Explorer ,
Jan 06, 2013

I have been getting reports that people get error messages that refer to credit card when trying to submit the forms that have no credit card fields. I tracked it down to the Anti-bot Fraud Protection module. It appears that when Autofill feature of the browser fills in the form, it also fills in this hidden field and causes them not to be able to submit the form. The problem is, the error message is not clear. I have never been able to get an error to appear so I don't know what the message is but obviously the message is not clear if the people are getting confused. The message needs fixing.

This should be better documented because I found nothing else except this paragraph on this module.

Adobe Employee ,
Jan 06, 2013

Hi,

I will be investigating this issue. The thing is that, normally, the "Autofill" feature should not fill the hidden field, hence no abnormal error should occur. I'll get back with a solution.

Thanks,

Dragos M, Product Manager Adobe Business Catalyst

New Here ,
Feb 24, 2013

Has there been any update to this?

New Here ,
Jun 20, 2013

We've had similar reports. Even without auto-fill. 

New Here ,
Jan 09, 2013

Hi,

I was wondering if on Blog Comments that the "rel=nofollow" tag can be automated on BC? I have tested on a site and can't see that this tag is included in the comments to blogs.

In the past couple of months we have implemented 2 blogs for clients and both are getting rubbish responses coming through. Although BC recognises it as Spam we are getting inundated with email notifications.

The issue is that low end SEO'ers think that they can steal a link to help web page ranking by finding blogs that do not have the nofollow tag.

This would be very useful to have in addition to the Captcha code and Akismet checks. With the rel=nofollow, we can then add an advisory at the top of the comments section referring to Spammy comments, nofollow etc.

Regards

Geoff

Adobe Employee ,
Mar 18, 2013

Good Information.

Explorer ,
Jun 10, 2013

Since human spammers are impossible to stop, is there a way in BC admin to mark specific spammers, thereby preventing any associated future workflow notifications from being sent?
