How to protect your website from SPAM submissions

Adobe Employee, Nov 29, 2012

What is SPAM and why does a website owner encounter SPAM?

Spam is no longer limited to email marketing, but it comes in various forms through websites and blogs that support commenting or forms.

There are several reasons for which a human or an automatic spammer might submit comments and forms with irrelevant information:

  • Comments

    • To bring visitors to the site that the comment or the user is referring to

    • To link back (for free) to another website for search engine ranking benefits

  • Submitted web forms

    • Different commercial or scam purposes – I am sending you an offer via the contact form; works just like in the case of email spam

What type of SPAM can you find on your website or on your customers’ websites?

SPAM in comments or web forms can be submitted automatically by Spam bots or by humans. Both human spammers and Spam bots get cleverer and cleverer all the time to achieve their goals.

Human spammers improve their text and comments all the time so that they seem as natural as possible, whereas bots improve their ways of bypassing anti-spam mechanisms.

Both types of spammers are equally dangerous, although the content submitted by Spam bots can be more annoying due to the large number of comments or submitted forms.

How can you protect your sites from SPAM?

Before listing a series of best practices, I must say that there is no single solution for this, that the process is a continuous one and that the site owner/partner must commit to it on a medium-long time frame.

Human SPAM has to be treated differently from automatic SPAM and vice-versa.

Human Spammers

     1. Use Akismet. Make sure that you enable Akismet from the Admin Console > Module Modules>Comments.

EnableAkismet.jpg

Make sure that you train Akismet every day for at least 2-3 weeks, until Akismet learns what type of content and what users to consider SPAM. BC sends all the information related to a comment straight to Akismet: user IP, username, website, email address, comment text. Based on these details Akismet will learn which user is dangerous and start marking all the comments from that user as SPAM. And if the user changes the IP, username, email address or website, Akismet learns the structure of the comment used by that specific user and marks it as SPAM.

     2. Moderate each comment: if Akismet fails at some point, be sure that the company behind the service is doing its best to improve the SPAM detection algorithms. Hence, until they release a new version or until they improve the current one, you need to start moderating comments. This is a shared responsibility, between the technology providers and the website owners.

Observation: Sometimes, Akismet may mark valid comments as SPAM (in this case, they are called false positives). In order to teach Akismet that this specific comment is a valid one, you need to mark it as valid.

moderate.jpg

So your responsibility as a partner or your customer’s responsibility is to check regularly the Comments tab and mark them as SPAM or to approve them as genuine comments.

Automatic Spammers

The most effective solution for spam bots is a strong CAPTCHA. But most of the time a strong CAPTCHA can annoy blog or forum users. Any commenter wants a very easy way to submit his content and make it accessible to others. And you or your customers must make sure to provide this easiness.

However, in order to avoid irritating automatic spam submitted through forms and blogs, follow the next steps:

For Blogs or forums:

     1. Start with Akismet (see the above observations).

     2. If you are not satisfied with the level of SPAM that you encounter, you can enable CAPTCHA on your comments. Go to Site Settings > Captcha and choose the type of Image verification that you want to enable. In the case of comments we only offer native Image Verification solutions. For web forms we’ve also enabled reCaptcha.

Captchas.jpg

     3. Make sure that you enforce CAPTCHA on “Comments”.

     4. As you can see, there are 2 versions for the native CAPTCHA solution. If the level of SPAM is very high, we recommend that you use the second one (“Harder to read, but more secure”).

Observation: If your business has a strong social presence or if you want to build a strong social presence and Facebook is an important channel, you can also use Facebook comments for your blog.

For WebForms (and checkout forms):

     1. CAPTCHA – when you create the form make sure that you enable ”Image Verification” in Misc. The version of CAPTCHA (“Easier to read vs. Harder to read, but more secure”) will be the one that you chose from Site Settings>Captcha.

     2. reCaptcha – if this solution is not what you are looking for, you can try inserting reCaptcha, the Google native image verification system. You can find it also in the Misc section.

forms.jpg

     3. Anti-bot Fraud Protection module: All new forms come, by default, with “Web form protection module” enabled. You can see it in the form or if you check out the Code View, you’ll be able to see the generated code for this module. Make sure that you don’t delete it. The usage of this type of module is something that we recommend that you always do. It is in fact a hidden “Input Field” with a random name. Spam bots usually fill this field, and once we detect that this field is being filled, we realize that the corresponding form submission is through a bot. Humans don’t see this field and aren’t able to submit it. For older forms, you will have to add this module to a form if it is not activated yet.

Observation: our research shows that visitors (humans) are not as annoyed by filling in image verification fields (CAPTCHA, reCaptcha) in case of web forms (contact submission, payment forms etc.) compared to comments. So, when dealing with web forms, try to enable an image verification form (whether the new Captcha Image Verification version or reCaptcha).

What’s missing and known issues

  1. In case of blog comments, when using Akismet, the associated workflow notification is being sent just before Akismet succeeds in marking a comment as SPAM. This is because Akismet checks for SPAM asynchronously (independently) from the comment engine. We are working on fixing this issue.
  2. Our current analytics system displays visits from spam bots as real visits and we make no distinction between human visitors and spam bots yet.

Let us know how your process of stopping SPAM from your sites and blogs works.

Kind Regards,

Dragos Manescu, Product Manager Adobe Business Catalyst
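
The hidden-field check described in point 3 under WebForms, together with the autofill false positive reported further down the thread, as an added example. This is not Business Catalyst's code: the names form_token, field_name, issue_form and check_submission, the markup and the sample submissions are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, kept server-side only.
SECRET = secrets.token_bytes(32)

def field_name(token):
    """Derive the decoy field's name from the form token, so it differs per render."""
    mac = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()
    return "f_" + mac[:16]

def issue_form():
    """Return (token, markup) for one rendered form (hypothetical markup)."""
    token = secrets.token_hex(16)
    name = field_name(token)
    # Hidden with CSS instead of type="hidden" so naive bots treat it as a
    # normal text box; tabindex and autocomplete="off" ask the browser to keep
    # keyboard focus and autofill away (not every browser honours the latter).
    markup = (
        f'<input type="hidden" name="form_token" value="{token}">'
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="text" name="{name}" tabindex="-1" autocomplete="off">'
        "</div>"
    )
    return token, markup

def check_submission(fields):
    """Classify a POSTed form dict as (accepted, reason)."""
    token = fields.get("form_token", "")
    if not token:
        return False, "missing form token"
    name = field_name(token)
    if name not in fields:
        # A script that posts without rendering the form omits the decoy.
        return False, "honeypot field absent"
    if fields[name].strip():
        # Bots fill it; so does misbehaving autofill, so the site should show
        # the visitor a specific message instead of an unrelated error.
        return False, "honeypot field filled"
    return True, "ok"

if __name__ == "__main__":
    token, _ = issue_form()
    decoy = field_name(token)
    # Constructed submissions: a human leaves the decoy empty, a bot fills it.
    print(check_submission({"form_token": token, decoy: "", "email": "a@example.com"}))
    print(check_submission({"form_token": token, decoy: "http://spam.example", "email": "b@example.com"}))
```

Returning a distinct reason for each rejection lets the site log bot traffic separately and tell a real visitor whose browser filled the decoy what to do next.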

Contributor, Dec 13, 2012

Comments shouldn't be automatically posted to a BC site as a default. That process inherently will collect spam because if you add the default Blog with the built in BC module template without following your instructions it is geared to promote SPAM.

Partners with due diligence who are going to enable the anti-spam feature, etc. shouldn't have a problem with ticking one box to enable auto approval of comments.

Rather than just assuming all Partners will understand the risks of unmoderated comments.

In regards to the new anti-spam features Dragos .. when implemented correctly .. I still have yet to see one come through. It's a wonderful feeling. Good work.

Adobe Employee, Dec 14, 2012

Hi Gary,

thanks for the feedback.

Keep me in the loop for what happens with the spam levels on your sites.

Dragos M.

Explorer, Jan 06, 2013

I have been getting reports that people get error messages that refer to credit card when trying to submit the forms that have no credit card fields. I tracked it down to the Anti-bot Fraud Protection module. It appears that when the Autofill feature of the browser fills in the form, it also fills in this hidden field and causes them not to be able to submit the form. The problem is, the error message is not clear. I have never been able to get an error to appear so I don't know what the message is but obviously the message is not clear if the people are getting confused. The message needs fixing.

This should be better documented because I found nothing else except this paragraph on this module.

Adobe Employee, Jan 06, 2013

Hi,

I will be investigating this issue. The thing is that, normally, the "Autofill" feature should not fill the hidden field, hence no abnormal error should occur. I'll get back with a solution.

Thanks,

Dragos M, Product Manager Adobe Business Catalyst

New Here, Feb 24, 2013

Has there been any update to this?

New Here, Jun 20, 2013

We've had similar reports. Even without auto-fill. 

New Here, Jan 09, 2013

Hi,

I was wondering if on Blog Comments that the "rel=nofollow" tag can be automated on BC? I have tested on a site and can't see that this tag is included in the comments to blogs.

In the past couple of months we have implemented 2 blogs for clients and both are getting rubbish responses coming through. Although BC recognises it as Spam we are getting inundated with email notifications.

The issue is that low end SEO'ers think that they can steal a link to help web page ranking by finding blogs that do not have the nofollow tag.

This would be very useful to have in addition to the Captcha code and Akismet checks. With the rel=nofollow, we can then add an advisory at the top of the comments section referring to Spammy comments, nofollow etc.

Regards

Geoff

Adobe Employee, Mar 18, 2013

Good Information.

Explorer, Jun 10, 2013

Since human spammers are impossible to stop, is there a way in BC admin to mark specific spammers, thereby preventing any associated future workflow notifications from being sent?

New Here, Jul 31, 2013

Hi,

We are getting "human spammers" using our Contact Us forms. We have Recaptcha set up. But that doesn't seem to faze these people. Can Akismet look at forms Comments and be trained?

FootSteps Marketing

Contributor, Aug 14, 2013

Okay, here's my brain wave or brain fade: To beat the spammers, server-side validation is required for forms. This is just an idea, BC could develop it for us.

Step one is to split the email field into two fields like so: _______ @  _______. This will help limit auto-fill. Add all other fields you want and a button called 'confirm'.

Step two. On submit only the two email address fields are sent to the server for verification, where the server combines the two fields and only then creates a customer ID. The customer ID is sent back to the browser as a new form post address, loading a new page (or with JS reformatting the existing page) which displays the content of the form fields and asks the customer to confirm these before finally submitting them (you may want to allow them to go back and edit the form too).

Community Beginner, Apr 05, 2014

Hi Guys,

Any update on changing the workflow notification so they are sent after the post is determined to be spam or not?

Akismet is generally working well on the site to detect spam (and then delete) but it is still really annoying for clients when they receive workflow notifications for all spam comments.

Thanks

Madeleine

Contributor, Apr 05, 2014

Guys, just a reminder to make sure that for public areas of the site you have CaptchaV2 installed and Enforced for comments. The standard captcha doesn't work anymore. This will significantly reduce the amount of SPAM as a first line of defence.

It's not a favorite, but if you are going to enable workflows for comments you must turn this on. Customers will eventually ignore the workflows if they are getting more spam comments than legit ones.

Screen Shot 2014-04-06 at 10.10.32 am.png

Community Beginner, Apr 05, 2014

Hey Gary,

Most of my clients do not want to use this version as it is too hard to read (clients are calling complaining) and so they are worried they are losing enquiries because of this.

Thanks

Madeleine

Contributor, Apr 05, 2014

Yes .. I know .. it's not the best, but captcha1 doesn't work. I've run multiple tests on sites switching between captchas and as soon as I roll back to captcha1 spam starts pouring in. Eventually, captcha2 will be cracked as well.

If you prevent a workflow because it's pending a spam check, then won't the customer lose that enquiry/comment as well? Either or they'll still need to check every workflow or comment submission.

You might need to look at alternatives, depending on your situation and weigh it up.
