Getting tons of comment spam, in spite of captcha

ptomblin

Joined: 2005-12-10
Posts: 42
Posted: Thu, 2007-01-18 20:38

I'm suddenly getting a dozen or so comment spams every day, in spite of the fact that I've enabled captcha. Is the captcha not strong enough, or are they using sweatshops to spam?

Is there a way to increase the strength of the captcha? Or can I set it so only registered users can post comments?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2007-01-18 21:22

the g2.1.2 captcha was slightly flawed. please upgrade to g2.2 and ensure that captcha is enabled for guest comments.

--------------
Enter the Gallery 2 Theme Contest today!

 
Merira

Joined: 2007-04-13
Posts: 17
Posted: Fri, 2007-04-13 04:32

Gallery version = 2.2.1 core 1.2.0.1
PHP version = 4.4.4 apache
Webserver = Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Database = mysql 4.0.27-standard, lock.system=flock
Toolkits = LinkItemToolkit, NetPBM, Thumbnail, ImageMagick
Acceleration = none, none
Operating system = Linux vps.landofbeginnings.org 2.6.9-022stab078.23-smp #1 SMP Thu Oct 19 14:42:15 MSD 2006 i686
Default theme = matrix
gettext = enabled
Locale = en_US
Browser = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Media Center PC 4.0; Crazy Browser 2.0.1)

I am getting the same problem, and I have upgraded to 2.2.1, captcha enabled for guest posting but still getting spammed

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2007-04-13 12:51

what's the version of your captcha module?
- you should have captcha version 1.1.4.
- comment module version 1.1.3

and in site admin -> captcha, it should be set to "high" for guest comments.

also note that human people can still post spam. so if your spam volume is less than 5 comments per day or so, it could well be that some people actually post those comments manually. that's not what captcha can protect from.

--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage

 
ptomblin

Joined: 2005-12-10
Posts: 42
Posted: Fri, 2007-04-13 13:05

Is there an RSS feed for comments? I tend to get somewhere between 1-10 spam comments all in a bunch about once a week or so - that frequency makes me think it might be human entered. I only get legitimate comments about once a week or so as well. I'd like it if there was some way to get notified that there was a new comment so I can examine it to see if there is a spam run in progress.

 
Merira

Joined: 2007-04-13
Posts: 17
Posted: Wed, 2007-04-18 14:31

you should have captcha version 1.1.4. - Yes
comment module version 1.1.3 -Yes

and in site admin -> captcha, it should be set to "high" for guest comments - Yes

About twice a day I have to clear the same spam possibly from one person posting as Guest

 
Merira

Joined: 2007-04-13
Posts: 17
Posted: Fri, 2007-04-20 11:14

Spam has increased

captcha version 1.1.4. - Yes
comment module version 1.1.3 -Yes
site admin -> captcha, it should be set to "high" for guest comments - Yes

 
brashquido

Joined: 2006-09-13
Posts: 60
Posted: Thu, 2007-04-26 23:47

I'm in the same boat as Merira. I've been using Gallery 2 for at least 6 months, but it has only been in the last few weeks that spam has become an issue. Maybe captcha isn't enough these days? Maybe additional spam prevention such as the AKISMET service would be helpful, or at least some kind of comment moderation queue so that we don't have links to p0rn and other such undesirables placed on our sites?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2007-04-26 23:56

> Maybe captcha isn't enough these days?

agreed. we're currently developing an akismet module for G2 which should help in protecting from comment spam.


 
brashquido

Joined: 2006-09-13
Posts: 60
Posted: Mon, 2007-04-30 14:35

Excellent! Just cleared out a dozen or so spam comments again today. It seems there are either some people with WAY too much time on their hands planting these spam comments, or there are some smart bots getting around which OCR the captcha image to get the code. To be honest I think the captcha image displayed by G2 is pretty basic, and probably quite easy to OCR and successfully get the correct code out of. One option I've seen on forums is that you have to enter the captcha in reverse, but it wouldn't be too long before bots got around that either. Another option to comment security and perhaps even replace captcha might be KittenAuth. There is no way a bot is going to get around that reliably as it requires you to click on every image showing a particular item. I think it is a bit friendlier than captcha too. Akismet is on the way, and I think for now at least this will plug the hole. Was getting very close to disabling comments on my site altogether.

 
dms

Joined: 2005-01-17
Posts: 17
Posted: Tue, 2007-06-12 15:57

I've seen a massive surge in spam to my site as well which is very disappointing. Call me an old so-and-so but I detest seeing links to dodgy scams or "products" shown on my site.

My "solution" was to write some code which shows me all pages containing http links, and once I've skimmed them I just hit a button to delete the lot! This works for my site because I have a very low rate of real postings, but I imagine for legit sites this wouldn't work - unless you perhaps ban all comments by guests with URLs in them.

However, again in my case deleting all comments with "link portal" in them would work a treat too!

 
scaturan

Joined: 2004-09-12
Posts: 1153
Posted: Thu, 2007-06-14 03:47

mod_security works well for filtering comments with embedded URL addresses. However, exceptions have to be made if you intend to use the Permalinks & Link Items plugins or use the "Remote Web Site" upload method.

Apache 2.2.4 / mod_security 1.9.4

set this globally in httpd.conf

    SecFilterSelective SCRIPT_FILENAME "main.php" "chain,id:1000,deny,nolog,status:404"
    SecFilter "http:|http://|href=|http%3A%2F%2F|spamkeyword1|spamkeyword2"

then per <VirtualHost> you want to exclude, add this to its corresponding <Directory> container:

    SecFilterRemove 1000

 
bharat

Joined: 2002-05-21
Posts: 7994
Posted: Tue, 2007-07-03 04:32

I'm getting a ton of "Link Portal" spam links on my site every day (about 20-50 a day). It's driving me nuts. I've gotten pretty far in adding Akismet support into the comment module, though, so hopefully that'll be available as an experimental module for 2.3 within another week or two. In the meantime, I hacked modules/comment/AddComment.inc to add the following block inside the handleRequest function:

            /* stupid spammers */ 
            if (stripos($form['subject'] . $form['comment'], 'Link Portal') !== false) { 
                return array(null, null); 
            } 

which seems to be keeping them out. Or it will until they read this thread and change the way their spam looks.

 
steidlf

Joined: 2004-09-06
Posts: 56
Posted: Tue, 2007-07-03 10:20

I read this article with a freshly installed G2, until now I don't suffer from spam comments.
But I still look for a mail to the admin for each comment created, to be the first one reading each comment and be able to delete spam immediately.

I read about akismet and kittyauth, my favorite module for G2 would be KittyAuth, using my own pictures from my gallery, fed with my keywords (or tags).

(just my 2 cents)

Frank

---
http://photos.franksteidl.ch

 
pashdown

Joined: 2007-02-22
Posts: 8
Posted: Mon, 2007-07-16 20:44

I've taken your strategy one step further:

        if (stripos($form['subject'] . $form['comment'], 'http') !== false) {
             return array(null, null);
        }
 
efedora

Joined: 2002-10-04
Posts: 34
Posted: Tue, 2007-07-17 01:47

We don't get many comments. It would not be a burden to have all comments held until they are approved. Something like 'moderation' on Google Groups.

 
AXYPB

Joined: 2007-08-09
Posts: 6
Posted: Thu, 2007-08-09 19:29
pashdown wrote:
I've taken your strategy one step further:

        if (stripos($form['subject'] . $form['comment'], 'http') !== false) {
             return array(null, null);
        }

This is an interesting strategy. There are two things I would like to do to make this complete:

  • Rather than redirect possible offenders to a blank page, return a simple message noting that images and links are disallowed in guest comments.
  • Remove the markup buttons in the Add Comment interface pertaining to URLs and images.

How would one go about doing that?

 
bharat

Joined: 2002-05-21
Posts: 7994
Posted: Fri, 2007-08-10 18:47

FYI, I've added Akismet support to the comment module in 2.3 so when you upgrade to the latest code, you can sign up for a key at www.akismet.com and plug it in on the comment Site Admin page and then have it rescan all of your comments and flag all the spam ones. Then it will keep new spam comments out. In the past week, Akismet has blocked 1000+ spam messages in my production gallery (http://menalto.com/gallery) and only let in about 30. Marking the new comments as spam is relatively quick and easy. It's nice not to be overrun by spam anymore :-)

 
joemonster

Joined: 2006-04-12
Posts: 236
Posted: Mon, 2007-08-13 17:14

This looks quick and effective... in which file did you do this modification?

 
pashdown

Joined: 2007-02-22
Posts: 8
Posted: Mon, 2007-08-13 18:18

modules/comment/AddComment.inc

    /**
     * @see GalleryController::handleRequest
     */
    function handleRequest($form) {
        global $gallery;

        $itemId = GalleryUtilities::getRequestVariables('itemId');

        /* Make sure we have permission to add a comment */
        $ret = GalleryCoreApi::assertHasItemPermission($itemId, 'comment.add');
        if ($ret) {
            return array($ret, null);
        }

        /* stupid spammers */
        if (stripos($form['subject'] . $form['comment'], 'Link Portal') !== false) {
            return array(null, null);
        }
        if (stripos($form['subject'] . $form['comment'], 'http') !== false) {
            return array(null, null);
        }

        list($ret, $isAnonymousUser) = GalleryCoreApi::isAnonymousUser($gallery->getActiveUserId());

 
johndbritton

Joined: 2005-03-23
Posts: 78
Posted: Fri, 2007-11-30 05:29

I'm working on the comment moderation feature now... I've made some progress already, you can follow along and provide input here:

http://gallery.menalto.com/node/71948

 
the_dave

Joined: 2008-07-01
Posts: 1
Posted: Thu, 2008-07-03 16:01

You can do this by creating a new error state and modifying the comment page to display this error. In the modules/comment/AddComment.inc you can modify the handle request to include this code:

            if (empty($form['comment'])) {
                $error[] = 'form[error][comment][missing]';
            }

In context, it's part of the handleRequest method:

    /**
     * @see GalleryController::handleRequest
     */
    function handleRequest($form) {
        global $gallery;

        $itemId = GalleryUtilities::getRequestVariables('itemId');

        /* Make sure we have permission to add a comment */
        $ret = GalleryCoreApi::assertHasItemPermission($itemId, 'comment.add');
        if ($ret) {
            return array($ret, null);
        }
        
        list($ret, $isAnonymousUser) = GalleryCoreApi::isAnonymousUser($gallery->getActiveUserId());
        if ($ret) {
            return array($ret, null);
        }
        
        $redirect = $status = $error = array();
        if (isset($form['action']['add'])) {
            GalleryCoreApi::requireOnce(
                'modules/comment/classes/GalleryCommentHelper.class');
            
            if (empty($form['subject'])) {
                $form['subject'] = '';
            }
            
            if (empty($form['author']) || !$isAnonymousUser) {
                $form['author'] = '';
            }
            
            if (empty($form['comment'])) {
                $error[] = 'form[error][comment][missing]';
            }
            

You can then make a change to modules/comment/templates/AddComment.tpl to display the error. Search for the code:

    {if isset($form.error.comment.missing)}
    <div class="giError">
      {g->text text="You must enter a comment!"}
    </div>
    {/if}

And add the new section that will display the error directly after:

    {if isset($form.error.comment.http)}
    <div class="giError">
      Comments do not allow links!
    </div>
    {/if}
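
As an added example (not part of the original posts and not Gallery 2's own code), this is a stand-alone version of the server-side check that would set the `http` error the template above tests for, applied to guest comments only as AXYPB asked. The function names are hypothetical, the `form[error][comment][http]` key is an assumption inferred from the template condition, and the link markers are the ones listed in the mod_security rule earlier in the thread.

```php
<?php
// Added example, not Gallery 2 code. Function names are hypothetical; the
// 'http' error key is assumed from {if isset($form.error.comment.http)}.

/**
 * True when the text carries a link marker named in this thread:
 * "http:", "href=" or the URL-encoded form "http%3A%2F%2F".
 */
function containsLink(string $text): bool
{
    // Decode HTML entities and percent-encoding first, so that
    // "http%3A%2F%2F" and "&#104;ttp:" are checked in plain form.
    $plain = rawurldecode(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return preg_match('~https?:|href\s*=~i', $plain) === 1;
}

/**
 * Collect error keys for a submitted comment form, in the
 * 'form[error][comment][...]' style used by AddComment.inc.
 */
function commentErrors(array $form, bool $isAnonymousUser): array
{
    $error = [];
    $subject = $form['subject'] ?? '';
    $comment = $form['comment'] ?? '';
    if ($comment === '') {
        $error[] = 'form[error][comment][missing]';
    } elseif ($isAnonymousUser && containsLink($subject . ' ' . $comment)) {
        // Reported as a form error instead of a silent blank page.
        $error[] = 'form[error][comment][http]';
    }
    return $error;
}

// Constructed sample submissions, all treated as guest posts.
$samples = [
    ['subject' => 'Nice shot',   'comment' => 'Great colours in this one.'],
    ['subject' => 'Link Portal', 'comment' => 'visit http://spam.example/'],
    ['subject' => 'hi',          'comment' => 'see http%3A%2F%2Fspam.example'],
    ['subject' => 'hi',          'comment' => '<a HREF = "x">click</a>'],
    ['subject' => 'empty',       'comment' => ''],
];
foreach ($samples as $form) {
    echo json_encode(commentErrors($form, true)), "\n";
}
```

The pattern matches `http:` rather than the bare substring `http` used in the posts above, so a guest who merely writes the word "http" is not rejected; keyword checks such as 'Link Portal' can be added as a further condition in `commentErrors`.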