I found an interesting comment on facebook, and I felt it's so
insightful that I wanted to post it here. I asked the author (Matt Moo)
for a permission to publish his comment. He said "Sure. If you would
like I can go more in depth." So he did. The result is below.

- Jussi

Matt Moo wrote:

"This is my story of battling spam on a 7 year old site with a LOT of
traffic. After a news article mentions my site, I get 300+ legit content
pieces per day (comments, articles, news, blogs, etc). Just way too much
for a person to authorize every submission.

My site gets 400 to 600 attempted spam comments, and 60 or so attempted
account creations per day. Surprisingly, this is a HUGE reduction in
numbers. I created an anti spam module which for the past year or so has
snagged every spam attempt, with only a handful of potential false
positives. Any suspected spam actions on my site get moved to a holding
area, which the spammer can see when they browse the site (based on ip)
but no one else except an admin can. This way a user doesnt re-post or
complain when a false positive happens and their comment isnt immediatly
viewable.

Somethings that I found over the years that had a major impact:

ALWAYS reparse all user generated content, and if links are found,
insert a rel="nofollow" it tells the major search engines to not
consider that link as part of your content and to not spider it... thus
eliminating most of the benefit of spamming you. Users can still click
links, but for my site... links/html/formatting/images are very
important, so blocking html wasn't an option.

force a 24 hour waiting period before accounts can post content, with
the ability to activate via email to give instant posting ability.

For a long time, I had a moderator for each state, and they had the
ability to delete content that was auto flagged as spam, or flag
comments. Eventually this was removed from abuse and petty fights on the
site.

Put in spam traps, when content is flagged as spam, redirect the user to
blocked content. Most of my spam comes from china, so by loading an
article on tiananmen square, they get kicked offline for 15 minutes (the
great firewall of china sees the content, flags them, and locks them out
for a bit).

When you are 100% positive that a spammer is hitting your site, ie: they
use the same content over and over, set up a nasty trap. Open 500+
windows on their browser, redirect them to the worst web site you can find.

Adding a captcha really pissess of your users, a simple one (a few
letters) will stop most of the bots without annoying your users too
much, a complex one will likely stop them all... but also prevent people
from submitting legit content. Most bot authors wont bother putting an
OCR system into their spamming, too much effort and they will simply go
off to another easier site to spam. Once in a while you run into a
spammer that has a vendetta against you, and you have to implement a
complex captcha until they calm down. The complexity of your captcha
should be easy to change/adjust as a setting option.

Banning proxies doesnt do much, banning IP's doesnt do anything at all.
Content based fuzzy logic detection is the only method that will work in
a high volume site."

#############################################################
This message is sent to you because you are subscribed to
the mailing list Lasso
Lasso@lists.lassosoft.com
To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
Send administrative queries to <Lasso-request@lists.lassosoft.com>