Bug #2338
closedcommonsinabox.org PM spam
0%
Description
Last night a spammer signed up for commonsinabox.org and sent out some spam PMs. I'd like to have a brief discussion here about how to avoid this in the future, and deal with it when it does happen. The immediate concern is commonsinabox.org, but if there are general takeaways for Commons In A Box, let's discuss that too.
First, I do have in place a couple lines of defense against bot-spammers on commonsinabox.org. I changed the signup slug from 'register' to 'signup'. I installed a simple honeypot plugin (the one written by Pixel Jar). And I extended the honeypot to do some are-you-human checking, using a couple of questions. Here's the code, which the devs should have access to: https://github.com/cuny-academic-commons/commonsinabox-org/blob/master/wp-content/mu-plugins/buddypress-honeypot.php I think that this is about as good as we're going to get in terms of blocking bot spam, though I'll be happy to hear Ray and Bowe's thoughts about it. (Also, I'd be happy to hear your thoughts about whether adding something like this to Commons In A Box is a smart idea.)
My guess is that last night's spammer was not a bot, but was an actual human being, maybe a Mechanical Turk type of thing. As long as we have open registrations, we leave ourselves open to this sort of thing.
A couple ideas for mitigating damage:
- Disable PMs - are they really useful on commonsinabox.org?
- Require that users be signed up for a certain period of time before being able to send PMs. Or some other minimum number of friends, amount of activity, etc
- Disable email notifications of PMs
Other ideas?
Finally, when we do get hit with spam like this, we should have a cleanup policy. I see that someone has already deleted the user. In the future, it would be nice just to mark the user as Spam, so that the user remains in the database. As far as the spam content, I can easily delete all the spam PMs from the database, but then I should also delete the "You have a new message" notifications. And if I delete them both, people who click through on the links in their emails will see a 404, which might be more confusing than having the spam PM.