New Spam Prevention Features

[Ryan Ashbrook]

Spam has always been an ongoing battle for community owners as spammers find new ways to circumvent existing anti-spam practices.

We have seen an uptick in new ways spammers are breaking through existing defense.

As such, we here at Invision Community continue to look at new ways for community managers to combat against spam. For our September release, we have added several new tools that can prevent spammers from registering in the first place and help combat them even if they register successfully.

Let's take a look at these new tools and settings.

Geolocation based registration filtering

Oftentimes, spam attacks can originate using bots and servers from specific regions. Using our existing Geolocation service, we have now added filters that will allow administrators to hold registrations from specific regions for administrator review, or deny the registration entirely.

Using this, administrators whose communities are under a spam attack from a specific region, can temporarily filter registrations from that region. Multiple regions can be defined at once, and each individual region can either be held for administrator review, or denied completely.

Disposable Email Filtering

We have added an extra option to our spam defense system to filter users registering with throwaway disposable emails, which are often used by spammers to bypass email validation.

During Spam Defense checking, we now also check the domain in use for the registration against a frequently maintained list. If the user passes through the normal spam defense checking, but is found to have a disposable email address, then the administrator can define one of the following actions to be taken.

• Allow the registration to proceed
• Allow the registration, but moderate all posts (which an option to remove moderation after a certain amount)
• Flag the account for administrator review
• Register the account but immediately ban it
• Completely deny the registration

For both Geolocation and disposable email filtering, the existing Spam Defense Whitelist is always honored ahead of these filters.

Contact Us Email Verification

A common pain point has been the Contact Us page. While the spam does not go to a user facing location, it does still land in the administrators inbox, or other area defined by the sites Contact Us settings.

To help with this, if a visitor who is not logged in attempts to use the Contact Us page, then in addition to the existing CAPTCHA, the administrator can optionally require the person to verify their email address before the message is ever sent. This applies to all Contact Us behaviors, including any added by third party applications.

Cloud Content Analysis

For our Invision Community Cloud customers, we have also added an additional layer of spam prevention after registration.

After a user registers, or if the account has been dormant, then the first few content submissions will be analyzed using a custom developed algorithm within our platform.

The algorithm takes into factor many different elements of the content, and will rank the post between 1 (not spam) and 5 (definitely spam).

The algorithm can be constantly adjusted and improved based on trends without any intervention from the administrator, and without the need to update to new releases of Invision Community.

The administrator can then decide one of the following actions to take based on the score that was received.

• Allow the submission
• Hold the submission for moderator review
• Deny the submission completely

Of course, specific groups can be made exempt from this and not have their content checked at all, which is useful for sites with subscription based registrations which may not want to have this applied to new subscribers, but do want to have new non-subscribers checked.

Spam can quickly become a headache for most community managers, and these new tools will help further combat it at the source. For our enterprise and Invision Community Cloud customers, being able to check for spam when posting is a new tool which will further filter out more of those annoying topics and posts.

We hope these new features give you additional tools in the fight against spam.

The features and changes presented here are available in the following packages:

Geolocation based registration filtering, Disposable Email Filtering, Contact Us Email Verification: Beginner, Creator, Creator Pro, Team, Business, Enterprise, Invision Community Classic (Self Hosted).

Content Analysis: Beginner, Creator, Creator Pro, Team, Business, Enterprise.

View full blog entry

[Matt]

Ryan and the team have done a fantastic job with these new tools and I'm really keen to see how they help in the current spam wave we're all experiencing.

[Chris027]

Thank you guys for this. 

[PoC2]

I don't get spam but I appreciate the great work IPS does in helping blocking it where it is an issue.

[sudo]

The disposable filter is epic! nice work!

[PoC2]

The disposable email filter is a really nice touch.

IPS really does amazing stuff.

[Cedric V]

Disposable email filtering is great. Nice job on that.

[Askancy]

Beautiful tool, my forums are overrun with spam. Initially from Russia, now from Finland and Germany.

But when a admin in our community reports a user as a spammer, does IPS Spam receive a report to learn new data? 

I would like to have a tool in Admin for mass management of users...

[Ryan Ashbrook]

1 minute ago, Askancy said:

But when a admin in our community reports a user as a spammer, does IPS Spam receive a report to learn new data? 

Yes, nothing has changed in that regard - if you mark a user as a spammer, then our spam defense learns from that. 🙂 

[Cedric V]

3 minutes ago, Askancy said:

Beautiful tool, my forums are overrun with spam. Initially from Russia, now from Finland and Germany.

But when a admin in our community reports a user as a spammer, does IPS Spam receive a report to learn new data? 

I would like to have a tool in Admin for mass management of users...

It may be worth checking in with Cloudflare and banning traffic from certain countries like Russia, China, etc. Navigate to the Firewall menu and select the "Tools" option. Choose "IP Access Rules" and create a new rule for the country you want to block. Select "Block" as the action and enter the country code or name you wish to block. 

[Makoto]

Are you able to mention what you're using to filter disposable emails?

I have an application that uses kickboxes free disposable email checking tool, but it seems like they've become a bit less reliable lately. I still get a lot of disposable emails that get through the service. It catches some, but not all. They used to have a much stronger catch rate.

There are other paid API endpoints out there that do a much better job, but they require a monthly subscription to use.

Are you using any singular service, a combination of databases on your infeastructure, or is it a "select your service" type thing (which I'm guessing it's not since it's tied into your spam service)

Very cool to see this being added to the core software regardless! People using disposable emails to register accounts for spam or to bypass other limits/restrictions has definitely been a growing problem I've seen.

Edited August 16, 2023 by Makoto

[Matt]

We don't want to say too much for obvious reasons, but we use a mixture of sources to determine spam accounts and disposable email addresses.

[SeNioR-]

Disposable email filtering is great. Nice job on that.

[Makoto]

1 hour ago, Matt said:

We don't want to say too much for obvious reasons, but we use a mixture of sources to determine spam accounts and disposable email addresses.

I definitely look forward to seeing how it performs. I was planning on just giving one of the paid services a try recently, but if you're able to provide this as part of your included spam defense systems that is a great value for license holders.

[Robert Angle]

This means no more sexy lonely women using the Contact Us form, lol

[Dreadknux]

Fantastic updates guys, I am aware of many spam accounts on my community that come from one particular city/country so the geolocation feature will be super useful. Many thanks for this!

Edited August 16, 2023 by Dreadknux

[TheLlamaman]

For the Geolocation settings, is there a way of filtering all countries EXCEPT the specified one (i.e., a whitelist instead of a blacklist)? My forum's users are all based in one country, so it would make sense for me to validate all users outside of this country.

Also, does the work for users who register via SSO (e.g. Google Login)?

[Marc Stridgen]

2 hours ago, TheLlamaman said:

For the Geolocation settings, is there a way of filtering all countries EXCEPT the specified one (i.e., a whitelist instead of a blacklist)? My forum's users are all based in one country, so it would make sense for me to validate all users outside of this country.

Also, does the work for users who register via SSO (e.g. Google Login)?

Not at present, but thank you for the feedback of course. We anticipate there will be things people bring up once this has been released that can be improved on, as with most new features.

[Ryan Ashbrook]

4 hours ago, TheLlamaman said:

Also, does the work for users who register via SSO (e.g. Google Login)?

Yes, for our built in login methods. Truly custom Single Sign On integrations, which may not use our login handler system / OAuth, may need to implement spam checking, if it's desired (some may have a requirement that no further validation is done outside of their service).

[TSP]

The "Geolocation based registration filtering" sounds good, but maybe you could also provide an option to flip it to a whitelist? So you can choose a global setting that'll apply when a geolocation filter entry for the country is not present, and then you'll add the countries that should be treated differently/whitelisted instead.

[SeNioR-]

Interesting

[Ocean West]

In the past I had installed HotJar on the server and it allows you to watch video of what the users are doing and I know the there is a sweat shop in Inda that people are manually creating accounts, and with in seconds of verifications they have a edited their profile with a picture and usually some blurb in the about us with links usually copy and pasting.

I don't get the effort to bother sometimes they create an account and let it sleep for a while then come back to edit it. 

 

[Makoto]

4 hours ago, Ocean West said:

In the past I had installed HotJar on the server and it allows you to watch video of what the users are doing and I know the there is a sweat shop in Inda that people are manually creating accounts, and with in seconds of verifications they have a edited their profile with a picture and usually some blurb in the about us with links usually copy and pasting.

I don't get the effort to bother sometimes they create an account and let it sleep for a while then come back to edit it. 

 

Yes, these services absolutely exist. They are paid fractions of a penny for each completed captcha. 

The services are so popular there are many Python and PHP libraries just to have your scrapers or other tools hook into these services and bypass captcha pages.

[jaeitee]

On 8/17/2023 at 12:23 AM, Ryan Ashbrook said:

Contact Us Email Verification

A common pain point has been the Contact Us page. While the spam does not go to a user facing location, it does still land in the administrators inbox, or other area defined by the sites Contact Us settings.

To help with this, if a visitor who is not logged in attempts to use the Contact Us page, then in addition to the existing CAPTCHA, the administrator can optionally require the person to verify their email address before the message is ever sent. This applies to all Contact Us behaviors, including any added by third party applications.

 

Excellent.

Spam via the Contact form gets to the point you start ignoring the emails due to the volume.

[Adriano Faria]

Is this part of 4.7.13 Beta 1? The new tab don't appear to me:

 

 

Actually, I can't find any of the new features.

Thanks.