
1 Jun 11, 2005 02:21    

Is there a way to either (a) moderate comments or (b) require users to register before allowing them to post comments?

I have tried quite a few things to stop spam on my b2evolution blog. I disabled public access to the stats pages. I actively maintain my antispam Banned domains blacklist. I followed [url=http://tin-men.net/blog/how_i_ve_killed_all_spam_on_my_site]these instructions[/url] on stopping comment spam. I disabled trackbacks and pingbacks because of spam. I 'close' posts older than one month to prevent comment spam on old posts. I am still getting five or six spammer comment posts on [url=http://adammonsen.com/blog/]my blog[/url].

Also, is there a way to moderate trackbacks/pingbacks? It seems like some type of moderation system would provide a great tool for stopping spam.

Thank you,
-Adam

2 Jun 11, 2005 18:50

There's no way to force comment moderation now. I don't know if it's planned or not. It wouldn't be too bad for very small blogs with a lot of comment spam, but I'm sure it could get tiresome very quickly for any site that gets more than a couple of comments per week. There are some very good antispam tips in [url=http://forums.b2evolution.net/viewtopic.php?t=3764&highlight=whoo+antispam]this thread[/url]. Some of my favorites:

Renaming the htsrv directory
an .htaccess line that prevents any direct access to the comment file
Keep the antispam list updated

3 Jun 12, 2005 00:04

Personman -

I concur with your favs, all of which, I have done. To that, I might add changing the comment_post.php file name too. (I believe whoo has directions for this [url=http://village-idiot.org]on her site[/url], where I got the idea, but you'll have to search for it.)

However, despite these measures, we were hit with trackback spam just two days ago. :(

I've been revisiting the issue and believe that I have come upon a couple of simple tools to strengthen the defenses. One involves a mixed use of hex/ascii iso-8859-1 entity values in _advanced.php file for the "htsrv" definition (specifically, the use of special characters in the directory name). The other, a php cron to dynamically and randomly change the htsrv dir name on a periodic basis.

I'll post more when I have it nailed down better.

Personally, I'm not fond of blocking IP's ... as it's always "after the fact".

Nor the "captcha" method (where visitors type in some graphically displayed number to leave a comment). I don't like to put the onus on visitors just to minimize MY spam.

Meonkeys ... I know moderation is something Francois is keen about. (Not sure what, if anything, he's gonna do with it). You CAN limit comments to registered users, but for me, I don't want to limit the ability of visitors to post. (It's kinda like giving up).

The quickest way to deter comment and trackback spam is to change the htsrv dir name and simply make a habit of changing it once in a while. For referral spam ... don't post stats. Email spam? When you put your email on the page ... you can use a javascript encrypter script to hide the email from being 'harvested'.

Report all spam addy's on the anti-spam tab (which also provides a quick way of deleting a bunch of matches from your blog DB too). Very satisfying to nail a spammer and know that other b2evo users will block their efforts. :)

The "htsrv" dir name change is easy. Change dir name. Modify reference in _advanced.php. Boom-batta-bing.

Cheers,

-stk :D

4 Jun 12, 2005 12:39

i changed the directory name a few days ago.
still getting spam. not as much as before, but still, getting spammed about once a day. maybe twice.

5 Jun 12, 2005 15:48

what kind of spam? comment or trackback?

(changing htsrv won't do anything for email or referrer spam)

send me an email ... I'll work with you to get my idea #1 implemented on your site. I'm curious to see if it keeps spamming at bay and if so, for how long.

Cheers,

-stk

6 Jun 12, 2005 18:47

it's comment spam.

i'll write you as soon as i find the time
thanks for your offer in advance.

greetings.

7 Jun 13, 2005 14:42

FYI re AntiSpam Efforts

"Bad Behavior" is a plugin originally made for WordPress, which now has a generic component so it can be used with any blog. Unlike other antispam techniques discussed on these boards, this plugin is "live", looking at the behavior associated with access attempts. Where there is excess bandwidth, or other typical spam behavior, the bot/person is blocked. There are built-in safeguards for friendly bots, such as google.
http://www.ioerror.us/software/bad-behavior/

While I'm here, note that I truly adored using b2evolution for a year or so, but finally decided to look for a replacement during the Memorial Day weekend. There are some spammers who are so determined that they resort to manually entering their crud. Changing the comment file and directory names helped for a spell, but the spammers came back, with a vengeance. Because b2evo stubbornly refuses to filter or moderate comments, what was once a joy became a royal PIA. Bluntly, I have better ways to spend my time than to babysit the htaccess file with continuous updates. Fortunately, WordPress has improved by leaps and bounds since my April 2004 b2evo adoption, and it's enough like b2evo to prevent withdrawal pains. You can now opt to moderate certain likely-to-be-spam comments, out of the box. I've found that system to be quite intelligent, but adding a few spam-related plugins brought me absolute peace, globally (comments, trackbacks and pingbacks).

Thankfully, there are scripts available which allowed me to import roughly 1000 b2evo posts, plus comments, within minutes. Googling will yield how-to's if you want to keep a true multiblog structure. Otherwise, the import nicely handles converting blog names to parent directories, and categories within the respective blogs to subcategories. I only encountered one grr: if the parent directory had no posts within itself directly, it would not appear on the blog list. But adding a post to it quickly cured the problem.

There is rarely a need to hack core code, as a robust plugin system exists to handle the hundreds of tweaks made freely available by the WP community. You simply unzip the plugin package, upload to the plugins directory, activate via the admin panel, and it's done. Ditto themes/skins. FWIW, I've found the drop-in trackback and pingback antispam plugins to be golden. Equally appreciated: plugins allowing easy integration of AXS stats, Technorati tags and delicious; live comment preview; witty (random quotes); smart archives; stylesheet switcher. In short, I've lost nothing but spam headaches per this transition, and gained an embarrassment of available easy-to-implement features.

For those interested, here's some starter pages to review. But be sure to read up on WordPress first, to ensure it will meet your particular needs/desires.

March 2005 script: http://themikecam.com/downloads/import-b2evolution.php.txt
There are several versions of this script in circulation. This one properly handles post-date and permalink issues proving troublesome in other importer scripts.

info re b2evo to wp: http://www.google.com/search?q=b2evo-to-wordpress

8 Jun 14, 2005 18:50

Michael,

Glad you like WP! :) Seems like there are plenty of open source blogging packages to go around.

Because WP is popular, it's a big [url=http://www.village-idiot.org/archives/2005/05/16/spam-just-for-wordpress/]target for spam[/url]. And I think that's what spam is all about ... not making yourself a target.

Nothing wrong with an anti-spam plug in, per se, but I see avoiding spam as a dance I really don't want to do. You change things up a bit and you avoid spam for a while. Then blammo - spammo - you get hit again and it's time to up the defenses. (Like you say, changing the htsrv works for a while. Change it again and it works for less of a while ... pretty soon, you need to do something NEW). A plug-in will be defeated eventually ... then what?

I like whoo's take on [url=http://www.village-idiot.org/archives/2005/04/05/wordpress-windows/]wordpress plugins[/url] and [url=http://www.village-idiot.org/archives/2005/03/02/sp-am/]spam[/url]. She sums it up so nicely that it's worth posting here:

[regarding spam] Nothing is guaranteed. I could say, “Hey, look at me, I have no spam, and this is what I do!” and 10 seconds later I could be hit...

The goal is to make it harder to hit you than the other 100,000,000 blogs and forums and guestbooks on the ‘net. You can distinguish yourself, by making small changes...

I can't really knock WP, nor do I wish to, but I can say that a reliance on all things plug-in, isn't the way I want to go. Yeah, it's simple (embarrassingly easy) but I prefer b2evo, which I like to think of as a "thinking person's blogging engine". ;)

9 Jun 14, 2005 19:50

stk wrote:

...
You CAN limit comments to registered users,
...

How is this done?

10 Jun 14, 2005 22:16

Meonkeys,

This is not something that I recommend, desire, have done or do ...
But to each his own ... it's completely up to you!

Spam is a hassle and may leave you in the lurch,
But to find such solutions here just use search.

"comments" AND "registered" AND "users" was what I used,
to find EdB's post which helps keep comments from being abused.

[url=http://forums.b2evolution.net/viewtopic.php?t=2438&highlight=comments+registered]HERE YOU GO![/url]

:D

11 Jun 14, 2005 22:21

Thanks for the link, stk! I like the poem, too. :)

I did actually search the forums quite a few times before asking this trivial question, but I was using google, and limiting my results using site:forums.b2evolution.net. I just couldn't find what I was looking for: exactly the link you provided.

Next time I'll just use the search feature for this forum.

12 Jun 16, 2005 04:01

Glad you liked the poem (it was a slo day!)

-stk :D

13 Jul 02, 2005 09:00

stk wrote:

The quickest way to deter comment and trackback spam is to change the htsrv dir name and simply make a habit of changing it once in a while. For referral spam ... don't post stats.

...

(changing htsrv won't do anything for email or referrer spam)

All I've been getting is referrer spam (dozens every day) and I tried the HTSRV trick. Now I see it doesn't make a difference.

I didn't want it to come to this, but I guess I'll delete the links to the stats pages.

Question: Just because I take away links to the stats pages, won't they still be there if people know the address? I've even noticed my stats pages are listed in Google.

14 Jul 02, 2005 14:11

Have a look for whoo's anti-spam thread, there are tips there for locking down access to stats thru .htaccess.

15 Jul 02, 2005 14:26

Mike,

Electing NOT to show the stats is a simple way to deal with referrer SPAM. (Note: You will still get the referral SPAM, but you will deny the spammers their objective).

By listing the "last referers" (sic) on a site, the referral spammer gets a link on your page, back to their site. (1) It's another form of advertising (someone looking at the stats on YOUR page, might click through to their site and buy something) and (2) the spammer site gets a higher search engine ranking (because of all the referral spam links that they've scattered around).

As you've concluded, changing the HTML Services directory name "HTSRV", doesn't do a thing for referral spam.

I notice that the single display (permalink view), which you can get to by clicking either comments or the permalink icon for a single article, does NOT display a trackback address (as it normally does). THIS is the only place that the HTSRV directory is displayed on a b2evo blog page. So ... as a result, you can rename the HTSRV and know that you're not publicizing the name in your HTML (of course, without a trackback URL ... you won't get any trackbacks either) ;)

Regarding referral spam ... there may be a couple of things you can do.

1) Use the anti-spam blacklist option to ferret out, report and then remove the unwanted referral spam on your page (places like "refinance1.kazan.ws" and "free-webcam-chat-rooms.xxcds.com")

2) We don't display stats on our page, so I'm not certain, but it would seem to me that you could edit the stats.php page for your skin and OMIT "latest referrers". (The rest of your stats appear to contain very few unwanted items). Your top referrers, searches, top referring engines, Indexing Robots and Top aggregators all appear to have valid data. (It's just the last referrers that seem to display the referral spammers addresses and gets them what they want).

Of course, you'll still need to stay on top of the antispam tab in the back office ... update the black list periodically, and ferret out, report and delete the undesirable referral spam.

BUT ... you'd get to keep the majority of your stats page and keep the spammers from achieving their goal (a link back to their scammy site on your page!)

Hope this helps.

-stk :D
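
The filtering stk describes for the "last referrers" list, as an added example that is not part of the original post and is not b2evolution code: it drops blacklisted referrers and returns the rest as escaped plain-text hosts, so nothing in the list becomes a link. The function names, the substring matching and the sample data are assumptions; the two spam hosts are the ones named in the post.

```php
<?php
// Added example: hypothetical helpers, not part of b2evolution.
// Decide which "last referrers" entries are safe to list on a public stats page.

/** Return the lowercase host of a referrer URL, or null if it is not http(s). */
function referrer_host(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return strtolower($parts['host']);
}

/**
 * Drop referrers whose host contains any blacklisted string (substring
 * matching is an assumption about how the blacklist is applied) and return
 * the rest as escaped plain-text hosts, de-duplicated.
 */
function displayable_referrers(array $referrers, array $blacklist): array
{
    $out = [];
    foreach ($referrers as $url) {
        $host = referrer_host((string) $url);
        if ($host === null) {
            continue; // malformed or non-web referrer: never display
        }
        foreach ($blacklist as $needle) {
            if ($needle !== '' && strpos($host, strtolower($needle)) !== false) {
                continue 2; // blacklisted: skip this referrer entirely
            }
        }
        $out[$host] = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
    }
    return array_values($out);
}

// Constructed sample data; the first two hosts are quoted from the post.
$referrers = [
    'http://refinance1.kazan.ws/',
    'http://free-webcam-chat-rooms.xxcds.com/index.html',
    'http://www.google.com/search?q=b2evolution',
    'http://www.google.com/search?q=antispam',
    'ftp://files.example.net/',
    'not a url',
];
$blacklist = ['kazan.ws', 'xxcds.com'];

print_r(displayable_referrers($referrers, $blacklist));
```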

16 Jul 04, 2005 18:38

Thanks for the advice. I hadn't thought of editing my stats.php to remove last referrers.

I've been going through the anti-spam steps with every spammer. I've also been blocking all the domains using the function in my cPanel interface. This essentially blocks spammers by adding the IP's to my website's root .htaccess. I think this is enough... I've never made any changes to the .htaccess in the blog area of my site. Wouldn't that be redundant?

All that is great to keep out return spammers. But I get a dozen new ones every day. It takes an hour or so to go through all this maintenance. That's why I was hoping to block or discourage new ones somehow.

So even if I take visible links off my stats page, they'll still be hitting me and messing up my monthly webstats for the site. Great.

I've noticed that some spammers are hitting areas of my multiblog that I never use. Blogs I started, but never made public. Or those introductory b2evolution pages that I never deleted. I guess I should delete those areas, right?

I haven't concerned myself with trackbacks up to this point. (I'll have to do some research to find out what they are and why they're important.)

17 Jul 04, 2005 18:59

This is interesting. I just noticed that some referring searches for my site were Yahoo searches for

"URLs, email, AIM and ICQs will be converted automatically." watch

Which is part of the text at the bottom of every comment window. Maybe I should change that text, so I don't look like every other b2evolution blog out there.

Now that I'm on a roll... What if I renamed target pages like _stats.php and _arcdir.php? And changed their names in the main.php file to go from this:

case 'stats':
// this includes the statistics if requested:
require( dirname(__FILE__).'/_stats.php');
break;

case 'arcdir':
// this includes the archive directory if requested
require( dirname(__FILE__).'/_arcdir.php');
break;

To something like this:

case 'info':
// this includes the statistics if requested:
require( dirname(__FILE__).'/_info.php');
break;

case 'otherpages':
// this includes the archive directory if requested
require( dirname(__FILE__).'/_otherpages.php');
break;

Would that bring on millions of problems that I can't predict?

18 Jul 15, 2005 18:49

I've just added b2evolution but have been running a CMS for a while which was getting comment spam and implemented a simple change which stopped it dead cold.

I applied the same change to my b2evo comments and haven't gotten any yet...

Basically, I require them to complete the last word of a *simple* phrase in addition to the comments. Said phrase having something to do with the site in question... So it says on the comment form beneath the comment:

Complete the following phrase: Hong _ _ _ _
This is to protect against comment spamming, etc... etc...

My site being about a certain city in china, as an example. It's always the same phrase (which makes it easy for repeat commenters) and not one of those random image generators, but the point is it's simpler than registering to comment (which discourages a lot of users) and automated spammers won't bother coming around and check out how to "infiltrate" my tiny little site. If they do, I just change the phrase, but they haven't yet...

A relatively simple change to the _feedback.php and comment_post.php files...
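
The fixed-phrase check described in this post, as an added example that is not the poster's code and not b2evolution's: the answer is verified on the server, in the handler that receives the comment, before anything is stored. The field name `challenge_answer`, the function names and the phrase itself are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names throughout, not b2evolution code.
// Server-side check for a fixed "complete the phrase" question on a comment form.

const CHALLENGE_PROMPT = 'Complete the following phrase: Open _ _ _ _ _ _'; // constructed
const CHALLENGE_FIRST  = 'open';                                          // constructed
const CHALLENGE_ANSWER = 'source';                                        // constructed

/** Normalise what the visitor typed; null means the field is unusable. */
function normalise_answer($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 64) {
        return null; // missing field, array input (answer[]=x) or oversized value
    }
    // Ignore case and any spaces or underscores copied from the prompt's blanks.
    return strtolower((string) preg_replace('/[\s_]+/', '', $raw));
}

/** True only when the posted form carries the right answer. */
function challenge_passed(array $post): bool
{
    $answer = normalise_answer($post['challenge_answer'] ?? null);
    if ($answer === null || $answer === '') {
        return false;
    }
    // Accept either the missing word or the whole phrase typed out.
    return hash_equals(CHALLENGE_ANSWER, $answer)
        || hash_equals(CHALLENGE_FIRST . CHALLENGE_ANSWER, $answer);
}

/** Gate for the comment handler: call before anything is written or e-mailed. */
function accept_comment(array $post): array
{
    if (!challenge_passed($post)) {
        return ['stored' => false, 'reason' => 'challenge failed'];
    }
    // Only on this path does the caller go on to its normal validation and insert.
    return ['stored' => true, 'reason' => 'ok'];
}

// Constructed submissions: the field omitted, the field sent as an array,
// and a visitor who types the answer with different capitalisation.
$samples = [
    ['comment' => 'first constructed comment'],
    ['comment' => 'second constructed comment', 'challenge_answer' => ['x']],
    ['comment' => 'Nice post!', 'challenge_answer' => ' Source '],
];
foreach ($samples as $post) {
    echo json_encode(accept_comment($post)), PHP_EOL;
}
```

Changing the phrase means editing the three constants together; the form template would print `CHALLENGE_PROMPT` next to the extra input field.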

19 Jul 17, 2005 13:53

This hack has already been implemented. If you search, you'll find it.

20 Jul 23, 2005 07:00

I don't display stats on my blogs... never have.

Yet these referrer spammers have devoured my bandwidth this month and shut my site down today when I hit my limit. I need something to help stop the bandwidth hogging.

23 Mar 06, 2007 20:12

nate_02631 how did you do that? What were your changes to the files you mentioned?

and to Graham, I have searched to find the hack which would implement nate_02631's concept, but couldn't find it. Can you suggest where that is or how to do it?

25 Mar 06, 2007 20:33

Thanks so much personman... The Turing Test plugin is exactly what I wanted. I tried that once on Edb's website, but didn't know how to find it again or what it was called.

26 Mar 07, 2007 00:07

It's called exactly that, and is currently on the plugins section's main page. A few more plugins and it'll slide to page two, but for now click 'Extend' (above) then plugins, or this http://plugins.b2evolution.net/

