Optimization of Flarum Anti-Spam Mechanism
(Feedback)

After my forum was captured by spam for a couple of days, I realized that Flarum's current processing and detection of spam is not perfect. Here are my suggestions.

Integrate all current anti-Spam extensions into one.

In the extension settings, you can choose whether to enable one of the functions:

  1. FoF Stop Flarum Spam
  2. FoF Spamblock
  3. FoF Disposable Emails
  4. Mail Filter
  5. FoF Ban IPs
  6. Suspend

And add the following functions on that basis:

  1. Discussion Creation Frequency Detection: In the first stage, set that a user can only create x discussions within a set period of time. When the user violates this rule and tries to create a discussion, prompt "You are currently operating too frequently. Please try again later."
    In the second stage, another, longer period is set. The user can only create y discussions. When the user violates this rule, the user is prohibited from using the topic creation function and the reply function for a few minutes.
    (Currently FoF Filter has the ability to merge duplicate posts, which is very insufficient.)

  2. UA or Request Header Detection: detect whether it is normal browsing behavior.

  3. Post CAPTCHA: posting a discussion or a reply requires captcha verification or Google reCAPTCHA (which is very effective when under spam attack).
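The two-stage frequency limiter described in point 1, written out as an added Python example (not code from Flarum or from any of the extensions named above; the policy values, the in-memory per-user store and the reset of the history when a lockout is triggered are my assumptions):

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    x: int               # stage 1: max discussions per short window
    short_window: float  # seconds
    y: int               # stage 2: max discussions per long window
    long_window: float   # seconds, longer than short_window
    lockout: float       # seconds the user loses create/reply after a stage-2 breach


MESSAGES = {
    "allow": "",
    "too_frequent": "You are currently operating too frequently. Please try again later.",
    "locked": "Discussion creation and replies are disabled for a few minutes.",
}


class DiscussionRateLimiter:
    """Sliding-window limiter keyed by user id; timestamps are seconds."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.created = defaultdict(deque)  # user -> timestamps of accepted discussions
        self.locked_until = {}             # user -> time the stage-2 lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def check_reply(self, user: str, now: float) -> str:
        # Replies are only affected by a stage-2 lockout, not by stage 1.
        return "locked" if self.is_locked(user, now) else "allow"

    def try_create_discussion(self, user: str, now: float) -> str:
        if self.is_locked(user, now):
            return "locked"
        q = self.created[user]
        while q and q[0] <= now - self.policy.long_window:  # drop stale entries
            q.popleft()
        # Stage 2: breaching y in the long window triggers a lockout; the history
        # is cleared (assumption) so the user starts fresh when the lockout expires.
        if len(q) >= self.policy.y:
            q.clear()
            self.locked_until[user] = now + self.policy.lockout
            return "locked"
        # Stage 1: breaching x in the short window is only a soft rejection.
        recent = sum(1 for t in q if t > now - self.policy.short_window)
        if recent >= self.policy.x:
            return "too_frequent"
        q.append(now)
        return "allow"
```

Only accepted creations count toward either limit, so rejected attempts do not push a user into stage 2.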


Hi, Mail Filter creator here. What you have to understand is that all these extensions, including mine (especially mine!) are nowhere near the level of polish that is needed to be added into Flarum. Perhaps in the future they might be added (or something similar to them), but currently only Suspend is at the level it needs to be, even though I think the options of how much you limit a banned person are too sparse - ex. a better integration would be if they were simply put into a special user group.

Anyways, back to the point. Everything you said is valid, but let's examine some problems with your proposed changes:

  1. This system's flaws are mainly in "what are good numbers". This is something that not only depends on the community, but is also hard to figure out for the administrator as well. Regarding this, there is already Akismet, which is built-in - was built-in, sorry. I think it does a good job - the nature of my forum allows for some spam, yet my users never complained it was annoying. I ended up turning it off because it had nothing to do; Spamblock will be more effective if I ever encounter really malicious spammers. So try to look at that extension, maybe modify it in some way you see better fit and submit a pull request so all of us can benefit from it.
  2. So, you're technically gimping your forum to be unusable for useful automation, like data mining, because it might be abused by bots. While your concern is valid, I would suggest you solve problems without sacrificing accessibility. Browsing something without a browser isn't the issue here - it's what you do with it that can become bad.
  3. This is also unnecessary. While the new reCAPTCHA is a remarkable piece of work, it is still only AI built by humans. While the new reCAPTCHA rarely ever bothers users because of how stealthy it is, it is unnecessary to apply it to posts - not everyone would like to limit posts to only human-like posters, especially if you're using bots for moderation - like I will in the future once I develop my bot-powered automoderation plugin. What would solve your problem is system 1.

So to conclude, while I think that you have a point, keep in mind that loads of default extensions are not what Flarum is intended to be - a light yet modern forum. Every extension you include makes it heavier and harder for developers to focus on the core itself.

Are spammers difficult to deal with on a Flarum forum? Yeah, they definitely are. But there are already tools like Akismet and Post approval which serve both as a soft and hard measure against spam. For everything else, let people use extensions if they want to.

    [deleted]

    Yalfoosh In my case, I use a WAF with daily updated rules to track spammers. For most of them who trigger the rulesets, they won't even be able to load the page, let alone login and post.

      Yalfoosh Thank you for your reply. Let me explain a few points:

      1. Akismet does not seem to be integrated in the new Flarum installation package. Users need to go to GitHub to find it and install it. Thank you for telling me about this extension. I haven't used it yet. I will install it and give it some time to see the effect. Also, is this extension synchronized with the newest Akismet rules?

      2. I use a WAF, which has some built-in rules and has no daily updated rules function; it cannot stop a spammer from creating an account and then using this account to create more than 40 spam discussions or gambling advertisements per minute. I need to manually ban the IP + ban the account + delete the discussions and posts in the database; when I do this, the spammer creates another account and then sends spam discussions again. Although I turned on Mail Filter and FoF Filter, this only hides the spam; I still needed to delete it manually.

      I remember that both the Flarum and MyAdminhq websites have suffered a large number of spam posts. Is it easier to deal with spammers when they send spam in English, and more difficult with CJK characters? The spam attack even made the MyAdminhq website shut down in the end.


      1. reCAPTCHA is required for posting discussions or replies. This feature is only enabled when spam attacks are encountered, which can effectively prevent spam.

      2. I know that integrating anti-spam extensions into Flarum Core is unrealistic. So what I mean is combining them into one extension, so that it is easy to install and use; users do not need to find additional anti-spam extensions, they only need to install a special anti-spam extension. New features need only be added there.

        Littlegolden Well, from what I understand, you would benefit greatly from a mass post/account deleter extension, as well as a somewhat intelligent rapid-fire posting detection extension.

        The first one is tricky - although it is not difficult to create such an extension, its misuse could lead to grave consequences. Personally, in the near future I might be creating an extension that automatically erases users who never validated their mail based on a set of rules. It's something I need given that I have a rate of almost 2% incorrectly typed academic emails, something that might prevent future users from registering with their own account if it was previously mistakenly entered. You might then be interested in giving it more functionality, such as deleting permabanned users and their posts.

        For now, you can probably go to your database via SSH and run SQL queries that will delete the spam, but I'd recommend you talk to someone more qualified than me on how to do it.

        The second one can already happen using rule based spam filters. I'm pretty sure Akismet covers rapid-fire posting. The only question is if their plan is acceptable for you (they do have free plans, but they also have paid plans). A more lightweight extension could be written, of course, too, but I don't know of anyone that's currently interested in doing it.

        Personally, my current line of work revolves heavily around spam detection. It's something that's insanely tricky given today's software and hardware capabilities. The algorithms we have are trash and the knowledge we have about language itself is very poor. Effectively combating spam requires intricate knowledge of not only its patterns, but also the techniques for detecting them. To answer your question on what spam is harder to detect, most systems are trained on English data, so naturally detecting English spam is usually the easiest.

        What I would recommend you do is focus on solving the problem with Akismet for now, because it's probably the best fit given your problems. Better solutions will without a doubt include more complex systems that will have to combine good performance with low overhead, and those are far, far away.

          a year later

          [deleted] I use a WAF with daily updated rules to track spammers

          Would you share which WAF you are using, and have you tried others?