Comment / forum spam and how to stop and fight it

This guide explains forum or comment spam and gives quick general tips on how to limit both incoming and outgoing spam.

Spam in blogs (also called simply blog spam, comment spam, or social spam) is a form of spamdexing (the deliberate manipulation of search engine indexes). It is done by posting (usually automatically) random comments or promoting commercial services on blogs, wikis, guestbooks, or other publicly accessible online discussion boards. Any web application that accepts and displays hyperlinks submitted by visitors may be a target.

Adding links that point to the spammer's web site artificially increases that site's ranking on search engines where the popularity of a URL contributes to its implied value; an example of such an algorithm is PageRank, as used by Google Search. An increased ranking often results in the spammer's commercial site being listed ahead of other sites for certain searches, increasing the number of potential visitors and paying customers.

  1. Make sure registration includes a CAPTCHA - CAPTCHAs are those slightly deformed images of words you see on sign-up pages. They do a pretty good job of keeping out spam bots.
  2. Require email confirmation before allowing someone to post - Bots and humans can get around this, but it is an extra bit of effort that most real people won't mind.
  3. Make sure links in your forum are set to "nofollow" - This tells search engine crawlers not to follow the links, and therefore SEO spammers will derive no benefit from spamming your forum.
  4. Enable anti-spam plugins - These plugins can automatically detect suspected spam based on links, IP addresses, email addresses and the comment itself. Keep in mind that these plugins are not 100% effective and do sometimes return false positives.
  5. Don't allow editing of comments after a few minutes have passed - A frequent trick used by spammers is to post a comment that doesn't look out of place (for example: "This is a great post, very insightful.") and then come back after a couple of weeks and edit it to include spam links.
  6. Be ruthless - Moderators and administrators should review the spam queue on a daily basis, ban spammers and delete all their content.
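The following is an added example (not code from the original article) of how tips 3 and 5 can be enforced on the server side: every link in a submitted comment is rewritten to carry rel="nofollow", and an edit is only accepted inside a short window after posting. The 5-minute window and the sample comment are assumptions made for the example.

```python
from datetime import datetime, timedelta
from html import escape
from html.parser import HTMLParser

# Tip 5: comments may only be edited for a short window after posting (5 minutes is an assumption).
EDIT_WINDOW = timedelta(minutes=5)

def edit_allowed(posted_at: datetime, now: datetime) -> bool:
    """True while the comment is still inside its edit window."""
    return timedelta(0) <= now - posted_at <= EDIT_WINDOW

class NofollowRewriter(HTMLParser):
    """Re-emits a comment's HTML with rel="nofollow" forced onto every <a> (tip 3)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # keep existing rel tokens (e.g. "ugc"), drop any existing nofollow, append one
            rel = {t for k, v in attrs if k == "rel" for t in (v or "").split()}
            rel.discard("nofollow")
            attrs = [(k, v) for k, v in attrs if k != "rel"]
            attrs.append(("rel", " ".join(sorted(rel) + ["nofollow"])))
        self.out.append(self._tag(tag, attrs, self_closing=False))
    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, self_closing=True))
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    @staticmethod
    def _tag(tag, attrs, self_closing):
        parts = [tag] + [f'{k}="{escape(v or "", quote=True)}"' for k, v in attrs]
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

def add_nofollow(comment_html):
    """Return the submitted comment with rel="nofollow" on every link."""
    p = NofollowRewriter()
    p.feed(comment_html)
    p.close()
    return "".join(p.out)
```

Run add_nofollow() on the comment body at save time, not at render time, so the stored copy already carries the attribute whatever template later displays it.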

Application Specific Recommendations:


Akismet - This is the original blog anti-spam tool, developed by Matt Mullenweg. It works pretty well, although every now and then innocent people get caught in the filters. Fortunately, there is an appeals process: someone at Automattic will review your information and give you a reprieve if they decide you really have not been naughty. You should activate Akismet as soon as you install WordPress. Most websites can get an Akismet API key free of charge, and most of the remaining sites only have to pay a nominal fee to offset the cost of maintaining the service. Akismet will mark suspicious comments as spam and hold them for your review. You SHOULD review your spam queue at least once a week. As the site administrator you have the ability to unmark any comments you think are okay.

Stop Spammer Registrations - This plugin checks the database at Stop Forum Spam to see if someone leaving a comment has been tagged as a spammer. There are sometimes false positives, but if you make it easy for people who are incorrectly blocked to contact you, you can whitelist their email addresses and/or IP addresses. I have done this enough times to know it works. You can also set the plugin to maintain a local cache to reduce the amount of traffic between your blog and the database. You do NOT need an API key to use this plugin, but if you do get one you can report comment spam to the database, and that actually helps you, as the automated spam tools will keep coming back to your site and leaving more comments.

Stop Spammer Registrations also works with other services. According to standard text embedded in the plugin dashboard, the plugin "eliminates 99% of spam registrations and comments. Checks all attempts to leave spam against, Project Honeypot, BotScout, DNSBL lists such as, Ubiquity Servers, disposable email addresses, and HTTP_ACCEPT header."

Linksleeve - If you're advanced enough to feel comfortable tinkering with the code of your website, you can add a few lines of code developed by Virante to check the URLs left in comments against the various spam databases. Learn more at


Q&A CAPTCHA - At this time, the Q&A CAPTCHA plugin seems to be the most effective single solution against spambots (and some human spammers). For this technique to be effective, you must use simple but non-obvious question and answer combinations. For instance, "What programming language is phpBB written in?" is an effective question, while "What colour is the sky?" or "2+2 = ?" are not. These questions are particularly effective on niche forums where one can ask a question that is not immediately obvious to the general populace.

Blocking UTC-12 Registrations - NOTE: Although reasonably effective when this was first written, it is no longer particularly effective.

Though generally hesitant to suggest specific MODs or changes, this particular change has proven to be mostly effective against the current generation of spambots. The change below simply shows an error message to bots that attempt to register using the UTC-12 timezone (many bots select it because it is index 0 in the timezone list; it is an uninhabited timezone, so blocking it does no harm).

The change is quite simple:

#-----[ OPEN ]------------------------------------------

#-----[ FIND ]------------------------------------------

       $data = array(
          'username'         => utf8_normalize_nfc(request_var('username', '', true)),
          'new_password'     => request_var('new_password', '', true),
          'password_confirm' => request_var('password_confirm', '', true),
          'email'            => strtolower(request_var('email', '')),
          'email_confirm'    => strtolower(request_var('email_confirm', '')),
          'lang'             => basename(request_var('lang', $user->lang_name)),
          'tz'               => request_var('tz', (float) $timezone),
       );

#-----[ AFTER, ADD ]------------------------------------------

       // Reject registrations that submit the UTC-12 timezone (index 0 in the
       // timezone list, which is what many spambots leave selected).
       if ($data['tz'] == -12)
       {
          $message = $user->lang['ACCOUNT_INACTIVE'];
          // The '<br /><br />' separator is an HTML line break; the tags were
          // stripped from this copy of the MOD and are restored here.
          $message = $message . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '', '');
          trigger_error($message);
       }

#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM

Downloadable CAPTCHA Plugins - The key to effective spam prevention is making your forum unique. An effective way to do this is to use a third-party CAPTCHA plugin, made possible by phpBB 3.0.6's CAPTCHA architecture change. A list of validated CAPTCHA plugins (and other antispam MODs) is available here. Do note that not all antispam MODs are equally effective; you should review the feedback in each item's Support area in the Customisation Database before deciding on the solution that is right for you.

Newly Registered Users Group - phpBB 3.0.6 also sees the introduction of the "Newly Registered Users" group. This feature, which may be enabled via the User Registration Settings page of the ACP, allows the administrator to define a minimum post count; if a user is below this limit they will be a member of the Newly Registered Users group. Permissions may be set on this group much like any other group -- an example use is to place the Newly Registered Users group on the moderation queue for all forums. The user is automatically removed from the group when they reach the defined post amount. Be aware that this feature is not retroactive -- users who registered prior to a board's upgrade to phpBB 3.0.6 will not be placed in the Newly Registered Users group, regardless of their post count.

Anti-Spam ACP - Anti-Spam ACP adds many powerful anti-spam features to your phpBB3 forum such as an Akismet integration, Stop Forum Spam Integration, an IP Search tool, Spam Word list, control over profile fields, flagging suspicious users (for logging their actions), and an easy one click ban link from their profile which clears out their profile and posts.

Current Features:

  • Akismet Integration
  • One Click Ban
  • Stop Forum Spam Integration
  • Spam word catcher (like word censor, except makes posts by authors with less than X posts need approval if the post contains any of the words in the list)
  • Disabling of certain profile fields until X number of posts (or require or always disable)
  • User Flag (Allows you to flag a user (and unflag after they've been flagged). Once flagged, actions performed by that user to their profile, or editing of posts, or adding posts gets listed on a log in the ACP.)
  • Spam Log
  • IP Search

Anti-Spam ACP can be found here.

http:BL - Project Honey Pot offers an effective system to keep spammers and mail address harvesters away from websites. http:BL matches the website visitor’s IP address against a database. If the IP address is known to be used by a spammer the visitor will be blocked before the website is even rendered. The system uses DNS which makes queries very fast.

In order to use http:BL you first have to sign up for Project Honey Pot. You will receive a special key that is used to authenticate against the system.
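As an added illustration (not code from Project Honey Pot or the phpBB MOD), this is how an http:BL check works underneath: the visitor's IPv4 octets are reversed and prefixed with your access key to form a DNS name, and a 127.x.y.z answer encodes days since last activity, a threat score and a visitor-type bitmask (1 suspicious, 2 harvester, 4 comment spammer; 0 means a known search engine). The access key, sample answers and the blocking thresholds in should_block() are assumptions made for the example.

```python
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bits carried in the last octet of an http:BL answer.
SUSPICIOUS, HARVESTER, COMMENT_SPAMMER = 1, 2, 4

def httpbl_query_name(access_key, visitor_ip):
    """Build the DNS name to resolve: <key>.<IPv4 octets reversed>.dnsbl.httpbl.org."""
    octets = str(ipaddress.IPv4Address(visitor_ip)).split(".")
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"

def decode_httpbl_answer(answer):
    """Decode a 127.<days>.<score>.<type> answer; None (NXDOMAIN) means the IP is not listed."""
    if answer is None:
        return None
    first, days, score, kind = (int(o) for o in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    if kind == 0:
        # Type 0 is a known search engine; the third octet then identifies the engine, not a threat.
        return {"search_engine": True, "engine_id": score}
    return {
        "search_engine": False,
        "days_since_last_activity": days,   # 0-255
        "threat_score": score,              # 0-255, higher is worse
        "suspicious": bool(kind & SUSPICIOUS),
        "harvester": bool(kind & HARVESTER),
        "comment_spammer": bool(kind & COMMENT_SPAMMER),
    }

def should_block(info, min_score=20, max_age_days=30):
    """Assumed policy: block listed, non-search-engine visitors whose listing is recent
    enough and scores high enough; unlisted IPs and search engines always pass."""
    if info is None or info["search_engine"]:
        return False
    return info["threat_score"] >= min_score and info["days_since_last_activity"] <= max_age_days

def lookup_httpbl(access_key, visitor_ip):
    """Live lookup through the system resolver (needs network access and a real key)."""
    try:
        answer = socket.gethostbyname(httpbl_query_name(access_key, visitor_ip))
    except socket.gaierror:
        return None   # NXDOMAIN: the IP is not listed
    return decode_httpbl_answer(answer)
```

Because the answer is a plain DNS lookup, the check runs before any page is rendered, which is why the text above describes it as fast; cache results per IP so a busy site does not repeat the query on every request.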

The MOD for phpBB3 can be found here.

Fighting spam on a system level


Install and enable SpamAssassin - Refer to the installation instructions on this page.

Enable realtime blocklists (RBLs) with exim - To enable them, enter:

cd /etc/virtual
rm -f use_rbl_domains
ln -s domains use_rbl_domains

This sets the list of domains to be filtered to match the active domains list, so new domains added to the server are also included in the spammer IP blocking.

For each incoming email, exim will query the remote RBL servers, check whether the sending IP is a known spammer, and reject the email if it is. These lists are regularly updated, so they are highly effective.

Note that some lists also block entire ISP IP ranges, so if your clients are not able to send email, they can switch to sending email through port 587 instead of port 25.

To disable RBLs, enter the following:

cd /etc/virtual
rm -f use_rbl_domains
touch use_rbl_domains

Exclude the original message from bounced emails - This ensures the message doesn't get re-flagged as spam on the other end. Edit your /etc/exim.conf and set:

bounce_return_message = false

Set require verify = sender - Edit your /etc/exim.conf and uncomment:

#require verify = sender

In case it is not needed, disable popb4smtp - Popb4smtp allows relaying for POP- and IMAP-authenticated users. The best way to remove popb4smtp is to take it out of your exim configuration rather than disabling popb4smtp itself entirely, as it is a required component of DirectAdmin's bandwidth usage counter. Edit your /etc/exim.conf and change:

hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts

to:

hostlist relay_hosts =

Further options may include:

  • installation and configuration of ModSecurity
