This repository has been archived by the owner on Sep 5, 2020. It is now read-only.

Spam prevention #169

Closed
bjb568 opened this issue Jan 18, 2015 · 19 comments

Comments

@bjb568
Owner

bjb568 commented Jan 18, 2015

So far what I can think of is:

  • nofollow links
  • asking a programming question "captcha" when registering
  • hidden form element
  • hidden link

Obviously #124 is a big step toward protection too.

What other tricks are there? Which ones should be implemented?

@ArcticEcho
Collaborator

What about passing all questions from users with < X rep to a review queue before publishing?

@bjb568
Owner Author

bjb568 commented Jan 18, 2015

Oh yeah, that's a good idea.

@bjb568
Owner Author

bjb568 commented Jan 18, 2015

Another thing could be adding a token to a hidden form element via JS so spambots would need JS to have the form successfully submit.
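
The hidden form element and JS-inserted token ideas from the comments above, sketched as server-side checks in Node.js. This is an added example, not code from this repository; the field names `website` and `jsToken`, the secret and the time limits are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: real key comes from config
const MIN_FILL_MS = 2000;            // assumed: faster than this looks automated
const MAX_AGE_MS = 60 * 60 * 1000;   // assumed: token lifetime of one hour

function sign(issuedAt) {
  return createHmac('sha256', SECRET).update(String(issuedAt)).digest('hex');
}

// Handed to the page's script, which copies it into a hidden input.
// A client that only parses the HTML form never has a token to submit.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Returns null when the token is acceptable, otherwise a rejection reason.
function verifyToken(token, now = Date.now()) {
  const parts = String(token || '').split('.');
  const issuedAt = Number(parts[0]);
  if (parts.length !== 2 || !Number.isSafeInteger(issuedAt)) return 'bad-token';
  const expected = Buffer.from(sign(issuedAt), 'hex');
  const given = Buffer.from(parts[1], 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'bad-token';
  }
  const age = now - issuedAt;
  if (age < MIN_FILL_MS) return 'too-fast';
  if (age > MAX_AGE_MS) return 'expired';
  return null;
}

// form: the parsed POST body. "website" is the hypothetical honeypot field,
// hidden with CSS: people leave it empty, form-filling bots tend to populate it.
// "jsToken" is the hidden input that the page's script fills in.
function checkSubmission(form, now = Date.now()) {
  if (form.website) return { ok: false, reason: 'honeypot-filled' };
  const reason = verifyToken(form.jsToken, now);
  return reason ? { ok: false, reason } : { ok: true };
}
```

A token stays valid until it expires, so a client that obtains one can replay it; making tokens single-use requires server-side state.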

@ArcticEcho
Collaborator

Good thinking. So that just leaves advanced spambots and human spammers (if the queue doesn't prove to be practical)...

@Unihedro
Collaborator

Additionally, I propose that a "safelink bank" is defined and new users (< x rep) can only use links that are defined in safelinks. The reasoning is that askers shouldn't really need to link to anything more than documentation and trusted fiddling sites like jsbin and ideone; x rep can remove these new user restrictions, which prevents hazardous (and pretty much any un-safe) links posted by new users. Considering how hard it is to get reputation, the removal of new user restrictions would overcome the possibility to see spamlinks.

Gibberish and flat spam, on the other hand, simply needs care.

@thomas-daniels
Collaborator

What about requiring email verification before being able to ask a question? (Note: if we do this, the email thingy also needs to be fixed, as I never got a verification email)

@bjb568
Owner Author

bjb568 commented Jan 19, 2015

1) It is fixed. 2) Email verification is already required to activate your account.

@thomas-daniels
Collaborator

Hmm... how were those spammers able to post stuff with 0 rep then? Because email verification gives you 50 rep, didn't it?

@bjb568
Owner Author

bjb568 commented Jan 19, 2015

No, I manually give out 50 rep to people I trust only because DevDoodle is in its early stages and reputation doesn't work naturally yet. You don't need rep to ask a question. What email verification does is allow you to log in.

@thomas-daniels
Collaborator

Ah, I see.

@ArcticEcho
Collaborator

... or we could just run Smokey, Pham and Chris's bot.

@bjb568
Owner Author

bjb568 commented Jan 19, 2015

:D

@Unihedro
Collaborator

Man, CCTV style monitoring is so 1900. And the spammers will always find a way. Not saying that it's important or that my concern is more than an arbitrary, pointless rant that gives you no information or room to constructively improve, but they will always find a way. ALWAYS.

@ArcticEcho
Collaborator

But, but... who doesn't like a good old-fashioned cyber stakeout?

@thomas-daniels
Collaborator

What about disallowing mailinator.com email addresses? According to the JSON you posted in the Tavern, one of the spammers used that. I've looked it up and apparently it is a website where you can simply access an inbox without having to create an email address. I cannot think of any situation where a real user would want to use that, so we can probably disallow it. If spammers have to create an actual email address, it will at least slow them down, or they might simply not.

@ArcticEcho
Collaborator

It may be worth our while to look for - and block - other such services too.

@Unihedro
Collaborator

It really isn't that hard to buy a $0.99 per year .xyz domain and then set up all MX records to redirect to a real inbox for a spammer to sign up with a@elitehckr.xyz, b@elitehckr.xyz, et cetera, either. So I think that simply blocking a few sources of tempmail services isn't absolutely the most practical way to go about it, but it's a good start.

@thomas-daniels
Collaborator

Here's a nice list of temp-mail services:
http://alternativeto.net/software/10minutemail/

@bjb568
Owner Author

bjb568 commented Sep 14, 2015

I'm closing this now since I don't think it's really an issue. It can be reopened when spam poses a bigger threat.

@bjb568 bjb568 closed this as completed Sep 14, 2015