You are here

HomeForumsSite discussion

spam invasion ...and disable html

October 4, 2009 - 22:35 — PhotoComiX

you may see a invasion of spam some quite hard to detect
(for that hard to detect trick is copy a normal message adding just few links and repost ..hard to detect without reading all the message ...and we are lucky that nobody yet get the idea to hide links in word as gimp or script )

But both the most visible and most hidden spam have something in commune, the goal to post hyperlinks

Then maybe most of that may be avoided ...maybe not by mollum . but simply disabling html when who post did not login first

And for the occasion may be added a useful option to this side : allow to post in PLAIN TEXT
Is a pain that often part of messages vanish because seen as html tag ,option to disable html will prevent that

And i believe automatically disable html when no login was done will deprive spammer of their goal, they are not interested to post link in plain text

Forums: 
Site discussion
October 5, 2009 - 16:13 — schumaml

It is possible to create different input formats that disallow certain elements of HTML - for example, just preventing the use of <a> elements will make url spamming useless. I've even created this format already.

Drupal allows the admin to limit the access to input formats to certain user groups (e.g. anonymous users won't be allowed to use HTML, only plain text), but has one major drawback:

The default input format will always be available to everyon e and is selected by default (kind of obvious, isn't it).

This means that is the default is plain text, then authenticated users will have to change it to HTML when they want to post a URL that's supposed to be transformed into a link.

If the default format is HTML, then the unauthenticated spammers will be able to use it, too.

October 5, 2009 - 22:14 — mahvin

Legitimate users shouldn't mind manually coding their hypertext links, as for most of us that is what we do anyways. (Or I would hope this was the case!)
October 6, 2009 - 06:03 — PhotoComiX

I found more problematic the actual impossibility to use plain text then have HTML disabled ...even more if will be only partially disabled just to prevent masked links
October 6, 2009 - 10:20 — schumaml

Why is this impossible?

As I wrote, it is rather easy to create an input format that allows most formatting options of HTML - different text weight, style, ... - but disallows links (the <a>element</a>). If you check the existing HTML formats, you'll see the "Restricted HTML I've created.

The only problem with this is that in order to make this useful (i.e. limit unauthenticated users to this format), it has to be the default for everyone. Authenticated users can change it, but they'll have to know about this.

We could try this for a few days, ingnore complaints by users who think that the site is suddenly broken and see if the effect on spam is noticeable. Keep in mind that this might have an impact on Mollom's spam detection:

<a href="spamsite">babble babble babble</a>

is different from

&lt;a href="spamsite"&gt;babble babble babble&lt;/a&gt;

October 6, 2009 - 10:51 — ingo

Hi, firstly, Mollom gets to see the data before the tag-filter applies (the tag filter is applied on the output, not the input), so it wouldn't be affected. That said, to me links are one of the most important parts of the web and Registry users should be able to link to their sites as they wish. I'm not going to give in to some stupid spammer and disable that. What I would find ok is disabling HTML in comments only, not other content, but unfortunately, that is impossible with Drupal 5, as far as I can tell, because comments share the content input format settings. best, Ingo
October 6, 2009 - 13:17 — schumaml

I thought that one of the problems with the Drupal Mollom module was that the whole transformed content got sent? Or is this fixed in the current version?

Maybe we can have a restricted default, but change the value of the input format for authenticated users when a reply/post page is loaded - can we include any Javascript code conditionally? A cursory inspection of the site building options didn't show any obvious places to do this, but I didn't look very hard.

October 6, 2009 - 21:29 — ingo

Actually, I haven't looked to closely at what it sent to Mollom. I just assumed that they see the actual content, before filters, but I can see why that might not be the case. Regarding links, what do you think of photocomix's idea with plain vs. embedded links? We could use the url filter to turn http-URLs into links and disallow the "a" tag.
October 6, 2009 - 21:53 — mahvin

Anything to keep anons from hiding a href links in comments is a good idea. If you noticed, a lot of the spammers who signed up both hid links in duplicated comments and created comments with nothing but a href links all throughout. I don't recall what the process was when I signed up with the Registry, do we have to verify our email address in order to log in, initially? The reason I am asking is, anything that we can put between an automated spammer script and the Registry is a plus. It might reduce the amount of automated spam the Registry gets if members have to validate themselves in some fashion.
October 6, 2009 - 18:02 — PhotoComiX

Maybe i was not clear Would be sufficient disable embedded ,hidden links As example to prevent to use words as " nice plugin" or "gimp" to hide links for porno or pirate sides NOT to disable plain link as http://gimp.org or www.gimp.org ############################### But anyway will be useful a option to post message in plain text so for example we may wrote something as "to change script location edit this line >image< Filters/... " without have to invent trick as the inverted arrow i used here
October 6, 2009 - 21:27 — ingo

Hey, thats an interesting idea. Yes, it would be quite useful to do this. We only have to be carefull not to break existing stuff. I'll look into it tomorrow.
October 5, 2009 - 16:30 — schumaml

And don't think that doing this will stop spammers - they are most likely using automated tools anyway.

October 5, 2009 - 22:28 — ingo

One of the things the regular "spam" module offers is checking of URLs against SURBL, a list of spammer URLs. I should hope that this will reduce the amount of spam URLs in posts. For my e-mail spam filter, I have found SURBL to help quite a bit. My current interpretation of all this is still that Mollom has had a marked reduce in efficiency, so I hope by adding alternative measure, we can counter that and that other restrictions are not necessary.
October 5, 2009 - 22:56 — schumaml

We should set the filter policy of the Spam module to "reject" instead of "accept and unpublish", though.
October 20, 2009 - 16:21 — ffaat

I like the Recent Comments, but since I don't visit daily there are often comments that have scrolled off the bottom. Is there a way in the site software to see which scripts have new comments?

-Rob A>

Subscribe to Comments for &quot;spam invasion ...and disable html&quot;

Unless otherwise noted, the rights for the individual plugins are with their respective authors. Logo image by Jakub Steiner.