Let's see how to turn Dolphin into SPAM-repellent! Ideas. Tips. Tools.

Andrew Boon posted 16th of April 2015 in Dolphin.pro News. 13 comments.

Your fresh-out-of-the-oven social network is up and running. Hosting server optimised, friends invited, initial marketing campaign launched, coffee is still hot and... TA-DA! The first member joined! Name is "Prudence", wants to "meet nice people", and... WOW! Another one! Girl again... posting in blog already... something about designer bags..? WTF!?! Before the day is out your server is bogged down by a spammers and scammers, both virtual and real. Another coffee, two hours of cleaning up, marketing campaign suspended.  Time to research and see what is to be done to prevent the next onslaught.


Dolphin The Spam Magnet

Pretty much every successful CMS is targeted by spammers as an easy target for spam automation, or at least familiar environment for click-monkeys. Spamming business requires scale to be lucrative, so they can't afford dealing with "special" sites or sites that have extensive array of anti-spam tools in place. So, let's discuss what can be done to equip your Dolphin-based social network to effectively ward off automated attacks and attract little or no attention from the evil hordes of organic bots. Dolphin already has quite a few tools in place, but they require setting up properly to be effective. We are also very keen to hear your ideas on what else we could add to the platform to further spam-proof it. 


Dolphin Antispam Tools

These are accessible via Dolphin Admin panel. Just log in to your admin and go to Tools > Antispam Tools.

DNS block lists 

Your first line of defence. Enable this tool and activate default lists.  You can look for more lists online and add them. These include known IPs of spammers, proxies, spambots, abusing countries.

URI DNS block lists 

Next, we cut off the hand that feeds them. This tool works with lists of known spam-associated domains. If such domain exists in the text, it's marked as spam. Spammers don't have as many "clients", so tracking them is a little easier. A URI DNSBL lists the domain names and IP addresses which are found in the "clickable" links contained in the body of spams, but generally not found inside legitimate messages. This antispam method scan submitted content for the urls and check them if any of them is a link to spam site. If such url detected in the text then content is not submitted. You can also add domains and URLs yourself. 


Powerful anti-spam service for comments from Wordpress. It's free for non-commercial sites and $5/month for commercial ones. You will need to get an Akismet API key to activite it.



Yet another blacklist service from the good people at Stop Forum Spam. You'd only need the API key to be able to add your spammers you caught to the common database. The service is free, by donation. 


Other Helpful Features

Along with dedicated anti-spam tools, Dolphin has equipped a few more "guns"


- "Nofollow" attribute for external link is automatically added

- Captcha security image to stop slow-down bots
- CSRF tokens in forms
- Protection against submitting the form with automated tools
- Email confirmation
- Members pre-approval settings
- Content pre-approval settings
- Membership levels without posting privileges
- Registration by invitation only

- Split join form (configurable using join form builder)
- Security question (configurable using join form builder)

- Also a paid join form is coming in Dolphin 7.2 soon


Just think about which options would suit your site niche without alienating legitimate members. There is a bit of legwork to be done setting it all up, but that's part of the fun of being a webmaster!


What Else?

Now let's see what else you could do to aid in the battle and also what do you think we could do to further improve Dolphin's anti-spam ammunition. 


Renaming Join Form

It's been a known trick for a while with some members reporting good success. Just renaming the join form file name seems to help a lot. 


Custom Join Form Names?

As an extension of the above trick, we could try to create "custom" names for the join form of every site. Something like "join-thisandthissite.php". This would mean that spam-bots would require specific configuration for every site. It's a tricky thing to do, so let's talk about whether you think it may be an effective option?



As I mentioned, we are already adding a "paid join"  feature to 7.2. The idea of Paywall is to charge a small fee for the right to publish visible content. This is 100% effective, but slows down registrations. We use a form of Paywall here on Boonex.com. Paywall must be well-communicated - you have to clearly explain to your visitors that the fee is small and is only for anti-spam purposes, in their best interest, keeps the site clean and can be refunded on request. A small $3-5 fee will do the trick, however depending on circumstances, it may be more effective to use Paywall after the free registration, in a form of paid membership levels. Please, share your ideas and vision on what would be the most effective Paywall system for Dolphin Pro?



Another popular method is to require new members to gain some "points" before they can start posting public content or contacting other members. In this case you would generally allow posting some "safe" content like plain-text comments, and even that with limited amount per day. They get some points for all comments that stay published for more than a few days, or for friend-requests from other members, or posts to their profile feed by other members, etc. Just actions that hint on legitimacy of the new profile. Once certain amount of points is reached - they get upgraded. Such tool could be improved beyond anti-spam usability, but again, it's a serious system improvement that we first need to plan right, so please share your ideas. 


And what are your favourite tricks?


Recommended by
Please login to post a comment.
Based on a suggestion I found in the BoonEx Forum, I added a Forbidden Email Provider function to design.inc.php file and over time have been adding email providers that I've found to be repeatedly associated with spammers... but not my members personal emails. This simple trick appears to help keep many spammers from setting up accounts on my dolphin site. As you can guess, I don't use it for Gmail, Hotmail and other very popular email providers... but at least I can eliminate many of the 'temp' see more email providers.
BTW, Deano has a "Dolphin Anti Spam" module which has within it a tool for doing the same thing... eliminating the need to edit a Dolphin core file.
Andrew Boon
This is a good one, indeed. A whole lot of them come from slack email providers with poor policies, like 123.com.
site point idea is good..
as a payment option can u add paypal too.. if that can work with store module that would be great..

u should add these in trident too..i mean sitepoint ..where member will earn point with post and post likes when they will receive..
Andrew Boon
Yep, certainly. I just feel that we should try to plan it out first. SitePoints may be a rather "core" tool that would be linked to various modules, settings, permissions, etc. So, it needs to be clearly defined before development.
The absolute most affect that I have had to wipe out spammers is adding a security question in the join form. The English language is not easily understood by those who don't have it as their first language and there are some unusual quirks. My security question is this "What is 3 plus 2" the answer of course is 5 but for non english speaking people or robots even understanding the question is impossible. It is important to have the question in this form. If you said "Add 3 + 2" see more or "3 +2" the question could be easily understood. I have not had a single spammer since implementing this security question and the backend security (file access) has been faultless after having a complete review of file permissions and changing those where they were not secure.I do manual approval of all profiles to cover those few english speaking people who manage to create a spammer profile.
Of course I use auto blocklists as well and every now and then do a review of geo locations accessing my server and do some manual blocking of persistent IPs using up server resources trying to get in.
All in all I have no issues any more with spammers.
We use a security question and it certainly helped before we went to 7.1 from what I can see now the current tools make the question unnecessary. We may try removing it, or possibly using such a question in the content submission workflow.

This might sound daft but we are happy to have genuine looking sign ups but we don't like their less genuine, spammy, content submissions.
i know its a different topic but don't where to suggest for new feature..

so is it possible to add feature like ..tag friends in post ..while creating post or after creating post..
so it will show in their timeline...
i think its a good idea ..what do u think..
I wouldn't put a site online without GeoIP blocking. If you are operating an English language site primarily for US citizens for example, why even allow access from countries that have no business on your site. At the very minimum, access to the join form should be restricted.

I have also used Maxmind's proxy detection service to block access to the join form via US based anonymous proxies. This is a paid service, but for mission critical applications, it's worthwhile.
Use a text message feature. The person enters their mobile number and gets a response code, then they put the response code in the box. Like Uber and tons of other sites.
It is necessary to make a paid access. This will open up start-ups and get the money back at least for hosting, which can not be obtained on only one advertisement. Paid access to 100% to avoid spam. Text codes on the phone is not effective against spammers live, not robots.
All you need is to use a free Incapsula account. Your site will even run faster. Said it all before but nobody listens :(
My site does not assume these costs.
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.