How marvellous it seemed when I first found I could add forums to websites, and allow people to comment. But as many a webmaster has quickly learned, there's a dark side to forums and comments: they can become magnets for spammers.
After I first had such problems, soon restricted forum posting and commenting to registered users only. But even then, spambots later blitzed one of my forums, exploiting flaw to post around 200 messages in 5-10 minutes (so fast my webhost complained about surge in cpu usage). Had to delete one by one; and a few hours later, this happened again! Happily, the forum software creators released a version that's proven more resistant to such automated spamming.
Marie Celeste websites overrun with forum and comment spam
I've occasionally come across sites that seem festooned with forum and/or comment spam – seems the sites were set up, then nigh on abandoned, becoming playgrounds for spammers.
Used to think I wasn't the type to let my sites languish like this. But, after minor spam comment problem, I was thinking of such Marie Celeste sites only yesterday and, in the afternoon, by chance checked a website I set up some time ago. Noticed there was forum I'd forgotten about; had a look and – sure enough – over 200 spam posts. My solution brutal and simple: the forum wasn't being used, so I deleted it.
Measures to guard against forum and comment spam
There are a few measures to try, which can halt or at least reduced having websites spammed like this.
User Registration – Very important; ensuring that anonymous users can't post. As I found, depends on forum/comment software not having flaw that's exploited. Maybe best if registration requires valid email address.
Maybe, too, can ensure that people registering aren't automatically able to post; or if they can post, the posts must be checked before being published.
Users behavng badly can be banned; and hope they won't register again with another email address.
Use decent software – Maybe check the forum/comment software is up to snuff – googling may help indicate if it's prone to being exploited by spammers. Then, should keep up with security updates.
Minimise places people can post comments – I've found it tempting to allow comments and posts in various places: seemed good if people could readily comment on articles, photos etc. But also found that, sooner or later, this could lead to trouble (I'd be happy if regular people reading this article could comment, but no comments here; instead, there's forum for posting).
Captchas – supposed to verify that it's a person not a bot making a post; by ensuring that must enter some letters and/or numbers, or answer to simple maths problem. I've read that even with captchas, spambots can sometimes post; indeed, had spam comments to my Gallery even tho supposedly had captcha enabled (maybe by human, or perhaps a spambot).
Notification re posts – If you enable posting, it seems wise to ensure that you're notified about new posts made. This way, even if some software flaw is suddently exploited, you should learn something is amiss.
mod_security in htaccess – If you can use htaccess and mod_security, can block posts containing certain words that are favoured by spammers but wouldn't be expected in posts to your site. Seems to be some good info on this at An introduction to mod_security.