Difference between revisions of "Reducing spam in Moodle"

Jump to: navigation, search

Note: You are currently viewing documentation for Moodle 2.3. Up-to-date documentation for the latest stable version is available here: Reducing spam in Moodle.

Line 3: Line 3:
 
Upgrade to 1.9.4 or later and use the new [[Security_overview| Security report]] to analyse your configuration.  Then do all the things it tells you.
 
Upgrade to 1.9.4 or later and use the new [[Security_overview| Security report]] to analyse your configuration.  Then do all the things it tells you.
  
==Strongly recommended==
+
==Very strongly recommended==
  
 
* Make sure that 'register_globals' is switched off in your PHP settings (this is the default).  Otherwise your site may be at risk of being cracked, allowing spammers to modify your scripts and insert spam wherever they like.
 
* Make sure that 'register_globals' is switched off in your PHP settings (this is the default).  Otherwise your site may be at risk of being cracked, allowing spammers to modify your scripts and insert spam wherever they like.
 +
* Keep "Force users to login for profiles" enabled in ''Administration > Security > [[Site policies]]'' to prevent anonymous visitors and search engines from seeing user profiles.
  
 
==Further suggestions==
 
==Further suggestions==
  
* Keep "Force users to login for profiles" enabled in ''Administration > Security > [[Site policies]]'' to keep anonymous visitors and search engines away from user profiles.
 
 
* Keep "Profiles for enrolled users only" enabled in ''Administration > Security > [[Site policies]]'' (in Moodle 1.6.9, 1.7.7, 1.8.8 and in 1.9.4 onwards).
 
* Keep "Profiles for enrolled users only" enabled in ''Administration > Security > [[Site policies]]'' (in Moodle 1.6.9, 1.7.7, 1.8.8 and in 1.9.4 onwards).
 
* Keep self registration disabled in ''Administration > Users > Authentication > [[Manage authentication]]'' common settings.
 
* Keep self registration disabled in ''Administration > Users > Authentication > [[Manage authentication]]'' common settings.
 
* Consider the [[Risks|spam risks]] involved in allowing certain capabilities, such as [[Capabilities/mod/forum:replypost| replying to forum posts]], for visitor accounts.
 
* Consider the [[Risks|spam risks]] involved in allowing certain capabilities, such as [[Capabilities/mod/forum:replypost| replying to forum posts]], for visitor accounts.
  
If [[Email-based self-registration]] is used for self registration:
+
If you must use [[Email-based self-registration]] then:
 
* Add spam protection to the new account form by enabling reCAPTCHA (in Moodle 1.9.1 onwards) - see [[Security FAQ]] for details of how to do so. ReCAPTCHA is quite effective against '''most''' automated spambots, but will not foil human spammers at all.
 
* Add spam protection to the new account form by enabling reCAPTCHA (in Moodle 1.9.1 onwards) - see [[Security FAQ]] for details of how to do so. ReCAPTCHA is quite effective against '''most''' automated spambots, but will not foil human spammers at all.
 
* Limit self registration to particular email domains with the allowed email domains setting or deny email addresses from particular domains, such as mailinator.com and temporaryinbox.com, with the denied email domains setting. Both settings are in ''Administration > Users > Authentication > [[Manage authentication]]'' common settings.
 
* Limit self registration to particular email domains with the allowed email domains setting or deny email addresses from particular domains, such as mailinator.com and temporaryinbox.com, with the denied email domains setting. Both settings are in ''Administration > Users > Authentication > [[Manage authentication]]'' common settings.
Line 20: Line 20:
 
* Keep "Email change confirmation" enabled in ''Administration > Security > [[Site policies]]'' (in Moodle 1.8.6 and in 1.9.2 onwards).
 
* Keep "Email change confirmation" enabled in ''Administration > Security > [[Site policies]]'' (in Moodle 1.8.6 and in 1.9.2 onwards).
  
==Cleaning up profiles==
+
==Cleaning up spam==
If your site was open and you have a spam problem then here are some things you can do to clean up the profiles:
+
 
 +
If your site was open in the past and you have a spam problem then here are some things you can do to clean up the profiles:
 
   
 
   
 
* Browse your user list looking for patterns to detect users who need to be deleted.  For example, spammers might have chosen a country that none of your real users has.
 
* Browse your user list looking for patterns to detect users who need to be deleted.  For example, spammers might have chosen a country that none of your real users has.

Revision as of 07:14, 12 February 2009

The easy way

Upgrade to 1.9.4 or later and use the new Security report to analyse your configuration. Then do all the things it tells you.

Very strongly recommended

  • Make sure that 'register_globals' is switched off in your PHP settings (this is the default). Otherwise your site may be at risk of being cracked, allowing spammers to modify your scripts and insert spam wherever they like.
  • Keep "Force users to login for profiles" enabled in Administration > Security > Site policies to prevent anonymous visitors and search engines from seeing user profiles.

Further suggestions

  • Keep "Profiles for enrolled users only" enabled in Administration > Security > Site policies (in Moodle 1.6.9, 1.7.7, 1.8.8 and in 1.9.4 onwards).
  • Keep self registration disabled in Administration > Users > Authentication > Manage authentication common settings.
  • Consider the spam risks involved in allowing certain capabilities, such as replying to forum posts, for visitor accounts.

If you must use Email-based self-registration then:

  • Add spam protection to the new account form by enabling reCAPTCHA (in Moodle 1.9.1 onwards) - see Security FAQ for details of how to do so. ReCAPTCHA is quite effective against most automated spambots, but will not foil human spammers at all.
  • Limit self registration to particular email domains with the allowed email domains setting or deny email addresses from particular domains, such as mailinator.com and temporaryinbox.com, with the denied email domains setting. Both settings are in Administration > Users > Authentication > Manage authentication common settings.
  • Consider only enabling self registration for a short period of time to allow users to create accounts, and then later disable it.
  • Keep "Email change confirmation" enabled in Administration > Security > Site policies (in Moodle 1.8.6 and in 1.9.2 onwards).

Cleaning up spam

If your site was open in the past and you have a spam problem then here are some things you can do to clean up the profiles:

  • Browse your user list looking for patterns to detect users who need to be deleted. For example, spammers might have chosen a country that none of your real users has.
  • Use the "Bulk user actions" tool under Admin > Users > Accounts to find all these users and delete them. Note that versions prior to 1.6.7, 1.7.5, 1.8.6, 1.9.2 had a bug that did not properly hide deleted user profiles, so make sure you have upgraded to a later version if you want to keep user profiles visible to the world.
  • Spam Cleaner is a simple script to help you delete spammer accounts more easily: