Note: You are currently viewing documentation for Moodle 3.2. Up-to-date documentation for the latest stable version of Moodle is probably available here: Reducing spam in Moodle.

Reducing spam in Moodle: Difference between revisions

From MoodleDocs
No edit summary
(security template, page update)
Line 1: Line 1:
==Background==
{{Security}}
 
What exactly is the problem?  Read [[Why porn spam has been appearing in Moodle sites|why porn spam has been appearing in Moodle sites]].
 
==The best thing to do==
==The best thing to do==


Upgrade to the latest 1.9.x or 1.8.x and use the [[Security_overview| Security report]] to analyse your configuration.  Then do all the things it tells you.
Upgrade to the latest stable version of Moodle and use the [[Security_overview| Security report]] to analyse your configuration.  Then do all the things it tells you.


Note this is not strictly necessary to combat just profile spam (see the critical settings below) but it will protect you against dozens of other known security vulnerabilities.
Note this is not strictly necessary to combat just profile spam (see the critical settings below) but it will protect you against dozens of other known security vulnerabilities.
Line 12: Line 9:


# Make sure that 'register_globals' is switched '''off''' in your PHP settings (this is the default).  Otherwise your site may be at risk of being cracked, allowing spammers to modify your scripts and insert spam wherever they like.
# Make sure that 'register_globals' is switched '''off''' in your PHP settings (this is the default).  Otherwise your site may be at risk of being cracked, allowing spammers to modify your scripts and insert spam wherever they like.
# Keep "Force users to login for profiles" '''enabled''' in ''Administration > Security > [[Site policies]]'' to prevent anonymous visitors and search engines from seeing user profiles.
# Keep "Force users to login for profiles" '''enabled''' in ''Settings > Site administration > Security > [[Site policies]]'' to prevent anonymous visitors and search engines from seeing user profiles.
# Keep "Profiles for enrolled users only" '''enabled''' in ''Administration > Security > [[Site policies]]'' (in Moodle 1.6.9, 1.7.7, 1.8.8 and in 1.9.4 onwards).  This will prevent affected profiles from being visible even to other users on the site.
# Keep "Profiles for enrolled users only" '''enabled''' in ''Settings > Site administration > Security > Site policies''.  This will prevent affected profiles from being visible even to other users on the site.


==Strong recommendations==
==Strong recommendations==
Line 22: Line 19:
==Allowing self-registration==
==Allowing self-registration==


If you don't need it, please keep self-registration '''disabled''' (it's the default) in ''Administration > Users > Authentication > [[Manage authentication]]'' common settings.   
If you don't need it, keep self-registration '''disabled''' (it's the default) in ''Settings > Site administration > Plugins > Authentication > Manage authentication'' common settings.   


If you '''must''' use [[Email-based self-registration]] to allow people to make their own accounts then:
If you '''must''' use [[Email-based self-registration]] to allow people to make their own accounts then:
# Add spam protection to the new account form by enabling reCAPTCHA (in Moodle 1.9.1 onwards) - see [[Security FAQ]] for details of how to do so. ReCAPTCHA is quite effective against '''most''' automated spambots, but will not foil human spammers at all.
# Add spam protection to the new account form by enabling reCAPTCHA - see [[Security FAQ]] for details of how to do so. ReCAPTCHA is quite effective against '''most''' automated spambots, but will not foil human spammers at all.
# Limit self registration to particular email domains with the allowed email domains setting or deny email addresses from particular domains, such as mailinator.com and temporaryinbox.com, with the denied email domains setting. Both settings are in ''Administration > Users > Authentication > [[Manage authentication]]'' common settings.
# Limit self registration to particular email domains with the allowed email domains setting or deny email addresses from particular domains, such as mailinator.com and temporaryinbox.com, with the denied email domains setting. Both settings are in ''Settings > Site administration > Users > Authentication > Manage authentication'' common settings.
# Consider only enabling self registration for a short period of time to allow users to create accounts, and then later disable it.
# Consider only enabling self registration for a short period of time to allow users to create accounts, and then later disable it.
# Keep "Email change confirmation" enabled in ''Administration > Security > [[Site policies]]'' (in Moodle 1.8.6 and in 1.9.2 onwards).
# Keep "Email change confirmation" enabled in ''Settings > Site administration > Security > [[Site policies]]''.


==Cleaning up spam==
==Cleaning up spam==
Line 34: Line 31:
If your site was open in the past and you have a spam problem then here are some things you can do to clean up the profiles:
If your site was open in the past and you have a spam problem then here are some things you can do to clean up the profiles:


# Use our [[Spam cleaner]] report, available in all stable versions of Moodle released in February 2008 or later.  Alternatively you can [http://cvs.moodle.org/contrib/tools/spamcleaner/spamcleaner.php?view=co download a version of the spam cleaner script] and run it in your existing Moodle site.
# Use our Spam cleaner report in ''Settings > Site administration > Reports > Spam cleaner'' to locate user accounts responsible for spam and other nasty stuff and help you delete them.
# Browse your user list looking for patterns to detect users who need to be deleted.  For example, spammers might have chosen a country that none of your real users has.
# Browse your user list looking for patterns to detect users who need to be deleted.  For example, spammers might have chosen a country that none of your real users has.
# Use the [[Bulk user actions]] tool under ''Administration > Users > Accounts'' to find all these users and delete them.  Note that versions prior to 1.6.7, 1.7.5, 1.8.6, 1.9.2 had a [http://moodle.org/mod/forum/discuss.php?d=101407 bug] that did not properly hide deleted user profiles, so make sure you have upgraded to a later version if you want to keep user profiles visible to the world.
# Use the [[Bulk user actions]] tool in ''Settings > Site administration > Users > Accounts'' to find all these users and delete them.


== See also ==
== See also ==
* [[Security FAQ]]
* [[Security FAQ]]
* [[Hacked site recovery]]
* [[Hacked site recovery]]
* [[Why porn spam has been appearing in Moodle sites]] - background to the problem which occurred in 2009


[[Category:Security]]
[[Category:Report]]


[[es:Minimizar_el_spam_en_Moodle]]
[[es:Minimizar_el_spam_en_Moodle]]

Revision as of 08:55, 18 October 2011

The best thing to do

Upgrade to the latest stable version of Moodle and use the Security report to analyse your configuration. Then do all the things it tells you.

Note this is not strictly necessary to combat just profile spam (see the critical settings below) but it will protect you against dozens of other known security vulnerabilities.

Critical settings

  1. Make sure that 'register_globals' is switched off in your PHP settings (this is the default). Otherwise your site may be at risk of being cracked, allowing spammers to modify your scripts and insert spam wherever they like.
  2. Keep "Force users to login for profiles" enabled in Settings > Site administration > Security > Site policies to prevent anonymous visitors and search engines from seeing user profiles.
  3. Keep "Profiles for enrolled users only" enabled in Settings > Site administration > Security > Site policies. This will prevent affected profiles from being visible even to other users on the site.

Strong recommendations

  • Make sure you upgrade your site often. Recent versions of Moodle have new fixes and warnings that will help you avoid security issues.
  • Consider the spam risks involved in allowing certain capabilities for visitor accounts, such as replying to forum posts or posting to blogs.

Allowing self-registration

If you don't need it, keep self-registration disabled (it's the default) in Settings > Site administration > Plugins > Authentication > Manage authentication common settings.

If you must use Email-based self-registration to allow people to make their own accounts then:

  1. Add spam protection to the new account form by enabling reCAPTCHA - see Security FAQ for details of how to do so. ReCAPTCHA is quite effective against most automated spambots, but will not foil human spammers at all.
  2. Limit self registration to particular email domains with the allowed email domains setting or deny email addresses from particular domains, such as mailinator.com and temporaryinbox.com, with the denied email domains setting. Both settings are in Settings > Site administration > Users > Authentication > Manage authentication common settings.
  3. Consider only enabling self registration for a short period of time to allow users to create accounts, and then later disable it.
  4. Keep "Email change confirmation" enabled in Settings > Site administration > Security > Site policies.

Cleaning up spam

If your site was open in the past and you have a spam problem then here are some things you can do to clean up the profiles:

  1. Use our Spam cleaner report in Settings > Site administration > Reports > Spam cleaner to locate user accounts responsible for spam and other nasty stuff and help you delete them.
  2. Browse your user list looking for patterns to detect users who need to be deleted. For example, spammers might have chosen a country that none of your real users has.
  3. Use the Bulk user actions tool in Settings > Site administration > Users > Accounts to find all these users and delete them.

See also