Filed in Guardian, News, Updater on Friday 8th June, 2012
You might have had an email from us, explaining that you have a number of publicly visible fake members on your ExpressionEngine site. There’s no need to panic, but here’s a bit more information to help you decide what to do.
Have you noticed that some of your member profiles have links to other websites? They say things like ‘I really love designer handbags’ (with a link back to a site selling bags). These are spammers and the stuff they’re posting gives them what’s known as backlinks to their sites. Amongst other things, Google uses backlinks to help calculate search results, so spammers think that if they post a load of them they’ll appear higher in the search engine results.
Well, once you’ve been discovered by spammers (or by one of the people who sell lists of sites to spammers) then you’ll get inundated by them. Some of them post manually, but a lot of them use scripts or ‘bots’ to automatically join your site and post link spam. This can result in you getting hundreds of fake members a day.
So that’s the first bit of the problem. You know yourself that if you visit a forum that’s full of spam you probably think ‘oh, that’s not very professional’.
The second bit of the problem is that some of these links go back to websites you wouldn’t want visitors to your site to think you were related to. Some might be fake e-commerce sites selling counterfeit goods, or just taking customers’ money before closing down; some may be your competitors; others may be porn. Either way, if you’ve spent time and money developing your brand and your website, you don’t want to be associated with something that tarnishes your reputation.
Additionally, because some spammers target the same site over and over again, your site might start to come up in unrelated or unsavoury searches, purely because there’s lots of text with that search term hidden in member profiles on your site.
And finally, we’ve seen some sites with over 100,000 spam profiles, all open, all visible to Google. Your site could be penalised for being a link farm, so your genuine search engine results could suffer as a result.
It depends on the sort of site you have and the version of ExpressionEngine you’re running.
If it’s version 1.x and you don’t have a forum, then contact your developer, ask them to switch off new member registrations and make all profiles ‘hidden unless logged in’. This means that no one else can join, and Google (and your customers) can’t see the fake members any longer. If you want to clear out the spammers then ask your developer to email us and we can send them a free tool that will help with that.
If you are running a forum, then clearly you want members to be able to join; however, switching member profiles to ‘hidden unless logged in’ removes the ‘appeal’ of your site to spammers because Google can’t see the profile spam they post. Be aware though that unless it’s a closed forum both Google and your customers can still see any spammy posts they make on your forum. Talk to your web developer about using Member Utilities to catch them. This is a product we developed and is just under $15 to purchase. It will notify you of members who have posted profile spam and help you ban them in bulk.
If you are getting a lot of spam posts in the forum itself, then switch on notifications. This will tell you that someone has posted and if you format the notification properly, it’ll also show you what they’ve posted so you can identify and remove spam posts quickly.
If you’re running 2.x with no forum or membership functionality then it’s unlikely that you’ll suffer this problem as membership is set to ‘off’ by default.
If you’re running 2.x with a forum or membership function then please bear with us whilst we develop Member Utilities for 2.x. However, you can ask your developer to sign up for the beta of Cerberus Guardian, which might help keep it under control. Otherwise it’s a case of looking through the profiles and banning each member manually (sorry!). Keep checking back though, because we’re steaming ahead with it.
Cerberus is a database of spammers. We’ve got over half a million entries. It comes in two parts, Cerberus Updater which sends us information when you ban spammers and Cerberus Guardian which is a barrier to known spammers joining your sites in the future. You can find out a bit more about it here.
Well, the more spammers we know about the easier it is to stop them. If your site has a large number of fake profiles then we’d really like the data; things like username, screen name etc. If you ask your developer to contact us, we can talk it through with them to make sure we get the data we need in the correct format. This isn’t a huge job for them, and we can even harvest the data ourselves, then clear it out for you free of charge if you’d be happy for us to do that.
Certainly not! It was a feature of ExpressionEngine (a superb CMS) that had membership set to ‘on’. That was originally what the community and most of their customers wanted. Unfortunately it was exploited by spammers, who realised they could use it to post link spam to sites without forum functionality. Pretty quickly some individuals were making a living by selling lists of ExpressionEngine sites with membership on but no forum, so spammers started to hit the same sites over and over again.
Site owners didn’t notice because they were busy posting brilliant new content to the site and they never needed to check if they had new members joining… why would they? It wasn’t a membership site! It’s nothing that your developer has done; in fact, where we can, we contact the developer direct because we don’t want their clients thinking they’ve done anything wrong. As an example, one of our sites ended up with 84,000 spam members and we didn’t notice until we saw the profile linked to on another forum.
ExpressionEngine does amazing things, it has great functionality, and the best of us might overlook turning off one of the many functions a client doesn’t need - that’s how much it does out of the box. The team at EllisLab realised this was a problem, so using feedback from the community they made version 2.x with membership set to ‘off’ by default.
We’re not using this as a sales pitch or to scare you; our focus is getting Cerberus Guardian up and running and making EE a spam-free CMS so more people use it. We know some great developers and the changes you need to make to your site are minuscule, but it will benefit you and the rest of the ExpressionEngine user base if you carry them out.
If we can’t help you, we know a lot of fabulous developers who can.